Proton: Is Signal safe?

Really great article that goes deep and even compares to other services.

I especially liked:

However, the Signal Protocol doesn’t secure your metadata, so the app developers can see who you speak to, when you speak to them, how often, and for how long. So the Signal Protocol does not, in itself, provide privacy.

What sets Signal (the app developed by the Signal Foundation) apart from most other apps that use the Signal Protocol, is that it doesn’t harvest your metadata. Signal only keeps “the date and time a user registered with Signal and the last date of a user’s connectivity to the Signal service”. This claim has been proven in court.

All WhatsApp messages are secured using the Signal Protocol, so no-one can access their contents. However, as noted above, the Signal Protocol doesn’t protect your metadata.

Given that WhatsApp is owned by Meta (which also owns Facebook), whose entire business model is to learn as much about you as possible so it can target you with ever more personalized ads, it was always a safe assumption that Meta would abuse its access to WhatsApp metadata. And, like Signal, Meta is based in the United States and is therefore subject to US law enforcement requests for user data, often without a warrant or notice.

A 2025 lawsuit by WhatsApp’s former security chief claims that WhatsApp employees have access to sensitive user information, including location, profile photos, group memberships, and contact lists. It also alleges that Meta repeatedly ignored major security and privacy flaws that could be exploited by hackers and other malicious entities.

5 Likes

So does it mean that if a law requires private messaging services to collect metadata, Signal would be compelled to start doing so?

I had understood that what really differentiated Signal from WhatsApp was that it was technically impossible for Signal to harvest metadata too.

But if Signal doesn’t collect it not because it can’t do so technically, but simply because it chooses not to, while it remains technically feasible, then it’s a concern.

2 Likes

Not ideal. We absolutely need to stop discussing if something is “private”. It matters in what way something is private, and by what means. It’s irresponsible to issue blanket statements such as “Signal does not provide privacy.”

Signal provides content-privacy by design: post-quantum end-to-end encryption, on native clients with MITM protection.

Signal provides metadata-privacy by policy: it can collect metadata if it wants, but it has a policy to not do that, and court documents to prove it doesn’t collect it. You need metadata-privacy by design? You’ll want something that’s P2P over Tor, like Cwtch.

I’ve written about this in The collective misunderstanding of Privacy vs Security vs Anonymity

In other regards the article was a positive surprise, no shilling of Proton’s products, well written and balanced. The only issue (in addition to the “not private“ claim) I saw was lack of notion that all software that has ever been written, has bugs, and it’s enough the vendor responds rapidly to reports. If that’s the case and the product isn’t constantly full of holes, it’s the best you can expect, and Signal definitely ticks both boxes.

16 Likes

Signal does hide at least some metadata. I have no idea whether this is part of the protocol itself though

I think you’re misunderstanding what the article is saying. They’re not saying Signal the app doesn’t provide privacy. They’re saying the Signal Protocol (which is also implemented in other apps like WhatsApp) does not provide privacy on its own.

Signal does protect metadata privacy by design and not just by policy. It does this by implementing technologies like sealed sender on top of the Signal Protocol in the app. Proton writes this in the cited article right after they talk about the Signal Protocol. Also see The Best Private Instant Messengers - Privacy Guides

4 Likes

To be fair, the way the article is written does present it a bit like that. I don’t see why the protocol was so relevant to undermine in this article comparing apps. Not the best article imho.

8 Likes

the Signal Protocol does not, in itself, provide privacy.

What an absurd and embarrassing thing for a privacy company to say. If it were the case that something doesn’t provide privacy because there is still metadata available, then Protonmail doesn’t provide privacy either as it can see the same if not even more information about your emails than what is available via the Signal protocol. What they probably meant is that Signal doesn’t provide anonymity.

If I go into a store and use a changing room to try on clothes, I wouldn’t say I didn’t have privacy because the store knew who was using the changing room, at what time, and for how long. If I go there with a mask on and don’t identify myself, then I have both privacy and anonymity. If I go there with a mask on and don’t identify myself, but change in the middle of the store rather than a changing room, then I have anonymity but not privacy.

I would think Proton would understand this.

7 Likes

They explained it very well and understood very well the difference between privacy, security and anonymity.

They say: The Signal Protocol is secure, but not private because it does not protect metadata.

Plus, they explain that Signal provides privacy by policy. I believe they don’t mention sealed sender though.

They are also honest about emails, ProtonMail and the relative privacy ProtonMail provides.

1 Like

But metadata like your profile is E2EE. Yes, it isn’t the protocol that’s protecting metadata, otherwise we would be recommending WhatsApp if that were the case, but Signal utilizes the protocol (E2EE) to protect metadata.

Yeah, that’s wrong. That makes it lacking anonymity, not lacking privacy.

Privacy is a horribly lazy and vague word to use in the first place. Secure messaging space is filled with apps offering differing levels of metadata and content privacy.

Signal’s privacy properties are provided by its protocol. If it had multiple protocols we’d have to ask which one. It doesn’t matter if it’s implemented in other apps. WhatsApp has server-managed groups, making it somewhat distinct, meaning the Signal protocol in Signal is the reference implementation, and when you say the reference implementation does not provide privacy, it extrapolates to Signal, the app.

Sealed sender means the client hides the sender information inside:

s_ciphertext = AES_CTR(s_cipherKey, input=sender_certificate || message_ciphertext)

This is a Signal protocol layer information. That part is privacy by design. However, alone, it doesn’t matter.

Your device has to exchange that ciphertext with the Signal server, and that is done over Transmission Control Protocol - Wikipedia.

TCP automatically includes the source IP and destination IP addresses in every single packet, and there’s nothing you can do about it. TCP is what’s called a reliable byte stream: delivery is enforced with forced re-deliveries if a packet drops. The source IP field is mandatory, and a packet without it will be considered malformed by all relaying nodes, from your home router to the ISP to IX routers.

So because by default Signal server sees your IP address, the only thing it can do, is strip said IP address. And that stripping is a policy decision.

To distinguish metadata-privacy by design, you need something where the code you yourself run on a device you own enforces that your IP address does not leak. You can use Signal through VPN or Tor to hide your IP address to have metadata-privacy by design. But, since Signal doesn’t do it automatically, Signal is not itself metadata-private by design.

Signal is not coy about admitting this. The Sealed Sender article @Encounter5729 linked says:

These protocol changes are an incremental step, and we are continuing to work on improvements to Signal’s metadata resistance. In particular, additional resistance to traffic correlation via timing attacks and IP addresses are areas of ongoing development.

This means there is not built-in metadata-privacy by design to hide IP-addresses.

We do not collect or store any sensitive information about our users, and that won’t ever change.

This means there is metadata-privacy by policy in place.

Also see The Best Private Instant Messengers - Privacy Guides

Just because I’m not extremely active on this forum doesn’t mean I haven’t been contributing to the field since 2012 with what I know, and with code I write. :slight_smile:

8 Likes

Overall disappointing quality of article. Few things that jump out for me:

  1. Emphasis on auditing, and implying frequent external audits are somehow necessary is both a dog whistle for their own audits, and a subtle attack on smaller projects that cannot afford it, and bigger projects like Signal that know it is mostly useless.
  2. The 0-click attack shared is not something Signal can fix, and it plagues any global service. Framing it like Signal thinks it’s the CDN’s job and not their job, when it objectively is the CDN’s job, is certainly a choice.
  3. Marking out reliance on AWS, when Proton itself used Tesonet ( IPVanish “No-Logging” VPN Led Homeland Security to Comcast User | Hacker News ) is another rich choice. But finally a valid criticism, but one that is unsolvable unless Signal somehow becomes a large provider with ability to do load balancing across the world.
  4. Making it seem like Threema is a viable alternative ( Threema: Three Strikes, You’re Out - Dhole Moments , it’s not)
  5. Happy to see them clear up the Signalgate incident.

Overall meh for me.

4 Likes

Sure, I wasn’t arguing that they used the word privacy well. Just that they were only talking about the signal protocol and not the app itself.

I’m aware, but to say as you did in your original comment that Signal only provides metadata privacy by policy just because they can see your IP address is incredibly misleading at best.

I would actually beg to differ here. Protecting metadata is incredibly important in protecting privacy because you can often infer what is happening based on information like who someone is talking to, how many messages they sent, the size of attachments, etc. Case in point is that even though it implements the signal protocol, WhatsApp is still juicy enough to be profitable for Facebook/Meta. The FBI kills people based on metadata.

To use your changing room analogy - sure, if you use the changing room, you have privacy in the sense that everyone can’t see you without clothes on, but you don’t have privacy over what items you decided to try on, how long you spent deliberating, what you were likely doing in the changing room, that you loudly ripped ass in there, etc. You still may want to protect these things but protecting them wouldn’t fall under the realm of anonymity.

Metadata is important enough to privacy that PG specifically does not recommend using email even with Proton’s encryption for outgoing messages because we have things like Signal which protect loads of metadata by design.

Wouldn’t you agree Signal claiming it hides the sender information with technical means, without doing anything about the IP-addresses, would be a LOT more misleading?

Signal doesn’t just see your IP address: it can, at will, associate every ciphertext with recipient information with your IP address, to tell who talks to whom, when, how much, and in which order. It can also infer group membership information based on tightly grouped 1:1 messages sent to each recipient.

It’s important Signal doesn’t process the sender information inside the server, that halves information that gets written on disk and message cache, and makes the stored ciphertexts even less valuable as it only has information about to whom a ciphertext is addressed. At most it shows who’s popular. That’s great. I don’t deny that at all.

But the only difference between that and full record of who talks to whom, how much, when etc, is an internal policy decision to not write the source IP address, reception timestamp etc as metadata for those ciphertexts.

Privacy by design is

  1. Proactive not reactive; preventive not remedial

  2. Privacy as the default setting

  3. Privacy embedded into design

  4. Full functionality – positive-sum, not zero-sum

  5. End-to-end security – full lifecycle protection

  6. Visibility and transparency – keep it open

  7. Respect for user privacy – keep it user-centric

Here, points 1, 2, 3, 5 and 7 all point towards the same thing that end-to-end encryption is for content privacy: something that’s done by the user (proactive), that is done by default, that is part of the design, that is end-to-end == user to user, and that is user-centric (no weaseling out, and enforcing that behavior in the app so that it’s outside your control).

If the IP addresses negate the sealed sender, Signal isn’t metadata-private by default. Signal can be dragged by the hair into being metadata-private by design, by using Tor, a burner phone, and a prepaid SIM in a country that doesn’t check ID upon purchase. But that’s too many hoops for the overwhelming majority of people.

Contrast that with Cwtch that bundles Tor, that connects to Tor automatically, spins up Onion Service automatically, creates peer-to-peer connection to contact through five proxies that all mask IP address of previous node. That’s metadata-privacy by design.

Signal is absolutely fine, they don’t advertise mechanisms that aren’t there. They communicate their threat model clearly, and the app comes across as something with state-of-the-art content privacy. That’s what they’re known for.

My original gripe was about the language. About blanket statement of something not being private at all because it lacks metadata privacy. If you’re going to call something private only if it offers both, you’re pressed to be upfront about the definition at least until it’s common language to split privacy into metadata and content privacy, and mean both by privacy.

A related issue right now is people have this silly conception of privacy vs anonymity being the categories, where to them privacy incorrectly means E2EE, and anonymity is the only metadata privacy they care about, without realizing you usually can’t have anonymity without E2EE since that’s what’s hiding your colleague saying “Good morning John Smith! –” So those people would read the article to mean Signal has no functional E2EE, which is the polar opposite of the truth. Signal pioneers in that field. EDIT: No offense @lyricism, just noticed you made the distinction above. I think it’s really good you’re trying to make a distinction between types of privacy, I just disagree on the hierarchy of terms.

2 Likes
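To make the “by policy vs by design” argument above concrete (the sealed-sender envelope that hides the sender, and the TCP source IP that the server sees anyway), here is an added toy model of a relay server’s logging under the two policies. This is illustrative code written for this thread, not Signal’s code: the envelopes, IP addresses, timestamps and the `window` heuristic are all constructed.

```python
"""Toy relay-server model: what a server learns from sealed-sender envelopes
depending on whether it keeps or strips the connection's source IP.
All sample data below is constructed for illustration."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Envelope:
    """What arrives in the application layer: only the recipient is in the
    clear; the sender certificate is inside the opaque sealed blob."""
    recipient: str
    sealed_blob: bytes  # sender_certificate || message_ciphertext, encrypted


@dataclass(frozen=True)
class Delivery:
    """An envelope plus the transport metadata TCP hands the server for free."""
    src_ip: str
    ts: int  # reception time, seconds
    envelope: Envelope


def log_by_policy(deliveries, keep_source_ip):
    """Records the server writes to disk. keep_source_ip=False models the
    policy of stripping IP and reception time before storing anything."""
    return [
        (d.src_ip, d.ts, d.envelope.recipient) if keep_source_ip
        else (None, None, d.envelope.recipient)
        for d in deliveries
    ]


def contact_graph(records):
    """Who talks to whom, keyed by source IP. Empty when IPs were stripped."""
    graph = defaultdict(set)
    for src_ip, _ts, recipient in records:
        if src_ip is not None:
            graph[src_ip].add(recipient)
    return {ip: sorted(r) for ip, r in graph.items()}


def popularity(records):
    """Recipient counts: the most a stripped log reveals ('who is popular')."""
    return Counter(recipient for _, _, recipient in records)


def infer_groups(records, window):
    """Recipients addressed from one IP within `window` seconds of each other,
    a toy version of the 'tightly grouped 1:1 messages' group heuristic."""
    by_ip = defaultdict(list)
    for src_ip, ts, recipient in records:
        if src_ip is not None:
            by_ip[src_ip].append((ts, recipient))
    groups = []
    for ip, events in by_ip.items():
        events.sort()
        cluster = [events[0]]
        for ev in events[1:] + [(None, None)]:  # sentinel flushes last cluster
            if ev[0] is not None and ev[0] - cluster[-1][0] <= window:
                cluster.append(ev)
                continue
            members = sorted({r for _, r in cluster})
            if len(members) >= 2:
                groups.append((ip, members))
            cluster = [ev]
    return groups


# Constructed sample: one client fans out to three contacts within 2 s, then
# messages one of them again much later; a second client messages bob once.
SAMPLE = [
    Delivery("203.0.113.7", 1000, Envelope("bob", b"\x01")),
    Delivery("203.0.113.7", 1001, Envelope("carol", b"\x02")),
    Delivery("203.0.113.7", 1002, Envelope("dave", b"\x03")),
    Delivery("198.51.100.9", 1500, Envelope("bob", b"\x04")),
    Delivery("203.0.113.7", 4000, Envelope("bob", b"\x05")),
]
```

With `keep_source_ip=True` the stored records yield a full contact graph and a plausible three-member group; with `keep_source_ip=False` the same envelopes yield only recipient counts, which is the difference the post above attributes to an internal policy decision rather than to the protocol.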

In practice for most people, not really. Even without use of a VPN, public IP addresses change all the time due to ISPs rotating addresses between customers and client devices moving between different networks. IP addresses are also typically shared between many client devices on a single network due to NAT forwarding. It wouldn’t be impossible to figure out who’s who using that information, but it wouldn’t be a trivial task either. Unless I’m missing something, it would require significant effort on the part of signal and is only relevant for high threat models which should be using VPN or Tor or a different messenger anyway.

Fair enough

The laws may also require ISPs to retain logs of the IP (Internet Protocol) addresses they assign to their users. In general, every time a device is connected to the Internet, it is assigned an IP address by its ISP or mobile carrier. A log of these address allocations will indicate which device was assigned which IP address for a particular period of time.

IP addresses are also typically shared between many client devices on a single network due to NAT forwarding.

That only applies to household Wi-Fi. Every Signal app runs on a smartphone, every smartphone has a data plan and thus an individual IP address the TelCo knows. If anything, Signal can infer which users live in the same household and which users visit their household if they use guest Wi-Fi. It still has the same public IP due to NAT :>

The IP-address of the phone stays the same through the session, meaning until you reboot or toggle airplane mode. When was the last time you did that as a sanitation method? I know I never did before I googled this ten seconds ago. But still, the TelCo knows which IP was used when, and that’s not ideal.

it would require significant effort on the part of signal

The funny thing about computer science is, things are hard when you design and program them, not when you run the program code gazillion times across logs that rarely change table/column configurations due to complexity of DB migrations. I’m not saying Signal is secretly doing this now.

Yeah if your threat model includes “The service provider must not be able to determine who I am or who I talk to“, then you should favor Cwtch or Ricochet Next over Signal. To explain why that’s the case, we need the language to explain why, and that’s where it’s good to have distinction between metadata-privacy by policy and metadata-privacy by design :slight_smile:

3 Likes

Fair enough. I actually didn’t know that bit about retaining IP addresses with your cell service provider and each IP address being unique. That’s pretty interesting.

I guess this is the point where I disagree, because I feel like this distinction is almost as bad as saying something is private or not private. I would argue there are different gradations and levels of metadata privacy by design as well. Proton Mail/PGP encrypted email has little to no metadata privacy, Signal has a reasonable level for most, and Cwtch or Ricochet Next would have complete metadata privacy.

Not sure if we’ll find common ground on that point but genuinely thank you for all the information. Super interesting to hear from someone who works on this stuff.

1 Like

I understand your main point (that they prioritise metadata-resistant design more than Signal do) but I don’t think even those projects would describe themselves as having complete metadata privacy.

3 Likes

The thing is there’s multiple types of metadata-privacy. I took a closer look at Cwtch last spring. Turns out just by looking at the I/O graphs in Wireshark you can tell

  • When Cwtch opens (4500 packet burst that’s very distinct from Tor Browser and OnionShare, as Cwtch loads the entire Tor consensus data about Tor’s structure between reboots)
  • Number of Cwtch accounts opened with initial password as there’s roughly 415 packets per account sent in the initial account unlock and service setup burst.
  • There’s a heartbeat traffic between users with possible model fitting to tell number of open connections to peers. (The devs have been informed about all this and these aren’t really big issues)

These of course assume quite clean web traffic and no other Tor traffic to same guard node in the background. But it goes to show how hard this stuff is.

Also, there’s nothing Cwtch metadata protection does about traffic flow confidentiality. I tried to solve this in TFC’s traffic masking mode that sends a constant stream of packets to peers, to hide when, how much, and what type of traffic (messages/files) takes place. But it’s anything but ideal as you lock recipient to single user or group to not spam the HW bottleneck of everyone on your contact list. It can’t be the default mode at least for this tool.

Finally, all things Tor run into massive issue of end-to-end correlation attacks by largest intelligence establishments (mostly FVEY) that just can not be prevented. Their own slides (thanks Snowden) from pre-2013 said they could do random deanonymization of Tor users but also that they’d never be able to do it on demand.

I fear the moderators here will throw this conversation into chat soon so I’ll try to avoid spam, end here, and just say that there’s always an attack, nothing offers complete metadata-privacy. What you can do is try to learn what your threat model’s adversaries can do wrt metadata, and then mitigate if you can. You’ll never be able to tell if there’s an even stronger adversary interested about your digital Fort Knox. But outside these extreme examples of most well funded state actors, there’s usually space to discuss what’s enough to thwart threats of surveillance capitalistic private equity ruining the platform in the future, or what the user’s banana republic can see with DPI, and think how to harden the platform against it. Like Signal did with sealed sender. The stuff just needs appropriate hyperbole-avoiding terminology to describe.

4 Likes