Among those is a mapping from the phone number to all the devices the user owns. For each of those devices, the server stores the information if it’s Google, Apple or something else (“user agent”). For Google and Apple it stores a unique push token that can be linked by Google and Apple to their respective accounts (and thus is PII under GDPR and similar legal definitions). As Signal was always able to send push notifications and still is today, we can be certain that even if they don’t use the open source version of the server in their live system (which they are known to have done in the past), we know they are storing those push tokens. They also state it in their privacy policy that they do this (but who reads those when there is a nice “we don’t store, see our published responses to gov” page that claims they don’t store anything).
As an example, in the request Signal >> Government Requests >> Grand jury subpoena for Signal user data, Central District of California (again!) the subpoena specifically included “device data” and “connected applications”. Signal had this data (as seen above), but in their reply they didn’t include it and they even explicitly claim (without any need), that they only have “the time of account creation and the date of the account’s last connection to Signal server”, which as can be seen when looking at the code, is completely wrong.
Also, phone numbers are not “hashed” as many claim, adding a username does nothing and it can still be correlated. Shared with a third party Twilio that known to have a terrible security practices.
I don’t think we need yet another topic discussing Signal’s weaknesses and flaws. There are plenty of topics about this already.
The fact that governments can only get access to useless data was always dumb and still is dumb. What matters is what data Signal can access and see, not what data they store.
Who gives a duck if a VPN or Signal doesn’t store logs but could be forced to or those logs can be obtained by compromising a server, etc.
The fact that people use these government requests as a selling point for Signal is a meme, in my opinion.
iirc this post literally came up from XMPP evangelists trying to promote their case. Their arguments always fail and they always come back to “blah blah decentralization and I run my own server”.
If you actually read the lobste.rs link you cited, it’s not. It’s in response to Soatok’s post explaining why XMPP sucks and someone mentioning that he likes Signal. The user who you’ve quoted was just pointing to one class from the Signal server codebase.
But to the main topic, of Signal allegedly storing more than they tell courts they do, I kinda don’t trust that random lobste.rs user because they did a piss poor job of explaining how that fits in with the rest of the server architecture (is this used just to register a user and then data is discarded? what about accounts.java? and so on)
Original article is very well structured, nice read.
As @pinkandwhite points out, they don’t actually know what data Signal stores, but are mostly armchair experts speculating. The data could be temporary or stored for instant attribution/key exchange and then deleted (if they have a problem with that, boy do I have some fun examples for them in TLS protocols). And contrary to popular belief, Signal actually would not lie to US courts’ subpoenas (neither would any other service with hopes of existing in the US, or what Proton does when facing Swiss orders). They are anyways have a HUGE target on their backs, so I don’t think intentionally lying is something they would even want to do.
Unfortunately, the Internet is full of cargo cults built around specific technologies, and their followers have an emotional interest in muddying the waters.
Pretty much nails the discussion on “lobste.rs”. More unexplained, unverified attacks on Signal from fans of protocols that are being used outside of their actual use case and then crying when they are deemed insufficient security. Although I am someone who only uses decentralized social media, I can’t wait for the day when people who think “decentralization” is the only requirement for privacy and security actually start listening to subject matter experts.
There’s no proof of what you’re saying, otherwise all privacy- and security-oriented tools are honeypots, Tor, Proton, Tuta, Threema, Linux, GrapheneOS etc.
Without proof or solid testimony, insinuating that people who trust Signal are “morons” is worthless, until now no one has been able to prove that Signal is a honeypot, only allegations.