I have been frustrated with Signal on this. I pitched that it is a good idea because of a scenario:
> You're protesting with people. Cops pick them up, but not you. You can delete their messages and it is likely that you are able to do so before the police can clone your phone or copy the messages (screenshot, whatever).
I got a few strange responses back:
- Deleting messages doesn't mean they can't be saved (yeah... this is probabilistic privacy, not guaranteed)
- My device, my data (okay?)
- Some people run custom apps that save everything (how does that apply here? Funny enough, a sibling comment said something similar)
- Just own up to your typos (-_____-)
- Don't use Signal for communication then because you can't be guaranteed privacy (great, I'll use smoke signals with my friends to organize)
To be fair to Signal, the devs did not get into the forums. To also be fair, Signal is taking the same position and is going to only allow deletion an hour after a message was sent. As much as I love Signal (it is my preferred messaging app), I think they are not in touch with the needs of people. We should look at why people are turning to Telegram when protesting. What can we do to better preserve the privacy of people protesting in HK, Belarus, America, etc.? Everything is probabilistic security and privacy when it comes down to it. But what tools would help these people the most? I would argue that bidirectional deletion to reduce the chance of self-incrimination is one of them. The other is group messaging, channels, and anonymous messages (so your phone number isn't visible in channels). Emojis are nice and fun for day-to-day use, but it is getting more and more important to push these other features (yes, I know they are extremely difficult to do and actually preserve privacy to the standard Signal currently does. I think many would be fine if it was an incremental increase in privacy with these newer features).
I don't know why you're getting down-voted. It's an accurate statement that many loyal Signal users can attest to. Signal has been my primary messaging app for years now, but that's my main issue with them outside of group MMS issues still being problematic all these years. Their slow response or lack of care was especially apparent after the huge outcry over constant nag notifications for verifying PIN, setting a profile name, and asking contacts to join Signal. It's like they don't understand how badly they need better adoption for Signal to be effective. If 90% or greater of my contacts don't use Signal, then what good is that? They need to start listening to their users better.
I do think that things like emojis and the (now fixed) link previews do help with adoption. But I think there is another and more compelling adoption method given the current state of the world: privacy and security. The reason people are turning to Telegram is because they think it is secure. Signal will never gain mass adoption without good groups. And honestly, they probably need channels too. If it had both those things then all these protestors would turn towards Signal. After all, isn't that why they get funding from the US government? To "enable" democracy in other countries?
I was pitching the following idea to a friend of mine yesterday:
- the UI should hide e2e/“reallyprivate” conversations by default
- as in "not visible anywhere" (edit: unless the app is in the foreground and you are chatting of course)
Unless you:
- do the “add a new user/conversation"
- then instead of adding mail/GUID/phone you add a whatevercanberemembered number/emoji/sentence that unlocks the private conversation you initiated long before
There should be no trace in the UI that private conversations are going on.
What does HN think? Why hasn't it been done before?
Edit: there could even be notifications disguised as another app (news subscriptions, medical reminders, battery low, etc.)
This doesn't give you plausible deniability if law enforcement gets their hands on your unlocked phone, as they can see that the file size of the encrypted message logs doesn't match the visible content. If the phone is jailbroken and the key for the message logs is leaked, it doesn't help at all.
Wouldn't the solution here just be to allocate a larger disk space and encrypt that? Then when the space is filled up you expand again? I've seen this done before.
Rather I'd change the GP's solution to having a secret vault in an already encrypted chat system (so you can do the above), essentially making it two layers. Just the second layer isn't a button that says "look at me, I'm where all the real secret shit is."
I agree that security through obscurity isn't a winning solution, but it is part of the toolkit. It would just be dumb to rely on your security solely being obscurity. Encrypted steganography is still a powerful tool, hackers obscure code, and real spies use obscurity all the time. It just isn't the dominant factor.
> This doesn't give you plausible deniability if law enforcement gets their hands on your unlocked phone, as they can see that the file size of the encrypted message logs doesn't match the visible content.
Hmmm. What about from the get-go saying that the app allocates 100 MBytes of space and fills it randomly at regular intervals until some encrypted content is generated? That'd put a 100 MBytes log/message limit on conversations, but that'd be by design and nobody could be sure those bytes are random or genuine messages.
> If the phone is jailbroken and the key for the message logs is leaked, it doesn't help at all.
Why would the key get leaked if it's never stored?
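The fixed-size, random-filled store sketched in this comment, as an added illustration that is not the commenter's code nor anything from Signal or Telegram: the file is created full of random bytes and never grows, messages overwrite the random tail in place, and the only secret is a memorised passphrase. It assumes a 4 KiB buffer standing in for the 100 MBytes and an HMAC-SHA256 counter-mode keystream standing in for a real cipher; the first 16 random bytes double as the KDF salt so nothing that looks like a header is stored.

```python
import hashlib, hmac, os, struct

VAULT_SIZE = 4096   # constructed stand-in for the "100 MBytes" in the comment; the file never grows
SALT_LEN, BLOCK, HDR, TAG_LEN = 16, 32, 2, 16

def _keys(vault: bytes, passphrase: str):
    # Keys come from the memorised passphrase plus the vault's first 16 random bytes; nothing else is stored
    k = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), vault[:SALT_LEN], 100_000, dklen=64)
    return k[:32], k[32:]

def _keystream(enc_key: bytes, start: int, n: int) -> bytes:
    # HMAC-SHA256 counter-mode keystream for vault positions [start, start+n); illustrative, not a production cipher
    first, last = start // BLOCK, (start + n + BLOCK - 1) // BLOCK
    blocks = b"".join(hmac.new(enc_key, struct.pack(">Q", i), hashlib.sha256).digest() for i in range(first, last))
    return blocks[start - first * BLOCK:][:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _tag(mac_key: bytes, off: int, msg: bytes) -> bytes:
    # The tag is bound to the record's position so records cannot be moved or replayed
    return hmac.new(mac_key, struct.pack(">I", off) + msg, hashlib.sha256).digest()[:TAG_LEN]

def new_vault() -> bytes:
    return os.urandom(VAULT_SIZE)   # entirely random: indistinguishable from a vault full of ciphertext

def read_messages(vault: bytes, passphrase: str):
    # Walk [len][body][tag] records after the salt; the first failing tag marks the random tail (or a wrong passphrase)
    enc_key, mac_key = _keys(vault, passphrase)
    msgs, off = [], SALT_LEN
    while off + HDR + TAG_LEN <= len(vault):
        (n,) = struct.unpack(">H", _xor(vault[off:off + HDR], _keystream(enc_key, off, HDR)))
        end = off + HDR + n + TAG_LEN
        if end > len(vault): break
        msg = _xor(vault[off + HDR:end - TAG_LEN], _keystream(enc_key, off + HDR, n))
        if not hmac.compare_digest(vault[end - TAG_LEN:end], _tag(mac_key, off, msg)): break
        msgs.append(msg)
        off = end
    return msgs, off

def append_message(vault: bytes, passphrase: str, msg: bytes) -> bytes:
    # Overwrite random bytes just past the last valid record; every position is encrypted at most once per vault
    enc_key, mac_key = _keys(vault, passphrase)
    off = read_messages(vault, passphrase)[1]
    end = off + HDR + len(msg) + TAG_LEN
    if end > len(vault): raise ValueError("vault full: the fixed size is the by-design limit the comment describes")
    rec = _xor(struct.pack(">H", len(msg)) + msg, _keystream(enc_key, off, HDR + len(msg))) + _tag(mac_key, off, msg)
    return vault[:off] + rec + vault[end:]

def wipe(vault: bytes) -> bytes:
    return os.urandom(len(vault))   # deletion is re-randomisation: same size before and after
```

Because the file is the same size empty, half full, or wiped, the size-mismatch observation from the parent comment no longer applies; what remains is the separate question of whether the passphrase can be compelled or captured from a running device.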
> We should look at why people are turning to Telegram when protesting.
Every single person I know who uses Telegram does it for either porn or piracy or both. So using what you already have for protests if they occur makes sense. Trying to get people to install a different app is much more complicated at this point. Sometimes it may even be prevented by the regime.
See, the lack of bidirectional deletion is one of the reasons I prefer Signal. Nobody other than me should have the ability to delete data on my device.
I disagree. I see my phone as an extension of my brain. If I have an in-person conversation, the other party can't force me to forget the conversation, and they shouldn't have that ability for my phone either.
What if only the other party's messages were deleted?
In Telegram it is understood that 'secret chats' constitute confidentiality. As such, both parties, I believe, ought to be able to delete everything.
I kind of see your point about non-secret chats.
But then we are back with an opt-in model for privacy.
Personally: what I tell you at the coffee machine, in confidence or not, is ephemeral. I would probably not talk to you at all if you were tape-recording all conversations, as you want to do with messages... so I think both parties should be able to delete text conversations. And privacy should be on by default.
> I would probably not talk to you at all if you were tape-recording all conversations
You hit the nail on the head with this one. To me deletion is a nice compromise and why the coffee shop analogy isn't a good comparator. Similarly we don't record video calls (and Moxie himself doesn't like this). So why should every text be recorded and parties do not have control over that data? I do feel that each person in the conversation has a right to control that data (if anything the sender more so) and when policy fails it should fail in the direction that has more privacy (which is the message not existing within Signal's log^). But currently people aren't given this choice and there is no consideration of failure modes.
^ Careful wording because if I don't make this added comment people think I'm unaware that screenshots exist.
I don't really make that distinction. I think it's harmful to have E2E as optional, and only use platforms that have either mandatory E2E encryption (Signal, WhatsApp) or no E2E encryption (SMS, email).
If you have an in-person conversation with me in confidence, that doesn't grant you any additional powers to make me forget details of the conversation.
> Personally: what I tell you at the coffee machine, in confidence or not, is ephemeral. I would probably not talk to you at all if you were tape-recording all conversations, as you want to do with messages...
What if I have a very good memory, and follow conversations by writing up their details in personal memos that you can't delete? (e.g. Comey's contemporary memos of conversations he had with Trump.)
> so I think both parties should be able to delete text conversations. And privacy should be on by default.
The problem for you is that I'm not going to agree to that - if you won't use Signal, I'm going to force a downgrade to SMS or email, and then you get even worse security and privacy.
If you want to have a conversation that can't be recorded in an automated way, you basically need to meet in a sauna.
> If you won't use Signal, I'm going to force a downgrade to SMS or email, and then you get even worse security and privacy.
Or we will set up E2E-encrypted Telegram. Or not talk.
> What if I have a very good memory, and follow conversations by writing up their details
You saying that you remember I said something, even took a screenshot vs you can prove I said something, is a big difference.
If I am doing a Snowden, I might go to a sauna. If I am planning to overthrow my boss, I think E2E Telegram is okay. Because I can delete the conversation it might even be preferable to Signal.
Sorry, I just can't agree with your take. You're fundamentally trying to use technology to restrict rather than enable use cases, and doing so in ways that aren't actually robust to your use cases and threat models.