The pin code thing and phone number thing is not that much of a concern for most but I’ve been keeping an eye on others coming into the space. Threema is one such messaging app which seems to have all the privacy and security needed backed with its strong European base in Switzerland.
I wrote it off in my mind because it didn’t have a open code base for security experts to view openly. However that recently changed with them opensourcing the code base.
Because of this change I’m relooking at the Threema, although I don’t think I’ll be dumping Signal as a result but rather using both?
I have been introducing Signal to friends as a proper alternative to Whatsapp. Its mainly been ok but my friend Hannah has hit a catch 22 problem, in her own words…
Signal should be a great app. It’s secure, easy to use and even my most skeptical and tech-suspicious friend uses it. But since I forgot my pin, I’ve not been able to get onto the app, not been able to reset my account or even been able to delete my account to start again!
I did email to get some advice about this problem but what I got back (after nudging to get a response) wasn’t really helpful. Apparently, you can reset your pin once you’re in the app but since I don’t know my pin, I can’t get into the app to reset the pin I don’t know. I also need to be in the app to delete my account. So basically, in order to access the information I need, I need the information I need. And yes, I did query the logic of this advice but it was just repeated to me!
This is really frustrating because even after deleting the app and waiting 7 days as suggested, the problem remains. In fact, I’ve done this a few times, waiting longer periods and it still hasn’t worked. Signal is effectively holding my phone number hostage, not allowing me to use it to create a new account or access the numerous messages I’m informed I’m missing (through other less secure – but at least reliable – platforms).
I get that not revealing my pin to me is a security thing but to be honest, it seems daft that I can’t even reset that pin using other means. For example, Signal already texts me a confirmation number when I try to sign in – surely this is enough to know that I’m the owner of the phone? They also have my email address.
If I really can’t reset my account, I would be more than happy to delete the current account and start over again. But until there’s a way for me to do this without entering the app in the first place, I’m stuck in limbo.
I’ve sent one last email to try and sort it out… fingers crossed!
If anyone has a solid answer what Hannah can do, that would be massively helpful. Even I’m lost to what she can do now.
“Notably, things we don’t have stored include anything about a user’s contacts (such as the contacts themselves, a hash of the contacts, any other derivative contact information), anything about a user’s groups (such as how many groups a user is in, which groups a user is in, the membership lists of a user’s groups), or any records of who a user has been communicating with,” Signal wrote in 2016.
That, according to critics, has now changed.
“They should have a dumb network that knows nothing because it can’t be compromised then,” The Grugq told Motherboard. “[Having contacts] is a lot. It isn’t messages, sure. But I don’t like it. I don’t want them to have anything. Make the networks dumb and the clients smart.”
I do understand why they have done it, but I don’t know where its going next. Marlnspike (head dev of Signal) replies.
Marlinspike defended the decision to enable PINs and give users a way to migrate to a new device and keep certain data, and will increase the security of users’ metadata, “new features Signal users have been asking for.”
“The purpose of PINs is to enable upcoming features like communicating without sharing your phone number. When that is released, your Signal contacts won’t be able to live in the address book on your phone anymore, since they may not have phone numbers associated with them,” Marlinspike told Motherboard. “For most users, this also increases the security of their metadata. Most people’s address book is syncing with Google or Apple, so this change will prevent Google and Apple from having access to your Signal contacts.”
The changes Signal has made show how there can be a tension between messenger usability and feature set and security. It’s too early to say whether you should stop using the messenger. For most users’ threat models, it’s still one of the best options. But one of the key things that set Signal apart—that it collects almost no information about its users, appears to be changing.
It was always clear to me Twitter direct messages was never secure in anyway, hence why I tried to move private conversations over to another medium. If thats not email or signal what else? Recently I have been looking at a couple others…
Session which is decentralised messaging and Criptext, which is actually secure email. Both need work but have decent security.
We live in incredible times with such possibilities that is clear. Although its easily dismissed by looking at the sorry state of the UK during our EU withdrawal or the tech press panic over the corona-virus.
To quote Buckminster Fuller “You never change things by fighting the existing reality. To change something, build a new model that makes the existing model obsolete.”
Ian thinks: Signal as a behemoth is concerning but its clearly made the best use of open source licenses to keep itself in check. Love the new systems which are being built on the protocol, real opportunity for something very new.
Ian thinks: The comparisons are spot on and its clear podcasting is going through a massive change right now. Spotify’s play to commodify and dominate is hard to break unless there is experiences they can not own.