
Comment by zuhsetaqi

2 years ago

If I understand correctly it’ll still not be possible to create an account without entering a phone number?

For me this is a requirement to call a service a private service because in Germany at least every phone number is connected with a person's identity. To get a phone number you need to connect it to an identity using an identity card.

Here in Thailand it's the same but phone numbers get recycled and expire very aggressively. I just got a new phone number and I can log in to many platforms of some 20 year old guy who really likes pc gaming.

Phone numbers should have NEVER become an ID. Incredibly hypocritical of Signal to claim "privacy focus" when the lowest layer of the system is literally the least secure identification method we have.

  • same in my country.

    I had two SIM cards dedicated to online crap - one for important stuff like banking, another for social media and such.

    both have expired after ≈ 3 months of inactivity, when my 2 week trip unexpectedly took 4 months. those SIM cards weren't physically inserted into my phone - I used to do that once a month to call someone and get billed a few cents so it would remain active, until that trip.

    there's no way to get those phone numbers back and it's been an enormous pain in the dick. I hate this fucking system, but I hate the fact that fucking everything requires a phone number even more.

> in Germany at least every phone number is connected with a person's identity. To get a phone number you need to connect it to an identity using an identity card

Personally, I am totally baffled by this.

Due in large part to C3's positive influence, Germany is at the forefront of privacy issues and legislation on so many areas, except for this one, which ends up turning into a massive backdoor in the whole edifice. Okay, we can't ask for a copy of your identification card... we'll just use a telephone number or SIM code or something trivially tied back to your IMSI (like an app store account or IMEI) instead. Because of the absurd 2017 law, these are equivalent to your government ID card.

I really don't understand why Germans put up with this while simultaneously pushing so hard for positive changes in every other aspect of online privacy. Especially when so many other developed Western countries do not tie SIM cards to identities: Netherlands, Denmark, Finland, Iceland, Ireland, US, UK, Canada, and many many others.

It's like a giant `sudo gimme-your-identity` backdoor in all the other data collection protections. And nobody seems to care about closing the backdoor.

  • It wasn't always like this - the requirement to give your ID to get a SIM card, as you noted, was only introduced in 2017 (though it certainly feels way longer ago for me).

    Anyways - why does nobody care?

    Simple: most don't feel this being an issue.

    Some may even say that they "don't have anything to hide" and there goes the erosion of privacy, bit by bit - by the time someone notices "ok, this may become a problem" - it'll be too late :(

    • > Simple: most don't feel this being an issue.

      Sure, but what's incredibly weird is that many Germans do feel that almost all other digital privacy matters are an issue. It baffles me that they treat this one particular issue differently for some reason.

      I wonder if this is some kind of mass-psychology exploit, like it doesn't occur to your average nontechnical person that the ID requirement makes your Apple app store account, and every app you use it to install, equivalent to your government photo ID.

  • On the flip side, SMS fraud is almost nonexistent from German mobile numbers, which is why scammers just send from other countries to German mobile phone owners. Mostly from France.

    • > SMS fraud is almost nonexistent from German mobile numbers

      Even if this is true, how does that benefit Germans?

      Nobody's seriously talking about blocking all SMSes at the national border.

  • > Due in large part to C3's positive influence, Germany is at the forefront of privacy issues and legislation

    That's the entirely wrong cause and effect.

    The obvious root causes are a world war and the DDR.

    • Yes yes, of course; there are root causes and proximal causes. You are correct about the root cause, which is the reason why Germans in general care about these things.

      C3 is the catalyst that turned that caring into actual tangible results. Or at least a big part of the catalyst. Their level of political effectiveness is extremely unusual in the hacker world. I'm glad it has been a force for positive change.

      That said, it has limits. And I have heard rumblings before about the telecom giants (DT) being an insurmountable political obstacle. So hacker culture has more political influence in Germany than elsewhere, as long as it doesn't upset the telecom giants.

This is a fundamentally different problem for a fundamentally different audience.

If we take privacy issue, it can be divided into 3 segments:

* Privacy of user data. The basic level. When you use Google or Apple, they collect data. Even if you minimize all settings — data is still collected. This data is used to train models and models are used to sell ads, target you or do anything else you have no clue about (like reselling it to hundreds of “partners”).

* Privacy against undesired identification. Next layer of privacy. When you want to have some personal life online without sharing much about you. Like Reddit, anonymous forums, or Telegram (to some degree).

* Privacy against governments. The ultimate boss of privacy. When you want to hide from all governments in the world your identity.

Signal was perfect at first layer, strong but not perfect at 3rd layer (e2e encryption, no data collection to share nothing with governments who seek for data, good privacy settings, always tell you if your peer logged to new device to protect from cases when government operates with telecom companies and use sms password to make a new login), and almost non-present at 2nd because they have no public features except group chats where you share your number.

Now they in one move close gaps at 2nd layer — you can hide phone number and stay fully anonymous, and strengthen their positions in 3rd layer, leaving the last piece open: government still will know that you have some Signal account.

As for me, this setup solves 99,999% cases for regular people in democratic and semi-democratic countries and address the most fundamental one: privacy of data and actions online.

Yes it is not perfect but barrier for government to spy on me is that high that I reasonably can believe that in most cases you should never be worried about being spied, especially if you live in some places which are named not as Iran or Russia.

The only scenario, in my perspective, you can want to have a login without phone (with all sacrifices to spam accounts, quality of peers and usual troll fiesta in such places) is when you want to do something you don’t want ever be found in your current country.

But in this case, IMO, Signal is the last worry you usually have on your mind and there are a lot of specialized services and protocols to address your need.

  • 1,2 and in part 3 were already fixed with the Signal FOSS fork back then, but Moxie and his army of lawyers decided to send out multiple cease and desist letters against those projects. Which, in return, makes Signal not open source, no matter what the claims are. If they don't hold up their end of the license and argue with their proprietary (and closed to use) infrastructure then I'd argue they are no better than Telegram or WhatsApp. Signal's backup problem is another story which might blow up my comment too much.

    Because of your mentioned points I would never recommend Signal, and rather point to Briar as a messenger and group/broadcast platform. Currently, it's still a little painful to use and e.g. QR Codes would already help so much with easing up the connection and discovery/handshake process.

    But it has huge potential as both a messenger and a federated and decentralized platform.

  • I just don't want my metadata (contact graph) hoovered because I send a (encrypted) message to someone that may be an over sharer on FB, etc.

    I use Signal because I am a "nothing to hide and I like to own my privacy as much as possible" type online person.

    Signal == more peace of mind just generally in this online world we have.

Just use Wire (wire.com). True end to end encrypted multi device messenger, open source, federated and based on MLS. All you need is an email address, no phone number required. And based in Europe. They allow building your own clients (with some stipulations) and seem to solve everyone’s issues with Signal here.

  • No, a for-profit corporation providing a free messaging service really isn't the solution.

I think it is a holdover from the Text Secure days. And like others say, it's a different problem.

But for solutions, can't you just buy a voip number? You just need it for registration and then can dump it. I'm sure you can buy one with cash or zcash if you're really paranoid.

While in the US I don't have to show my gov ID to get a phone number, I don't know anyone who buys a phone with cash except international students. So practically everyone is identifiable anyways. But I'm not sure this is a deal breaker since all I'm leaking is that I have registered a Signal account. AFAIK Signal only has logs of an account existing and last online with 24hr resolution (which avoids many collision deanonymization methods). Even paying with cash is hard as I'm probably caught on camera (but these usually get flushed).

So I'm legitimately curious, why is this a dealbreaker? It doesn't seem like a concern for the vast majority of people, and the problem Signal is solving is secure communication for the masses, not the most secure method possible with unbounded complexity. It's being as secure as possible while being similar in complexity to the average messenger.

  • > But for solutions, can't you just buy a voip number?

    No, how would my uncle in the countryside of Vietnam do that? He doesn't have a credit card -- not many here do. He doesn't speak English -- can you find a website that sells voip numbers in Vietnamese? Buying a voip number from a provider in Vietnam has the same exact KYC requirements as buying a SIM, so it is still tied to your government ID and registered forever.

    Also buying a VOIP for 1 month costs something like $10 from a quick Google. Average salaries are like $1.50/hour. Nobody is going to pay an entire day's salary to buy a VOIP number they throw for a month just so they can register anonymously for chat.

    So, no, you can't "just" buy a voip number unless you're a rich Westerner. But who needs privacy more? People in liberal democracies or people in places like Vietnam (literally an authoritarian country where people are routinely imprisoned for speaking against the government)?

    > I don't know anyone who buys a phone with cash except international students.

    Everyone buys a phone with cash here because few people have credit cards, since there is no such thing as "credit ratings" and it is easy for people to disappear from their debts. There are more people in Vietnam than any country in Europe. We all use smartphones and messenger apps here, too.

    • Briar ('droid only), SimpleX, and Session; optionally with a cheap VPN like Mullvad or Proton to ameliorate anonymity issues in the p2p voice/video features.

Why do you need a German phone number? Many countries let anyone have a phone number, with no proof of address or other identifying information. Just use one of those numbers instead. One example service is https://jmp.chat/ but there are many others.

  • It's a voip service isn't it? Those numbers will not work with many online services and even some more obscure normal providers.

    • Basically everything is VoIP these days (VoLTE, etc.). Online services sometimes have secret lists of phone numbers they don't like, but "voipness" isn't a silver bullet for determining whether or not a service will like your number or not. The JMP people wrote more about this at https://blog.jmp.chat/b/2022-sms-account-verification

      Anyway, this thread is about Signal, and JMP numbers work with Signal, which is why I suggested it.

This is not correct. Go to a phone booth, get Signal, never need the phone number again. Any phone will do. Get a phone number from a different country online and without identity check, who cares, you will never need it again.

  • > … never need the phone number again

    What if I lose my phone and want to log in again on a new one? Don't they send a verification code to the number again?

    • Well if you lost your only credential and it’s a secure solution, it’s gone. You must set it up from scratch again.

      Since we’re discussing not providing your phone number out of privacy/security concerns, I assume that “registration lock” and PIN are on the table, which would anyway block you from registering again using the same number after losing your phone.

      Hence, the situation is the same as with your mobile phone number: no backup, no luck.

  • wouldn't the next bloke using the booth for same cause get the whole account?

    • Not if you set a PIN no. But I think the next bloke can't use the booth to create a signal account anymore. I don't think we'll run out of booths though considering how rare the use case is ;)


Partially off-topic: I've always found this German requirement baffling. In the Netherlands you can just buy a SIM card at a supermarket and pay cash. No identity, nothing.

Same in Spain since 2004 Madrid train bombings IIRC.

  • This is the case in most countries these days. There are very few places left where you can get a mobile phone number without identifying yourself at some point.

... but then Signal wouldn't have your phone number either. What they need it for is ... dubious if you ask me.

  • > ... but then Signal wouldn't have your phone number either. What they need it for is ... dubious if you ask me.

    The reasons they need it aren't really that dubious to me: they want to create a service that actual people will actually use, not just weird privacy geeks who never gave up on PGP. Using phone numbers allows for the kind of user discovery that most people expect in 2024, and requiring them inserts a barrier to mass account creation that can keep spam accounts down to a manageable level (especially given the whole point is they can't do content-based spam-filtering in the way that makes email manageable).

    Personally, my understanding is they've always been trying to develop the maximally private usable chat app, which requires some compromises from the theoretically maximally private chat app.

    • Yeah, privacy is weird and cringe! Let's call 'em "privacy-bros" or maybe "encryption-bros" to signify that they are low status (I don't want to be like them, ew!)


    • > Using phone numbers allows for the kind of user discovery that most people expect in 2024

      Do people really expect to still exchange phone numbers?

      Fundamentally I don't want people to call me nor SMS me (that's for spam only), most messaging services will allow contact exchange through a QR code inside the app, and if everything else fails an email address will be the most stable fallback.


    • >and requiring them inserts a barrier to mass account creation that can keep spam accounts

      Well, an even better barrier to reduce spam would be Signal to require some official ID of people...


    • > not just weird privacy geeks who never gave up on PGP

      Looks like you're thinking about key exchanges as opposed to phone number exchanges.

      Ever heard of user nicknames?

    • I mean, a phone number is an arbitrary sequence of digits. I'm very happy to use a chat app where I say to someone 'what's your username?'.

      I'm not giving a chat app free access to all my contacts - and that includes things like Whatsapp

  • The claim (which generally I'm inclined to believe) is that requiring a phone number drastically increases the cost to sending spam. That in turn drastically reduces the spam amount.

  • What they need it for is simply that it's the way the system has always worked, because Signal started life as an encrypted replacement for SMS. The point was that you could switch from the standard SMS app you were already using over to Signal (which was called "TextSecure" at the time) without having to change your habits, because sending messages to people's phone numbers was simply what people did then. There's nothing nefarious about it.

Yes, this is just Apple level bullshit - trust us with your private data even though no law prevents us from exploiting it ...

  • Damn, people will never be satisfied, will they. It's not meant to be an anonymous messenger, because those have spam issues.

    • Signal has spam issues even with the phone number requirement, as I've experienced lately (though nothing on the scale of Twitter). I dread to think what the spam would be like without the requirement of a phone number.


    • They could collect a small amount in cryptocurrency to prove user is not a spammer. Telegram tried this but the price for not providing a phone number was too high. Does it mean knowing user's number is so valuable?


  • I could certainly point out the differences, but the fact that you yourself aren’t acknowledging them indicates to me that you’re throwing intellectual integrity out the window because this product doesn’t work in the way that you want it to work. Engineering is about tradeoffs, and not every company serves to build something that does exactly what YOU want it to. I prefer Signal the way it is. I understand the tradeoffs.