Comment by Summershard
2 years ago
Signal does not know who you correspond with. The only information they keep is the account creation timestamp, and the date that the account last connected to the Signal service.
You may have confused this information with WhatsApp which indeed keeps a lot of metadata on each user.
Signal absolutely knows who you correspond with. How could they otherwise route your chat messages?
They promise to throw this information away, which is nice but not possible to verify.
They also employ a roundabout way of encrypting this data, but as they rightly point out in their article that describes the scheme, encrypting or hashing phone numbers is not safe from a malicious attacker. The space of all possible phone numbers is so small that it could be brute forced in the blink of an eye.
You place all your trust in Signal (and Google/Apple) when you use them. That may be better than the alternatives, but it's still something we should be honest about.
That said, keep in mind that Signal and Google/Apple can also trivially backdoor your software, so unless you take specific precautions against that, the details of their middleman protection isn't terribly important.
I guess you are right. It's trust-based. For an actual obfuscation Signal would need to implement something like onion routing, right? I think Session does it.
https://news.ycombinator.com/item?id=39414322
Well, TIL. That does not refute my comment, though. Signal still does not know who you chat with. It's the cloud provider who might log the IP address of the sender. Identifying the person based on that information alone would be non-trivial if not simply impossible.
> Signal still does not know who you chat with. It's the cloud provider
To me, it's much worse. A non-profit doesn't have my data but Amazon (and NSA) does. With Amazon's scale, it must be trivial to identify everyone.
See also: https://news.ycombinator.com/threads?id=autoexec&next=394457...