Comment by tucnak
1 day ago
I wonder whether the protesters could opt for offshore alternatives that don't require exposing their phone number to a company that could be compelled to reveal it by US law. For example, there is Threema[1], a Swiss option priced at 5 euros one-time. It is interesting on Android as you can pay anonymously[2], therefore it doesn't depend on Google Play and its services (they offer Threema Push services of their own.) If your threat model includes traffic analysis, likely none of it would make much difference as far as US state-side sigint product line is concerned, but with Threema a determined party might as well get a chance! Arguably, the US protest organisers must be prepared for the situation to escalate, and adjust their security model accordingly: GrapheneOS, Mullvad subscription with DAITA countermeasures, Threema for Android, pay for everything with Monero?
It's worth noting that the way Signal's architecture is set up, Signal the organisation doesn't have access to users' phone numbers.
They technically have logs from when verification happens (as that goes through an SMS verification service) but that just documents that you have an account/when you registered. And it's unclear whether those records are available anymore since no warrants have been issued since they moved to the new username system.
And the actual profile and contact discovery infra is all designed to be actively hostile to snooping on identifiable information even with hardware access (requiring compromise of secure enclaves + multiple levels of obfuscation and cryptographic anti-extraction techniques on top).
Perhaps you're right that they couldn't be compelled by law to reveal it, then! However, I can still find people on Signal using their phone number, by design. If they can do that, surely there is sufficient information, and appropriate means, for US state-side signals intelligence to do so, too. I don't think Signal self-hosts their infrastructure, so it wouldn't be much of a challenge considering it's a priority target.
Now, whether FBI and friends would be determined to use PII obtained in this way to that end—is a point of contention, but why take the chance?
Better yet, don't expose your PII to third parties in the first place.
Yeah it should be technically feasible to do "eventually" but it's non trivial. I linked a bunch of their blogs on how they harden contact discovery, etc. And of course you can turn contact discovery off entirely in the settings.
Settings > Privacy > Phone Number > Who can find me by number > Nobody
https://news.ycombinator.com/item?id=46786794
1 reply →
Note that Threema has had a recent change in ownership to a German investment firm. Supposedly nothing will change but I can’t help but be wary
Just being owned by an offshore company doesn't mean that they still can't be infiltrated. But as you pointed out, just because Company A creates an app does not mean that Company B can't come in later to take control.
The alarming extent of US-affiliated signals intelligence collection is well-documented, but in the case of Threema it's largely inconsequential; you can still purchase the license for it anonymously, optionally build from source, and actively resist traffic analysis when using it.
That is to say: it allows a determined party to largely remain anonymous even in the face of upstream provider's compromise.