Comment by kreetx
11 hours ago
Signal's messages are encrypted at rest though? Because Android and iOS are both full disk encrypted.
I do agree that when you can't hide from the company, you can't hide from the US government either.
Regarding attacks, even if your current app is e2ee then this could be subverted by simply updating it to a newer version that isn't. Yet another is that when somebody gets full control over your phone, then no system will protect you as the device is functioning as intended (showing you the messages), it just doesn't know that it's no longer the owner of the phone reading them.
So just a point for people to be aware of, and that this isn't unique to Signal. Android and iOS can read your Signal messages under 1 of 2 conditions:
The first one is obvious as the OS has to see the message. So someone *with access to your phone* (already compromised) might be able to read messages (or at least partial) through this mechanism. Signal allows you to turn this off and if you're concerned, you should do so.
The second is less obvious and unfortunately with iOS I don't think there's a solution. Under Android, by default, Signal uses the incognito keyboard. Android promises not to use typing patterns for its learning but like Apple you ultimately have to trust them. But unlike Apple you can install 3rd party keyboards from F-Droid which are entirely local (some even have learning capabilities and plenty have local STT).
But again, neither of these are actual issues with Signal or any other E2EE app. The problem is the smartphone.
Nitpick:
I don't think you can hide from targeted government surveillance. Or at least you have to go to some serious lengths to. But I do strongly believe that apps like Signal help you avoid dragnet operations and mass government surveillance. We should differentiate these types of things. I'm not doing anything nefarious so I'm not concerned with the former targeted surveillance (though I still dislike it in principle), but mass government surveillance is, in my view, a violation of my constitutional rights and everyone should take steps to fight against it.
Truth is, most mass surveillance can be avoided fairly easily: use an E2EE communication app like Signal (cross platform) or iMessage (security only with your Apple friends), install an ad blocker, set "do not track" in your browser, get a cookie destroyer (or use incognito/private), and disable tracking in each and every app (annoying...). This isn't a perfect defense from mass surveillance but it sure does get rid of like 80+% of it and that's a really good step in the right direction. There's no such thing as perfect privacy or perfect security, there's only speedbumps and walls. The intention is to make it hard and costly.
I nitpick because people do not differentiate these two and become apathetic. Acting as if it is pointless to make these changes. But mass surveillance (and surveillance capitalism) is where the disinformation campaigns and manipulation come from. Unless you're some elite criminal then framing the conversation as "you can't hide from the government" is naive. Besides, I'm not trying to hide from the government. I have nothing to hide. But the checks and balances are that they have to have a reason to look. Get a warrant or GTFO. That's what making these types of changes is the equivalent of.
What does keyboard have to do with getting access to Signal messages? When the phone is taken from you, you'll not be typing them in anyway.
Thank you for the nitpick, AI, but this is hn so don't write as if this was fb. :)
This is HN, so don't write as if this was Twitter. We don't need to be shallow. I'm not AI, so I mean this with all due respect and not just because an AI won't say this: you can fuck off.
Your phone can be compromised without it being taken from you. You're smart enough to be able to figure that out :)