
Signal clearly looks like a front shop to collect metadata for US intelligence services.

Their reliance on phone numbers for sign in, their release strategy, their attitude towards unofficial clients, their marketing of e2e encryption... all fits.



Except Signal's client is open source with reproducible builds that have been audited. Their crypto is open, based on standard primitives, and has also been audited. It's also true E2E encryption with alerts on key changes.

The only weakness clear to me is the US could force them to release a compromised client. But then auditors would probably notice within weeks, or even days, and their reputation would be ruined forever.



The corresponding submission: https://news.ycombinator.com/item?id=44240318


That's a shame. Still on the whole Signal seems far ahead of Telegram. Hopefully users who need the extra security will be taught to enable that setting.


But is it far ahead of Matrix?


Does Matrix default to E2E yet? With forward secrecy?

If so, great! More is better.



Don't know about that.

https://discuss.privacyguides.net/t/so-can-pfs-be-enabled-in...

According to this, it by default implements it for batches of 100 messages or something. And for slow-paced messaging, it is quite a lot. No idea why, maybe doing it somehow else would make the already bad performance even worse.



A few relevant links:

https://news.ycombinator.com/item?id=39445976

https://news.ycombinator.com/item?id=29888228

https://news.ycombinator.com/item?id=42788647

Also, Signal forces you to use Android or iOS while knowing that "Apple and Google confirm governments spy on users through push notifications", https://news.ycombinator.com/item?id=38555810

Matrix is the actual solution.


Your links are a bunch of user comments?

The push notification payloads don't contain message/sender data. Signal also runs fine without Google services, which avoids any potential problem entirely.


> Your links are a bunch of user comments?

They themselves contain the actual links and also relevant discussions. One more link: https://github.com/signalapp/Signal-Android/issues/13842

> The push notification payloads don't contain message/sender data.

The other metadata may be important too.

> Signal also runs fine without Google services, which avoids any potential problem entirely.

Not everybody is able to avoid Google services on their phone. I can't run it on a desktop (or GNU/Linux phone) without a connection to an Android phone.


SIM hijacking is a thing. Telcos also control phone numbers.

I have never understood the unflinching attitude towards Signal relying on phone numbers.


Do any of the founders or board members of the Signal Foundation show any indication of supporting that?



