Michał "rysiek" Woźniak · 🇺🇦

#Signal needs to decide if it wants to be an IM or a social network.
signal.org/blog/introducing-st

If you are trying to "give the people what they want", maybe roll out new features like that as opt-in, not opt-out? If people *really* want it, they will enable it, right?

What happened to getting consent?

But I think we all know people who *already are on Signal* might not actually want "Stories". This is aimed at getting new people; on farming that sweet sweet MAU.

I find that very meh.

#InfoSec

4 comments
Michał "rysiek" Woźniak · 🇺🇦

Apart from the consent issue (which I think is major), there is also added risk.

More code means more bugs means more attack surface. #Signal is used by, and in fact it is *marketed at*, people at-risk: journalists, activists, and so on.

Adding such a weirdly unrelated feature adds a bunch of potentially vulnerable code, and also adds a lot of complexity for the user. And, for #InfoSec people who might be responsible for helping that user stay safe using Signal.

Michał "rysiek" Woźniak · 🇺🇦

Finally, if #Signal insists on getting deeper and deeper into social-network territory, this might expose it to additional regulatory burden.

There are laws and regulations that specifically focus on social networks, but not necessarily on IM systems.

By crossing that line (as blurry as it is), Signal exposes itself to more *legal* risk and potential legal trouble, at a time where plenty of legal challenges already exist for encrypted communication tools (consider #ChatControl).

#InfoSec

Michał "rysiek" Woźniak · 🇺🇦

We *need* safe, encrypted, privacy-respecting IM.

For all its flaws (its centralized nature, using phone numbers for identifiers), #Signal has emerged as a kind of standard, reasonably trusted IM in the journalist-activist space.

With all the time and effort put into moving people over to it by activists and #InfoSec professionals like myself over the years, risking that to farm a bit more MAU feels like… betrayal.

I did a "drunken rant" talk about this at #MCH2022
media.ccc.de/v/mch2022-196-sig

Killab33z O.G.

@rysiek I enjoyed your talk at #MCH2022.

Most people didn't care when #Signal:

1. Started using Google and Amazon servers for their infrastructure.
2. Refused to look into federation resulting in it being blocked in certain countries and people having to run proxies...
3. Refused to add the app to the #FDroid store.
4. Put a #cryptocurrency into it with no public code updates for 1 year. The famous #MobileCon.

How is Signal still trusted at all? And now social media is just 200% lol
