signal w : privacy

[-] Nugscree@lemmy.world 14 points 1 week ago

That is exactly what they did, the user used a credit card with their damn name on it, while Proton even allows you to send them cash money for the service.

The FBI filed a MLAT (Mutual Legal Assistance Treaty) request which was processed by the Swiss Federal Department of Justice and Police.

The Swiss gave a legal binding order to Proton to hand over information that they had, the only information that was handed over was the payment identifier.

I don't get why people get hung up on a company complying with a legal order by their justice system, especially with Proton that could not hand over any more information.

[-] Ghostie@lemmy.zip 2 points 1 week ago* (last edited 1 week ago)

Same. It’s not like these companies can just say no to legal orders within the bounds of their laws. Even solo FOSS devs with their fledgling privacy centric messager apps would have to comply with their country’s laws. I also think a fair number of users that get outraged over it aren’t big on actually reading the privacy policies for the services they use. IMO Proton didn’t do anything surprising here if one reads that policy.

[-] glitching@lemmy.ml 1 points 1 week ago* (last edited 1 week ago)

The issue is them having any info to give out in the first place, it is a horrendous transgression for a shop that touts privacy as their thing.

Signal demonstrated that you can decouple payment info from account info and thus they ain't got nothing to produce, MLAT or not. The least Proton coulda done is mimic that tech.

edit: are you shills illiterate, what's your deal? signal also accepts payments, the kind normal people use, like CC and stuff. and they decoupled payment info from account info, so nobody can link John Smith, Fuckville, AL to account protonshill4lyfe@proton.yo

[-] ReluctantlyZen@ani.social 4 points 1 week ago

Signal demonstrated that you can decouple payment info from account info

How did Signal demonstrate this? Signal is not a paid subscription service

[-] bort@sopuli.xyz 2 points 1 week ago

The least Proton coulda done is mimic that tech.

Proton even allows you to send them cash money for the service.

load more comments (1 replies)

[-] JackbyDev@programming.dev 2 points 1 week ago

Proton even allows you to send them cash money for the service.

[-] Doomsider@lemmy.world 2 points 1 week ago

I have pointed this out to protards many times. The fact is there are solutions to not keeping this data on their servers. Then they have the audacity to blame the user.

A company that was concerned about privacy and not money would have already moved this data off their servers. Proton is a garbage company.

[-] Kekzkrieger@feddit.org 1 points 1 week ago

Proton allows payment with cash, so you can stay private, but if you use your credit card, your company will know and they have to store it in some way.

Not Protons fault in this case.

[-] leadore@lemmy.world 2 points 1 week ago

They don't have to store it.

[-] Nugscree@lemmy.world 1 points 1 week ago

That is not really the same, Signal is a donation and Proton is a subscription where a monthly (or yearly) request has to go to the payment provider for your fee, for this you need to keep the payment information on file and linked to the account. Signal can say I got donated by someone but they do not need to keep this information linked to a specific user, just the payment record (that still has your cc/bank details on it) for tax purposes.

[-] sveltecider@lemmy.ca 10 points 1 week ago

…email will inherently be a lot less secure than messaging, no matter what you do.

If you truly want to be private about something, don’t email it lol

[-] elephantium@lemmy.world 4 points 1 week ago

no matter what you do.

Even PGP?

...TBF, getting your counterparty to also use PGP is the heavy lift there.

[-] TechLich@lemmy.world 5 points 1 week ago

Security yes, privacy not especially.

PGP lets you encrypt the messages and sign them to digitally prove you sent them.

It doesn't help with the problem here which is that the metadata of who you are (the IP used to log into the webmail and the email address of the sender) and who you're talking to (the email of the recipient) and when (timestamps etc.) were able to be leaked.

In fact, depending on the implementation, PGP could be considered slightly worse for privacy because you'd have the added identity proof of the message having a signature that only you could create with your private key (although that's encrypted, it's a stronger identity proof than the sender email address). It also generally leaks the recipients' key IDs too (although that's configurable) PGP is great for accountability, message confidentiality and non-repudiation. Not so much for privacy. For that you'd need other systems.

[-] elephantium@lemmy.world 2 points 1 week ago

Good point re: metadata. Keeping that private is an underrated aspect of security.

[-] Avicenna@programming.dev 2 points 1 week ago

People like Jeffrey Epstein running one of the biggest blackmail networks in the planet and at the same time blatantly emailing each other about it from gmail really amazes me. Either they are that stupid or powerful enough that they just don't care.

[-] Kacarott@aussie.zone 1 points 1 week ago

Is it really so hard to make it secure? If both parties are using some kind of secure email client, couldn't the clients just encrypt and decrypt the subject/content?

[-] UnfortunateShort@lemmy.world 8 points 1 week ago* (last edited 1 week ago)

Don't hate the player. You can't send mail with E2E encrypted headers and you can't leave payment data and expect Proton to violate regulations and delete it.

Signal has to deal with neither of these issues.

load more comments (10 replies)

[-] ReluctantlyZen@ani.social 7 points 1 week ago* (last edited 1 week ago)

This comparison makes no sense.

Signal doesn't have payment data. It's not a paid service. Proton is a paid subscription service and that payment data needs to be accessible in order to charge the user and they're not a payment processor.

[-] leadore@lemmy.world 7 points 1 week ago

The fact that it's a paid service doesn't mean they have to keep your PID and payment info on file. I use posteo.de for my email, which is a paid service. But my payment info is only used during the payment process and they don't keep it on file once they receive the payment. You buy like 12 or 20 months and have that many credits. When it starts to get low, you buy some more.

[-] Taldan@lemmy.world 2 points 1 week ago

Proton let me delete the payment information between charges, but they certainly made it a painful process. I had to email support

[-] edg@lemmy.world 0 points 1 week ago

What if a user donates to Signal?

[-] ReluctantlyZen@ani.social 1 points 1 week ago

Not sure, they do seem to store something (pretty unclear what though), but I'm guessing that can be fully decoupled from a user's account, since it's unrelated to the actual service.

[-] RAFAELRAMIREZ@lemmy.world 5 points 1 week ago

When a service can only hand over a timestamp, that’s when you know the encryption is doing its job. 🔐

[-] Ghostie@lemmy.zip 4 points 1 week ago* (last edited 1 week ago)

Just saw someone claim Signal was a honeypot the other day, no sources of course. Then this info comes out.

[-] white_nrdy@programming.dev 4 points 1 week ago

I hate this sentiment. I was part of a bachelor party, and we had a group chat going. Had Android/iPhone users, so it was just a MMS chat. I suggested we use signal, and one of the iPhone users goes on a rant

"I'm not gonna use Signal. It's just a honeypot for the CIA. Why else would they fund it if they didn't get any value out of. It's obviously a honey pot"

[-] Cort@lemmy.world 3 points 1 week ago

I'm not gonna use Signal. It's just a honeypot for the CIA.

No you're thinking of telegram.

[-] white_nrdy@programming.dev 1 points 1 week ago

So there is actually disinfo about it being funded by the CIA. I had heard it was, and tbh didn't care too much. I figured they funded it because they used it and got value. It's well audited so I trust it. Only learned it's disinfo when I looked for a source to include in my original reply

https://euvsdisinfo.eu/report/us-intelligences-services-control-the-signal-app/

[-] JackbyDev@programming.dev 2 points 1 week ago

Do they think MMS is magically invisible?

[-] SuspiciousFlop8964@sh.itjust.works 4 points 1 week ago* (last edited 1 week ago)

Service A is compelled to hand over all the data it has on a user

They comply

Service B is compelled to hand over all the data it has on a user

They comply

"And that's how it's done!"

[-] bss03@infosec.pub 1 points 1 week ago

Proton has the disadvantage of having to work with other email services as well, so there's protocol limitations. When mailing from one Proton mailbox to another, they do intentionally avoid SMTP for this reason, but Signal has the advantage of "owning" the whole protocol, too.

I imagine if you donate with a CC to Signal, they might also be forced to turn that over. The weakness is not in Signal or Proton, but in the Visa/Mastercard duopoly and CC processing in general. Cryptocurrency has some advantages here, but they are outweighed by the abuse, fraud, speculation, and general dishonestly (and just general failure to be good currencies for "normal" purchases.)

[-] bonenode@piefed.social 3 points 1 week ago

One is a messenger the other is using the e-mail protocols, aren't there differences in how the metadata is possible to be encrypted between those too. Just wonder if this is a fair comparison.

load more comments (1 replies)

[-] LordOfLocksley@lemmy.world 1 points 1 week ago

God, I wish more people used Signal

[-] paequ2@lemmy.today 1 points 1 week ago* (last edited 1 week ago)

I've been using Signal more to test if I can recommend it to other people... it's mostly like WhatsApp, which is good...

Except, can we please disable all of those god damn popups. Everyday: "Hey! Verify your pin!", "Hey! Verify your LONG ASS recovery key!", "Hey, plz donate!", "HEY! I couldn't start a backup", "HEY LOOK AT ME!"

[-] white_nrdy@programming.dev 1 points 1 week ago

I have never been asked to verify my recovery key.
It asks to verify pin once a month. Which I think is fair, since it can help you recover from a lockout / transfer your device.
backups are important, but they can also be disabled
Donating to open source projects is important, as it's a large portion of their funding.

[-] bss03@infosec.pub 0 points 1 week ago* (last edited 1 week ago)

I agree with all your points, BUT I do think Signal could be slightly less "user-hostile" with the reminders, maybe?

I get annoyed at the pop-ups in my Linux system, too, and all of them are got similarly legitimate reasons. Getting the way of my current task (or worse stealing focus) doesn't ever seem like the "right" way for computers/tools to behave.

[-] white_nrdy@programming.dev 1 points 1 week ago

How obtrusive are the popups? Are you on iPhone or Android? The pin verify popup is like 20% of the screen at the bottom for me. And it's nearly the same color as the background, so I sometimes don't even notice it. Or at least, I finally see it and think "how long has that been there?"

I agree that some things can probably be scaled back. But wouldn't it be an even worse experience if someone forgot their pin, and thus was unable to access their data?

load more comments (2 replies)

[-] VitoRobles@lemmy.today 1 points 1 week ago

I don't like Proton after the CEO posted the pro-Trump statement and did not use them after that.

Its really weird how people are blaming Protonmail when it was the Swiss government that complied with the FBI. That to me is really suspicious. The US government is currently not a trusted source of accuracy, and for the Swiss to readily agree to it?

Worse, the chuds blaming the proton user?

Protonmail is used by a lot of reporters/whistleblowers. As what point is their work also a threat to the US government and will the Swiss force Protonmail to hand that over too?

[-] Cattail@lemmy.world 1 points 1 week ago

Ain't gonna stop me from shit posting about group chat leaks on signal

[-] notabot@piefed.social 0 points 1 week ago

This is why it's always struck me as unreasonable for proton to claim they care about user privacy. If they did, they wouldn't provide an email service, as it is inherently impossible to adaquately protect the metadata if it is sent to a different mail server. A better approach would be for them to explain why you can have email or privacy, but not both, and to point people to a separate service if they insist on email, so it is decoupled from any of their other services. Accepting payment through a means that isn't tied to your personal identity would be a good step too.

[-] JoshuaFalken@lemmy.world 0 points 1 week ago

Accepting payment through a means that isn't tied to your personal identity would be a good step too.

They do accept bitcoin, and if that's not private enough, they also let you mail them cash in an envelope.

[-] frongt@lemmy.zip 0 points 1 week ago

Mailing cash is probably less private. Your mail is postmarked, and can be tracked. The serial numbers on the bills can be tracked too. Not to mention the envelope itself, fingerprints, possible DNA in the saliva when you licked it to seal it, your handwriting or printing to address it, how unique the stamp is...

[-] testaccount372920@piefed.zip 1 points 1 week ago

Only if all that information is collected and stored. Digital finance systems tend to track every transaction and keep a record of them (because of legal requirements among other reasons). With cash in an envelope a government can't check all the info you suggested a year after the payment has happened, perhaps not even after a few days.

Privacy