Signal Should Improve Visualization of Its Privacy Properties

Recent articles
About this blog
How to use this blog efficiently
Subscribe to one of my feeds:
- links only feed (most reliable)
- article teaser feed
- full content feed
TBD: Per Tag Feeds
TBD: Archive
Top tags:
- software (265)
- pim (171)
- hardware (121)
- austria (83)
- graz (77)
- emacs (75)
- security (68)
- cloud (63)
- privacy (62)
- diy (62)

It got complicated. In my opinion, we do need an overview, what information is visible/exposed/known to/by whom when using the Signal messenger software.

Until a few years ago, the situation was somewhat simple: there was your phone number, E2E encrypted content and some meta-data on the conversation and list of contacts. There were some analysis by Signal and external parties. All fine.

However, in the meantime, we've got additional features that complicated the situation in a way that even security savvy people don't know the details.

It's Complicated

Instead of phone-number only accounts, we do have:

Contact by phone number
Contact by Signal user alias name
Contact by Signal QR Code (same information exposure as user alias name?)
Contact added by Signal user alias name (or QR) but I've allowed access to more data myself
Even more?

This holds true for both sides of a person-to-person chat in any combination possible.

Then we've got video and audio calls.

Furthermore the chat rooms with multiple users of various kind (see list above).

For example, what is exposed from a phone number user in a multi-person chat room to a different user who joined via chat room QR code? Does he/she see all phone numbers? Also from people joined via username? Is that even possible?

You see, there are many variables and a growing number of use-cases where I have no idea what privacy implication this means in practice.

And don't get me started with file attachments. Which file meta-data is removed before uploading by the uploader's Signal client? Is this all the same for Android, iOS and the Desktop app? Who sees the original file name of the uploaded file?

My Proposal

My proposal is a web form like the following:

Source contact (Alice):

How did Alice join? Contact joined Signal via phone number
Contact joined Signal via user name only
Contact joined multi-person chat room via phone number
Contact joined multi-person chat room via room QR code
(whatever options do apply as well)

Target contact (Bob):

How did Bob join? Contact joined Signal via phone number
Contact joined Signal via user name only
Contact joined multi-person chat room via phone number
Contact joined multi-person chat room via room QR code
(whatever options do apply as well)

Doing what? (maybe a multi-select?)

Actions Alice writes a simple text message to Bob
Alice writes a simple text message to a group chat that includes Bob
Alice writes a simple text message with a GIF
Alice contact adds a JPEG file as attachment
Alice contact adds a PDF file as attachment
Alice starts a voice call
Alice starts a video call
(whatever options do apply as well)

When somebody selects a certain combination, a generated summary appears below, listing all the (meta-)data for that specific combination which is exposed to the following parties:

Known to Alice, the sender
Known to Bob, the reveiving side
Known to Eve: Signal Technology Foundation as well as any third party which is able to force Signal to give away data for surveillance of some sort
Known to any other external parties such as GIF providers, phone network providers, ISPs, …

If there are any version-specific variations, this should be mentioned as well. I'm personally fine with "this applies to the most current application versions as they are (+ list of their exact versions)".

In the best case, this little web tool is maintained by the Signal Technology Foundation. However, I also take something maintained by the community as longs as its results are trustworthy.

The Benefit

This should help anybody who is interested to know, what is exposed to whom in which situation.

If you know of any service that does that already, drop me a line and I add it here.

Comment via email (persistent) or via Disqus (ephemeral) comments below: