****** DONE Signal Should Improve Visualization of Its Privacy Properties :blog:software:security:privacy:
CLOSED: [2025-10-12 Sun 16:49] SCHEDULED: <2025-10-12 Sun>
:PROPERTIES:
:CREATED: [2025-09-30 Tue 08:38]
:ID: 2025-09-30-Signal-Privacy-Properties
:END:
:LOGBOOK:
- State "DONE" from "TODO" [2025-10-12 Sun 16:49]
:END:

It got complicated.

In my opinion, we do need an overview of what information is visible/exposed/known to/by whom when using the [[https://en.wikipedia.org/wiki/Signal_(software)][Signal messenger software]].

Until a few years ago, the situation was somewhat simple: there was your phone number, [[https://en.wikipedia.org/wiki/End-to-end_encryption][E2E encrypted]] content and some meta-data on the conversation and list of contacts. There were some analyses by Signal and external parties. All fine.

However, in the meantime, we've got additional features that complicated the situation in a way that even security-savvy people don't know the details.

******* It's Complicated

Instead of phone-number-only accounts, we do have:

- Contact by phone number
- Contact by Signal user alias name
- Contact by Signal QR Code (same information exposure as user alias name?)
- Contact added by Signal user alias name (or QR) but I've allowed access to more data myself
- Even more?

This holds true for both sides of a person-to-person chat in any combination possible.

Then we've got video and audio calls.

Furthermore, the chat rooms with multiple users of various kinds (see list above).

For example, what is exposed from a phone number user in a multi-person chat room to a different user who joined via chat room QR code? Does he/she see all phone numbers? Also from people joined via username? Is that even possible?

You see, there are many variables and a growing number of use-cases where I have no idea what privacy implications this has in practice.

And don't get me started with file attachments. Which file meta-data is removed before uploading by the uploader's Signal client? Is this all the same for Android, iOS and the Desktop app? Who sees the original file name of the uploaded file?

******* My Proposal

My proposal is a web form like the following:

#+BEGIN_HTML
How did Alice join?




How did Bob join?




Actions






#+END_HTML

When somebody selects a certain combination, a generated summary appears below, listing all the (meta-)data for that specific combination which is exposed to the following parties:

1. Known to Alice, the sender
2. Known to Bob, the receiving side
3. Known to [[https://en.wikipedia.org/wiki/Alice_and_Bob][Eve]]: Signal Technology Foundation as well as any third party which is able to force Signal to give away data for surveillance of some sort
4. Known to any other external parties such as GIF providers, phone network providers, ISPs, ...

If there are any version-specific variations, this should be mentioned as well. I'm personally fine with "this applies to the most current application versions as they are (+ list of their exact versions)".

In the best case, this little web tool is maintained by the Signal Technology Foundation. However, I also take something maintained by the community as long as its results are trustworthy.

******* The Benefit

*This should help anybody who is interested to know what is exposed to whom in which situation.*

If you know of any service that does that already, drop me a line and I'll add it here.