
I've been a user and supporter of Signal for years. I've disagreed with various design decisions, but there has always been sensible reasoning behind their decisions based on facts and logic. I only used to disagree on certain priorities and had faith in them. No longer the case.
The recent controversy over the replacement of the registration lock PIN with a mandatory sync feature is a symptom of broader issues. The main issue I have with it is not their design decision but rather how they've presented it and responded to valid criticism and questions.
Signal already had an encrypted backup feature with a strong key. It could be made more usable by using a seed phrase instead of presenting the user with a bunch of numbers. Having users select credentials, especially when they're encouraged to use a weak PIN, is much worse.
They're presenting this as something they have to do to support usernames. It's not true. My question at twitter.com/DanielMicay/st was left unanswered. If they had modern storage support, users could also choose to store their encrypted backups via the sync service of their choice.
Quote Tweet
Replying to @moxie @RichFelker and 2 others
What's wrong with having it locally in the Signal app and relying on the same encrypted backup / restore feature as everything else? System contacts are also local data with the option to do backup / restore.
It was inaccurately claimed that the ability to do local backups is going away. That couldn't be further from the truth. I responded to that at twitter.com/DanielMicay/st. Again no response, but they continue to make these kinds of false claims despite it clearly not being accurate.
Quote Tweet
Replying to @moxie @RichFelker and 2 others
Backing up locally via SAF works fine. No need for the deprecated Storage permission. The app can request persistent access to a directory for backups and the user just chooses the backup directory via SAF and the app. Can't something similar be done on iOS via their equivalent?
I replied to at twitter.com/DanielMicay/st noting the PIN existed before as a useful registration lock feature and the importance of securing the app for how most people use it, not just power users. It encourages a weak PIN for sync. blocked me for that tweet.
Quote Tweet
Replying to @chrisrohlf @signalapp and @moxie
Hopefully as a toggle so that it's still possible to have a registration lock PIN without contact syncing, as it was before this was introduced. Most people are going to use the defaults so that's what really matters, and a user-generated PIN + SGX is not a secure approach.
Again, Signal already has an encrypted backup / restore mechanism (at least on Android) with a strong key generated by the app. This sync feature is only secure if users realize they can and should set a strong passphrase and do it. The app encourages a weak PIN + they make it...
... seem like that's fine based on using SGX when it's an extremely problematic approach that's ultimately unworkable. The reliance on SGX is at serious odds with past design choices: end-to-end encryption, encrypted backup / restore with a strong key, etc. Also again, my main...
... issue is not these recent design decisions but rather how they've handled the response to it including valid criticism. Repeatedly making false claims, misrepresenting criticism/suggestions and responding with a holier-than-thou attitude, platitudes and fallacies. Bad look.
It's possible to set a strong passphrase as this PIN and avoid depending on SGX security. The issue is how they've converted an existing feature, the lack of a proper explanation for users, their dismissive response to valid criticisms about it and inaccurate/misleading claims.
They did such a good job designing features like link previews and profiles in a privacy-preserving way. Don't understand how they go from that to this. Bonus of a response resembling a cover-up hand waving away the criticism + blocking people with legitimate questions/concerns.
A weak PIN was fine for the registration lock feature, but it doesn't work well as a way of deriving a meaningful encryption key. Adding a way to opt-out doesn't change that they encourage doing this and it looks like you won't be able to just set a registration lock like before.