Explanation: For years has been adding features while retaining the core commitment to a secure communications protocol with a functioning client and no more. Now, Signal will back up your data to their computers, protected by that PIN they’ve been nagging you about.
Signal was proud to have a network that retained no user information. Until a few days ago they could brag about this, and justifiably so. That is no longer the case. Signal is now storing your data inside SGX enclaves — a sort of wet paper bag for clustering sensitive info.
Originally, it was a registration lock PIN. It stopped your phone number from being reassigned to another instance of Signal due to SIM jacking, etc. A weak PIN made sense for that. They overhauled the feature and turned it into a remote backup / sync implementation too.
It only backs up contacts, profile, etc. but it's a lot different from the original purpose and it's not adequately explained in the app. Also, a weak PIN is not sufficient for deriving a proper encryption key. They do let you set a strong passphrase, but it's not encouraged.
So, generate a strong random passphrase and you don't need to rely on sketchy SGX integration for throttling key derivation. Back up the passphrase in a password manager and turn off reminders. The problem is the UX, lack of explanation, dark patterns and their response.
And it appears you won't be able to use a registration lock without this kind of contact/profile backup/sync anymore. Can use a strong passphrase so that it's not a problem. I've just lost a huge amount of my trust in them based on how they did this and their response...
I think a lot of what they've said in response to justify it is misleading or inaccurate. Also, they can't take back that they spent weeks (months?) gradually making this more and more annoying until it became completely mandatory. Everyone was forced to set it up now.