I'm currently in the progress of deleting whatsapp and migrating to signal.
The hardest part of it is dealing with friends and family. I informed them about the incoming whatsapp-deletion tomorrow and the results were mixed. One friend told me she will not use signal, but i haven't talked with her that much anyway so... My mother asked me "can you not do this because i don't have space left on my phone?", my father told me "can you tell me about [...] before you go offline?", 2 people don't seem to care, and only my cousin contacted me on signal yet.

I have signal for 3 years now and even invited people to it, but i got the expected response "but all my friends are on whatsapp". Until recently i was the one with the shitload of messengers on my phone but some people can't be bothered to install a second one because i want to take one step (out of many to follow) to widen my privacy.
I'm really pissed by now and will declare any contact lost due to this as collateral damage.

Why move from WhatsApp to widen privacy? WhatsApp is encrypted is it not?

@nullableint nearly 🤓

@nullableint it is, but on the other hand it belongs to facebook. And you're propably aware of how deeply facebook tracks its users. I don't know what data they collect but i'll also delete other apps and switch to lineage this year.

Edit: whatsapp claims to be e2e-encrypted, but you can't be sure. And if you look at it's history you want to facepalm hard (unencrypted first, then unencrypted but on a port for encrypted communication, then encrypted and now they adopted signal's protocol)

@krister-alm

How so?

@YouAreAPIRate
Didn’t Zuckerburg just go in front of Congress and confirm that they don’t see the content of messages used in WhatsApp?

@nullableint see responce above

@nullableint they don't see the content (that's e2e-encryption), but there is metadata. They can see the data packets and can guess how much messages i send, whom i send this to and where i am.
Signal's servers are in the google cloud, so technically google can see those things too. But signal also incorporates webrtc which enables p2p-connections without the need for a server. So even if google tracks signal users (which is unlikely imo) they can't see all the things facebook can.

Ahh, I see. I had no idea about any of that, I’m not clued up on encryption at all really. Suppose every day is a school day 😂

I really want to switch to Wire so bad, but everybody is just staying on WhatsApp. D:

@YouAreAPIRate why do you think it’s unlikely that google tracks signal users?

@abhishekb imagine someone running his program on your server. For simplicity we assume there are no logfiles. To track the users communicating over this program you would have to modify the program or read its memory or do an (potentially expensive) analysis based on the incoming data packages.
I don't know the details of the signal protocol so i can't say if metadata collection would be easy or hard for google. But i believe most ways to do this are either legally questionable or too expensive and the already existing tracking methods (i am writing this from an android) are good enough.

.

@fun2code i might have mistaken something when reading the (german) wikipedia-article. Signal uses google cloud messaging on android which gives google the potential ability to track users (see paragraph "security"). But it says nothing about the signal servers themselves. My bad.

Signal also says they only keep necessary data as long as needed and i believe them on that.

@fun2code oh, and they do domain-fronting to prevent censorship and use google-servers for that. But i don't know how much more data google gets from people who use that.

I want to move away from WA for years now. But there are just 2 important notif groups I need to keep in. And people dont respond or pick up calls if it’s not over WA... :/

@YouAreAPIRate I use AWS at work. The amount of metrics that AWS collects about the application is pretty scary. I assume GCP does the same. I believe these companies have the resources to perform all sorts of expensive computations if it serves their purpose. And btw Google just stopped doing domain fronting.

@abhishekb Could you please link me to any sources online about what kind of scary metrics aws collects? Curious.

@fun2code Nope, Amazon AWS.

I want to do the same with Facebook messenger and Telegram so hard. The only problem is that literally none of the people I know use Telegram, only the ones I've met in a random Telegram channel.

@nullableint @krister-alm @YouAreAPIRate

In any case you have to trust the service provider on their blue eyes as for the backend anyways.

Its publicly known (tos) that WhatsApp collects metadata. Next to that it is indeed owned by Facebook of which we all know their practices by now. Their app is closed source as well so you'll except for believing Facebook on its blue eyes, you cant check shit.

With Signal you can at least check its source code. Next to that, its developed by one of worlds best cryptographers and security specialists. they're very open on what they collect (timestamp of registration rounded to the day and timestamp of last connection time, also rounded to the day, BCrypt hashes of contacts IF you allow it, your phone number and some IP addresses are retained in the RAM memory for up to one day for security purposes).

Notifications go through Google if Google services are installed on the phone, otherwise a persistent connection is maintained with the signal servers (I don't have Google apps installed on my phone but notifs work great).

Signal has been audited to great success, they use a special technique to bypass censorship (domain fronting) and they seem to store as little as possible while the app is open source.

@sisakmarton If you want to use Telegram, go ahead! Just know that its security and privacy isn't great (source: many security/crypto/privacy experts from around the world)

@linuxxx a great summary. Can you tell me how to see if those google services are installed and what you mean by that? I have a bunch of google apps i can't seem to delete on my phone and would like to know if these change signal's behaviour.
Of course i'll only be free after i switch to lineage or smth else.

@linuxxx telegram once had a vulnerability where anyone could impersonate the server and read sent messages. Real cryptographers would have never let this happen, but the telegram guys are mathematicians and did their own crypto. That's like me cooking something exotic for the first time, the result will cause stomach pain just by looking at it too.

@tacticalKimchi If you're using any of their software services on top of their infra, any runtime parameters offered by that software is available to the service consumer via dashboards like CloudWatch (extensively documented) and therefore is also available to amazon.

If you're running your own software and just consuming their infra, they have access to the memory being used by the software and any network bytes that software is exchanging on the network.

As @linuxxx said in his post, it comes down to your trust on the service provider and their tos.

@YouAreAPIRate If you see Google apps which you cant delete, Google apps (gapps) are/is installed.

@abhishekb It also comes down to privacy and security practices the apps follow

@linuxxx of course. You are in no place to blame google and amazon if you’re writing usernames and passwords to the log.

@abhishekb Well that wasn't really my point but true yes haha

@linuxxx my phone also came with a bunch of microsoft apps (evernote, skype, onedrive...) but those got deactivated asap. Why do phones always come with a load of crapware that just says "please insert phone into mouth and suck gently for the next year, until the next model comes out"?