• LWD@lemm.ee
    link
    fedilink
    arrow-up
    34
    arrow-down
    2
    ·
    9 months ago

    Is there a reasonable alternative, though? Email addresses? Adding a cryptographic challenge to prevent somebody from generating tons of accounts?

    As far as phone numbers go, I’m not a big fan of Signal having them, but I definitely prefer not having to give them out! That change is a huge deal to me, as I can now communicate with people without handing them a phone number. And Signal has provided their client and server source code, along with evidence that their servers store absolutely nothing.

    Nowadays, the most likely way your Signal data will get leaked is if somebody screenshots it.

    • kixik@lemmy.ml
      link
      fedilink
      arrow-up
      6
      ·
      9 months ago

      Jami doesn’t require a phone number, which is p2p. Xmpp (+ Omemo) doesn’t require a phone number and it’s federated… I mean, if a service is willing to rid of phone numbers, it’ll do totally without them.

    • vorpuni@jlai.lu
      link
      fedilink
      arrow-up
      3
      ·
      9 months ago

      The challenge of having your device solve a nasty PoW that takes minutes would not deter most people: a timer once is better than evil captchas, phone numbers, etc. I don’t understand why they use hCaptcha and not that.

      • LWD@lemm.ee
        link
        fedilink
        arrow-up
        10
        ·
        9 months ago

        If one computer can create a single spam account every few minutes, imagine how many total spam accounts could be created by a small farm of computers, in a single day.

        • vorpuni@jlai.lu
          link
          fedilink
          arrow-up
          1
          arrow-down
          1
          ·
          9 months ago

          A lot, but farming phone numbers from poor countries is also cheap and Signal sends them insanely expensive SMS. There is no perfect solution, spammers aren’t stupid. Since Signal is centralised they can enforce PoW incrementally if they get reports for spam, I still think it is way better than hCaptcha which is garbage.

    • RandoCalrandian@kbin.social
      link
      fedilink
      arrow-up
      4
      arrow-down
      6
      ·
      9 months ago

      It’s the signal metadata that they want to keep associated with an identity

      They still can fulfill government requests for who is talking to who and how often

      • LWD@lemm.ee
        link
        fedilink
        arrow-up
        9
        ·
        9 months ago

        Only the recipient number has been in the messages, so unless Signal servers have been compromised, and they’ve figured out how to associate sender IP addresses with phone numbers, and they’ve never been caught by the multiple government demands from them… I think it’s fair to say

        1. they probably don’t keep these logs, and
        2. they made it about as hard as possible to do
      • cjf@feddit.uk
        link
        fedilink
        English
        arrow-up
        7
        ·
        9 months ago

        Got proof for that last claim?

        I thought their sealed sender feature was meant to prevent exactly this scenario.