What are the reasons to use Signal over Telegram

stomata@sh.itjust.works

Telegram is not end to end encrypted. Repeating it's not. Only private mode or something like that is.

thehobbyist@lemmy.zip

If you open the latest instance, from August 2024, you will find a California government request, for a number of phone numbers.

The second paragraph of that very page says:

Once again, Signal doesn’t have access to your messages; your calls; your chat list; your files and attachments; your stories; your groups; your contacts; your stickers; your profile name or avatar; your reactions; or even the animated GIFs you search for – and it’s impossible to turn over any data that we never had access to in the first place.

They respond to the request with the following information:

6. The responsive information that Signal possessed was:

a. REDACTED: Most Recent Registration: 2023-01-31 T19:42:10 UTC; Most Recent Login: 2023-01-31 T00:00:00 UTC.

b. REDACTED: Most Recent Registration: 2022-06-01 T16:30:01UTC; Most Recent Login: 2022-12-12 T00:00:00 UTC.

c. REDACTED: Most Recent Registration 2021-12-02T03:42:09 UTC; Most Recent Login: 2022-12-28 T00:00:00 UTC.

The redacted values are the phone numbers.

That is the full extent of their reply. No other information is provided, to the government request.

dyskolos@lemmy.zip

You don't say? A cloud-service I can access from all devices plus API and bots is not e2e-encrypted with zero knowledge?
I'm shocked. That's what "secret chat" is for. Literally.

They chose this way as the regular Joe and Jane don't care for privacy but for comfort.
You can never ever have both. Nowhere.

I love tgram for it being so open. And e2e when I need it. I don't need privacy for when my smarthome sends me notifications about a light I left on or something

aria@lemmygrad.ml

We can't verify that. They have a vested interest in lying, and occasionally are barred from disclosing government requests. However, using this as evidence, as I suggested in my previous comment, we can use it to make informed guesses as to what data they can share. They can't share the content of the message or calls -- This is believable and assumed. But they don't mention anything surrounding the message, such as whom they sent it to (and it is them who receives and sends the messages), when, how big it was, etc. They say they don't have access to your contact book -- This is also very likely true. But that isn't the same as not being able to provide a social graph, since they know everyone you've spoken to, even if they don't know what you've saved about those people on your device. They also don't mention anything about the connection they might collect that isn't directly relevant to providing the service, like device info.

Think about the feasibility of interacting with feds in the manner they imply. No extra communication to explain that they can't provide info they don't have? Even though they feel the need to communicate that to their customers. Of course this isn't the extent of the communication, or they'd be in jail. But they're comfortable spinning narratives. Consider their whole business is dependant on how they react to these requests. Do you think it's likely their communication of how they handled it is half-truths?

aria@lemmygrad.ml

Your client talks to their server, their server talks to your friend's client. They don't accept third party apps. The server code is open source, not a secret. But that doesn't mean it isn't 99% the open source code, with a few privacy breaking changes. Or that the server software runs exactly as implied, but that that is moot since other software also runs on the same servers and intercepts the data.

dessalines@lemmy.ml

California does not issue NSLs, the US federal government does. And those come with gag orders that means you will go to federal prison if you tell anyone that you've been asked to spy on your users.

dessalines@lemmy.ml

They have to. They can't route your messages otherwise.

dessalines@lemmy.ml

There was also no proof that a ton of US companies were spying on their users, until the global surveillance disclosures. Crypto AG ran a honeypot that spied on communications between world leaders for > 40 years until it got exposed.

dessalines@lemmy.ml

On by default, and just works.

emergencyfood@sh.itjust.works

It really depends on who your friend is, and who they are trying to defenf against.

If the US ( or Russian / Chinese) government really wants to access an internet-connected device, they can do it; what app you are using doesn't even matter. For example, most people use the default Google keyboard, which could be compromised.

If the concern is about local goons / employers / coworkers, then both Telegram and Signal are more than enough to stop them prying.

As for whether to use Signal or Telegram, Signal has end to end encryption enabled by default, while in Telegram you have to switch it on for each chat. On the other hand, Telegram has the best UI among messaging apps hands down.

dessalines@lemmy.ml

They have your phone number (meaning your full identity, and even current address), and as the primary identifier, it means they have message timestamps and social graphs.

Its impossible to verify what code their server is running. You should never rely on someone saying "just trust us". Truly secure systems have much harder verifiability tests to pass.

boomkop3@reddthat.com

Yep, and this allows for proper content moderation. Telegram can actually just find and report creeps to authorities

dessalines@lemmy.ml

The server is supposedly open source, but they did anger the open source community a few years back, by going a whole year without posting any code updates. Either way that's not reliable, because signal isn't self-hostable, so you have no idea what code the server is running. Never rely on someone saying "just trust us."

thehobbyist@lemmy.zip

They have to know who the message needs to go to, granted. But they don't have to know who the message comes from, hence why the sealed sender technique works. The recipient verifies the message via the keys that are exchanged if they have been communicating with that correspondent before or else it is a new message request.

So I don't see how they can build social graphs if they don't know who the sender if all messages are, they can only plot recipients which is not enough.

thehobbyist@lemmy.zip

Are you implying that Signal is withholding information from the Californian Government? And only providing the full extent of their data to the government?

This comes back to the earlier point that there is no proof Signal even has more data than they have shared.

dessalines@lemmy.ml

If you don't know what an NSL is, then you definitely shouldn't be speaking about privacy.

dessalines@lemmy.ml

But they don't have to know who the message comes from, hence why the sealed sender technique works.

Anyone who's worked with centralized databases can tell you that even if they did add something like that, with message timestamps, it'd be trivial to find the real sender of a message. You have no proof that they even use that, because the server is centralized, and closed source. Again, if their response is "just trust us", then its not secure.

dessalines@lemmy.ml

Behind those usernames, are phone numbers (meaning real identities) stored in signal's database.

tartas1995@discuss.tchncs.de

As far as I know telegram requires a phone number too.

And the conversation was about "talking to strangers without giving them your number", not without giving signal nor telegram your number.

9tr6gyp3@lemmy.world

Right but Signal has been audited by various security firms throughout its lifetime, and each time they generally report back that this messenger has encryption locked down properly.