Have you lost Signal?
The Signal Foundation / Signal Messenger has had some interesting developments over the past few years. Some of the changes have raised alarms, seeding a mix of distrust and exodus from the popular encrypted messenger.
Full disclosure, I am a Signal user and have been since its inception. Even with these concerns in mind, I will likely continue to use Signal for the foreseeable future.
Funding - A Sidestepped Conversation
Signal Foundation was funded by the following:
- Open Technology Fund (OTF)
- Radio Free Asia
Why does this matter?
OTF is funded and controlled by the U.S. government agency U.S. Agency for Global Media (USAGM), which oversees state media outlets like Voice of America. This raises concerns about the OTF’s independence and true commitment to online freedom and privacy, as it is essentially an extension of U.S. government interests. The OTF was previously managed by Radio Free Asia, which has been described as part of a “worldwide propaganda network built by the CIA.” More recently, OTF has pushed to fund closed-source technology.
In essence, the OTF’s close ties to the U.S. government, past association with propaganda efforts, allegations of mismanagement, and recent pivot towards closed-source technology have undermined its credibility among the privacy and open-source communities it claims to support.
How much money Signal received from the U.S. government is difficult to determine, as Moxie and Open Whisper Systems have been less than transparent. If you add up the information that’s been publicly released by the Open Technology Fund, the Radio Free Asia conduit that funded Signal, we know that Moxie’s group received at least $3 million over the span of four years — from 2013 through 2016. That’s the minimum Signal received from the federal government.
Perhaps this was all in good faith with no strings attached; however, they were not transparent about funding and avoided the conversation altogether.
Related New York Times article from 1977 highlighting Radio Free Asia. [1]. [2].
Feature Prioritization
Phone number linkage never changed, despite rolling out the username feature for privacy. This was a feature request since Signal began. The general intent was to remove phone numbers and pivot to strictly usernames, but instead usernames were simply added to the mix and only impacted the discovery feature.
In Signal’s defense, Voice-over-Internet-Protocol (VoIP) numbers do still work as a method to privately use Signal, and they do not discriminate against VoIP numbers like many media platforms do, including their market competitor Telegram.
The heart of the matter is how easy the integration would be and the intentional refusal to do it. Session messenger implemented this with ease, likely with significantly less funding and support. SimpleX and other modern messengers have also developed ways around the phone number requirement.
Outside of the phone number debacle, aesthetics have taken the reins in the development cycles over any noticeable changes to the underlying security features. In their defense, the security baseline could have been completed early on and deemed “feature-complete,” where the aesthetics of the applications were on the back burner, and rightly so.
Centralization - In the foundation, we trust
In the same vein with respect to features, Signal has reliably chosen to keep its infrastructure centralized. As a result, we cannot monitor the server(s) that our devices communicate with. Proprietary code could be running on their infrastructure, and the frequent communication with Amazon’s infrastructure remains. Ultimately, when you cannot run your own decentralized instances, you are back in black-box territory rather than the full transparency that the average user would assume.
While transparency with open-source software is never a bad thing to have, people innately make the following assumption: it is audited and transparent.
The reality, as observed within the XZ package not long ago, is that nation-states and other sophisticated non-governmental organizations (NGOs) can build trust over time and embed themselves into software. They can then inject malicious code incrementally, obfuscating it from the passive observer. The trust in transparency is only as good as the auditors, and few understand how to deobfuscate and investigate a large codebase.
MobileCoin (renamed Sentz) Wallet Integration
Admittedly, this cryptocurrency cropped up out of nowhere. That point isn’t a flag in itself, as thousands of coins have come and gone in the past half-decade. Given the volatile cryptocurrency markets and opportunistic investing, it is of little surprise that Moxie went this route with MobileCoin (now named Sentz) given his wide array of interests.
In my opinion, this was a disservice to real privacy initiatives where they could have integrated Monero (XMR), which has long been a proposal for the Molly derivative. XMR has been tested and proven for practical use, and there is a reason it has become the tool of choice among the open internet.
To add to the matter at hand, Renee DiResta was brought onto the board of MobileCoin.
The point has been raised that Renee DiResta is a former CIA fellow, and she has a particular inclination towards targeting misinformation via censorship. [1]. [2]. While you may deem this point as irrelevant, it does make you wonder what former intelligence is doing with a small-cap cryptocurrency coin, especially when you take into account her skillset and proclivity.
Connections Matter
A controversial figure, Katherine Maher, was added to the Signal Foundation board.
Katherine Maher is the former CEO and Executive Director of the Wikimedia Foundation, responsible for Wikipedia. She is currently a non-resident Senior Fellow at the Atlantic Council, where her work focuses on the intersection of technology, human rights, and democracy. Prior to Wikimedia, she was the Director of Advocacy for the digital rights organization Access Now. Maher is a term member of the Council on Foreign Relations, a World Economic Forum Young Global Leader, and a security fellow at the Truman National Security Project.
While I would normally avoid blanket affiliations as a flag, both Moxie and Meredith Whittaker (current CEO of Signal) have made public statements about Maher. Instead of addressing their audience’s concerns with her being on the board, they cited that neither she nor any affiliates would be able to tamper with the software due to how Signal was built.
This does not instill trust from my perspective, when the founder and acting CEO are alluding to the tamper resistance of their cryptography & software to deter subversion from an insider threat. The code can change.
Matthew Rosenfeld’s (Moxie) statement
On April 18th, 2024, Moxie made the following post on X:
“I’m no longer involved at Signal. While I may wish a lot of different things for it, the whole point of the project is that you don’t have to trust your communication to anyone.”
This statement signals his own distrust in the new members of the foundation. His faith lies in the underlying cryptography, which could be subverted. For instance, if those now in control of Signal hypothetically wanted to, they could attempt the following:
- Downgrade their cryptographic implementations
- Inject malicious code from server to client
- Run proprietary code on their infrastructure
And again, I am not suggesting this is in fact the case, but these are all possibilities should malicious parties gain access to the code/infrastructure. We could hope that good actors would identify a plot in a timely manner when/if it should occur, but there is always the risk that such a plot would fall on deaf ears.
Privacy Policy
From Signal’s Privacy Policy:
Information we may share
Third Parties: We work with third parties to provide some of our Services. For example, our Third-Party Providers send a verification code to your phone number when you register for our Services. These providers are bound by their Privacy Policies to safeguard that information.
Effective as of May 25, 2018, Updated May 25, 2018
The third-party providers were never disclosed, nor did Signal explain how that data is used and stored. Exposing metadata has its consequences.
In Signal’s defense, they did contact the impacted 1900 users directly when Twilio was breached.
Signal’s public disclosure - [1]. [2].
This ultimately ties back into the problem with exposed phone numbers and the trust you’re willing to extend with more hands in the pot. Should a platform that emphasizes its ability to protect users in high-stakes settings, such as journalism, be exposing them to this added attack surface?
Wrap Up
Through the lack of transparency with respect to funding, collected / shared metadata with unnamed third parties, concerning connections, and questionable integrations, the appeal of Signal begins to weaken. As someone who has spent quite a lot of time being an advocate for Signal, along with having friends and family sign up for the platform to enjoy surveillance-free, ephemeral discussions, I would like to hope that these concerns are all negligible and unfounded.
Are you driving through the trees? As you seem to be losing signal.