this post was submitted on 12 Mar 2026
550 points (91.7% liked)

Privacy

9224 readers
642 users here now

A community for Lemmy users interested in privacy

Rules:

  1. Be civil
  2. No spam posting
  3. Keep posts on-topic
  4. No trolling

founded 2 years ago
MODERATORS
iopq@lemmy.world
550
signal w (lemmy.blahaj.zone)
submitted 1 day ago by not_IO@lemmy.blahaj.zone to c/privacy@lemmy.world
128 comments fedilink hide all child comments
 

mastodon: https://mastodon.social/@mshelton/116214301513839946

article: https://signal.org/bigbrother/district-of-columbia/

context: https://technologymagazine.com/cloud-and-cybersecurity/protonmail-under-fire-over-data-handover

top 50 comments
sorted by: hot top controversial new old
[–] Cattail@lemmy.world 1 points 6 hours ago

Ain't gonna stop me from shit posting about group chat leaks on signal

[–] sveltecider@lemmy.ca 33 points 1 day ago (4 children)

…email will inherently be a lot less secure than messaging, no matter what you do.

If you truly want to be private about something, don’t email it lol

[–] Avicenna@programming.dev 3 points 6 hours ago

People like Jeffrey Epstein running one of the biggest blackmail networks in the planet and at the same time blatantly emailing each other about it from gmail really amazes me. Either they are that stupid or powerful enough that they just don't care.

[–] elephantium@lemmy.world 14 points 19 hours ago (1 children)

no matter what you do.

Even PGP?

...TBF, getting your counterparty to also use PGP is the heavy lift there.

[–] TechLich@lemmy.world 5 points 16 hours ago (1 children)

Security yes, privacy not especially.

PGP lets you encrypt the messages and sign them to digitally prove you sent them.

It doesn't help with the problem here which is that the metadata of who you are (the IP used to log into the webmail and the email address of the sender) and who you're talking to (the email of the recipient) and when (timestamps etc.) were able to be leaked.

In fact, depending on the implementation, PGP could be considered slightly worse for privacy because you'd have the added identity proof of the message having a signature that only you could create with your private key (although that's encrypted, it's a stronger identity proof than the sender email address). It also generally leaks the recipients' key IDs too (although that's configurable) PGP is great for accountability, message confidentiality and non-repudiation. Not so much for privacy. For that you'd need other systems.

[–] elephantium@lemmy.world 1 points 13 hours ago

Good point re: metadata. Keeping that private is an underrated aspect of security.

[–] Kacarott@aussie.zone 2 points 15 hours ago (1 children)

Is it really so hard to make it secure? If both parties are using some kind of secure email client, couldn't the clients just encrypt and decrypt the subject/content?

[–] sveltecider@lemmy.ca 4 points 10 hours ago

The main issue is that in reality, 95%+ of people aren’t using an encrypted service. So it’s proton to Gmail usually

[–] ChickenLadyLovesLife@lemmy.world 2 points 21 hours ago (2 children)

Or go talk to the other person out in the middle of a field somewhere without your phones. And I'm not even 100% sure anymore that that would work. Like, maybe the lanternflies are bugged (pun intended).

[–] utopiah@lemmy.world 1 points 12 hours ago (1 children)

Well I'd suggest a forest instead but anyway depends how you get there :

  • look up online how? there might be now a path on a server to your target destination
  • disconnect phone in a pattern that's usually not how you use it? more surveillance
  • public transport tracking, plate tracking until you leave the city
  • rough estimation on your direction then follow up with drones tracking you, if it's 100m high it's hard to notice

... anyway, ending the paranoia comment ;)

[–] cecinestpasunbot@lemmy.ml 1 points 12 hours ago (1 children)

Don't forget facial recognition! Then just in case you decided to wear a mask, gait recognition!

[–] qaeta@lemmy.ca 1 points 6 hours ago

Membership in the Ministry of Silly Walks about to pay off!

[–] johnyreeferseed@lemmy.dbzer0.com 5 points 21 hours ago (1 children)

The bird surveillance system is always watching. Remember birds aren't real!

[–] ChickenLadyLovesLife@lemmy.world 2 points 21 hours ago

Flying tape recorders.

[–] Nugscree@lemmy.world 69 points 1 day ago (13 children)

That is exactly what they did, the user used a credit card with their damn name on it, while Proton even allows you to send them cash money for the service.

The FBI filed a MLAT (Mutual Legal Assistance Treaty) request which was processed by the Swiss Federal Department of Justice and Police.

The Swiss gave a legal binding order to Proton to hand over information that they had, the only information that was handed over was the payment identifier.

I don't get why people get hung up on a company complying with a legal order by their justice system, especially with Proton that could not hand over any more information.

load more comments (13 replies)
[–] RAFAELRAMIREZ@lemmy.world 18 points 1 day ago

When a service can only hand over a timestamp, that’s when you know the encryption is doing its job. 🔐

[–] ReluctantlyZen@ani.social 19 points 1 day ago (3 children)

This comparison makes no sense.

Signal doesn't have payment data. It's not a paid service. Proton is a paid subscription service and that payment data needs to be accessible in order to charge the user.

[–] kilgore_trout@feddit.it 1 points 10 hours ago

Not only, Proton deletes the information of your payment method if you delete it from your account.
Unfortunately the only real private solution remains to self-host.

[–] leadore@lemmy.world 7 points 22 hours ago (2 children)

The fact that it's a paid service doesn't mean they have to keep your PID and payment info on file. I use posteo.de for my email, which is a paid service. But my payment info is only used during the payment process and they don't keep it on file once they receive the payment. You buy like 12 or 20 months and have that many credits. When it starts to get low, you buy some more.

[–] Taldan@lemmy.world 4 points 20 hours ago

Proton let me delete the payment information between charges, but they certainly made it a painful process. I had to email support

load more comments (1 replies)
[–] edg@lemmy.world 3 points 23 hours ago (2 children)

What if a user donates to Signal?

[–] ReluctantlyZen@ani.social 3 points 22 hours ago

Not sure, they do seem to store something (pretty unclear what though), but I'm guessing that can be fully decoupled from a user's account, since it's unrelated to the actual service.

load more comments (1 replies)
[–] UnfortunateShort@lemmy.world 145 points 1 day ago* (last edited 1 day ago) (20 children)

Don't hate the player. You can't send mail with E2E encrypted headers and you can't leave payment data and expect Proton to violate regulations and delete it.

Signal has to deal with neither of these issues.

[–] asdfasdfasdf@lemmy.world 1 points 10 hours ago

Mullvad handles payment data in a much, much better way.

load more comments (19 replies)
[–] SuspiciousFlop8964@sh.itjust.works 21 points 1 day ago* (last edited 1 day ago) (2 children)

Service A is compelled to hand over all the data it has on a user

They comply

Service B is compelled to hand over all the data it has on a user

They comply

"And that's how it's done!"

[–] bss03@infosec.pub 5 points 1 day ago

Proton has the disadvantage of having to work with other email services as well, so there's protocol limitations. When mailing from one Proton mailbox to another, they do intentionally avoid SMTP for this reason, but Signal has the advantage of "owning" the whole protocol, too.

I imagine if you donate with a CC to Signal, they might also be forced to turn that over. The weakness is not in Signal or Proton, but in the Visa/Mastercard duopoly and CC processing in general. Cryptocurrency has some advantages here, but they are outweighed by the abuse, fraud, speculation, and general dishonestly (and just general failure to be good currencies for "normal" purchases.)

[–] blujan@sopuli.xyz 5 points 1 day ago

The criticism is that better privacy can be achieved by not saving data, it is a good criticism but I don't know how legit it is because I don't know if credit card payments can be processed without saving the data (i would assume yes, if tokenized)

[–] bonenode@piefed.social 57 points 1 day ago (4 children)

One is a messenger the other is using the e-mail protocols, aren't there differences in how the metadata is possible to be encrypted between those too. Just wonder if this is a fair comparison.

load more comments (4 replies)
[–] LordOfLocksley@lemmy.world 21 points 1 day ago (6 children)

God, I wish more people used Signal

[–] paequ2@lemmy.today 6 points 1 day ago* (last edited 1 day ago) (2 children)

I've been using Signal more to test if I can recommend it to other people... it's mostly like WhatsApp, which is good...

Except, can we please disable all of those god damn popups. Everyday: "Hey! Verify your pin!", "Hey! Verify your LONG ASS recovery key!", "Hey, plz donate!", "HEY! I couldn't start a backup", "HEY LOOK AT ME!"

[–] white_nrdy@programming.dev 6 points 1 day ago (5 children)
  • I have never been asked to verify my recovery key.
  • It asks to verify pin once a month. Which I think is fair, since it can help you recover from a lockout / transfer your device.
  • backups are important, but they can also be disabled
  • Donating to open source projects is important, as it's a large portion of their funding.
load more comments (5 replies)
load more comments (1 replies)
load more comments (5 replies)
[–] Ghostie@lemmy.zip 12 points 1 day ago* (last edited 1 day ago) (1 children)

Just saw someone claim Signal was a honeypot the other day, no sources of course. Then this info comes out.

[–] white_nrdy@programming.dev 9 points 1 day ago (4 children)

I hate this sentiment. I was part of a bachelor party, and we had a group chat going. Had Android/iPhone users, so it was just a MMS chat. I suggested we use signal, and one of the iPhone users goes on a rant

"I'm not gonna use Signal. It's just a honeypot for the CIA. Why else would they fund it if they didn't get any value out of. It's obviously a honey pot"

[–] JackbyDev@programming.dev 4 points 21 hours ago

Do they think MMS is magically invisible?

[–] Cort@lemmy.world 8 points 1 day ago (1 children)

I'm not gonna use Signal. It's just a honeypot for the CIA.

No you're thinking of telegram.

[–] white_nrdy@programming.dev 6 points 1 day ago

So there is actually disinfo about it being funded by the CIA. I had heard it was, and tbh didn't care too much. I figured they funded it because they used it and got value. It's well audited so I trust it. Only learned it's disinfo when I looked for a source to include in my original reply

https://euvsdisinfo.eu/report/us-intelligences-services-control-the-signal-app/

load more comments (2 replies)
[–] VitoRobles@lemmy.today 19 points 1 day ago (9 children)

I don't like Proton after the CEO posted the pro-Trump statement and did not use them after that.

Its really weird how people are blaming Protonmail when it was the Swiss government that complied with the FBI. That to me is really suspicious. The US government is currently not a trusted source of accuracy, and for the Swiss to readily agree to it?

Worse, the chuds blaming the proton user?

Protonmail is used by a lot of reporters/whistleblowers. As what point is their work also a threat to the US government and will the Swiss force Protonmail to hand that over too?

load more comments (9 replies)
load more comments
view more: next ›