Talk:Signal Data Collection: Difference between revisions
Add topicLatest comment: 7 March by InTransparencyWeTrust in topic Notices
No edit summary |
→Notices: Reply |
||
| (2 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
== Notices == | ==Notices== | ||
added several notices on this article [[User:InTransparencyWeTrust|InTransparencyWeTrust]] ([[User talk:InTransparencyWeTrust|talk]]) 18:30, 6 March 2025 (UTC) | added several notices on this article [[User:InTransparencyWeTrust|InTransparencyWeTrust]] ([[User talk:InTransparencyWeTrust|talk]]) 18:30, 6 March 2025 (UTC) | ||
: [[User:InTransparencyWeTrust|@InTransparencyWeTrust]]! Thank you for highlighting exactly the problem with Signal's misleading and unclear communication. | :[[User:InTransparencyWeTrust|@InTransparencyWeTrust]]! Thank you for highlighting exactly the problem with Signal's misleading and unclear communication. | ||
There is no question that Signal stores data in the cloud. Please review references for more information. If you are in a hurry, here's Signal's handy animation https://signal.org/blog/images/secure-value-recovery-animation.gif taken from https://signal.org/blog/secure-value-recovery/ explicitly illustrating how requests are sent to and handled by their cloud servers | :There is no question that Signal stores data in the cloud. Please review references for more information. If you are in a hurry, here's Signal's handy animation https://signal.org/blog/images/secure-value-recovery-animation.gif taken from https://signal.org/blog/secure-value-recovery/ explicitly illustrating how requests are sent to and handled by their cloud servers | ||
The data being stored in the cloud (which includes the user's name, photo, phone number, and a list of every contact) is an entirely different thing from private contact discovery. The data collection is not related in any way to private contact discovery (although both use SGX for protection). This data collection is only for SVR/Storage Service. You may find this FAQ helpful. This is the archived version as it was removed and replaced with links to a bunch of far less helpful blog posts: https://web.archive.org/web/20230101032155/https://community.signalusers.org/t/faq-signal-pin-svr-kbs-storage-service-cloud/15690 | :The data being stored in the cloud (which includes the user's name, photo, phone number, and a list of every contact) is an entirely different thing from private contact discovery. The data collection is not related in any way to private contact discovery (although both use SGX for protection). This data collection is only for SVR/Storage Service. You may find this FAQ helpful. This is the archived version as it was removed and replaced with links to a bunch of far less helpful blog posts: https://web.archive.org/web/20230101032155/https://community.signalusers.org/t/faq-signal-pin-svr-kbs-storage-service-cloud/15690 | ||
Also note that the feature which can migrate all Signal data without the data stored on the cloud does not in any way prevent Signal from collecting and storing that data on the cloud. More importantly that feature did nothing prevent the data already stored in the cloud from being vulnerable to the CacheOut attack and will not prevent any future SGX vulnerabilities or side channel attacks from allowing that data to be exposed. | :Also note that the feature which can migrate all Signal data without the data stored on the cloud does not in any way prevent Signal from collecting and storing that data on the cloud. It just doesn't use the data stored in the cloud to transfer settings. The data is still in the cloud though. More importantly that feature did nothing prevent the data already stored in the cloud from being vulnerable to the CacheOut attack and will not prevent any future SGX vulnerabilities or side channel attacks from allowing that data to be exposed. | ||
As for "Tone" concerns, if somebody has a better way to say that Signal is telling people something that objectively isn't true ("Signal is designed to never collect or store any sensitive information.") without saying that they are lying, feel free to edit that language to whatever is more appropriate. I don't know what else to call a lie without sounding like weasel. [[Special:Contributions/131.93.221.242|131.93.221.242]] 01:21, 7 March 2025 (UTC) | :As for "Tone" concerns, if somebody has a better way to say that Signal is telling people something that objectively isn't true ("Signal is designed to never collect or store any sensitive information.") without saying that they are lying, feel free to edit that language to whatever is more appropriate. I don't know what else to call a lie without sounding like weasel. [[Special:Contributions/131.93.221.242|131.93.221.242]] 01:21, 7 March 2025 (UTC) | ||
::The animation you reference is about the consensus algorithm they use, which they operate within the constrained environment of an SGX enclave, used to store the auth key and amount of guesses, according to the blog. You mention that the alleged data collection is different, and is only for SVR/Storage Service, which you do not mention in the article. What is also missing is explaining when this Storage Service is used, opt-in/opt-out, relation to settings like setting a PIN, etc. The article also needs a fuller extend of the response to the backlash. A more recent blog post of this year (https://signal.org/blog/a-synchronized-start-for-linked-devices/) explains that "your personal devices are where your message history lives, and that means we have to transfer history between the devices themselves.", "We don’t have access to your message history (or your [https://signal.org/blog/building-faster-oram/ contacts], [https://signal.org/blog/signal-private-group-system/ groups], [https://signal.org/blog/introducing-stories/ stories], [https://signal.org/blog/signal-profiles-beta/ profile avatars], or [https://signal.org/bigbrother/ anything else])." [[User:InTransparencyWeTrust|InTransparencyWeTrust]] ([[User talk:InTransparencyWeTrust|talk]]) 09:01, 7 March 2025 (UTC) | |||
Latest revision as of 09:01, 7 March 2025
Notices[edit source]
added several notices on this article InTransparencyWeTrust (talk) 18:30, 6 March 2025 (UTC)
- @InTransparencyWeTrust! Thank you for highlighting exactly the problem with Signal's misleading and unclear communication.
- There is no question that Signal stores data in the cloud. Please review references for more information. If you are in a hurry, here's Signal's handy animation https://signal.org/blog/images/secure-value-recovery-animation.gif taken from https://signal.org/blog/secure-value-recovery/ explicitly illustrating how requests are sent to and handled by their cloud servers
- The data being stored in the cloud (which includes the user's name, photo, phone number, and a list of every contact) is an entirely different thing from private contact discovery. The data collection is not related in any way to private contact discovery (although both use SGX for protection). This data collection is only for SVR/Storage Service. You may find this FAQ helpful. This is the archived version as it was removed and replaced with links to a bunch of far less helpful blog posts: https://web.archive.org/web/20230101032155/https://community.signalusers.org/t/faq-signal-pin-svr-kbs-storage-service-cloud/15690
- Also note that the feature which can migrate all Signal data without the data stored on the cloud does not in any way prevent Signal from collecting and storing that data on the cloud. It just doesn't use the data stored in the cloud to transfer settings. The data is still in the cloud though. More importantly that feature did nothing prevent the data already stored in the cloud from being vulnerable to the CacheOut attack and will not prevent any future SGX vulnerabilities or side channel attacks from allowing that data to be exposed.
- As for "Tone" concerns, if somebody has a better way to say that Signal is telling people something that objectively isn't true ("Signal is designed to never collect or store any sensitive information.") without saying that they are lying, feel free to edit that language to whatever is more appropriate. I don't know what else to call a lie without sounding like weasel. 131.93.221.242 01:21, 7 March 2025 (UTC)
- The animation you reference is about the consensus algorithm they use, which they operate within the constrained environment of an SGX enclave, used to store the auth key and amount of guesses, according to the blog. You mention that the alleged data collection is different, and is only for SVR/Storage Service, which you do not mention in the article. What is also missing is explaining when this Storage Service is used, opt-in/opt-out, relation to settings like setting a PIN, etc. The article also needs a fuller extend of the response to the backlash. A more recent blog post of this year (https://signal.org/blog/a-synchronized-start-for-linked-devices/) explains that "your personal devices are where your message history lives, and that means we have to transfer history between the devices themselves.", "We don’t have access to your message history (or your contacts, groups, stories, profile avatars, or anything else)." InTransparencyWeTrust (talk) 09:01, 7 March 2025 (UTC)