Signal Data Collection: Difference between revisions

Since 2020 Signal has been collecting and keeping sensitive user data in the cloud while lying to their users about their data collection practices.{{DisputedInline|Tone is inappropriate|reason=tone}} Users and potential users of Signal have a right to know what data is being collected and how it is being stored and secured so that they make informed choices about the risks they are taking when using Signal.  

{{DisputedInline|reason=see further notices in this section, section title is misleading|Misleading section title}}

This new feature meant that Signal would start collecting the same kinds of information that Signal had been getting legal requests to turn over, and that Signal would permanently keep that data in the cloud.{{DisputedInline|reason=feature does not store user data in the cloud like other messaging apps|Misrepresents the new feature as storing user's data to cloud servers}} Their stated reason for doing this was so that if a Signal user got a new device they could install the app, enter a pin, and the app would pull down the user's data from cloud servers.  

The data being collecting and stored in could includes: The user's name, photo, phone number, and a list of every Signal user they have contacted.<ref>{{Cite web |title=What contact info does the Signal PIN functionality actually save |url=https://community.signalusers.org/t/what-contact-info-does-the-signal-pin-functionality-actually-save/16854/4 |access-date=6 Mar 2025}}</ref>{{DisputedInline|reason=contact discovery on Signal is private and does not share the phone number as explained later in the cited sources|Cited source is heavily cherry picked}}  

This was a highly controversial change, and some Signal users objected on philosophical grounds<ref>{{Cite web |title=Don’t want PIN, don’t want anything stored in cloud |url=https://community.signalusers.org/t/dont-want-pin-dont-want-anything-stored-in-cloud/14057 |archive-url=https://web.archive.org/web/20240301015109/https://community.signalusers.org/t/dont-want-pin-dont-want-anything-stored-in-cloud/14057 |archive-date=1 Mar 2024 |access-date=6 Mar 2025}}</ref>, requesting that Signal instead provide a means to export encrypted backups that could be imported locally eliminating any need to upload data to the cloud. Signal users also raised technical concerns about the security of the system and doubts that it would protect their data.<ref>{{Cite web |title=Proper secure value security: PINs are too easy to brute force, SGX is not reliable enough |url=https://community.signalusers.org/t/proper-secure-value-security-pins-are-too-easy-to-brute-force-sgx-is-not-reliable-enough/15096 |archive-url=https://web.archive.org/web/20240301015110/https://community.signalusers.org/t/proper-secure-value-security-pins-are-too-easy-to-brute-force-sgx-is-not-reliable-enough/15096 |archive-date=1 Mar 2024 |access-date=6 Mar 2025}}</ref> Some of these concerns were also shared by cybersecurity-experts<ref>{{Cite web |title=Signal’s New PIN Feature Worries Cybersecurity Experts |url=https://www.vice.com/en/article/signal-new-pin-feature-worries-cybersecurity-experts/ |archive-url=https://web.archive.org/web/20250117232443/https://www.vice.com/en/article/signal-new-pin-feature-worries-cybersecurity-experts/ |archive-date=17 Jan 2025 |access-date=6 Mar 2025}}</ref> and security researchers demonstrated that the system was vulnerable to attacks which allowed them to access the user data being stored.<ref>{{Cite web |title=SGX CacheOut SGAxe attack. Signal’s cloud storage and contact discovery vulnerable |url=https://community.signalusers.org/t/sgx-cacheout-sgaxe-attack-signals-cloud-storage-and-contact-discovery-vulnerable/14892 |archive-url=https://web.archive.org/web/20230519115856/https://community.signalusers.org/t/sgx-cacheout-sgaxe-attack-signals-cloud-storage-and-contact-discovery-vulnerable/14892 |archive-date=19 May 2023 |access-date=6 Mar 2025}}</ref>{{DisputedInline|reason="In recent weeks, Signal has introduced more features that make it more user friendly to people who may not have extremely paranoid threat models. For example, it’s now possible to migrate all Signal data, including message history, from one phone to another, using a feature that does not rely on cloud servers and is also encrypted, according to Signal. "|Cited vice article explains more nuance}}

Signal was not convinced to abandon this data collection and they began to roll out the change in 2020 without clear communication about the new feature.{{DisputedInline|reason=tone|Tone is inappropriate}}{{DisputedInline|Misrepresents PIN feature as it is optional and not properly explained|reason=include the response to the hysteria and a proper explanation of the feature}} It resulted in a lot of confusion for users, many of whom only learned about this feature when they were prompted to create a PIN. There were many social media posts expressing confusion over what the feature was and what it was doing. Even years after the change was made some Signal users were/are still unsure about what data Signal collects or were/are convinced that Signal doesn't collect any data at all<ref>{{Cite web |title=What info does Signal store about it's user? |url=https://old.reddit.com/r/signal/comments/q5tlg1/what_info_does_signal_store_about_its_user/ |archive-url=https://web.archive.org/web/20211011111619/https://old.reddit.com/r/signal/comments/q5tlg1/what_info_does_signal_store_about_its_user/ |archive-date=11 Oct 2021 |access-date=6 Mar 2025}}</ref><ref>{{Cite web |title=About data collection and data delivery |url=https://old.reddit.com/r/signal/comments/1id3xu8/about_data_collection_and_data_delivery/ |archive-url=https://web.archive.org/web/20250201072439/https://old.reddit.com/r/signal/comments/1id3xu8/about_data_collection_and_data_delivery/?ref=readnext |archive-date=1 Feb 2025 |access-date=6 Mar 2025}}</ref>  

This confusion is understandable{{DisputedInline|reason=tone|Tone is inappropriate}}, since Signal's own website continues to state that they do not collect the information they are collecting. The first line of their "Terms & Privacy Policy" page reads: "Signal is designed to never collect or store any sensitive information."<ref>{{Cite web |title=Signal Terms & Privacy Policy |url=https://signal.org/legal/ |archive-url=https://web.archive.org/web/20250302122622/https://signal.org/legal/ |archive-date=2 Mar 2025 |access-date=6 Mar 2025}}</ref>

This lie{{DisputedInline|reason=tone|Tone is inappropriate}} is also repeated on their support page under the heading: How do I know my communication is private<ref>{{Cite web |title=How do I know my communication is private? |url=https://support.signal.org/hc/en-us/articles/360007318911-How-do-I-know-my-communication-is-private |archive-url=https://web.archive.org/web/20250214030028/https://support.signal.org/hc/en-us/articles/360007318911-How-do-I-know-my-communication-is-private |archive-date=14 Feb 2025 |access-date=6 Mar 2025}}</ref>