They may be sponsored by the US Government, or by cryptographers with ties to the government.
https://thebaffler.com/salvos/the-crypto-keepers-levine
It’s a long read, but it’s quite good. Here’s a snippet to whet your palate where he describes some of the prominent people behind these projects:
At least that’s how they saw themselves. My reporting revealed a different reality. As I found out by digging through financial records and FOIA requests, many of these self-styled online radicals were actually military contractors, drawing salaries with benefits from the very same U.S. national security state they claimed to be fighting. Their spunky crypto-tech also turned out, on closer inspection, to be a jury-rigged and porous Potemkin Village version of secure digital communications. What’s more, the relevant software here was itself financed by the U.S. government: millions of dollars a year flowing to crypto radicals from the Pentagon, the State Department, and organizations spun off from the CIA.
For context: I have become very interested in the debate amongst app users such as Telegram, Signal, Threema, etc… and I know that many people claim that Signal is the very best amongst all of them but there’s something really sketchy about its location (US based) and the fact that the government can for anyone to comply with their orders and forbid them from telling anyone about it via gag orders (see Durov’s comments on this: https://t.me/durov/59).
Both are fascinating reads, and certainly help me appreciate platforms like Telegram and Threema even more. Regarding Threema, today they posted a comparison between their app and the competition, and found this interesting tidbit regarding Signal:
https://threema.ch/en/blog/posts/messenger-comparison-2021
Signal enjoys an outstanding reputation among experts, and it’s certainly a good alternative to WhatsApp. However, just like WhatsApp, it requires users to disclose personally identifiable information: Providing a phone number is mandatory. As a US company, Signal is also subject to the CLOUD Act, which entitles US authorities to access data from IT service providers that are based in the US.
Also: I just learned that FB spends millions of dollars every year on marketing and trying to influence people to not use platforms such as telegram.
Signal has not been able to provide the US gov with personal data as they only store the date of account creation and a signal ID number. Look at how signal handles these information requests right now.
You’re totally right. Signal has demonstrated its full proof against US courts. But perhaps not against security agencies. Signal stores private keys in the cloud. Relying on SGX extensions to keep them from being trivially broken. Signal could be compromised, SGX could be compromised, something we don’t realize in that supply chain could be compromised. So it could just be a long-term honeypot. But if you’re a threat model does not include US security apparatus, you’re fine
The thing to remember is that cryptography is very tricky business, and even when an algorithm is sound on paper that does not guarantee that it’s implemented in a secure way. A famous example is when NSA “helped” develop the Diffie-Hellman cryptographic key exchange standard and introduced a vulnerability that nobody noticed for a very long time.
Any standard that’s been developed in conjunction with US agencies should be considered compromised in my opinion.
Hello again!
I think everyone here knows my position on 14 Eyes from my smartphone hardening guide, which I have also earned some racist flak for for my rigid stand on the same. This is a large reason why I recommend staying away from Google Pixels with proprietary Titan M chip, or Qualcomm smartphones or even South Korean Samsung’s Exynos phones. Apple iPhones are equivalent to Ebola virus for me.
I myself use a debloated Huawei phone since the baseband modem and hardware is non 14 Eyes, and might only pick either a Huawei and/or an ARM based Linux phone in the future. I refuse to trust 5/9/14 Eyes proprietary technology for any sensitive work, and the only reason I am seeing Signal as decent for masses is its audited cryptography with ease of use. (I am also more outspoken on Lemmy compared to Big Tech Reddit.)
Still using XMPP and Matrix, and have special email provider for covert operations.