Sure, it’s possible to purchase Threema with cryptocurrency rather than using the Google Play Store. It’s the same set of “Account and Subscriber Information” that we can provide: Unix timestamps for when each account was created and the date that each account last connected to the Signal service.Īdditionally, their claim that “Threema can be used anonymously” is, at best, a significant stretch. As a result, our response to the subpoena will look familiar. Signal doesn’t have access to your messages your chat list your groups your contacts your stickers your profile name or avatar or even the GIFs you search for.
It’s impossible to turn over data that we never had access to in the first place. Which is, as demonstrated by a consistent paper trail of court records, almost nothing.Īs usual, we couldn’t provide any of that. The CLOUD Act isn’t black magic it can only force Signal to turn over the data they actually possess. The quoted paragraph is deceptive, and was apparently designed to make their prospective customers distrustful of Signal.
The fact that Signal, being a US-based IT service provider, is subject to the CLOUD Act only makes this privacy deficit worse. Threema, on the other hand, can be used anonymously: Users don’t have to provide their phone number or email address. Signal requires users to disclose personally identifiable information.
Flaws in deleted keybase app chat code#
I had planned on following up by conducting a thorough analysis of their code and reporting my findings to them privately (which is called coordinated disclosure, not “responsible disclosure”).īut then I read this bit of FUD on their Messenger Comparison page. In response, I had casually glanced through their source code and pointed out a few obvious WTFs in the Twitter thread. I use it for international family and friends. Works on desktop and mobile, no phone number requirement.
Flaws in deleted keybase app chat free#
Threema is open source and has a clear business model (meaning they aren't likely to sell data of a free app down the road or whatever). Don’t let a critical post about someone else’s product discourage you from encrypting your users’ data. I’m stating all this up-front because I want to re-emphasize that end-to-end encryption is important, and I don’t want to discourage the development of E2EE. This effort had come on the heels of my analysis of bizarre choices in Zoom’s end-to-end encryption, and a brief foray into the discussion into the concept of cryptographic deniability. The goal is NOT to compete with highly specialized and peer-reviewed privacy technology. The goal of this is to increase the amount of end-to-end encryption deployed on the Internet that the service operator cannot decrypt (even if compelled by court order) and make E2EE normalized. If you’re in a hurry, there’s a summary of results at the end.)Īround this time last year, I was writing Going Bark: A Furry’s Guide to End-to-End Encryption and the accompanying TypeScript implementation of the Extended 3-Way Diffie-Hellman authenticated key exchange ( Rawr X3DH). (If you aren’t interested in the background information, feel free to skip to the meat of this post.
0 kommentar(er)
