2021 Review: Signal
12 June 2021 | 3:58 pm

Even if you’re not big into privacy or security, you’ve likely at least heard of Signal. The WhatsApp/Telegram competitor rose to mainstream prominence earlier this year, when WhatsApp announced planned changes to their privacy policy and Elon Musk almost immediately tweeted “Use Signal.” Though the app had been around for years, these two factors combined to catapult Signal into the mainstream consciousness overnight, hitting the number one spot in multiple countries’ app stores and even crashing the servers for a weekend. So what is Signal, should you use it (and why, if yes), and how does it rank for those who value their privacy and security?

The Service

Signal is an end-to-end encrypted messenger, similar to WhatsApp or (arguably) Telegram. Based in the US, it was founded by Moxie Marlinspike around July 2014. It allows voice, text, or video chat to any other user (one-to-one or up to five at once) and has a variety of features that might appeal to mainstream users like stickers and GIFs. Signal is based on the Signal Protocol encryption, which I will discuss more in a moment.

The Good

Actually, let’s just go ahead and start there. Signal’s encryption is good. Like, really good. So good that according to the Vault 7 leaks, the CIA has considered pretty much every insane idea to circumvent it because they can’t actually crack it. While Signal has its fair share of detractors and criticisms (some of them valid, many of them not), you can’t knock them for their encryption. It is world-class, and is even used by WhatsApp, Facebook Secret Messages, Skype, and even Google (they know a thing or two about security). The app itself is used by the EU Commission, numerous politicians, journalists, whistleblowers, and law enforcement. Unarguably, you can’t get much better security than Signal.

Setup is – as I like to call it – insultingly easy. Seriously. If you’ve never tried Signal before, go do it right now just so you can see how ridiculously easy set up is. You download it, you basically hit “next” three or four times, and you’re ready to go. On Android, you can even make Signal your default messenger so that if you text another Signal user but don’t know they use Signal, it will automatically make use of the encryption. Actually using the app is also incredibly easy, with very intuitive and plain-English buttons, menus, and options.

Signal is fast, stable, and if you don’t want to use your SIM number (I’ll mention that in a second), you can use a VoIP number with no additional work except that you have to manually enter the verification code rather than Signal pulling it automatically. Messages are end-to-end encrypted by default, unlike services such as Telegram which require you to enable encryption. Perhaps most importantly, Signal as a company has a proven track record of not logging any user data and having virtually nothing to turn over to police when requested.

The Bad

Signal’s downsides are, in my opinion, far and few between. However, they are legitimate and worth noting. One “bad thing” that some people note is that Signal is based in the US. Given that Signal is open source, audited, and has proven themselves to respect user privacy, I personally don’t think this is a big deal. However, the US government is a notorious enemy of privacy. For the vast majority of people, I wouldn’t consider this a reason not to use Signal, but it is worth being aware of what laws Signal is subject to and the hostility the company faces from the government.

The next most obvious flaw is that Signal requires a phone number to use. Phone numbers are as good as social security numbers these days and a quick web search of a phone number can turn up tons of identifying information. While one can use a VoIP number (as I mentioned above), most people won’t (not to mention that this alienates people who don’t have a valid phone number and can’t get a VoIP number). This is a realistic potential privacy and security risk for every user, and while Signal has said they plan to roll out usernames in the future, they’re not here yet and last time I checked there was no real word on when “the future” would arrive.

Let’s address the elephant in the room: the Mobilecoin incident. For those who don’t know, Signal went almost a year between Spring 2020 – Spring 2021 without publicly posting the source code for their server. They continued to share the client source code, and those who examined it found it was still secure, however the client very obviously was contacting an updated server version than the one that was posted and Signal refused to say why they hadn’t updated it. Speculation ran rampant about malicious backdoors, government gag orders, and more. It turned out that Signal was laying the groundwork to integrate a privacy-respecting payment platform with a cryptocurrency called Mobilecoin. This move was considered highly controversial for a number of reasons. Among some of the most valid and popular reasons: it was considered highly unethical and shady to keep users in the dark about the server code updates, integrating cryptocurrency can attract unwanted attention from government regulators like the IRS and FTC, and many users expressed concerns about what impact this would have on the security of Signal and the possibility that this was all a “pump and dump” financing scheme. You can find my take on this story here and you can find a (in my opinion somewhat sensational but factually correct) deep dive here. Here’s the takeway from all this: while this incident – at this time – does not indicate any sort of technical compromise with Signal’s privacy or security, it definitely cast a lot of doubt on them as an organization ethically.

Last but not least, there’s also been a lot of rightful accusations and concerns about Signal’s infrastructure, such as using services like AWS and Google to support their cloud. While – again – there’s no reason to suspect that Amazon or Google have any access to user messages or data, it is understandably troubling that using Signal also means supporting some of the biggest enemies of privacy on the planet by proxy. One could consider this the necessary evil of making Signal reliably available to the masses, but it’s still not comforting. Moxie has also been very strict about refusing to allow Signal to be decentralized or federated, even going so far as to legally pursue and shut down forks that attempt to be interoperable with Signal. Once again, this is done in the name of keeping Signal scalable and reliably secure (if everyone can run their own server, some servers will inevitably fall out of date due to lack of administrative maintenance which will create security risks for everyone involved) but it’s still a ding for people who value decentralization.

Final Verdict

I’ll be honest: I like Signal. The stability, the ease of use, it can’t be matched. I use Signal for 90% of my conversations with friends, family, and even a good chunk of The New Oil conversations. There’s never any issues with key exchange, the messages arrive quickly, the call quality is clear, communication is reliable, and it’s just so freaking easy. There’s no easier messenger out there. However, I’m not a Signal fanboy who will defend them to the ends of the Earth. Their opacity during the Mobilecoin incident was inexcusable, and I’ve already gotten all my close family to sign up for Matrix in the event that we ever have to jump ship on Signal (if Session rolls out voice calls any time soon then I’ll move them all to that instead, Session is also easy to set up). I like Signal, but as soon as I see any reasonable indication that they've been compromised, I'm out.

The moral is this: Signal is not a perfect company. To their defense, I’ve yet to find a “perfect” company or “perfect” anything really. They've made some ethically questionable business decisions and they could check more privacy-enthusiast boxes if they did things differently. But they are reputable, proven, and perfect for the masses. If you have a high threat model or like to go to the extreme for your privacy, Signal may not be for you (at least not yet). But for 95% of people reading this, Signal is just fine. They take user privacy and security seriously and they’re easy to use with a plethora of features. I whole-heartedly recommend Signal to most people. If you’re still looking for a messenger, I think this one is worthy of your consideration.

You can download Signal here.

You can find more recommended services and programs at TheNewOil.xyz. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work on Liberapay.


Prime Day is This Month. Here’s Why You Should Stop Using Amazon
5 June 2021 | 1:17 pm

Amazon’s now-legendary “Prime Day” was just announced this week: June 21-22. Much like Black Friday or Cyber Monday, this means sales on lots of items on Amazon’s vast marketplace, and as such many people flock to the giant’s website to get sweet deals on everything from computers to small kitchen appliances and more. But this year, I urge you to resist the allure. Far be it from me to tell you what to spend your money on or where, but in this week’s post I hope to lay out a compelling case for everyone for why Amazon is full-stop evil, no caveats, and is undeserving of your money on a moral and ethical level. Amazon needs to be stopped, and legislation will not do so. Only its loyal consumers – who keep the beast alive – can do that by taking their money elsewhere.

Here are five reasons that you should stop supporting Amazon with your money and purchases.

Amazon Is An Enemy of Black Lives Matter

Do you believe that black lives matter? Do you think police have too much funding, too little oversight, are a tool of an oppressive regime, and/or are a private police force for the rich to keep the poor and minorities in line? Well guess what: up until last year Amazon proudly sold their Rekognition facial recognition software to law enforcement agencies all cross the country. Like every other facial recognition software out there, this system was notoriously bad at accurately identifying minorities, including people of color and women. Amazon only stopped for PR reasons at the start of the George Floyd protests, and even then they only issued a “one-year moratorium.” This has since been extended indefinitely, but frankly that doesn’t matter. It’s still just PR. Why do I say that? Because for one, that ban only applies to the US. Amazon is still free to sell their faulty facial recognition services to other countries and industries. Second, Amazon still gives police across the nation unfettered access to Ring doorbells, allowing police to have vast real-time surveillance networks paid for by private citizens who may not even know law enforcement has this sort of access. Amazon is actively helping police spy on and identify – poorly – everyone, even peaceful protesters.

Amazon Is An Enemy of Small Businesses

“Well I think all lives matter,” you may say to yourself, “and I support our law enforcement officers.” That’s cool. If you’re more right-leaning, you probably believe in the free market and you’ll likely be furious to know that Amazon actively crushes small businesses. Amazon has been repeatedly proven to use data gathered from small merchants who use their marketplace to create competing products, avoiding the financial hit of the mistakes that those smaller businesses may have already made in marketing, pricing, or production. Not that it matters, because Amazon can also just use their massive empire to undercut the competition, selling products at a massive loss until the competitor is eventually driven out of business, then bouncing prices back up to profit-making levels once there’s no alternatives to compete with. The use of this data in the first place isn’t just free market sorting itself out, it’s straight up corporate espionage. It’s one thing if I left my job to work for a competitor and said “we learned that our customers respond better to blue than red.” It would be completely different for me to take a copy of all our business records, marketing documents, and passwords with me. That’s basically what Amazon does. They leverage their highly-invasive platform (which is so ubiquitous that to NOT sell on Amazon is practically a death sentence) to harvest sensitive business data and then use their resources to take the hit until the smaller guys can’t anymore and fold. In any other scenario, this would be corporate spying and illegal monopolizing. Even if it wasn’t illegal, I’d have a hard time believing any free-market enthusiast actually has no problem with this.

Amazon Is An Enemy of Human Rights

Maybe you’re an apolitical person (there’s really no such thing and that’s actually a very “privileged” stance to take, but I digress). In this situation, you can probably agree that we’re all human beings. We all deserve to be treated with respect, no matter what. Well, Amazon is unbelievably hostile to worker’s rights. For years, Amazon Prime delivery drivers have been reporting unrealistic expectations like being expected to deliver 200 packages in a 9-hour shift (that’s about 1 package every 3 minutes), missing pay, intimidation, favoritism, and buggy AI tracking their “performance” (even off the clock). Many of them have reported having to pee in bottles to try to stay on schedule. One reported a hospital-worthy injury where he was advised to finish his deliveries (several hours’ worth) before seeking medical treatment. Warehouse workers report timed bathroom breaks and not being allowed sit down for a few minutes outside of breaks (I’m all about hard work ethic, but you’ve seriously never had a day where you just needed five minutes to gather yourself?). Amazon took it one step further with patented wearables in the workplace to spy on employees and make them work even harder. (For the record, there’s no evidence they plan to roll this out yet but the fact that they expressed an interest in controlling the rights to this technology is unsettling.) When workers expressed an interest in unionizing so they could force more humane working conditions (aren’t there already supposed to be labor laws in the first place?) Amazon used their powerful surveillance network to spy on and infiltrate those groups and even attempted to put cameras over the ballot boxes to “ensure integrity.” Amazon doesn’t give a crap about their employees, it’s all about the bottom line and quite frankly I’m surprised they haven’t just moved overseas to sweat shops.

Amazon Is An Enemy of Democracy

“Wow, we really need some regulation on Amazon!” you might be thinking. Yeah, that’d be cool, except that at this point Amazon is more powerful than the US government. Amazon spent $18 million in 2020 on lobbying – for those who live outside the US, “lobbying” is a fancy word for “legal bribery.” I’m not making that up. It started off with good intentions and it does make sense, but it gets abused constantly and in laughably transparent ways that make every American citizen wonder how the hell this practice is legal. Anyways, that’s not the point. Have you ever wondered why the “settlement” amounts in corporate lawsuits are always so obnoxiously low? It’s because corporations hire GOOD lawyers. They can afford to hire lawyers who are field experts and can pay them to focus all their time and attention only on that one company and that one subject/department. Then they can pour even more resources into filing new paperwork, doing research, fighting the case, etc. Eventually the court costs start to pile up and the idea of dragging this out for years and spending millions of dollars becomes arduous, frustrating, and impractical. Look at the recent Home Depot data breach settlement – 10 years later! This is compounded even more when you’re an elected official. “You’ve spent HOW MUCH taxpayer money on fighting over some silly case that doesn’t even concern me – the voter – in a way I can comprehend when that money could’ve gone to better roads, schools, healthcare, national defense, etc?” The fact is that these cases do matter and do concern everyone, but it’s hard to care when you’re buying new rims because you damaged the old one on a pothole, or when your kid brings home a history book from 1989, or when you work 60 hours a week and still don’t qualify for basic healthcare coverage. Amazon can’t be reigned in by regulation because they can outspend the government in time, fines, lobbying, and any other area that they need to. The government has to answer for their tax money spent (in theory). Amazon only has to answer to shareholders and only one question: “how much more money did you make me this quarter?” They can afford to hire lobbyists who shape the laws, and if they fail that they can always drag the court case into oblivion until it just gets settled.

You Are Part of The Problem

Do you remember when Chris Brown beat Rihanna? When that was still top news and I met people who listened to his music I’d always ask them “don’t have you an issue with him beating up Rihanna?” and without fail they’d always answer “Of course! But I just like his music, I don't support what he did.” Here’s the thing though: it’s impossible in situations like that to benefit without supporting the person in question. Every album purchase, every stream, every shirt purchased, every YouTube view, these are all metrics he can use to justify his popularity and book large venues with large guarantees. Honestly I’d even leverage illegal downloads if I was his booking agent. “They can download a song, they can’t download a concert. Those are potentially paying fans.” The same is true with Amazon. In no way can you give any money to Amazon and NOT be directly contributing to these problems I’ve listed above. Every penny you spend can be directed towards developing new surveillance tech or hiring new sales people to score new government contracts. Every purchase you make says that you’re okay with how things are currently working at Amazon and shows them that you’re willing to spend money there. Even using Alexa is sharing your data, which Amazon then uses to refine their products or serve you more ads (which they get paid for). There is absolutely no way for you to use Amazon that doesn’t tell their shareholders “I’m okay with this. Keep the course.” The only way that we can ever hope to affect change is to force their hand by taking your money elsewhere.

Reality and Next Steps

Look, I’m a realist, okay? I know that sometimes there are things that you absolutely cannot get anywhere else except Amazon (or if you can, it costs significantly more). First off, I’d ask you to weigh your definition of “significantly.” Paying $5 more on a $100 product is not “significant.” Furthermore, depending on your financial situation, paying $5 more on a $20 product may also not be much for you. In these cases, I urge you to take the ethical path and not give into Amazon. It’s worth paying a little extra for a good cause. Having said that, paying $50 more for a $10 product, that’s understandably different. If you must use Amazon, here’s my suggestions: First off, if you already have an account, you’re probably fine to leave it active. Your history will stay there, but frankly if you create a new account, it’s likely to get flagged and suspended or if you do it wrong Amazon will still trace it back to you anyways. Feel free to keep your current account, but go ahead and make sure you use good practices like 2FA, strong passwords, and forwarding e-mail addresses.

If you’re making a new account, I recommend using a forwarding email address or an old, already very-publicly exposed email address for credibility purposes (like an old Gmail address). I’ve had good success with buying pre-paid Amazon gift cards in cash at 7/11 and using those to make my purchases, however I’ve heard some people have still had their accounts flagged regardless in those situations, so don’t put too much money in right away in case that happens. You can attempt to make new accounts for every purchase (since ideally this should be rare for you anyways), or you can attempt to make one account and just keep topping it up as needed. Michael Bazzell offers more details on what's worked for him on this podcast episode.

Last but not least, I encourage you not only to avoid Amazon itself, but avoid their subsidiaries as using them will still contribute to Amazon’s unethical empire. Unfortunately this includes popular brands like Twitch, Audible, IMDB, GoodReads, Zappos, and over 100 others. I know it’s a lot and it can be hard, but as I outlined before we can’t keep hoping someone else will reign them in. It’s going to take a collective, serious effort to hit them where it hurts (the wallet) and force them to start being a more ethical company.

Prime Day is later this month. Please, avoid it.

You can find more recommended services and programs at TheNewOil.xyz. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work on Liberapay.


What REALLY is the Best iOS Browser? Addendum: SnowHaze
29 May 2021 | 4:40 pm

Two weeks ago, I decided to pit all of the commonly-promoted “privacy-respecting” iOS browsers against each other to see if I could determine empirically which one was actually the most private. Unsurprisingly, within minutes of posting I received feedback. Surprisingly, most of it wasn’t “you suck and you’re wrong because I’m loyal to my browser.” Rather, it was “you forgot one.” Allow me to remedy that situation. This week, I will be reviewing SnowHaze. If you need a reminder of my methodology, you can check the blog in question here.

Privacy Policy

Image

SnowHaze starts off strong out the gate by claiming to collect absolutely no information about you, anonymous or otherwise. In this respect, SnowHaze easily usurps Brave to win the privacy policy category.

Winner: SnowHaze

Loser: Safari

Not to much say here. SnowHaze is the obvious winner and Safari is still abysmal.

Browser Fingerprinting

Things get really weird in this section. SnowHaze offers an ungodly amount of granular control over the browser’s privacy settings – which I will discuss in the “Features” section. When highly configured, I was unable to run Cover Your Tracks at all, which leads me to assume (without evidence, for the record) that this means fingerprinting you at all has become relatively impossible for most sites, or at least quite difficult (from what I understand, many common fingerprint methods rely on Javascript). However, this also causes significant breakage across many sites. After tinkering for a few weeks, I finally found some settings that mostly work across most sites. The particular settings that seems to matter for testing sites like Cover Your Tracks and Speedometer mostly seem to boil down to the Content Blockers section. At the time of this test, I was only able to disable Fonts and still get a score. Remember that as always your results may vary, especially depending on how you configure the vast settings options.

SnowHaze: 17.96

Winner: Safari

Loser: Brave/DuckDuckGo

Based on this score, SnowHaze ranks second worst just above Safari. However, it’s worth noting that I suspect this score is not truly reflective of my average browsing experience. As I said above, I was only able to get a score by enabling everything except Fonts. In my daily browsing, I usually have Raw/XHR disabled, and often third-party scripts as well. I also have SnowHaze set not to load any Javascript unless I manually approve it on a per-site basis (another Feature we’ll discuss later). And last but not least, SnowHaze can be set to spoof User Agents, so much like Brave's fingerprint is large but fake, I suspect that SnowHaze works in a similar fashion. While this score seems particularly bad, I suspect it's not.

Browser Speed

SnowHaze: 48.35 (+/–.47)

Winner: SnowHaze

Loser: DuckDuckGo

Once again, I had to severely dial back the number of content blockers I was using in order for Speedometer 2.0 to finish its test without stalling. I assume part of the test includes loading XHR and third-party scripts. From what I understand this means that with more aggressive content blockers your speed should actually improve because you’re loading less content. Either way, SnowHaze easily comes in on par with or dramatically ahead of Brave, the previous winner, who had a score of 49 (+/–.53).

Features

Alright, this is where SnowHaze really puts the rest to shame. SnowHaze has granular features for controlling the browser that I have never seen before on a mobile browser. While Brave and DuckDuckGo do offer some good features like control over what data is retained, the ability to add protected sites, and stuff like that, SnowHaze goes all out. SnowHaze offers the usual general features like search engine selection and appearance, but also the ability to lock your browser with a passcode, the ability to spoof your User Agent (and to select which agents to spoof), granular history and tracking control, additional content blockers that I alluded to above including CSS, third party javascript, fonts, etc, and even has an experimental Tor integration feature (which I don’t recommend but it’s cool that they offer it). And those are just the highlights. You have the ability to disable Javascript by default and then enable it on a site-by-site basis, and you can even easily add custom search engines like SearX! Hands down SnowHaze has the most features out of any browser I reviewed for this study, and the amount of control it gives you over your browsing experience makes it laugh in the face of lesser browsers. SnowHaze offers all the same features that any other given browser would and then some.

Winner: SnowHaze

Loser: Firefox Focus

Final Verdict

Winner: SnowHaze

I can think of one situation where I would recommend Brave over SnowHaze: ease. Because of the massive amount of of options, setting up SnowHaze can be a bit daunting. The default settings are – in my opinion – not ideal. I understand the desire to create a browser that’s basically ready to go out of the box, but I think SnowHaze could afford to tighten up their default settings a bit and still retain functionality for the average person. Even so, I commonly recommend that any time you set up a new account or download a new app you should make time to go through the settings and tweak them. This means any person downloading SnowHaze for the first time can quickly become overwhelmed by the exhaustive number of options to be examined, interpreted, and possibly changed. Even moreso, those settings will likely change as they browse and realize a certain functionality they want/need broke. I personally pretty much only use my browser to surf webcomics and Reddit when I’m bored (which is rare) and to make quick, important searches when I’m away from my desk. Despite that limited usage, I quickly found myself changing settings to make more and more sites work properly as I went, finally finding a mostly-happy medium after about a week or so. The average person may be frustrated by the constant tweaking and want something that just works.

Hands down, I think SnowHaze is the most superior iOS browser I’ve found so far, and thank you to the multiple readers who alerted me to overlooking it. This has been a lifechanging experiment. I highly encourage you to make the switch if you use iOS, and here’s what I recommend: keep Brave for a short time as a fallback. Download Snowhaze, change the settings, get used to it, but until you get it dialed in just right be sure to have a backup for when you can’t afford to experiment to find what’s breaking the site. Once you get SnowHaze dialed in just right, go ahead and delete Brave. That’s what I did. (Well, DuckDuckGo for me if you recall the last blog, but same concept). SnowHaze is truly an incredible piece of work. Well done, devs.

You can find more recommended services and programs at TheNewOil.xyz. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work on Liberapay.



More News from this Feed See Full Web Site