
Signal requires phone number in order not to store your contact list on their servers. Instead of IDs/email addresses/nicknames they are using your phone contact list. IMHO that's better for privacy.


That depends on what you want with privacy. If you'd want to chat anonymously, having to use your real phone number is a bummer. At least in my country, it's getting harder and harder to get a SIM-card that is not tied to your name.

The alternative is getting a burner SIM-card. Though, that will become harder once more prepaid providers require your ID.


If you got a friend in Colombia they can hook you up with unlimited SIM cards for like $3 a pop.


Columbia? It's racked with rioting and civil unrest right now according to the world news. Hardly a stable place to get my telecoms supplies from.

Or if you did mean Colombia, why would the average HNer have friends there?


Unlimited what exactly?


Signal appear to have been making efforts to switch unique identifier to an arbitrary ID, I believe this is a move towards removing the phone number requirement. I can't say for sure.

I know their infra codebase pretty well as I've worked on it for projects unrelated to Signal/Open Whisper Systems. Unfortunately their public GitHub is usually ~3 months behind their running infra and often released much later than the equivalent functionality in the clients hits the public.


> Signal appear to have been making efforts to switch unique identifier to an arbitrary ID, I believe this is a move towards removing the phone number requirement. I can't say for sure.

It is: https://mobile.twitter.com/moxie/status/1281353119369097217

> Our goal with PINs is to enable non-phone # based addressing. Since that will mean your Signal contacts can't live in your address book anymore, they're Signal's responsibility. Every other messenger does this by storing them in plaintext, but that's not private, so we built SVR.


Thanks for that. I had a quick look through their blog but couldn't find anything to reference.

It's been a few months since I worked with their codebase but at the time it relied on Intel SGX for the contact storage Enclave, which is now considered compromised[0]. Additionally, if you wanted to run your own, the requirements to get licensed to use the Enclave are non-trivial.

Opinions are my own, I represent no one, etc, etc.

[0] https://arstechnica.com/information-technology/2020/03/hacke...


Yeah I think that's still true. That said, as I understand it, the enclave is used as "proof" that they're running the server-side code they say they do (which should be protecting the data), not the data itself. I could definitely be wrong there though.


Yes, that's how I understand it to work; TEE (Trusted Execution Environment).


Asking for a real-world identifier is breaking privacy from the get-go...


> Signal requires phone number in order not to store your contact list on their servers.

That does not make sense. There is no relation between 'using phone number as id' and 'storing contact list on servers'. E-mail and some other communication protocols also do not use phone numbers and do not store contact list on servers.


Yes but do they offer the same experience? Signal figured out that you probably have a list of contacts that you want to talk to. If they use mobile numbers as identifiers then they don't have to keep the contact list - it's already there on your phone. IMHO it's a good compromise.

I'm not an advocate for Signal, but I totally get this approach.


That's very reasonable then. It's not a deal breaking issue especially so moving from or compared to less trustworthy entities already having your phone number (e.g. WhatsApp), but it had left me wondering, I thought it was used in the most part for authentication.



