For this reason, I never even considered using Telegram. If I were an unethical intelligence service like a Russian one, I would create a messenger app (and/or social network). Based outside my jurisdiction would add to plausible deniability.
On another note: I wonder how many of those VPN services are actually fronts of intelligence services.
dongcarl · 20h ago
> On another note: I wonder how many of those VPN services are actually fronts of intelligence services.
Signal clearly looks like a front shop to collect metadata for US intelligence services.
Their reliance on phone numbers for sign in, their release strategy, their attitude towards unofficial clients, their marketing of e2e encryption... all fits.
paulryanrogers · 21h ago
Except Signal's client is open source with reproducible builds that have been audited. Their crypto is open, based on standard primitives, and has also been audited. It's also true E2E encryption with alerts on key changes.
The only weakness clear to me is the US could force them to release a compromised client. But then auditors would probably notice within weeks, or even days, and their reputation would be ruined forever.
That's a shame. Still on the whole Signal seems far ahead of Telegram. Hopefully users who need the extra security will be taught to enable that setting.
Also, Signal forces you to use Android or iOS while knowing that "Apple and Google confirm governments spy on users through push notifications ", https://news.ycombinator.com/item?id=38555810
Matrix is the actual solution.
neobrain · 21h ago
Your links are a bunch of user comments?
The push notification payloads don't contain message/sender data. Signal also runs fine without Google services, which avoids any potential problem entirely.
hammyhavoc · 17h ago
SIM hijacking is a thing. Telcos also control phone numbers.
I have never understood the unflinching attitude towards Signal relying on phone numbers.
> The push notification payloads don't contain message/sender data.
The other metadata may be important too.
> Signal also runs fine without Google services, which avoids any potential problem entirely.
Not everybody is able to avoid Google services on their phone. I can't run it on a desktop (or GNU/Linux phone) without a connection to an Android phone.
jaoane · 21h ago
Are there ethical intelligence services? :P
4gotunameagain · 21h ago
> an unethical intelligence service
As opposed to which ethical intelligence service that you have in mind ?
This is the bread and butter of "intelligence". Spying. Both enemies, allies & the populace.
thunspa · 19h ago
I never used Telegram, but was under the impression that it's similar to Signal. However, Pavel Durov recently tried to meddle in the Romanian elections process[0] in a very bizarre, almost desperate attempt to misinform the electorate.
That impression is a testament to Pavel's ability to distort the reality. Telegram is nothing like Signal, because the overwhelming majority of traffic is not E2EE, the server has the plaintext. Even for E2EE chats (that are deliberately hidden away), the protocol is weird in a bad way.
danogentili · 19h ago
Note that the article employs unwarranted FUD in regards to the auth_key_id, which is fully equivalent to a TLS session ticket, used, like in TLS, to avoid repeating the handshake each time a new connection is established (and on top of that, the MTProto auth key ID is also rotated every 24 hours).
UncleEntity · 22h ago
Does anyone really believe their metadata is safe from any government... or non-government for that matter?
I mean, TFA's whole argument is the un-encrypted header portion, designed to route the message, can be used to track who the message is sent to. Oh, and some dude provides internet service to Russian governmental agencies with their ISP located in Russia.
If you're doing dodgy stuff (like political speech) you don't want the government to know about it's probably best to conduct that business offline as they are all watching you.
Not really, the auth_key_id really is simply equivalent to a TLS session ticket, used to avoid repeating the handshake every time a new connection is established: there's nothing "unencryted" about it, it's just an identifier of a previously established encrypted channel, like session tickets in TLS (and on top of that, the MTProto auth key ID is also rotated every 24 hours).
On another note: I wonder how many of those VPN services are actually fronts of intelligence services.
This is why we need more [MPRs](https://www.privacyguides.org/articles/2024/11/17/where-are-...)
Their reliance on phone numbers for sign in, their release strategy, their attitude towards unofficial clients, their marketing of e2e encryption... all fits.
The only weakness clear to me is the US could force them to release a compromised client. But then auditors would probably notice within weeks, or even days, and their reputation would be ruined forever.
Related discussion: "Why Not Signal?"
https://news.ycombinator.com/item?id=28544735
https://news.ycombinator.com/item?id=30872361
https://news.ycombinator.com/item?id=39445976
https://news.ycombinator.com/item?id=29888228
https://news.ycombinator.com/item?id=42788647
Also, Signal forces you to use Android or iOS while knowing that "Apple and Google confirm governments spy on users through push notifications ", https://news.ycombinator.com/item?id=38555810
Matrix is the actual solution.
The push notification payloads don't contain message/sender data. Signal also runs fine without Google services, which avoids any potential problem entirely.
I have never understood the unflinching attitude towards Signal relying on phone numbers.
They themselves contain the actual links and also relevant discussions. One more link: https://github.com/signalapp/Signal-Android/issues/13842
> The push notification payloads don't contain message/sender data.
The other metadata may be important too.
> Signal also runs fine without Google services, which avoids any potential problem entirely.
Not everybody is able to avoid Google services on their phone. I can't run it on a desktop (or GNU/Linux phone) without a connection to an Android phone.
As opposed to which ethical intelligence service that you have in mind ?
This is the bread and butter of "intelligence". Spying. Both enemies, allies & the populace.
[0] https://www.lemonde.fr/en/pixels/article/2025/05/23/why-is-t...
I mean, TFA's whole argument is the un-encrypted header portion, designed to route the message, can be used to track who the message is sent to. Oh, and some dude provides internet service to Russian governmental agencies with their ISP located in Russia.
If you're doing dodgy stuff (like political speech) you don't want the government to know about it's probably best to conduct that business offline as they are all watching you.