(I won’t comment on Session, I’m not familiar with the finer details there.)
I live in a country with strict KYC on phone numbers - my Signal account uses a phone number from a different country in the world, not associated with any person in a country I have never been to and activated in a very odd location once only before being destroyed.
If you actually care about security / privacy to the extent of hiding from state actors then it is trivial to do. If you are cosplaying as a privacy enthusiast, then different matter and we can all bang on about open-source, audits, 14 eyes, tor, monero.
Phone numbers are recycled so eventually it will become someone else's phone number unless you continue paying for it.
So let me ask you this: What’s your threat model? Does your threat model require you to hide your location from the Five Eyes?
Signal requires extra information that is not necessary for exchanging messages. That is at least suspicious. If you are fine with giving away your number you can just use WhatsApp or Telegram.
We are quite many where the threat model does not depend on hiding our phone number from the government.
https://gulfnews.com/world/asia/india/kashmir-lockdown-arres...
https://thenextweb.com/news/kashmirs-police-want-people-to-r... >Kashmir’s police want people to ‘register’ their WhatsApp groups
https://www.dailyexcelsior.com/police-crackdown-keypad-jehad... >Police crackdown on ‘keypad jehadis’
https://kashmirobserver.net/2022/01/11/jk-police-launches-cr... >J&K Police Launches Crackdown On People ‘Misusing’ Social Media
"misusing" means writing material that is critical of the ruling party.
https://www.greaterkashmir.com/chenab-valley/authorities-in-... here, the police simply take your name/number and pick you up from the street. open and shut case in an hour.
Why should whatsapp/facebook/twitter help them? 1. they have business interests in india and they NEED to please the government if they want to survive in india so there are no court orders or anything needed. the police have carte blanche to demand any information and for them, name/number is good enough because the data is available with them.
an example from my own home. A family member was active on twitter last year and would get into "twitter debates" and that nonsense. they would use their own name because the websites ask for "firstname/last name" and normally people don't care about that. anyway, during one such online fight, a random opponent apparently told them "you won't listen to me so i will have police explain it to you" or something to that end. 3 days later the police comes home "enquiring" about them. we had a hard time "explaining" the situation and some money exchanged hands after which we were off the hook. "never again they said, later"...
afterwards, i did a checkup of their account and they had 2FA activated on their number which i strongly suspect was passed on to the police. again, no "evidence" but my own anecdata.
>Feel free to explain your threat model.
i am "living" this threat model so the techniques used in iran for example used by dissidents or anti-government protestors or in china by anti-ccp protestors for example, i am going through that myself and PII in any form is dangerous.
sure, let's say i don't use my real name in twitter or use 2fa and twitter gives my "ip address" or something. they would have to correlate that information with a separate demand with ISP.... not low hanging fruit as much. mobile numbers, well they have dumps and mobile numbers don't change hands a lot.
OTOH, if i use my selfhosted matrix for example, the provider, some random DMCA ignore ones would laugh at them. even if they asked for payment, i pay from crypto so what will they get? and it's not like the webmaster of my own server (read: me) would not give any details to any demand from even PM of india so short of blocking my server IP, what can they do?
Signal uses a centralized server with closed source (they hid the code for one year until they finally gave up when users nagged them, nobody knows what they did during that year), Signal requires your phone number, Signal doesn't allow third party apps officially and tried to push some shady crypto, I mean how many red flags do you need to avoid such a POS app?
Signal has always been transparent about what information gets sent to the server: https://signal.org/blog/private-contact-discovery/
Even if some adversary is doing some kind of correlation to glean metadata from your traffic, they are definitely doing the table stakes here to preserve privacy and not just send your information off willy-nilly.
speaking of dense exotic matter https://en.wikipedia.org/wiki/White_dwarf
Feel free to explain how that affects message integrity/message confidentiality in a negative way.
As Signal is on a centralized Google Cloud instance, it can easily be shut down by the providers and that is that.
> nobody knows what they did during that year).
They (and Moxie) were too busy shoving their private cryptocurrency scam project in Signal to later get as many users using it as possible to then pump and dump the coins on exchanges.
Signal is a complete joke.