💾 Archived View for bbs.geminispace.org › u › wasolili › 22084 captured on 2024-12-17 at 15:50:21. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
Re: "How to survive the broligarchy: 20 lessons for the post-..."
fwiw signals use of fcm is just to send a "you may have messages" message to the Android app, which will then download the encrypted messages directly from the signal servers, so your actual messages aren't sent through google's fcm service
i also just briefly searched the signal android github for other uses of gms and nothing suspicious stood out (there's some sms stuff for retrieving registration tokens, some wallet stuff for donations, and the aforementioned fcm) - though I'm on mobile and didn't look too hard so if there's something particular you know of please share.
Nov 23 · 4 weeks ago
so, signal does encrypt text end-to-end, as I was hoping?
So, the message is encrypted but some metadata is visible by googles?
🐦 wasolili [...] · Nov 23 at 17:17:
@HanzBrix I think you're conflating push notifications (which are sent via fcm) with the notifications shown on your phone, which do not need gms and are triggered locally. Signal uses fcm to send your device a "you may have messages" message, your device fetches the encrypted messages via signal's servers, decrypts them, and then (optionally) sends a local notification (which doesn't rely on gms).
That's not say there aren't privacy concerns about local notifications (android allows other apps to read all notifications if they have the permissions for it, notifications may be logged locally, etc), but "sending messages directly to google" is not one of them.
@stack yes signal's messages are e2ee (and, unlike several alternatives, has been audited by cryptographers). the only metadata Google gets is "at x time, signal's servers wanted to let the device know there may be message updates."
I wish there were more reminders to go into 'special permissions' and get rid of apps snooping on notifications. I didn't know about that until this month...
🐦 wasolili [...] · Nov 23 at 19:41:
Signal is most definitely not e2ee, as the desktop client can operate independently of the app now (didn't used to be that way), signifying a one to many relationship.
@HanzBrix this doesn't make signal not e2ee. to simplify it, when you use multiple devices, each device has its own double ratchet session and the sender of a message encrypts it for each device.
How to survive the broligarchy: 20 lessons for the post-truth world | Carole Cadwalladr