964 comments

[ 2.0 ms ] story [ 544 ms ] thread
> Storage: $1.3 million dollars per year.

> Servers: $2.9 million dollars per year.

> Registration Fees: $6 million dollars per year.

> Total Bandwidth: $2.8 million dollars per year.

> Additional Services: $700,000 dollars per year.

Signal pays more for delivering verification SMS during sign-up, than for all other infrastructure (except traffic) combined. Wow, that sounds excessive.

is there any way they can reduce that cost?
Yeah, decouple Signal user identity from the phone number.
This will probably never happen. One of the reasons WhatsApp blew up is because using a phone number as your source of identification means there's much less friction in the signup flow. No username/password to create and your social graph is already there in your contact list.

My mom was able to get our entire extended family on Signal without my involvement, which is a testament to how easy that is.

They're already working on it: https://www.bleepingcomputer.com/news/software/signal-tests-...

Not whether that's a good idea is more debatable; you're not wrong about discoverability.

Those are in addition to the phone number, but it will still require a phone number under the hood.
In the short term it will, and quite possibly in a long-term also, but if you were going to fully make phone numbers optional, I'm pretty sure this is the first step you would take. At the very least it sure looks like they're starting to build the possibility.
They also blew up because it was also quite decent SMS app, so you just had to install Signal and use it instead of your default SMS app. All your messages are there, you can continue to communicate exactly like you did before, except that now, if the other person also has Signal, your messages are encrypted.

They stopped doing that (and I uninstalled Signal as a result), so they can also stop with the phone number thing, in fact, it would make more sense than with the current situation where Signal needs a phone number but doesn't use it (except for registration). I could even reinstall Signal if they do this.

Why not both?

If I want discoverability, let me provide my phone number.

If I want privacy, just assign a random identifier.

Nobody is demanding them to stop supporting phone numbers as identifiers/verification methods.

I'm not mad at all if somebody prefers using their phone number and not having a password for a service – just give me the option to use my email address and/or a username.

There are too many "phone number only" services out there these days.

Usernames are currently available in beta, the post I was replying to wondered if SMS verification could be removed because it's expensive.
> Nobody is demanding them to stop supporting phone numbers as identifiers/verification methods.

Plenty of people are, and for good reasons.

It has nothing to do with friction...
Which might be said to increase privacy. I suppose there's something to the point about combating spam. But surely there are other ways to do this, right?
Getting rid of phone numbers would make anonymity easier, but it wouldn't affect privacy. Signal is explicitly private but not anonymous.

In most countries, you can get an anonymous phone number anyway.

Phone numbers are the easiest login for people, especially in a world where not everyone has an email address.

I know this will invite comments about usernames. I would like usernames a lot too.

If only it was possible for a service to support both!
I know, too bad that possibility was only possible in the past and not with todays technology.

The knowledge of how to do this has forever been lost. Hopefully archaeologists can reconstruct it one day.

Send them via whatsapp. A lot of online services give an option to send OTP via whatsapp along with SMS/Email.
As far as I understand, this is even more expensive than SMS in many cases due to WhatsApp's B2C messaging fee structure.

It's also not a great idea to make sign-ups for an instant messaging service contingent on having an account with another, competing service.

Twitter said that's why they got rid of the SMS 2FA. They said it was costing millions to have that enabled for them.

https://www.cnn.com/2023/02/18/business/twitter-blue-two-fac...

> Twitter said that's why they got rid of the SMS 2FA. They said it was costing millions to have that enabled for them.

Previous Twitter employees have said that this is incorrect. Because Twitter began as an SMS-only (and then SMS-first) application (remember 40404?), they very early on established direct-connection infrastructure for sending SMS, meaning that they have a marginal cost of literally $0.00/message in most markets. Twitter still has to maintain that infrastructure, because they didn't get rid of SMS 2FA - they just restricted it to Twitter Blue users, so the overhead is still the same.

Almost nobody else who delivers SMS today has that infrastructure, because it doesn't make sense for most services to build.

The only place where Twitter was paying significant amounts for SMS was due to SMS pump schemes, which is a consequence of Twitter gutting its anti-spam detection, resulting in them paying for SMS pumping which was previously blocked.

> they very early on established direct-connection infrastructure for sending SMS, meaning that they have a marginal cost of literally $0.00/message in most markets.

I am very, very interested to understand how that works, because without more detail or sources I'm calling bullshit. I definitely understand how Twitter could have greatly reduced their per-message fee with telecom providers, but at the end of the day Twitter is not a telecom and is still at the mercy of whoever is that "last mile" for actually delivering the SMS to your phone, so I don't understand how they have no marginal cost here. Happy to be proven wrong.

Not who you are responding to, but my guess is that it was all fixed costs. They spend $20mm (or whatever) to maintain access, and maintain infrastructure and they get to send as many SMS messages as they want.

So sending 1 costs the same as sending a 10 million. It isn't that they are free to send, its that they are charged for access to the system, but aren't charged per message.

> spend $20mm (or whatever) to maintain access, and maintain infrastructure and they get to send as many SMS messages as they want.

This is not how SMS pricing works in many, if not, most countries.

Is that true at scale? If I tell the telecoms that I want to send a billion messages per year it seems like they might be willing to take a lump sum instead of setting up the systems to bill based on usage.

I have no experience directly with foreign telecoms, so I was simply explaining how something with no marginal cost could still be a very expensive system.

> Is that true at scale? If I tell the telecoms that I want to send a billion messages per year it seems like they might be willing to take a lump sum instead of setting up the systems to bill based on usage.

In most of the world, SMS is billed per-message, so it's basically no extra effort on the Telecoms side at all. In fact, Telecoms' online charging systems are fast enough to calculate users' data usage by seconds in real time, so they don't even blink at counting SMS.

I don't know of countries that mandate a minimum price. If you are doing high volume you are free to work directly with carriers. If you are drawing as much billable traffic as you are sending, then that could even be a wash.
It’s not countries mandating a minimum price (although regulators often impose a maximum), but the carriers themselves.

> If you are drawing as much billable traffic as you are sending

SMS verification traffic is usually unidirectional, so that’s very unlikely to be the case.

Yes but in this case we are describing old-school Twitter, in which people made their tweets via SMS. That's why it was easier for them to make these deals.
Carriers that run their own messaging infrastructure can allow for direct connections from 3rd parties, and set the price per message to whatever they want, including zero.

For something like Twitter where you could post by SMS, the balance of traffic might have been such that giving Twitter free outbound SMS was balanced by the charges incurred by customers sending to Twitter's shortcode. Or it might just be balanced by increased customer happiness when they can use the product more effectively.

If the carrier doesn't run their own messaging infra, they might be paying their IT provider on a per message basis, and might not be able or willing to set the messaging rate to zero.

For a use case where SMS is used to show control of a phone number, getting a zero cost direct route is a harder sell, but it can happen if the routing through aggregators is poor and the carrier is concerned about that, or if there's some other larger agreement in play.

If you require global connectivity, managing hundreds of carrier APIs, contracts, etc seems like major overhead. Also, there are companies whose only purpose for existing is providing messaging, like Twilio, are they just...not doing this or do the carriers just not play ball? In that case, why would the carriers agree to sell to you at a discount?
Aggregators do some of this, and they can negotiate pricing to some degree, but a carrier is unlikely to intentionally give them zero cost traffic, and even if they do, they're not going to pass that through at zero cost.

I ran the engineering side of carrier integrations at WhatsApp. Carriers wanted to sell data plans with special pricing for data with WA and use WA branding in advertising, because it attracted customers that might later convert to a bigger general purpose data plan. As part of that, we would ask for zero rated SMS to their customers for verification. When it was available, it was generally faster and higher success vs sending messages through an aggregator.

We also had some, usually small, carriers approach us asking us to set up direct routes to them for verification, because their customers would not always receive our messages when we sent through an aggregator. Early in my career at WA, we would just send these carriers to our aggregator contacts, and often things would get linked up and then we'd still pay $/message but it would work better. As we got a little bigger and built support for direct routes anyway, it was usually not too hard to set up a direct connection and then there'd be no cost for that carrier. Messing around with IPSEC VPNs and SMPP isn't fun and the GSMA SOAP messaging APIs are way worse, but once you get the first couple implementations done, it becomes cookie cutter (and FB had built way better tools for this, and a 24/7 support team, so I never had to be up, on the phone with telco peeps at 3 am kicking racoon or whatever ipsec daemon we were running until it finally connected)

Thanks very much for sharing your experience and detail! This kind of info is what I was looking for and is super helpful.
Can you say what ordinary (non-discounted) pricing was like, per message? At least in the US, most carriers did I and, believe, still do operate free SMTP -> SMS gateways. They worked okay, although they resulted in oddly formatted messages.
Twilio has a public price sheet[1], I think they haven't actually updated this one lately, but it's a good representation of what ordinary pricing is like. This is not an endorsement (or non-endorsement) of Twilio, but having a public price sheet makes it easy to link to them.

In general, pricing varies widely by destination (country and sometimes carrier), US and some other places are < $0.01, up to $0.10/message isn't uncommon, and some places are $0.20-$0.30/message. Voice calling was usually mor expensive (Twilio should have a price list somewhere for that too; if you can get 6 or 1 second billing, assume a voice verification call is about 30 seconds, but you might have to pay for a whole minute even if you don't use a whole minute).

Those SMTP -> SMS gateways sometimes work in the US, but they don't work much in other countries, and they're not good enough to rely on if your product requires an SMS during the new user flow. SMS costs are real and it's frustrating, but if it costs too much, you need to use something other than phone numbers for ids; I don't think skirting by with email gateways is going to work. But, if you build dynamic routing, I guess you could try.

Also, you've got the use the right email gateway for the user's carrier, and a carrier lookup is on the order of $0.01, unless you have tons of volume, so for the US, you might as well pay for the SMS.

[1] https://assets.cdn.prod.twilio.com/pricing-csv/SMSPricing.cs...

I don’t mean what Twilio charges — I mean what the carriers charge to senders who are directly integrated.
Oh I see... yeah, WA never went direct unless it was zero cost to us, so I don't know what carriers tend to charge. Managing payment to a foreign telecom would be challenging, managing it to enough carriers so the difference in cost is meaningful would be a major endeavor. SMS aggregation is a business with many providers and a low barrier to entry, so while there are margins, I don't think they're very high. There are some telecom groups that run networks in many countries, and some of those offer SMS aggregation services, and the prices were in the same ballpark as pure aggregators, as I recall, but it's been many years since I saw the price sheets.
I really wonder why it’s so expensive to run. I always hear things about scaling but I used to run a top 500 alexia website and it was just a php app running on a mutualized offer for $5/month. Lots of manual caching though but still.

My wild guess is that either the stack is not really optimal (last I heard it was java) or they do other costly things at scale (sgx?)

I guess, then the question is how real time was the website. Was it as real time as supporting, instant messaging, voice/video calls etc
Oh I forgot that signal is not just about forwarding messages. I’m wondering how much the VOIP costs.
FTA: "Signal spends around $2.8 million dollars per year on bandwidth to support sending messages and files (such as photos, videos, voice notes, documents, etc.) and to enable voice and video calls."
how is that in any way comparable? it's not about java vs php
> the stack is not really optimal (last I heard it was java)

how's java relevant here?

Java in theory and in synthetic benchmarks: damn near as lean and mean as C.

Every actual Java project: “oh, did you want that memory and those cycles for something else? Yeah, sorry, I need them all. Why no, I’m not actually doing anything right now, why do you ask?”

100% true in my experience. Literally anything else is far better when it comes to bloat, including C#, RoR etc.

Increasing the Java heap size just makes it so that when garbage collection eventually hits, it causes an even more massive slowdown across the entire application.

In this case we don’t need to speculate at all. Signal is open source. Back when I was at Twilio we even did some at-scale experiments with running Signal. The intensive parts have absolutely nothing to do with Java because the server logic is relatively simple. The hard parts of Signal are the database storage/retrieval and the encryption.
Java is likely the most optimized part of the stack.

Many startups move up to the jam when there is little else that has optimized performance and efficiency like the jvm for 20-30 years.

Of courses this is a moot conversation if you’ve never used Java at scale. Apple and others are Java houses.

Java is entirely performant if you treat it right, and many of the problems with GC in J8 are fixed in later versions.

You can push Java very far.

Of course you can also write horribly ugly code in it.

You can write horribly ugly code in most languages.

But the secret of JVM existing as an option is eventually learned by most who scale.

You can't send an sms yourself like you can an email. Instead of setting up a server, you have to work with a telco provider (an aggregator specifically). Any SMS service eventually hands off to one of these. Many SaaS SMS providers are just frontends for legacy telco services. They charge insane fees because they can, that is all there is to it.

Sending mass email is still difficult. Its probably easier to pay a provider than set up and establish reputation for yourself. But they don't charge near the rates. Last time I compared rates it was something like 10x-100x to send an sms compared to an email, but it has been a while.

Maybe they should flip it on its head - get a thousand? Ten thousand? numbers that can accept SMS and tell people to "text 473843 to this number" to verify.
That's in fact how iMessage does phone number verification. It works really poorly internationally.
It's usually even more expensive to support receiving messages than sending them, beyond keywords like Unsubscribe. If you want any sort of threading its going to be extra. Also its extra for dedicated shortcodes. When you get an SMS from a random shortcode, there might be multiple companies using that code, but they mix the pools enough that its unlikely you will receive two messages from two companies from the same code. Also shortcodes are usually country/region locked. So if you want to international support, you need to buy shortcodes in multiple regions, and different regions have different telco laws. On top of that, provisioning is very manual compared to the modern cloud.

I supported a marketing platform for a while, and it was so much easier to send an email than an sms.

SMS sender isn't generally something you can trust. If you get the SMS directly from the carrier that's responsible for the number, and you have reason to trust their SMS sending to verify the sender, then yes. But in countries with number portability, you still need to pay to lookup the carrier responsible for a number.

And you'll need to maintain ingress numbers in all the countries you support, and maybe numbers per carrier, depending, and you'll need to tell the user the right number to text to ... it's a lot, and it might not work well or might not save much money.

> Many SaaS SMS providers are just frontends for legacy telco services.

I worked on an automated SMS marketing system back in the day so I have seen this in action, at scale. This would be stuff like "text LAKERS to 12345 for Lakers updates"- we didn't handle the Lakers but we did handle many sports teams. Though I wasn't privvy to the financial side, I got the sense that the per-text cost ended up being manageable at scale, but this is because we were one organization who would apply the rules onto our own customers, and if we failed to do so properly we risked losing the interconnects to the various carriers. We typically used a single contracted "aggregator" service which provided a unified API for the carriers. When I left, we were using OpenMarket.

When you have a self-service SaaS offering such as Twilio, the per-text costs are going to go up because the barriers for sending unwanted texts (or fail to follow the rest of the rules mandated by the TCPA) is so much lower, and Twilio has to address that organizationally which adds cost.

Additionally, Twilio does not purchase short codes (ie 12345) which means its harder for the carriers to track bad behavior across their network. There is an initial cost (fairly high) to acquiring a short code, though you can also share short codes across customers in some cases. Acquiring a single short code and sending all messages from that short code would likely reduce costs.

I would love to see more detail from Signal about what sort of SMS interconnection they are using, because directly connecting with an aggregator instead of a SaaS offering (if they haven't already) could save a lot of money, and they are definitely at the scale that would allow for it. And given that they only use it for account verification and are a non-profit, it seems likely they could get a good deal since the risk of TCPA violations is effectively zero.

Yeah, aggregator is a very industry specific term, so I just merged into teclo provider. But yeah, all the issues with short codes, national laws, and reputation, makes it very complex. I worked at a company like Twillio that had contracts with different aggregators across the world, and sold a platform to manage SMS interactions. They added a layer to make ensure customers respected opt-out keywords, or opt-in for specific countries, so it would help manage TCPA (and other) violations. I imagine this helped keep costs down. We would definitely fire customers for trying to get around the safeguards.

I was on the support side, so I just saw when it went wrong, which was a lot.

> Additionally, Twilio does not purchase short codes (ie 12345) which means its harder for the carriers to track bad behavior across their network. There is an initial cost (fairly high) to acquiring a short code, though you can also share short codes across customers in some cases. Acquiring a single short code and sending all messages from that short code would likely reduce costs.

Twilio offers short codes, but short codes are country specific, and the costs for sending to the US are low anyway < ~ $0.01/message for most services, lower with volume; IIRC, short code messaging costs were half, but then you've got some overseas destinations where it's $0.10/message and that's real money.

I did my part to help reduce costs by switching to the decentralized alternative, Session.[0]

Bonus: Session does not demand users' phone number. Also no bundled cryptocurrency.[1]

[0] https://getsession.org/

[1] https://www.stephendiehl.com/blog/signal.html

> Also no bundled cryptocurrency.[1]

It seems like Session relies on Oxen's network, so while there is no inherent coin it is blockchain backed.

> Session’s onion routing system, known as onion requests, uses Oxen‘s network of Oxen Service Nodes, which also power the $OXEN cryptocurrency. Check out Oxen.io to find more information on the tech behind Session’s onion routing.

https://getsession.org/faq#onion-routing

Cool, glad to hear about this - However, it is still coupled to a cryptocurrency (https://oxen.io/) even if not bundled wechat-style
I think simpleX[0] is a better choice at this point with all the recent issues around oxen: not coupled to any crypto, no user ids, can host your own servers if need be, etc

[0] https://simplex.chat/

And as a bonus Session has the best line ever: "Send (encrypted) Messages, not metadata".

They've given Signal quite the fork.

Phone numbers have become the de facto version of "Internet stamps" for identity verification.

They are near-ubiquitous on a per-user level, but hard to accumulate without significant cost. (Unlike email addresses.)

But the down side is that phone verification tends to be on a per-service level. So, for instance, Signal incurs these costs when they verify their users, and every other service incurs these same costs when they verify _their_ users.

There are a number of businesses out there that are trying to act as clearinghouses, where they verify the users once, then allow the users' verified profiles to be confirmed by multiple services.

I wonder if any of those could be used to reduce these "registration" costs.

Phone number verification is used to verify the user's registration intent, so not really.
A Flow:

> Service A => User: Please Enter Your Phone Number and Email

> Service A => Clearinghouse: Please verify phone number XXX wants to sign up for an account with us

> Clearinghouse => User (SMS): Please respond with the Email you used at signup to confirm you want an account with Service A

Later...

> Service B => User: Please Enter Your phone number and Email

> Service B => Clearinghouse: Please verify phone number XXX wants to sign up for an account with us

> Clearinghouse => User (Email): Please verify you want an account with Service B

Not saying it's great (providing email twice is annoying), but it's something.

(comment deleted)
This does not reduce the overall cost, it just shifts it to the clearinghouse. Who pays the clearinghouse so that they can cover their own exorbitant SMS costs?
You miss the crux of it: the second time onward the clearing houses uses email to authenticate the previously-SMS-verified account.
The clearinghouse may not have the user’s most recent email address, which is common amongst non-tech people. My mom and aunts have lost many email addresses this way and forcing them to use an older email would cause many issues.
The app has to ask for email/phone to begin with (see step 1), if the email doesn't match then phone would be used as fallback, or potentially as a "Didn't Receive Code?" gesture.
"Sign in with $Clearinghouse" could bring you to a page that prompts whether you want to share a user ID or the phone number, as required, with that service.

The clearing house verifies you only once, or once a year, instead of every time. If the clearing house were to be a nonprofit, perhaps even set up by Signal themselves to spread costs with similar services, that has to be cheaper.

It also gives users confidence that only a randomized user ID was shared, so it won't be used for cross-service correlation and tracking, if the service didn't actually need your phone number but only some identifier.

A service that requires a telephone number simply shouldn't be called an Internet service. It can't be used purely over the Internet.

Telephone numbers are fundamentally incompatible with privacy. Signal's leadership knows this, but they don't appear to care.

> but hard to accumulate without significant cost

Varies heavily by region. The shop opposite my house has ~50 SIM cards on the shelf, for £0.99/ea.

> we can rent server infrastructure from a variety of providers like Amazon AWS, Google Compute Engine, Microsoft Azure

Moving off cloud services to lower-cost provider like Hetzner, Vultr and DigitalOcean might provide a lot of cost savings.

I also imagine they're using managed SMS services from one of these clouds, and moving off them to a combination of local SMS gateways in each country can also further reduce costs (and in one case I've personally observed, by upto two orders of magnitude). This obviously pushes a lot of complexity on Signal's side, but is usually worth it.

Any idea what prevents Signal from using cheaper alternatives?

Edit: I meant moving off cloud to Hetzner, Vultr, DigitalOcean.

As I understand it, you have to often use multiple gateways based on which one is cheaper and can deliver your message to the recipient, and also take care of handling retries in case one gateway fails. This is not something you typically want to handle if you're not aware of it, and the process of having to talk to each vendor and figure out their limitations is tedious.
There's a lower bound on what these services can charge in the form of interconenction fees charged by the mobile service providers delivering the messages.

In the US, that's effectively zero due to the US phone infrastructure largely using a shared-cost model, but in most other countries which use "sender pays", these fees can be significant.

In business, you get what you pay for. Cheaper hosting might raise more issues that need to by handled by your employees, who also are expensive, and also the organization's focus gets disrupted. The hosting company / cloud vendor has an enormous economic advantage, with access to the entire hardware and software stack, the engineers who built it, people whose full-time job is operating it. Often it's cheaper to pay more for better.

As I have to explain about open source, 'Free is only free if your time is worth nothing.' (And I use a lot of FOSS, it just not always the solution.)

>Free is only free if your time is worth nothing

This is the worst take in technology. The main value of FOSS is freedom, not time or money savings. For many people freedom is more valuable than either.

Also, FOSS and managed aren't mutually exclusive.

DO, at least, has bad peering agreements that will cause you noticeable, unfixable (if you stay on DO…) persistent problems at large enough scale.
I use Hetzner, but they have a bad rep for killing services that attract too much attention, e.g. DMCA requests
So ... hire staff to manage that complexity?
Might not be cheaper at scale and truly globally.

The loaded costs should have the numbers run.

It would be a fascination under the covers look with signal.

They probably already have that staff for GCP, Azure, AWS?
SMS rates are absolutely bonkers considering the technical way they're transmitted. The US is an outlier in SMS rates actually being reasonable (usually unlimited or close to) for consumers - but for the rest of the world the insane mark up on that communication method has mostly obsoleted it...

That'd be all well and good... the technology would die naturally, but all my American relatives continue to stubbornly use iMessage.

> for the rest of the world the insane mark up on that communication method has mostly obsoleted it...

For P2P communication. SMS is alive and well for B2C messaging, most importantly for 2FA OTP delivery, but also as a first line of defense against spam/bot account creation.

It's not a good solution to either problem, but it's slightly better than nothing (which apparently makes it good enough for many), so I suspect we're stuck with it for now.

> That'd be all well and good... the technology would die naturally, but all my American relatives continue to stubbornly use iMessage.

iMessage is not SMS, though. It just uses phone numbers as identifiers, but so do many other popular over-the-top messengers, including the most popular one globally.

To clarify - iMessage does not use SMS if you're going from Apple to Apple device and both devices have data/wifi available. iMessage refuses to support messaging to Android clients and defaults to SMS for these messages.

I've got an Android phone so all iMessage transmissions come across as SMS (or MMS).

Ah, I see what you mean. That's not what I'd call iMessage though, that's just SMS:

The iOS application is called "Messages"; iMessage is the over-the-top Apple-exclusive messaging service.

Messages inflexible reliance on SMS for communication to non-Apple devices is definitely an Apple issue, in my opinion. Apple has made it clear that they continue to default to SMS for non-iPhone communication solely because it's unpleasant for everyone involved.
There's apparently even "green bubble bullying"[1] of kids who have Android devices and thus have their messages appear different. In this particular way Apple is happy compromising the mental health of young people to secure a larger market share - it's awful and they deserve a lot more negative PR for it.

1. https://www.wsj.com/articles/why-apples-imessage-is-winning-...

> apparently even "green bubble bullying"[1] of kids who have Android devices and thus have their messages appear different

Bullies will bully. Targeting the articles of bullying versus the source is fruitless; the former is unlimited.

> Apple is happy compromising the mental health of young people

Dramatic exaggeration and attribution of evil intent is counterproductive and disingenuous.

On the other hand, I have saved many a dollar by instantly knowing that I just sent a legacy text to somebody I normally iMessage with.

My carrier charges an arm and a leg for international texting, and if distinguishing between texts and iMessages wasn't as easy as it is, I would probably have to pay hundreds in carrier bills at least once.

> In this particular way Apple is happy compromising the mental health of young people to secure a larger market share

Should we also force luxury brands to offer stipends so that teenagers whose parents can't afford them (or simply don't want to participate in that nonsense) don't feel stigmatized?

It would be a completely different story if Apple were to ban third-party messaging apps on their platform, but as restrictive as they are in other areas, they aren't doing that.

It literally only takes a free app download to get a cross-platform messaging experience at least on par with iMessage (and in my personal view superior in many regards).

Agreed.

It reminds me of the "Blue eyes/Brown eyes" exercise (https://en.wikipedia.org/wiki/Jane_Elliott) so let's say this was a real psychology experiment. Middle-schoolers and high-schoolers are encouraged to communicate via a chat application with rich multimedia functionality. But any conversation that includes even a single individual who belongs to an arbitrarily-defined "out-group" has its functionality degraded and the application highlights who the out-group member(s) are. After a year you compare the mental, social, physical, and academic well-being of both groups. Would your university's IRB approve such an experiment?

I initially gave Apple the benefit of the doubt that this was simply a technical limitation. And of course kids will always bully each other about something. But at this point it does indeed seem like a billion-dollar company is intentionally amplifying and leveraging this sort of bullying to drive marketshare. If you don't find this immoral then I'm not sure what to say.

What does the default Android messaging app do?
Google Messages, which is fast becoming the default Android messaging app across Android OEMs uses RCS when both participants support it and falls back to SMS when that is not the case.

RCS is an open standard that any carrier/OS/messaging app can support, unlike iMessage, which is exclusive to iPhones.

That's exactly RCSs biggest problem: It requires active carrier support. (As far as I understand, Google runs the infrastructure for many international carriers at this point, but they still need to opt into that.)

Using my phone number as an identifier and authentication factor for so many things these days is bad enough; I really don't want the messaging layer itself to touch my phone provider at all.

RCS-the-open-standard is not end to end encrypted.
Android's messaging app does much the same thing.

My preference would be that Apple drop SMS support from Messages all-together and market it as an iOS only communication method. People with iPhones would then have to pick some alternative, perhaps they would use Signal or perhaps something else.

I already have to install a handful of applications to talk to all of my friends and co-workers, at least I wouldn't have to continue to use SMS.

As an iPhone user, I am happy with messages and do not want it to drop SMS support. Note Apple created iMessage way before RCS even existed. iMessage works well and I am happy with it.
It's interesting that you mention that you like it having SMS support; do you only use this function to message Android phones? In my experience, the iPhone people I know are consistently annoyed by me and my SMS messages.

IMHO, RCS isn't a solution to anything since it still requires phone carriers to adopt it. A quick check of the internet indicates that many of these phone carriers are actually charging more to send RCS messages than SMS, making it a non-starter all around.

Maybe Google could create an iMessage-like (internet only) alternative for Android... Although it still wouldn't work with the actual Apple iMessage protocol unless Apple adopted it. IMHO they'd have better luck getting companies like Apple to interoperate if it was pre-installed and worked on all Android phones.

RCS is Google's idea of a solution – a company not exactly widely known for their excellence in all things instant messaging.
Do you have a source that it was started by Google? From looking around, they support its development but it was an industry initiative, and Samsung was one of the first OEMs to support it.
It was embraced and extended by Google.
I was asking for a source so I could look further into this, do you have any?
Neither me nor GP said that it was started by Google. Just that it was adopted by them as a solution.
Adopted by Google yes, but since when would Google adopting a technology give them full control over the future of that technology? Surely the other industry members who started RCS also have a say?

And I would argue that the language used implies Google created RCS themselves (it was their idea): "RCS is Google's idea of a solution"

My phone runs Android, I'm pretty much forced to use SMS in order to communicate with anyone who uses an iPhone and that's most of my family. While it can be argued that iMessage provides a good enough experience on an iPhone for most people, I have wondered if they are the one thing keeping SMS alive.
> I have wondered if they are the one thing keeping SMS alive.

Absolutely they are. Most of my friends and family are Pixel users and we all communicate using RCS. If Apple would just support the modern replacement for SMS (which includes end to end encryption), iPhone users would be much safer and would have a better experience.

I really dislike iMessage, but somehow Google has managed to deliver an even worse alternative with RCS:

It apparently just doesn't work with dual-SIM phones, requires a phone number and an active plan with a supported operator (at least iMessage lets me use an email address!), the multi-device story is non-existent, to just name a few.

> For P2P communication. SMS is alive and well for B2C messaging, most importantly for 2FA OTP delivery, but also as a first line of defense against spam/bot account creation.

In Brazil, businesses use Whatsapp to communicate with consumers. You order pizza and book doctor appointments over whatsapp

I think I understand your comment, since iMessage isn't SMS, but defaults to SMS for those not using it.

There are opensource self hosted solutions like BlueBubble that allow reasonably secure communication through iMessage to the other chat platforms on desktop/Android etc. I have zero affiliation, but I know others who happily use it. There are also less secure and paid solutions I can't speak to.

https://bluebubbles.app/faq/

> stubbornly use iMessange.

Personally, I prefer it over downloading yet another client, dealing with additional credentials, wondering about who can access my messages, and so on and so forth…

And all that just to message the handful of people that I know who use <popular in other country third party app>.

If only someone would release a universal protocol that the app's native messaging apps could utilize to eliminate the need for these 3rd party messaging apps. Oh, right, it's called RCS and Apple refuses to support it.
> only someone would release a universal protocol

Nobody wants this. Universal access means universal access for spammers. iMessage won over SMS because of cost and spam filtering.

> Nobody wants this.

Not nobody.

> iMessage won over SMS because of cost and spam filtering.

Really? I've never used imessage.

> Not nobody

Within the scope of messaging network effects, nobody.

> Really?

Yes. iMessage spam is rare and stamped out fast. Open protocols tend to have spam problems the moment they begin scaling.

RCS is anything but universal. It requires the explicit cooperation of mobile phone providers, which makes it a non-solution in many scenarios – including usage on any device that happens to not be a phone.

RCS is exactly what it says on the box: A modern successor to SMS. That does not make it a good modern instant messenger.

> Oh, right, it's called RCS and Apple refuses to support it.

No one wants to support it. Even telecoms don't want to support it.

Telecoms don't even want to roll out all of the infrastructure they get paid by the government to, I don't know that their willingness to do anything is a point I'd try to stand firmly on.
Exactly, so how on earth does Google think that it is a good idea to put them in charge of running the infrastructure powering the future of instant messaging?

Any chance at all it has something to do with the fact that they've acquired an RCS infrastructure provider that they can sell to telcos?

https://jibe.google.com/

Someone has to run it. Logically, the obvious party to do so the carrier providing network access to the device, which also has a recurring billing relationship with the user from which to recoup its costs, and that the user knows to contact when they have issues. As a standard ostensibly replacing SMS, and coming out of the GSMA, it's also pretty obvious it'd be biased toward a carrier-centric solution.

There are a couple other options of course, but I am not sure they are better:

* Fully federate this, a la Matrix or XMPP. I really wish this was a practical option, but without legislation I doubt any company wants to go willingly in this direction. Even if they did, it'd be difficult to contain spam at scale. It also creates 'first contact' issues; love it or hate it, the general public seem attached to the idea of phone numbers and it seems to work relatively well and unambiguously. It is also the most technically complicated and most brittle and unpredictable for users.

* Phone / OS maker operates it for their devices. You don't seem to want Google running things, so this seems markedly worse than what they have actually done which is give you options (most people can at least choose a carrier, and carriers can choose implementations). It's unclear how operating costs are recouped here, especially for low-end devices. Does this lead to feature stratification? I hope not, but probably. It's a global single point of failure, both from a technical point of view as well as a policy/jurisdiction one (can $country LE subpoena my records because the company operating the service is ${country}an - or perhaps merely operates in $country, for example?). Also unclear how users are 'found', but maybe it's a bit easier than in a fully federated system.

* Phone / OS maker partners operate the service, giving users a few choices. Not really sure why anyone would go in for this, but it's basically the same as if the phone maker operates it.

None of these are great options, but I think the carrier is probably the least-bad one. You have an agreement with them. You have the legal protections offered in your home jurisdiction, with clear jurisdiction over the whole thing. They already have a ton of data on you and access to your traffic. You have a neck to wring if the service doesn't work properly.

They really should have standardized E2EE though, not including it is ridiculous.

Literally nobody wants RCS except Google and a handful of HN commenters. It’s so unwanted that Google had to scrap their original plan of making the carriers host the infrastructure and do it themselves, because the carriers didn’t give a shit.

(And even Google doesn’t really have any love for RCS, they crawled back to it as a fallback plan with their tail between their legs when their own proprietary lock-in messaging apps didn’t work out. Which makes their attempts to shame Apple into adopting it pretty hilariously disingenuous.)

> with their tail between their legs when their own proprietary lock-in messaging apps didn’t work out

For what it's worth, they've worked tirelessly to ensure their failure.

> It’s so unwanted that Google had to scrap their original plan of making the carriers host the infrastructure and do it themselves, because the carriers didn’t give a shit.

To be fair, that wasn't Google's plan, that was the GSMA's plan. GSMA created the RCS spec, failed to get more than a handful of their members to use it, and kind of abandoned it to the wolves. For reasons I don't quite understand, Google decided it'd be a good idea to take it up, and then push it harder than any of their previous messaging services; but it's not like they came up with it.

I see that you feel strongly about RCS, but as far as I know even some of the bigger US carriers dont support the universal profile on all the Android devices they offer. So maybe you’ll get your wish some point after carriers align on RCS.
(comment deleted)
RCS the “universal protocol” is not end to end encrypted.

Google has made some proprietary extensions to RCS to support end to end encryption but this is not the same thing.

For the purpose of 2FA and account registration let’s view it as a tax for fraud prevention, where the real value in SMS is in verifying someone’s identity rather than transmitting messages
If SMS actually worked for this purpose, it would be acceptable. However, SMS provides no guarantees about: 1) If it actually gets delivered 2) If it is delivered to the intended recipient 3) 1 and 2 without anyone reading or tampering the message while in transit

Now, even if stars align, your SMS ends up on a route where nobody is mitm-ing or hijacking it, the telco systems work and it gets delivered, it is STILL not a guarantee of identity. It simply verifies that you have somehow got access to a particular phone number.

Just because consumers get unlimited SMS doesn’t mean businesses get that. The telcos are ruthless about extracting their pound of flesh at business rates.
Why is it that SMS is so damn expensive? (or more specifically, what is it about Twilio et al's businesses that makes them cost so much?)
Nothing just profit and existing system access costs set by the incumbents.
In the US, shafting customers as hard and fast as you can is the current business model. What are they going to do? Move to 1 or 2 remaining competitors with the exact same business model?
Most of that cost is literally coming from sms outside the us though. The rates for us sms are much lower than almost anywhere else.
I'll have to do some research here. Prices in the US for bandwidth, phone services, etc. are insane.
When you control access to the customer you can charge people a lot. Just like Apple can take 30% primarily because they’re the gatekeeper to iPhone users, telecoms are gatekeepers to their users so they can charge you a lot to text them. You don’t really have a choice. L
What's it cost to be an SS7 peer for a year? Could they spin up their own "phone company" for the purpose of delivering SMS verification and nothing else, cheaper than they're paying someone else's markup?
What's expensive isn't (just) the technical infrastructure, it's termination/interconnection fees charged by the destination mobile networks.
Huh, I knew those existed for voice calls, didn't realize they applied to SMS too. Makes sense, though.
Funny, because that's the reason I can't use Signal - I don't have a phone number.
In case one isn't aware, you can get a $1/month throwaway phone number from Twilio for that purpose.
That's a neat workaround for the people that can figure that out, but doesn't change the underlying problem for the majority of users at all.
Majority of users don't have phone numbers?
I'm referring to the majority of users not having (or wanting to use) phone numbers.

Some of these will be willing and able to pay $1/month to Twilio for a workaround, but most probably won't.

Aren't these VoIP? Almost every service blocks VoIP numbers for sign ups these days, but perhaps Signal is an exception.
They work with Signal, Facebook, etc. Sometimes you have to try another one to get it to work.
Sounds like a great case to get the fuck away from SMS and phone numbers.

But hey, they still want your whole address book, and announce you're on signal to everyone else on signal.

The whole "secure" thing is a joke. Its all linked to your identity via your phone#.

They want the address book because if you don't have engagement promotion features like that, there is no way to ever become remotely popular in the chat app space.

Why is the security a joke? The data is e2e encrypted, and isn't related to a phone number in any way after registration. Do you know of a better way of combining privacy and anti-abuse measures? If you don't offload identity checks to telecom providers during registration some bad actor will immediately create a million accounts and send millions of spam messages and destroy the slim chance of this type of app to exist for free.

> They want the address book because if you don't have engagement promotion features like that, there is no way to ever become remotely popular in the chat app space.

Intentionally ignoring the fact that Signal splatters your phone number to everyone else is a humongous problem. And you can even put your phone number block in your address book, and it'll tell you everyone who has Signal. This happens all the time, with Signal servers leaking all of this metadata.

And doing "engagement promotion" is what companies do to sell more shit. So, exactly what are they "selling"?

>Why is the security a joke?

Metadata, pertaining to communication patters and to whom matters just as much as what's being said.

And that metadata, like "your phone number" and "contact's phone number", and "when data is being sent to/from" is that metadata.

> The data is e2e encrypted,

> and isn't related to a phone number in any way after registration.

Bullshit. I see new people hopping on signal fairly regularly. If that was true, it'd be a simple verify-once-and-delete. It aint.

> Do you know of a better way of combining privacy and anti-abuse measures?

I reject your claim of "privacy", with regards to metadata.

Secondly, Tox has an alternate way to handle this, by allowing any number of accounts not tied to anything. Sure, it's a SHA256 id, but who cares. There, its secure AND anonymous.

Basically, I look at Signal as "better than SMS, but not much". It's basically a way to keep the phone company from scanning messages.

Signal actually jumps through quite a few hoops in order to let you and your contacts are on Signal without Signal actually having access to a copy of your whole address book. It's even mentioned in TFA.

I do agree about being linked to your phone number - doing it that way means not considering a lot of people's valid threat models. They are working on moving to usernames, though. It's in beta now.

> Signal actually jumps through quite a few hoops in order to let you and your contacts are on Signal without Signal actually having access to a copy of your whole address book. It's even mentioned in TFA.

It doesn't say how it works. If Alice's phone can tell whether her contact Bob uses Signal without Alice and Bob doing any sort of a priori cryptographic exchange, why couldn't Signal itself do whatever Alice's phone is doing?

Just wondering, are they relying on these big name cloud providers (AWS/Azure/GCP), known for predative traffic and storage pricing? Have they considered cheaper providers such as Backblaze B2 for storage and Hetzner/OVH for servers? The fees for storage, server and bandwidth could be cut by 80% if they did that.
(comment deleted)
Signal agrees: (from the article:)

... legacy telecom operators have realized that SMS messages are now used primarily for app registration and two-factor authentication in many places, as people switch to calling and texting services that rely on network data. In response to increased verification traffic from apps like Signal, and decreased SMS revenue from their own customers, these service providers have significantly raised their SMS rates in many locations, assuming (correctly) that tech companies will have to pay anyway.

...

These costs vary dramatically from month to month, and the rates that we pay are sometimes inflated due to “toll fraud”—a practice where some network operators split revenue with fraudulent actors to drive increased volumes of SMS and calling traffic on their network. The telephony providers that apps like Signal rely on to send verification codes during the registration process still charge their own customers for this make-believe traffic, which can increase registration costs in ways that are often unpredictable.

SMS has become a kind of real-world PoW (proof of work) mechanism. A phone number typically has a recurring fee to keep it working. So a live number indicates that someone is spending money (a proxy for effort) to maintain it.*

It still seems like a lot of money to spend on simple, old technology, but from the PoW perspective, making it cheaper would defeat its purpose.

*Which is why many sites reject Google Voice numbers, for example, for SMS verification.

> In response to increased verification traffic from apps like Signal, and decreased SMS revenue from their own customers, these service providers have significantly raised their SMS rates in many locations, assuming (correctly) that tech companies will have to pay anyway.

There's nothing that requires tech companies to use SMS for registration or for 2FA. The normal way to do it is by email, which continues to be free. For Signal, there is no need to do 2FA registration at all.

Signal is ideologically committed to publicizing your phone number, and apparently they'd rather pay $6 million to hold to their commitment than just... not do that.

I wish their justification for dropping SMS capability from their Android app to move away from phone numbers was a little more transparent about the obvious cost aspect rather than solely sticking to the patronizing "we're saving insecure messaging users from themselves" messaging they had. I found it pretty obnoxious. I think people generally get "valuable nonprofit + huge expense = not-sustainable = bad."
> their justification for dropping SMS capability from their Android app ... was a little more transparent about the obvious cost aspect

I'm not following. Signal gets stung for the registration SMS costs because they send the SMS to the user. They don't pay when one user sends an SMS to another user. If you send an SMS, you're the one who pays.

(I didn't realise they were moving away from phone numbers. Don't they they stay mandatory when PNP comes along?)

I wonder if you could do something clever such that you can have people volunteer their SIM for sending 2FA?
> Signal pays more for delivering verification SMS during sign-up, than for all other infrastructure (except traffic) combined. Wow, that sounds excessive.

Particularly when the phone requirement is the biggest weakness in Signal.

Getting rid of it will make it substantially cheaper to operate and much more private. Win-win.

All things considered. Pretty impressive how cheap it is to run given the adoption of the Signal.
Second time around benefits too, and the guest time was pretty efficient in WhatsApp too.
(comment deleted)
Back in the day Signal was called TextSecure and it did everything over SMS which required no centralized infrastructure aside from the cellular networks. They transitioned to internet-based messaging to support Apple devices. It seems that decision is now a 50 million dollar per year step backwards.
TextSecure! Wow this took me back to 2011.
SMS would be a complete non-starter in Europe. Many (no?) countries lack unlimited texting plans.
It's not a step backwards for me. Our organization uses signal in many situations where SMS isn't an option. When I land in a new country it is normal for my cell/SMS not to work. But I can hop on some local wifi and get signal messages. We had a widespread cell outage in my area last year. Signal not being on cell/SMS meant that I could still communicate with family without need of cell towers. This is a big step forwards imho.
> When I land in a new country it is normal for my cell/SMS not to work. But I can hop on some local wifi and get signal messages.

WiFi calling is a standard feature that does exactly what you describe for texts and calls, without using a third-party. I have cell connectivity turned off constantly on my phone and yet receive texts and calls via WiFi.

It is actually an awesome feature for receiving 2FA SMS at my parent's place where there is great internet but poor cell coverage.

WiFi calling isn’t always free internationally though, it often gets charged according to your phone plan’s international rates, which is discouraging for many people. Signal, on the other hand, just sees WiFi as WiFi.
If you check their costs, SMS (used for registration) is the most expensive part of their operation.
There was no "registration" and TextSecure never sent you messages. It was strictly peer-to-peer.
You're mistaken. I still have my textsecure account registration verification text message (because I'm a data hoarder) from March 15, 2015
Right, I totally hate being able to text, voice, video, send files, and screen share with individuals or groups of people, including half my contacts who use iPhone. Also, fuck them for making all of it sync to all my computers. And I especially hate the fact that I was not billed by telecom carriers for the tens of thousands of messages I've sent and thousands of calls I've made over it over the last 10 years.

Yes, indeed, how backwards. I wish I only used software that spied on me, or permitted others to spy on me, for those features.

(comment deleted)
I've loved Signal. It's been the only consistent way I've been able to send and receive high-quality pictures and videos at all. It's been the only way I've been reliably able to send texts when I'm in an area with poor reception, which is frequent.

The privacy is nice and it's been simple and easy to use.

I hope they stick around. Everyone likes to bash more privacy oriented companies if they aren't absolutely 100% perfect in every single way, but IMO perfect is the enemy of good and Signal has been very good.

The hardest part has been convincing people to use it, and if I have to get people to jump to another one it'll all just fall apart.

I know it's unpopular to say this on here but Signal will never be popular as long as they don't add basic features that all other messaging apps have.

- If you lose your phone or it no longer boots, all your messages are irretrievably lost. There's no way to create backups on iOS. Why the hell can't I enable iCloud backups? I know it breaks privacy in some ways but let me choose the trade off. Put a giant warning if you have to.

- The desktop app is awful and requires signing in again all the time. See the Telegram Desktop app for how to do it better. In my opinion it should be the gold standard for desktop messaging apps

- Desktop app keeps losing message history

As long as Signal treats all messages as if they're so important that even super spies should not be able to read them, and as a result, goofing usability in a way that standard features don't work, I 100% understand that the majority of people won't use it.

(comment deleted)
> Everyone likes to bash more privacy oriented companies if they aren't absolutely 100% perfect in every single way, but IMO perfect is the enemy of good and Signal has been very good.

Signal has not been good. The absolute least we should expect from any "privacy oriented company" is that they're honest and fully transparent about the data they collect and store, and Signal is none of that. Since they started collecting and forever storing sensitive user data in the cloud they've refused to update their privacy policy to alert people to that data collection.

If you advertise your service to human rights activists, journalists, and whistleblowers whose freedom and/or lives are on the line you owe it to them to be extremely clear about what their risks are by using your service, but Signal outright lies to them in the very first line of their privacy policy.

This isn't "perfect being the enemy of good" this is either a massive dead canary warning people not to use/trust Signal, or it's completely immoral and irresponsible.

Every single time I've seen Signal asked for data in a court case, they've basically handed back a unix timestamp of when the account was created and said "that's all we have". Or it was last access time, I could have misremembered.

Either way, that seems quite good to me.

You're right, that's how it used to be. They still have pages on their website bragging about times when they didn't have anything to turn over because they didn't keep any of it. A while ago that all changed. They started collecting and forever storing in the cloud the exact data those requests were asking for. Lists of everyone you've been contacting, along with your profile data (name, phone number, photo).

https://community.signalusers.org/t/proper-secure-value-secu...

If you're a Signal user and this is the first time you're hearing about this, that should tell you everything you need to know about how trustworthy Signal is.

The technical info in that community form is a few notches too technical, I work in a different knowledge base.

If someone broke down what the timeline was, what new info is being stored that wasn't before, how that is known, and how Signal has responded, etc, then that would be useful.

I'll admit it doesn't seem great. Phone number I understand, but name and contacts are more concerning.

There's a good article on the topic here: https://www.vice.com/en/article/pkyzek/signal-new-pin-featur...

Note that the "solution" of disabling pins mentioned at the end of the article was later shown to not prevent the collection and storage of user data. It was just giving users a false sense of security. To this day there is no way to opt out of the data collection.

There's a lot more information about it in various places, but Signal went out of their way to be as confusing as possible in their communications so it caused a lot of people to get the wrong idea (see for example https://old.reddit.com/r/signal/comments/htmzrr/psa_disablin...)

The forums were in an uproar for months asking Signal to not start collecting data or at least give people a means to opt out. Here's a good thread with links to a bunch of the conversations people were having at the time: https://community.signalusers.org/t/mandatory-pin-is-signal-...

Signal can be better, IMHO, by separating from phone number requirements. In other words, let users have secure random ids, rather than forcing each user to hand over their phone number for phone company verification.

It turns out the budget shows the phone number registration problem: the costs to deal with phone number verification seem to be $6MM, which seems to be 10% of the entire budget.

If Signal staff are reading this, I'd gladly pay $100/year for a phone-free solution for all users.

Focusing on app features is one thing but the bigger picture is that Signal is at risk of not existing without capital… (just donated $20 today and I wish I could buy stickers off of them).
(comment deleted)
How would it be better? Is there anything beyond not having to provide a phone number?

How would it be worse?

The phone number requirement is why WhatsApp won the space over in the first place. There were loads of username+password-based services before it, but none reached the market it did. Why? An incredibly wide user funnel, singing up is frictionless.

You might understand that it's a bad idea, but that makes you an outlier.

I don't really buy this argument. Is signing up with a phone number really that much easier for the average user than using a username/email account? Billions of people seemed to have no problems making a Facebook or Google account.
It’s the building a social network part that’s frictionless not creating user name process that’s frictionless.
The lack of a social network is why I settled on Signal. Before using Signal I tried Telegram, which requires a phone number and if they recognize your number in any of their user's contact list (which many people seem happy to allow access to), they'll send them a notification telling them their contact has joined. I got a nasty message within 10 minutes of making an account from a woman accusing me of pretending to be her deceased father. I had inherited his phone number a decade prior, and it told her I had made an account. I was so shocked they not only allowed, but encouraged such behavior that I deleted it promptly and swore I'd never use it again.
Signal does the same thing. Or maybe it used to but they changed it. I have a bunch of notifications of "so and so is on Signal" from when I joined years ago.

Can't say I've ever gotten any psycho responses from it though.

With WhatsApp, your phone number allowed you to see everyone in your contacts that you could message on there, so you could see everyone straight away. Without that, you'd have to bring your friends along and have them sign up as well, then give you their username so you can connect.
Even Instagram allows you to search your contacts. If they have their number set in their profiles, it'll find a match
Why not support both?

Let one communicate from a computer (or phone) with a username+password account, with people who use the service with phone number account.

This without the mechanism Whatsapp uses, where you can use it in a web browser, but it's still linked to your phone.

Signal has an app to use it with your computer. It's a one time linkage through a QR code. As long as you connect with the app at least once every 30 days, you never have to worry about it and, unlike WhatsApp, your phone doesn't have to be online for it to work.
Using phone numbers as identifiers (and by extension users' phone books as a contact discovery mechanism) is probably at least equally significant as a factor for WhatsApp's success.
You could do both, no?
No, WhatsApp won because it successfully replicated and replaced the SMS experience in the developing world, where the cost of data was dirt cheap in comparison to the cost of a single SMS message.

This is why it still has a stronghold as well…

Experience on WhatsApp, Telegram or any other IM is vastly better than SMS. Unless by SMS you mean iMessage - then it's even simpler - most of the world doesn't use iPhones.
I think that's the gp's point.

Given the choice between SMS and a service that provides the same functionality is free, superior in most ways, borderless, etc. the choice to use whatsapp is obvious.

Mxit existed long before WhatsApp. Possibly a decade. I used it in the developing world and it wasn't anywhere nearly as successful as WhatsApp. For example, nobody in my family used it.
Requiring a phone number also seems like a decent way increase friction for automated account creation - obviously it can be overcome, but it probably reduces automated account creation by a few orders of magnitudes, which I would imagine reduces the amount of botting/phishing/ban evasion, which could all add up to be pretty expensive to an org.
What did WhatsApp win? I've never used it, so I'm not sure what anyone uses it for.
In South America it's the standard messaging everyone uses, even businesses. No one uses SMS
I'd say it's basically standard everywhere outside the US. I lived in Canada and Europe, and eneryone is on it. All my fellow immigrants in the US are all on WhatsApp groups.
Phone verification does have value in adopting the network effects of phone numbers and integrity by making it harder to mass create accounts.
Right, it's a way to create a cost barrier without anyone giving Signal a credit card directly.
It would have very particular ethical trade-offs, but they could just make signing up without a phone number a paid option. That has the advantage of actually turning a cost center into a profit center, at the distinct disadvantage of creating a moral hazard by the exact same virtue.
That exists, and is called Threema
A bit handwavy, but allowing sign-up without a phone number could massively increase bot/spam traffic and ultimately increase hosting costs for Signal.
The deal could just be: no phone number, but you have to pay $x/year (I guess this doesn't work with 501c3?)
Accepting these payments would not be trivial, and linking them to Signal accounts would create a treasure trove of metadata that neither Signal nor its users would likely be very happy about.
Just charge $10 to create an account without a phone number and accept Bitcoin. Most people can avoid the $10 by providing a phone number, privacy-conscious people only have to pay $10, it generates revenue, and the $10 puts the spammers out of business because they don't pay $10 once, they pay $10 every time they get banned, which happens multiple times a day.

You could even automate the bans by banning anyone who gets blocked by more than two people they sent messages to, which anybody can avoid by not sending messages to people who would block them, and if it happens to someone innocent, it's still only another $10 to reactivate your account.

Session.app solved this problem well
Typical HN comment saying I will pay $ for xyz feature (which everyone, including the poster, knows to be BS)
(comment deleted)
I don't understand the concern. Signal has never been about anonymity. If you need to be anonymous, use a different tool. I like the fact that a phone number provides an additional verification that the person I am chatting with is who they say they are. As far as risk associated with having your phone number leaked to bad actors, that ship sailed years ago. I guarantee your number has been leaked a thousand other ways starting with by your phone provider.
If you really wanted to talk to somebody in a "non-decryptable" fashion, could you set up like a channel that encrypts itself with a ton of different encryption methods, keys, etc. (encrypted payloads inside each other)

Signal encryption is its main feature (I think) and how easy it makes it (abstracts handling key transfer and all that), I'm just trying to think through... if I wanted nobody to read what I was saying , would I use an app/target as popular as Signal or something homegrown?

You don't need multiple security protocols (and in fact that is almost always a bad idea). You just need one good protocol and a way to securely exchange the keys. What signal solved for the most part is the secure key exchange.

If you want to talk to one person, you can give them a USB key in person with a set of crypto keys and then use that to encrypt your messages over any transit method and it will be secure.

The hard part is the key exchange.

It's a bit off topic, but I've wondered the same.

We could stack a hundred layers of encryption algorithms, and if just one of them works, then the whole stack is secure.

You could, but you'd be adding complexity to solve a mostly non-existent problem. Security is rarely broken because the algorithm itself is broken. It's usually because one end has a key logger or other vulnerability. Or they are literally storing the unencrypted text in an unencrypted data store after reading it.

In the meantime, the added complexity adds new places for errors.

Yep, people who think about messaging security as a problem of sending data from one computer to another are missing a huge part of the attack surface. To fully understand the entire problem set, we need to consider the entire pathway from one human's brain to another.
lots of drug traffickers went with something homegrown (Anom), which turned out to be an FBI front. they'd have been a lot safer sticking to Signal. and you can audit the Signal client's source code, which is enough to verify its secrecy.
I think the biggest risks for most people are going to be around key management, social engineering, and exploitation of terminal devices (i.e. if somebody has compromised your device running signal and can observe the message before encryption or after decryption).

More layers of encryption doesn't really solve those problems.

> Another $19 million a year or so out of Signal’s budget pays for its staff. Signal now employs about 50 people, a far larger team than a few years ago.

What? I know silicon valley salaries are a thing, but absolutely everywhere else in the world this would be insane. Maybe change the headquarters to somewhere cheaper?

I keep re-reading this section of their blog post trying to figure out what I'm missing here. $2.6 million full load per employee on avg? Is this heavily weighted to a few executives? Can somebody explain this to me?

Edit: I'm stupid and did the math backwards.

Only thing I can think of is it incentives them not to put backdoors into Signal/get fired.
You mathed backwards. It's $380K per person fully loaded. Which is pretty inline with decent tech salary these days.
That is their total cost, not the salary paid.
Yes, which is why I said "fully loaded"
I think your math is off? $19M/50 people = $380,000?
You're doing that division backwards.
Isn't it 380k per person in average? Seems like in-line with FAANG salaries in major US cities.
(comment deleted)
A few employees and their compensation are listed on their Form 990, page 7. Sidenote: did "Moxie" legally change his name from Matthew Rosenfeld?

https://projects.propublica.org/nonprofits/organizations/824...

They have devs and support engineers earning 700k, more than the CTO?
700k to drag your feet on implementing usernames for a full decade, seems cushy.
It's in testing now; you'll soon have to switch to complaining about some other thing.

Anyway, considering usernames required an extensive redesign of how Signal works, it's not surprising it took 5 years (3 years of full time)

Costs for staff are not just salaries. It's also pensions, taxes, benefits, the offices, software licenses and all the other stuff. I've often heard 50% of total cost going to salary, but it varies.

Still does seem high though.

Pensions aren't a thing in the U.S. anymore, especially not for tech. And when a U.S. company says "staffing costs" that does not include licenses, offices, etc. It's strictly salary and benefits.

According to Signal's 990, it's paying multiple employees over $700k. That's above-market for corporate compensation, and it's way above market for non-profit compensation, to the point where it could be considered private inurement.

They cover this pretty substantially in the post on Signal's website (I know they merged the Wired article into this one).

Signal is trying to compete with the richest companies in the world; including for talent. And considering Signal's origins and motivations, they're not going to lower salaries or decrease benefits because some people believe that working for a non-profit automatically means lower compensation.

Engineers doing the same work on iMessage and Meta Messenger, i.e., their direct competitors, make less than 660k/annually in salary and benefits.

This means that the pay packages are likely not based on comparable market wages, which is an actual legal requirement for highly compensated employees for U.S. charities.

$660k total comp (including benefits) is probably right in the median of what an e6 earns at Meta. I don’t know where you’re hearing otherwise.
Signal had 40 million active users in 2021 [1]. With 14 million in infra cost, that comes to .35 per user/year. Total expenses are about 33 million, so about .825 per user/year. All in all that seems very reasonable.

[1] https://www.businessofapps.com/data/signal-statistics/

Based on App Store downloads on both platforms, they are well over 200M at this point.
A lot of people, myself included, have it installed but never use it after they dropped SMS support.

Only a tiny fraction of my contacts use Signal, and most of those are also on Whatsapp, Telegram, Discord, and others.

Signal offers essentially nothing to me.

Except real privacy?
Not even that, because it is linked to phone numbers.
Afaik you can crrate an account without a number.
No. You can just hide it from other users in group chats now (and perhaps 1:1, didn't yet check but you still need one to sign up)
Where is the option for group chats please?
Not yet, but they are working on that.
Username registration is currently being tested: https://community.signalusers.org/t/public-username-testing-...
> and register for a new account with a phone number (you can use the same one you’re using in Production).

I hope that they make it so you can register WITHOUT a phone number. Perfectly fine if it's not the default. This is post is currently implying that is not currently the case.

So this puts signal on par with telegram, not above? Am I missing something?
Telegram's encryption is opt-in which means most people don't use the encrypted chats at all.
Signal is private, but not anonymous. Related, but two different things.
Why is it more private than WhatsApp?
I encourage you to read the article, but Signal minimizes the metadata it stores about you, doesn't hold on to you contact list, doesn't keep information about your IP address, etc.

WhatsApp instead makes tons of money from this kind of metadata.

Using WhatsApp means Facebook/Meta knows the timestamp, sender and recipient of every message sent.
Pay attention to WhatsApp's wording (all privacy/security claims start with "your messages"), and their privacy policy, and you'll see that while message involving with individuals (non-Business users) are secured, your contact list is not, neither are chats with businesses or the metadata about you chatting (destinations, frequency, time)
(comment deleted)
The sms decision made signal go from THE messaging app on my phone to an app I only use with a very small subset of my contacts. It is infuriating that they didn't allow users to retain that functionality when it costs them nothing, and they could have disabled it by default.
You paid them nothing and are infuriated. Interesting.
Many people care about Signal, and it is okay to dislike their decision. OP didn't demand from Signal to support SMS, but they expressed their emotions about the change.

Signal is an awesome project but some of their decisions annoy many users. E.g. Signal does not allow to automatically save all pictures in the gallery. It's a privacy feature, but it's inconvenient since it forces me remember to download each image seperately.

I still use Signal a lot, since most people I frequently talk to use it. However, this was extremely frustrating. Having 1 messaging app for so long was incredibly nice.
My lawyer stopped using signal due to the sms support being dropped. It became too much of a hassle and wasn't worth it.

Many of my family also dropped Signal.

It is now really only used by the hyper-privacy conscious.

I really don't get why people are still using SMS. Is data really that expensive?
I'd be happy to pay $1/year for signal, and I'd pay $2/year if it were decoupled from my phone number.
If you pay Signal $1/year, they'll realistically see about 60-70 cents of that – and that's only considering payment processor fees.

Now add the cost of providing support (it's a paid product now!), payment handling on their end (in a privacy-preserving way, which excludes most common payment methods), and top it off with the immense damage to the network effect by excluding all the users that can't or simply don't want to pay $1/year...

Donations seem like the much better option here.

You can also charge for a 10 year minimum and get to a higher retained %

You don't need to provide support, even much more expensive consumer services live without a proper one, so being explicit about the fact that you only pay for infrastructure could suffice

Not sure why payment privacy has to be so strict for everyone

The network effect damage is real, but maybe it could be limited with donations :)

Selling a service automatically opts you in to all kinds of consumer protections, either legally or de facto through the dispute mechanism of the payment methods your customers use.

Just ignoring customer complaints and selling the service "as-is" is usually not an option.

Why is it not an option when it already exists in many places (all these protections fail all the time)? Your first sentence doesn't imply high/expensive level of customer service

Besides, even now they're not ignoring all the complaints, the do fix bugs?

Maybe to be more specific, how much did it cost WhatsApp when they had $1 price and a tiny team? How does it compare to the cost of SMS?

In a December 2013 blog post, WhatsApp claimed that 400 million active users used the service each month. The year 2013 ended with $148 million in expenses, of which $138 million in losses.[1]

FB acquired them next year and if my memory is correct there were 19 in the team then.

[1]: https://en.wikipedia.org/wiki/WhatsApp

That $ figure tells us nothing as it includes those same huge SMS costs that Signal is on an unsustainable path to rack up

With just a bit more effort you can see that most of those $148 are not related to the extra customer support we're discussing, but rather to the things that Signal is already doing

Costs and expenses in 2013:

Cost of revenue 53 (payment processing fees, infrastructure costs, SMS verification fees and employee compensation for part of operations team)

R&D 77 (engineering and technical teams who are responsible for the design, development, and testing of the features)

G&A 19

So for $10M revenue, they had $53M cost of revenue. I think asking for $1 is never going to be sustainable, even if leave all other costs. My guess is that "employee compensation for part of operations team" is the primary one taking all the cost, as payment processing fees couldn't be more than the revenue itself and one message is pretty cheap.
Why not? Someone calculated above that total costs are below $1 for Signal even with all the SMS waste (also, it doesn't have to be a literal $1)

Besides, the original point was about huge$ from running a paid vs free app, which isn't the case

Thanks for over-analyzing my comment. $1/year, $2/year, $5/year, is all insignificant in the wide array of things I pay for. Sure, I'd pay $10/year for Signal as it is today if they really needed me to. And I never said to make payment mandatory. You're just way over analyzing a simple comment.
I'd pay much more than $2 if they offered account identifiers other than phone numbers. Trying to get a burner SIM or DID while still staying anonymous is getting increasingly difficult.

But I think it's pretty clear by now that this is a feature for FVEY IC, not a bug. FFS, they burned development resources on stickers, but abjectly refuse to offer alternative account identifiers. The standard apologist response is, "but phone numbers make adoption easier". Sure, but nobody is asking to replace the identifiers, or even to make them nondefault. We're just asking for the option. It could be hidden behind a developer mode for all I care, but it should be there.

The fact that they abjectly refuse to do it is enough to tell you about what their true motivations likely are.

Agreed, at this point I don't believe the "privacy" aspect of Signal's sales sheet means anything. Most that I know use it primarily because they can have clients on all platforms, including desktop.
> We're just asking for the option

Indeed, the Wire messenger is done like this - it offers phone number, but has an option to not use them and only rely on the usernames (although I think you need to register in the web browser for that)

I'd pay substantially more for Signal if I could bot accounts.

I'd like a signal daemon on all my servers for alerting which could message me via Signal. This is worth a monthly fee to me.

I know people running small businesses who would really like to have a business Signal account: an ability to send Signal messages as a business identity without tying it to some specific phone number. This would be worth a subscription even if they had to get their customers to install Signal.

Signal need to figure out what product they sell that's going to fund the privacy objective: because there's plenty and they're worth having.

If you want one for just personal use; this works well: https://github.com/AsamK/signal-cli

Just sign up with a Twilio number (using voice call) and you can make your own bot.

I know I could do these things, but the problem is (1) it's a cat and mouse game of trying to keep up with functionality they don't want to support and (2) means I'm not paying them for a service, which is the point of doing it.

IMO Signal need to figure out what they sell to people with the money to say "yes, this service helps me make money" so they fulfill the big mission statement. That's true viability.

Within that bucket there's some real obvious ones: server monitoring and alerting (I have Signal, let my severs have Signal so they can talk to me, maybe at an agreed reduced throughput rate so someone doesn't just try to run TCP/IP over it), and letting businesses have a secure multimedia messaging channel to their clients for notifications.

I find signald better. It also supports acting like a desktop client... so you can just add it to your account easily. signal-cli might do that also, but I stopped using it in favor of signald when I found that one.

But yeah, I hear you. It would be nice if it had a official bot interface where maybe all the bot's receipients have to be whitelisted so that it's easy to use for stuff like server monitoring but not easy to use for spamming.

I wonder how many people paid the $5 for WhatsApp back in the day. It gave you nothing but you were able to do it. I think I did.
I've been using WhatsApp when the nominal $1/year fee was still around, but somehow never ended up being actually charged, and I don't know anyone that did.

It's possible that they were only enforcing it in some regions, though.

Indeed. I just ignored the dialog box the first time it popped up. But next year I paid. It was quite a big deal because back then it was equal to my entire monthly cellphone bill in Pakistan.

But I remember other people started to en masse switch to other messengers like Viber(?). And Whatsapp had to stop enforcing the fee.

I was billed 0,99€ (Germany) exactly once, but was able to use WhatsApp without payment for most of the time just by ignoring the notification. I remember that they repeatedly gave grace periods and just set another payment date a few weeks later.
I have an old receipt in my Google Pay for whatsapp at a whopping 99 cents :)
Definitely reasonable but the ultra privacy-conscious/paranoid can't easily donate or pay privately.
Sure, but privacy isn't black or white. A donation to signal does not compromise the content of your messaging.

So what you've leaked is the information that you have an interest in private conversations. This might be a problem in some countries, but I think it's fair to ask folks in affluent countries with working (sorta) democracies to shoulder that burden. I.e. you don't donate if there's elevated threat to your safety, there are enough people who aren't under elevated threat.

There's also the possibility of using a donation mixer like Silent Donor, though I'd evaluate that very carefully. (There's a record of the transfer in, and the mixer needs to keep temporary records for transferring out. There's also the question how you verify the mixer doesn't skim.)

Some donation mixers accept crypto currency, so for maximum paranoia, I suppose crypto->crypto mixer->donation mixer->charity might be workable. Or hand cash to a friend who donates in your stead.

As always, the best path is to set aside paranoia and build a threat model instead to see what the actual risks are.

There's never enough talk like this and I'm not sure why. It's always about the threat model. In this respect I always like to think of it in terms of probability. Probabilities and likelihoods aren't just about capturing randomness like quantum fluctuations or rolling dice, they are fundamentally about capturing uncertainty. Your threat model is your conditions and you can only calculate likelihoods as you don't know everything. There are no guarantees of privacy or security. This is why I always hated the conversations around when Signal was discussing deleting messages and people were saying that it's useless because someone could have saved the message before you deleted them. But this is also standard practice in industry because they understand the probabilistic framework and that there's a good chance that you delete before they save. Framing privacy and security as binary/deterministic options doesn't just do a poor but "good enough approximation" of these but actually leads you to make decisions that would decrease your privacy and security!

It's like brute forcing, we just want something where we'd be surprised if someone could accomplish it within the lifetime of the universe though technically it is possible for them to get it on the very first try if they are very very lucky. Which is an extreme understatement. It's far more likely that you could walk up to a random door, put the wrong key in, have the door's lock fall out of place, and open it to find a bear, a methhead, and a Rabbi sitting around a table drinking tea, playing cards, and the Rabbi has a full house. I'll take my odds on 256 bit encryption.

They take checks by mail. You definitely can do a cashier's check and I'm sure they'd take the "cash in an envelope" method that places like Mullvad do too. Looks like they also support crypto, and that includes Zcash. So I don't think this is a great excuse. The only "can't easily donate" aspect is going to also be tied with the "can't easily get a cashier's check or find an anonymous person to sell me bitcoin for cash" kinda issues, and when you're operating at that level I'm not sure anything is "easy." (but that's not that hard usually)

https://support.signal.org/hc/en-us/articles/360031949872-Do...

How is a check in any way private? Your name is on it.
A cashier's check doesn't.
Ah ok I didn't know those still existed. In fact even the named checks are long gone here in Europe lol.
Oh yeah, I have an old checkbook that I've had since like 2010 because the only ones I've ever used are for random landlords. Otherwise it's literally easier to get a cashier's check, which you can (in America) do at any bank or grocery store. Note that some are free and some aren't, so check beforehand. I don't think these will ever really go away tbh
I think they will, America is just very traditional. Things tend to stick around for longer. The magstripe also lingers there even though we've got rid of it for years (though unfortunately our cards still have them in case we need to visit the US - I don't like having them because they are skimmable).

Nobody would accept a check here anyway as they're not guaranteed. These days I pay with my watch or phone everywhere (Samsung Pay). I don't even use the chip on my card anymore. And payments between people happen digitally too (a system called Bizum here in Spain).

Have you considered intentionally corrupting the magstripe data by running a strong magnet over it?
Maybe, but these some big utility to cashier's checks. They're essentially cash that can only be deposited by a specific party. I also don't think cash is going away anytime soon. And while it isn't common for me to issue a check, it isn't uncommon to receive a check. They're just always form businesses. Even ones that have my direct deposit information.

Fwiw, in America I use my phone to pay for everything too. But there are edge cases and tools like these often have utilities in domains that might not be common to the average person but are to specific groups. For example, these are often used in situations where cash is preferable but you wouldn't want to cary that around, like real estate down payments and buying a car. Some settings are sensitive to the exchange times (though that money looks like it is in your account instantly, it isn't).

I just wouldn't be so quick to make such a conclusion because it's pretty likely that your experience is not general. Despite America treating corporations like people, I'm pretty confident you aren't a corporation.

> Nobody would accept a check here anyway as they're not guaranteed.

Btw, a cashier's check is. Like I said, it is as good as cash.

Hi, privacy and anonymity are different things. Named transactions can still be private.
Signal requires a real phone number to open an account, you are not anonymous to Signal.
Phone numbers can be obtained anonymously in many countries. I have several anonymous Signal accounts, each with their own anonymous phone number.
It's possible in the US, but it's getting very difficult. I don't know anywhere you can buy or or borrow a DID with Monero anymore. Looks like they got to Telnum recently.

You can still buy a SIM, a prepaid PIN, and a phone with cash, but you'd need to pay a non-correlated person to be seen on CCTV to do it, at a non-correlated time, and hope they don't just take your money and leave you nothing at the dead drop.

Then there's the hassle of setting up the account in a way that's not correlated with your location, normal waking hours, etc.

All of this could just be avoided if Signal did the right thing.

But they won't. Ask yourself why.

Why are you typing my comments?

Exactly. They won't because .... reasons.

Why would you not need to be seen on CCTV? This has nothing to do with the privacy of Signal.

I buy all of my anonymous prepaid SIMs with cash at retail myself, and they are still anonymous.

The only time you’d need to stay off CCTV is if you were using them to commit crimes and expected a significant investigation to be undertaken.

Your casual assertion of malice on the part of Signal is not supported by any facts.

I can pop into almost any phone shop around here and walk out with a free SIM card, which I can top up for cash.
Mastodon org + Mastodon.social also have costs of 0.6 EUR/year, though they have two orders of magnitude less users [1]. This is really what most social media costs. These rates are even payable by many in poorer countries.

[1] https://news.ycombinator.com/item?id=38117385

With how much Mastodon.social tends to fall over when Twitter does something stupid (again), their rates are probably a bit too low for a more robust service like Signal.

Signal also intentionally doesn't store too much data, long term data costs will slowly grow over the years. I imagine for a bigger platform, costs can grow to multiples of the rates for Signal and smaller Mastodon servers.

€10 per year should be more than enough for most users, though, and it should be quite affordable for most countries.

Signal also fell over flat when the whatsapp outage happened a couple years ago. It's just difficult to handle spikes in demand.
Yeah, the issue is more that there is substantial friction in paying any amount of money, especially in poorer countries with no access to e.g. banking or payment cards. I'm sure no one here, and few people even in comparatively poorer countries, would object if Signal/their messenger of choice cost 0.60$ per year to use. The problem is that making the service have a ~1$/yr price tag (as WhatsApp once had) is itself a barrier to a huge portion of the target audience.
In Pakistan at least, sometimes you can donate to charity etc by texting a special number [1]. That subtracts some fixed amount from your prepaid mobile balance (which the vast majority of people use) or adds to your postpaid bill. I imagine its possible for some business to charge customers this way as well.

Then again, instant C2C and C2B digital payments using mobile phones is growing extremely fast in most of the global south.

[1] https://www.app.com.pk/national/pta-introduces-9999-sms-code...

Whatsapp got pretty big at 1 eur/year (iOS) and 1 eur for lifetime (Android) here in the netherlands.

I do fear they'll loose most tech un-savvy users because they don't know how to pay (safely).

That doesn't mean they were actually profitable at those rates though. They could have been in growth hacking mode with venture backing.
They were well-known for not doing that, though.
Hmm but then how did they manage before asking for that 1 euro? There were a whole lot of years where it was completely free (yes before the Facebook takeover). Here in Europe we've only needed to pay once or so until it got taken over.

There must have been some kind of venture backing because there was no money coming in at all from users for a long time.

I looked further and you were pretty spot on! It ran a loss of 138 million in 2013 alone according to their SEC disclosures for that year.
It’s beginning to sound like the 1 EUR/year that at some point WhatsApp wanted to charge and it seemed reasonable to me at the time. Signal is even better and even more so justified.
They used to "require" a subscription of 1$/year but it was not enforced. If you missed the deadline, nothing happened. It was basically the WinRAR model but for an online service.
(comment deleted)
This is kind of the number I was looking for -- "Cover your own costs: $1/year. Cover yourself and five other people: $5/year." I feel like something pointing out that the costs are around $1/year on signing up, maybe with a reminder once a year, would get most people self-funding pretty quickly.
Reminds me of ... WhatsApp :D

(Originally WhatsApp charged $1/year.)

And I was SOOO happy when I heard WhatsApp's business model: Finally, I'M THE CUSTOMER! I gladly signed up for the "free year" and started getting other people to sign up for it... only to have it bought by FB, and never charged my $1 yearly fee. :-(

Then I tried to get people to use Telegram, but hey never implemented encryption by default, instead implementing things like chatrooms with millions of people... then I signed up for Signal, but waited to see what would happen -- and they started doing some weird crypto thing. Thankfully that all seems to have not been an issue, so I might actually start recommending Signal.

Yup. Same, re: WhatsApp and the $1 annual fee. It made so much sense "lightweight service, charge $1/year, have 1 billion customers."

These days I use Signal mainly. But also WhatsApp. And Messenger. And SMS for folks who don't have any of the others.

And my iPhone friends complain about how terrible it is to text Android-users, because iMessage.

Oh I should add that it seems that college students these days have standardized on messaging through ... instagram.

(comment deleted)
I'm paying what works out to about 15 cents per "booking" in my app due to API fees. Maybe more,.. and I'm just now realizing we'll probably be losing money if people used their accounts to their limits. Like 500 bookings would cost me at least $75 but we charge about 50. Anyway $1/year is great
Very reasonable with only 40 million users?! It's shockingly expensive.
Who is the active user base for signal these days? Everyone I knew who was using it dropped off after the SMS debacle, which was a shame.

Edit: Wow some weird haters on HN today. I was honestly curious as an active signal user that was no longer able to use it to message people in North America and had never seen anyone using it in East Asia. Apparently this makes some other signal users very angry.

I've converted all of my friends and family to using it. It's the "social media" for my world now. I'm probably an outlier for that, but it makes me happy!
I've been to a lot of meetups in the last year and exchanged contacts with people. As a nerdy idealist running a deGoogled Android with no proprietary software, I always have to tell them that I don’t have WhatsApp, just Signal. Again and again I have heard the reply, “Oh, yeah, I’ve got Signal, I use it to buy drugs.”

So, that’s some of the active user base in my city, but none of those users are very motivated to use Signal with their network of contacts in general. There WhatsApp reigns.

> “Oh, yeah, I’ve got Signal, I use it to buy drugs.”

Funny, people around here in Germany say that about Telegram.

Buying drugs from shady people online like on Telegram channels is a good way to get you not high or killed. Apparently they're selling HHC now that looks like bud? No thanks. I'll stick to my local guy straight from behind the bushes next to the park.
those users probably have a far lower impact on Signal's operating costs because they're only sending the occasional message instead of using it as a broadcast platform.
That's been similar to my experience in the last year. WhatsApp or even worse, Snapchat, seems to be the preferred "private" messaging platforms, which is depressing to say the least.
Lots people are replacing meta/insta/WhatsApp with signal chats

Especially for long term chats with friends and fam.

I happened to start using it with my spouse only to apple just one kind of messaging notification to come thru.

I still use it, and ask my friends & family to use it as well.

What would you recommend to use instead of Signal?

I have yet to find a replacement that both I like and other people use. Matrix and Session I have yet to find anyone using, telegram seems to be almost entirely bots in my area, and WhatsApp etc are owned by Meta.
Same people who use WhatsApp for example.

The SMS issue was mainly a problem in the US where people used it for SMS and therefore never mattered since that communication was never secure. Those people probably never even cared for security since they, as you said even went out there and actually uninstalled an app. Something people seem to rarely do.

I use it for friends, family and colleagues. People now started asking me for it (or safe alternatives to Facebook Messenger) since Facebook started asking people to pay for non-targeted ads recently. They actually got people to think about the data they share with an outdated social network.

Yep, the whole point of Signal for me was the SMS component. I put up with the old-fashioned UI for that reason. Now it just looks and acts like a Telegram clone.
(comment deleted)
Has anyone tried setting up their own Signal server? Be cool to do this, and then give all your friends the ip for truly private messaging.

https://github.com/signalapp

Seems like all their stuff is open source.

unlikely the people i want to talk will bother setting this up
And the people those friends want to talk to. And the friends of those friends.

To have self-hosted chat services, you either need a niche enough service that you'll never have two parties that would want to talk to each other while being on different servers, or federation. Signal chose the former, so here I am with eight communication apps on my phone.

Maybe the next best thing could be to support multiple servers, like how email clients let you fetch data from more than one email provider, if they're so worried about federation inhibiting their ability to control the ecosystem that they plainly won't go there and hold speeches about how harmful that situation would be. Then we could have self hosting and also Signal wouldn't have to care about federating with my self-hosted server.

Layer it on top of something like Matrix, then?
I mean the idea would be you download the app but use my server instead of of the default ones.
This can be a premium feature. Run your own server and for a little bit of money you can configure your client to use an alternative server. Client code is what make it private and secure, so you want to use their verified client even with your own server.
This makes sense and in the same time it doesn't. You're supposed to pay to use your infra, not theirs?
Offering self-hosted servers would probably just degrade the security guarantees of Signal if people misconfigure them. Doesn't seem to be worthwhile for the Signal foundation to run into this risk of undermining their own reputation for a niche user base who cares about self-hosting.
> Doesn't seem to be worthwhile for the Signal foundation to run into this risk of undermining their own reputation

It's a bit too late for that. They undermined their reputation when they started permanently keeping sensitive user data in the cloud (like a list of every person you contact), and then again when they refused to update their privacy policy which lies to users about their data collection practices, and then again when they killed off the ability to get both "secure" communications and unsecured SMS, and then again when they started adding weird cryptoshit nobody asked for. Signal seems to be telling people as loudly as they can not to use/trust them.

In my mind, the whole point of using Signal is that I don't have to trust the server. Why would it matter who hosts the server if we can trust that the clients' communications are E2E encrypted?
Some of these things raise an eyebrow and I'd like them further broken down (but in the mean time, I'm still donating):

* $19 million for 50 staff

  - That's $338k/head on average. At face value for a nonprofit, I'd like these costs broke down as this seems excessive. There is far cheaper IT labor available outside SV.

* 20 petabytes per year of bandwidth, or 20 million gigabytes, to enable voice and video calling alone, which comes to $1.7 million a year

  - I'd drop these features if possible, or give them to donors.

* Storage: $1.3m, Servers: $2.9m

  - I was actually expecting this to be far higher

  - Long term storage should probably be donor-only

  - Servers could likely be optimized by going hybrid cloud with colocation and owning own hardware, but again, was surprised how "little" they're spending on this.

* Sms registration fees: $6m

  - Stop contributing and supporting the "Your phone number is your identity" problem.

  - Move towards helping educating society and establishing a set of encryption keys as their long term identity


It's easy to criticize from the bleachers. Still thankful for the app and I'll continue to donate.
One thing I question with that is that if you gave features to donors only, wouldn't that mean that signal now needs to track users in ways that aren't privacy preserving? I.e. you'd be able to know if any given user using signal now has given payments to signal. I'm not sure that'd work with what they want to do as an organization.
They need to dump sms entirely. Use on device private keys. If users mess it up, it’s on them. People need to get educated about how to manage private keys.
As someone technically savvy, I don't trust myself to manage my own private keys sufficiently for a service that's the point of contact for all my friends and family. I think it's a much taller order for someone without the technical knowhow – remember that Signal's audience includes very non-technical people who don't have time to learn the technical ins and outs but absolutely require its utility, like journalists and dissidents.
Then few will use it and Signal will die. There is this gap between the ideals of the technically-minded and the reality that users live in. They tried to dump SMS - and people responded by not using alternatives. The entire sales pitch of Signal is that it is easy and unobtrusive.
It's easy to say that "you should do x" from the bleachers but when you're in the arena you run up against reality. For example, Signal had a blog a while ago about how they tried to avoid the sms features, actually for privacy reasons, but they found people just didn't use other alternatives. Here's a reddit thread of users advocating for SMS support https://www.reddit.com/r/signal/comments/y3ymfl/keep_sms_sup... .

So it was the best of all the available options practically, if they wanted to grow and retain the users.

  - That's $338k/head on average. At face value for a nonprofit, I'd like these costs broke down as this seems excessive. There is far cheaper IT labor available outside SV.
You get what you pay for, though. $338k/year seems like a reasonable salary for people working on something as privacy critical as Signal – just because you're working for a nonprofit doesn't mean you have to work for less competitive wages.
Also, employees cost more than just their salary.
I wouldn't be surprised if overhead turned out 1/3 of that figure.
> $338k/year seems like a reasonable salary for people

That $19M/year was total employee costs which, as best I understand these things, can often work out to be double the raw salaries which would bring the average down to a slightly less excessive $170k/year.

IIRC, employees cost the business ~150% of their salary. That means we're looking at more like a $220k/yr salary on average. For a bay area company, that seems completely reasonable.
Nonprofits, as with for-profits, must pay competitive wages or they will have trouble getting the expertise that they need. $338k/head seems reasonable when you also consider taxes the company must pay for each employee.
Whilst competitive salaries are important, it's fair to say that, outside of the US, you can get good people for a lot less than $338k/year.

To give one example of a (not that cheap) market, outside of London average developer salaries are probably under $50k in the UK. Even accounting for additional costs like taxation and equipment, that's likely to be under $100k fully loaded.

> outside of London average developer salaries are probably under $50k in the UK

For top-notch security developers, I call bullshit. Signal would be worthless if it started offshoring development to nickel and dime.

I said Average for a reason :D I didn't say you can get "top-notch" security developers for that.

I don't think there's industry numbers for that set of people in the UK, as it's not a big enough set. However I'd be surprised if they were 150K plus though, that's a very rare salary in the UK.

Also there are cheaper countries than the UK who have great devs.

There's definitely top-notch software and security engineers making well north of £150k in the UK. As you go up in levels, it's indeed a small set of people, but FB / Google comp for a top L7 engineer working in the same space as Signal engineers can be $700k+ in the UK. Just have a look at levels.fyi, and you'll see that even finance will pay over $500k in London. Furthermore, given how small the group of people are at the top of these companies, very few will self-report their incomes publicly, which is why you'll rarely hear about the engineers making $1M+ – but those cases do exist.

The people behind Signal pioneered end-to-end encryption, and as is pointed out in the blog post, there's still a lot of novel cryptography development involved in building a privacy-first messenger. You can't do that without top-notch talent.

"just because you're working for a nonprofit doesn't mean you have to work for less competitive wages"

Actually it does usually. Because when people see real meaning in their work, as opposed to find yet another way to manipulate people on other peoples behalf, then you don't have to buy their consciousness as well.

So sure, it is awesome, that signals employers get to have meaning and money. But I would bet, you would find competent people working for less. (And maybe somewhere else)

But .. they do have a working app and organisation right now and drastic changes could destroy that.

Why shouldn't we want to pay people working at non-profits the same for their labor than they would get at for-profits? If they are doing just as or even more important work, why do we want to bend over backwards to justify them getting paid less for it?
Because funding is limited. And the goal is to maximize the impact, not make some people happy.
costs for a nonprofit are the same as costs for a forprofit

there’s just a bunch of nonprofit employees or personnel that play on the pauper perception because its convenient, but “nonprofit” and no money is not correlated to anything

so if those employee costs were excessive for any organization, saying non profit doesn’t make them more or less excessive

I think tech talent is undervalued and should at least compete directly with FAANG, for many organizations this is not possible, for organizations with other liquid assets they create (like Signal) it is possible. All employment hasnt risen with cost of living, I’m not familiar with other sectors.

> That's $338k/head on average.

Oh come on. Just because the organization is non-profit, meaning that it's not out to make a profit for shareholders, is no justification for the staff to be paid below their market worth. In fact, they could definitely earn more by quitting and working at for profit companies. And that is especially true for those who are getting the higher end of the compensation.

And say that staff number was like, $5m/year less? It doesn't change the fact that costs of running are substantial and more donation is needed from those who want it to remain viable.

< "* 20 petabytes per year of bandwidth, or 20 million gigabytes, to enable voice and video calling alone, which comes to $1.7 million a year - I'd drop these features if possible, or give them to donors."

How about they pull their socks up and use peer to peer technology instead? Messages are asynchronous so they need to be temporarily stored but routing real-time audio and video is a technology problem that they have chosen the expensive way to solve.

If signal adds username only accounts it makes sense to relay calls if users don’t want their IP leaked to the other person.
They are peer-to-peer by default between people in their contacts list. That is for when calling someone that isn't in your contacts list or for people that have enabled the relay all calls option.
Thanks, very interesting. IMO, that is an insane amount of money to pay for a non-default feature of a free product.
> far cheaper IT labor outside

This is a product that solves some of the harder problems of engineering, and has a staff of 50. Cheaper isn’t going to get you the best. If you had a staff of 1000, you could make that argument. Besides that’s not a lot of money to begin with. 340k is a senior engineer salary and I am sure the people running the company are far more capable than senior engineers.

> drop those features

That’s a valid argument, but 1.7M for that 20PB of bandwidth is not a lot of money. Dropping or making the features paid, defeats the purpose. If you’re trying to be the privacy first app that competes with WhatsApp and others, this would make it harder to be a viable alternative.

> sms registration fees

Education is a harder problem to solve, but offloading some of the costs to users may make sense here.

> $19 million for 50 staff. That's $338k/head on average.

How did you compute this? 19/5 is 3.8

(comment deleted)
> I'd drop these features if possible, or give them to donors.

They can't really do that, it deters adoption of something with a network effect.

The real issue here is that direct connections have privacy implications (maybe you don't want the other party to know your IP address), so they relay everything. If they could solve that they could save a lot of money.

For example, detect if the user is connected via a known VPN service (which is likely given Signal's user base) and then let the VPN hide the user's IP address instead of Signal having to pay for it. Or make a deal with popular VPNs to put the relay servers in their data centers, which gives a similar advantage and they might be able to get better pricing from them in general because the VPNs already have a lot of bandwidth, are sympathetic to what Signal does and could use it as PR.

Making it so that only one party need to have a pro account might help a bit
Still doesn't work. Any two people don't have a pro account and they stop using it in favor of a competitor, and then their other contacts use the competitor too. You can't charge for something WhatsApp has for free.
I wish I could use signal without a phone and phone number. Otherwise it is useless to me.
> As a small nonprofit organization, we cannot afford to purchase all of the physical computers that are necessary to support everyone who relies on Signal while also placing them in independent data centers around the world.

This is really the crux of the problem. ~$3M of servers per year is more than enough to start purchasing hardware, I wish there were easier ways for people like me to participate and help Signal on the cheap.

As someone who participated in the builds they complain about being expensive (and ignoring their , I don't think it's a function of centralization or "troubling" as much as it is practical. Meta, Google, etc all have many billions they could be saving if they could figure out how to make it cheaper too.

Is it possible to self host signal? Can signal move towards a model like the fediverse where the software development is decoupled from the hosting costs?
They are actively working against self hosting, which is why I want matrix to succeed and signal to die
Registration Fees: $6 million dollars per year... how come sending sms cost so much?
I donate to signal, and use it frequently. But I would much prefer for the app to simply charge users rather than beg for donations. Even better would be to charge users in a way that reflects the costs.

For instance, maybe verifying a new number over SMS should cost $0.10 if that's going to make up 14% of the operating costs.

Begging for donations to subsidize excessive use by other users just doesn't seem sustainable.

I would certainly prefer the donation begging - chance of getting family and friends to use it with an upfront cost: 0.
How are you going to charge users $0.10? Micropayments is a huge unsolved problem.
Buy 50 invite codes for $5
Yes, let’s tie every user of this privacy-focused messaging platform to a credit card number.
> I donate to signal, and use it frequently. But I would much prefer for the app to simply charge users rather than beg for donations.

Hard disagree. If you charge, the number of people who will use it shrinks by several magnitudes, and then you lose your network effect, you lose the ability to get your less technically inclined friends to install it.

I would pay for a few signal features: 1. encrypted backups or backup integration of my chats, photos and videos. 2. business features (backup, directory integration, search)

I have not used: 1. voice and video

Incredible that SMS costs so much. I wonder if it's worth it because it _saves_ so much in spam and other sorts of fraud or bad behavior?

I have some good news: go into the settings and turn on encrypted backups. The clients also all come with a search function, even if it only matches against start-of-word (which includes URLs, so you can't search for domain names which regularly bothers me).

Directory integration, as in, importing a vcard with everyone's phone number into your device such that you can tap on anyone's name and message them on Signal if they've got Signal installed?

The backup option is Android-only.
O.o TIL. That's weird, apple users already have plenty of lock-in and own-data-inaccessibility, but so maybe they figured they clearly don't care? Weird as heck either way

Then what I can recommend is installing the desktop client on a server somewhere and reading its sqlite-like (but with some flaky encryption extension) messages database

>: go into the settings and turn on encrypted backups.

Fair warning: It will...bloat. It usually keeps 3-4 copies of most recent backups in the folders you select and if you send a lot of photos, imagine it eating tens of gigabytes of storage just for backup.

(My current backups are 9.75 gigs each, approx 3 of them)

I'd prefer a federated solution, but XMPP doesn't yet have decent support for group chat that doesn't depend on being connected. https://xmpp.org/extensions/attic/xep-0369-0.1.html is still experimental.

Bravo to Signal for being easy enough for my family to use!

What about Matrix?
I've tried a few times. It always felt... clunky?

I tried Element. UI felt slow, I was unable to find notifications in scrollback. Clicking the notification button would take me to random messages.

I remembered another issue with Matrix.

Signal and XMPP (via Quickly) have a simple phone number based signup workflow that my family have grown used to.

My family are not happy on having to remember/use passwords/keys. That's a shame, but is ultimately a constraint I have to deal with when persuading them to install/use an IM app.

Replying to myself... looks like some Matrix homeservers support OpenID-style login. That's probably fine for family.
Fwiw, I've seen users suggest hybrid approaches. Interestingly it could reduce some of the costs they list here and looks like a route one could take to slowly build towards a fully or hybrid federated system instead of jumping straight there. But I am unsure how much the community likes the idea and judging by that last post it doesn't seem like the mods do. But this one takes note as two users were willing to place a bounty on the feature request

https://community.signalusers.org/t/signal-airdrop/37402

Matrix fixes that issue (and also the issue of the server your group chat is hosted on disappearing). It has plenty of other issues, of course.
Signal is one of the non-profits I happily donate to. Myself, my family, and my friends use it almost exclusively.
Seriously consider setting up a recurring donation if you prefer Signal. They have delivered consistently over the years. I set the $20/month back when they introduced the option.

I'm curious what the breakdown of donations is. I only have 1 contact with a $10/month and 1 with a $5/month badge. Of course there could be others not displaying the badge. Signal really needs 500,000 people giving $20/month and plus the rich guys giving some millions on top of that to be in a safe financial position.

Maybe something that could be done to encourage donations is have the client estimate how much raw infra costs your usage created and display in the donation screen.

I fail to understand the point of supporting an organization that is completely against self-sovereignty like Signal is. Why would I want to pay someone to develop something that traps me into their platform and does not offer a way out?
Not completely ? Their server seems to be open source too now (with the exception of the spam filter) ?
Can I operate my own Signal server and talk with people on the "main" one?
You're moving the goal post from "self-sovereignty" to supports federation with an infinite number of servers. Nothing is stopping you from compiling your own Signal server and modifying a Signal client to use your server.

Given that Signal is free as a service, supporting federation only increases their expenses.

Without federation, Signal is still working with the advantage of network effects. So an open source server is not enough of a way out.

Element can do it for their Matrix servers. Process.one can do it for ejabberd. Prosody as well. Why can't Signal?

Back to your original point: please don't support an organization that doesn't share important values of yours! That is absolutely your choice!

You've named several products that share your values. Perhaps those would be a better fit if you were to donate.

Because centralisation provides ecosystem agility, which they absolutely value as an upside. Find a way of doing post-quantum secure key exchange? Just roll it out to the server and all the clients essentially overnight.

They've talked about this, a lot.

I'm well aware of their justifications. I'm also aware that centralization brings systemic risks, which they don't talk about.

The internet would be a lot more efficient and able to evolve if we just had it controlled by one single entity like Google or Microsoft. Do you think is a good idea to do that?

The economy would be a lot more efficient and allocation of resources could be a lot more fair if we could put it all in the hands of one single corporation or government. Do you think it's a good idea to do that?

Agricultural output would improve significantly if all crops used the exact same genetic strain and if all soil was artificially managed. Do you think it's a good idea to do that?

In case you are wondering, "ability to quickly roll out post-quantum key exchange" is waaaaay down the list of my worries compared to "facing a catastrophic Black Swan affecting all of the world's communications".

Signal is so far from being a monopoly that runs "all the world's communications" that these comparisons are essentially meaningless.

There's plenty of diversity in the messaging space. Decide your values, choose your compromises, pick your platform. Simple.

Some people avoid platforms out of principle. Look up «protocols, not platforms» if you have never heard of it.
(comment deleted)
Federation can only make security worse and I do not want it. You can have something else.
Genuine question: Does Tor fall under the definition of federation? Either way, a Tor-like model would have security benefits over a centralized system like Signal, right?
Tor is distributed, not federated. And it has drawbacks, like high latency and a lack of a centralized system for human-friendly names (because that would mean a system like DNS, which is centralized). As far as security goes, there's probably little benefit. E2EE doesn't get more secure because there's more encryption.

The most comparable system to Tor that has practical properties I can think of is maybe ipfs, but nobody will store your encrypted chat blobs for you out of the goodness of their hearts. Ipfs also tends to have high latency. A slow system of uncooperative nodes isn't what you want your messaging app built on.

A federated messaging system looks a lot more like Matrix. The obvious problems are that splitting users up over multiple nodes mean encrypted data doesn't live on your instance, it lives everywhere the people are you chat with. Another problem is what you see with bsky, where identifiers come with a domain name (like an email).

IRC is also federated (sort of), and there's a long list of tired, age-old problems. The most common one is simple: different servers have different features, so you can't reliably "just use it" like you can with Signal.

Because code is law, centralized systems that grow bigger than the polity they started in are inherently problematic. See Facebook in Burma/Myanmar as one recent infamous example.
Some centralized systems. But I don't think there's any evidence to suggest that's universally true. Nor is the implication that non-centralized systems don't suffer from similar problems, or other problems which result in substantially bigger drawbacks.
I'm willing to entertain the idea, what would be a counter-example ?

Old enough that the «honemyoon» period is over, say... a decade ?

Security is extremely important, but it is not the only concern one should have when considering the design of a global communications infrastructure.

I worry a lot more about not having one single actor responsible in dealing for the communication of millions of people than about "quantum-resistant encryption".

> I worry a lot more about not having one single actor responsible in dealing for the communication of millions of people than about "quantum-resistant encryption

I'm glad you worry about this. Me and other people have other priorities.

You're putting an awful lot of effort into projecting your values onto other people, which is a bit weird.

> Me and other people have other priorities.

Did you watch "The Big Short"? You are sounding like one of those jocks-turned-real-estate agents that are bragging about how easy it is to make money and thinking the analysts were idiots.

> You're putting an awful lot of effort into projecting your values onto other people.

We live in a world where people are bullied for not using iPhones and showing up with different bubble colors on the chat apps and family members will refuse to call you on the phone and only accept you if you use WhatsApp.

All I am saying is "please let's not collectively put ourselves in the hands of any single entity". Are you sure I'm the one projecting values, here?

> Did you watch "The Big Short"? You are sounding like one of those jocks-turned-real-estate agents that are bragging about how easy it is to make money and thinking the analysts were idiots.

I've literally no idea what this means. Who thinks who's an idiot in this analogy?

> All I am saying is "please let's not collectively put ourselves in the hands of any single entity". Are you sure I'm the one projecting values, here?

I don't care what messaging platform you use. You appear to deeply care what other people use, and therefore what should be important to them. Yes, I'm pretty sure.

Given how many activists have used it in overthrowing dictatorial governments, self-sovereignty seems an odd choice of words to claim it doesn’t support.
Perhaps it was a bad choice of words. What I mean is that they say "you don't need to trust us", yet they require you to run through them. They refuse to build their system in a decentralized way, and the more that time goes by the more the decentralized alternatives are showing they are as secure as Signal without forcing us to accept their restrictions like mandatory use of phone numbers for authentication.
> "you don't need to trust us"

you literally don't. It's a fully encrypted service. The literal purpose of encryption is to move data securely through insecure or even adversarial channels. Which you can verify, it's audited and open source.

They refuse to build the app in a decentralized way because decentralization is an ideological obsession that is useless in this context, and because centralized organizations can actually ship polished software that works for normal people and move quickly.

Centralized supply chain, and metadata protection is anchored on SGX.

They can use their pick of SGX exploits to undermine the weak metadata protections and they (or apple/google) could, if pressured, ship tweaked versions of their centrally compiled apps to select targets that use "42" as the random number generator. No one would be the wiser.

Signal is a money pit with a pile of single points of failure for no reason.

Matrix is already proving federated end to end encryption can scale, particularly when users are free to pay for hosting their own servers as they like, which can also generate income.

> They can use their pick of SGX exploits to undermine the weak metadata protections and they (or apple/google) could, if pressured, ship tweaked versions of their centrally compiled apps to select targets that use "42" as the random number generator. No one would be the wiser.

Signal builds on Android have been reproducible for over seven years now. That's not to mention the myriad of other ways that people could detect this particular attack even without build reproducibility.

Who is reproducing these and publishing results?

Moxie made it very clear he never wants third parties like f-droid -actually- reproducing and signing packages for distribution to de-googled signature-enforcing android distros etc. Providing side-loadable apks as an alternative a joke.

Third party builds and distribution would serve as public canary and be better for privacy forbidden. He argued the tracking advantages of centralized development and distribution outweighed any wins of allowing third party clients.

In reality a build published with a breaking change and a subtle crypto backdoor omitted from public sources may not be discovered for days or longer. Long enough to decrypt most every convo on the planet.

What’s your solution to this?
Something built like any other internet protocol with staying power.

A federated network with multiple strong client and server implementations that are able to be built, reproduced, and distributed by multiple independent parties. Like Matrix.

Matrix is far from perfect yet but it is miles beyond Signal in being a sustainable solution that can survive any single point of failure.

You can trust Signal all you want for data security. It doesn’t help you when they run out of money and shut down and all your messaging is gone.
> can actually ship polished software that works for normal people and move quickly

They can ship it, because they got a fuckton of money. But apparently they can not maintain it, because now they are crying about how expensive it is to run it.

Signal is acting like a sprint runner who signed up for a Marathon and wants to be carried out to the finish line after showing how much faster he was in the first mile. That's what I think is dishonest here.

> Given how many activists have used it in overthrowing dictatorial governments

How many? There's some news about it being recommended for use by BLM protesters, and about it being blocked in China, Iran, etc. Where is this info about it being used in "overthrowing dictatorial governments"?

Just don't use it, don't generate cost for them, don't be trapped by them. Everyone wins.
The 50 million using them all lose because they are locked into a monopolistic platform.
they can communicate to anyone with WhatsApp, SMS, iMessage.... This is a closed system, not a monopoly.
Nobody is locked into Signal. It's free to use, and free to leave.
That’s not how platform lock-in works.
You can export to markdown apparently. Who's locked in? It might be a pain to import that into any other app but I don't think any messaging app is going to make that easy. You still have all your data if you want to bail
> pain

That's how lock ins manifest themselves

Sure. But honestly, what are you hoping for, and does any app provide it? Honest question.

I'd prefer a JSON dump but something's better than nothing.

Yeah this is the one thing I have against signal and why I always advise against it. Their stance against third party clients and federation.
Great, you go ahead and get all your friends in family using Matrix. I'll join you there when all that is sorted out and it's practical to get my lawyers and doctors and accountants and friends and family onboard. Until then, we'll keep using Signal.
First, you talk like Signal never had any issue with usability or functionality, which is far from the truth. Signal amount of bugs and security issues with their client is notorious, and the insistence of requiring phone numbers is just a silly "let them have cake approach" that is conveniently ignored for too long.

Second, are you hedging your bets and supporting Matrix or XMPP as well, or will you only encourage people to "donate" to the platform that you happen to have picked already?

Yes, I am encouraging people to donate to Signal because I prefer it. Why would I be soliciting donations for something I don't favor? If you want to contribute to something else go right ahead, but this is a thread about Signal's financial needs so it shouldn't surprise you that Signal supporters encourage other supporters to donate.

I also use Matrix. Element has been pretty good for a few years now, but it's still not smooth enough for mainstream use. (Encryption state in chats gets messed up sometimes, for example. It feels like Signal 10 years ago, and it's had security issues in its client also)

The Matrix protocol is also inferior to Signal in that all metadata is stored in cleartext on the server. You get to choose or run a server, but the protocol still leaks the user info to whoever runs the home server and to any foreign server that has a user in the same channel if you are using it in a federated context. Signal manages all of this by peer to peer messages where cleartext is only available to clients, which is really slick.

XMPP is just dead. Forget about XMPP. Matrix is the clear leader in the federated messaging system category. I'd like to see Matrix displace things like Telegram, Discord, and Slack. I may donate to Matrix affiliated projects in the future, as I also donate to other open source projects from time to time, but I'm not going to promote any of those things in this thread.

> Why would I be soliciting donations for something I don't favor?

Because you are (consciously or not) creating a self-fulfilling prophecy for one champion over the others. Worse still, you are asking everyone else to devote resources to your preferred champion when we have no reason to believe that this is long-term sustainable.

> The Matrix protocol is also inferior to Signal in that all metadata is stored in cleartext on the server.

As I said in another thread: I honestly care less about the security guarantees from one protocol over the other than I care about the fact that pushing for Signal would mean that everyone's communication would be tied to one single provider. This is a systemic risk that no amount of "you don't need to trust us, you just need to trust math" can ever mitigate.

I don't care about your preferences. I'm consciously using and giving money to Signal, and I'm encouraging others to do so. Go ahead and work on or use or donate to whatever you like.
You sidestepped the whole point about systemic risk and tried to argue based on my "preferences". My friend, that's as cheap a copout as it gets.

Sorry to break it to you, but if it was only a matter of preference, I would've been fine with Signal or even WhatsApp.

bro, you're working for one of chat programs, yes? never heard of communick before. won't ever use it. if people ask me about it, i will show them how a person related to communick behaves in public.
You are creating an ad-hominem by thinking that I can not criticize Signal because I have a competing offer. And to add insult to injury, you seem to have a misconception of what Communick is.

Communick is not "a chat program". Communick is a service provider, which promotes and works only with truly open protocols. There is no custom client or lock-in based feature that I have. This means that if you are my customer and you want to move out you are absolutely free to get your things and move to a different place instantly.

yes, it's an ad hominem. people need to know who are you and what incentives behind them. if you're from a competing provider, other will need to take that into account.

also, if you want to peddle your stuff, make your own announcements or something.

I'm somewhat flattered that you think Communick is a "competing provider" to Signal. Or anything, really. Maybe I will add that to the "testimonials" section of the website along with other nice things I get to hear from my 8 customers.

Whether Communick exists or not, even if I close it down next week (because if we are being honest it is nothing but a money pit which I keep running out of spite and stubbornness, and unlike Signal I'm not panhandling for donations) my criticism of centralized messaging platforms would still stand: whether it's Signal, or WhatsApp, or FaceTime or Telegram... we should not be supporting any platform that centralizes all communications in one single place, no matter how "well intentioned" or even how "provably secure" it is.

20/month for every chat service I use is very steep. I'd be spending more on chat services than on mobile data + unlimited calling + landline + DSL + streaming services combined!

They actual costs are apparently about 1 USD per year per user. I usually at least double (usually more) my incurred cost when the donation is optional, to cover for those who can't or won't pay, but paying 240× the cost price seems wasteful as well when there are other nonprofits that can do more good with every dollar you give them (be it solving poverty, climate change, whatever you find valuable) rather than one which has mostly fixed fees

how many chat services do you use? and how many are making money off of you in other ways?
not who you replied to, but:

- signal for family and some techy friends

- whatsapp cuz some friends dont really get signal

- imessage cuz some friends dont get whatsapp nor signal

- viber cuz family across seas and that's whats popular there

- slack with some friends cuz it's nice to have focused discussions in channels

- discord cuz its better for gaming

- ig messaging cuz i stay in touch with less close acquaintances and some friends that way, comment on their stories and chat about whats going on in the moment

There's also Wire, IRC, Telegram, and Threema. SMS I also have a subscription on, but that feels different so I didn't include that in my count, and Keybase I haven't used in a while now but that might also be part of the list for some people
I'm not suggesting every chat service get donations. I'm only giving to Signal, the rest of the chat services I have to use get 0.

I'm donating more than my costs deliberately because I fully understand that most users are not going to contribute money, full stop. I need those users though, because they are the people I want to privately communicate with. So the obvious thing to do is pay for as many other users as I can. If there's 50M monthly active users, and if 1% of them are like me and highly value Signal, then each of us 1% users can pay $20/month and cover the entire operation. Then the contributions of the super rich donors can be saved to rebuild the war chest.

$20/month is nothing to me considering the value I get. I understand that most won't feel that way, which is why I'm only appealing to those who do feel as I do to just get that recurring donation going now.

Same. I have been doing the recurring payment since they offered it. Even though I'm effectively only using it with my partner. But that is every day

It feels good supporting something worthwhile.

Did I read that right $19m people cost for 50 people.
It's crazy, 400,000k per person. It would feel like nothing but an unfair waste of my "cheap-country" money to fuel "overpriced-county" with a donation.
But that's not salary, that's the total cost per employee. So if you factor in ~40% cost for healthcare, pension, perks, and various taxes, then the average salary is closer to $240,000 which will still a bit high, is probably less than market for the average engineer working at the company.
Per the 990, which is just salary, multiple employees at Signal are getting paid over $650k. That's way above market for the nonprofit sector for comparable positions.
From page 2 of Schedule J (at the bottom) they break out the components of the compensation, showing that most of those numbers incorporate a base salary that looks fairly normal with 2-600k of bonus & incentive comp on top.

In curious Googling to see if there was an explanation for how their structure works, I stumbled on this interesting Glassdoor review:

> The bonus structure promised up to a 100% match with salary, but in practice the system was set up so that nobody got more than 50%, if that. Had I understood this I probably would have taken a competing offer that ultimately would have had much higher comp.

> The quarterly cliff on the bonus system, where a feature failing to ship within the quarter specified (even if just by a single day) was counted as if you hadn't done it at all. This led to death marches each quarter as everyone scrambled to try to finish unrealistic goals. It wasn't possible to get help from anyone else at these times since of course they too had the same problem.

> Nominally, the quarterly goals were set in a collaborative process. In practice it was a 2 day full day meeting where we were told what Moxie had decided we were going to do - our input wasn't really considered at all, including if it was even viable to complete in a quarter. I'm fine with top down control, that's how most corps work, but I disliked the false patina that this was some democratic process.

> Internal communications are a disaster, because Signal uses Signal for everything, including things Signal isn't at all designed for or good at. Bug tracking is literally done in a giant group chat. I have a newfound appreciation for JIRA.

https://www.glassdoor.com/Reviews/Signal-Messenger-Reviews-E...

After a few hours of reaching out to people about this, the Signal salaries appear to be grossly inflated not only compared to other non-profits, but to what engineers working on iMessage and Meta Messenger make for the same or more difficult work (considering that both of these competitors many several times the users as Signal; Meta Messenger has over 1 billion users).
Even in central Europe $240000 would be way more than what an average engineer would cost. I'd estimate ~$150000 for well paid jobs there.
Would you actually want Signal to be cheaping out on the developers that are maintaining the cryptography software that protects millions of people?

Someone with that level of expertise is going to be expensive.