- cross-posted to:
- technology@lemmy.world
- cross-posted to:
- technology@lemmy.world
We estimate that by 2025, Signal will require approximately $50 million dollars a year to operate—and this is very lean compared to other popular messaging apps that don’t respect your privacy.
You must log in or # to comment.
deleted by creator
to do with a 1mb text file
God you must be like my wife and write fucking novels as text messages.
Lol I think they probably mean like an entire chat history (or page of one), but yeah that’s pretty big.
deleted by creator
It’s difficult to maintain privacy in a P2P environment. In naive implementations, your IP address will be visible to all the peers you connect to. This is the case in e.g. BitTorrent.
Signal has this issue with video/voice calls as well; by default they operate on a P2P basis for performance reasons, and they expose your IP address to the second party. Signal has an option in the settings to relay voice/video calls through their servers specifically to mitigate this.
There are some workarounds for anonymizing P2P, like routing through Tor or I2P. Tor, however, has known exploits and is probably not suitable if you need to hide your activity from advanced adversaries like world governments (e.g. political dissidents, journalists, etc.)
I2P sounds interesting but I’m not deeply familiar with it. I understand that I2P clients also act as relay nodes, which puts an additional bandwidth burden on users. I’m not sure if I2P is more resilient against government-level attacks than Tor. I’d be interested to hear from anyone who is more familiar with the protocol.
deleted by creator
If you’re using it for personal correspondence with people you know and trust, that’s probably fine. However, a secure and private communications platform should support more extreme use cases as well.
If you’re a journalist, for example, you might need to communicate with people you do not know or trust. You could realistically be talking to someone who wants to kill you, or who is being monitored by people who want to kill you, particularly if you are covering high-profile political issues or working with whistleblowers (or are yourself a whistleblower). Even revealing information as broad as what city you’re in (which would be revealed by your IP address) could be a risk to your physical safety.
Even though I do not personally face such high-level threats in my life, I feel better using services that allow for the possibility. Privacy is a habit, and who knows what tomorrow might bring?
A MitM sniffer would be able to see the source and destination IP addresses, not just the person you’re chatting with. Even if the data is encrypted, P2P is still vulnerable to a layer 3 attack.
Will the same apply if you’re in a lot of open group chats though?
deleted by creator
I‘m not an expert on this topic, so someone correct me if I’m wrong. Signal is only storing stuff temporarily to pass it on, so I’m assuming you’d have the exact same costs even if it weren’t centralized. Maybe even more as it’s probably cheaper to have it managed in one place. I’m assuming all this would do is distribute the cost, but otherwise be the same?
deleted by creator
XMPP maybe. Matrix is a bloated protocol which costs a lot more to host.
You’re not wrong. Federation would have higher costs but distributed over more people. Even with pure P2P a-la BitTorrent things might not be significantly cheaper because you’d likely still need to host authentication centrally or federally. You’d only eliminate the message bandwidth costs.
The thing is, we already have a way to distribute the costs - people subscribe to support Signal. Some pay more, others less. Whether I run a node that serves 100 people or subscribe for $10/month, it’s somewhat equivalent. So the practical takeaway should be - if you want for Signal to keep signalling - subscribe if you can afford it.
The difference is that there’s enough unused capacity on your personal device to handle all the traffic any typical user needs to handle in a day many times over, for simple messaging. Likely, that load is so little it won’t even affect your battery life.
Wouldn’t you still need a server in between to temporarily store the messages if the other person isn’t available?
deleted by creator
Wouldn’t that mean both have to have a connection at the same time? What if one is offline?
deleted by creator
You can also just hook up any old phone or computer, install the app, and let it run as the server.
If you have a static IP address, if you want to bother with securing and maintaining it, if you’re willing to deal with downtime when something inevitably breaks, if you’re willing to deal with lost data or also maintaining a backup solution, if… a dozen other things that most people don’t want to deal with.
Funnily enough their biggest expense (sending SMS during registration) is making the accounts less private.
I imagine not paying for it and being overloaded with spam bots would be more expensive (otherwise they wouldn’t be doing it this way!)
There are lots of reasons to want fewer spam bots and verified identities other than cost.
Privacy and anonymity are not the same thing.
Anonymity is a form of privacy. While for most people it’s not necessary to be anonymous to have privacy, it’s essential in some cases, like whistleblowers or people living under dictatorships (or even in some democracies where governments keeps trying to get their paws on all metadata).
They could save a lot on infrastructure costs if they decentralised their network and stopped using phone numbers as unique identifiers.
I’m all for decentralised networks, but they do have their flaws. I use Matrix every day, and there are a lot of times the keys need to be resent, messages don’t get sent or deleted on shaky internet, etc. Issues like this make it seem broken to normies. Signal Just Works™️
Absolutely, and I use Signal for a few things. It’s not a perfect solution, but it’s far better than most (looking at you, Facebook’s WhatsApp, with your previous Pegasus attack vector).
Signal Just Works™️
Until you drop your phone in the swimming pool, and every message/photo you’ve ever received is just… gone. Forever.
Sorry but I don’t buy any claim that Signal “just works”. It’s pretty clear they care about security more than anything else even when that means making decisions that are user hostile. And that’s fine - if you feel like you need that level of security I’m glad Signal exists. But it doesn’t really align with the general public and Signal is never going to be a mass market messaging service unless something changes (Signal or the general public).
What’s weird to me is an app that excludes itself from phone backups considers SMS a valid form of authentication when a user links a device to a phone number - especially when you can necessarily link a device to a number that is already tied to someone else’s device. Like how is that ever going to be secure? Spoiler: it’s not. It’d make a lot more sense to me if users simply crated a username and shared it with other people instead of a phone number… and if they forget their password… come up with new username.
Signal provides a backup option. The auto backup for SMS on android is provided by google and likely uses google drive. I don’t know for certain but I would guess the encryption options and security of that route would be impossible to guarantee and the public backlash of signal users knowing their data was being sent to Google’s servers would be massive.
I’ve setup my signal backups to a local folder on my phone. I then have SyncThing running on my phone and home computer so it automatically gets sent once it’s created.
You want SimpleX then. No number needed.
+1 for this. From my tests, SimpleX seems fast, reliable, secure, and private. I haven’t tried daily driving it, though.
Downside is minor bugs re inviting friends:
Gets confused by invites from Facebook (can’t automatically strip the trailing tracking code from the URL).
Fails scan of QR invite with your maybe camera app. Must scan from app.
deleted by creator
How?
Quote from the blog post:
Registration Fees
Signal incurs expenses when people download Signal and sign up for an account, or when they re-register on a new device. We use third-party services to send a registration code via SMS or voice call in order to verify that the person in possession of a given phone number actually intended to sign up for a Signal account. This is a critical step in helping to prevent spam accounts from signing up for the service and rendering it completely unusable—a non-trivial problem for any popular messaging app.
SMS verification is expensive.
Obviously, running the infrastructure to support the entire user base is also expensive. Decentralized protocols like Matrix sidestep this problem by allowing anyone to host their own infrastructure to use the network. Even if the largest Matrix server shuts down, the network will live on, and people can migrate to another server or host their own. This distributes the costs and allows for different business models to support those costs – commercial, non-profit, cooperative, whatever. Corporations can (and do) host their own Matrix servers for their employees, for instance. I wouldn’t be surprised to see universities do the same, like they frequently do with email.
There’s an IETF internet standard for federated messaging called XMPP. Just be compatible with the standard. It also allows for extensions if you offer more than the core spec.
There’s a few forks that have done it. You could also look to Matrix to see how they’ve done it.
November 9th, the verge: Signal tests usernames so you can avoid sharing your phone number
the phone number is still going to be required for making an account, you can just choose to not share it with others and give them your username instead.
Yes but you still need one and you still lose access to your account if you lose your number.
Is it just me or is $19 million per year for 50 full-time employees insane?
Even for US salary standards.
Not necessarily.
Signal has people who are experts in their field. They engineer solutions that don’t exist anywhere else in the market to ensure they have as little information on you as possible while keeping you secure [0]. This in turn means high compensation + benefits. You don’t want to be paying your key developers peanuts as that makes them liable to taking bribes from adversaries to “oops” a security vulnerability in the service. In addition, the higher compensation is a great way to mitigate losing talent to private organizations who can afford it.
[0] Signal has engineered the following technologies that all work to ensure your privacy and security:
At least the private contact discovery is not very private:
The client calculates the truncated SHA256 hash of each phone number in the device’s address book.
The client transmits those truncated hashes to the service.Phone numbers are so not-sparse that there even was a game to text your “number neighbor”. I can probably build a pretty effective rainbow table for this with my current hardware.
You’re right, but security and privacy is about layers, not always 100% effective mitigations, especially not when the mitigation is a function (contact discovery) that requires a private list (your contacts) be compared against another one. For anyone where this is an actual security risk, they don’t have to to share their contacts. They will not know which of their friends/family are on Signal, but they can still use the service.
This feature does protect users in that any legal court order for Signal to present who is friends with who (as almost every other messaging provider has actual access to your list of contacts) is not possible. They’ve been subpoenaed multiple times[0] and all they can show is when an account was created and the last day (not time) a client pinged their servers.
Lastly, I’m not sure if this is even a feature or not but it wouldn’t be too difficult to introduce rate-limiting to mitigate this issue even more. As an example, its very unlikely that most people have thousands (or even tens of thousands) of people in their contacts. Assuming we go just a step beyond the 99th percentile, you can effectively block anyone as soon as they start trying to crawl the entire phone number address space, preventing the issue you’re describing.
My guess: People who can be as competent with security as they need are very expensive.
Not at all. That’s $380K per person if everyone is making the same. Engineers with a few years of experience at Meta make $400K+.
Don’t forget the employer taxes, insurance, recruitment costs and so on. It wouldn’t surprise me if the employees are earning on average half that.
Exactly.
For the current distribution I quote from the linked source :
Current Infrastructure Costs (as of November 2023): Approximately $14 million dollars per year.
- Storage: $1.3 million dollars per year.
- Servers: $2.9 million dollars per year.
- Registration Fees: $6 million dollars per year.
- Total Bandwidth: $2.8 million dollars per year.
- Additional Services: $700,000 dollars per year.
Yes, but I was talking about the salary part, which is separate from the costs you mentioned.
It’s 19 million just for people.
Yhea no worries, I was just trying to get all the budgets together. I agree it seems quite an high budget
Also from the source:
To sustain our ongoing development efforts, about half of Signal’s overall operating budget goes towards recruiting, compensating, and retaining the people who build and care for Signal. When benefits, HR services, taxes, recruiting, and salaries are included, this translates to around $19 million dollars per year.
Role of thumb is an employee costs roughly twice their base salary, as the employee still needs to cover insurance, taxes, sick time, and other benefits.
That leaves an average salary of 190K for the 50 employees. That isn’t much for tech.
Would be interesting to see how this compares to XMPP or Matrix. Obviously the development costs something for each of those, but the hosting costs are spread out across each of those hosting an instance.
Forgive the ignorance but does xmpp have the same features as signal, particularly around e2e encryption?
It’s possible to implement XMPP with E2E encryption, there are at least 2 ways to do it.
But of course it only works if both users use a client and server that support it.
Worth mentioning that most modern clients support omemo at this stage.
They should do a charity stream event or something. Do Q&A stuff, get interest of more people, and raise money?
Are decentralised apps like element much less expensive ?
The costs are distributed as there is not one single instance. Just like with Lemmy.
Although there is one huge instance on matrix (matrix.org), a bit like lemmy.ml here. But it doesn’t have to be like that, they can close signups or discourage them similar to the way lemmy.ml is doing that now.
The load distributes across more shoulders automatically.
If you only host a server for yourself and 10 friends it costs next to nothing, if you have a big operation it can get just as expensive, it depends on what you are willing to do.
With centralized systems there is no choice but for the one centralized host to host everything.
Then is it better to use element over signal as decentralised apps may be more sustainable for long term use ?
Element has the same costs as Signal. So far, Element has been lucky in being able to raise money by selling support contracts to governments or companies using Matrix, but even that isn’t enough, which is why Element has been raising money for the Matrix Foundation for almost a year now (with little success).
No but they do have commercial clients, even some government departments.
They’re also trying to sell Element One directly to end users which involved a few bridges like connection to whatsapp, signal and telegram. Not a bad deal for 5 bucks a month IMO, though I run mine myself because I want to.
There’s also beeper which sells a service with (a lot) more bridges than Element One but costs twice the price. Their company sponsors most of the bridge development as they employ the main bridge developer.
SimpleX Chat
Indeed. Same tech as Signal (minus the new quantum insurance thing) but without needing a phone number. Unfortunately it is buggy re invitations.
