On November 16th, Meredith Whittaker, President of Signal, published a detailed breakdown of the popular encrypted messaging app’s running costs for the very first time. The unprecedented disclosure’s motivation was simple - the platform is rapidly running out of money, and in dire need of donations to stay afloat. Unmentioned by Whittaker, this budget shortfall results in large part due to the US intelligence community, which lavishly financed Signal’s creation and maintenance over several years, severing its support for the app.

Never acknowledged in any serious way by the mainstream media, Signal’s origins as a US government asset are a matter of extensive public record, even if the scope and scale of the funding provided has until now been secret. The app, brainchild of shadowy tech guru ‘Moxie Marlinspike’ (real name Matthew Rosenfeld), was launched in 2013 by his now-defunct Open Whisper Systems (OWS). The company never published financial statements or disclosed the identities of its funders at any point during its operation.

Sums involved in developing, launching and running a messaging app used by countless people globally were nonetheless surely significant. The newly-published financial records indicate Signal’s operating costs for 2023 alone are $40 million, and projected to rise to $50 million by 2025. Rosenfeld boasted in 2018 that OWS “never [took] VC funding or sought investment” at any point, although mysteriously failed to mention millions were provided by Open Technology Fund (OTF).

OTF was launched in 2012 as a pilot program of Radio Free Asia (RFA), an asset of US Agency for Global Media (USAGM), which is funded by US Congress to the tune of over $1 billion annually. In August 2018, its then-CEO openly acknowledged the Agency’s “global priorities…reflect US national security and public diplomacy interests.”

[Article continues…]

Archive links:

    • Arthur Besse
      link
      fedilink
      111 months ago

      it sounds like you’re formulating a conspiracy that implicates Signal themselves, claiming you believe they are being technically correct.

      No, again, I think Signal employees sincerely believe that nobody is logging Signal metadata.

      If I’m misreading your argument, please correct me. But there is a fine line between Just Asking Questions to promote a conspiracy theory, and just asking questions authentically, and it’s often hard to tell the difference.

      There isn’t anything theoretical in what I’m saying, except for the implication that Signal’s financial backing might be related to its surveillance-friendly architecture.

      You can use words like “conspiracy” to dismiss the point, but tell me: if you’re completely confident that the adversaries you want to protect against are unable to compromise the server infrastructure, why would you need e2e encryption at all?

      Because I’m not 100% confident, like most people under a broad range of reasonable threat models.

      Good answer. So, when analyzing the security properties of thing that purports to protect against a compromised server, shouldn’t we logically consider the case that the server is compromised? And how does Sealed Sender fare in that case? Do you not see how it is performative cryptography?

      Precisely. I think the design is good, but it’s a single entity controlling basically all the servers, which means that not only can they effectively be considered a single server, but using your argument they can effectively be assumed to be collecting the exact same metadata

      Why do you think the default configured servers are “basically all the servers”? The way SimpleX works, if you’re using one of the default servers, and I am not, and we add each other as contacts, you probably wouldn’t even notice. And then we’d be each sending and receiving to eachother using servers operated by different entities. But again, even if we are both using the same default server, this is not “the exact same metadata” as Signal because there are no phone numbers involved.