Why I still trust Signal and Tor

Messaging app Signal has gained massive popularity over the past couple of weeks. This is mostly a result of a mass exodus from Facebook-owned WhatsApp, which announced dangerous changes to its data-sharing policy. (WhatsApp has since moved the date for those changes back a few months.) Signal’s servers have had some downtime, and the company seems to have resolved the issue by adding new capacity. Along with the renewed popularity of Signal come naysayers and conspiracy theorists questioning the origins and security of the app and others like Tor. In response to a number of questions I’ve gotten, I’ll explain here why I trust Signal and Tor.

Looking for more info about Signal? Check out Tech for the People’s past coverage: “Tech for the People Guide to Securing Signal” and “Signal Downloads See Huge Increase During Protests: Keep it up!”

Signal

The primary “concern” about Signal comes back to money. Open Whisper Systems, which was responsible for Signal at the time, received some money from the Open Technology Fund, which was part of Radio Free Asia. RFA is a propaganda arm of the US government.

The Signal Messenger company is an LLC that is entirely funded by the Signal Foundation, a 501(c)(3) nonprofit. You can donate to it here if you’d like. The initial money for the Signal Foundation came from WhatsApp founder Brian Acton, who sold that company to Facebook and then left it in a dispute over monetizing the chat service. Acton has provided at least $100 million in funding to the Signal Foundation through a 0% unsecured loan that is due to be “repaid” in 2068.

Answering the challenges

Assuming Signal is compromised based on earlier funding from the OTF ignores two facts: first, that the US government itself is interested in secure messaging; second, that the Signal code itself is open for anyone to look at.

As the world’s most advanced grouping of intelligence agencies, the three-letter agencies (CIA, FBI, NSA, NRO, ONI and so on) of course have a desire to communicate securely among themselves and with others. We’ll actually cover this more in the Tor section.

Finally, the Signal source code is publicly available. Anyone can go look at it. It might not make a lot of sense for people who aren’t cryptographers, but regular professional and informal audits of the protocol and application have taken place for years. Sometimes they’ve found minor issues with the applications themselves, which have been fixed.

Critically, the Signal protocol is different from the Signal app. The protocol can be implemented by any app, and in fact has been by Facebook and others. It’s a guide for how the actual messages are secured and transferred. An extensive 2019 audit concluded: “our analysis proves that several standard security properties are satisfied by the protocol, and we have found no major flaws in its design, which is very encouraging.”

Tor

Tor is first and foremost an anonymity network allowing people to browse the web and use other Internet services while avoiding detection. You’ve most likely heard of it in the context of the Tor Browser Bundle, a web browser that uses the Tor network.

A future Tech for the People article will get into more detail on using Tor.

Again, money is the primary criticism brought up, not the actual technology itself. The underlying technology was developed by the US Naval Research Laboratory and funded by DARPA and the Office of Naval Research. The Tor Project is a non-profit that maintains the software for the network.

In 2020, The Tor Project launched the Tor Project Membership Program to raise funds from large donors, starting at $10,000/year. The project also accepts donations of any size.

As with Signal, this ignores the fact that the government wants secure communications networks of its own that can’t be broken. The Tor Project is open about its origins and its mission is focused on advancing “human rights and freedoms by creating and deploying free and open source anonymity and privacy technologies, supporting their unrestricted availability and use, and furthering their scientific and popular understanding.”

And again, the source code is available for all who want to look at it.

Final notes

Some people might respond with concerns about supply-chain attacks, malicious builds, server compromises or other opportunities for weakening these services. These are valid concerns, but this article is not about those things, which could apply to any program. It counters the two prevailing conspiracy theories against very useful applications that are growing in popularity.

In summary: The criticisms of both Signal and Tor come from a paranoid, conspiracy theorist mindset that ignores the realities of what governments and corporations alike need for themselves. These tools are not promoted just to avoid censorship by the US government or the Trump administration. They have much wider applicability for everyone.

I trust Signal and Tor until given reason otherwise.