sigh. There are a lot of posts going around right now claiming that #bluesky is feeding data to the various data sniffers that the US government uses for surveillance and that #Mastodon is not.

This. Is. Crap.

Anything you post on Mastodon is nearly as easy to vacuum up as things you post on BlueSky. You should treat *all* social media platforms larger than a Signal group of your college friends + Pete Hegseth as "assumed public." It's slightly more work to slurp up almost all of Mastodon but really not that much more.

@dave_andersen even @signalapp has to comply with #CloudAct.

  • And we can be very sure they did simply because it's a statistical inevitability by the sheer amount of users they have…

Only real #E2EE (= #SelfHosting-capable with #SelfCustody of all the keys) can be considered safe.

@kkarhan

isn't literally the entire point of Signal that they don't store any data on you and couldn't collect encryption keys even if they wanted to?

@dave_andersen @signalapp

@AVincentInSpace @kkarhan @signalapp Yes, basically. They know your phone number, when you created your account, and when you connect to Signal.

That may or may not be dangerous information to have potentially available to an adversary depending on your specific threat model, but for most folks, the strong message privacy (which is basically "you trust everyone you send data to, and you trust your and their devices not to be pwned") is probably sufficient. Not all. But most.

If you, e.g., connect to Signal from your personal phone from the White House when you're not supposed to have Signal or a personal phone, you could still be caught.

@dave_andersen @AVincentInSpace personally I consider any "#KYC" a risk-factor, and @signalapp has proven their ability and willingness to restrict functionality (i.e. their #Shitcoin-#Scam #MobileCoin) based off said #PhoneNumbers (Cuban, Russian and North Korean Numbers were excluded) which are in fact #PII (even if one doesn't have to #ID for obtaining a #SIM, they are circumstantial PII)...

  • They have neither "legitimate interest" nor legal mandate to collect said data (or to integrate a scammy Shitcoin for that matter) as the discontinuation of #ChatSecure / #TextSecure has eliminated the "technical necessity" to have those.

Either way they either have to yeet #Hegseth as client and/or stop collecting PII like PhoneNumbers - they gotta have to do something

#ITsec is a different story, but unlike #Signal these do not depend on a #PhoneNumber and work through @torproject / #Tor.

  • And I've been using Tor for almost 15 years daily now...