I would like to open a discussion, one that is very important for any privacy-minded individual: how to communicate securely and privately using a messaging app, and specifically a review of the messenger below.
I do understand that on Privacytools there is a list of messaging apps to choose from, depending upon whether you want a decentralized, P2P or centralized messenger. However, doing my own research on the matter, I have come to the conclusion, one that is also shared by Securechatguide, that Signal, the recommendation on Privacytools, suffers from certain weaknesses and vulnerabilities (https://securechatguide.org/centralizedapps.html#signal), the main one of which is that it requires a phone number to use. Edward Snowden may endorse Signal, but the fact that an agency like the NSA could go to Signal HQ, which is located in the good ol' US of A, with your phone number and demand access to any and all data they have on you is disquieting, at least for me. But the biggest gripe is that a phone number requires the registration of a SIM with a telco, and that is a big red flag for a supposed privacy messenger. According to Securechatguide, Signal has access to:
- The phone number used for your registration.
- SHA-2 Hashes of your contacts’ telephone numbers to check for a match. OWS claims to delete this as soon as it is no longer needed.
What Signal claims to keep:
- The day you first joined the service.
- The last day you used it.
- People must know your phone number. It is possible to register a burner number or a VOIP number, but this is an advanced-use case.
Alternatives to Signal are few; Keybase is mentioned. However, not on the list is a new messenger that has received widespread acclaim from the hacker community. It is open source, encrypted, and available for Android and iOS. The name is BCM Messenger: https://bcm.social/index.html
According to their website, "BCM's encryption method is one of the most secure encryption methods known in the world. The private (one-to-one) chat process uses the X3DH based on the elliptic curve Curve25519 for key exchange, and implements the Double Ratchet process to ensure that the encryption key of each chat message is different. The chat contents are encrypted by AES-256 symmetric encryption algorithm." Also, "BCM chat messages pass through the forwarding node (either a user PC node on the P2P network or an officially deployed server). Because the contents are end-to-end encrypted, the forwarding node is only responsible for forwarding the data message and cannot decrypt the forwarded chat content."
I would request that this messenger be investigated by the community to substantiate its claims and, if they are proven valid, that it be included in the recommendation list on Privacytools.
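The quoted description claims that the Double Ratchet makes the encryption key of every chat message different. As an added example, not code from BCM, Signal or the original post, the following Python (standard library only) implements the part of the Double Ratchet that gives that property: the symmetric-key ratchet, a KDF chain in which each message consumes one HMAC step. Assumptions: the X3DH handshake, the Curve25519 DH ratchet and the AES-256 message encryption mentioned in the quote are not implemented here, so the starting chain key is a constructed demo constant standing in for the X3DH output; the HMAC constants 0x01/0x02 follow the construction the Double Ratchet specification suggests; the class and function names (`kdf_ck`, `SendingChain`, `ReceivingChain`, `demo`) are my own.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed demo value. In the real protocol the first chain key comes out of the
# X3DH handshake and later DH ratchet steps (X25519), which this example does not do.
DEMO_CHAIN_KEY = hashlib.sha256(b"constructed demo secret, not a real X3DH output").digest()


def kdf_ck(chain_key: bytes) -> Tuple[bytes, bytes]:
    """One step of the symmetric-key ratchet (KDF_CK in the Double Ratchet spec).

    Returns (next_chain_key, message_key). HMAC-SHA256 keyed with the chain key and
    fed distinct one-byte constants (0x01 for the message key, 0x02 for the next
    chain key) is the construction the spec suggests. HMAC is one-way, so holding a
    later chain key does not reveal this message key or any earlier one.
    """
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


class SendingChain:
    """Sender side: every message consumes one ratchet step and gets a fresh key."""

    def __init__(self, chain_key: bytes) -> None:
        self.chain_key = chain_key
        self.counter = 0  # message number N, sent in the unencrypted header

    def next_message_key(self) -> Tuple[int, bytes]:
        self.chain_key, message_key = kdf_ck(self.chain_key)
        n = self.counter
        self.counter += 1
        return n, message_key


class ReceivingChain:
    """Receiver side: advances the same chain, caching keys for messages that arrive late."""

    def __init__(self, chain_key: bytes) -> None:
        self.chain_key = chain_key
        self.counter = 0
        self.skipped: Dict[int, bytes] = {}

    def message_key_for(self, n: int) -> bytes:
        if n in self.skipped:
            return self.skipped.pop(n)  # delete after use: the key must not outlive the message
        if n < self.counter:
            raise ValueError(f"message {n} already consumed: replay or duplicate")
        while self.counter < n:  # not-yet-seen messages: derive and store their keys
            self.chain_key, mk = kdf_ck(self.chain_key)
            self.skipped[self.counter] = mk
            self.counter += 1
        self.chain_key, mk = kdf_ck(self.chain_key)
        self.counter += 1
        return mk


def demo() -> Dict[str, bool]:
    alice = SendingChain(DEMO_CHAIN_KEY)
    bob = ReceivingChain(DEMO_CHAIN_KEY)

    sent: List[Tuple[int, bytes]] = [alice.next_message_key() for _ in range(4)]
    # Deliver out of order (0, 2, 3, then 1): Bob must still derive the right keys.
    received = {n: bob.message_key_for(n) for n in (0, 2, 3, 1)}

    # Attacker model: Bob's current chain key leaks after message 3. Ratcheting forward
    # from it yields keys that match none of the four message keys already used.
    leaked = bob.chain_key
    future: List[bytes] = []
    for _ in range(8):
        leaked, mk = kdf_ck(leaked)
        future.append(mk)
    used = {mk for _, mk in sent}

    try:
        bob.message_key_for(1)
        replay_rejected = False
    except ValueError:
        replay_rejected = True

    return {
        "all_message_keys_distinct": len(used) == len(sent),
        "receiver_matches_sender": all(received[n] == mk for n, mk in sent),
        "skipped_keys_cleared": bob.skipped == {},
        "leaked_chain_key_reveals_no_old_key": used.isdisjoint(future),
        "replay_rejected": replay_rejected,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The point worth noticing is the last two checks: a chain key captured from a device only yields keys for messages not yet sent, and a message number that was already consumed is refused, which is the forward-secrecy and anti-replay behaviour the "different key per message" claim rests on. Whether BCM actually implements this correctly is exactly what a community review would need to verify against its source code.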