Signal: you were the chosen one!
2022-07-23, 23:20–23:50, Abacus 🧮

This is a rant about how moving ecosystems are not a good reason for centralizing a crucial service, how stickers are no substitute for a desktop client that does not crash, and how effectively shutting out less popular OS platforms is just not cool.

In his seminal work "The ecosystem is moving", Moxie Marlinspike laid out clearly the reasons why it's impossible to do what Matrix, or the Fediverse, or for that matter the Web, have done: create a dynamic, quickly-evolving ecosystem without centralizing it.

For years, as a person responsible for information security of at-risk reporters and their sources, I have been advocating Signal as a secure Internet messaging service. And with good reasons.

Criticizing a security-sensitive tool like Signal is tricky, as it might be misconstrued as a call to abandon it, and move to alternatives that might be in fact worse. But here, at a hacker conference and with little risk of causing confusion and diverting users towards less secure platforms, can we please have an honest conversation about Signal's problems? And how 5 years after that blogpost, moxie's centralization has not solved them?..

There are good reasons to exert a level of control over what connects to a communication network. But effectively shutting out a community of developers that would love to implement Signal clients for less popular OSes (many of which happen to attract the kind of infosec-aware crowd that used to be the core pushers of Signal) is not a good outcome.

Opening up more on the client side and providing some form of independent client development program (starting with a stable API) would already help a ton. Even if it's just the desktop client that gets re-written in something that is not in essence a packaged browser trailing it's upstream on security patches.

Finally, we need to talk federation. Does it make moving fast and breaking things more difficult? Yes, yes it does, and that can be a good thing. It also makes the resulting federated service more resilient (one service provider experiencing issues does not bring the whole network down). And, it lets others innovate without being locked out.

Information Security ISNIC, the .is DNS registry. Co-founder of the Technical Error Correction Collective. Tech, policy, and activism background. Previously Chief Information Security Officer / Head of INfrastructure at OCCRP.

Co-operated with a number of EU-based organisations working in the digital human rights area and participated in a bunch of Internet governance meetings. Main policy interests: information security, privacy in the digital age, Internet governance (including censorship, surveillance, Net Neutrality), copyright reform, digital media literacy.

This speaker also appears in: