> Good, so Open Whisper Systems has no metadata. Do any third parties retain metadata about Signal messages?
I'll try to answer to the best of my knowledge (I'm not associated with the project, I'm just a happy customer).
Does your ISP know that you are communicating with Signal servers? Yes, IP addresses.
Does it know to whom you are sending messages? No.
Does Google know you are using Signal? Yes.
Does it know which of your contacts use Signal? Yes, because they have a full list of your contacts and they know if someone has installed Signal.
Does Google know you've sent a message? No.
Does Google know that you are receiving a message? Sometimes, because Signal servers ping your device via GCM with "wake up".
Does Google know who from your contact list sent this message? No, unless you have only one contact who uses Signal.
Can Google infer from pings who is communicating with whom? Yes, although pings are needed only if the app has disconnected from the server, and this severely limits the usefulness of this technique.
Where else may any metadata coming from usage of Signal be? Nowhere.
As for Google having your contact list... Take a look into Flock.
I get that Signal is probably the best option for smartphones. And that maybe its vulnerabilities are only relevant for "TAO targets". But the problem is that "TAO targets" is in rapid flux, given developments in automation and AI. So arguably, more and more journalists and dissidents are becoming vulnerable.
And there's the fundamental insecurity of devices with cellular-radio connectivity, and operating systems that users can't control and lock down. Signal can do nothing about that. Even something as simple as reliably obscuring identity in connections to Signal servers is nontrivial.
> But the problem is that "TAO targets" is in rapid flux, given developments in automation and AI.
You are implying that the cost of TAO consists mostly of labor costs. Which is false. NSA and friends are not really limited by money. They are limited by the amount of unpatched software vulnerabilities. Every use of a vulnerability in the wild is a chance of revealing it to the world and losing it. Snowden docs reveal the existence of automated software which evaluates the chance of a vulnerability being revealed by an attack. XKeyScore or one of the related pieces, AFAIR.
It's nearly impossible to find out. But if I trusted corporations like Google not to exploit the possibilities, I wouldn't be looking for an open-source alternative to WhatsApp in the first place.
You shouldn't use a smartphone if you expect to be TAO. Even the hardware could be compromised. Use a laptop with Linux for anything anyone might want to track...
Then why is Moxie advertising the Signal app, with Snowden, as communication for TAO targets?
And for non-TAO targets, WhatsApp is just as good as Signal – the users won’t read the source code anyway, and in both cases President Trump gets your social graph.
Aka NSA's "we really need to get access to this device and will fund diverting backbone traffic / writing firmware malware / whatever else we need to in order to get it" team(s).