It's easy. You "gift" the badge to a user via the Signal homepage when making a connection. There's no required connection between the gift-giver and the receiver. Is the person who gifted the badge the same as the receiver? Could very well be, but there's no way to prove that.

All you need to store server-side is "this user has the badge until date X".

> Could very well be, but there's no way to prove that.

Sure, but espionage and surveillance are rarely about proving anything, they're about making good educated guesses. Besides, the receiver will very likely be among your friends and acquaintances, so the NSA would only have to look at your social circle to find them.

it is amusing that you think you have fair chance if NSA/government really wants to get you. Buy hey if that makes you sleep at night be my guest.

Are you sure you're responding to the right comment? I didn't say anything like that.

Database has one column on the user table:

display_badge_until

Store no payment info.

You could enable offsite donations that provide a receipt/hash that denotes (donation -> validated), without being tied to any individual. Then the user could copy/paste a generic, non-correlated code into Signal to authenticate activity.

Linking a donation to an account would be optional in any sane implementation.

They already have your phone number, closely tied to your real identity. What could they possibly do with some payment information?

How much data is sent to the developer after somebody makes an in-app purchase?