You might be interested in the technical reasons for requiring a phone number to use Signal. Not sure if there have been any updates since this blog post.
https://signal.org/blog/secure-value-recovery/
> One challenge has been that if we added support for something like usernames in Signal, those usernames wouldn’t get saved in your phone’s address book. Thus if you reinstalled Signal or got a new device, you would lose your entire social graph, because it’s not saved anywhere else. Other messaging apps solve this by storing a plaintext copy of your address book, social graph, and conversation frequency on their servers. That way your phone can get run over by a car without flattening your social graph in those apps, but it comes at a high privacy price.
This can be solved with a backup that store the address book (but not in the cloud, please!). Signal for Android already have a safe and encrypted backup feature, I use it to keep my message history safe.
Not being forced to add a contact to the phone address book is an extra advantage, as address books are one of the first victims of spyware apps...
Also, with usernames and a desktop app, there is no reason to require a smartphone at all! Seriously, my Android phone is the least secure platform that I use at the moment (lots of proprietary stuff, spyware prone, ...)
Wait what? You specify a username and at least one user-chosen "challenge" in order to verify ownership of it -- phone number, email, password, TOTP, public key which is stored with Signal. Then when you register a new phone you verify the username exactly like you verify the phone number but with the user's challenge.
Like it's more effort, but not some intractable problem, at least stated like this.
I feel like that issue could be solved by creating a random unique say 16 digit UID that users could then add as a phone number for contacts. As long as it does not map to a real routable phone number a phone dialer won't have issues if you call it by accident. Smarter dialers like that in calyxos could recognize it for signal calls if it has a unique prefix.
They could even sell existing users UIDs so they could share their contact info without sharing their phone number if they so desired, e.g. via a website. If they charged some nominal fee users could reset their UID. Maybe with escalating prices if done in short succession to make revenue and discourage abuse.
I'm working on a decentralized storage solution for personal data. To be fair, it's not actually being used anywhere meaningful but I think it has real value (data ownership / privacy, encryption, protection from client code) and we have a proof-of-concept website that you could test it out on.
Those "rare issues" were also caused by a culture of prioritizing profit and speed of development over safety and training. More of those "rare issues" popped up months later.
This is a good idea! Where is the implementation and technical details?
Here is a project I have been working on which tackles these challenges and more (end-to-end encryption, bring your own key, data ownership, open-source, protection from client-side code in browsers, access control and monitoring, etc.): https://redact.ws
I've been working on something that could improve privacy for websites like this. It's basically end-to-end encryption for websites, so you could have a chat with a therapist without the middle-man being able to decrypt the data. Of course the challenge is that these companies are selling or otherwise profiting off the data, so it's hard to see why they would use it unless you can convince them that the privacy is, itself, a big enough differentiator.
I don't think what we're running into here is "human nature" so much as it is investor nature. I'm not particularly familiar with them, but Polkadot has raised $300M. There has to be some return for that investment (i.e. they need to be able to lock users into their ecosystem and prove to investors that a competitor can't come along and provide an equally valuable service without starting from scratch). How can a truly decentralized service / protocol compete with the companies that are getting that kind of investment?
> If someone has control of the application, aren't all bets off at that point?
Great point, but not necessarily. This is what we are trying to solve with Redact. Would be interested to hear your thoughts on our solution: https://redact.ws
Jumping in here to plug a company that I co-founded called Redact. We are developing a trustless way to store and process PII - our tech is end-to-end open source (unlike competitors), we don't use any proprietary encryption algorithms or techniques (unlike competitors), and we give users a way to control and monitor access to their own data. We think this is the future of Web3. Check out our website and I'd be more than happy to answer questions or provide some links to our source code if there's any interest.
https://redact.ws
> One challenge has been that if we added support for something like usernames in Signal, those usernames wouldn’t get saved in your phone’s address book. Thus if you reinstalled Signal or got a new device, you would lose your entire social graph, because it’s not saved anywhere else. Other messaging apps solve this by storing a plaintext copy of your address book, social graph, and conversation frequency on their servers. That way your phone can get run over by a car without flattening your social graph in those apps, but it comes at a high privacy price.