Meredith Whittaker
Meredith Whittaker. Quelle privat.

Meredith Whittaker: the Signal messenger is not for profit

Meredith Whittaker is looking for new strategies as the new CEO. She doesn't want to earn a cent by selling user data to any companies.

Signal basically doesn’t want to sell any data to cover the gigantic operating costs, the new CEO Meredith Whittaker tells us. During our conversation with Tarnkappe.info, we asked how this is supposed to work. The question of the revenue model is particularly interesting. Why? Because Whittaker worked for the data octopus Google, before she changed jobs..

Meredith Whittaker on the history of Signal

Tarnkappe.info: Ms. Whittaker, how did Signal emerge? With what motivation did this happen, who was involved?

Meredith Whittaker: Signal was founded in 2014 by Moxie Marlinspike and grew out of his Open Whisper Systems project. Over the years, many talented people have contributed to building and maintaining Signal. Moxie is very committed to privacy, but I can’t speak to his inner motivation. However, I can say that it motivates me to ensure that Signal continues to exist as a robust, user-friendly messenger – and one that exists outside the web of corporate and government surveillance.

I believe Signal is existential for the future, and I will do everything I can to ensure it grows and thrives and delivers on its strong privacy promises to the people who rely on it.

Signal is a Non-Profit organisation

Tarnkappe.info: I assume our readers will be happy to take note of that. Who is actually behind it today? Who owns the shares? Or is that not public?

signal, surveillance, camera

Meredith Whittaker: There seems to be some confusion at the heart of this question: Signal doesn’t have shares, or investors. It’s not a for-profit company. Signal is a 501c3 nonprofit. Information about our organizational structure and governance model is publicly available for anyone interested: https://signalfoundation.org.

Tarnkappe.info: It has been repeatedly criticized that the financing of Signal is partially non-transparent. So how exactly does the financing work?

Meredith Whittaker: Signal is entirely financed by donations, including a generous loan from Brian Acton. We are incorporated as a 501c3 nonprofit, and as such we submit to an annual audit and publish our financial status publicly. And we chose this organizational form, and a reliance on donations, as a way to avoid and reject the dominant surveillance business model. We offer our services for free, but instead of monetizing surveillance data from the backend, we ask the people who rely on Signal to contribute with a small contribution.

Meredith Whittaker: “People don’t choose where they are born

Tarnkappe.info: Why was it decided that the foundation and Signal Messenger LLC should be based in the USA? Due to the lack of data protection? To put it another way: After the Patriot Act and the Snowden revelations, why should you entrust your data to a company plus a foundation based in the USA?

Meredith Whittaker: Unlike the majority of tech products and services, Signal doesn’t collect data about people, so the people who rely on Signal aren’t “entrusting” any data to Signal. This is core to Signal’s mission, and we take this mission extremely seriously. 

On the question of geography, people don’t choose where they’re born, or where the intellectual and practitioner communities they work and grow with are located. Signal’s founders and collaborators were primarily based in the US. This is where Signal emerged, and where it grew from a hypothesis project to the most widely used private messaging service on the planet.

messenger, smartphone

Meredith Whittaker: Rarely used messengers are unfortunately useless

Tarnkappe.info: Will the servers of Amazon, Microsoft, Google and Cloudflare no longer be used at some point so that they do not receive the IP address (metadata)? Or will an onion routing protocol be implemented as an alternative? Will the server structure eventually change to be decentralized, which means peer-to-peer?

Meredith Whittaker: Unlike almost all other consumer tech, Signal is designed so that nothing, including Signal’s servers, has access to your data. Distributed or decentralized systems don’t increase privacy. In fact, they can reduce privacy. For instance, many years ago Signal calls were always P2P, but people didn’t like that this would disclose IP address to whoever called you. So, for privacy reasons, we changed our system to not be P2P in all cases.

In Signal’s case, we also need to recognize that privacy is collective. It doesn’t matter how much I care about privacy and rigorous security hygiene: in the context of a messaging service, if my friends, colleagues, partner, and those I want to talk to don’t use a service, it is also useless to me.

Robust privacy as the goal

Signal’s goal is to provide real people with robust privacy. To achieve this, we cannot be relegated to the category of privacy thought experiments – iron-clad privacy in theory, but unused in practice because it doesn’t function according to people’s expectations and desires. To be useful, a messaging service today must be instantly available at all times everywhere. This is a norm that has been set by messengers that participate in the surveillance business model, which Signal rejects. However, just because we reject the surveillance business model, doesn’t mean we can reject the “always available” norm if we want to remain useful, used, and relevant.

Cloud services in the hands of a few IT corporations

At this moment, meeting these expectations requires high availability global server infrastructure. This infrastructure – which we generally refer to as “cloud services” – is currently in the hands of a handful of companies due to the consolidation of the tech industry which happened over the last decade thanks to the network effects inherent in the surveillance business model. It is not feasible to develop high availability services like Signal without either being one of these “Big Tech” companies, or licensing cloud servers from them. This is not the world we wish existed, but it is the world that we operate in.

This leads us to a discussion of cost, and the economics of developing and caring for high-availability software like Signal. Cost is one of the biggest challenges of operating a service like Signal while rejecting the lucrative surveillance business model. To keep Signal running, we spend tens of millions of dollars a year. And servers and bandwidth are two of the largest expenses.

suspect
Foto: Lars Sobiraj.

Both servers and bandwidth are associated with significant economies of scale, which provide the companies who own these pooled cloud resources, and the entities that license them, significant advantages in terms of being able to flexibly allocate resources.

Sadly, there is no way around the big tech companies

To take a real example, when Signal use jumped 10X in January 2021, we were able to quickly phone our cloud providers and expand our hosting capacity and bandwidth in a matter of hours. If we were running and hosting our own infrastructure in January 2021, we would have needed to have drastically overprovisioned, globally, to ensure the same robustness in the face of dynamic conditions. In this scenario we would have also needed to lease datacenters, to hire and manage teams of site reliability engineers and hardware operations staff, located globally, in order to ensure we had people dedicated to building and maintaining our infrastructure, a full time job that’s never finished. This model would likely cost not tens, but hundreds of millions of dollars a year to obtain similar robust performance.

In the future, if we develop or discover options that don’t require relying on widely available cloud infrastructure and–importantly–that can support the always-available expectations of the people who rely on Signal, all while being economically viable, we will of course explore them. But there is no such option today, and moving to a distributed architecture without taking these issues seriously would diminish Signal’s utility for the people who rely on it, and potentially its privacy. This is something we’re not willing to do. 

Meredith Whittaker wants to expand donation options

Tarnkappe.info: Why is it not possible to donate with a privacy-friendly money transfer? Paypal and credit card are anything but privacy friendly.

Meredith Whittaker: Using common third-party payment processors makes it easier for our required financial audits, and for the people who want to donate. We are also actively working on expanding these options.

spende, spenden

Note that for in-app donations and donor badges, Signal goes to great lengths to ensure that donor identities are not mapped to individual Signal accounts. We leverage an anonymous credential scheme that we introduced for Signal private groups. Someone using Signal makes a donation to Signal, and we then associate a badge to that person’s Signal profile in a way that allows the server can authenticate that the person is in the set of people who made a donation, without knowing specifically which donation it corresponds to.

Signal plans to keep all mobile numbers secret

Tarnkappe.info: Why do you have to provide your mobile phone number for registration? Other services also work without providing this information. Will that change at some point? As an alternative, will it be possible at some point to only enter nicknames instead of numbers when registering?

Meredith Whittaker
Meredith Whittaker testifies before the House Science, Space, and Technology Committee in 2019. Source, thx!

Meredith Whittaker: We don’t have plans to change the requirement for phone number registration. However, we are working to enable usernames, which will allow people to keep their phone numbers private from the people they’re communicating with on Signal.

Here’s a bit more background on this choice: phone numbers allow people to “import” their social graph to Signal, and, importantly, to take it with them if they decide to stop using Signal. The graph that people bring with them via phone numbers helps people quickly connect with their friends and colleagues. And of course this graph – a map of the people you care about, collaborate with, and want to talk to – is at the heart of a functional messenger service.

“We fight all requests equally, no matter where they come from.”

Phone number registration also helps fight spam, making it harder for a bad actor to spin up many Signal accounts that they use to pollute people’s message feed with unwanted texts and reduce the enjoyment and utility of Signal overall. Traditional account systems, which rely on usernames and passwords, also tend to present security risks to people who get their passwords phished or otherwise compromised. This is something phone numbers help mitigate that the traditional username + password form is still struggling with. We have thought long and hard about the use of phone numbers, and we believe there is no easy way around them, even if we’d like there to be. However, if we do develop or discover a realistic alternative to phone numbers, we will be certain to explore it. 

monitored, iphone

Tarnkappe.info: How many government inquiries does Signal receive each year? Which authorities are involved, including secret services?

Meredith Whittaker: We publish all of the inquiries we are forced to comply with at https://signal.org/bigbrother/. Perusing the site, you will see how little information we have, and how little we are able to turn over even when forced. We fight all inquiries equally, regardless of where they come from. 

In many cases Signal does not know who is communicating with whom

Tarnkappe.info: Can authorities also force you to live monitoring? If so, based on what allegations? If not, why not?

Meredith Whittaker: Were authorities to ask for this, they wouldn’t get much from Signal. The Signal protocol protects against “man in the middle” observation–by Signal or any other entity. This means that even if someone were to attempt “live monitoring,” the contents of the messages would be protected, and not available to scrutiny or capture. Further, the vast majority of Signal messages are sent using Signal’s “sealed sender” system, meaning that we don’t know who has sent the message.

We never have access to the messages of the users

Tarnkappe.info: Are self-deleting messages immediately and permanently deleted from the servers? Or is the history saved? Are there differences in the implementation of manual or automatic deletion?

Meredith Whittaker: Signal has no access to people’s messages, ever.

We do not save messages to Signal’s servers. Our servers are used to deliver encrypted blobs of data that can only be decrypted and read by the Signal users who are meant to receive the messages. These encrypted blobs cannot be read or deciphered by Signal or anyone else. Once they’re delivered to a recipient’s device, these encrypted blobs are permanently deleted from Signal’s servers. We also delete these blobs if they go undelivered after a period of days. 

Manual vs. automatic deletion of messages

Meredith Whittaker

When discussing the difference between manual and automatic deletion of messages, we’re talking about something slightly different.

That is, we’re referring to the deletion of messages from a user’s device. Messages that Signal never has access to. The difference between automatic and manual deletion is simply a difference in what process prompts deletion: automatic deletion is triggered by the delection clock expiring (say, after one week, or one day), while manual deletion is triggered by user action. 

Tarnkappe.info: How far after creation do you delete the metadata from the servers? We know how important metadata can be.

Meredith Whittaker: You can reference https://signal.org/bigbrother, which lists the number of government requests we have been forced to comply with. Then you get a sense of the extremely limited amount of metadata we have access to and can be forced to hand over. You can then compare this to the often extensive data requests made by governments, which surveillant messaging services would likely be able to fulfill, but which Signal–by design–cannot. 

Meredith Whittaker: “To me, there’s nothing more important than making sure Signal grows and thrives in the context of an increasingly centralized and monitored world.”

Tarnkappe.info: What to expect from Meredith Whittaker as the new manager? How will her position affect Signal?

Meredith Whittaker: You can see more on my thinking in my introductory blog post, here. I have been a friend and champion of Signal for nearly a decade. I’ve worked closely with Moxie and others on the team. I’ve served on the Signal Board of Directors for a number of years, and I’m a longstanding and unwavering supporter of strong encryption and privacy. I decided to join Signal because I believe there’s nothing more important I could be doing than ensuring that Signal grows and thrives in the context of an increasingly centralized and surveilled world.

Tarnkappe.info: When can we expect 24-hour stories like Instagram, WhatsApp, etc.?

Meredith Whittaker: Keep your eyes out, we’re actively working on it and you should see an update very soon!

No plans right now to export the settings

Tarnkappe.info: Will there be an option to export/back up the app’s settings to a ZIP with everything and restore it to a new device? So the message history as well? What other options for exporting data from Signal are planned?

Meredith Whittaker: No plans right now. But providing backup options that also preserve our strong privacy promises is something we are looking into. 

Kostenloser Newsletter

Lesetipps und Glosse bequem ins Postfach - Abonnieren Sie jetzt den kostenlosen Newsletter.

Tarnkappe.info: What interoperability plans are in the pipeline, if any?

Meredith Whittaker: We don’t have plans to share right now. Importantly, we won’t interoperate with any service that would require lowering our privacy bar, or that would prevent us from being able to keep our robust privacy promises to the people who rely on us. 

Tarnkappe.info: What will the internet look like in 10 years? Will states regulate it completely from A to Z? How would Signal react to this?

Meredith Whittaker: I’m not a wizard or a psychic so I cannot tell you what the internet will look like in 10 years, or if we’ll even use the term “internet” at that point. I can say that Signal will stay true to its privacy promises. It will will not compromise its strong encryption, whatever else happens.

Ms. Whittaker, thank you very much for your detailed answers. We would also like to thank all the forum users who were really extremely active in submitting questions in advance.

Tarnkappe.info


Lars Sobiraj

Über

Lars Sobiraj fing im Jahr 2000 an, als Quereinsteiger für verschiedene Computerzeitschriften tätig zu sein. 2006 kamen neben gulli.com noch zahlreiche andere Online-Magazine dazu. Er ist der Gründer von Tarnkappe.info. Außerdem bringt Ghandy, wie er sich in der Szene nennt, seit 2014 an verschiedenen Hochschulen und Fortbildungseinrichtungen den Teilnehmern bei, wie das Internet funktioniert.