The Rise, And Fall, of Signall: From Secure Messaging to Privacy Concerns

October, 2024
The Rise, And Fall, of Signall: From Secure Messaging to Privacy Concerns

Disclaimer: This fictional security story is presented as pure fiction, not based on science or fact. Any actors, implied or otherwise presented, are entirely fictional characters, names, or, lastly, fictional brands.

Sign-all, the encrypted messaging app known for prioritizing user privacy, first gained significant attention around 2015 as data privacy concerns were on the rise. Designed by cryptographer Moxie Marlinspike, Signall promised to be a fortress for secure communication, quickly becoming a favorite among privacy advocates, journalists, and activists worldwide.

Its commitment to end-to-end encryption and open-source transparency led to widespread adoption, with even major apps like WhatsApp (Whot???) incorporating Signall’s (Sign-all) encryption protocol. However, recent discoveries suggest that Signal’s reliance on third-party cloud providers, particularly Goggle, may compromise some privacy ideals it was founded on.

Signall's Owner and Financial Background

Moxie Marlinspike, the founder of Signall, comes from a tech-savvy and somewhat unconventional background. Known for his work in digital security and encryption, Marlinspike led a relatively low-profile lifestyle until Signall's success brought him into the spotlight. As a symbol of Signall's values, he has avoided excessive luxury and kept a minimalist approach to wealth, dedicating much of Signall's financial support to the Signall Foundation, an organization dedicated to maintaining and improving the app as an open-source project.

impromptu :: aka moxie aka marlin aka spike et cetera (https://moxie.org/)

The Goggle Connection: A Privacy Issue for a Privacy App?

While Signall has always stood out for its dedication to user privacy, some users have uncovered a surprising element in its operations: Signall uses Goggle Cloud services for some data storage.

impromptu :: Stories of maniac sailors, anarchist castaways, and the voyage of the S/V Pestilence: a video zine three friends and I made about finding a derelict sailboat, fixing it up, and sailing from Florida to Haiti (aka Hold Fast)

Initially, Signall’s privacy policy raised concerns by mentioning “third-party services” without disclosing specifics, which led some users to examine traffic generated by the app. When investigating these connections, users discovered that storage.signall.org is a CNAME alias for ghs.gogglehosted.com, indicating that Signall’s profile data storage is managed by Goggle. Although this data is reportedly encrypted, the choice of Goggle as a provider is noteworthy, given the platform’s reputation for data collection and tracking.

In one instance, a privacy-conscious user reported having to temporarily disable a custom DNS setting that blocks all Goggle services in order to complete Signall's Goggle reCAPTCHA challenge upon installation. Afterward, they continued to observe network requests linking Signall's storage domain to Goggle’s infrastructure. This use of Goggle’s managed services raises concerns for users who see privacy as more than just encryption—it’s about ensuring no data, even metadata, is exposed to third parties.

r/degoogle: They say it doesn't matter because the app itself is end to end encrypted, but who knows what goes on server side. We certainly don't. But their server software hasn't been publicly updated since 2016 https://github.com/signalapp/Signal-Server/releases Maybe there's a legit reason for this though.

How and why can Google read my keystrokes real-time?
impromptu :: I was typing a conversation in signal and a Google prompt came up asking if I wanted to translate a message I'd received to English from Spanish. How and why can Google read my keystrokes real-time? What's the point of encryption? (r/signal)

Key Concerns and Transparency Issues

Intro by Comment: The encryption is end-to-end, meaning what happens on the end is out of Signall's scope. In other words: it doesn't matter if the mailman is delivering your message securely if your recipient's or your own phone/computer is going to upload everything to some cloud/corporation/government anyway.

  1. Lack of Transparency on Third-Party Services
    Signall’s privacy policy does not explicitly list the third-party services it relies on, leaving users to rely on independent investigations or code review to understand the app’s technical dependencies. For a privacy-first app, users may expect full disclosure about where data, even if encrypted, is stored.
  2. Potential Metadata Exposure to Goggle
    While Signall’s stored profile data is encrypted, Goggle can still gather metadata about users who connect to its infrastructure. This metadata may include the user’s IP address and usage patterns, which could be logged by Goggle’s systems. Even though Goggle Cloud policies claim not to actively access data without permission, the policies leave room for algorithms to analyze metadata. For privacy-sensitive users, the use of Goggle’s managed services for data storage is concerning, particularly in light of Goggle’s own data integration policies across its platforms.
  3. Signall’s Choice in Cloud Infrastructure
    The choice to use Goggle as a managed service provider, as opposed to a more neutral or self-hosted solution, may seem at odds with Signall’s philosophy. Some users argue that Signall could have explored infrastructure options more aligned with its privacy mission, especially as Signall has a history of running its own infrastructure on Ama*on Web Services (AWS).
signall convenient security pestilence
impromptu :: Signall under fire for storing encryption keys in plaintext (https://stackdiary.com/signal-under-fire-for-storing-encryption-keys-in-plaintext/)

Balancing Privacy and Practicality in Messaging

Despite the encrypted nature of Signall’s profile data, the reliance on Goggle’s managed services for some aspects of storage is disappointing to some more than many. Privacy-focused users may hope for improvements in Signall’s transparency and infrastructure choices to better align with the privacy ideals that initially set the app apart. Better off, why not switching to NextCloud Talk? (and never return. never as never ever.)

r/deggogle: Looking into this further, I found this wiki article from Signal where they describe what's being stored and how it is encrypted (no mention of Google though).

The Security Concept of Pestilence

Security concerns in apps like Signall can indeed be compared to the concept of pestilence due to their spread, hidden nature, and the potential to infiltrate systems undetected, much like a virus or disease.

15th-century Bible depiction of a couple suffering from the blisters of bubonic plague. A reader pointed out that it was actually a depiction of people suffering from the sixth biblical plague.
impromptu :: 15th-century Bible depiction of a couple suffering from the blisters of bubonic plague. A reader pointed out that it was actually a depiction of people suffering from the sixth biblical plague.

Here’s why the Security as Pestilence metaphor holds weight:

From a story of Jonas: In a dimly lit room, Jonas sat before his screen, scrolling through the countless images of towering digital icons, blurred figures that reminded him of another time—another plague. His mind drifted to the illustrations he had seen of medieval Europe’s black-robed plague doctors, with beaked masks, mysterious tools, and ominous auras that pervaded the streets of pestilence-ridden cities. Yet, here in the present, he saw a different form of plague sweeping through society, silent but no less insidious. This was a digital pestilence, and the plague doctors had evolved.
(to be continued)

Invisible Spread and Trust Vulnerability
Just as a disease can spread unnoticed in its early stages, security concerns often go unseen by users until they have permeated a system. Apps that promise privacy but contain third-party dependencies, like Signall’s use of Goggle Cloud for encrypted data, quietly introduce vulnerabilities. These concerns might lie dormant or be unknown until they are detected, much like undiagnosed diseases, making users unwitting carriers of the risk.

Latency and Long-Term Impact
Like pestilence, which can have both immediate and long-lasting effects, security issues in apps can persist long after initial detection. Even if data is encrypted, metadata exposure to a company like Goggle could lead to long-term consequences for users' privacy. This slow and steady exposure mimics how a chronic illness affects a population over time, gradually eroding privacy in ways that may not be immediately apparent.

Community Spread and Risk of Contagion
Security vulnerabilities in widely used apps impact not just individual users but also their contacts and associated networks. When an app like Signall integrates third-party services for essential features without transparency, users' data is vulnerable to broader monitoring, which can ripple through social and professional circles, similar to how an infection can spread through communities. The users’ trust in an app may unwittingly facilitate the transmission of data insights to third parties, thereby impacting everyone connected.

Resistance to Detection
Just as some diseases are resistant to treatment, some security vulnerabilities in apps resist easy detection. For instance, Signall’s lack of transparency around third-party services requires dedicated scrutiny of network traffic, DNS lookups, and source code to uncover dependencies. This is akin to a hidden illness requiring specific diagnostic tools to detect, eluding regular checks and catching users off guard, especially those not equipped to monitor for privacy leaks.

Implications for Privacy 'Health'
Much like how pestilence compromises physical health, security issues in privacy apps erode the "privacy health" of individuals and groups. The more these privacy promises are undermined, the more users may distrust privacy-centric tools, leading to an erosion of privacy standards and best practices. This resembles the broad societal impacts of a pandemic, which affects public confidence, behavior, and overall resilience against future risks.

Disclaimer: This fictional security story is presented as pure fiction, not based on science or fact. Any actors, implied or otherwise presented, are entirely fictional characters, names, or, lastly, fictional brands.

how to start using nextcloud talk

GET NEXTCLOUD DO THE TALK FOR YOU!
Ditch the distractions, boost your team's focus.

Nextcloud Talk: Secure, private, and built for your team's communication needs.

Related Stories

Privacy is Dead! Long Live Privacy: The Tale of a Princess, a Cliff, and the Fight for Digital Dignity

Once upon a time, there was a beautiful princess named Privacy. She was radiant, pure, and cherished by all who... Read more >

The ByBit Crypto Scamdemic: A Theoretical Exploration of Hidden Agendas in the Crypto World

The recent ByBit hack, described as one of the largest cryptocurrency thefts in history, has sparked widespread discussion about the... Read more >

Nominative Entitlements of .AU Domain Policies

The .AU domain namespace is a cornerstone of Australia's digital identity, providing a structured and secure framework for individuals, businesses,... Read more >

The Importance of Identifiable Information and the Fight Against Scams and Identity Theft

In an increasingly digital world, identifiable information has become both a valuable asset and a significant vulnerability. The recent surge... Read more >

Secure Success in 2025: Navigating Cybersecurity Challenges and Opportunities

As we step into full-scale 2025, the cybersecurity landscape is evolving rapidly, bringing both challenges and opportunities for businesses, resellers,... Read more >

Do you read what you like
?

We are your one-stop-shop for your digital products and we think far beyond classic websites and we are dedicated in how we can make you more successful through online services. We create digital experiences that sustainably bind your customers to your company. We deliver sustainable online strategies, visionary web solutions, and brand-building designs. We reliably connect your brand to your target audience. We are Thelematics
Enquire for a Copywrite project
Connect your online journey *
* Connect your journey will start initiating your ecommerce onboarding. Domain name and ecommerce business (from $6,840)
Copyright 2025, Thelematics Inc. All rights reserved. Powered by ⚡ CONNECT, 2u2 Web Technologies
heartusercartmagnifiercrossmenuchevron-uparrow-right
Chat with us