Good on you for the thorough research, and I like your logic. Things change fast, and it's good to have backups in place. Overcast would probably be my choice if using iOS. I wish there were more open source and privacy-friendly versions available.

-M

more important than expecting ip obfuscation or sealed sender from signal

People are only expecting metadata protection (which is what "sealed sender", a term Signal themselves created, purports to do) because Signal dishonestly says they are providing it. The fact that they implemented this feature in their protocol is one of the reasons they should be distrusted.

For anyone reading along, that means people you send signal messages to can see your user account name maybe even if you click the button that’s supposed to make it not possible to do that.

Change your behavior accordingly.

No, it isn't about hiding your identity from the people you send messages to - it's about the server (and anyone with access to it) knowing who communicates with who, and when.

Michael Hayden (former director of both the NSA and CIA) famously acknowledged that they literally "kill people based on metadata"; from Snowden disclosures we know that they share this type of data with even 3rd-tier partner countries when it is politically beneficial.

Signal has long claimed that they don't record such metadata, but, since they outsource the keeping of their promises to Amazon, they decided they needed to make a stronger claim so they now claim that they can't record it because the sender is encrypted (so only the recipient knows who sent it). But, since they must know your IP anyway, from which you need to authenticate to receive messages, this is clearly security theater: Amazon (and any intelligence agency who can compel them, or compel an employee of theirs) can still trivially infer this metadata.

This would be less damaging if it was easy to have multiple Signal identities, but due to their insistence on requiring a phone number (which you no longer need to share with your contacts but must still share with the Amazon-hosted Signal server) most people have only one account which is strongly linked to many other facets of their online life.

Though few things make any attempt to protect metadata, anything without the phone number requirement is better than Signal. And Signal's dishonest incoherent-threat-model-having "sealed sender" is a gigantic red flag.

Video Clip of Former Director of NSA and CIA: “We Kill People Based on Metadata”

In a public debate with Just Security‘s David Cole at Johns Hopkins University, former Director of the NSA and CIA, General Michael Hayden made the provocative remark, “We Kill People Based on Metadata.” In a post on Saturday, David used Gen.

^{Ryan Goodman (Just Security)}

There’s a big difference between the metadata that the Snowden leaks are talking about and how they’re used and the metadata the signal server (or its subcontracted provider) has and how and under what conditions it’s able to be used.

The metadata that is the subject of the statement “we kill people based off metadata” is unencrypted cell phone signals and other broadly plaintext requests sent over a system that by design also includes location telemetry. That information could be easily obtained en masse through a man in the middle attack or through the lawful intercept backdoors built into the equipment that carries the information itself (which is less of a man in the middle attack and more of a man in the middle design).

This is different from the signal metadata both in form and content. The signal metadata is not vulnerable to a mitm attack and the agencies implicated in the Snowden leaks would have to actually go through the legal hoopla required in order to get just the metadata itself. Same as they would have to if they wanted the actual content.

Amazon does comply with law enforcement requests often without requiring a warrant, but the difference between requiring a request be made as opposed to simply being able to collect that metadata freely and package it as actionable intelligence is significant.

All messaging systems are vulnerable to this attack. If you send or receive a message then you, the other party and any intermediary like a server are subject to the laws of the places they’re physically located.

Again, I’m not arguing, I’m trying to make this very convoluted system clearer.

For chat, something with e2ee and without phone numbers or centralized metadata. SimpleX, Matrix, XMPP, etc - each have their own problems, but at least they aren't centralizing everyone's metadata with a CIA contractor like Jeff Bezos like Signal is.

For email, I'd recommend finding small-to-medium-sized operators who seem both honest and competent. Anyone offering snakeoil privacy features such as browser-based e2ee is failing in at least one of those two categories.

We're considering moving up our timeline on a SimpleX and Matrix chat as we've received interest from others about that, too. Keep an eye on our website or show notes as we'll update those when new chat channels open up.

As for email, are there specific providers you recommend we look at?

-M