After getting an "X joined Signal!" notification, I was immediately curious how this user-joined syncing works.
After a fair bit of hunting, I managed to find that phone numbers are being synced periodically, after SHA1-ing their e164 value (well, 10 digits of it).
Given that SHA1 hashing tends to be measured in _millions per second_, and phone numbers are a rather small search space, this is effectively giving all your phone numbers to the server. Reversing these hashes is, while not giving guaranteed results (given only 10 chars), trivial and still gives very high confidence in the results. Not that I believe you're doing so, but for future-proofing this appears to be a pretty big leak if someone gains control of the Signal servers.
I was legitimately shocked that I couldn't find a way to disable this sync, either in the app or code. Since it seems this could be done lazily (only check for the single contact you're trying to message, on first attempt) and the tradeoff is that you would only lose known-users (until checked) when browsing all your contacts, it seems like it'd be a good idea to allow people to disable this for a bit better protection. And right in line with a privacy-oriented messenger.
Any thoughts?
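The point made in the post above, as an added example that is not part of the original post or of Signal's code: a truncated SHA-1 over a phone number is reversible by whoever can enumerate the number space. The 10-byte truncation, the function names and the `+1202555xxxx` sample range are assumptions made for illustration.

```python
import hashlib
import time

TOKEN_BYTES = 10  # assumption: token = first 10 bytes of SHA-1 over the E.164 string


def contact_token(e164: str) -> bytes:
    """Truncated SHA-1 of an E.164 number, the kind of token the post describes."""
    return hashlib.sha1(e164.encode("ascii")).digest()[:TOKEN_BYTES]


def build_lookup(prefix: str, digits: int) -> dict:
    """Precompute token -> number for every number under one prefix."""
    table = {}
    for n in range(10 ** digits):
        number = f"{prefix}{n:0{digits}d}"
        table[contact_token(number)] = number
    return table


def hashes_per_second(samples: int = 200_000) -> float:
    """Measure single-core, pure-Python token throughput on this machine."""
    start = time.perf_counter()
    for n in range(samples):
        contact_token(f"+1555{n:07d}")
    return samples / (time.perf_counter() - start)


def hours_to_enumerate(space: int, rate: float) -> float:
    """Hours needed to hash every candidate in `space` at `rate` hashes/second."""
    return space / rate / 3600


if __name__ == "__main__":
    # Constructed sample: 10,000 numbers under one exchange.
    table = build_lookup("+1202555", 4)
    uploaded = contact_token("+12025550143")  # what a client would send
    print("token    :", uploaded.hex())
    print("recovered:", table[uploaded])      # the hash hid nothing
    print("distinct tokens:", len(table))     # truncation caused no collisions

    rate = hashes_per_second()
    # A 10-digit national number space has 10**10 candidates.
    print(f"{rate:,.0f} hashes/s -> {hours_to_enumerate(10**10, rate):.1f} h "
          "for all 10-digit numbers on one core, unoptimized")
```

Because the input space is small and public, salting or a slower hash only raises the cost by a constant factor; the lookup still works for anyone who holds the tokens.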
You can take away the contact permission for Signal on Android.
@sigenc: Revoking the contacts permission has some undesirable side effects: All incoming calls are relayed over the OWS TURN server, only inscrutable numbers (instead of names) are shown for conversations and incoming calls, and you have to copy-and-paste the number to start a new conversation.
@Groxx: For exactly the reason you've described (a server compromise would only need 12 hours to siphon off everyone's address book), I've been using a WIP minimalist patch set that makes contacts sync optional, with IMO reasonable UX. It works like this:
1. Add an avoidContactsIntersection mode in which the contact picker always shows all contacts, and contacts sync transmits an empty list.
2. General Signal bugfix - Remove stale numbers from whisper_directory.db after contacts sync. (Stale numbers = all numbers not covered by contacts sync, either because they were removed from the address book after a previous sync, or because we're in avoidContactsIntersection mode.) To avoid sending a number query to OWS every time the user views an old conversation with a stale number, those stale numbers which are still associated with a conversation only get removed if the contacts sync was triggered manually by pull-to-refresh.
3. Not implemented yet: General Signal bugfix - Refresh unknown numbers during group creation activity (instead of treating unknown as SMS-only), similar to how opening the one-to-one conversation activity with an unknown number will refresh that number's status. I think this is going to require some refactoring. I don't group message a lot, so for my personal use, it's been tolerable to work around the group creation glitch by first opening a one-to-one conversation to make Signal fetch the number status.
4. Not implemented yet: Properly hook up avoidContactsIntersection in the UI. Currently, it is simply enabled if Contacts joined Signal notification is disabled in Settings, but a) this is not quite right semantically and b) IIRC, the Settings activity can't be accessed during registration activity? Until there's a toggle that's accessible during registration, the only workaround for new users would be to install Signal but don't open it, revoke contacts permission, open Signal and register, disable "Contacts joined Signal" notification, kill Signal, grant Contacts permission, and finally start using Signal.
Is this a sound approach? Anyone interested in taking it off my hands and implementing 3 and 4? ;)
The uncontrolled notification is a horrible mis-feature. I don't care so much how it's done (I found it quickly in the FAQ) as the fact that it's done at all and I can't turn it off.
What if I don't want my contacts to know I am using Signal?
Scenario: I work in some high-flying place with a lot of paranoia, say the US White House. Anyone using Signal is immediately under suspicion of being a "leaker". Most of the people I work with are in each others' address books. When I install Signal, it alerts my paranoid bosses that I did it. Chaos ensues.
I was really kind of surprised that something whose whole purpose is to provide secret communications would leak this bit of metadata.
@wjcarpenter:
> What if I don't want my contacts to know I am using Signal?
That's a different issue. It's intentional that anyone can freely contact you if they have your identifier, and that they know they can contact you, instead of sending messages into the void. If you dislike the fact that Signal identifiers are tied to the telephone network without any alternative (#1085), I couldn't agree more. But this ticket intends to solve a different problem.
> Scenario: I work in some high-flying place with a lot of paranoia, say the US White House. Anyone using Signal is immediately under suspicion of being a "leaker".
"Signal is a general purpose messenger that I use to talk to my friends and family."
I completely agree with @wjcarpenter. This "feature" is a compromise that trades security/discretion for social-media-style discovery of friends. I think there's a big difference between someone contacting me on Signal and therein learning that I also use the app, versus the app freely volunteering the information to anyone who has my number in their address book. The timing matters; this feature leaves clear documentation of _when_ my communications start on Signal. This knowledge could be used to speculate about my communications in all sorts of circumstances.
I'm taking issue with:
In the above scenario by @wjcarpenter, my boss asks "I noticed that you installed Signal yesterday, what's going on there?" I say, "Signal is a general purpose messenger that I use to talk to my friends and family." The next question might be "It's obviously not habitual if you just installed it yesterday. So, why did you suddenly decide to download it?" If something serious has been going on at work, I don't want to risk even _having_ that conversation with a coworker. At that point, I'm backtracking and trying to cover, instead of starting secure to begin with!
In this scenario, let's say that my government is incredibly corrupt and this is my only shot at leaking some crucial information to change things for the better. My primary concern is secure communication with specific individuals whom I trust. I don't care if it takes time for others on my contact list to figure out that they can message me over Signal. That's not a priority for me, and it's not worth the tradeoff if one of my coworkers notices, or if someone already suspects that I'm doing this and has put my number in their address book to watch for the notification.
As far as discovery is concerned, any contact can try to message me on Signal and will see the lock icon to indicate that I'm using it as well. If not, they can choose to invite me. It seems pretty clear. If someone doesn't think to check and still tries to message me over regular SMS, I can ask them to use Signal and smoothly switch over. It's not a big deal.
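My request: Users are allowed to disable this " just joined Signal!" feature upon installation. When Alice installs Signal using her phone number 123-456-7891, she can disable the app from sending the "Alice just joined Signal!" message to anyone with the number 123-456-7891 in their address book.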
BTW, I'm happy to open a separate issue for this, since it's a different request than the original one here.
+1
Should be the user's decision.
This issue would be solved by the technique described here:
https://signal.org/blog/private-contact-discovery/
> This issue would be solved by the technique described here:
> https://signal.org/blog/private-contact-discovery/
Or "mitigated" - guarding data with SGX is a weaker property than having no data.
I don't know what part of the SGX thing you think this solves, but I don't think it solves any of it. It maybe keeps the Signal server from knowing my contacts, but it's still telling my contacts that I use Signal and vice versa. But, reading the blog about SGX did clarify for me that Signal is interested in being a social media mechanism. That's not my interest for using Signal, so I guess we are at odds. Too bad.
> It maybe keeps the Signal server from knowing my contacts
... which is the topic of this ticket (see the first three messages).
> but it's still telling my contacts that I use Signal and vice versa.
... which is a _different_ topic that people keep bringing up in this ticket, for some reason.
If you'd like to continue discussing the notification issue, someone has resurfaced it here https://github.com/signalapp/Signal-Android/issues/7409
Everyone, it would be very helpful if you could try to limit discussion to the forums. If you have an opinion, please use a reaction emoji. If you want people to read your opinion at length, please share that on the forums. We want GH issues to be limited exclusively to a place where material information is used to solve issues. Thanks!
GitHub Issue Cleanup:
See #7598 for more information.