Profile picture
, 14 tweets, 3 min read
My Authors
Read all threads
I've had a bunch of discussions with people here about Signal PINs over the past day.

I don't usually spend this much time on Twitter, so parallel to the direct discussion, these are a few of the adjacent thoughts that have come up for me:

1/14
1) I think it's increasingly important to consider how discussions around technology are perceived across the full spectrum of backgrounds (from technical to non-technical) for everyone interested in the topic of their own privacy/security -- which is basically everyone now!
Its interesting that some folks who see discussion around PINs conclude "switch to app X!" where X invisibly stores the same data in plaintext rather than e2e.

Signal's efforts are a discussion b/c we're designing not to store data in plaintext, while plaintext got no discussion
This is similar to a larger pattern I've seen where projects that make no attempt to provide privacy will never have any discussion about security/privacy bugs that are discovered (can't have vulns if there's no security to break!), and those that do will face periodic headlines.
The latter is obviously important, but it seems to me that we need to think about ways to contextualize those discussions now that everyone *outside* of "infosec" is also watching

Otherwise, I've seen people w/o tech backgrounds watch the headlines and draw the wrong conclusions
2) Building apps without analytics can be a challenge, and if we want developers to do that, we need to figure out how to make it less so.

For instance, one reaction here has been frustration that folks were suddenly forced to create a PIN...
Our goal with PINs is to enable non-phone # based addressing. Since that will mean your Signal contacts can't live in your address book anymore, they're Signal's responsibility. Every other messenger does this by storing them in plaintext, but that's not private, so we built SVR.
In addition to being the basis for non-phone # based addressing, the other big benefit for most users is that rather than Signal contacts syncing to Google and Apple from the address book, they'll remain encrypted within Signal.

But it's a big change that we have to do carefully
The whole project was a long rollout. To get everyone a PIN, we had a non-blocking "create PIN" flow that everyone saw persistently for ~4-5 months with refinement cycles along the way.

But w/o analytics, we don't have insight into how often people see and don't create, or...
...if there's copy we can A/B to make things less confusing, or how often people are looking at it, or what people's reaction is in the app.

Instead we try making incremental changes and talking to users. In this case, most of the people we talked to had gone through the flow.
When we got to the end of the rollout and it became a blocking flow, that's when we realized some people have been living with that prompt at the bottom of their screen for 5 months.

We're working on an option to disable PINs as a result, but ideally we'd have visibility sooner.
We can do that, and folks can take comfort that there are no analytics/trackers in Signal, but it can periodically make for a frustrating UX

If we want "no analytics/trackers" to be standard for all, we prob need to develop methods to get the same insights with privacy.
3) It is sometimes difficult for me to have design discussions with people who work in infosec, in part because of what feels like a gap between what one might consider "practical" and what I've found to be so.

I'm not sure how to bring the user stories Signal sees...
...into a common basis for discussion. I almost wish there were some way that we could open up Signal user support channels, so interested people in this space could have the perspective of doing that for 24hrs (without somehow degrading the quality of Signal user support)?
Missing some Tweet in this thread? You can try to force a refresh.

Keep Current with Moxie Marlinspike

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @moxie see all

Profile picture
Moxie Marlinspike
@moxie
Many trends in modern programming language design seem to focus on developers pressing fewer keys on the keyboard. To me, that's a strange priority.

For large systems where the industry spends most of its time, I think "readability" is much more important than "writability."
1/5
For example, even simple features like "type inference" feel like misplaced priorities to me.

People say "it's annoying I have to write String foo = new String()," but realistically, you're more often writing "String foo = bar.getBaz()"

If that becomes "val foo = bar.getBaz()"
...what is "foo?"

"The compiler can figure it out!" they say. But what I care about is whether someone looking at the code can figure it out.

We're writing 3 fewer characters one time, at the cost of less information for the ~years people will have to read and understand it.
Read 5 tweets
Profile picture
Moxie Marlinspike
@moxie
First look at Apple/Google contact tracing framework:

1) Once a day, your device derives a new key ("daily tracing key").

2) It uses that to derive a new "proximity ID" every time your device's bluetooth address changes (15min), which is broadcast to nearby BT sensors.

1/10
3) Your device keeps track of all "proximity IDs" it sees.

4) If someone tests positive, they choose to publish their (previously secretly) "daily tracing keys."

5) Your device frequently DLs all published daily tracing keys and KDFs to see if they match recorded proximity IDs.
So first obvious caveat is that this is "private" (or at least not worse than BTLE), *until* the moment you test positive.

At that point all of your BTLE mac addrs over the previous period become linkable. Why do they change to begin with? Because tracking is already a problem.
Read 10 tweets
Profile picture
Moxie Marlinspike
@moxie
When I think about why tech often fails to serve our interests, I think about rooms like this. So long as software requires large rooms of people staring at computers all day, every day, forever -- I think there will often be a mismatch b/t how we wish tech worked and how it does
Many hope to make technology serve us better by making it "distributed." I (controversially) don't think that would be the outcome, in part because distributed systems are usually *more* complex and difficult to reason about, potentially requiring even larger rooms than this one.
Like what if there were Uber, but "decentralized?" Maybe then all the money can go to the drivers instead? Okay, but so long as that requires huge rooms of people sitting in front of a computer 8hrs a day, every day, forever -- I don't think that version will be any different.
Read 4 tweets

Embed code for your website

×
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!