> The only thing Signal knows about a user is when they registered and their last login time.
Really? Why do I need to provide a phone number in order to register for the username test?
> The only thing Signal knows about a user is when they registered and their last login time.
Really? Why do I need to provide a phone number in order to register for the username test?
Well yes, obviously your phone number since it's how they handle accounts. Their argument is that it makes you the owner of your social graph because it uses the existing contact list on your device.
https://signal.org/bigbrother/cd-california-grand-jury/
Because your account is currently your phone number, so if they want to open the service to a limited number of power users, it makes sense to restrict it to folks who already are signal users, IMO.
As I understand it, the phone number requirement won't be going away - it's just the requirement to share it with your contacts that they're abolishing.
Seems like the right level of tradeoff to prevent abuse and enabling privacy, did you have a different expectation in terms of balance?
No, that's perfectly fine for me too, just wanted to be accurate and manage expectations :)
(In fact, I do still expect public phone numbers to be the "default", i.e. encouraged, experience, because of its viral properties. This is also fine by me, as I want Signal to be used by as many people as possible.)
You don't see any conflict between that and the claim "The only thing Signal knows about a user is when they registered and their last login time"?
Not at all, a user is a phone number.
Do you have a recommendation on how they would prevent fraud and abuse w/o using a phone number while also maintaining the same level of low friction?
What fraud and abuse? They can prevent fraud and abuse by doing anything, including by doing nothing, because those aren't concepts that apply to their product.
Spam is one kind of abuse.
So? What's the threat model? How does having phone numbers help?
You're making assertions about what Signal needs, and you're doing it without knowing their threat model.
s/user/phone number/