    544 points josh2600 | 14 comments
    1. airza No.26714603
    The technology is cool, but I don't really know if I want KYC regulatory risk in my encrypted messaging client. I just want italics.
    replies(4): >>26714642 #>>26715653 #>>26717558 #>>26718373 #
    2. josh2600 No.26714642
    I don't think Signal has any plans to scan your driver's license. What they've built is a non-custodial wallet (i.e., they can't help you if you lose your keys, and they have no ability to authorize or deny a payment on your behalf).
    replies(2): >>26714702 #>>26718679 #
    3. airza No.26714702
    In my opinion a lot of the spicy regulatory issues around coins with private transactions are still not fully realized because none of them have mainstream adoption. The problem here is that Signal's goal to succeed as a mainstream encrypted messaging client could have the unpleasant side effect of bringing this technology under regulatory scrutiny. Hopefully things won't come to that, of course...
    replies(1): >>26719456 #
    4. lrvick No.26715653
    Then why use Signal at all? You had to have KYC to get a phone number in most countries, which you had to give to Signal, which could expose your location etc. via tower pings to anyone you communicate with unless you port it to a VoIP number (how many know how to do that?).

    You also had to provide a phone number to get a Google or Apple account to install Signal because anonymous signed install methods are not supported, which moxie says is intentional to collect analytics.

    Signal may have end-to-end encryption, but being anonymous is a clear non-goal.

    replies(1): >>26720339 #
    5. troquerre No.26717558
    You don't need to KYC as it's just a mobile wallet — same with all the other crypto wallets out there. I'd be surprised if Signal integrated features in the future that require KYC.
    replies(1): >>26720168 #
    6. frosted-flakes No.26718373
    KYC = Know Your Customer/Client.
    7. qqii No.26718679
    > To try to tame that volatility problem, Marlinspike and Goldbard say they imagine adding a feature in the future that will automatically exchange users' payments in dollars or another more stable currency for MobileCoin only when they make a payment, and then exchange it back on the recipient's side—though it's not yet clear if those trades could be made without leaving a trail that might identify the user.

    This would have to involve KYC or harsh limits.

    8. senectus1 No.26719456{3}
    This is probably why they don't sell (MobileCoin) to anyone in or from the US...
    replies(1): >>26729250 #
    9. 3np No.26720168
    You already need KYC in the form of a phone number that can receive SMS. In many countries, that is not possible without government ID and being a resident.

    In my country it’s actually easier to legally open a verified trading account on a local cryptocurrency exchange than it is to get a voice/SMS SIM if you’re not a registered local resident.

    10. fuzxi No.26720339
    > You also had to provide a phone number to get a Google or Apple account to install Signal because anonymous signed install methods are not supported, which moxie says is intentional to collect analytics.

    Signal distributes a standalone APK for Android, which does function without Google Play services.

    https://signal.org/android/apk/

    replies(2): >>26721174 #>>26721630 #
    11. SwimSwimHungry No.26721174{3}
    Yes it functions, like on my de-Googled Pixel 3a running GrapheneOS. But it's not particularly reliable in my experience, especially if you don't have the gapps services.
    12. lrvick No.26721630{3}
    Functions != secure.

    You must turn on Untrusted Sources which disables meaningful signature verification.

    Now you must hope you don't get MITMed every time you update.

    It is a joke they seriously expect people to sideload.

    They need to provide a deterministic and easily auditable F-Droid repo or let the F-Droid team compile/sign it for them.

    Neither will happen though because moxie has been very open about the fact he wants the analytics that come with Google/Apple tracked installs, user privacy be damned.

    replies(1): >>26722843 #
    13. KAMSPioneer No.26722843{4}
    Not entirely true. On recent versions of Android, you are asked to give "install untrusted apps" permission on a per-source basis (e.g. I downloaded an apk from Chrome, now I have to allow Chrome to be a source of installable apks).

    Also, it doesn't disable signature verification at all -- it just changes to what is essentially a TOFU model. You can verify this by installing, say, NewPipe from vanilla F-Droid, then adding the NewPipe repo and installing a build from there. It will fail unless you completely remove the original app (from all the profiles on the device!) and install the new one afterwards. This is due to different signatures between repos.

    In any case, I agree with your wider point about Signal's rather concerning distribution strategy. I would like to see inclusion in F-Droid, or at least a custom third-party repository. Unlikely though.
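
Added example (not part of the thread and not Android's own code): a toy Python model of the trust-on-first-use rule described in comment 13. It shows that a differently signed update is refused, while a first install is only as trustworthy as the download unless the certificate fingerprint is compared with one obtained out of band. The class, package name and certificate bytes are constructed for illustration, and signing-key rotation is ignored.

```python
import hashlib

# Constructed stand-ins for two different signing certificates.
VENDOR_CERT = b"constructed vendor signing certificate"
OTHER_CERT = b"constructed certificate of a different signer"


def fingerprint(cert: bytes) -> str:
    return hashlib.sha256(cert).hexdigest()


class Installer:
    """Toy model: pin the signer at first install, require it on every update."""

    def __init__(self):
        self.pinned = {}  # package name -> fingerprint of pinned signer

    def install(self, package, cert, expected_fp=None):
        fp = fingerprint(cert)
        if package in self.pinned:
            # Update path: signer must equal the one pinned at first install.
            return "updated" if fp == self.pinned[package] else "rejected: signer mismatch"
        # First install: no pin yet, so only an out-of-band fingerprint can object.
        if expected_fp is not None and fp != expected_fp:
            return "rejected: fingerprint mismatch"
        self.pinned[package] = fp
        return "installed"

    def uninstall(self, package):
        self.pinned.pop(package, None)


def demo():
    pkg = "org.example.messenger"  # hypothetical package name
    dev = Installer()
    out = [dev.install(pkg, VENDOR_CERT),   # first install pins the vendor signer
           dev.install(pkg, OTHER_CERT),    # differently signed update is refused
           dev.install(pkg, VENDOR_CERT)]   # genuine update passes
    dev.uninstall(pkg)                      # removing the app drops the pin
    out.append(dev.install(pkg, OTHER_CERT))  # so another signer is now accepted
    fresh = Installer()
    # Substituted first download: caught only if the fingerprint was checked.
    out.append(fresh.install(pkg, OTHER_CERT, expected_fp=fingerprint(VENDOR_CERT)))
    out.append(fresh.install(pkg, OTHER_CERT))
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```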

    14. AJ007 No.26729250{4}
    And they need to exhaustively verify who is really buying these to be sure they really aren’t in the US so they don’t end up in a BitMEX-style situation.

    The larger problem here for Signal is that US legal claims could nuke it off the (very) centralized Apple App Store and Google Play Store. Then what?