* sub-par user experience: WhatsApp is just nicer and smoother, and people tend to like that
* very few people understand that Signal DOES NOT get your full contact list, while Facebook (through WhatsApp) does
Especially the second point is very relevant with the current situation — you do not necessarily want to expose your entire social graph to Facebook. But so few people understand this, and even fewer grasp that Signal can still work without doing the same thing.
The full contact list is uploaded to Signal servers by the phones. The only protection layer that users have is the questionable security of Intel's SGX.
It's still much better than what WhatsApp is doing, just not a black and white situation.
To add a point to your list: Signal does not have automatic cloud backup of messages, unlike WhatsApp. On WhatsApp, 30% of users have cloud backups enabled [1], meaning that you can basically assume that any reasonably sized group's messages can be accessed by people who have subpoena-power over Google (chance that there is no backup-enabled account in a group of n people is (1-0.3)^n... for 6 people it's already 12%).
That was exactly my point: few people know about this.
Yes, it's hashes of phone numbers instead of the phone numbers themselves, but that's a detail. Phone numbers are easy to brute-force especially for people the protesters are worried about, as well as easy to build rainbow tables for.
I say theoretically because these schemes all have a core problem when they're not federated - you have no idea what your client is really doing and it's the client performing remote attestation with the enclave. You have no control over it. It could update tomorrow and switch every last bit of encryption off. Or it could do RA but not pin the enclave hash to anything audited (i.e. it accepts any enclave signed by Signal).
It's not a theoretical problem. Facebook say that WhatsApp is end to end encrypted, in the same way as Signal. That didn't stop them blocking people from forwarding links related to coronavirus. The literal and entire point of E2E cryptography is to stop them monitoring and interfering with people's communications, Facebook have been assuring governments for years they're powerless to do that, but of course the moment Facebook wanted to fight "misinformation" it all went out the window.
Fundamentally Signal and WhatsApp can never provide meaningful encryption or privacy. They don't allow alternative clients, so regardless of how much code they throw into the mix they control the entire pipe end to end and can just as easily switch it off again. And the moment their employees feel they have a sufficiently good motivation, it'll happen again.
If they were all individually salted, there would be no way to compare against new joiners.
Why does it "really hurt" Signal that are sub-group of the population is ignorant of its features? I doubt that's going to stop people from downloading a privacy app, most people don't care about privacy anyway, and if they do, they will DL signal.
Having a slightly worse UX because that's just security considerations is one thing.
Having a slightly worse UX because reason that isn't related to security is another.
I've tried getting my wife onto signal, and while she's happy to try it out because I ask her to, she struggles to stay on it due to by day to day UX. I'm happy to deal with the issues, the general is not. And because they're not, I'm stuck with WhatsApp too.
If signal wants to have a shot at taking over WhatsApp and help with addressing the core issue at hand, specifically encryption between users, they need to address the UX. Sure if you can't address certain things because it weakens security fine, but if you're not addressing them because they think users won't mind because they're here for something else (i.e. security), it's gonna be a much harder sell, and it'll just stay a niche market.
Ive used both for a while and WhatsApp is aweful, at least on iOS by all standards I can find. Signal feels like iMessage with reactions, voice recordings, and handy tools. WhatsApp feels dated, clunky, and for groups it gets very very messy fast with out reactions.
Source?
Pick any version of the story. Or read their blog post:
https://blog.whatsapp.com/Keeping-WhatsApp-Personal-and-Priv...
How do they know a message is forwarded? The encryption is meant to make identical plaintexts encrypt to different ciphertexts, so obviously they must be leaking the forwarding status in unencrypted parts of the message. And why is an encrypted service trying to combat misinformation to start with - isn't that a contradiction in terms? These things raise difficult questions. You'd hope that once a service decides to go fully encrypted, its staff would believe that what kind of information going over it or how accurate that is, isn't any longer their concern.
Today, Signal is claiming their encryption means the only data they have to give to government is date of install and last use. In the past they also claimed WhatsApp uses the same cryptography as them, at least for messages. These two claims cannot both be true. If there's some incredibly subtle detail that means deliberately exposing forwarding metadata in WhatsApp but not Signal they should really clarify that because it's not something I've ever seen a discussion of, and it doesn't follow from the cryptography they're using.