You cited this so I think this is what you mean:
"Signal is designed to never collect or store any sensitive information."
I interpret this, I think reasonably, to not include encrypted information. For that matter they collect (but probably don't store) encrypted messages. The question is, does PIN+SGX qualify as sufficiently encrypted? This line is a lie only if it does not.
Sorry I skimmed those articles, I don't want to read them in depth. But it sounds like they are again ultimately saying "PIN+SGX is not secure enough".
"I interpret this, I think reasonably, to not include encrypted information"
Why? Encrypted information is still sensitive information.
> I interpret this, I think reasonably, to not include encrypted information
I disagree, since attacks and leaks can happen/have happened which could compromise that data. Signal was already found to be vulnerable to CacheOut. Even ignoring that, guessing or brute forcing a PIN is all anyone would need to get a list of everyone a Signal user has been in contact with. Just having that data (and worse, keeping it forever) is a risk that absolutely should be disclosed.
> I don't want to read them in depth. But it sounds like they are again ultimately saying "PIN+SGX is not secure enough".
That was my conclusion back when all this started. The glaring lie and omissions in their privacy policy were just salt in the wound, but charitably, it might be a dead canary intended to help warn people away from the service. Similarly, dropping the popular feature of allowing unsecured SMS/MMS and introducing a crypto wallet nobody asked for might have also been done to discourage the app's use.