Signal’s president reveals the cost of running the privacy-preserving platform—not just to drum up donations, but to call out the for-profit surveillance business models it competes against.

The encrypted messaging and calling app Signal has become a one-of-a-kind phenomenon in the tech world: It has grown from the preferred encrypted messenger for the paranoid privacy elite into a legitimately mainstream service with hundreds of millions of installs worldwide. And it has done this entirely as a nonprofit effort, with no venture capital or monetization model, all while holding its own against the best-funded Silicon Valley competitors in the world, like WhatsApp, Facebook Messenger, Gmail, and iMessage.

Today, Signal is revealing something about what it takes to pull that off—and it’s not cheap. For the first time, the Signal Foundation that runs the app has published a full breakdown of Signal’s operating costs: around $40 million this year, projected to hit $50 million by 2025.

Signal’s president, Meredith Whittaker, says her decision to publish the detailed cost numbers in a blog post for the first time—going well beyond the IRS disclosures legally required of nonprofits—was more than just as a frank appeal for year-end donations. By revealing the price of operating a modern communications service, she says, she wanted to call attention to how competitors pay these same expenses: either by profiting directly from monetizing users’ data or, she argues, by locking users into networks that very often operate with that same corporate surveillance business model.

“By being honest about these costs ourselves, we believe that helps provide a view of the engine of the tech industry, the surveillance business model, that is not always apparent to people,” Whittaker tells WIRED. Running a service like Signal—or WhatsApp or Gmail or Telegram—is, she says, “surprisingly expensive. You may not know that, and there’s a good reason you don’t know that, and it’s because it’s not something that companies who pay those expenses via surveillance want you to know.”

Signal pays $14 million a year in infrastructure costs, for instance, including the price of servers, bandwidth, and storage. It uses about 20 petabytes per year of bandwidth, or 20 million gigabytes, to enable voice and video calling alone, which comes to $1.7 million a year. The biggest chunk of those infrastructure costs, fully $6 million annually, goes to telecom firms to pay for the SMS text messages Signal uses to send registration codes to verify new Signal accounts’ phone numbers. That cost has gone up, Signal says, as telecom firms charge more for those text messages in an effort to offset the shrinking use of SMS in favor of cheaper services like Signal and WhatsApp worldwide.

Another $19 million a year or so out of Signal’s budget pays for its staff. Signal now employs about 50 people, a far larger team than a few years ago. In 2016, Signal had just three full-time employees working in a single room in a coworking space in San Francisco. “People didn’t take vacations,” Whittaker says. “People didn’t get on planes because they didn’t want to be offline if there was an outage or something.” While that skeleton-crew era is over—Whittaker says it wasn’t sustainable for those few overworked staffers—she argues that a team of 50 people is still a tiny number compared to services with similar-sized user bases, which often have thousands of employees.

read more: https://www.wired.com/story/signal-operating-costs/

archive link: https://archive.ph/O5rzD

  • Chobbes@lemmy.world
    link
    fedilink
    English
    arrow-up
    174
    ·
    1 year ago

    There’s something kind of funny about one of the largest expenses being SMS and voice calls to verify phone numbers when one of the largest complaints about signal is the phone number requirement. I wonder how much this cost factors into them considering dropping the phone number requirement.

      • preasket@lemy.lol
        link
        fedilink
        English
        arrow-up
        14
        arrow-down
        8
        ·
        1 year ago

        Make phone numbers optional and add a setting to allow/forbid accounts with no phone number to message you. I bet phone numbers have zero effect on the level of spam.

      • WallEx@feddit.de
        link
        fedilink
        English
        arrow-up
        16
        arrow-down
        36
        ·
        1 year ago

        Because there are no other possible verifications apart from phone numbers? Do you open a bank account with your phone number, because it’s the only way?

        • TJA!@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          75
          arrow-down
          3
          ·
          1 year ago

          What would you think would be an appropriate alternative to easily verify chat accounts that’s cheaper than validating phone numbers?

            • interceder270@lemmy.world
              link
              fedilink
              English
              arrow-up
              7
              arrow-down
              2
              ·
              edit-2
              1 year ago

              That’s actually a pretty good idea.

              I’m guessing you generate a unique address to share with someone, and then they add you. Spam is literally solved and it becomes more private.

              Might want to think twice before donating to this company that’s eating up $40m/year with 50 employees.

              • Moneo@lemmy.world
                link
                fedilink
                English
                arrow-up
                5
                arrow-down
                2
                ·
                1 year ago

                I’m going to go out on a limb and say that the company that is dominating the privacy-messaging space, considered and discarded this idea for reasons they consider valid.

            • jimbo@lemmy.world
              link
              fedilink
              English
              arrow-up
              5
              arrow-down
              4
              ·
              edit-2
              1 year ago

              Let’s not push a definition of “security” that Signal does not claim. The messages are “secure” in that nobody other than you and the other people in on the conversation can decrypt them.

              Also, no need to be dramatic. A phone number is not “boat loads of data”.

              • interceder270@lemmy.world
                link
                fedilink
                English
                arrow-up
                4
                arrow-down
                2
                ·
                1 year ago

                A phone number is not “boat loads of data”.

                I mean, your phone number can be used to find out everything about you.

                • jimbo@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  arrow-down
                  3
                  ·
                  edit-2
                  1 year ago

                  Ok, but that’s changing the goalposts. A phone number itself is not “boatloads of data”. Signal is not storing anything about you other than that phone number and whatever name you entered. They’re not storing messages or anything else. The fact that someone could correlate your phone number with other data (whether accurate or not) has nothing to do with Signal.

                • jimbo@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  arrow-down
                  1
                  ·
                  1 year ago

                  that grossly violates numerous core tenets of pricey and data freedom

                  I don’t know what pricey is and they don’t keep your data.

          • devfuuu@lemmy.world
            link
            fedilink
            English
            arrow-up
            4
            arrow-down
            26
            ·
            1 year ago

            I’d be ok with a credit card verification or so something like that, even if still uncomfortable for me, but I hear it reduces a lot of spam.

            But then that would make people confused and make them run away when the app seems to be free and now is asking for a credit card validation… it’s too strange.

            Anyway I never got a single spam message on signal from all the years I use it, so not sure how others view the problem or even if it is a problem.

          • WallEx@feddit.de
            link
            fedilink
            English
            arrow-up
            8
            arrow-down
            39
            ·
            1 year ago

            Video call, email, other verificated factors.

            So do you think this is the only option available?

            • Dark Arc@social.packetloss.gg
              link
              fedilink
              English
              arrow-up
              59
              ·
              edit-2
              1 year ago

              You think a verification via a video call is cheaper than SMS…?

              That’s not to mention the potential concerns that would arise around the possibility of signal storing (some portion of) the video…

              • WallEx@feddit.de
                link
                fedilink
                English
                arrow-up
                3
                arrow-down
                26
                ·
                1 year ago

                Nope, just saying phone numbers are far from the only option. And if telcos are price gauging you should look at the alternatives.

                • Gutless2615@ttrpg.network
                  link
                  fedilink
                  English
                  arrow-up
                  34
                  ·
                  1 year ago

                  No you’ve complained and insinuated there are plenty of other solutions that the world class team at Signal, literally the preminent experts in their field, chose not to use - and then offered to some truly next level terrible options.

                  • WallEx@feddit.de
                    link
                    fedilink
                    English
                    arrow-up
                    2
                    arrow-down
                    14
                    ·
                    1 year ago

                    Complained? I’ve merely stated a fact. And you think I’m offended? I’m trying to have a discussion you are not interested in it seems.

                    How are the other options terrible? Please elaborate. That way you might actually contribute and not just call names.

                • Dark Arc@social.packetloss.gg
                  link
                  fedilink
                  English
                  arrow-up
                  9
                  ·
                  1 year ago

                  Nope, just saying phone numbers are far from the only option.

                  What would you think would be an appropriate alternative to easily verify chat accounts that’s cheaper than validating phone numbers?

                  It’s the cheaper portion that’s the issue. There are “other options”, but they’re not cheaper and/or they have their own issues.

                  I didn’t touch the email case because email addresses can be so rapidly created (even out of thin air via a catch all style inbox) there’s nothing to it.

                  • WallEx@feddit.de
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    arrow-down
                    1
                    ·
                    1 year ago

                    But if telcos are inflating the prices that might change. But otherwise I think you’re right.

            • PlexSheep@feddit.de
              link
              fedilink
              English
              arrow-up
              29
              arrow-down
              3
              ·
              1 year ago

              Video call is expensive, and frankly, if I’m gonna sign up at a private service, I’m not going to make a damn video call.

              Email is not enough to go against spam. Email addresses are basically an Infinite Ressource.

              Other verified factors are nothing concrete. Sure we could all use security hardware keys, but what’s the chances that my mom has one?

              • uis@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                arrow-down
                3
                ·
                1 year ago

                Other verified factors are nothing concrete. Sure we could all use security hardware keys, but what’s the chances that my mom has one?

                PKI doesn’t require hardware keys

                • PlexSheep@feddit.de
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  1 year ago

                  True, but it’s not exactly User friendly too, right? If not, tell me. I’ll be happy.

                  • uis@lemmy.world
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    ·
                    edit-2
                    1 year ago

                    If you want user-friendly WebAuthn - firefox does it for you. If you want pgp/gpg, then just install pgp/gpg client of your choice.

                    If you want encrypt emails, Thunderbird should have built-in encryption support.

              • WallEx@feddit.de
                link
                fedilink
                English
                arrow-up
                3
                arrow-down
                24
                ·
                1 year ago

                So you do think that phone numbers are the only way to verify the person? This is just stupid. There are enough, like IDs or stuff like that. If you don’t want that, that’s a totally different story.

                • LemmyIsFantastic@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  20
                  arrow-down
                  6
                  ·
                  edit-2
                  1 year ago

                  Jesus Christ you Linux people never learn… It’s 👏 about 👏 ease of 👏 use.

                  If they wanted it to be a pain in the ass and for nobody to use they could put on a ui on top of pgp and call it a day.

                  • This is fine🔥🐶☕🔥@lemmy.world
                    link
                    fedilink
                    English
                    arrow-up
                    14
                    arrow-down
                    1
                    ·
                    1 year ago

                    This comment chain is sending me lol

                    How the hell this guy doesn’t understand how effective phone verification is when it comes to combating spam/bots?

                  • WallEx@feddit.de
                    link
                    fedilink
                    English
                    arrow-up
                    6
                    arrow-down
                    2
                    ·
                    1 year ago

                    How does that have anything to do with Linux? It’s about phone verification as the supposed only option.

                    Does Microsoft need your phone to validate your existence?

                    How does anyone think, that there are no alternatives?

                  • PlexSheep@feddit.de
                    link
                    fedilink
                    English
                    arrow-up
                    3
                    arrow-down
                    1
                    ·
                    1 year ago

                    There was no need to generalize Linux people. This discussion has nothing to do with Linux.

                • PlexSheep@feddit.de
                  link
                  fedilink
                  English
                  arrow-up
                  3
                  ·
                  1 year ago

                  It’s a bad problem no? Combatting “spam” Accounts while balancing privacy.

                  Personally, I don’t want to give them any more information than is really necessary.

          • iopq@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            39
            ·
            1 year ago

            Use a 3d face scan, but only send the hash over the net. Can double for account recovery (when user has no email or something)

            • PlexSheep@feddit.de
              link
              fedilink
              English
              arrow-up
              34
              arrow-down
              2
              ·
              1 year ago

              That’s a joke right?

              If not: It does not matter what hash I send, because it’s cryptographically impossible to tell what the hashed thing is. That is the whole point of a hash.

              Also: sending a hash over the network instead of a password or whatever the source material is would be a bad practice from security perspective, if not a directly exploitable vulnerability. It would mean that anyone that knows the hash can pretend to be you, because the hash would be used to authenticate and not whatever the source material is. The hash would become the real password and the source material nothing more than a mnemonic for the user. Adding to that: the server storing the hash would store a plaintext password.

              See: https://security.stackexchange.com/questions/8596/https-security-should-password-be-hashed-server-side-or-client-side

              • uis@lemmy.world
                link
                fedilink
                English
                arrow-up
                2
                arrow-down
                2
                ·
                1 year ago

                It would mean that anyone that knows the hash can pretend to be you, because the hash would be used to authenticate and not whatever the source material is.

                Guess what happens to passwords themselves? Same thing, but user can’t just add nonce. Replay attacks are super easy to mitigate and hashing makes it easier.

                Not saying that biometry authentication isn’t shit for security itself.

                • PlexSheep@feddit.de
                  link
                  fedilink
                  English
                  arrow-up
                  4
                  ·
                  1 year ago

                  Honestly, I’m not sure what you are talking about. Could you elaborate more?

                  Are you implying that sending some hash is better than sending the secret and let the server deal with it?

                  • uis@lemmy.world
                    link
                    fedilink
                    English
                    arrow-up
                    2
                    ·
                    1 year ago

                    It took a long time to reply to you, sorry.

                    When used for login, it prevents MITM attacker(assuming you are not using app sent to you by attacker) from stealing your password(because hash functions are extremely hard to reverse), while when used both for registration and login, your password doesn’t even leave your computer. There are even password managers that don’t store any passwords, but just generate them by hashing your secret with server name.

              • iopq@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                arrow-down
                1
                ·
                1 year ago

                The point is to protect your face data, the hash IS the password, but you don’t want people to be able to tell how you look like by sending the raw images of your face over the net

                • PlexSheep@feddit.de
                  link
                  fedilink
                  English
                  arrow-up
                  5
                  ·
                  1 year ago

                  That would do nothing to validate that the user is real, they can just insert any hash and claim it’s their face’s hash. At that point we can just use regular passwords, but as I said that won’t solve the spam Accounts issue.

                  • iopq@lemmy.world
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    ·
                    1 year ago

                    You can make sure that the user used the signed binary to generate the token. Each token has a nonce and a validity period. This binary requires the use of the camera API, but also requires liveness analysis by making you move while authenticating. You can change the way the user is forced to move to make sure it’s not the same video feed connected to the camera

            • scorpionix@feddit.de
              link
              fedilink
              English
              arrow-up
              14
              ·
              1 year ago

              Where would one get a 3d face scan from? For my part, I don’t have a scanning rig set up anywhere.

              • iopq@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                arrow-down
                4
                ·
                1 year ago

                You turn your face in different angles, creating a 3d scan of your face using your phone camera

        • topinambour_rex@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 year ago

          I open a bank account with a copy of my id, a copy of a bill to my adress, and some money. My phone number can be used along the process, like for a digital signature.

    • Poutinetown@lemmy.ca
      link
      fedilink
      English
      arrow-up
      25
      ·
      1 year ago

      Phone numbers will still be required to sign up, you only won’t need it to add a contact.

    • sndrtj@feddit.nl
      link
      fedilink
      English
      arrow-up
      31
      arrow-down
      8
      ·
      1 year ago

      Interestingly this phone number complaint only shows up among techies and especially Americans. You guys don’t get to keep your phone number? I’ve had the same number now for 20 years here in Europe, it may as well be synonymous with my identity.

      In fact, I’d say the phone number requirement, or at least option, actually promotes adoption in parts of the world. I wouldn’t have been able to get my mother to use Signal if it didn’t work with a phone number, for instance. She’s not gonna make an account just for a chat app. Phone number she already has.

      • devfuuu@lemmy.world
        link
        fedilink
        English
        arrow-up
        41
        arrow-down
        2
        ·
        1 year ago

        Exactly because I have the same phone number for almost 30 years, that is the problem. It’s too deep interlaced with my real and personal identity and I regard it as a very private thing that only few people should have.

        I don’t get the idea that a phone number should just be randomly given as if it was natural.

        It’s good to have it as an option for example so my mother can use it simply and quickly, but when I go to a conference and want to connect to new people which are still strangers and will and don’t give my phone number. So in those situations I have to randomly use other chat system or share emails? When signal already is in my pocket and my main chat application 99% of the time and is perfect for 1 to 1 friendly chats?

      • shortwavesurfer@monero.town
        link
        fedilink
        English
        arrow-up
        29
        arrow-down
        2
        ·
        1 year ago

        It’s actually a privacy issue because your phone number is tied to your physical identity so deeply that giving it out is giving too much away.

      • neonred@lemmy.world
        link
        fedilink
        English
        arrow-up
        26
        arrow-down
        2
        ·
        1 year ago

        because people might feel uncomfortable sending unnecessary personal information to another party, especially if it does not change often, like the telephone number?

        • Kusimulkku@lemm.ee
          link
          fedilink
          English
          arrow-up
          4
          arrow-down
          2
          ·
          1 year ago

          I’m mostly contacting people I already know so using phone number (something I already have a collection of) is very handy to me