Signal / Tox
tl;dr – just read the last paragraph.
I’ve got mixed feelings right now. As a teacher and open source/crypto evangelist I promote certain concepts, and that’s more or less simple. But when it comes to less technical people, concepts don’t cut it; I have to make decisions for them and offer ready solutions, and simple ones at that.
Moxie and the rest of the Whisper Systems crew understand it well, and the current Signal is a testament to that. TextSecure/Signal established itself with good code and sleek interfaces. But it also moved off the SMS/MMS framework and changed into a ‘data-only’ internet communicator, one that doesn’t communicate with other OTR-capable solutions (OTR being the base for the earlier implementation of the current Axolotl protocol), but is building its own, separate, desktop client. Both the beta of the desktop client, a Chrome app, and Signal on Android require a Google account. Signal is not on F-Droid, the open source alternative Android app store. And finally, all of it works over open-sourced but central servers.
Then comes Tox: a slightly shady piece of software that emerged from the Anon movement and was embraced by it; an unreviewed communication protocol based on OTR and P2P. There are quite a few clients, but just like the whole project they are mostly in alpha/beta stage, without much visible progress over the last two years. Most of the clients are standalone Tox apps, but there was an attempt, abandoned due to the main protocol’s progression, to create a Pidgin plugin. Anyway, it’s OTR over a distributed network, and it mostly works as a Skype replacement with audio/video streaming. I can get Antox from F-Droid (but not the Google store), and add a repo for one of the Linux Tox clients (but none are in the default Ubuntu repos). No Google required. There’s a problem with iPhones though, since iOS 8 is required. It does require a data plan on a mobile, obviously.
The bottom line is: if I run into my 1GB data cap I can’t do any crypto from my mobile, and on odd occasions that can mean most of the month. I suspect a lot of activists might have that problem. My attempt at signalling (;P) that issue to Whisper Systems got a reasonable yet not very useful (for a bad coder) reply encouraging me to fork the SMS code base to keep it up, since they won’t.
So I end up having to choose between two solutions, both internet dependent. Both have similar features (text + voice); Tox does video in addition, but that’s not that important. One is murky and constantly evolving while the other one is reviewed and established. One has a broad set of apps for different platforms, the other an open-sourced but surprisingly enclosed ecosystem. Signal currently still requires a phone number, even though it operates independently of the GSM model. But the most important thing when struggling against mass censorship is this: one has a distributed (sustainable) structure, and the other a centralised and Google-dependent one. That means there’s a central possible point of failure. There is a set list of (8) addresses to be blocked.
At the moment I end up promoting Signal because it’s more popular and easier to install than Tox (for end users!), while knowing it’s not as sustainable and is tied to the very evil corporate I want people to get away from. There’s no publicly available long-term plan for Signal that I know of, and so promoting it as is is not a good long-term strategy. In the end it’s alpha/beta level but distributed open source versus a safer product of a single company dependent on corporates. And so the question is: what to do?