Signal’s president reveals the cost of running the privacy-preserving platform—not just to drum up donations, but to call out the for-profit surveillance business models it competes against.

The encrypted messaging and calling app Signal has become a one-of-a-kind phenomenon in the tech world: It has grown from the preferred encrypted messenger for the paranoid privacy elite into a legitimately mainstream service with hundreds of millions of installs worldwide. And it has done this entirely as a nonprofit effort, with no venture capital or monetization model, all while holding its own against the best-funded Silicon Valley competitors in the world, like WhatsApp, Facebook Messenger, Gmail, and iMessage.

Today, Signal is revealing something about what it takes to pull that off—and it’s not cheap. For the first time, the Signal Foundation that runs the app has published a full breakdown of Signal’s operating costs: around $40 million this year, projected to hit $50 million by 2025.

Signal’s president, Meredith Whittaker, says her decision to publish the detailed cost numbers in a blog post for the first time—going well beyond the IRS disclosures legally required of nonprofits—was more than just as a frank appeal for year-end donations. By revealing the price of operating a modern communications service, she says, she wanted to call attention to how competitors pay these same expenses: either by profiting directly from monetizing users’ data or, she argues, by locking users into networks that very often operate with that same corporate surveillance business model.

“By being honest about these costs ourselves, we believe that helps provide a view of the engine of the tech industry, the surveillance business model, that is not always apparent to people,” Whittaker tells WIRED. Running a service like Signal—or WhatsApp or Gmail or Telegram—is, she says, “surprisingly expensive. You may not know that, and there’s a good reason you don’t know that, and it’s because it’s not something that companies who pay those expenses via surveillance want you to know.”

Signal pays $14 million a year in infrastructure costs, for instance, including the price of servers, bandwidth, and storage. It uses about 20 petabytes per year of bandwidth, or 20 million gigabytes, to enable voice and video calling alone, which comes to $1.7 million a year. The biggest chunk of those infrastructure costs, fully $6 million annually, goes to telecom firms to pay for the SMS text messages Signal uses to send registration codes to verify new Signal accounts’ phone numbers. That cost has gone up, Signal says, as telecom firms charge more for those text messages in an effort to offset the shrinking use of SMS in favor of cheaper services like Signal and WhatsApp worldwide.

Another $19 million a year or so out of Signal’s budget pays for its staff. Signal now employs about 50 people, a far larger team than a few years ago. In 2016, Signal had just three full-time employees working in a single room in a coworking space in San Francisco. “People didn’t take vacations,” Whittaker says. “People didn’t get on planes because they didn’t want to be offline if there was an outage or something.” While that skeleton-crew era is over—Whittaker says it wasn’t sustainable for those few overworked staffers—she argues that a team of 50 people is still a tiny number compared to services with similar-sized user bases, which often have thousands of employees.

read more: https://www.wired.com/story/signal-operating-costs/

archive link: https://archive.ph/O5rzD

  • PlexSheep@feddit.de
    link
    fedilink
    English
    arrow-up
    29
    arrow-down
    3
    ·
    1 year ago

    Video call is expensive, and frankly, if I’m gonna sign up at a private service, I’m not going to make a damn video call.

    Email is not enough to go against spam. Email addresses are basically an Infinite Ressource.

    Other verified factors are nothing concrete. Sure we could all use security hardware keys, but what’s the chances that my mom has one?

    • uis@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      3
      ·
      1 year ago

      Other verified factors are nothing concrete. Sure we could all use security hardware keys, but what’s the chances that my mom has one?

      PKI doesn’t require hardware keys

      • PlexSheep@feddit.de
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        True, but it’s not exactly User friendly too, right? If not, tell me. I’ll be happy.

        • uis@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          1 year ago

          If you want user-friendly WebAuthn - firefox does it for you. If you want pgp/gpg, then just install pgp/gpg client of your choice.

          If you want encrypt emails, Thunderbird should have built-in encryption support.

          • PlexSheep@feddit.de
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            I’m using all of these, but with my hardware keys. Didn’t know you could do it without. I knew that it was part of the webauthn concept but no idea how it works.

    • WallEx@feddit.de
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      24
      ·
      1 year ago

      So you do think that phone numbers are the only way to verify the person? This is just stupid. There are enough, like IDs or stuff like that. If you don’t want that, that’s a totally different story.

      • LemmyIsFantastic@lemmy.world
        link
        fedilink
        English
        arrow-up
        20
        arrow-down
        6
        ·
        edit-2
        1 year ago

        Jesus Christ you Linux people never learn… It’s 👏 about 👏 ease of 👏 use.

        If they wanted it to be a pain in the ass and for nobody to use they could put on a ui on top of pgp and call it a day.

        • This is fine🔥🐶☕🔥@lemmy.world
          link
          fedilink
          English
          arrow-up
          14
          arrow-down
          1
          ·
          1 year ago

          This comment chain is sending me lol

          How the hell this guy doesn’t understand how effective phone verification is when it comes to combating spam/bots?

          • WallEx@feddit.de
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            8
            ·
            1 year ago

            I’m not arguing that, I’m arguing the point, that this is the only option. Because it isn’t. If you find that funny, be my guest.

            • PlexSheep@feddit.de
              link
              fedilink
              English
              arrow-up
              3
              ·
              edit-2
              1 year ago

              What alternative to phone numbers would you recommend? I’d probably prefer it over giving my phone number away.

              • WallEx@feddit.de
                link
                fedilink
                English
                arrow-up
                1
                arrow-down
                1
                ·
                1 year ago

                Something like a verified work mail or a cryptographic certificate protected with a password, confirming your identity, I don’t really know ^^ but phone numbers are old and are getting more and more expensive, as the article lays out

                • PlexSheep@feddit.de
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  1 year ago

                  The infrastructure for none of these exist (in my country at least). Phone numbers suck, but as signal is a application mostly used on phones, I think it is the most common denominator for the user base.

        • WallEx@feddit.de
          link
          fedilink
          English
          arrow-up
          6
          arrow-down
          2
          ·
          1 year ago

          How does that have anything to do with Linux? It’s about phone verification as the supposed only option.

          Does Microsoft need your phone to validate your existence?

          How does anyone think, that there are no alternatives?

            • WallEx@feddit.de
              link
              fedilink
              English
              arrow-up
              2
              arrow-down
              4
              ·
              1 year ago

              Okay. And how are phone numbers validated? Not by using phone numbers. It’s not the only option. They also use personalized domains, certificates, IDs and the likes.

              • LemmyIsFantastic@lemmy.world
                link
                fedilink
                English
                arrow-up
                6
                arrow-down
                3
                ·
                1 year ago

                Right, folks are definitely going to sign up when it just needs you to copy you identity information and send it in and wait 4 weeks 🤦‍♂️

                Yes, there is a whole bunch of pain in the ass shit you can try to force prime to use. They won’t, and the service will be worthless for all but 5 neckbeards laughing about how private they are. 🤦‍♂️

                • WallEx@feddit.de
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  arrow-down
                  4
                  ·
                  1 year ago

                  Probably. Just saying it’s not “the only option”. And I’m also pretty sure they could figure out another way to ID people, if they had enough funds to do so. But maybe this still wouldn’t be adopted, who knows.

        • PlexSheep@feddit.de
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          1
          ·
          1 year ago

          There was no need to generalize Linux people. This discussion has nothing to do with Linux.

      • PlexSheep@feddit.de
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        It’s a bad problem no? Combatting “spam” Accounts while balancing privacy.

        Personally, I don’t want to give them any more information than is really necessary.