this post was submitted on 03 Dec 2023
248 points (100.0% liked)


We estimate that by 2025, Signal will require approximately $50 million dollars a year to operate—and this is very lean compared to other popular messaging apps that don’t respect your privacy.

[–] [email protected] 15 points 11 months ago (5 children)

Is it just me or is $19 million per year for 50 full-time employees insane?

Even for US salary standards.

[–] [email protected] 31 points 11 months ago (1 children)

Not necessarily.

Signal has people who are experts in their field. They engineer solutions that don't exist anywhere else in the market to ensure they have as little information on you as possible while keeping you secure [0]. This in turn means high compensation + benefits. You don't want to be paying your key developers peanuts as that makes them liable to taking bribes from adversaries to "oops" a security vulnerability in the service. In addition, the higher compensation is a great way to mitigate losing talent to private organizations who can afford it.

[0] Signal has engineered the following technologies that all work to ensure your privacy and security:

[–] [email protected] 1 points 11 months ago (1 children)

At least the private contact discovery is not very private:

The client calculates the truncated SHA256 hash of each phone number in the device’s address book.
The client transmits those truncated hashes to the service.

Phone numbers are so not-sparse that there even was a game to text your "number neighbor". I can probably build a pretty effective rainbow table for this with my current hardware.

[–] [email protected] 1 points 11 months ago

You're right, but security and privacy is about layers, not always 100% effective mitigations, especially not when the mitigation is a function (contact discovery) that requires a private list (your contacts) be compared against another one. For anyone where this is an actual security risk, they don't have to share their contacts. They will not know which of their friends/family are on Signal, but they can still use the service.

This feature does protect users in that any legal court order for Signal to present who is friends with who (as almost every other messaging provider has actual access to your list of contacts) is not possible. They've been subpoenaed multiple times[0] and all they can show is when an account was created and the last day (not time) a client pinged their servers.

Lastly, I'm not sure if this is even a feature or not but it wouldn't be too difficult to introduce rate-limiting to mitigate this issue even more. As an example, it's very unlikely that most people have thousands (or even tens of thousands) of people in their contacts. Assuming we go just a step beyond the 99th percentile, you can effectively block anyone as soon as they start trying to crawl the entire phone number address space, preventing the issue you're describing.

[0] https://signal.org/bigbrother/
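
The rate-limiting idea from the comment above, sketched as an added example (not part of the thread and not Signal's code). The budget, window and 10-byte truncation are assumed values, `DiscoveryLimiter` is a hypothetical name, and the phone numbers are constructed.

```python
import hashlib
from collections import defaultdict

# Assumed policy values, chosen for illustration only.
MAX_DISTINCT_PER_WINDOW = 5000   # a step beyond a very large address book
WINDOW_SECONDS = 24 * 3600

def truncated_hash(number: str, nbytes: int = 10) -> bytes:
    """Truncated SHA-256 of a phone number (truncation length is an assumption)."""
    return hashlib.sha256(number.encode()).digest()[:nbytes]

class DiscoveryLimiter:
    """Caps how many *distinct* identifiers one account may look up per window.

    Re-syncing the same address book costs nothing extra, so normal clients
    are unaffected, while a client walking the number space runs out of budget.
    """
    def __init__(self, budget=MAX_DISTINCT_PER_WINDOW, window=WINDOW_SECONDS):
        self.budget, self.window = budget, window
        self._seen = defaultdict(dict)   # account -> {hash: first_seen_time}

    def allow(self, account: str, hashes, now: float) -> bool:
        seen = self._seen[account]
        # Forget identifiers first queried more than one window ago.
        for h in [h for h, ts in seen.items() if now - ts >= self.window]:
            del seen[h]
        new = {h for h in hashes if h not in seen}
        if len(seen) + len(new) > self.budget:
            return False                 # reject the whole request, record nothing
        for h in new:
            seen[h] = now
        return True

def demo():
    lim = DiscoveryLimiter(budget=1000, window=3600)
    # Constructed address book: 300 numbers, re-synced every minute for 50 minutes.
    book = [truncated_hash(f"+1555010{n:04d}") for n in range(300)]
    legit_ok = all(lim.allow("alice", book, now=t * 60) for t in range(50))
    # Constructed crawler: 20 requests, each with 200 never-seen numbers.
    served = 0
    for i in range(20):
        batch = [truncated_hash(f"+1555{n:07d}") for n in range(i * 200, (i + 1) * 200)]
        if lim.allow("crawler", batch, now=i):
            served += len(batch)
    return legit_ok, served

if __name__ == "__main__":
    print(demo())
```

The limiter bounds what one account can learn per window; it does not address many accounts each spending their own budget.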

[–] [email protected] 11 points 11 months ago

My guess: People who can be as competent with security as they need are very expensive.

[–] [email protected] 9 points 11 months ago (2 children)

For the current distribution I quote from the linked source:

Current Infrastructure Costs (as of November 2023): Approximately $14 million dollars per year.

  • Storage: $1.3 million dollars per year.
  • Servers: $2.9 million dollars per year.
  • Registration Fees: $6 million dollars per year.
  • Total Bandwidth: $2.8 million dollars per year.
  • Additional Services: $700,000 dollars per year.

[–] [email protected] 5 points 11 months ago (1 children)

Yes, but I was talking about the salary part, which is separate from the costs you mentioned.

It's 19 million just for people.

[–] [email protected] 1 points 11 months ago

Yeah, no worries, I was just trying to get all the budgets together. I agree it seems quite a high budget.

[–] [email protected] 4 points 11 months ago* (last edited 11 months ago)

Also from the source:

To sustain our ongoing development efforts, about half of Signal’s overall operating budget goes towards recruiting, compensating, and retaining the people who build and care for Signal. When benefits, HR services, taxes, recruiting, and salaries are included, this translates to around $19 million dollars per year.

[–] [email protected] 8 points 11 months ago* (last edited 11 months ago) (1 children)

Not at all. That's $380K per person if everyone is making the same. Engineers with a few years of experience at Meta make $400K+.

[–] [email protected] 4 points 11 months ago (1 children)

Don't forget the employer taxes, insurance, recruitment costs and so on. It wouldn't surprise me if the employees are earning on average half that.

[–] [email protected] 1 points 11 months ago
[–] [email protected] 6 points 11 months ago

Rule of thumb is an employee costs roughly twice their base salary, as the employee still needs to cover insurance, taxes, sick time, and other benefits.

That leaves an average salary of 190K for the 50 employees. That isn't much for tech.