TasmanianRex:

{{ToneWarning}}

Signal is an open source encrypted messaging service that is frequently recommended to highly vulnerable users such as human rights activists, whistleblowers, and journalists whose lives and/or freedom can depend on their ability to maintain private and secure communication.

Since 2020 Signal has been collecting and keeping sensitive user data in the cloud while lying to their users about their data collection practices.{{DisputedInline|Tone is inappropriate|reason=tone}} Users and potential users of Signal have a right to know what data is being collected and how it is being stored and secured so that they make informed choices about the risks they are taking when using Signal.

==Background==
Over the years Signal has curated a reputation that they do not collect or keep data on their users.

Signal has publicly disclosed that they have received legal requests for subscriber's names, telephone numbers, histories, and contacts and Signal has said that they were unable to supply that information because it was never collected by Signal in the first place. These incidents have been reported in the media.<ref>{{Cite web |title=FBI demands Signal user data, but there’s not much to hand over |url=https://arstechnica.com/tech-policy/2016/10/fbi-demands-signal-user-data-but-theres-not-much-to-hand-over/ |archive-url=https://web.archive.org/web/20240401002649/https://arstechnica.com/tech-policy/2016/10/fbi-demands-signal-user-data-but-theres-not-much-to-hand-over/ |archive-date=1 Apr 2024 |access-date=6 Mar 2025}}</ref>

Signal's website states:<ref name=":0">{{Cite web |title=Grand jury subpoena for Signal user data, Eastern District of Virginia |url=https://signal.org/bigbrother/eastern-virginia-grand-jury/ |archive-url=https://web.archive.org/web/20250302042109/https://signal.org/bigbrother/eastern-virginia-grand-jury/ |archive-date=2 Mar 2025 |access-date=6 Mar 2025}}</ref>

''"We’ve designed the Signal service to minimize the data we retain about Signal users, so the only information we can produce in response to a request like this is the date and time a user registered with Signal and the last date of a user’s connectivity to the Signal service.''

''Notably, things we don’t have stored include anything about a user’s contacts (such as the contacts themselves, a hash of the contacts, any other derivative contact information), anything about a user’s groups (such as how many groups a user is in, which groups a user is in, the membership lists of a user’s groups), or any records of who a user has been communicating with."''

==Data collection begins==
{{DisputedInline|reason=see further notices in this section, section title is misleading|Misleading section title}}

Signal's data collection practices changed in 2019 when Signal previewed a feature they called "secure value recovery".<ref>{{Cite web |title=Technology Preview for secure value recovery |url=https://signal.org/blog/secure-value-recovery/ |archive-url=https://web.archive.org/web/20241228040757/https://signal.org/blog/secure-value-recovery/ |archive-date=28 Dec 2024 |access-date=6 Mar 2025}}</ref>

This new feature meant that Signal would start collecting the same kinds of information that Signal had been getting legal requests to turn over, and that Signal would permanently keep that data in the cloud.{{DisputedInline|reason=feature does not store user data in the cloud like other messaging apps|Misrepresents the new feature as storing user's data to cloud servers}} Their stated reason for doing this was so that if a Signal user got a new device they could install the app, enter a pin, and the app would pull down the user's data from cloud servers.

The data being collecting and stored in could includes: The user's name, photo, phone number, and a list of every Signal user they have contacted.<ref>{{Cite web |title=What contact info does the Signal PIN functionality actually save |url=https://community.signalusers.org/t/what-contact-info-does-the-signal-pin-functionality-actually-save/16854/4 |access-date=6 Mar 2025}}</ref>{{DisputedInline|reason=contact discovery on Signal is private and does not share the phone number as explained later in the cited sources|Cited source is heavily cherry picked}}

This was a highly controversial change, and some Signal users objected on philosophical grounds,<ref>{{Cite web |title=Don’t want PIN, don’t want anything stored in cloud |url=https://community.signalusers.org/t/dont-want-pin-dont-want-anything-stored-in-cloud/14057 |archive-url=https://web.archive.org/web/20240301015109/https://community.signalusers.org/t/dont-want-pin-dont-want-anything-stored-in-cloud/14057 |archive-date=1 Mar 2024 |access-date=6 Mar 2025}}</ref> requesting that Signal instead provide a means to export encrypted backups that could be imported locally eliminating any need to upload data to the cloud. Signal users also raised technical concerns about the security of the system and doubts that it would protect their data.<ref>{{Cite web |title=Proper secure value security: PINs are too easy to brute force, SGX is not reliable enough |url=https://community.signalusers.org/t/proper-secure-value-security-pins-are-too-easy-to-brute-force-sgx-is-not-reliable-enough/15096 |archive-url=https://web.archive.org/web/20240301015110/https://community.signalusers.org/t/proper-secure-value-security-pins-are-too-easy-to-brute-force-sgx-is-not-reliable-enough/15096 |archive-date=1 Mar 2024 |access-date=6 Mar 2025}}</ref> Some of these concerns were also shared by cybersecurity-experts<ref>{{Cite web |title=Signal’s New PIN Feature Worries Cybersecurity Experts |url=https://www.vice.com/en/article/signal-new-pin-feature-worries-cybersecurity-experts/ |archive-url=https://web.archive.org/web/20250117232443/https://www.vice.com/en/article/signal-new-pin-feature-worries-cybersecurity-experts/ |archive-date=17 Jan 2025 |access-date=6 Mar 2025}}</ref><ref>{{Cite web |title=Signal Going to Cloud? A Discussion with Sean O'Brien |url=https://www.youtube.com/watch?v=PFi-VI7_T3o}}</ref><ref>{{Cite web |title=Does Signal’s “secure value recovery” really work? |url=https://palant.info/2020/06/16/does-signals-secure-value-recovery-really-work/}}</ref> and security researchers demonstrated that the system was vulnerable to attacks which allowed them to access the user data being stored.<ref>{{Cite web |title=SGX CacheOut SGAxe attack. Signal’s cloud storage and contact discovery vulnerable |url=https://community.signalusers.org/t/sgx-cacheout-sgaxe-attack-signals-cloud-storage-and-contact-discovery-vulnerable/14892 |archive-url=https://web.archive.org/web/20230519115856/https://community.signalusers.org/t/sgx-cacheout-sgaxe-attack-signals-cloud-storage-and-contact-discovery-vulnerable/14892 |archive-date=19 May 2023 |access-date=6 Mar 2025}}</ref>{{DisputedInline|reason="In recent weeks, Signal has introduced more features that make it more user friendly to people who may not have extremely paranoid threat models. For example, it’s now possible to migrate all Signal data, including message history, from one phone to another, using a feature that does not rely on cloud servers and is also encrypted, according to Signal. "|Cited vice article explains more nuance}}

===Signal's response===

Signal was not convinced to abandon this data collection and they began to roll out the change in 2020 without clear communication about the new feature.{{DisputedInline|reason=tone|Tone is inappropriate}}{{DisputedInline|Misrepresents PIN feature as it is optional and not properly explained|reason=include the response to the hysteria and a proper explanation of the feature}} It resulted in a lot of confusion for users, many of whom only learned about this feature when they were prompted to create a PIN. There were many social media posts expressing confusion over what the feature was and what it was doing.<ref>{{Cite web |title=What contact info does the Signal PIN functionality actually save? |url=https://community.signalusers.org/t/what-contact-info-does-the-signal-pin-functionality-actually-save/16854}}</ref><ref>{{Cite web |title=Following user backlash, Signal lowers one of its drastic PIN measures |url=https://www.androidpolice.com/2020/05/29/many-signal-users-arent-happy-with-new-pin-requirements/}}</ref> <ref>{{Cite web |title=What exactly is Signal protecting with the mandatory PIN? |url=https://old.reddit.com/r/signal/comments/hymlfd/what_exactly_is_signal_protecting_with_the/}}</ref> Even years after the change was made some Signal users were/are still unsure about what data Signal collects or were/are convinced that Signal doesn't collect any data at all.<ref>{{Cite web |title=What info does Signal store about it's user? |url=https://old.reddit.com/r/signal/comments/q5tlg1/what_info_does_signal_store_about_its_user/ |archive-url=https://web.archive.org/web/20211011111619/https://old.reddit.com/r/signal/comments/q5tlg1/what_info_does_signal_store_about_its_user/ |archive-date=11 Oct 2021 |access-date=6 Mar 2025}}</ref><ref>{{Cite web |title=About data collection and data delivery |url=https://old.reddit.com/r/signal/comments/1id3xu8/about_data_collection_and_data_delivery/ |archive-url=https://web.archive.org/web/20250201072439/https://old.reddit.com/r/signal/comments/1id3xu8/about_data_collection_and_data_delivery/?ref=readnext |archive-date=1 Feb 2025 |access-date=6 Mar 2025}}</ref>

This confusion is understandable,{{DisputedInline|reason=tone|Tone is inappropriate}} since Signal's own website continues to state that they do not collect the information they are collecting. The first line of their "Terms & Privacy Policy" page reads: "Signal is designed to never collect or store any sensitive information."<ref>{{Cite web |title=Signal Terms & Privacy Policy |url=https://signal.org/legal/ |archive-url=https://web.archive.org/web/20250302122622/https://signal.org/legal/ |archive-date=2 Mar 2025 |access-date=6 Mar 2025}}</ref>

This lie{{DisputedInline|reason=tone|Tone is inappropriate}} is also repeated on their support page under the heading: How do I know my communication is private<ref>{{Cite web |title=How do I know my communication is private? |url=https://support.signal.org/hc/en-us/articles/360007318911-How-do-I-know-my-communication-is-private |archive-url=https://web.archive.org/web/20250214030028/https://support.signal.org/hc/en-us/articles/360007318911-How-do-I-know-my-communication-is-private |archive-date=14 Feb 2025 |access-date=6 Mar 2025}}</ref>

There is no indication on Signal's older pages, which claim they don't collect this information, that the data collection policy discussed on those pages is now outdated either. Examples include:

''"Signal is designed to never collect or store any sensitive information. " - https://support.signal.org/hc/en-us/articles/360007059412-Signal-and-the-General-Data-Protection-Regulation-GDPR''

''"The Signal service does not have any knowledge of your contacts. Data is all owned by your phone." - https://support.signal.org/hc/en-us/articles/360007061452-Does-Signal-send-my-number-to-my-contacts''

''"In addition to the end-to-end encryption that protects every Signal message, the Signal service is designed to minimize the data that is retained about Signal users. By design, it does not store a record of your contacts, social graph, conversation list, location, user avatar, user profile name, group memberships, group titles, or group avatars." - https://signal.org/blog/sealed-sender/''

''"Notably, things we don’t have stored include anything about a user’s contacts (such as the contacts themselves, a hash of the contacts, any other derivative contact information), anything about a user’s groups (such as how many groups a user is in, which groups a user is in, the membership lists of a user’s groups), or any records of who a user has been communicating with." - https://signal.org/bigbrother/eastern-virginia-grand-jury/''

''"Because we’ve built Signal to completely avoid storing any sensitive information...." - https://signal.org/blog/looking-back-as-the-world-moves-forward/''

''Requests have been mad''e for Signal to update their policy following the change in data collection.<ref>{{Cite web |title=Can Signal please update its Privacy Policy |url=https://community.signalusers.org/t/can-signal-please-update-its-privacy-policy/15323 |archive-url=https://web.archive.org/web/20230519120053/https://community.signalusers.org/t/can-signal-please-update-its-privacy-policy/15323 |archive-date=19 May 2023 |access-date=6 Mar 2025}}</ref><ref>{{Cite web |title=Signal’s Terms of Use and Privacy Policy are not very user friendly |url=https://community.signalusers.org/t/signals-terms-of-use-and-privacy-policy-are-not-very-user-friendly/11047 |archive-url=https://web.archive.org/web/20250306164621/https://community.signalusers.org/t/signals-terms-of-use-and-privacy-policy-are-not-very-user-friendly/11047 |archive-date=6 Mar 2025 |access-date=6 Mar 2025}}</ref>

'''Workarounds'''

While some social media posts and articles suggested that opting out of setting a pin would prevent a user's data from being uploaded to the cloud, this is not the case. <ref>{{Cite web |title=A few thoughts about Signal’s Secure Value Recovery |url=https://web.archive.org/web/20200712205333/https://blog.cryptographyengineering.com/2020/07/10/a-few-thoughts-about-signals-secure-value-recovery/}}</ref>There is currently no way for a Signal user to prevent their data from being uploaded and stored in the cloud.<ref>{{Cite web |title=PSA: Disabling PINs will now upload nothing to the server |url=https://old.reddit.com/r/signal/comments/htmzrr/psa_disabling_pins_will_now_upload_nothing_to_the/ |archive-url=https://web.archive.org/web/20230616082821/https://old.reddit.com/r/signal/comments/htmzrr/psa_disabling_pins_will_now_upload_nothing_to_the/ |archive-date=16 Jun 2023 |access-date=6 Mar 2025}}</ref>

==References==
{{reflist}}
[[Category:Signal messenger]]

Wemo

2025-03-06T22:12:00Z

TasmanianRex:

{{Incomplete}}
{{InfoboxCompany
| Name = {{PAGENAME}}
| Type = Subsidiary
| Founded = 2012
| Industry = Smart home
| Official Website = [https://web.archive.org/web/20230410053217/wemo.com wemo.com] (https://www.belkin.com/products/wemo-smart-home/)
| Logo = Wemo.png
}}
[[Wikipedia:WEMO|Wemo]] is a subsidiary of Belkin founded in 2012. They are known for smart home devices such as plugs and light switches that use the HomeKit and Thread protocols.

==Consumer impact summary==
[[File:WEMO account closure.PNG|thumb|right|alt=|Screenshot of account closure screen.]]
Through the app, users can delete their account by pressing the "close account" button, which will warn that Wemos cannot be controlled through the app once account data is deleted. The devices can also work by only using the Apple Home app, which does not require a Wemo account to set up.

Since late 2023, the [https://www.belkin.com/legal/privacy-policy/ privacy policy] of Belkin and Wemo have merged, sharing the same terms with each other. The data collected on users includes account information such as email and password, device information, first and third-party cookies, age, location, and IP address.<ref>https://web.archive.org/web/20230107062703/https://www.wemo.com/privacy-policy/#typesofinformation</ref> Belkin shares this info with marketing partners unless the user opts-out.<ref>https://www.belkin.com/legal/privacy-policy/#marketing-anchor</ref> Users are allowed to make requests to access, withdraw consent, object, and delete most of the information Belkin has collected on them.<ref>https://www.belkin.com/legal/privacy-policy/#your-rights-in-relation</ref> Belkin states they may need to hold onto information to "Defending Belkin against legal claims" or "Needing to respond to customer complaints and queries".<ref>https://www.belkin.com/legal/privacy-policy/#retention-of</ref>

The business model of Wemo is to sell smart home devices without the user paying for a subscription service. Although this may seem like a pro-consumer move, the Wemo experience has been diminished due to the lack of income streams. According to the App Store, the app once had a 3-year window without updates, which lasted between February 23, 2021 and May 28, 2024 (the current version as of February 24, 2025).<ref name="AAS">https://apps.apple.com/us/app/wemo/id511376996</ref>

Market control of Wemo has been decreasing over the years, as Wemo is only selling three devices,<ref>https://web.archive.org/web/20240225173134/https://www.belkin.com/products/wemo-smart-home/</ref> down from nine the year prior.<ref>https://web.archive.org/web/20230201232551/https://www.belkin.com/products/wemo-smart-home/</ref>

==Incidents==
===Security vulnerabilites===
On November 5, 2013, Wemo updated its API to prevent future XML injection attacks.<ref>https://www.belkin.com/support-article/?articleNum=80322</ref>

On May 16, 2023, multiple websites reported a Sternum study regarding a buffer overflow vulnerability in the Wemo Mini Smart Plug V2.<ref>https://sternumiot.com/iot-blog/mini-smart-plug-v2-vulnerability-buffer-overflow/</ref> The study mentions the device could be exploited through a program called pyWemo<ref>https://thehackernews.com/2023/05/serious-unpatched-vulnerability.html</ref> and potentially through cloud controls.<ref>https://www.theverge.com/2023/5/16/23725290/wemo-smart-plug-v2-smart-home-security-vulnerability</ref> In their official response, Wemo stated "we believe that bad actors cannot exploit this vulnerability unless they have access to the user’s local network",<ref>https://x.com/WEMOcares/status/1658963426230562819</ref> and "We discontinued the Wemo Mini Smart Plug v2 (F7C063) in 2020"<ref>https://x.com/WEMOcares/status/1658963635882938374</ref> despite not making this information publicly available prior. During this report, the Wemo app hadn't been updated in 2 years, with the most recent update being on February 23, 2021, as previously mentioned.<ref name="AAS" />

===Connection issues===
Since 2018, there have been reports of Wemo devices losing connection to networks frequently.<ref>https://www.reddit.com/r/WeMo/comments/8sv90i/the_most_common_problems_and_issues_with_wemo/</ref> This has been the case for dimmers,<ref>https://www.reddit.com/r/WeMo/comments/zwb7wr/comment/j1xqs3h/</ref> plugs,<ref>https://www.reddit.com/r/WeMo/comments/17ur9b2/comment/k97i0dp/</ref> and switches.<ref>https://www.reddit.com/r/WeMo/comments/18iidjr/comment/m6utdkq/</ref> Device rules created through the Wemo app have also been described as unreliable.<ref>https://www.reddit.com/r/WeMo/comments/18iidjr/comment/kdr6n38/</ref> In some cases, the Wemo cloud becomes offline, with users being led to 404 pages.<ref>https://www.reddit.com/r/WeMo/comments/zkd9xc/belkin_wemo_is_the_worst_the_app_is_full_of_bugs/</ref>

Some users have mediated these issues by self-hosting a local server for Wemo devices, such as AutomationManager and Home Assistant.<ref>https://www.reddit.com/r/WeMo/comments/18iidjr/comment/kf6plao/</ref>

===DNS activity===
Some users of Wemo have noticed their switches connect to multiple unrelated domains, such as to CNN and Fastly.<ref>https://www.reddit.com/r/WeMo/comments/1auslst/fun_fact_wemo_switches_act_as_a_dns_server/</ref> Other reports mention each Wemo device making 160,000+ DNS requests in a 24 hour timeframe.<ref>https://www.reddit.com/r/WeMo/comments/1auslst/comment/ktxkqx8/</ref><ref>https://www.reddit.com/r/WeMo/comments/1auslst/comment/krb0i1o/</ref>

==Products==
*Dimmers
**Wemo Smart Dimmer<ref>https://web.archive.org/web/20221130043724/https://www.belkin.com/smart-dimmer/P-WDS070.html</ref>
**Wemo WiFi Smart Dimmer<ref>https://web.archive.org/web/20221129001529/https://www.belkin.com/wifi-smart-dimmer/P-WDS060.html</ref>

*Doorbells
**Wemo Smart Video Doorbell<ref>https://www.belkin.com/p/smart-video-doorbell/WDC010.html</ref>

*Light switches
**Wemo Smart Light Switch with Thread<ref>https://www.belkin.com/p/smart-light-switch-with-thread/WLS0503.html</ref>
**Wemo WiFi Smart Light Switch<ref>https://web.archive.org/web/20221130045654/https://www.belkin.com/wifi-smart-light-switch/WLS040-CA.html</ref>
**Wemo Smart Light Switch 3-Way<ref>https://web.archive.org/web/20221129145512/https://www.belkin.com/smart-light-switch-3-way/P-WLS0403.html</ref>

*Plugs
**Wemo Smart Plug with Thread<ref>https://web.archive.org/web/20230910113415/https://www.belkin.com/smart-plug-with-thread/WSP100.html</ref> (release date): Short summary of the product's incidents.
**Wemo WiFi Smart Outdoor Plug<ref>https://web.archive.org/web/20221201141200/https://www.belkin.com/wifi-smart-outdoor-plug/WSP090.html</ref>

*Scene controller
**Wemo Scene Controller with Thread<ref>https://www.belkin.com/p/scene-controller-with-thread/WSC010.html</ref>

==References==
{{reflist}}
[[Category:Wemo]]

Apple TV+

2025-03-06T22:10:42Z

TasmanianRex:

{{InfoboxProductLine
| Title = {{PAGENAME}}
| Release Year =2019
| Product Type =Streaming Service
| In Production =Yes
| Official Website =https://tv.apple.com
| Logo =Apple_Tv_Plus_Logo.svg
}}

'''{{PAGENAME}}''' is a media streaming service launched by Apple Inc. on November 1st, 2019.<ref name":0"="">“Apple TV+ launches November 1, featuring originals from the world’s greatest storytellers,” ''Apple Newsroom'', 2019. https://web.archive.org/web/20250108192627/https://www.apple.com/newsroom/2019/09/apple-tv-launches-november-1-featuring-originals-from-the-worlds-greatest-storytellers/<nowiki/>(accessed Feb. 06, 2025).</ref> Apple TV+ can be streamed on iOS and iPadOS (version 17.2 or later), supported Android devices, supported smart TVs, and web browsers which support Digital Rights Management (DRM) levels one, two, and, three.<ref name=":0">“Find movies with 4K, HDR, Dolby Vision, or Dolby Atmos in the Apple TV app - Apple Support,” ''Apple Support'', Jun. 28, 2024. https://web.archive.org/web/20250206231807/https://support.apple.com/en-us/119599 (accessed Feb. 06, 2025).</ref>

==Consumer impact summary==
Content downloaded from Apple TV+ is packaged with DRM, making it exclusive to the Apple TV app on Apple devices, as well as devices running Microsoft Windows 10 or later. After, or in some cases, before 30 days, content downloaded will "expire," and you will be unable to view the content. Content publishers have the ability to restrict the amount of titles a user can have simultaneously downloaded, as well as restrict the number of devices that you can download content on.<ref>“Download and stream shows, movies, and events from Apple TV+, MLS Season Pass, and Apple TV channels - Apple Support (CA),” ''Apple Support'', Mar. 21, 2024. https://web.archive.org/web/20250207003958/https://support.apple.com/en-ca/118239 (accessed Feb. 06, 2025).</ref><ref>“Legal - Apple Media Services - Apple,” ''Apple Legal'', 2024. https://web.archive.org/web/20250130091449/https://www.apple.com/ca/legal/internet-services/itunes/ca/terms.html<nowiki/>(accessed Feb. 06, 2025).</ref>

Most shows produced by and for Apple TV+ are made exclusive to Apple TV+, and have no means of archival. Some Apple TV+ series such as Ted Lasso, and Severance have been made available to own on Blu-ray.<ref>B. Mayo, “Ted Lasso series releasing on Blu-ray disc in July [update: now available to order] - 9to5Mac,” ''9to5Mac'', May 07, 2024. https://web.archive.org/web/20250207013934/https://9to5mac.com/2024/05/07/ted-lasso-series-blu-ray-edition-july/ (accessed Feb. 06, 2025).</ref><ref name=":1">H. Charlton, “Apple TV+'s ‘Severance’ to Get Rare Blu-Ray Release Ahead of Season 2,” ''MacRumors'', Oct. 08, 2024. https://web.archive.org/web/20250123130958/https://www.macrumors.com/2024/10/08/severance-to-get-blu-ray/<nowiki/>(accessed Feb. 06, 2025).
</ref> The first season of Severance, which was made available on Blu-Ray in October of 2024, only released in 1080p. Reserving the higher quality 4K version to Apple TV+.<ref name=":1" />

On devices, operating systems, and browsers with no support for DRM, playback is unavailable.

Despite advertising 4K high dynamic range (HDR) streaming, playback is only supported on Apple and Windows devices. Streaming from other devices will result in a degradation of quality.<ref name=":2">Apple, “Apple TV+,” ''Apple''. https://web.archive.org/web/20250130131131/https://www.apple.com/apple-tv-plus/ (accessed Feb. 06, 2025).</ref><ref name=":0" /> On devices that exclusively support level 3 DRM, playback quality is limited to 720p. Android devices that support level 2 DRM are capable of playing back 1080p content in the web browser. The cross-platform Apple TV+ web app does not have a method of changing resolutions, nor does it indicate the current playback quality. On the landing page for Apple TV+, a footnote describing the quality degradation reads:<blockquote>"Not all content is available in 4K or 4K HDR. 4K resolution requires a 4K‑capable device. Accessing Dolby Atmos features requires a Dolby Atmos‑capable system. Playback quality will depend on hardware and internet connection."<ref name=":2" /></blockquote>The landing page does not specify what a "4K-capable device" is. Instead, the criteria for a "4K-capable" device is listed in a support article titled: "Find movies with 4K, HDR, Dolby Vision, or Dolby Atmos in the Apple TV app,"<ref name=":0" /> which is not linked to on the Apple TV+ landing page.

==References==
{{reflist}}

[[Category:{{PAGENAME}}]]