68.3% of people in China use third-party keyboards – many of them use Signal (opens in new tab)

(community.signalusers.org)

93 pointsresynth19435y ago73 comments

73 comments

"many of them use Signal" - where is this conclusion come from? They have WeChat. I've never seen any of my Chinese friends using Signal.

TazeTSchnitzel5y ago

That's kinda irrelevant to whether Signal should try to help Chinese users?

rejschaap5y ago

Totally irrelevant, but it's there, in the headline and it's not true.

They probably tried to say that most of signal users use third party keyboards.

tracyhenry5y ago

Idk. I commented because the title is wrong and misleading.

Aperocky5y ago

This. Absolutely none of my family and friends in China use Signal. There are a few that uses slack though.

jackjeff5y ago

When Donald Trump threatened to block WeChat in the US expats and Chinese people alike started to download Signal.

https://www.nbcnews.com/tech/security/trump-bans-wechat-some...

tracyhenry5y ago

That's about Chinese people in the US. The headline explicitly says "people in China".

Note that even for Chinese people in the US (myself included), Signal was in my experience a pretty minor choice when Trump was trying to ban WeChat. Whatsapp, Line, etc were among the favorite alternatives.

solarkraft5y ago

I'll file this under "security tips". Signal should probably give its users tips for communicating securely - but that's at least one degree separate from "warn users about insecure IMEs".

Additionally, if you're already using a chinese phone, why does it matter whether your IME is compromised? Doesn't the CCP already have its nose in all of the manufacturers' OSes already? Maybe Signal should warn about that as well.

I'm all for helping people communicate securely, something Signal should be very interested in, but the hyper focus on IMEs is confusing.

jstanley5y ago

> Doesn't the CCP already have its nose in all of the manufacturers' OSes already?

What specifically are you saying here? Are you suggesting that every Chinese person's phone is sending off their keyboard inputs to the Chinese government even if they don't use a compromised IME? Because if not, then yes it matters whether or not your IME is compromised. Otherwise your position is just "the phone might be compromised in ways I don't know, so I won't even bother fixing the ways I do know".

solarkraft5y ago

> Are you suggesting that every Chinese person's phone is sending off their keyboard inputs to the Chinese government even if they don't use a compromised IME?

Yes.

You have a point about the rest, though, especially when it comes to more secure systems.

beervirus5y ago

I would assume that any phone purchased in China is compromised by the CCP.

1 more reply

wodenokoto5y ago

Some years ago, the Japanese government send out warnings and restriction on usage of Baidu's IME. It was one of the early ones to sync to the cloud for better predictions.

https://www.techrepublic.com/blog/asian-technology/japanese-...

darkwizard425y ago

I'm not sure the headline reflects the discussion issue...It is anecdotal on how many Chinese users are using Signal, but the concern is that so many use third-party keyboards it could be compromising the secure nature of Signal (and the discussion is advocating for users to be made aware of the risks of using third party keyboards with Signal)

resynth1943OP5y ago

I chose to highlight the Chinese aspect, but you're absolutely right: any keyboard with personalisation puts Signal users at risk.

yorwba5y ago

The guidelines exhort us to:

> ... please use the original title, unless it is misleading or linkbait; don't editorialize.

https://news.ycombinator.com/newsguidelines.html

If you can still edit the title, you should change it to the original "Signal should warn users who are likely using insecure IME apps"

1 more reply

chickenpotpie5y ago

I remember a few days ago there was a post on hackernews to stop being mean to the people that worked at signal. The Twitter user linked in that article is railing into signal devs and she calls them assholes that don’t care about what happens outside of western society.

https://twitter.com/RealSexyCyborg/status/119769537620088012...

cutitout5y ago

> calls them assholes that don’t care about what happens outside of western society

That's hardly her main point:

> For Chinese who are used to a specific IME- like Sogou, trying to type on something else is a tiny bit like a QWERTY user suddenly faced with Dvorak- we can make it work, but it's slow enough day to day that 50/50 they just install Sogou because what's the big deal right?

> The Signal "fix" is "Incognito Mode" aka for the app to say "Pretty please don't read everything I type" to the virtual keyboard and count on Google/random app makers to listen to the flag, and not be under court order to do otherwise.

> Needless to say, Sogou/Baidu dos not respect the IME_FLAG_NO_PERSONALIZED_LEARNING flag. So basically all hardware here is self-compromised 5 minutes out of the box.

> so unless journalists tell them otherwise, which they have not been doing- users will install Sogou.

This is important.

durkie5y ago

I understand Naomi's point here, but I'm unclear how it relates to Signal. Isn't this an issue with 3rd party keyboards in any app?

1 more reply

matsemann5y ago

But if a person has something important to say, calling people that don't know about the issue assholes is not a great way to go about it. I know there is a western, and especially US/English, bias in tech. But it's not like everyone tries to annoy others, it's more an issue of ignorance.

Btw I agree that when Signal says your messages are secure, it should probably do something to warn about ways things still may leak.

3 more replies

zionic5y ago

tweet thread is claiming app store apps are downloaded unencrypted and that they can be modified in flight. Any proof of this?

danbolt5y ago

The thread there is really interesting. Apparently the "OEM" IMEs aren't the ideal standard for Chinese input, so people tend to use a proprietary one like Sogou's. [1]

[1] https://en.wikipedia.org/wiki/Sogou

solarkraft5y ago

The OEM IMEs are also proprietary, which makes me question everyone's points.

solarkraft5y ago

Naomi analyzes the technical side very well, but somehow face plants on the conclusion.

Insecure IMEs exist everywhere and affect every app. Not just Signal, not just in China.

This is the operating system's job to tackle, not Signal's. And oh wonder: Android displays a scary reminder when you install an IME (of course they could and should disallow network access for IMEs as well).

Signal should show a reminder to help people be secure, but framing this as some kind of obligation towards the people of China is weird.

TaylorAlexander5y ago

I think Naomi wants at least a clear recognition of the issue from signal. All of us on HN can say “well yeah that’s obvious” but signal keeps telling everyone their app is “secure” without caveats that your keyboard could be leaking everything you type, making the system not secure. Saying “well that’s not my department” isn’t acceptable when people are being put at real risk here.

EDIT: The specific request in TFA is to detect users using a third party IME and give them a security warning. Seems pretty reasonable.

philsnow5y ago

> This is the operating system's job to tackle, not Signal's. And oh wonder: Android displays a scary reminder when you install an IME (of course they could and should disallow network access for IMEs as well).

(ios makes the third-party keyboard ask the user for "full access" in order to hit the internet.)

higerordermap5y ago

It doesn't matter. You can compromise most of the phones (at least non rooted) if you or your people make the OS and thus also the OS level libraries that handle Text input from the IME, or even touchscreen information would be enough in most cases (unless everyone uses the randomized keyboard layout, and guard against "known plaintext" type attacks)

ProAm5y ago

I thought Signal came out with their own keyboard and I was excited.

xster5y ago

Even if they did, creating a Chinese IME is a really difficult problem space. Since typing is generally done phonetically in mainland/HK/taiwan and the real words being typed are ideographic, there's a lot of inference to translate in between.

Considering how quickly the language moves to keep up with internet culture and new newsworthy names, new parlances, new memes, an IME has to do the equivalent of staying up to date with the equivalent of urbandictionary for users to be able to invoke the latest "lit" colloquialism. This is a full-time job on its own.

nucleardog5y ago

Yep this. Even on computers, most Chinese people I know won’t use the OS’s IME and instead use third party programs.

There are entire companies that exist to solve just this problem that is basically orthogonal to Signal’s purpose and mission. While it would be great for there to be a top tier Chinese IME from someone we trust, it’s by no means an easy task like most people are probably envisioning.

higerordermap5y ago

Serious question and not trolling: Is Chinese/Mandarin very hard to romanize? In India we have indic IMEs but romanization works pretty well and it's rare to see people using Indic IME. Especially far-south languages have fewer consonants and there are very few ambiguities on how to pronounce. Is it not possible for Chinese?

1 more reply

novok5y ago

The side effects of chinese not adopting a phonographic writing system when it could, or having both like japanese does so you don’t need to use such an informal ambiguous layer when actually writing.

5 more replies

NikolaeVarius5y ago

How does Signal work in the context of the Great Firewall?

Can china shut down Signal by banning traffic that seems like Signal communication??

u678u5y ago

Agreed this was my surprise about the headline. I assumed it'd be blocked.

upofadown5y ago

It isn't really suitable for political dissent. I think they would be more unhappy with things like Telegram that can have huge group chats.

kombucha1115y ago

It works as is usually on Chinese ISPs though I noticed occasional interruptions. Using a VPN got rid of those disruptions.

powerapple5y ago

People use Twitter, YouTube, Facebook, Telegram with VPN in China. Twitter are mostly for porn, telegram for shady business and porn. I would assume you will probably need to use VPN for Signal.

wffurr5y ago

I wouldn't expect the first party keyboard on a Chinese-manufactured phone to be any safer than a third party IME.

powerapple5y ago

I would say I would be surprised if many>1% of the people. I have yet to know a single Chinese ever mentioned Signal.

mam25y ago

Im confused .. people are debating wether it's good to track what keyboard people use but instead of tracking which keyboard peoeple use, would it be not simpler for signal to basically build their own integrated keyboard and deactivate the android default one ?

toomuchtodo5y ago

This is likely the result of this discussion. To fix an issue (decide to commit dev resources to develop an integrated keyboard, communicate to users the data leakage risk of using a keyboard not integrated into the app), you must first raise said issue and perform discovery.

resynth1943OP5y ago

I think the word 'track' is misleading in this context. The proposal outlines various methods to detect the use of a third-party keyboard, whereas the term 'track' commonly denotes corporate surveillance.

They could do that, but it would have a maintenance cost. I do think we need to find a solution to this, however, as these personalised keyboards actually _track_ what people type. That could have real-world implications.

mam25y ago

The word is not from me, read the messages of the issue

bloody-crow5y ago

Why a keyboard application code even needs access to the internet? Could the OS just not allow it in the first place? I honestly don't fully understand why it's a Signal's problem in any way.

bigpumpkin5y ago

Obviously due to the fact that Chinese input could be better optimized by third parties.

einpoklum5y ago

But are Microsoft or Google's keyboard apps actually secure? That is, is it certain that they don't log keys or phone home somehow?

0xquad5y ago

Net net: what IME is best for a mainland Chinese user of Signal?

j / k navigate · click thread line to collapse

73 comments

tracyhenry5y ago

"many of them use Signal" - where is this conclusion come from? They have WeChat. I've never seen any of my Chinese friends using Signal.

TazeTSchnitzel5y ago

That's kinda irrelevant to whether Signal should try to help Chinese users?

rejschaap5y ago

Totally irrelevant, but it's there, in the headline and it's not true.

They probably tried to say that most of signal users use third party keyboards.

tracyhenry5y ago

Idk. I commented because the title is wrong and misleading.

Aperocky5y ago

This. Absolutely none of my family and friends in China use Signal. There are a few that uses slack though.

jackjeff5y ago

When Donald Trump threatened to block WeChat in the US expats and Chinese people alike started to download Signal.

https://www.nbcnews.com/tech/security/trump-bans-wechat-some...

tracyhenry5y ago

That's about Chinese people in the US. The headline explicitly says "people in China".

solarkraft5y ago

I'll file this under "security tips". Signal should probably give its users tips for communicating securely - but that's at least one degree separate from "warn users about insecure IMEs".

I'm all for helping people communicate securely, something Signal should be very interested in, but the hyper focus on IMEs is confusing.

jstanley5y ago

> Doesn't the CCP already have its nose in all of the manufacturers' OSes already?

solarkraft5y ago

> Are you suggesting that every Chinese person's phone is sending off their keyboard inputs to the Chinese government even if they don't use a compromised IME?

Yes.

You have a point about the rest, though, especially when it comes to more secure systems.

beervirus5y ago

I would assume that any phone purchased in China is compromised by the CCP.

1 more reply

wodenokoto5y ago

Some years ago, the Japanese government send out warnings and restriction on usage of Baidu's IME. It was one of the early ones to sync to the cloud for better predictions.

https://www.techrepublic.com/blog/asian-technology/japanese-...

darkwizard425y ago

resynth1943OP5y ago

I chose to highlight the Chinese aspect, but you're absolutely right: any keyboard with personalisation puts Signal users at risk.

yorwba5y ago

The guidelines exhort us to:

> ... please use the original title, unless it is misleading or linkbait; don't editorialize.

https://news.ycombinator.com/newsguidelines.html

If you can still edit the title, you should change it to the original "Signal should warn users who are likely using insecure IME apps"

1 more reply

chickenpotpie5y ago

https://twitter.com/RealSexyCyborg/status/119769537620088012...

cutitout5y ago

> calls them assholes that don’t care about what happens outside of western society

That's hardly her main point:

> Needless to say, Sogou/Baidu dos not respect the IME_FLAG_NO_PERSONALIZED_LEARNING flag. So basically all hardware here is self-compromised 5 minutes out of the box.

> so unless journalists tell them otherwise, which they have not been doing- users will install Sogou.

This is important.

durkie5y ago

I understand Naomi's point here, but I'm unclear how it relates to Signal. Isn't this an issue with 3rd party keyboards in any app?

1 more reply

matsemann5y ago

Btw I agree that when Signal says your messages are secure, it should probably do something to warn about ways things still may leak.

3 more replies

zionic5y ago

tweet thread is claiming app store apps are downloaded unencrypted and that they can be modified in flight. Any proof of this?

danbolt5y ago

The thread there is really interesting. Apparently the "OEM" IMEs aren't the ideal standard for Chinese input, so people tend to use a proprietary one like Sogou's. [1]

[1] https://en.wikipedia.org/wiki/Sogou

solarkraft5y ago

The OEM IMEs are also proprietary, which makes me question everyone's points.

solarkraft5y ago

Naomi analyzes the technical side very well, but somehow face plants on the conclusion.

Insecure IMEs exist everywhere and affect every app. Not just Signal, not just in China.

Signal should show a reminder to help people be secure, but framing this as some kind of obligation towards the people of China is weird.

TaylorAlexander5y ago

EDIT: The specific request in TFA is to detect users using a third party IME and give them a security warning. Seems pretty reasonable.

philsnow5y ago

(ios makes the third-party keyboard ask the user for "full access" in order to hit the internet.)

higerordermap5y ago

ProAm5y ago

I thought Signal came out with their own keyboard and I was excited.

xster5y ago

nucleardog5y ago

Yep this. Even on computers, most Chinese people I know won’t use the OS’s IME and instead use third party programs.

higerordermap5y ago

1 more reply

novok5y ago

5 more replies

NikolaeVarius5y ago

How does Signal work in the context of the Great Firewall?

Can china shut down Signal by banning traffic that seems like Signal communication??

u678u5y ago

Agreed this was my surprise about the headline. I assumed it'd be blocked.

upofadown5y ago

It isn't really suitable for political dissent. I think they would be more unhappy with things like Telegram that can have huge group chats.

kombucha1115y ago

It works as is usually on Chinese ISPs though I noticed occasional interruptions. Using a VPN got rid of those disruptions.

powerapple5y ago

People use Twitter, YouTube, Facebook, Telegram with VPN in China. Twitter are mostly for porn, telegram for shady business and porn. I would assume you will probably need to use VPN for Signal.

wffurr5y ago

I wouldn't expect the first party keyboard on a Chinese-manufactured phone to be any safer than a third party IME.

powerapple5y ago

I would say I would be surprised if many>1% of the people. I have yet to know a single Chinese ever mentioned Signal.

mam25y ago

toomuchtodo5y ago

resynth1943OP5y ago

mam25y ago

The word is not from me, read the messages of the issue

bloody-crow5y ago

Why a keyboard application code even needs access to the internet? Could the OS just not allow it in the first place? I honestly don't fully understand why it's a Signal's problem in any way.

bigpumpkin5y ago

Obviously due to the fact that Chinese input could be better optimized by third parties.

einpoklum5y ago

But are Microsoft or Google's keyboard apps actually secure? That is, is it certain that they don't log keys or phone home somehow?

0xquad5y ago

Net net: what IME is best for a mainland Chinese user of Signal?

j / k navigate · click thread line to collapse