If I understand correctly it’ll still not be possible to create an account without entering a phone number?
For me this is a requirement to call a service a private service because in Germany at least every phone number is connected with a persons identity. To get a phone number you need to connect it to an identity using a identity card
... but then Signal wouldn't have your phone number either. What they need it for is ... dubious if you ask me.
The reasons they need it aren't really that dubious to me: they want to create a service that actual people will actually use, not just weird privacy geeks who never gave up on PGP. Using phone numbers allows for the kind of user discovery that most people expect in 2024, and requiring them inserts a barrier to mass account creation that can keep spam accounts down to a manageable level (especially given the whole point is they can't do content-based spam-filtering in the way that makes email managable).
Personally, my understanding is they've always been trying to develop the maximally private usable chat app, which requires some compromises from the theoretically maximally private chat app.
But then it's not private. It's linked to your phone number.
You can now hide you phone number, according to the blog post.
[...] Selecting “Nobody” means that if someone enters your phone number on Signal, they will not be able to message or call you, or even see that you’re on Signal. And anyone you’re chatting with on Signal will not see your phone number as part of your Profile Details page – this is true even if your number is saved in their phone’s contacts. Keep in mind that selecting “Nobody” can make it harder for people to find you on Signal.
I can only hide my phone number from other people, and even for that it should have been hidden by default from the start.
Can't hide it from some thought police which may or may not need a court order.
But it’s irrelevant, as the chats are end to end encrypted regardless. So sure, they’d know you had a Signal account, but not the contents thereof.
Well, to link with recent news, do you think talking with the late Alexey Navalni over Signal would protect you from russian police? They'd still be able to see that you talked to him.
And then what's the point of the super duper encryption?
Signal does not know who you correspond with. The only information they keep is the account creation timestamp, and the date that the account last connected to the Signal service.
You may have confused this information with WhatsApp which indeed keeps a lot of metadata on each user.
https://news.ycombinator.com/item?id=39414322
Well, TIL. That does not refute my comment, though. Signal still does not know who you chat with. It's the cloud provider who might log the IP address of the sender. Identifying the person based on that information alone would be non-trivial if not simply impossible.
To me, it's much worse. A non-profit doesn't have my data but Amazon (and NSA) does. With Amazon's scale, it must be trivial to identify everyone.
See also: https://news.ycombinator.com/threads?id=autoexec&next=394457...
Signal absolutely knows who you correspond with. How could they otherwise route your chat messages?
They promise to throw this information away, which is nice but not possible to verify.
They also employ a roundabout way of encrypting this data, but as they rightly point out in their article that describes the scheme, encrypting or hashing phone numbers is not safe from a malicious attacker. The space of all possible phone numbers is so small that it could be brute forced in the blink of an eye.
You place all your trust in Signal (and Google/Apple) when you use them. That may be better than the alternatives, but it's still something we should be honest about.
That said, keep in mind that Signal and Google/Apple can also trivially backdoor your software, so unless you take specific precautions against that, the details of their middleman protection isn't terribly important.
I guess you are right. It's trust-based. For an actual obfuscation Signal would need to implement something like onion routing, right? I think Session does it.
Signal has no access to metadata, including participants in a conversation. All they know is the date of account creation and the date of the last connection.
However, if they got access to Navalni's phone, then they of course can see everything Navalni can.
Aha :)
Do you people also want the relevant xkcd? The one about the wrench...
In Signal, probably no. Signal has this sealed sender functionality hiding significant amount of metadata from passive observer and active examination post-communication: https://signal.org/blog/sealed-sender/
What Russian police would be able to see, that in a given time period of certificate rotation at most X people communicated to Navalny.
Even encrypted data is not irrelevant. The frequency of messages is relevant, as is how many messages are sent how quickly, the total package size can be revealing if they arent hella padding the data, there is a lot you can learn just from the data. Total obfuscation is ideal.
If you are worried of an adversary that is using numerical analysis on the frequency of messages to somehow undermine you, I’d recommend not using a smartphone or internet connected device. And perhaps medication.
Good to hear that you have nothing to hide, comrade.
We don’t insult each other here. Take the cheap potshots to Reddit.
Why worry about nation-state level attacks when you can simply be hit over the head with a mallet until you give up your password?
We don’t insult each other here. Take the cheap potshots to Reddit.
Yes, that would be the point of obfuscation, as opposed to just encryption. End to end encryption does not prevent the $5 wrench attack, obfuscation does.
It's not irrelevant, but the exposure is reduced.
If a person is a member of a terrorist network - or friends with someone who is - the fact that a warrant could force Signal to expose that link could mean that a court is then more likely to approve increased surveillance of your (non-Signal) communications because of that link.
On the other hand if you are a woman on Tinder and using Signal to communicate with matches, this doesn't expose you to the person you have just matched with adding your number to their phone book, uploading it to LinkedIn and then finding where you work (which is what you can do with a phone number).
My feeling is this is a reasonable compromise, but it is important people understand what it does and doesn't protect you from.
Luckily there are other messaging services that are private if you’re going to be that pedantic about it.
But none will be as private as Signal.
Matrix is more private, depending on your threat model.
Yeah, privacy is weird and cringe! Let's call 'em "privacy-bros" or maybe "encryption-bros" to signify that they are low status (I don't want to be like them, ew!)
If you need privacy without usability just exchange pubkeys with your friends?
I think the remark is more about these sort of rhetorical tactics which permeate every topic. It is a fair remark.
It's not a fair remark though, all it did was twist what I said into a inflammatory derailment.
The point is there are a lot of (usually technical) people who are too focused one aspect, but are missing the bigger picture. If you follow them, you'll probably get a communication app that only those people can/will use, which has deal breakers for mass-market adoption. And once that happens, those people probably won't use it either, since they want to communicate outside their group.
Both his and your comments come off as inflammatory derailment to me. That's how it reads, I'm not ascribing malintent. People didn't use to talk like this, I hope you reconsider.
"not just weird privacy geeks who never gave up on PGP." is simply not conducive towards making your point. You can make your (otherwise solid) point and even win the argument on merit without this sort of thing.
I try to figure out another shorthand which communicates as effectively. "Privacy minded geeks with a deep understanding of E2E encryption"?
The main selling point of Signal is privacy. That's basically the only reason it exists - without it, why not just use WhatsApp, Messenger, Snapchat, etc?
What is the usability concern for no longer needing a phone number?
Do people really expect to still exchange phone numbers ?
Fundamentally I don't want people to call me nor SMS me (that's for spam only), most messaging services will allow contact exchange through a QR code inside the app, and if everything else fail an email address will be the most stable fallback.
Yes. This is the norm in the US.
And everywhere else on earth.
Not really, for better or worse.
In many countries SMS was either crazy expensive, unreliable, wall gardened to death (can't message people on other carriers...) and had no traction in the first place.
Then phone calls are also crazy expensive: I'm looking at the phone plans right now and the main focus is the data amount. Phone call options are either to only allow for super short conversations for a flat fee (less than 5min per call, for a 25% increase in the monthly plan) or 30 min to an hour of phone call for double to triple the price of the plans.
Moving to an alternative is just the normal course given these incentives, and that's what people did in droves (looking at Japan for instance)
In how many countries do people not exchange phone numbers as the primary means of contact?
Hmm... North Korea? Sealand?
Well, an even better barrier to reduce spam would be Signal to require some official ID of people...
But that's also a barrier to actual users, which would be counter-productive.
Looks like you're thinking about key exchanges as opposed to phone number exchanges.
Ever heard of user nicknames?
I mean, a phone number is an arbtrary sequence of digits. I'm very happy to use a chat app where I say to someone 'what's your username?'.
I'm not giving a chat app free access to all my contacts - and that includes things like Whatsapp
To me Signal is in the business of collecting metadata and nothing else (for whom, that is a good question: probably some three letter agency).
Perhaps you need a refresher in Signal Protocol.
Do not be sprouting on about things that you do not understand.
https://eprint.iacr.org/2016/1013.pdf
The parent is right: https://news.ycombinator.com/item?id=39414322
No, they're not. It's a pretty long stretch from IP traffic analysis to "who's talking to whom".
Not for Amazon I would guess. See also: https://news.ycombinator.com/threads?id=autoexec&next=394457...
If you're worried about Signal's hosting provider seeing your device's IP address, use a proxy. Personally, I'm not, because there's no trivial way to go from "Here's some IP traffic" to "this human had a conversation with this human".
I also hand BitWarden all my passwords. Therefore, the government has them, right?
My link literally describes viable attacks to deanonymize users.
(But it's broken somehow:
https://news.ycombinator.com/threads?id=autoexec&next=394457...
)
Court requires "what was said" for evidence as in old telcom CALEA, whereas Signal via sealed sender basically guarantees the "Spirit of CALEA".
What they need it for is simply that it's the way the system has always worked, because Signal started life as an encrypted replacement for SMS. The point was that you could switch from the standard SMS app you were already using over to Signal (which was called "TextSecure" at the time) without having to change your habits, because sending messages to people's phone numbers was simply what people did then. There's nothing nefarious about it.
The claim (which generally I'm inclined to believe) is that requiring a phone number drastically increases the cost to sending spam. That in turn drastically reduces the spam amount.
This is not correct. Go to a phone booth, get Signal, never need the phone number again. Any phone will do. Get a phone number from a different country online and without identity check, who cares, you will never need it again.
I haven't seen a phone booth in Europe for the last 7 years.
Just use the wonderful openstreetmap to find the nearest one, it will be closer than you think.
Is there a way to search for it, or do I have to scroll endlessly until i find one?
As an example, this reddit comment points to a procedure:
https://www.reddit.com/r/openstreetmap/comments/96sbd6/comme...
I tested it and it works for me.
Using:
I get 2 hits, one of which says all phones were removed in 2015.Guess I'll continue not using Signal or Telegram.
Just move the map to your location and type "amenity=phone" in the wizard. Does that work? Are you willing to share the country you are in?
Belgium.
"amenity=phone" returns 15 matches worldwide.
"amenity:phone", "amenity:telephone" or "amenity=telephone" (no other filters) returns the same 2 matches.
EDIT:
Belgacom started removing them in 2013 in Brussels, and the rest of country followed suit. The Belgian regulator found it unnecessary to require them with the ubiquity of mobile phones.
https://www.bruxelles.be/sites/default/files/bxl/Com_.%20pre...
wouldn't the next bloke using the booth for same cause get the whole account?
Not if you set a PIN no. But I think the next bloke can't use the booth to create a signal account anymore. I don't think we'll run out of booth though considering how rare the use case is ;)
Well, phone booths ain’t getting more ubiquitous for whatever reason either :)
I feel it’s really 5 HN hard core privacy persons who want it. I have 5 booth in walking distance from my home, they can have them =)
Even the one who want it seem not to know about “registration block” and “PIN” concepts in Signal, so I seriously question if they really want it…
What if I lose my phone and want to login again on a new one. Don't they send a verification code to the number again?
Well if you lost your only credential and it’s a secure solution, it’s gone. You must set it up from scratch again.
Since we’re discussing not providing your phone number out of privacy/security concerns, I assume that “registration lock” and PIN are on the table, which would anyway block you from registering again using the same number after loosing your phone.
Hence, the situation is the same as with your mobile phone number: no backup, no luck.
Yes, this is just Apple level bullshit - trust us with your private data even though no law prevents us from exploiting it ...
Damn, people will never be satisfied, will they. It's not meant to be an anonymous messenger, because those have spam issues.
I never received any spam in Matrix.
That's like saying you've never seen any advertisements in the desert.
https://news.itsfoss.com/matrix-sixty-million-users/
Just like you haven’t received any communication from anyone about any topic other than talking about Matrix. It’s not that Matrix has a magic formula, it’s that a fraction of a fraction a percent of people care even an iota about it.
They could collect a small amount in cryptocurrency to prove user is not a spammer. Telegram tried this but the price for not providing a phone number was too high. Does it mean knowing user's number is so valuable?
Threema is a paid app and I have never received a spam message on it. I have received spam on Signal, though.
It strikes me as hopelessly naive to think that keeping a personal phone number private is the only reason a user would want to be able to sign up for a service completely anonymously. The question is not whether knowing a user's number is worth $X, the question is whether _anonymous access to your platform_ is worth $X; a question that applies equally to both innocent good-faith users and to spammers/phishers/etc. If your platform is actually worth anything, $X is not going to be a small amount.
And yet many people seem to earnestly believe that a tiny token fee will be enough to deter spam, despite clear evidence to the contrary (see for instance how Twitter's "verification" fee has completely failed to stop bots from overrunning the platform, many of which proudly display their blue checks).
Signal has spam issues even with the phone number requirement, as I've experienced lately (though nothing on the scale of Twitter). I dread to think what the spam would be like without the requirement of a phone number.
At least now you can solve the existing spam problem if you want by disallowing people from using your number to message you in the privacy settings and randomizing your username after anyone new adds you - that way your username is like a one time password to add you, kind of like what lots of people here wish existed for phone calls.
Not true I don't have spam on Tox or Briar.
But sadly I don't have contacts either!
I could certainly point out the differences, but the fact that you yourself aren’t acknowledging them indicates to me that you’re throwing intellectual integrity out the window because this product doesn’t work in the way that you want it to work. Engineering is about tradeoffs, and not every company serves to build something that does exactly what YOU want it to. I prefer Signal the way it is. I understand the tradeoffs.
This is a fundamentally different problem for a fundamentally different audience.
If we take privacy issue, it can be divided into 3 segments:
* Privacy of user data. The basic level. When you use Google or Apple, they collect data. Even if you minimize all settings — data is still collected. This data is used to train models and models is used to sell ads, target you or do anything else you have no clue about (like reselling it to hundred of “partners”).
* Privacy against undesired identification. Next layer of privacy. When you want to have some personal life online without sharing much about you. Like Reddit, anonymous forums, or Telegram (to some degree).
* Privacy against governments. The ultimate boss of privacy. When you want to hide from all governments in the world your identity.
Signal was perfect at first layer strong but not perfect at 3rd layer (e2e encryption, no data collection to share nothing with governments who seek for data, good privacy settings, always tell you if your peer logged to new device to protect from cases when government operates with telecom companies and use sms password to make a new login), and almost non present at 2nd because they have no public features except group chats where you share your number.
Now they in one move close gaps at 2nd layer — you can hide phone number and stay fully anonymous, and strength their positions in 3rd layer, leaving the last piece open: government still will know that you have some Signal account.
As for me, this setup solves 99,999% cases for regular people in democratic and semi-democratic countries and address the most fundamental one: privacy of data and actions online.
Yes it is not perfect but barrier for government to spy on me is that high that I reasonably can believe that in most cases you should never be worried about being spied, especially if you live in some places which are named not as Iran or Russia.
The only scenario, in my perspective, you can want to have a login without phone (with all sacrifices to spam accounts, quality of peers and usual troll fiesta in such places) is when you want to do something you don’t want ever be found in your current country.
But in this case, IMO, Signal is the last worry you usually have on your mind and there are a lot of specialized services and protocols to address your need.
That isn't true anymore and hasn't been for years. Signal collects your data and keeps it forever in the cloud.
citation needed. care to elaborate on this?
Check out my post here: https://news.ycombinator.com/threads?id=autoexec#39445866
Signal is not a VPN. How is this relevant? Or did you link to the wrong comment?
Yeah, not sure how that happened, but that link wasn't exactly what I was going for. If you scroll down far enough from there you'd find the parts I tried to point you to, but try this link instead: https://news.ycombinator.com/threads?id=autoexec&next=394457...
Just to be safe here's a copy/paste with the details:
This has been true for many years now. At the time it caused a major uproar among the userbase (myself included) whose concerns were almost entirely ignored. Their misleading communication at the time caused a lot of confusion, but if you didn't know that Signal was collecting this data that should tell you everything you need to know about how trustworthy they are.
Here's some reading from the time of the change:
https://community.signalusers.org/t/proper-secure-value-secu...
https://community.signalusers.org/t/dont-want-pin-dont-want-...
https://old.reddit.com/r/signal/comments/htmzrr/psa_disablin...
https://www.vice.com/en/article/pkyzek/signal-new-pin-featur...
Note that the "solution" of disabling pins mentioned at the end of that last article was later shown to not prevent the collection and storage of user data. It was just giving users a false sense of security. To this day there is no way to opt out of the data collection.
My personal feeling is that Signal is compromised and the fact that the very first sentence of their privacy policy is a lie and they refuse to update it to detail their new data collection is a big fat dead canary warning people to find a new solution for secured communication. Other very questionable Signal moves that make me wonder if it wasn't an effort to drive people away from the platform as loudly as they were allowed to include the killing off of one of the most popular features (the ability to get both secured messages and insecure SMS/MMS in the same app) and the introduction of weird crypto shit nobody was asking for.
Not exactly that but looks relevant unless you trust Amazon: https://news.ycombinator.com/item?id=39414322
If we take privacy issue, it can be divided into 3 segments:
This sounds like a bunch of bullshit.
Sounds like your username.
I just don't want my metadata (contact graph) hoovered because I send a (encrypted) message to someone that may be an over sharer on FB, etc.
I use Signal because I am a "nothing to hide and I like to own my privacy as much as possible" type online person.
Signal == more peace of mind just generally in this online world we have.
1,2 and in part 3 were already fixed with the Signal FOSS fork back then, but Moxie and his army of lawyers decided to send out multiple cease and desist letters against those projects. Which, in return, makes Signal not open source, no matter what the claims are. If they don't hold up their end of the license and argue with their proprietary (and closed to use) infrastructure then I'd argue they are no better than Telegram or WhatsApp. Signal's backup problem is another story which might blow up my comment too much.
Because of your mentioned points I would never recommend Signal, and rather point to Briar as a messenger and group/broadcast platform. Currently, it's still a little painful to use and e.g. QR Codes would already help so much with easing up the connection and discovery/handshake process.
But it has huge potential as both a messenger and a federated and decentralized platform.
I think it is a holdover from the Text Secure days. And like others say, it's a different problem.
But for solutions, can't you just buy a voip number? You just need it for registration and then can dump it. I'm sure you can buy one with cash or zcash if you're really paranoid.
While in the US I don't have to show my gov ID to get a phone number, I don't know anyone who buys a phone with cash except international students. So practically everyone is identifiable anyways. But I'm not sure this is a deal breaker since all I'm leaking is that I have registered a Signal account. AFAIK Signal only has logs of an account existing and last online with 24hr resolution (which avoids many collision deanonymization methods). Even paying with cash is hard as I'm probably caught on camera (but these usually get flushed).
So I'm legitimately curious, why is this a dealbreaker? It doesn't seem like a concern for the vast majority of people, and the problem Signal is solving is secure communication for the masses, not the most secure method possible with unbounded complexity. It's being as secure as possible while being similar in complexity to the average messenger.
No, how would my uncle in the countryside of Vietnam do that? He doesn't have a credit card -- not many here do. He doesn't speak English -- can you find a website that sells voip numbers in Vietnamese? Buying a voip number from a provider in Vietnam has the same exact KYC requirements as buying a SIM, so it is still tied to your government ID and registered forever.
Also buying a VOIP for 1 month costs something like $10 from a quick Google. Average salaries are like $1.50/hour. Nobody is going to pay an entire day's salary to buy an VOIP number they throw for a month just so they can register anonymously for chat.
So, not you can't "just" buy a voip number unless you're a rich Westerner. But who needs privacy more? People in liberal democracies or people in places like Vietnam (literally an authoritarian country where people are routinely imprisoned for speaking against the government)?
Everyone buys a phone with cash here because few people have credit cards, since there is no such thing as "credit ratings" and it is easy for people to disappear from their debts. There are more people in Vietnam than any country in Europe. We all use smartphones and messenger apps here, too.
He’d ask you to do it then like every non technical older person. It’s a non issue.
None of my non technical older relatives in Vietnam have asked for anyone's help signing up for the chat accounts they use.
If they needed signal it be because someone like you told them to get it. Non issue for the billions that use WhatsApp and Facebook.
Your uncle in Vietnam has a smartphone, no internet, no number, and NEEDS the signal app? He might need solar, electricity and internet first.
Indeed. Even most technical people don't have experience setting up VOIP stuff. And needing some techie's intervention just to create an account is not beneficial for a company's user base. Calling this a non-issue is being ignorant about how usability works and influences user engagement.
Briar ('droid only), SimpleX, and Session; optionally with a cheap VPN like Mullvad or Proton to ameliorate anonymity issues in the p2p voice/video features.
in Germany at least every phone number is connected with a persons identity. To get a phone number you need to connect it to an identity using a identity card
Personally, I am totally baffled by this.
Due in large part to C3's positive influence, Germany is at the forefront of privacy issues and legislation on so many areas, except for this one, which ends up turning into a massive backdoor in the whole edifice. Okay, we can't ask for a copy of your identification card... we'll just use a telephone number or SIM code or something trivially tied back to your IMSI (like an app store account or IMEI) instead. Because of the absurd 2017 law, these are equivalent to your government ID card.
I really don't understand why Germans put up with this while simultaneously pushing so hard for positive changes in every other aspect of online privacy. Especially when so many other developed Western countries do not tie SIM cards to identities: Netherlands, Denmark, Finland, Iceland, Ireland, US, UK, Canada, and many many others.
It's like a giant `sudo gimme-your-identity` backdoor in all the other data collection protections. And nobody seems to care about closing the backdoor.
It wasn't always like this - the requirement to give your ID to get a SIM card, as you noted, was only introduced in 2017 (though it certainly feels way longer ago for me).
Anyways - why does nobody care?
Simple: most don't feel this being an issue.
Some may even say that they "don't have anything to hide" and there goes the erosion of privacy, bit by bit - by the time someone notices "ok, this may become a problem" - it'll be too late :(
Simple: most don't feel this being an issue.
Sure, but what's incredibly weird is that many Germans do feel that almost all other digital privacy matters are an issue. It baffles me that they treat this one particular issue differently for some reason.
I wonder if this is some kind of mass-psychology exploit, like it doesn't occur to your average nontechnical person that the ID requirement makes your Apple app store account, and every app you use it to install, equivalent to your government photo ID.
On the flip side, SMS fraud is almost nonexistent from German mobile numbers, which is why scammers just send from other countries to German mobile phone owners. Mostly from France.
SMS fraud is almost nonexistent from German mobile numbers
Even if this is true, how does that benefit Germans?
Nobody's seriously talking about blocking all SMSes at the national border.
That's the entirely wrong cause and effect.
The obvious root cause are a world war and the DDR.
Yes yes, of course; there are root causes and proximal causes. You are correct about the root cause, which is the reason why Germans in general care about these things.
C3 is the catalyst that turned that caring into actual tangible results. Or at least a big part of the catalyst. Their level of political effectiveness is extremely unusual in the hacker world. I'm glad it has been a force for positive change.
That said, it has limits. And I have heard rumblings before about the telecom giants (DT) being an insurmountable political obstacle. So hacker culture has more political influence in Germany than elsewhere, as long as it doesn't upset the telecom giants.
Same in Spain since 2004 Madrid train bombings IIRC.
This is the case in most countries these days. There are very few places left where you can get a mobile phone number without identifying yourself at some point.
I used to care, but at this point it’s obvious that taking a phone number is by far the most effective anti spam and anti trolling method in existence.
Which is great when databases leak. Absolutely brilliant.
There was a forum that used to have as a requirement a non-free email account and seemed to have no issues with spam accounts with tens of thousands of members for more than 10 years. In that use case it seemed the non-free account aspect to sign-up was the threshold which seemed to keep spammers out vs the fact such an email account could be (with relevant authority) traced back to a real identity.
I'd be curious if there is a study that has looked into the thresholds for different use cases at which spam account creation drops to negligible amounts and how much price vs anonymity vs difficulty factors into it.
Not in Finland for example.
Here in Thailand it's the same but phone numbers get recycled and expire very aggressively. I just got a new phone number and I can login to many platforms of some 20 year old guy who really likes pc gaming.
Phone numbers should have NEVER became an ID. Incredibly hypocritical of Signal to claim "privacy focus" when the lowest layer of the system is literally the least secure identification method we have.
same in my country.
I had two SIM cards dedicated to online crap - one for important stuff like banking, another for social media and such.
both have expired after ≈ 3 months of inactivity, when my 2 week trip unexpectedly took 4 months. those SIM cards weren't physically inserted into my phone - I used to do that once a month to call someone and get billed a few cents so it would remain active, until that trip.
there's no way to get those phone numbers back and it's been an enormous pain the dick. I hate this fucking system, but I hate the fact that fucking everything requires a phone number even more.
Why do you need a German phone number? Many countries let anyone have a phone number, with no proof of address or other identifying information. Just use one of those numbers instead. One example service is https://jmp.chat/ but there are many others.
It's a voip service isn't it? Those numbers will not work with many online services and even some more obscure normal providers.
It's still preferable to use a burner number for signal/telegram if you want privacy.
There are many countries where it's completely impossible to get a burner phone.
Just use Wire (wire.com). True end to end encrypted multi device messenger, open source, federated and based on MLS. All you need is an email address, no phone number required. And based in Europe. They allow building your own clients (with some stipulations) and seem to solve everyone’s issues with signal here
Partially off-topic: I've always found this German requirement baffling. In the Netherlands you can just buy a SIM card at a supermarket and pay cash. No identity, nothing.