隐私无价，但信号昂贵

Signal is the world’s most widely used truly private messaging app, and our cryptographic technologies provide extra layers of privacy beyond the Signal app itself. Since launching in 2013, the Signal Protocol—our end-to-end encryption technology—has become the de facto standard for private communication, protecting the contents of billions of conversations in WhatsApp, Google Messages, and many others. Signal also continues to invest in research and development in the pursuit of extending communications privacy. This commitment underlies our recent work to add a layer of quantum resistance to the Signal Protocol, and our previous work on metadata protection technologies that help keep personal details like your contact list, group membership, profile name, and other intimate information secure. This singular focus on preserving the ability to communicate privately is one reason that we work in the open, documenting our thinking and making our code open source and open to scrutiny—so you don’t have to take our word for it.

Signal is also a nonprofit, unlike almost every other consumer tech company. ¹ This provides an essential structural safeguard ensuring that we stay true to our privacy-focused mission. To put it bluntly, as a nonprofit we don’t have investors or profit-minded board members knocking during hard times, urging us to “sacrifice a little privacy” in the name of hitting growth and monetary targets. This is important in an industry where “free” consumer tech is almost always underwritten by monetizing surveillance and invading privacy. Such practices are often accompanied by “growth hacking” and engagement maximization techniques that leverage dark patterns to keep people glued to feeds and notifications. While Signal is also free to use, we reject this kind of manipulation, focusing instead on creating a straightforward interpersonal communications app. We also reject business models that incentivize such practices.

Instead of monetizing surveillance, we’re supported by donations, including a generous initial loan from Brian Acton. Our goal is to move as close as possible to becoming fully supported by small donors, relying on a large number of modest contributions from people who care about Signal. We believe this is the safest form of funding in terms of sustainability: ensuring that we remain accountable to the people who use Signal, avoiding any single point of funding failure, and rejecting the widespread practice of monetizing surveillance.

But our nonprofit structure doesn’t mean it costs less for Signal to produce a globally distributed communications app. Signal is a nonprofit, but we’re playing in a lane dominated by multi-billion-dollar corporations that have defined the norms and established the tech ecosystem, and whose business models directly contravene our privacy mission. So in order to provide a genuinely useful alternative, Signal spends tens of millions of dollars every year. We estimate that by 2025, Signal will require approximately $50 million dollars a year to operate—and this is very lean compared to other popular messaging apps that don’t respect your privacy.

Here we review some of these costs and where this money goes, in the name of providing more transparency into Signal. But we hope to do more than that. Where money goes and how it’s made is a bit of a taboo in tech, something that most tech companies avoid talking about. The actual costs of consumer tech are generally hidden behind stories of innovation and the word “free,” and the connection between the product marketing of a highly profitable tech industry and the ingress and egress of profit and revenue is usually unclear. We believe a material map of these dynamics can help clarify just what is required to fulfill the dream of privacy-preserving alternative technology, and contribute to establishing a solid foundation from which we can grow alternatives that contest tech surveillance and the incentives behind it.

This is not a comprehensive overview—this post isn’t meant to provide a full accounting or to review every line item in detail. Instead, we focus on illustrative examples, looking at infrastructure and labor in particular. We’ll also explore average costs that in practice vary dynamically in relation to factors that are often outside of our control. ²

Infrastructurally Different

We’ll start with an overview of some of Signal’s biggest infrastructural costs—what we pay for the utilities and services that let Signal reach you. These include the temporary storage of end-to-end encrypted data for message delivery; the global server network that processes billions of requests every day; the registration fees that cover the delivery of verification codes during the sign-up process to help verify phone numbers and prevent spam accounts; the bandwidth that is required to efficiently route end-to-end encrypted messages and calls around the world; and some of the additional services that keep everything running smoothly. We’ll dive into each of these in more detail, but here’s a quick breakdown:

Storage: $1.3 million dollars per year.
Servers: $2.9 million dollars per year.
Registration Fees: $6 million dollars per year.
Total Bandwidth: $2.8 million dollars per year.
Additional Services: ³ $700,000 dollars per year.

Current Infrastructure Costs (as of November 2023): Approximately $14 million dollars per year.

The Cost of Storing Nothing and Serving Everyone

Data is profitable, and we’re a nonprofit focused on collecting as little data as possible.

Most tech companies collect and create as much data as they can. They build large data warehouses, and then later invent new terms like “data lake” when their unquenchable thirst for more of your private information can no longer fit within the confines of a single warehouse. Their default move is to store everything for as long as they can in an easily accessible and unencrypted format, suffering data breach, after data breach, after data breach, hoping to monetize this data by indirectly (or directly) selling it to advertisers or using it to train AI models. Again, data is profitable.

In contrast, Signal’s default move is to end-to-end encrypt everything that we possibly can and to store as little as possible—all while making sure your messages are delivered promptly and your calls are clear and free of delays. We do this by taking advantage of globally distributed hosting infrastructure and by paying for significant amounts of bandwidth from some of the top providers in the world.

Just like everything else in Signal, messages and files are always end-to-end encrypted. When you send a message, the Signal service temporarily queues that message for delivery. As soon as your message is delivered, that small bundle of encrypted data (i.e. your message) can be dropped from the queue. The storage of end-to-end encrypted files is temporary too, and any undelivered end-to-end encrypted data is automatically purged after a period of inactivity. Even though everything is only temporary, this storage still costs Signal around $1.3 million dollars per year.

This is a lot of money, although it’s less than it would cost if we stored everything forever. But unlike the tech companies that collect and store everything, we don’t have (and do not want to have) any surveillance data to sell or use to recoup these costs. We can’t read or access any end-to-end encrypted messages because the keys that are required to decrypt them are in your hands, not ours. And it’s not just about your messages. Signal also uses our metadata encryption technology to protect intimate information about who is communicating with whom—we don’t know who is sending you messages, and we don’t have access to your address book or profile information. We believe that the inability to monetize encrypted data is one of the reasons that strong end-to-end encryption technology has not been widely deployed across the commercial tech industry.

In order to provide a globally accessible, reliable, and high-performance communications service for the many millions of people around the world who depend on Signal, it’s necessary for Signal’s servers to be globally distributed. Having a geographically distributed network of servers is particularly important for end-to-end encrypted voice and video calls, because latency can result in audio delays or degraded video connections that quickly make the app unusable for real-time communication.

Because everything in Signal is end-to-end encrypted, we can rent server infrastructure from a variety of providers like Amazon AWS, Google Compute Engine, Microsoft Azure, and others while ensuring that your messages and calls remain private and secure. We can’t access them, and neither can the companies that provide any of the infrastructure we rent. As a small nonprofit organization, we cannot afford to purchase all of the physical computers that are necessary to support everyone who relies on Signal while also placing them in independent data centers around the world. Only a select few of the very largest companies globally are still capable of doing this, which is a hallmark of a troublingly concentrated industry. ⁴

Signal’s addition of novel privacy-preserving features also affects our server costs. To pick one example, we developed a new approach to private contact discovery in 2017 that uses a trusted execution environment. This made us the first large-scale messaging app to let people automatically find their friends and contacts without revealing their address book to us, keeping these connections private. Because other mainstream apps don’t have this layer of privacy protection in place, they can often access details about your network and relationships without restrictions, and many of them store this highly sensitive information for later use. ⁵

When we first deployed this system in 2017, only a few servers were necessary. But as the number of people using Signal increased, the number of servers required to support private contact discovery also rose. At its peak, nearly 600 servers were dedicated to private contact discovery alone, at a total cost of more than $2 million dollars per year.

This significant cost would have continued to rise. However, thanks to algorithmic research advances and hardware updates, we’ve been able to reduce the total number of private contact discovery servers to around 10 total—despite the fact that the service is handling more traffic than ever. A significant amount of money and engineering resources have been dedicated to ensuring that your address book remains completely inaccessible to us, and Signal will continue to push the envelope and introduce new techniques to enhance your privacy even when the initial costs are high.

Registration Fees

Signal incurs expenses when people download Signal and sign up for an account, or when they re-register on a new device. We use third-party services to send a registration code via SMS or voice call in order to verify that the person in possession of a given phone number actually intended to sign up for a Signal account. This is a critical step in helping to prevent spam accounts from signing up for the service and rendering it completely unusable—a non-trivial problem for any popular messaging app.

Signal’s registration service routes registration codes over multiple telephony providers to optimize delivery across the globe, and the fees we pay to third-party vendors for every verification code we send can be very high. This is in part, we believe, because legacy telecom operators have realized that SMS messages are now used primarily for app registration and two-factor authentication in many places, as people switch to calling and texting services that rely on network data. In response to increased verification traffic from apps like Signal, and decreased SMS revenue from their own customers, these service providers have significantly raised their SMS rates in many locations, assuming (correctly) that tech companies will have to pay anyway.

The cost of these registration services for verifying phone numbers when people first install Signal, or when they re-register on a new device, currently averages around $6 million dollars per year.

These costs vary dramatically from month to month, and the rates that we pay are sometimes inflated due to “toll fraud”—a practice where some network operators split revenue with fraudulent actors to drive increased volumes of SMS and calling traffic on their network. The telephony providers that apps like Signal rely on to send verification codes during the registration process still charge their own customers for this make-believe traffic, which can increase registration costs in ways that are often unpredictable. Of course, Signal does everything we can to reduce or eliminate the impact of toll fraud. We work closely with our voice and SMS verification providers to detect and shut down fraudulent registrations as quickly as possible. But it’s still a game of cat and mouse, with unavoidable expenses along the way.

The Going Rate for Transfer Rates

You are probably familiar with the concept of paying for bandwidth in the form of buying a data plan from your cellular provider or signing up with an Internet Service Provider (ISP) for your home. But it may surprise you to learn that every website, app, and service also pays for the bandwidth they use whenever you connect to them.

Some pay more than others. Most of the major tech companies (like Amazon, Google, and Microsoft) own and operate their own data centers. After spending billions of dollars to build massive hosting facilities, they install their own fiber optic cables and custom networking equipment. This also means they get to earn a lot of money by charging others for the privilege of using that equipment. ⁶ Smaller organizations like Signal can’t afford to build matching infrastructure from scratch, so we (along with almost every startup and tech company) pay rent to the big players in order to access the bandwidth we need.

Millions of people use Signal every day, and it takes a lot of bandwidth to provide a fast and reliable service. Signal spends around $2.8 million dollars per year on bandwidth to support sending messages and files (such as photos, videos, voice notes, documents, etc.) and to enable voice and video calls.

Voice and video calls require significantly more bandwidth than text messages, and Signal’s end-to-end encrypted calling functionality is one of the most expensive services that we provide. Signal also goes far beyond other messaging apps when it comes to protecting your privacy during voice and video calls, and we do this in ways that substantially increase how much bandwidth we use in order to provide a high-quality calling experience.

To take one example, Signal always routes end-to-end encrypted calls from people who aren’t in your contacts through a relay server that obscures IP address information. ⁷

Almost none of our competitors do this, and Signal’s default behavior is much more expensive than the alternative. Automatically relaying 1-on-1 voice and video calls from unknown contacts (instead of always using a peer-to-peer connection whenever possible) provides an extra layer of privacy, but results in considerably higher bandwidth costs for Signal’s calling-related relay servers. At current traffic levels, the amount of outbound bandwidth that is required to support Signal voice and video calls is around 20 petabytes per year (that’s 20 million gigabytes) which costs around $1.7 million dollars per year in bandwidth fees just for calling, and that figure doesn’t include the development costs associated with hiring experienced engineers to maintain our calling software, or the cost of the necessary server infrastructure to support those calls.

The Human Touch

Signal isn’t just a collection of privacy-preserving services that route end-to-end encrypted messages and calls around the world. It’s also a set of cross-platform apps and modular development components (commonly called libraries) that make this type of private communication possible in the first place. Because the norm is surveillance, we’re often required to create or modify our own libraries from scratch, swapping in privacy instead of using more common frameworks that assume surveillant defaults. Swimming against the tide of an ecosystem whose incentives and infrastructure promote surveillance and privacy invasions is, of course, more time-intensive and more expensive, and requires dedicated and experienced people.

First, we have three distinct client teams, one for each platform (Android, Desktop, and iOS). These teams are constantly working: adjusting to operating system updates, building new features, and making sure the app works on a wide variety of devices and hardware configurations. We also have dedicated engineering teams that handle the development and maintenance of the Signal Server and all of its infrastructure, our calling libraries like RingRTC, and core libraries like libsignal. These also need constant development and monitoring.

Product and design teams help shape the future of the app and determine how it will look and function, while our localization team coordinates translation efforts across more than sixty languages. We even have a full-time, in-house support group that interfaces with people who use Signal and provides detailed technical feedback and real-time troubleshooting information to every other team. This is an essential function, particularly at Signal, because we don’t collect analytics or telemetry data about how people are using Signal.

This is a lot of work, and we do it with a small and mighty team. In total, around 50 full-time employees currently work on Signal, a number that is shockingly small by industry standards. For example, LINE Corporation, the developers of the LINE messaging app popular in Japan, has around 3,100 employees, ⁸ while the division of Kakao Corp that develops KakaoTalk, a messaging app popular in Korea, has around 4,000 employees. ⁹ Employee counts at bigger corporations like Apple, Meta, and Google’s parent company (Alphabet) are much, much higher. ¹⁰

To sustain our ongoing development efforts, about half of Signal’s overall operating budget goes towards recruiting, compensating, and retaining the people who build and care for Signal. When benefits, HR services, taxes, recruiting, and salaries are included, this translates to around $19 million dollars per year.

We are proud to pay people well. Our goal is to compensate our staff at as close to industry wages as possible within the boundaries of a nonprofit organization. We know that we can’t provide equity, expensive playpen offices, or other benefits common to large tech companies. We also know that we need to recruit and retain a highly experienced and specialized workforce in an extremely competitive industry if we’re going to offer a service that provides a meaningful alternative to apps with far more people and resources. And we don’t believe that precarity should be the cost of doing good. Compared to most tech companies, Signal’s numbers are a drop in the bucket. ¹¹

Growth in Signal translates into increased infrastructure costs, and having more infrastructure requires more labor. As of November 2023, Signal’s server network is regularly responding to around 100,000 requests per second, and we routinely break our previous records. A funny thing happens when a globally accessible service starts handling billions of requests every day. Suddenly one-in-a-million possibilities are no longer unique or rare, and unlikely situations become more and more common as Signal grows. It’s not unusual for our engineers to do things like write custom code to reproduce an esoteric and complicated IPv6 connectivity issue that’s affecting people running an arcane operating system configuration in specific regions, but only when connected via a certain set of internet service providers. ¹² Troubleshooting such infrastructure issues can be very expensive, because isolating a problem and developing a fix can take a lot of time and expertise.

Identifying and fixing arcane problems is not the only thing that takes time and skill. In the context of building for privacy, adding a common feature or service in a way that avoids surveillance frequently requires significant work and creativity. To take one example, profile pictures and profile names are always end-to-end encrypted in Signal. This means that Signal does not have access to your profile name or chosen profile photo. This approach is unique in the industry. In fact, it has been more than six years since we first announced this additional layer of protection, and as far as we know none of our competitors have yet adopted it. Other messengers can easily see your profile photo, profile name, and other sensitive information that Signal cannot access. Our choice here reflects our staunch commitment to privacy, but it also means that it took Signal more effort to implement support for profile photos. Instead of a weekend project for a single engineer, our teams were required to develop new approaches and concepts within the codebase (like profile keys), which they worked to roll out across multiple platforms after an extended testing period.

The same dynamic played out again when Signal introduced support for animated GIF searches on Android and iOS. Instead of quickly and easily integrating the standard GIF search SDK that most other apps were using, engineers spent considerable time and creativity developing another unique privacy-preserving technique that hides GIF search terms from Signal’s servers, while also hiding who is searching for those terms from the GIF search engine itself. We later expanded those techniques to further obfuscate GIF search information by obscuring the amount of traffic that passes through the proxied connection.

When Meta acquired GIPHY, and many other apps were scrambling to contend with the privacy implications of the deal, Signal employees slept soundly knowing that we had already built this feature correctly several years earlier. ¹³

Even more recently, Signal has started taking steps to protect today’s conversations from future threats by adding post-quantum resistance to the Signal Protocol. The financial costs associated with these research and development initiatives are substantial. They’re also essential for building privacy-preserving technology in a dynamic industry where surveillance is the norm.

By offering a competitive compensation package, Signal helps make it easy for people to choose to develop privacy-preserving technology that benefits the world instead of going to work for the surveillance-advertising-industrial complex. We’re proud of our healthcare plans, family-friendly policies like extended parental leave, flexible schedules, and the many other benefits that help make Signal a great place to work.

These things cost money, but a world where Signal can attract talented people to work on privacy-preserving technology is a world that looks a lot more attractive.

Future Tense

We hope that this cursory tour of some of Signal’s operations and costs helps provide a greater understanding of Signal’s unique place in the tech ecosystem, and of the tech ecosystem itself.

Our goal of developing an open source private messenger that is supported and sustained by small donations is both highly ambitious and, we believe, existentially important. The cost of most consumer technology is underwritten by surveillance, which has allowed people to assume that “free” is the default, and a handful of industry players have accrued eye-watering amounts of personal data and the unprecedented power to use that data in ways that are shaping our lives and institutions globally.

To put it another way, the social costs of normalized privacy invasion are staggeringly high, and maintaining and caring for alternative technology has never been more important.

Signal is working to show that a different approach is possible—an approach that puts privacy at the center, and where organizations are accountable to the people who use and rely on their services, not to investors, or to the endless pursuit of growth and profit.

Thank you for your support. It’s an honor and privilege to work on Signal every day, and we—very literally—couldn’t do it without you. Please consider donating to Signal via our website or learn how to give using the app.

译文

Signal 是世界上使用最广泛的真正私人消息传递应用程序，我们的加密技术提供了除 Signal 应用程序本身之外的额外隐私层。自 2013 年推出以来，信号协议（我们的端到端加密技术）已成为私人通信事实上的标准，保护 WhatsApp、Google Messages 和许多其他应用程序中数十亿次对话的内容。Signal 还继续投资于研发，以追求扩展通信隐私。这一承诺是我们最近为信号协议添加一层量子抵抗的工作的基础，也是我们之前在元数据保护技术方面的工作的基础，这些技术有助于确保个人详细信息（如联系人列表、群组成员身份、个人资料名称和其他私密信息）的安全。这种对保留私下沟通能力的独特关注是我们公开工作、记录我们的想法并使我们的代码开源并接受审查的原因之一，因此您不必相信我们的话。

与几乎所有其他消费科技公司不同，Signal 也是一家非营利组织。 ¹这提供了必要的结构性保障，确保我们恪守以隐私为中心的使命。坦白说，作为一家非营利组织，我们没有投资者或追求利润的董事会成员在困难时期敲门，敦促我们以实现增长和货币目标的名义“牺牲一点隐私”。这对于一个“免费”消费技术几乎总是通过监视货币化和侵犯隐私来保证的行业来说非常重要。此类做法通常伴随着“增长黑客”和参与度最大化技术，这些技术利用黑暗模式让人们紧盯着信息流和通知。虽然 Signal 也是免费使用的，但我们拒绝这种操纵，而是专注于创建一个简单的人际通信应用程序。我们也拒绝鼓励此类做法的商业模式。

我们没有将监视货币化，而是得到了捐款的支持，其中包括布莱恩·阿克顿（Brian Acton）慷慨的初始贷款。我们的目标是依靠关心 Signal 的人们的大量微薄捐款，尽可能地获得小型捐助者的全力支持。我们认为，就可持续性而言，这是最安全的资助形式：确保我们对使用 Signal 的人负责，避免任何单点资助失败，并拒绝普遍采用的监控货币化做法。

但我们的非营利结构并不意味着 Signal 开发全球分布式通信应用程序的成本更低。Signal 是一家非营利组织，但我们正处于由价值数十亿美元的公司主导的道路上，这些公司定义了规范并建立了技术生态系统，其商业模式直接违背了我们的隐私使命。因此，为了提供真正有用的替代方案，Signal 每年花费数千万美元。我们估计，到 2025 年，Signal 每年将需要大约 5000 万美元的运营费用，与其他不尊重您隐私的流行消息应用程序相比，这非常精简。

在这里，我们以提高 Signal 透明度的名义回顾了其中一些成本以及这些资金的去向。但我们希望做得更多。钱的去向和赚钱方式在科技界有点禁忌，大多数科技公司都避免谈论这一点。消费技术的实际成本通常隐藏在创新故事和“免费”一词背后，而高利润科技行业的产品营销与利润和收入的进出之间的联系通常并不明确。我们相信，这些动态的物质图谱可以帮助阐明实现保护隐私的替代技术梦想所需的条件，并有助于建立坚实的基础，使我们能够开发出对抗技术监控及其背后激励措施的替代技术。

这不是一个全面的概述 - 这篇文章并不意味着提供完整的会计或详细审查每个行项目。相反，我们专注于说明性示例，特别关注基础设施和劳动力。我们还将探讨实际中随我们无法控制的因素而动态变化的平均成本。 ²

基础设施不同

我们将首先概述 Signal 的一些最大的基础设施成本，即我们为让 Signal 联系到您的公用事业和服务所支付的费用。其中包括用于消息传递的端到端加密数据的临时存储；每天处理数十亿个请求的全球服务器网络；注册费包括在注册过程中提供验证码，以帮助验证电话号码并防止垃圾邮件帐户；在世界各地有效路由端到端加密消息和呼叫所需的带宽；以及一些让一切顺利运行的附加服务。我们将更详细地探讨其中的每一个，但这里有一个快速细分：

存储：每年 130 万美元。
服务器：每年 290 万美元。
注册费：每年600万美元。
总带宽：每年 280 万美元。
额外服务： ³每年70万美元。

当前基础设施成本（截至 2023 年 11 月）：每年约 1400 万美元。

不存储任何东西并为所有人服务的成本

数据是有利可图的，而我们是一家致力于收集尽可能少的数据的非营利组织。

大多数科技公司都会收集和创建尽可能多的数据。他们建立大型数据仓库，然后当他们对更多私人信息的不可抑制的渴望不再适合单个仓库的范围时，发明了“数据湖”等新术语。他们的默认举动是以易于访问和未加密的格式尽可能长时间地存储所有内容，遭受数据泄露，数据泄露之后，数据泄露之后，希望通过间接（或直接）将其出售给广告商或使用这些数据来货币化这些数据它来训练人工智能模型。再次强调，数据是有利可图的。

相比之下，Signal 的默认举措是对所有可能的内容进行端到端加密，并尽可能少地存储数据，同时确保您的消息能够及时传递，并且您的通话清晰且无延迟。我们通过利用全球分布式托管基础设施并从世界上一些顶级提供商那里支付大量带宽来做到这一点。

就像 Signal 中的其他所有内容一样，消息和文件始终是端到端加密的。当您发送消息时，信号服务会暂时将该消息排队等待传递。一旦您的消息被传递，这一小包加密数据（即您的消息）就可以从队列中删除。端到端加密文件的存储也是临时的，任何未传送的端到端加密数据在一段时间不活动后都会自动清除。尽管一切都只是暂时的，但该存储每年仍要花费 Signal 约 130 万美元。

这是一大笔钱，尽管它比我们永久存储所有东西的成本要少。但与收集和存储所有内容的科技公司不同，我们没有（也不想拥有）任何监控数据来出售或用来收回这些成本。我们无法读取或访问任何端到端加密消息，因为解密它们所需的密钥掌握在您的手中，而不是我们的手中。这不仅仅是关于您的消息。Signal 还使用我们的元数据加密技术来保护有关谁在与谁通信的私密信息 - 我们不知道谁在向您发送消息，并且我们无法访问您的地址簿或个人资料信息。我们认为，无法将加密数据货币化是强大的端到端加密技术尚未在商业科技行业广泛部署的原因之一。

为了向全球数百万依赖 Signal 的人们提供全球可访问、可靠且高性能的通信服务，Signal 的服务器必须分布在全球范围内。拥有地理上分布的服务器网络对于端到端加密语音和视频通话尤其重要，因为延迟可能会导致音频延迟或视频连接质量下降，从而很快使应用程序无法用于实时通信。

由于 Signal 中的所有内容都是端到端加密的，因此我们可以从Amazon AWS、Google Compute Engine、Microsoft Azure等各种提供商租用服务器基础设施，同时确保您的消息和呼叫保持私密性和安全性。我们无法访问它们，提供我们租用的任何基础设施的公司也无法访问它们。作为一个小型非营利组织，我们无法购买支持每个依赖 Signal 的人所需的所有物理计算机，同时将它们放置在世界各地的独立数据中心。全球只有少数几家最大的公司仍然有能力做到这一点，这是一个令人不安的集中行业的标志。 ⁴

Signal 添加的新颖隐私保护功能也会影响我们的服务器成本。举一个例子，我们在 2017 年开发了一种使用可信执行环境来发现私人联系人的新方法。这使我们成为第一个大型消息应用程序，让人们自动找到他们的朋友和联系人，而无需向我们透露他们的地址簿，从而保持这些联系的私密性。由于其他主流应用程序没有这一层隐私保护，因此它们通常可以不受限制地访问有关您的网络和关系的详细信息，并且其中许多应用程序会存储这些高度敏感的信息以供以后使用。 ⁵

当我们在 2017 年首次部署该系统时，只需要几台服务器。但随着使用 Signal 的人数增加，支持私人联系人发现所需的服务器数量也随之增加。在鼎盛时期，仅私人联系人发现就有近 600 台服务器，每年的总成本超过 200 万美元。

这一重大成本将继续上升。然而，由于算法研究的进步和硬件更新，我们已经能够将私人联系人发现服务器的总数减少到 10 个左右，尽管该服务处理的流量比以往任何时候都多。我们投入了大量资金和工程资源来确保我们完全无法访问您的地址簿，即使初始成本很高，Signal 将继续挑战极限并引入新技术来增强您的隐私。

注册费

当人们下载 Signal 并注册帐户或在新设备上重新注册时，Signal 会产生费用。我们使用第三方服务通过短信或语音通话发送注册码，以验证拥有给定电话号码的人是否确实打算注册 Signal 帐户。这是帮助防止垃圾邮件帐户注册该服务并使其完全无法使用的关键一步，这对于任何流行的消息应用程序来说都是一个不小的问题。

Signal 的注册服务通过多个电话提供商路由注册码，以优化全球范围内的交付，并且我们为发送的每个验证码向第三方供应商支付的费用可能非常高。我们认为，这在一定程度上是因为传统电信运营商已经意识到，随着人们转向依赖网络数据的通话和短信服务，短信现在在许多地方主要用于应用程序注册和两步身份验证。为了应对 Signal 等应用程序验证流量的增加以及来自自己客户的 SMS 收入的减少，这些服务提供商在许多地方大幅提高了 SMS 费率，（正确地）假设科技公司无论如何都必须付费。

当人们首次安装 Signal 或在新设备上重新注册时，这些用于验证电话号码的注册服务的成本目前平均每年约为 600 万美元。

这些成本每个月都有很大差异，而且我们支付的费率有时会因“话费欺诈”而被夸大，这种做法是一些网络运营商与欺诈者分享收入，以增加其网络上的短信和通话流量。Signal 等应用程序在注册过程中依赖发送验证码的电话提供商仍然向自己的客户收取这种虚假流量的费用，这可能会以通常不可预测的方式增加注册成本。当然，Signal 会尽一切努力减少或消除话费欺诈的影响。我们与语音和短信验证提供商密切合作，尽快检测并关闭欺诈性注册。但这仍然是一场猫捉老鼠的游戏，一路上不可避免地会产生费用。

现行传输速率

您可能熟悉通过从蜂窝提供商购买数据计划或与您家的互联网服务提供商 (ISP) 签约的形式支付带宽费用的概念。但您可能会惊讶地发现，每个网站、应用程序和服务都会为您连接到它们时使用的带宽付费。

有些人比其他人付出更多。大多数主要科技公司（如亚马逊、谷歌和微软）拥有并运营自己的数据中心。在花费数十亿美元建造大型托管设施后，他们安装了自己的光纤电缆和定制网络设备。这也意味着他们可以通过向其他人收取使用该设备的特权来赚很多钱。 ⁶像 Signal 这样的小型组织无法从头开始构建匹配的基础设施，因此我们（以及几乎所有初创公司和科技公司）向大型企业支付租金，以获得我们所需的带宽。

每天有数百万人使用 Signal，需要大量带宽才能提供快速可靠的服务。Signal 每年在带宽上花费约 280 万美元，以支持发送消息和文件（例如照片、视频、语音注释、文档等）以及启用语音和视频通话。

语音和视频通话比短信需要更多的带宽，而 Signal 的端到端加密通话功能是我们提供的最昂贵的服务之一。在语音和视频通话期间保护您的隐私方面，Signal 也远远超过其他消息应用程序，我们通过大幅增加带宽使用量来实现这一点，以提供高质量的通话体验。

举一个例子，Signal 始终通过隐藏IP 地址信息的中继服务器路由来自不在您的联系人中的人员的端到端加密呼叫。 ⁷

我们的竞争对手几乎没有这样做，而且 Signal 的默认行为比替代行为要昂贵得多。自动中继来自未知联系人的一对一语音和视频呼叫（而不是尽可能始终使用点对点连接）提供了额外的隐私层，但会导致 Signal 的呼叫相关中继服务器的带宽成本显着增加。在当前的流量水平下，支持 Signal 语音和视频呼叫所需的出站带宽量约为每年 20 PB（即 2000 万千兆字节），每年仅用于呼叫的带宽费用就约为 170 万美元，而这个数字不包括与雇用经验丰富的工程师来维护我们的呼叫软件相关的开发成本，也不包括支持这些呼叫所需的服务器基础设施的成本。

人性化的接触

Signal 不仅仅是在世界各地路由端到端加密消息和呼叫的隐私保护服务的集合。它也是一组跨平台应用程序和模块化开发组件（通常称为库），使这种类型的私人通信首先成为可能。因为常态是监视，所以我们经常需要从头开始创建或修改我们自己的库，交换隐私，而不是使用假设监视默认值的更常见的框架。当然，在生态系统的激励和基础设施促进监视和隐私侵犯的潮流中逆流而上，需要更投入的时间和更昂贵的费用，并且需要有奉献精神和经验丰富的人员。

首先，我们拥有三个不同的客户端团队，每个团队负责每个平台（Android、桌面和 iOS）。这些团队不断努力：适应操作系统更新、构建新功能，并确保应用程序可以在各种设备和硬件配置上运行。我们还有专门的工程团队来处理Signal Server及其所有基础设施、RingRTC等调用库以及libsignal等核心库的开发和维护。这些也需要不断的开发和监控。

产品和设计团队帮助塑造应用程序的未来并确定其外观和功能，而我们的本地化团队则协调 60 多种语言的翻译工作。我们甚至有一个全职的内部支持小组，与 Signal 的使用人员进行交流，并向其他每个团队提供详细的技术反馈和实时故障排除信息。这是一项重要功能，尤其是在 Signal 中，因为我们不收集有关人们如何使用 Signal 的分析或遥测数据。

这是一项艰巨的工作，我们是通过一个小而强大的团队来完成的。目前 Signal 共有约 50 名全职员工，按照行业标准来看，这个数字少得惊人。例如，日本流行的LINE消息应用程序的开发商 LINE Corporation 拥有约 3,100 名员工， ⁸而 Kakao Corp 开发KakaoTalk （一款在韩国流行的消息应用程序）的部门约有 4,000 名员工。 ⁹苹果、Meta 和谷歌母公司（Alphabet）等大公司的员工数量要高得多。 ¹⁰

为了维持我们持续的开发工作，Signal 总体运营预算的大约一半用于招聘、补偿和留住 Signal 的构建和维护人员。如果算上福利、人力资源服务、税收、招聘和工资，这相当于每年约 1900 万美元。

我们为能够向员工提供优厚的薪酬而感到自豪。我们的目标是在非营利组织的范围内以尽可能接近行业工资的方式向员工提供报酬。我们知道，我们无法提供股权、昂贵的婴儿围栏办公室或大型科技公司常见的其他福利。我们还知道，如果我们要提供一种服务，为拥有更多人员和资源的应用程序提供有意义的替代方案，我们就需要在竞争极其激烈的行业中招募和留住经验丰富且专业的员工队伍。我们不认为不稳定应该成为行善的代价。与大多数科技公司相比，Signal 的数字只是九牛一毛。 ¹¹

信号的增长意味着基础设施成本的增加，而拥有更多的基础设施需要更多的劳动力。截至 2023 年 11 月，Signal 的服务器网络每秒定期响应约 100,000 个请求，并且经常打破之前的记录。当全球可访问的服务开始每天处理数十亿个请求时，就会发生一件有趣的事情。突然间，百万分之一的可能性不再是独特或罕见的，随着 Signal 的发展，不可能的情况变得越来越常见。对于我们的工程师来说，编写自定义代码来重现深奥且复杂的IPv6连接问题并不罕见，该问题会影响在特定区域运行神秘操作系统配置的人们，但仅限于通过一组特定的互联网服务提供商进行连接时。 ¹²解决此类基础设施问题可能非常昂贵，因为隔离问题并开发解决方案可能需要大量时间和专业知识。

识别和解决神秘问题并不是唯一需要时间和技巧的事情。在隐私建设的背景下，以避免监视的方式添加通用功能或服务通常需要大量的工作和创造力。举一个例子，个人资料图片和个人资料名称始终在 Signal 中进行端到端加密。这意味着 Signal 无权访问您的个人资料名称或选择的个人资料照片。这种做法在业内是独一无二的。事实上，自我们首次宣布这一额外保护层以来已经过去六年多了，据我们所知，我们的竞争对手还没有采用它。其他通讯工具可以轻松查看您的个人资料照片、个人资料名称以及 Signal 无法访问的其他敏感信息。我们在这里的选择反映了我们对隐私的坚定承诺，但这也意味着 Signal 花了更多的努力来实现对个人资料照片的支持。我们的团队需要在代码库中开发新的方法和概念（例如配置文件密钥），而不是单个工程师的周末项目，他们致力于在延长的测试期后跨多个平台推出这些方法和概念。

当 Signal 在 Android 和 iOS 上引入对动画 GIF 搜索的支持时，同样的动态再次上演。工程师们并没有快速轻松地集成大多数其他应用程序使用的标准 GIF 搜索 SDK，而是花费了大量时间和创造力开发了另一种独特的隐私保护技术，该技术可以向 Signal 的服务器隐藏 GIF 搜索术语，同时也隐藏谁在搜索这些术语。 GIF 搜索引擎本身。后来我们扩展了这些技术，通过隐藏通过代理连接的流量来进一步混淆 GIF 搜索信息。

当 Meta收购 GIPHY时，许多其他应用程序都在争先恐后地应对该交易的隐私影响，Signal 员工知道我们几年前就已经正确构建了此功能，所以他们睡得很香。 ¹³

最近，Signal 已开始采取措施，通过为Signal 协议添加后量子抵抗能力，保护当今的对话免受未来的威胁。与这些研究和开发计划相关的财务成本是巨大的。它们对于在监控成为常态的动态行业中构建隐私保护技术也至关重要。

通过提供有竞争力的薪酬方案，Signal 帮助人们轻松选择开发造福世界的隐私保护技术，而不是为监控广告工业综合体工作。我们为我们的医疗保健计划、延长育儿假等家庭友好政策、灵活的工作时间以及许多其他福利而感到自豪，这些福利使 Signal 成为一个理想的工作场所。

这些东西需要花钱，但是 Signal 可以吸引人才从事隐私保护技术的世界看起来更具吸引力。

将来时

我们希望对 Signal 的一些运营和成本的粗略浏览有助于更好地了解 Signal 在技术生态系统中的独特地位以及技术生态系统本身。

我们的目标是开发一款由小额捐款支持和维持的开源私人信使，这一目标不仅雄心勃勃，而且我们相信，这对于存在至关重要。大多数消费技术的成本都是由监控承担的，这让人们认为“免费”是默认的，少数行业参与者已经积累了数量惊人的个人数据，并且拥有前所未有的能力以多种方式使用这些数据这些正在塑造我们全球的生活和机构。

换句话说，常态化的隐私侵犯的社会成本高得惊人，维护和维护替代技术从未如此重要。

Signal 正在努力证明一种不同的方法是可能的——一种将隐私置于中心的方法，组织对使用和依赖其服务的人负责，而不是对投资者或对增长和利润的无休止的追求。 。

感谢您的支持。每天为 Signal 工作是一种荣幸和荣幸，毫不夸张地说，如果没有你们，我们就无法做到这一点。请考虑通过我们的网站向 Signal 捐款或了解如何使用该应用程序捐款。