Signal is an open source, end-to-end encrypted messaging protocol with a centralized Amazon cloud server. Even though the contents of your messages are encrypted, there are still mistakes you can make that compromise your privacy. There is supposedly a system to hide metadata called “sealed sender”, but as we will discuss, it is flawed. Here’s a bullet point overview; then we’ll move into a more detailed description and tips for use. You would get a lot out of subscribing for free to our new content by email, by Session messenger, via RSS feed, our Ethereum push notification channel, or on Nostr.
The advantages of Signal are:
1) It’s open source
2) Its secure end-to-end encryption
3) It’s widely used. It’s popular and easy to use
4) Audio/Video phone calls are high quality due to the centralized server
5) The user can set messages to disappear after a period of time
6) The centralized server has no access to your message contents
The disadvantages of Signal are:
1) Its use of Amazon (AWS) servers, and the dangers of metadata leaks from this. It’s “sealed sender” system has flaws
2) Signal requires a physical phone device to set up (but not required to use it)
3) It requires a phone number (although burner VoIP can be used)
4) It’s based on phone numbers, and tech companies sync user phone contacts. So Big Tech could find out who you’re using Signal to communicate with even if it’s a new anonymous number because the same web of contacts would add you.
5) Because it’s forced to be set up on a physical phone device, your uneducated friends using Google or Apple phones could potentially compromise the communication.
To be both secure and anonymous with Signal, both you and all the people you’re contacting would need to set Signal up with degoogled phones and burner phone numbers. In the real world, this is not very practical if you use Signal as a daily driver. Most of your friends and family will likely have compromised devices.
Signal is great for preserving the content of your communication, but horrible for keeping your web of contacts anonymous. While it’s entirely possible to have multiple Signal clients set up with different setup phone numbers for different groups of contacts, at the end of the day there are better tools for this goal.
Signal is best used for people you know. Session, Briar, and XMPP are better used for people you don’t know. The bottom line is if you want to hide that you know someone, Signal isn’t the best choice to talk to them. It’s not impossible, but you’d be trusting the other person’s security practices for both their phone’s operating system and their contact saving policies.
Signal requires it to be setup on a phone, so you’re going to want to use either a degoogled Android or virtual box Android emulator on a Linux PC.
Sync with Desktop
Once you set up your account on a degoogled phone, you can transfer it to your Linux Desktop, which may be more private if you have a SIM card in your device. Even if a phone is degoogled, it will always be less private than a computer if it has a SIM card because the SIM card presents a backdoor for hacks and leaks your location.
Desktop sync gets encryption keys
When you transfer and sync your Signal account from your phone to the desktop, you’ll need the internet on both devices to scan the QR code. The reason that you have to scan the code is because Signal is transferring the private cryptographic keys from device to device. This prevents the centralized server from having the ability to decrypt messages, which is called “zero knowledge” and makes it trustless for the message contents.
Signal has the advantage of being zero knowledge and private while having a single centralized server to be extremely fast for video calls.
The biggest disadvantage of a centralized server is that the server can collect a large amount of metadata, which is who is talking to who and when. In this case, we’re talking about Amazon’s cloud, which also serves the CIA. Sometimes metadata can be a bigger deal than the contents of the message itself. Signal will claim that this metadata is not collected, and demonstrate it by publishing their server side code as open source, but the end user has no way to verify this code is actually running on the Amazon cloud server. An FBI request to the Signal Foundation has demonstrated that in this one case, they did not collect the metadata, but ultimately we have to trust them.
Sealed Sender is Flawed
Signal has a flawed system called “Sealed Sender”, which encrypts the metadata of who sent the message inside the encrypted packets. However, cybersecurity researchers from the University of Colorado Boulder, Boston University, George Washington University, and U.S. Naval Academy, found that Sealed Sender could be compromised by a malicious cloud host in as few as 5 messages to reveal who is communicating with who. In this paper published by NDSS, headed by Ian Martiny, these researchers found that Signal’s “read receipts”, which lets the sender know that the receiver got the message can be used as an attack vector to analyze traffic because it sends data packets right back to the sender. [Linked here] Therefore, our recommendation to increase metadata protection is turn off read receipts, which can be toggled in the security settings.
What Phone Number
In addition, you’ll want to use a secondary anonymous phone number for Signal. However, as we pointed out earlier in this article, this second anonymous phone number likely will quickly be identified by Big Tech as you. This is especially true if you’re talking to the same contacts as you did on a KYC phone number without Signal, and your friends and family all have regular Google or Apple phones.
As we went over earlier, unless you’re using a degoogled or Linux phone, Signal will sync contacts, and even if your friends don’t save this new number with your real name, the exact same web of contacts will be a match to even the most basic AI model.
You might be wondering what the purpose of using a secondary anonymous VoIP number for Signal is if it’s going to be still identified by Google and Apple as you.
These are the benefits of a second number:
1) It hides your physical location
If you use the same number as your cellphone’s SIM card, then you’ve identified to Google and Apple where you physically are standing even if you have a degoogled phone.
2) Over time the AI’s ability wanes
As you make new friends, talk to old ones less frequently, and your friends change numbers, the ability of Big Tech’s AI to predict which numbers are you will decrease. If you are committed to privacy, it will pay off in the long run.
3) Google isn’t the only tracker
While Google or Apple’s AI might be able to pin a new number as you for a limited time when you first begin with privacy, the random people you meet won’t. If the number is KYC to your name, it’s in all types of databases that are resold or publicly available to search.
4) The legal liability changes
What is done on a phone number that’s KYC registered to your name may change how courts and law enforcement can treat supposed evidence against you in some countries.
How to Avoid the AI
One positive note is that if a person you’re talking to does have a degoogled phone, then the fact that you two know each other wouldn’t be known to Big Tech.
Another possibility is to ask people you’re talking with to not save the Signal number to the phone’s contact list and just keep it within the Signal app as a message. If they are concerned with accidentally deleting the message or losing their phone, we recommend saving it on in a Linux desktop text file (or for “technology noobs,” writing it down on physical paper).
Burner Number Services
We outlined in an earlier article our recommendations for burner VoIP numbers and cellphone service. We highly recommend you read that article for a comprehensive overview to make a decision but if you are extremely busy, here’s a general overview:
Our favorite and recommended service for great secondary anonymous numbers to use for Signal is JMP.chat. JMP.chat allows you to pay in Bitcoin for a burner line for roughly $3 in BTC or XMR a month. This number connects to an XMPP client, which is a free and open source messaging platform working on both desktop or mobile. JMB is reselling Twillio numbers for a higher price. But if you got it directly through Twillio, you’d have to use government fiat which we strongly reject.
Our second recommendation is Hushed, but not to be used directly on your phone. Instead for privacy it should be used on a Linux virtual machine, Lineage emulator. This app is not open source but can be contained to the VM. Hushed will require you to pass Google Captchas and appear to not be using Tor for third party payment processing from Coinbase. While these are annoying obstacles to pass, ultimately Hushed gives anonymous crypto access to the same Twilio VoIP numbers that many other KYC services use.
Our third recommendation is to use a temporary online cryptocurrency burner service, such as ‘SMS US Mobile numbers, which can be found here:
This burner SMS service will let you to pay in cryptocurrency to control a US phone number for 10 minutes to verify accounts like Signal. (It has many other services offered though, such as Gmail verification).
After 10 minutes, when you relinquish control of the burner number, someone else would need your Pin code to access the Signal account’s past and sync devices. But the Pin could be reset to create a new account and override you out.
Therefore, we do not recommend using a temporary burner service for a permanent Signal account. Instead, it should be used for one time or one contact conversations where you also have an alternative contact method.
When setting up Signal, make sure to pick a complex and long password because it’s the only thing that prevents an adversary (such as a malicious government) with access to the phone number from syncing their device also. If they sync their device, they wouldn’t get your past messages, but they’d be able to see new incoming messages.
You will NOT be required to type this PIN/Password to log in, so you should pick as long and random/complex a password as you can, since you’ll barely ever use it. In fact, the only time you’ll actually use it is to restore the account on a new phone. You can generate and store your complex password on a free and open source secure password manager, such as KeePass on Desktop or KeePass XC from the F-Droid Store for degoogled phones.
Issues with International Numbers
You may face issues with adding international numbers. Signal requires the exact spacing on the number to be correct. For example, if your country code is +44, then you’d need to use +44 XXX XXXX, not +4 4XX XXXX. A quick way to figure out the correct spacing is to ask your friend to tap his or her avatar and then screenshot the number.
Issues with Adding New Users
When a user first creates an account, often he or she won’t yet show up to others on their devices. The easiest way around this is to have the brand new user add the experienced user.
You would learn a ton on privacy by subscribing for free to our new content by email, by Session messenger, via RSS feed, our Ethereum push notification channel, or on Nostr. Signal is a powerful tool for privacy that we highly recommend. However, it has some limitations, and so it should be used with discretion. You shouldn’t think just because you are using Signal that you’re invincible.