Signal is flawed in that it’s centralized on Amazon servers, requires a phone number, and can not be self-hosted. However regular SMS is so horrible, and Signal is so intuitive for new users, that telling people not to use it likely does more harm to privacy than good.
Signal also recently announced that in the future there will be usernames, but this is still in beta and requires a phone number in the beta. The beta version can not communicate with the alpha version, so we’ll have to wait for usernames to be mainstream. In the meantime, here are some tips to improve:
1) Turn off read receipts
Signal has a system called “Sealed Sender” to hide metadata, but it’s flawed. It works by putting the metadata of who sent the message inside the encrypted packets. However, cybersecurity researchers from the University of Colorado Boulder, Boston University, George Washington University, and U.S. Naval Academy, found that Sealed Sender could be compromised by a malicious cloud host in as few as 5 messages to reveal who is communicating with who. In this paper published by NDSS, headed by Ian Martiny, these researchers found that Signal’s “read receipts”, which lets the sender know that the receiver got the message, can be used as an attack vector to analyze traffic. This is because read receipts send data packets right back to the sender.
Therefore, our recommendation to increase metadata protection is turn off read receipts, which can be toggled in the security settings.
2) Don’t use an American phone number
In an earlier post on burner numbers, we talked about burner crypto text services, such as virtualsim.net which allow you to pay a tiny bit of crypto for a 1 time SMS code. If you can be anywhere in the world, why would you pick a jurisdiction that’s hostile to privacy? You can reach us on our Cambodian line! Remember that spacing matters on Signal. It’s counting +4 4 and +44 as different countries.
3) Use Signal only for people you know
Signal has poor metadata protection because your real life friends likely don’t have DeGoogled phones, so they’ll save your burner Cambodian line as your real name in their contact list, and then their contact list syncs with Google or iCloud and your anonymity is blown.
So if you want to hide that you’re even talking to someone, then use SimpleX, Session, XMPP, or one of the many other options.
4) You can have multiple profiles with different numbers
With Graphene you can have different user profiles with new numbers, or even within the same user profile on a Work one. If you use a 2nd Work Profile number, just remember that the Amazon server can see two numbers pinging for messages from the same IP, so set your VPN to the largest city you can to disguise and don’t change cities/countries on both accounts at the same time. You could use numbers from different countries to throw them off too, but at the end of the day, Amazon would probably see that your Cambodian and Ohio identities both wake up at the exact same time every day.