Practical privacy and simple cybersecurity.
TheNewOil.org

2021 Review: Signal

Even if you’re not big into privacy or security, you’ve likely at least heard of Signal. The WhatsApp/Telegram competitor rose to mainstream prominence earlier this year, when WhatsApp announced planned changes to their privacy policy and Elon Musk almost immediately tweeted “Use Signal.” Though the app had been around for years, these two factors combined to catapult Signal into the mainstream consciousness overnight, hitting the number one spot in multiple countries’ app stores and even crashing the servers for a weekend. So what is Signal, should you use it (and why, if yes), and how does it rank for those who value their privacy and security?

The Service

Signal is an end-to-end encrypted messenger, similar to WhatsApp or (arguably) Telegram. Based in the US, it was founded by Moxie Marlinspike around July 2014. It allows voice, text, or video chat to any other user (one-to-one or up to five at once) and has a variety of features that might appeal to mainstream users like stickers and GIFs. Signal's encryption is built on the Signal Protocol, which I will discuss more in a moment.

The Good

Actually, let’s just go ahead and start there. Signal’s encryption is good. Like, really good. So good that according to the Vault 7 leaks, the CIA has considered pretty much every insane idea to circumvent it because they can’t actually crack it. While Signal has its fair share of detractors and criticisms (some of them valid, many of them not), you can’t knock them for their encryption. It is world-class, and is even used by WhatsApp, Facebook Secret Messages, Skype, and even Google (they know a thing or two about security). The app itself is used by the EU Commission, numerous politicians, journalists, whistleblowers, and law enforcement. Unarguably, you can’t get much better security than Signal.

Setup is – as I like to call it – insultingly easy. Seriously. If you’ve never tried Signal before, go do it right now just so you can see how ridiculously easy setup is. You download it, you basically hit “next” three or four times, and you’re ready to go. On Android, you can even make Signal your default messenger so that if you text another Signal user but don’t know they use Signal, it will automatically make use of the encryption. Actually using the app is also incredibly easy, with very intuitive and plain-English buttons, menus, and options.

Signal is fast, stable, and if you don’t want to use your SIM number (I’ll mention that in a second), you can use a VoIP number with no additional work except that you have to manually enter the verification code rather than Signal pulling it automatically. Messages are end-to-end encrypted by default, unlike services such as Telegram which require you to enable encryption. Perhaps most importantly, Signal as a company has a proven track record of not logging any user data and having virtually nothing to turn over to police when requested.

The Bad

Signal’s downsides are, in my opinion, few and far between. However, they are legitimate and worth noting. One “bad thing” that some people note is that Signal is based in the US. Given that Signal is open source, audited, and has proven themselves to respect user privacy, I personally don’t think this is a big deal. However, the US government is a notorious enemy of privacy. For the vast majority of people, I wouldn’t consider this a reason not to use Signal, but it is worth being aware of what laws Signal is subject to and the hostility the company faces from the government.

The next most obvious flaw is that Signal requires a phone number to use. Phone numbers are as good as social security numbers these days and a quick web search of a phone number can turn up tons of identifying information. While one can use a VoIP number (as I mentioned above), most people won’t (not to mention that this alienates people who don’t have a valid phone number and can’t get a VoIP number). This is a realistic potential privacy and security risk for every user, and while Signal has said they plan to roll out usernames in the future, they’re not here yet and last time I checked there was no real word on when “the future” would arrive.

Let’s address the elephant in the room: the Mobilecoin incident. For those who don’t know, Signal went almost a year, from Spring 2020 to Spring 2021, without publicly posting the source code for their server. They continued to share the client source code, and those who examined it found it was still secure; however, the client very obviously was contacting a newer server version than the one that was posted, and Signal refused to say why they hadn’t updated it. Speculation ran rampant about malicious backdoors, government gag orders, and more. It turned out that Signal was laying the groundwork to integrate a privacy-respecting payment platform with a cryptocurrency called Mobilecoin. This move was considered highly controversial for a number of reasons. Among some of the most valid and popular reasons: it was considered highly unethical and shady to keep users in the dark about the server code updates, integrating cryptocurrency can attract unwanted attention from government regulators like the IRS and FTC, and many users expressed concerns about what impact this would have on the security of Signal and the possibility that this was all a “pump and dump” financing scheme. You can find my take on this story here and you can find a (in my opinion somewhat sensational but factually correct) deep dive here. Here’s the takeaway from all this: while this incident – at this time – does not indicate any sort of technical compromise with Signal’s privacy or security, it definitely cast a lot of doubt on them as an organization ethically.

Last but not least, there’s also been a lot of rightful accusations and concerns about Signal’s infrastructure, such as using services like AWS and Google to support their cloud. While – again – there’s no reason to suspect that Amazon or Google have any access to user messages or data, it is understandably troubling that using Signal also means supporting some of the biggest enemies of privacy on the planet by proxy. One could consider this the necessary evil of making Signal reliably available to the masses, but it’s still not comforting. Moxie has also been very strict about refusing to allow Signal to be decentralized or federated, even going so far as to legally pursue and shut down forks that attempt to be interoperable with Signal. Once again, this is done in the name of keeping Signal scalable and reliably secure (if everyone can run their own server, some servers will inevitably fall out of date due to lack of administrative maintenance which will create security risks for everyone involved) but it’s still a ding for people who value decentralization.

Final Verdict

I’ll be honest: I like Signal. The stability, the ease of use, it can’t be matched. I use Signal for 90% of my conversations with friends, family, and even a good chunk of The New Oil conversations. There are never any issues with key exchange, the messages arrive quickly, the call quality is clear, communication is reliable, and it’s just so freaking easy. There’s no easier messenger out there. However, I’m not a Signal fanboy who will defend them to the ends of the Earth. Their opacity during the Mobilecoin incident was inexcusable, and I’ve already gotten all my close family to sign up for Matrix in the event that we ever have to jump ship on Signal (if Session rolls out voice calls any time soon then I’ll move them all to that instead, Session is also easy to set up). I like Signal, but as soon as I see any reasonable indication that they've been compromised, I'm out.

The moral is this: Signal is not a perfect company. In their defense, I’ve yet to find a “perfect” company or “perfect” anything really. They've made some ethically questionable business decisions and they could check more privacy-enthusiast boxes if they did things differently. But they are reputable, proven, and perfect for the masses. If you have a high threat model or like to go to the extreme for your privacy, Signal may not be for you (at least not yet). But for 95% of people reading this, Signal is just fine. They take user privacy and security seriously and they’re easy to use with a plethora of features. I whole-heartedly recommend Signal to most people. If you’re still looking for a messenger, I think this one is worthy of your consideration.

You can download Signal here.
