If you want to chat or call someone over the internet, there are plenty of full-featured options you can use. If you want to make sure governments or companies can’t peek into your messages, that list becomes a lot shorter. One of the most lauded secure messaging apps is Signal, an end-to-end encrypted app popular among journalists and other privacy-minded individuals, but simple enough that casual users have little problem setting it up and using it.
Signal is available on both iOS and Android devices as well as desktop PCs, uses data for all communications, and, unlike some other end-to-end encrypted messaging apps, is totally free. The app and encryption tech that keeps its messages secret are open source and have held up to professional scrutiny, though they haven’t entirely escaped criticism.
The tech community has been recommending Signal as a secure messenger for years. The Electronic Frontier Foundation includes guides for using Signal on its Surveillance Self-Defense tools page, and The Intercept, the publication cofounded by Glenn Greenwald, recommended it in a video. Heck, even Edward Snowden has recommended it.
The company behind the secure messenger, Open Whisper Systems (OWS), has shared the encryption tech behind Signal with other messaging services, including those made by Facebook and Google, but many of them still don’t implement end-to-end encryption in all chat options. Plus, those companies have a commercial incentive to collect and sell data. As Western governments pressure tech companies to create encryption-circumventing backdoors that grant law enforcement access to user calls and message data, OWS has remained steadfast in their pledge to collect as little data as possible and has designed Signal’s network to follow that ideal, keeping information safe in transit and only storing data locally on a user’s device.
“The protocol uses state-of-the-art cryptographic algorithms, relying on very good cryptographic assumptions, and has been scrutinized by many experts. Moreover, the cryptographic algorithms used for encryption are ones that we believe even the government cannot break,” said Tal Malkin, director of the Cryptography Laboratory at Columbia University and recent chair of the Center for Cybersecurity, part of Columbia’s Data Science Institute. Which isn’t to say that its tech prevents all conceivable attacks, especially ones aided by government budgets. “The government can issue other attacks which circumvent the cryptography, such as zero-day exploits, although such attacks require much effort and are expensive,” Malkin noted.
Still, Signal’s cutting-edge cryptography and the robust nature of its open-source development have earned Malkin’s approval: “I’d recommend Signal, and I use it myself.”
As Western governments pressure tech companies to create encryption-circumventing backdoors, OWS has remained steadfast in their pledge to collect as little data as possible and has designed Signal’s network to follow that ideal.
While other messenger services have grown under the umbrella of colossal tech corporations, Signal was created by, and remains, the product of a handful of people.
The two messenger services that eventually became Signal were created by security researcher Moxie Marlinspike and roboticist Stuart Anderson. Out of their mobile security software startup, Whisper Systems, which they cofounded in 2010, they released TextSecure for texting and RedPhone for voice calls, both of which provided end-to-end encrypted communication. A year later, Twitter bought the company and Marlinspike became the platform’s head of cybersecurity. They re-released their two encrypted communication services as open-source apps, and in 2013, Marlinspike left the social media platform to found the open-source project Open Whisper Systems.
At OWS, Marlinspike and others continued developing TextSecure and RedPhone, which were combined and released as Signal in November 2015. OWS introduced Signal for PC a month later as a Chrome app; it was relaunched as a standalone desktop client for Windows, Mac, and Linux in October 2017. This is the series of Signal apps we know today.
Back in 2013, the year OWS was founded, its initial members, Marlinspike and Trevor Perrin, also started developing the Signal Protocol, which packaged the cryptographic method that provided end-to-end encryption in Signal for other other services to implement. In the wake of Edward Snowden’s earth-shattering 2013 exposure of widespread U.S. government surveillance, encrypting communications suddenly became a pressing issue. Several major platforms approached OWS about integrating the Signal Protocol into their own messaging platforms, although they’ve gone to different lengths to actually implement it. Facebook started rolling out its Secret Conversations feature, which employs the Signal Protocol, to Facebook Messenger users in July 2016. Google’s Allo app, released in September 2016, uses the Signal Protocol in its optional Incognito Mode. And in January 2018, Microsoft introduced Private Conversations in Skype, also using the Signal Protocol. Each of these features requires conversations to be initiated as “private” in order to end-to-end encrypt all of the content that’s exchanged—existing chats can’t be converted after they’ve begun. Of the major players, only WhatsApp, which finished adding the Signal Protocol in April 2016, provides end-to-end encryption of conversations by default.
OWS maintains that its products are privacy-focused, save minimal personal information, and that, thanks to its end-to-end encryption, they couldn’t access messages or files swapped between users even if they tried. (Or if they were court-ordered: In 2016, the U.S. government subpoenaed the organization to hand over user information on a pair of accounts; the only data they could provide was the time of the accounts’ creation and the last time they had connected to Signal’s servers.)
From its inception, OWS has existed as a project that lives off of grants, free from VC money and the pressure to commodify data. In February 2018, Marlinspike and WhatsApp cofounder Brian Acton officially launched the nonprofit Signal Foundation with a $50 million investment from Acton. The foundation’s goal? To “support, accelerate, and broaden Signal’s mission of making private communication accessible and ubiquitous,” Marlinspike said in an announcement post.
Compared to well-known but functionally less secure apps, Signal is generally deemed a superior choice for privacy-minded users, casual or hardcore. But all communication platforms make trade-offs: Some are content with standard (not end-to-end) encryption to make it easier to scale, while others opt to make cryptographic and system design decisions, like minimizing user-identifiable information and how much data is end-to-end encrypted, that optimize for maximum security.
Signal falls much more into the latter camp, but it does make several trade-offs for accessibility. For example, the service requires a phone number (even with the desktop version), which is shared with someone when you send them a message. To keep your personal number completely private, there are workarounds you can employ, like tying your account to a separate phone, SIM card, VoIP number, or a service that lets you receive SMS for free, as explained in the InfoSec Handbook.
Signal also asks users to grant the app access to their contacts, but it doesn’t require this disclosure. This isn’t an oversight so much as another trade-off: OWS chose to make it easier for Signal users to know when their contacts also have the app and can be contacted securely. Per the service’s FAQ, the app periodically sends out cryptographically hashed phone numbers to Signal servers to discover who among your contact list also has the app, then discards your contact list. If you don’t want to let Signal access your contacts, you can enter phone numbers manually the first time you contact them (the digits, along with profile info like display name and picture, are encrypted and stored client-side). Of course, if you don’t give Signal access to your contacts, you won’t know if any of them have signed up for the service.
Depending on which platform you use, there’s also the potential for metadata leakage—not on Signal’s servers, which only store a bit of randomly generated authentication data, but through the operating system of your device. The content of your conversations is encrypted, but user alerts have to run through a device’s OS. In theory, this means that Apple and Google, for example, could know when you send messages and to whom you send them, according to the EFF’s Signal guides. That information could be handed over to government officials if requested. This isn’t unique to Signal, but it’s a potential problem for those who don’t want to leave any trace of the phone numbers they’ve contacted. It’s a drawback that may not impact other secure messenger platforms in the same way; Threema, for instance, primarily links users to randomly generated user IDs, rather than phone numbers or email addresses.
Those who are extremely concerned about their privacy can opt to use the desktop version of Signal, along with an operating system deliberately designed to maximize privacy, like Tails (which journalist Greenwald allegedly used to safely communicate with Snowden in 2013), Qubes, or Subgraph.
Some have also taken issue with Signal’s network approach. All communications are centralized, meaning they go through Signal’s servers, unlike platforms that use federated setups to run their traffic through many external servers. Marlinspike argued in 2016 that this makes it easier to update the services and maintain the network, especially for the Signal team, which lists less than 10 part- and full-time members.
OWS makes up for its small Signal staff by keeping the messenger’s software—and the Signal Protocol—almost totally open source, a move lauded by the cryptography community. Every commit in its GitHub repositories is visible to the public.
“The academic research community has long held as a principle that ‘security through obscurity,’ i.e., relying on the secrecy of algorithms or code instead of just the secrecy of keys, is not a solid foundation for security,” said Allison Bishop, assistant professor of computer science at Columbia University’s Data Science Institute. In a cryptographic protocol, “it’s rarely the math that breaks. Implementation bugs or unanticipated edge cases can lead to vulnerabilities in cryptosystems even when the underlying algorithms are well chosen. [An open-source codebase] allows it to be more easily tested and vetted by a wide range of practitioners and experts. In my opinion, this is a net benefit to the security of such a system.”
Cryptographically speaking, the Signal Protocol hasn’t been extensively analyzed, but researchers from the University of Oxford, the University of London, and McMaster University in Canada who undertook the first formal security analysis of Signal noted in a November 2017 paper that they had not uncovered any significant flaws. “As with many real-world security protocols, there are no detailed security goals specified for the protocol, so it is ultimately impossible to say if Signal achieves its goals,” they wrote. “However, our analysis proves that several standard security properties are satisfied by the protocol, and we have found no major flaws in its design, which is very encouraging.”
In addition to Facebook Messenger, Google Allo, and Skype, higher-security messaging services like Cryptocat, Silent Circle, ChatSecure, Viber, and Pond implement the Signal Protocol. But not all implementations are equal, and each of these services does things differently, such as how they identify and authenticate users. In that sense, simplified head-to-head comparisons between any of these and Signal belie the distinctly different engines running under the cryptographic hood, so to speak.
“In terms of the core cryptographic design, which is the part I know best, Signal’s approach on end-to-end [encrypted] messages between two parties is a good design, and I don’t think it has any fundamental flaws,” said Douglas Stebila, associate professor in the Department of Combinatorics and Optimization at the University of Waterloo, one of the coauthors of the Signal Protocol analysis paper.
Stebila specifies “two parties” because group messaging might introduce unforeseen vulnerabilities; researchers uncover these every so often. In January 2018, researchers from the Ruhr University Bochum in Germany published a paper revealing a tiny flaw in Signal’s cryptographic setup that could theoretically be exploited. They identified a way for individuals to infiltrate a group message, though pulling it off would be almost impossible. Johns Hopkins University professor and cryptographer Matthew Green wrote: “The good news is that in Signal the attack is very difficult to execute. The reason is that in order to add someone to your group, I need to know the group ID. Since the group ID is a random 128-bit number (and is never revealed to non-group members or even the server), that pretty much blocks the attack.”
Because Signal doesn’t require any specialized knowledge to use, it has the potential to become widely accessible. But traffic to and from Signal’s servers has been inadvertently or intentionally blocked by telecommunications firms and governments attempting to stifle activism. For a time, Signal was able to evade deliberate censorship through a technique known as domain fronting, which involves routing traffic through a much larger provider that foreign governments couldn’t reasonably ban. Signal openly used Google and Amazon’s web services in this way to shield their traffic, but in the spring of 2018, Google halted domain fronting entirely, which stopped organizations like Signal from evading sanctions. Amazon followed suit shortly thereafter, leading the shorthanded Signal team to start searching for a new way to get its services into Iran, Egypt, Qatar, and other countries where it is banned.
Elsewhere, journalists have been able to use Signal as a secure communication method to contact sources. Major publications, including The Washington Post and The Guardian, have listed their Signal numbers for tips and contacts. But they also list less secure services like WhatsApp as alternative communication methods. It’s an example of the compromise news organizations make to connect with sources on the platforms they’re most familiar with—and it may be indicative of a broader challenge to widespread adoption.
Any messenger service’s user base grows based on word of mouth and ease of use. But “encryption” can sound intimidating, and casual users may perceive security-focused apps as too awkward to use in daily life, regardless of their actual usability. Whether casual users need Signal’s layers of security or would be fine sticking with semi-secure services like WhatsApp, Facebook Messenger, or iMessage oversimplifies the issue. Not all users of encrypted messenger services choose them because of clear and present threats to their privacy; some choose greater conversational security on principle, because they believe that nobody should have access to their chats.
We may grudgingly accept tech giants harvesting our data as an inevitability, a sort of payment for using their services. Many casual users don’t even know that they can switch to a more secure service and lose little functionality. But now that you do, what’s stopping you?