A private, open-source secure and encrypted messenger.
"I trust Signal because it’s well built, but more importantly, because of how it’s built: open source, peer reviewed, and funded entirely by grants and donations. A refreshing model for how critical services should be built" — Jack Dorsey
"Out of the three apps, Signal has the best reputation for security and privacy using published encryption that has been thoroughly scrutinised and without any incentive to capture your personal information" — Gareth Owenson CTO of Searchlight Security
I've written before about online privacy, a topic most close to my hermit heart. I've become something of a tinfoil-hatter with regard to my privacy, stopping just short of getting off the online world altogether. It might seem odd that I say this, given that for a tad over twenty years I've been putting my thoughts, events, hopes and fears down in writing here. The truth is that there are things I'm happy for people to see, and those things I put here, for example. But equally, there are things I don't want people to see, and I keep those private.
The best way I can put it is that I don't want people looking over my shoulder at what I'm writing (or reading!) and whilst I have nothing to hide, I will wear clothes in public because I'm very particular about who I let see my winky.
Signal provides apps for both Android and Apple phones, as well as a desktop application written in Electron (which works in Windows and Unix-like operating systems equally well). Whilst the Android app can also be used to send regular SMS messages to non-Signal users, Apple's walled garden mentality means that you still need to keep their Apple Messenger alive for SMS and MMS. The apps also enable you to make and receive encrypted voice and video calls. The project itself is funded by contributions to the non-profit Signal Technology Foundation which channels funds to the development team.
Supporters and users include journalists, rights activists, lawyers (my own lawyer uses it) as well as some well-known figures such as Edward Snowden and Bruce Schneier.
The Philosophy
Simply put, the Signal Foundation believes that communication should be private, secure and protected. Using end-to-end encryption based on Open Whisper Systems' TextSecure protocol, it keeps nothing except your phone number. Messages sent to another Signal user (including any attachments) are encrypted locally and then sent via Signal's servers and delivered to the other user or users. Group chats, voice and video calls work in the same way.
The phone apps allow the program to be locked until you enter a passkey or token. You can tell if another user has changed devices by checking a "safety number", which the two users compare to verify each other's identity. It isn't perfect, of course, but it does provide reassurance that Signal knows what's up.
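To make the safety-number idea concrete, here is an added example (not part of the original post, and not Signal's code) using a simplified model: each party's identity key is hashed into a 30-digit fingerprint, the two halves are sorted so both phones show the same 60 digits, and a new identity key produces a different number. The hash construction, iteration count, keys and user identifiers are all assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Optional

ITERATIONS = 5200  # assumed work factor for this model

def fingerprint(identity_key: bytes, user_id: bytes) -> str:
    """30-digit fingerprint of one party's identity key (simplified model)."""
    digest = identity_key + user_id
    for _ in range(ITERATIONS):
        digest = hashlib.sha512(digest + identity_key).digest()
    # Six 5-byte chunks, each reduced to five decimal digits.
    chunks = (digest[i:i + 5] for i in range(0, 30, 5))
    return "".join(f"{int.from_bytes(c, 'big') % 100000:05d}" for c in chunks)

def safety_number(key_a: bytes, id_a: bytes, key_b: bytes, id_b: bytes) -> str:
    """Sort the two halves so both devices display the same 60 digits."""
    return "".join(sorted([fingerprint(key_a, id_a), fingerprint(key_b, id_b)]))

def check(verified: Optional[str], current: str) -> str:
    """Compare the number verified earlier with the one computed now."""
    if verified is None:
        return "unverified"
    return "match" if hmac.compare_digest(verified, current) else "changed"

# Constructed sample keys and identifiers, not real key material.
ALICE_KEY = bytes(range(32))
BOB_KEY = bytes(range(32, 64))
BOB_NEW_KEY = bytes(range(64, 96))

if __name__ == "__main__":
    before = safety_number(ALICE_KEY, b"alice", BOB_KEY, b"bob")
    print("Alice sees:", before)
    print("Bob sees:  ", safety_number(BOB_KEY, b"bob", ALICE_KEY, b"alice"))
    # Bob reinstalls or moves to a new device and gets a new identity key.
    after = safety_number(ALICE_KEY, b"alice", BOB_NEW_KEY, b"bob")
    print("After Bob's key change:", check(before, after))
```

The comparison only helps if the two people check the digits over a channel they already trust, such as in person.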
Being open-source, they invite comment on their encryption and security, and encourage people to examine the code for vulnerabilities. Many groups and individuals have remarked on their security and many have suggested that it is the best method of communicating privately. Even the FBI¹ has to admit that of all the messengers, theirs ranks lowest in terms of what they give away–a Good Thing for Signal users.
"Unsurprisingly, the apps that appear to give up the least information are privacy-focused apps, Signal and Telegram.
"Signal provides the date and time a user registered and the last time they opened the app, while Telegram may disclose IP addresses and phone numbers in the case of confirmed terrorist investigations." — Trusted Reviews
Other privacy features are incorporated, too, and have value depending on one's threat model. One is disappearing messages, which allows each user to give each message a lifetime, or have it deleted after being read. This reduces the chances that, if the device were compromised, the hypothetical agent could access the exchange.
Other features include blocking screenshots of messages in the app. Whilst they have introduced new features over the years such as the ability to easily add GIFs and other attachments, stickers and many UX additions, they have stuck close to their original brief, namely to provide a secure and private means to communicate.
The future looks bright, too. Each time there's a furore about other messaging systems (as when WhatsApp announced changes in 2021 to weaken user privacy), users flock to Signal because of its reputation. Technical changes will further increase privacy, the most anticipated being removing reliance on using a phone number as the primary identifier of the account². How or when that will happen we don't know, but meanwhile it doesn't deter me from using their products, safe in the knowledge that if I do choose to "show my winky" it will only be to those I trust.
Of course I couldn't leave without another relevant xkcd, this time on the topic of rubber-hose cryptanalysis—here.
¹ FBI infographic
https://en.wikipedia.org/wiki/Signal_(software)
https://signal.org
https://www.trustedreviews.com/news/is-signal-safe-4129801
Feel free to ask me if you want to reach me here.
² Actually, this happened on 20th February, 2024. Huzzah! Even more privacy!