OPEN SOURCE Signal to Move Away from Phone Numbers
SIGNAL PRIVATE MESSENGER, the gold standard for open-source private messaging, is to move away from phone numbers as the primary user ID. This is great news, and may help the app reach more users. At the very least, it will be a boon to privacy.
You might not be comfortable giving up your private number to some individuals.
For as long as I’ve been writing about tech, I’ve preferred services and software that help protect privacy. I switched to using Signal as my default mobile messaging app years ago. Since then, Signal has gotten features such as Giphy integration and video calls. But one thing has always irked me: The use of a phone number as a user ID.
For all its accolades, Signal has been criticized for tying a user to a phone number. For users who might want a new number (to avoid calls from a persistent ex, for example), keeping in touch with Signal contacts meant setting up new conversations, security numbers, and a lot of headache. More importantly, talking to someone over Signal required giving out your phone number.
For friends and family, this is clearly not that big a deal. But what if you want to talk with someone you meet at a conference or over Twitter? You might not be comfortable giving up your private number to such an individual. Some other means of establishing identity would be clearly preferable.
The Signal developers have heard calls for this type of feature, and will be releasing it in an upcoming version of the Android client. The 4.50 release gives each user a universally unique identifier (UUID) that will act as the user ID.
While the consequences are largely (as Signal puts it) “behind-the-scenes,” the implication is that users may be able to offer up their UUID online without worrying about revealing phone numbers.
There are other enhancements, too. The 4.50 release will offer up insights to the user, showing what percentage of recent messages were encrypted versus served over unsecured SMS. The analysis will be computed by the device, requiring no communication with Signal servers. For users like me, who use Signal as their primary messaging app, this can be a valuable tool to see how “secure” their conversations are at a glance. Such privacy auditing tools can be useful for those with more stringent privacy requirements.
Truth be told, the messaging landscape is a mess. Apple users have iMessage, which enables encrypted communication, but only with other Apple devices. (Android users famously show up in green chat bubbles.) SMS and MMS are antiquated and insecure. Other platforms, such as Facebook Messenger, WhatsApp, and others, compete with Signal in the third-party messaging space. (Note that WhatsApp uses a version of the Signal protocol under the hood.) The upcoming Rich Communication Services (RCS) standard is being developed by carriers to modernize SMS and MMS to create something more like Google’s now defunct Allo. Currently, Google’s Messages app is RCS-capable, but the standard isn’t end-to-end encrypted (E2EE) like Signal and iMessage are by default. And if Signal did add support for RCS, it would serve as an unencrypted fallback, much like how Signal handles SMS and MMS.
The heterogeneity of messaging standards makes secure chats a pain. Either you use a system everyone else does, even though you don’t prefer it (such as iMessage or WhatsApp), or you have to convince your contacts to use another (such as Signal). While this barrier may persist for some time, allowing people to use Signal without relying on a phone number could be a boon for those who wish to use it on laptops or other devices without the need to tie it to a phone.
Alex Campbell is a Linux geek who enjoys learning about computer security.