What is Signal?Friday 5 Jun 2020, 10:11 pm
Signal is a free, end-to-end encrypted, open source messaging platform.
Oh, like WhatsApp?
Sort of. Functionality-wise, yes. WhatsApp is also free and end-to-end encrypted.
So WhatsApp is good?
It’s better than Facebook Messenger (unless you use secret conversations, in which case Facebook Messenger and WhatsApp are essentially equivalent).
In fact, WhatsApp uses the Signal protocol for message encryption (the one which was developed by… Signal), as do Facebook Messenger’s secret conversations, and Skype’s private conversations.
So why not use WhatsApp?
Because sometimes, it’s not just the messages which are the issue. Facebook (who own WhatsApp) can and do use the metadata about your conversations to target advertising. They can see who you spoke to, when, for how long (or how many messages you sent), and cross reference this with other data Facebook might have (Instagram photos, Facebook check-ins and likes, etc.) even if they can’t see what you said. They can also track any message which loaded an external link (eg: a YouTube video), and your message back-ups are not encrypted.
Why does that matter if they can’t actually read my messages?
Kurt Opsahl wrote a great article on this back in 2003, here are some examples he shares:
They know you rang a phone sex service at 2:24 am and spoke for 18 minutes. But they don’t know what you talked about.
They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour. But they don’t know what was discussed.
They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret.
They know you called a gynecologist, spoke for a half hour, and then called the local Planned Parenthood’s number later that day. But nobody knows what you spoke about.
One aspect he doesn’t touch on is drawing inferences based on your social graph:
You and twenty-eight other people communicate in an international WhatsApp group. Twenty-seven are gay and out. In your country, homosexuality carries the death penalty. But encryption means your sexual orientation is a secret.
But can’t Signal gather metadata?
Not really. Obviously, there’s some minimal metadata which is inevitably required, such as who a message is being sent to and at what time, but Signal operate something called ‘sealed sender’, which means that the details of the person sending the message are also encrypted. Signal do not store this data beyond for message delivery, and in fact the only data they have store is your account creation time, and the day of your last log in.
Signal also implement forward thinking ways of minimising metadata. For example, they built private contact discovery to ensure that you can find out which of your contacts are Signal users without Signal knowing who your contacts are. They designed the private group system to make it so it’s not possible to work out who is a member of a group chat (unless you’re a member of the group too).
So why is it free?
Signal is a non-profit, funded by various privacy organisations and an investment from one of WhatsApp’s founders, who left because he disagreed with Facebook’s leadership approach.
Can I trust them?
No, but that’s the point. You’re not supposed to. They’re doing a lot of work so that you don’t have to trust them. First off, their source code is open. That means anyone can read through and help to fix security flaws. Secondly, they’re doing their best to minimise the data they have on you at any one time. Thirdly, they’ve engineered systems into the clients that ‘prove’ cryptographically that your metadata is secure. Right now, it’s probably your best option.
But I’ve never heard of it…
Perhaps not. But the EU want their staff to use it. Major newspapers recommend it for secure whistleblowing. It’s approved as a secure messaging solution by the US Senate. Infamous whistleblower and former NSA analyst Edward Snowden endorses it.
But hey, if you’re not ready to give up WhatsApp yet, that’s cool - you can install Signal alongside whatever other messenger applications you might have.