Following the election of Donald Trump, many concerned about the future of surveillance have signed up for secure messaging systems, like Signal, which saw a 400% increase in daily downloads in the weeks following election day. Yet that app can also provide a false sense of security by revealing who uses it, based on their phone numbers. And as President-elect Trump’s own pick for CIA director, Rep. Mike Pompeo, told Congress, the use of encryption in personal communications can be a factor used against American suspects.
When you sign up for Signal, it plugs into your address book. That lets you see who else in your contacts list uses Signal, and lets others see that you have joined Signal as well (even firing a notification to others about new users). In recent weeks, Signal users have seen their contact lists swell. But as some have pointed out, these user lists, which cannot be opted out of, undermine attempts to communicate securely. Simply put: If you know someone’s number, you can tell whether or not that person is on Signal.
For example, employers, law enforcement, and other government agencies could create and upload address books of suspected leakers to check for matches. This means if a whistleblower signs up for Signal to communicate with a reporter, that whistleblower becomes much easier to identify. The app even calls out new users; when someone in your address book signs up, the app sends a notification encouraging you to greet them. And while you can opt out of receiving these notifications, you can’t opt out of having them sent about you. Worse; nor can users opt out of letting others see whether any given phone number is associated with a Signal account.
“There is definitely some form of privacy leak here,” Matthew Green, a professor at Johns Hopkins University who focuses on applied cryptography, told BuzzFeed News. “If I join Signal with my real number, anyone else who knows my number can see if I'm on Signal. It is definitely something to be cognizant of if you are concerned about people knowing you use the software.”
Moxie Marlinspike, the founder of Open Whisper Systems, the nonprofit behind Signal, told BuzzFeed News, “Using Signal is not supposed to be a secret. We’re trying to develop a messenger that’s for everybody. That is something that people can use for all their messaging, every day, and in every context. It’s not designed just for super-secret spycraft.” For people with concerns about being tied to their phone number, Marlinspike suggested using a throwaway Google Voice or VoIP number to sign up for Signal.
While the app is marketed as a tool secure enough even for secretive figures like Edward Snowden, users may not realize they need to take that extra, cumbersome step of setting up a secondary phone number to enhance their privacy. This could leave them vulnerable to detection.
To its credit, Signal only stores contact lists locally. Signal doesn’t save users’ contact lists on its servers. And when the government subpoenaed Open Whisper for information associated with two phone numbers last year, it turned over just the date a user signed up, and the last time their account connected to the service. That’s the only data Open Whisper had kept. However, even that would still be enough to verify that someone signed up before a leak took place.
“Privacy is not about austerity,” Marlinspike said, making the case that an app that connects people to their existing contacts is part of what makes Signal a robust and dependable tool. “We’re not trying to build something where you live in a vault.”
“Privacy concerns include what information other people keep about us, just as much as what information vendors and providers keep about us,” Wendy Nather, the principal security strategist for Duo Security, told BuzzFeed News.
While Marlinspike did acknowledge that there are “legitimate use cases where people don’t want to publicize their phone number,” he believes that Signal’s encrypted messaging system, based around a user’s phone book, is both “privacy-preserving” and places people in control of their own social network. Marlinspike told BuzzFeed News that allowing people to opt out of showing up in others’ contact lists would create an “unworkable” product that requires users to rebuild their network from scratch anytime they get new phones.
Yet Wickr, another secure messaging app, which claims to have 5 million users, does not require people to enter their phone numbers when they sign up. Chris Howell, Wickr’s co-founder and CTO, told BuzzFeed News that about half its customers join using only a unique handle, while the other half sign up using their phone numbers and email address. A user’s Wickr contacts are stored on Wickr’s servers, but the company encrypts the information in such a way that the service doesn’t know who a person’s contacts are, even when people choose to sync their phone book. Like Signal, Wickr also has an in-app notification for customers who turn on phone book matching when people in their contacts join the service.
Contact list matching does come with a positive tradeoff, Howell explained. It’s easy and quick to connect. And a messaging app that doesn’t sync with phone books could limit its ability to attract and keep users, he said.
One way around the “red flag” of encryption use is for encrypted messaging apps to eventually become so mainstream that most people rely on them.
“Hopefully we get to a day where it’s as ubiquitous as SSL, [like] having a lock on your website when you hit a browser,” Howell said. “That’s not a cause for alarm.”