Signal Usernames Are FINALLY Coming!

Thanks for the mention of the talk in Bangalore, it came up in my feed originally but this video reminded me to go watch it, excellent talk.

Signal still requires phones numbers, which means you have a trackable device, and your identity is findable. I would like secure communications which is not tied to a device, which has no links to me personally, which I can access from anywhere in the world. If I want to say about a political group, I want to do that without worrying about a hammer banging on my head.

You may wish to look at options such as Threema and Session, which do not require the use of a telephone number to create an account.

While I agree that Signal is a great messaging platform and think it has the best chance (it and Matrix) of reaching the mass market, I do think there is some flaws with a phone number based system.

Signal requires a phone number for a simple reason: anti-spam. If they don’t verify their platforms aren’t being used to spam numbers, form bots, and rack up Signal’s already enormous bill. However, this can lead to downsides. Imagine this situation:

Your and your friend (Bob) live in a country where free speech is not allowed, so you both, after seeing recommendations for Signal, install the app. You are extremely careful and never share your viewpoints anywhere but Signal. However, Bob is not so smart and ends up getting arrested for sharing their opinion on a non-ETE platform or by being reported by someone Bob thought was a friend. When the authorities search Bob’s phone, they see that Bob chatted with you over Signal. They can easily see the phone number that is tied to your account. Even if you both have set your messages to delete, they can use this information to get info from your carrier about you. Now, you are under government surveillance and all it takes is one more slip up and you will end up like Bob. (Or if your country is unfair/doesn’t respect rights, you might be arrested for even just being associated and communicating with Bob through Signal) Even if Bob doesn’t get arrested, baybe Signal itself is banned in your country and your ISP reports you to the authorizes when logs show you accessing servers used by Signal.

See how phone number verification and non-anonymous systems can be problematic? Things like Session fix this by not requiring a phone number and also through routing messages through Tor. Again, I think Signal is a great system and for most people it is perfectly enough privacy for their threat model.

For achieving this, you need to buy a phone and SIM card with cash and without is card. Then you should not install banking or govt or any apps that can expose your real identity. I can make the list very long, so before getting worried of being tracked just using your signal number for the registration, there are many issues to consider. Lastly, you cannot be tracked down because your signal number but because your operator shares your location. In that case, you can buy another card after activation or use it with WiFi.

This is absolutely theoretical and wrong. If there is a possibility of your device getting seized, you don’t a luxury of not knowing the technical issues. At least, somebody should make a good setup and you need to have a good awareness. For countries without free speech, it’s generally difficult to buy a SIM card without id. If you can, buy two. One for signal, one for ordinary use. If they arrest you and you are important figure, they can get information with drugs or torture. So, this is not doing a good threat modelling, but making wrong assumptions.

There are hundreds of different attacks to get data from the physical device. Besides, Session does not have PERFECT SECRECY. Just take your recovery code and login in with another device. You will see the messages sent in the last week. That’s far more worse than exposing your number.

Right, I’m not saying that Session is the perfect solution and it definitely isn’t the best for general public use. I was just commenting on how Signal’s system could lead to the de-anonymization of users who don’t go the extra mile to make sure they are safe from government overreach.

I love Signal and think the project is a great way to mass put privacy in the hands of the people by offering a secure, private, and convenient way for people to communicate. Their community is also extremely welcoming and friendly.

I mean, good, I guess. I doubt this will help me convince anyone to adopt it (especially since they cut SMS support, which I’m still salty about - easily the biggest selling point, and now it’s just another encrypted messenger).