For nearly a decade, cybersecurity professionals and privacy advocates have recommended the end-to-end encrypted communications app Signal as the gold standard for truly private digital communications. Using it, however, has paradoxically required exposing one particular piece of private information to everyone you text or call: a phone number. Now, that’s finally changing.
Today, Signal launched the rollout in beta of a long-awaited set of features it’s describing simply as “phone number privacy.” Those features, which WIRED has tested, are designed to allow users to conceal their phone numbers as they communicate on the app and instead share a username as a less-sensitive method of connecting with one another. Rather than give your phone number to other Signal contacts as the identifier they use to begin a conversation with you, in other words, you can now choose to be discoverable via a chosen handle—or even to prevent anyone who does have your phone number from finding you on Signal.
You’ll now be able to set a unique username as a way for people to find you on Signal in addition to—or instead of—your phone number.
Signal’s design has frequently been criticized for its use of phone numbers. These latest privacy enhancements address those concerns, says Meredith Whittaker, the President of Signal. The motive is to create a communications application usable by anyone worldwide for easy private conversations. The word ‘privately’ is emphasized heavily, Whittaker tells WIRED. The aim is to empathize with users in high-risk circumstances who say that sharing their phone number, which is crucial data, makes them uneasy.
Signal has launched three new features: one default setting and two optional features. The default setting ensures that your phone number is no longer visible in your Signal profile unless another user has it stored in their phone directory. You may also generate a distinct username and share it, for example as a QR code, with anyone you wish to communicate with. When you start receiving messages, you can use your profile name instead of the username. The profile name in Signal does not have to be unique and can be edited by the recipient in their view in the application.
The new adjustments in Signal let you alter both the visibility and the discoverability of your phone number. The default setting turns off the visibility of your number. Turning off its discoverability, a more drastic measure, will be an opt-in setting for high-risk users.
The author of the article is Jennifer M. Wood.
The third new feature, which is not enabled by default and which Signal recommends mainly for high-risk users, allows you to turn off not just your number’s visibility but its discoverability. That means no one can find you in Signal unless they have your username, even if they already know your number or have it saved in their address book. That extra safeguard might be important if you don’t want anyone to be able to tie your Signal profile to your phone number, but it will also make it significantly harder for people who know you to find you on Signal.
The newly introduced phone number protections now enable the usage of Signal for communication with non-trusted individuals, alleviating serious privacy concerns. Reporters can share their Signal usernames publicly on their social media profiles, enabling them to receive encrypted tips without sharing their phone number. Activists can join groups without making their number available to others in the group who they are not familiar with.
Previously, to use Signal without revealing a personal number, one had to go through the inconvenience of setting up a new Signal number on a burner phone or through a service like Google Voice. However, this has changed, and users can now set, change or remove usernames at their convenience. Additionally, Signal leverages the Ristretto hash cryptographic function to store unique strings of characters encoding those handles, rather than the usernames themselves, for better privacy.
Despite these enhancements, one function remains unchanged: the obligation to share your phone number with Signal at the time of registration. This requirement, persisting even after Signal’s upgrade, may irritate some critics who advocate for greater anonymity. Their preference is such that not even Signal’s team should know a phone number that could possibly identify users or be handed over to surveillance agencies with court orders.
According to Whittaker, the phone number requirement is critical because it prevents spam by limiting account creation and enables phone number-linked contact discovery from the address book, which is key to ensuring usability.
In fact, designing a system that prevents spam accounts and imports the user’s address book without requiring a phone number is “a deceptively hard problem,” says Whittaker. “Spam prevention and actually being able to connect with your social graph on a communications app—those are existential concerns,” she says. “That’s the reason that you still need a phone number to register, because we still need a thing that does that work.”
The continued phone number requirement means Signal’s privacy upgrade is a compromise, says Matthew Green, a professor of cryptography and computer science at Johns Hopkins University who has in the past consulted for both Google and Facebook in their implementation of Signal’s open source encryption protocol. “It’s a half solution,” says Green. “It’s not a perfect solution.”
Green notes, however, that even if it doesn’t satisfy the most die-hard privacy advocates, it represents a significant improvement for a much larger portion of Signal’s hundreds of millions of users. “There’s a legitimate community of people who wanted to use Signal without giving other people their phone numbers, and they’re going to be very happy with this change. And then there’s a more hardcore set of people who don’t want to ever give their number to Signal,” Green says. “I think getting a big set of people serviced is the right direction, and working on satisfying all the other people is something for Signal to keep working on.”
Signal doesn’t currently have any road map toward dropping its use of phone numbers as a registration mechanism, Whittaker concedes—she says for now, there’s no alternative that wouldn’t sacrifice Signal’s usability, which she argues would represent a net loss for privacy advocates. But she says that the new phone number privacy features are nonetheless Signal’s careful attempt to solve the problem phone numbers represent without losing the qualities that have made Signal popular in the first place.
“It’s really about staying true to our principles,” Whittaker says. “In more and more ways—in better and better ways—to fill that promise of easy, usable, private communications.”
Correction: 2/20/24, 1:25 pm EST: Meredith Whittaker’s professional title is president of the Signal Foundation.