Hardening Signal & Keeping Your Phone Number Private With the New Update

Hardening Signal & Keeping Your Phone Number Private With the New Update

Introduction to Signal

Moxie Marlinspike

Signal is a beacon of privacy in a digital ecosystem with surveillance and data mining. Its story began in 2010 with the launch of two separate apps, RedPhone and TextSecure, by Whisper Systems, a startup co-founded by security researcher Moxie Marlinspike and roboticist Stuart Anderson. The initial versions were proprietary and intended to provide encrypted voice and text communication exclusively on Android platforms.

Following the acquisition of Whisper Systems by Twitter in 2011, these apps were released as free and open-source software under the GPLv3 license. Marlinspike’s departure from Twitter led to the founding of Open Whisper Systems and the continued development of these apps, eventually merging to form what we now know as Signal in November 2015.

Signal stands out for its staunch commitment to user privacy, utilizing telephone numbers as identifiers and securing communications with end-to-end encryption (E2EE). It offers a suite of features from instant messaging to group chat and voice/video calls, all shielded from prying eyes. The non-profit Signal Foundation, founded in February 2018 with a significant initial loan from WhatsApp co-founder Brian Acton, oversees its development, upholding the mission to “protect free expression and enable secure global communication through open-source privacy technology”.

Moxie Marlinspike – The Architect of Signal

Moxie Marlinspike, a Georgia native, moved to San Francisco in his late teens and quickly became a renowned cryptography and computer security figure. His contributions to the domain, including the cracking of MS-CHAPv2 handshakes and resistance to government surveillance efforts, have made him a respected and sometimes controversial figure. Marlinspike is an avid sailing enthusiast and an anarchist, with several of his essays published on the topic. His dedication to privacy and security is reflected in Signal’s values, which prioritizes these values above all else.

Signal’s Username Feature and Operational Security

Signal has introduced a username feature in a significant shift towards enhancing user privacy. This update allows users to interact without revealing their phone numbers, bolstering Operational Security for those who prefer or need to keep their communication details confidential. With usernames paired with a set of numbers, Signal offers a way to initiate contact while maintaining a degree of anonymity, still requiring a phone number for initial sign-up but not for daily use. For more information, check out the article on this new Signal feature.

Hardening Signal: Advanced Privacy Practices

Securing your communication is paramount. Signal, known for its robust encryption protocols, offers various features that can enhance privacy and security. Here’s a detailed look at how to harden your Signal app with features you may not have known even existed.

1. PIN Reminders

Signal’s PIN is not just another passcode; it’s a safeguard for your profile information and settings. Users should activate PIN reminders to strengthen memory retention over time, mitigating the risk of forgetting this crucial security feature. This setting can be found in the app’s privacy settings under ‘Account.’ The rationale for using PIN reminders could range from ensuring account recovery to preventing unauthorized profile changes, which is especially important for activists or journalists who rely on maintaining strict control over their communication tools.

2. Read Receipts

Read receipts are markers of communication flow, signaling when a message has been seen. However, turning off read receipts is advisable for those who value discretion. This ensures your contacts cannot confirm when or if you’ve read their messages, adding a layer of privacy. To disable read receipts, go to ‘Privacy’ in the settings menu. This may be particularly useful for users who require an additional layer of anonymity, such as individuals in a surveillance-heavy environment.

3. Typing Indicators

While helpful in casual conversations, typing indicators can be a privacy concern. Turning them off

ensures nobody knows when you’re composing a message, thereby preventing any potential timing analysis attacks. This option is also located under ‘Privacy.’ The use cases include scenarios where users might not want others to infer their availability or attentiveness to the conversation, such as in negotiations or when dealing with sensitive topics.

4. Disappearing Messages

Signal’s disappearing messages feature allows messages to self-destruct after a set time, an essential feature for sensitive communications. Activating this under ‘Privacy’ for all chats ensures that no trace of the conversation remains, which could be critical for legal professionals, whistleblowers, or anyone discussing confidential information.

5. Screen Lock

Enabling Signal’s screen lock adds a layer of security, requiring your device’s passcode or biometric verification to access the app. Found under ‘Privacy,’ this feature ensures that even if your mobile device is compromised, the contents of your Signal messages remain secure. This is especially important for individuals who may leave their devices unattended or are at risk of device seizures.

6. Screen Security

Screen security is a feature within Signal that prevents the app from being previewed in the recent apps list and blocks screenshots within the app. By navigating to ‘Privacy,’ users can activate this setting to protect the contents of their messages from being captured and potentially shared. This is particularly useful when sensitive information is being discussed, and there is a need to prevent any form of digital eavesdropping or unintended information leaks.

7. Incognito Keyboard

Incognito Keyboard mode requests your keyboard to stop learning from what you type, which can be enabled from the ‘Privacy’ settings. This is crucial for those who discuss sensitive topics and wish to prevent their keyboard app from storing potentially sensitive predictions. However, it’s important to note that compliance with the keyboard app is not guaranteed, highlighting the need for users to choose their keyboard applications wisely.

8. Payment Lock

Enabling a payment lock is necessary for those utilizing Signal for payment transfers. Accessible under ‘Privacy,’ this requires your device’s screen lock mechanism to authorize any funds transfer, adding a critical verification step to prevent unauthorized transactions. This could be particularly relevant for business transactions or donations, where additional verification is necessary.

9. Always Relay Calls

Signal allows users to relay calls through their servers, which can mask your IP address, thus not revealing it to your contact. This setting, found in ‘Privacy’ under ‘Advanced,’ can significantly reduce the risk of location tracking, which is vital for users in high-risk environments. However, it may affect call quality, so users should weigh the trade-off based on their needs.

10. Censorship Circumvention

The app can detect and enable censorship circumvention in regions where Signal is censored. This option in ‘Privacy’ under ‘Advanced’ ensures continued access to Signal, which is crucial for users in countries with restrictive internet policies.

11. Sealed Sender

Sealed sender is an advanced privacy feature that hides the sender’s information from Signal’s servers. Found in ‘Privacy’ under ‘Advanced,’ this feature is vital for users who need to ensure the confidentiality of their sender information, which can be pivotal for sources sharing sensitive information with journalists, for example.

12. Media Auto-Download

Disabling the auto-download of media in the ‘Data and Storage’ settings prevents the automatic downloading of images or files, giving users the choice to download content manually. This can save data and prevent the automatic receipt of potentially malicious files, an important consideration for users operating in security-critical environments.

13. Proxy Settings and Tor: Enhancing Anonymity in Signal

Signal’s commitment to privacy extends to allowing proxy servers, a beneficial feature for users who aim to keep their communication untraceable. A proxy is an intermediary between your device and the internet, adding a layer of obfuscation to your digital footprint. For those requiring an even higher degree of anonymity, Signal can be configured to work with Tor, an overlay network designed to anonymize internet usage.

Here’s how you might use Tor with Signal:

Install Orbot: Orbot is a free proxy app that empowers other apps to use the internet more securely by using Tor to encrypt your internet traffic and then hiding it by bouncing through a series of computers worldwide.

Configure Signal to Use Tor: In Signal, access the ‘Settings’ menu and navigate to ‘Data and Storage.’ From there, find the proxy settings and enter the information provided by Orbot, which typically involves setting a hostname (often ‘localhost’) and a port (such as ‘9050’ for Tor).

Activate the Proxy: Once configured, activate the proxy within Signal. Your messages will now route through the Tor network, increasing your privacy and security.

By routing Signal through Tor using Orbot, your communications benefit from an additional layer of protection, making it even more challenging for third parties to track or intercept your messages. This setup is beneficial for users in high-risk environments where surveillance is a concern or for those who are meticulous about maintaining online anonymity. It’s important to note that using Signal over Tor may slow down the connection due to the additional hops your data takes through the Tor network.