| |

Elon Musk is wrong: Signal is not the solution to privacy issues.

Nigel Morris-Co...

One of the biggest reasons for migrating away from WhatsApp is privacy. It's been a problem ever since WhatsApp was launched. Indeed, I discussed it with the founders when it was new, ish, and they said that they had deliberately designed the system to create visibility between users. When I pointed out that a combination of various features compromised personal security, that was not something that concerned them... anyone can get your phone number, they said.

In the meantime, WhatsApp has become almost a de facto sole means of communication for many.

The "online" status and the forced linking to each user's phone book increases market penetration but means that users cannot segregate their general contacts list from their preferred messaging system. Worse, the increasing spam by those who use phone numbers to send their indiscriminate messages has become a problem. Viber also insists on integration with the phone's address book / contacts list.

The only solution is to disassociate phone numbers from the user ID.

Wire, Line, WikrMe and WeChat all do this - either by default or via a setting. And they all allow hiding of the ID unless authorised so that, even if someone does get your user ID, they can't send a message unless you have either invited them or temporarily approve open access. It's an effort, but it is also possible (if you act really fast after installation and disable your internet connection before you launch the app) to set Telegram to not connect to your address book. But it remains to be seen whether your phone number as notified to them makes you visible to other Telegram users.

And so to Signal, promoted as the most secure of instant messaging systems.

Well, it might be, insofar as encryption is concerned. Add in auto-deletion of messages and there is message security which may or may not be effective. But when I installed it, I denied it access to my address book. Nevertheless, within, literally, two minutes, I had a message from a contact because I had popped up in her Signal account. She said she, too, had tried to segregate Signal from her address book. She and I have both closed our accounts and uninstalled the software, in my case from both my phone and my Linux desktop (that's two to knock-off the "look how many people have installed Signal figures)

And that's not all. Signal invites user s to send SMS through Signal. It saves money: what you think is an SMS is converted on your phone to a Signal message and sent over your internet connection, thereby avoiding SMS charges. This only works if both parties are using Signal. If the other party does not use Signal, the message is sent as an ordinary SMS. I vaguely remember this being available on another messaging app I'd tried at some time in the past. If it's sent via Signal, it's encrypted; if it's sent by SMS, it's not.

But here's the rub: when you open your signal account, you register your phone number. It's that phone number that Signal uses for messaging. When you send an SMS, Signal intercepts the message, checks to see if the recipient's phone number is registered and, if so, sends the message as a Signal message. And it does this even if the account has been closed.

Instead of fixing this programmatically, i.e. if an account is closed the associated number is automatically de-registered, Signal puts the obligation on the user. When you close the account, there is no intervening step saying "de-register your phone number" or somesuch and it doesn't happen automatically. Moreover, there is no warning. Only by accident did I notice a bulletin board post by someone complaining that they were not receiving SMSs after leaving Signal.

Signal's solution is that users who have already terminated their account and deleted the app can go to a webpage at https://signal.org/signal/unre...

At that page, those who have deleted their account can "unregister" their phone number.

Even that is problematic: inserting the phone number is not enough: you have to also enter the country by choosing it from a pick list. There are a lot of countries and the list is not in alphabetical order. It says it wants to send an SMS to confirm. No SMS arrives. Nor does a phone call if that option is chosen. Click unregister anyway. Get the result "unable to connect to server."

The only saving grace is that, maybe, those SMS spammers who are also Signal users will be blocked. Sadly, so may any other useful messages from, e.g. banks, governments and the like.

Given that regulators are currently criticising Amazon because of the complexity involved in leaving Prime, this really is something Signal needs to look at.


a) if you do use Signal, be aware that your phone number becomes public property because it is shown on every message screen: if someone sends a screenshot of your message, your phone number has just been published outside your circle of approved recipients (it's happened. The Guardian once identified a US politician from just such evidence). Your personal security is compromised and there is nothing (short of registering with a temporary number as some suggest you might) you can do about it. Worse, if you do register with a temporary number, Signal won't be available to someone who later gets that number because they won't have your password.

b) if you do use Signal, don't allow it to be your SMS provider. Yes, of course, that means that the cost savings of sending SMS via Signal is lost. But using it means that you would lose contact if someone closes their signal account without first de-registering the number. And you are not warned to de-register the number before you terminate your account. That leaves you to fail to de-register because the de-registration page doesn't work.

c) if you do use Signal, be aware that there is no way of disassociating it from your full address book so your personal privacy is further compromised.

No, Mr Musk. Unless you made your statement because you have, or intend to have, an interest in Signal and are engaged in some form of stock manipulation (not that you'd do that, of course), your advice to those seeking privacy, as distinct from message security, is deeply flawed because, in this respect, it is no better than WhatsApp.

Oh, and it's a pain in the bum to uninstall from Linux because it uses some oddball repositories not a package manager. But you already know that if you've installed it. However, while Signal provides very clear instructions on installation via the command line, it is silent (or obscure) on how to get rid of it. Use this in Terminal: sudo apt-get remove signal-desktop.

---------------- Advertising ----------------