Signal Finally Rolls Out Usernames, So You Can Keep Your Phone Number Private (wired.com)
Encrypted messaging app Signal has launched a new feature allowing users to conceal their phone numbers and instead use usernames, in a move aimed at boosting privacy protections long sought by cybersecurity experts and privacy advocates. From a report: Rather than give your phone number to other Signal contacts as the identifier they use to begin a conversation with you, in other words, you can now choose to be discoverable via a chosen handle -- or even to prevent anyone who does have your phone number from finding you on Signal.
The use of phone numbers has long been perhaps the most persistent criticism of Signal's design. These new privacy protections finally offer a fix, says Meredith Whittaker, Signal's executive director. "We want to build a communications app that everyone in the world can easily use to connect with anyone else privately. That 'privately' is really in bold, underlined, in italics," Whittaker tells WIRED. "So we're extremely sympathetic to people who might be using Signal in high-risk environments who say, 'The phone number is really sensitive information, and I don't feel comfortable having that disseminated broadly.'"
And the point is...? (Score:1)
So now instead of having a phone number that identifies your phone, you have a username that identifies your phone. And this accomplishes what, exactly?
Re: (Score:2)
So now instead of having a phone number that identifies your phone, you have a username that identifies your phone. And this accomplishes what, exactly?
When you are baiting scammers, and they ask to chat with you on signal, they don't get your mobile number?
Re:And the point is...? (Score:5, Informative)
Re: (Score:2)
It still doesn't solve the biggest issue though, which is that Signal servers don't federate or allow open source clients.
You have to use Signal's app.
Re: (Score:2)
It accomplishes a lot. In order to reverse-engineer the username, one would have to gain access to Signal's records and link the username to an IP or other identifiers. This requires a subpoena at the least. When a phone number is used, any idiot can go to a data broker website and find out who that phone number belongs to. It also means that law enforcement can subpoena the cell carrier, which tends to be much easier to work with for law enforcement (even having portals set up so they can instantly log in and get data) than a company like Signal, which stores very limited information compared to cell providers [signal.org].
I find it very interesting that Americans tend to default to "law enforcement" as the issue when privacy is threatened. I'm much less concerned with the Rozzers knowing my number than I am private businesses and individuals who will use that number in various nefarious ways that aren't technically illegal (or sometimes are but can't be traced back to them). Things like spamming, SIM cloning and doxing are a much bigger threat to me than the boys in blue. These things don't just make my life more difficult,
Re: (Score:2)
Re: (Score:2)
You might not be aware, but you don't need to use your actual name as your user name.
In many countries you do need to use your actual name, backed up by government ID, to get a phone number.
Re: (Score:2)
In many countries you do need to use your actual name, backed up by government ID, to get a phone number.
This.
A friend of mine had to show his passport to purchase a prepaid SIM in Greece a few years ago. Fortunately, I had purchased a SIM plus a cheapo GSM phone in Germany. With cash, no ID required. And it worked just fine in Greece.
Sure, there were roaming charges. But if I was bent on committing some nefarious deed, a few Euros wouldn't really slow me down.
Re: (Score:2)
You need to show your passport in Germany for SIM cards since before 9/11 (2001). Of course there are enough places where you can buy one (especially if you buy a phone too) without much fuss, especially around train stations.
Greece introduced this much later, after some criminal escaped from the prison TWICE by just having a helicopter show up and picking him up. Yes, they caught the dude and then he escaped again with a helicopter. I think the second time a guard shot himself in the foot. You can't make t
Re: (Score:2)
When was that?
2013
Re:And the point is...? (Score:4, Informative)
A few reasons:
1. Providing a phone number can expose more personal information that some people would like as the phone number might tie to other information through external databases. A username would only be able to do that through Signal's databases.
2. People don't want to be contacted via phone/sms and don't want to share that
3. Many 2FA still use SMS which is vulnerable to a SIM-swapping attack if the attacker knows the phone number
Re: (Score:2)
Re: (Score:2)
>"It's still not enough because Signal having your phone isn't acceptable either."
+1000
I was coming to post the same thing. There is no reason that Signal should have your mobile phone number. Signal should be usable on any device, including a tablet or deactivated, neither of which have a number. Sure, they need SOMETHING to set you up and for recovery, but why can't that be an Email address? I noticed there is also no way to use Signal within a web browser (web-based). Why?
I am so VERY tired of ev
Re: (Score:2)
These are by design. Companies have learned that they can say security and idiots will accept it. I argue that privacy is not separate from security and that true security and privacy means even the company you are dealing with should have no way to tie an account to a real human if the human chooses for it to not be so. Almost all 2 factor that is put in place in the last 5 years is put in place in the name of security, but it is simply these companies putting in place mechanisms that allow them to tie an
Re: (Score:2)
I think they've been reluctant to do this because of concerns that not having it tied to a phone number will make spam easier. As it is, I get one or two spam messages every couple of months, and while it's not impacting me right now, it could become a major problem later, made worse by Signal being completely unable to filter based on content by design.
On top of that, if they see sharply higher uptake and use enabled by email addresses, they would also face higher bills, and as an organization that is heav
Re: (Score:2)
>"I think they've been reluctant to do this because of concerns that not having it tied to a phone number will make spam easier. [...] made worse by Signal being completely unable to filter based on content by design."
I suppose that is possible. But not sure how/why. If you need to create an account to use Signal and send messages, they can very easily spot any account sending out tons of messages and deduce it is almost certainly spam. Doesn't matter the destination or content. Especially easy to en
Re: (Score:2)
It's difficult to translate username to real-world phone number for making unwanted solicitation phone calls without having a table showing those relationships?
I mean, are you trying to be remarkably obtuse here?
Howto Beta with Aurora? (Score:1)
Not quite yet (Score:2)
Seems like a fundamental security oversight (Score:2)
How did it take this long to correct this problem? And what does it say about the security posture of Signal? What other important security vulnerability is waiting to be discovered and "finally" fixed?
Re: (Score:3)
I don't presume to know Signal's data architecture, but my guess is that when you only have one uniquely-identifying piece of information to tie a user to anything else in the database, that changing out that unique identifier and then completely testing every facet of your software against that massively risky change might just be something you want to take your time with implementing.
Re: (Score:1)
Re: (Score:3)
I get that. But I don't understand why they picked cell number in the first place.
A core security principle is that one should never use an email address or phone number as a person's login. https://community.isc2.org/t5/... [isc2.org]
A core principle in data modeling is cardinality: the concept that one piece of data should never have two meanings. In this case, one piece of data had two meanings: 1) your phone number and 2) your username.
So how did a system that is supposed to be "the most" secure, mess up on such a
Re: (Score:3)
My guess: they did what WhatsApp did, because a billion or so people found it acceptable; and there's a certain logic to saying that if you are making a chat network that is meant for use on smartphones, the one thing you can kind of count on smartphone users having is a unique phone number which is easy to verify and comparatively hard to change (which is why it's a privacy / security problem to begin with).
No, it wasn't secure design, and it absolutely didn't protect anyone's privacy. And, quite frankly,
Re: (Score:1)
As hard as it is to imagine, Signal is old enough that it started as encryption for SMS.
Combine that with the network effects (existing close contacts can discover you without effort) and natural anti-abuse characteristics[^1], and I can see why there'd be so much inertia.
Even in this release, phone numbers are still required and shared by default if already stored in the user's contacts.
[^1] Note: I'm not saying it's perfect, but certainly better than indiscriminate anonymous account creation.
Re: (Score:2)
I wouldn't expect it to be perfect either. But if your *specialty* is security, you'd better get security right...the first time.
Re: (Score:2)
Probably to prevent spam. Getting a new phone number has a cost attached, so spammers tend not to bother.
Re: (Score:2)
I don't buy it. When your *specialty* is security, you need to get at least the fundamentals of security right. Even in 2015 when it started its life, it was a well-known security principle that you don't use phone numbers or emails as your login. And if they decided *intentionally* to use cell numbers despite this, they should have explained why, and documented the rationale for everyone to see.
Re: (Score:2)
I agree it was a bad decision. Fortunately a disposable SIM bought with cash was a viable work-around for some people.
Account doesn't follow username I assume? (Score:2)
As long as the phone number is the only real identifier, SIM swap vulnerabilities remain as the price for convenience of account recoverability. Registration locks are a half measure which require you to have an actively used second device and no one blinks an eye on security number change messages.
Signal is the most securely developed messenger, but they sacrifice too much in the name of normies and to keep the three letter agencies and the media off their back (with timing attacks and NSA level access to p
Fortunately ... (Score:3)
No matter how you try to obfuscate your name, phone number, hardware serial number, the network needs to know who you are in order to establish a connection. And all LE has to do is to conduct periodic sweeps (see Portland, OR a few years ago), fingerprint the suspects and connect their phones to a Stingray. Unless you are in the habit of throwing your iPhone 15 out every few weeks, they've got you.
obvious is obvious. (Score:1)
How Signal ever claimed to be about privacy while requiring a phone number is beyond my comprehension. I have avoided using it for years for precisely this reason.
Pure hypocrisy. That's it.
Re: (Score:3)