Today Signal makes phone numbers private and rolls out usernames—a historic, overdue step to protect users.
On Saturday night, we had dinner with Meredith Whittaker, the president of Signal, an encrypted messaging app for instant messaging, voice, and video calls. We ordered pasta in a Munich restaurant, about a mile away from where Hitler had announced the reestablishment of the Nazi Party almost exactly a century ago. We discussed how fragile open societies looked. Then we spoke about encryption, phone numbers, and a terrifying Stasi prison.
End-to-end encryption keeps messaging private between end users, thus hiding content from service providers and anybody trying to peak in in the middle. Default end-to-end encryption has been ubiquitous for about a decade now—at least on certain apps. iMessage, Apple’s messaging application, had built-in encryption from the day it was announced, in 2011. WhatsApp, today owned by Meta, started rolling out end-to-end encryption nearly ten years ago, in late 2014. Both platforms were vastly more secure, more reliable, and more convenient than highly insecure and clunky SMS messaging.
WhatsApp will likely surpass 3 billion monthly active users in over 180 countries sometime this year— that’s roughly three-eighths of humanity. Apple’s iMessage estimates over 1 billion active monthly users. Signal, while significantly smaller with around 70 million active users, boasts a dedicated following.
The critical strength of these widely popular messaging is also a critical weakness: Users can find other users by entering their phone numbers. This easy-to-use function made vast growth possible. The downside? These apps routinely disclosed our phone number, whether we wanted it or not. Until today.
The phone has become our most intimate device. We carry it on our bodies at nearly all times, and we reveal our most private secrets either on it, or in earshot of its microphone and in sight of its camera. Our phone numbers, which may seem like an innocuous string of digits, very directly lead to the things we want to keep private: what we talk about, what we look at, what we listen to, what pictures we take, and where we are, right now.
Surreptitiously stealing these details is far easier and cheaper than it should be—for authoritarian governments, for criminals, for digital mercenaries, for foreign spy agencies, and of course for unwanted acquaintances and abusers in all walks of life.
It’s surprising, therefore, that it took until today for a major messaging platform to stop disgorging our numbers, by default, to everybody we interact with, either individually or in groups—while maintaining the ability to grow and scale.
Signal’s nonprofit structure, funding model, and focus on security and privacy has long appealed to tech-savvy individuals, national security and intelligence professionals, and activists globally. And as of today, the messaging app started changing the default privacy for phone numbers for everyone. Phone numbers in the app will no longer be visible to contacts who don’t already have that number, while, at the same time, people can still find others by entering their phone number. From there, users can either lower or raise their privacy level—they can go back to showing their number to contacts old and new, or they can go forward and hide the number from everybody, including new friends. Instead of a number, you’d share a “username.”
Signal’s usernames, unlike social media handles, are neither displayed publicly nor to known contacts, and they can be changed frequently. Usernames are simply an easy way to connect with another person or group without sharing your phone number with them. Because such identifiers don’t define a user like they would, say, on X or Instagram, they can be modified for special occasions: to exchange contacts during a concert, on a first date, or at a pro-democracy rally in an authoritarian country. Signal does not offer a searchable directory of usernames, and indeed does not store the usernames in plain text, only as unique so-called hashes. This means, as the Signal team explained today, “that Signal cannot easily see or produce the usernames of given accounts.”
In an additional design choice made to protect users, the platform also does not log changed usernames, and therefore cannot link past usernames to current accounts and phone numbers.
This long-awaited step, now five years in the making, marks a turning point in the history of direct messaging, the most prevalent form of human communication today. Technologically, the move to usernames may be less impressive than the roll-out of end-to-end encryption to a vast user base a decade ago; yet, in practical terms, phone number privacy may have a bigger real-life security impact for many users.
End points—as security professionals call phones and other devices—are vulnerable. They can get hacked or tracked, and persistently so. Malicious actors often glean new target phone numbers from other contacts and their address books. This is where the magnitude of Signal’s design change today becomes apparent. From now on, secure communication—texting, calling, and video-calling—no longer requires keeping phone numbers in a phone’s contacts, or indeed knowing the number at all. For some of the most security-minded users, and hopefully soon for all casual users of Signal who are looking for easier ways to coordinate the book club group chat, numbers will now begin to disappear as a contact vehicle. As a result, it will get progressively harder for bad actors to contact-trace, and to find, hack, and track the end-points of their targets.
Of course, well-resourced adversaries will still find ways to get to their targets, but the costs will go up.
This welcome news comes on the heels of last weekend’s Munich Security Conference, where we met Signal’s Whittaker. The mood in Munich was dark. Conversations in bars and restaurants inevitably revolved, in some form, around the fateful global election year that is 2024, and the illiberal forces that are gathering in all democracies, on the far right and on the far left.
The most profound moments in Munich included Yulia Navalnaya’s speech about her murdered husband, Aleksei Navalny, a Russian pro-democracy activist, or exiled Belarusian opposition leader Sviatlana Tsikhanouskaya’s description of life under a totalitarian regime a mere two-hour flight away from Munich. The fear of creeping authoritarianism was palpable, particularly among Europeans with living memories of repression at home.
Over that pasta on Saturday, we recalled our respective visits to one of the most bone-chilling sites in all of Europe—the Hohenschönhausen Memorial, the secret political prison operated by the Stasi in Berlin. The Stasi, East Germany’s Ministry of State Security, was a technically highly competent and utterly ruthless intelligence apparatus. Hohenschönhausen was designed to corrode the resistance of political prisoners with shrewd torture techniques in purpose-designed isolation cells, projecting total power through meticulous knowledge of a prisoner’s private life. We shuddered at the thought of what the Stasi could have done with access to mobile phones.
The stakes couldn’t be higher.
– Camille François, Thomas Rid, Published courtesy of Lawfare