TLDR
- End-to-end encrypted data. Only you and recipients can read it, no one else can
- Run by a non-profit organization, no profit motives involved
- Open sourced and audited cryptography
- Used by Edward Snowden
- Functional for 99% of people to switch over
- No need for email registration
What is Signal?
Signal is a communication app that’s been around for nearly 10 years now and recently got a large spike in users after the WhatsApp privacy policy controversy. It works on Windows, macOS, Linux, Android and iOS as far as I know. Signal is backed by the non-profit Signal Foundation, meaning there isn’t any for-profit business running the service. The main appeal of Signal is its guarantee of privacy: all your data being sent through Signal servers is end-to-end encrypted (E2EE), meaning that only you and the intended recipient are able to see what is being sent. Any outsider will only see garbled gibberish, including the Signal servers.
Signal is also open sourced, meaning that their source code used for servers and client (the app that you actually download) is freely available for inspection, copying, and modifying. I won’t go into details of Free and Open Source Software (FOSS)/OSS here, but this essentially means that programmers and experts can verify that the code isn’t doing anything malicious, and vulnerabilities can be patched quickly.
Some more features of Signal
Your data sent through Signal servers is stored locally, not on a cloud. Signal also stores hardly anything about your account. This has 2 important consequences:
- Nothing is stored on Signal’s servers
If a government agency demanded that Signal send all user data, or if someone were to try to look into what Signal servers have, they wouldn’t find much. Your messages, videos, files and everything else are only stored on your and the recipient’s devices. Therefore, unless one of you guys gets compromised, no one can steal your data. In fact, Signal has been subpoenaed multiple times by the US government but has never been able to share much data, only the registered phone number and last login time. This is about the best proof you can get that a service doesn’t store information about you.
- There is no cloud storage/saving
When you get a new phone/computer and log in to anything like FB Messenger, WhatsApp, Discord, your messages and file history are synced from your old device to the new one. This is possible because all of your data sent through these services is kept on their servers. Signal doesn’t have any of this, so if you were changing phones, your number, or the phone OS, you’ll have to go through some work to get it done. If you decide to delete Signal from your phone one day or your phone dies without an external backup, you’ll nuke your data, so be careful! While cloud sync is definitely a convenient feature for these instances, it leaves room for malicious actions. If these companies were to receive the same subpoenas above or get hacked, all of your data will be exposed. In fact, your data is already out there and is continually leaked and monitored because all big tech companies participate in the PRISM program. Not to mention that these companies are selling your data to advertisers so that within 5 minutes of you saying or texting something, it is shown as an ad. There’s a lot more that can be said, but the summary is that you are voluntarily sharing your personal info with these companies and their ‘privacy settings’ are little more than illusions to make you feel in control.
Signal is banned in several countries with very volatile governments, is used by activists to encrypt communications, and is used by criminals. Now, obviously criminals using the service will give you mixed feelings initially. But when you consider all three facts, they imply that Signal is pretty damn secure. Governments can’t spy on citizens that use Signal, so they ban it. People that risk their lives doing dangerous tasks use Signal to encrypt their communication. Criminals use it because law enforcement reliably can’t snoop on them. The same applies when, for instance, citizens want to organize protests against a brutal military regime. The EU has started transitioning from WhatsApp, which is also E2EE, to Signal. This makes sense since WhatsApp is owned by FB and you shouldn’t trust anything run by them.
Signal has support for most things that average people would want: stickers, GIFs, decent-sized group chat support, and video calling, and on Android it can replace your default SMS program. It’s also well designed and shouldn’t turn people off visually.
Why Signal over other communication programs?
You should now have a good understanding of the benefits of using Signal versus any other free, corporate-owned service. It’s E2EE, doesn’t have anything stored on servers, proof of security is out there (publicly shared subpoenas, government bans, Edward Snowden endorsed, FOSS and audited cryptography), is run by a non-profit foundation, and has 95% of the functionality you’ll need from a communications program. Compare that with every other service out there, which has some combination of the following: makes money off of your data, gives everything they have to law enforcement, tracks you from beyond their app/site, transmits data in plain text (which means literally anyone can read the data if they intercept it), stores and logs everything onto their servers, is completely proprietary, and the public already knows the company behind the service is garbage. Here’s an image that sums up the majority of this page. For any corporate service not listed, it’s safe to assume their privacy invasion is similar to Instagram or Messenger.
Conclusion
The reason why people keep using giant services is because everyone else uses them. People would move to the smaller/better service if their friends and family would, but everyone is still on the big one. This circular dependency is really the only fact stopping mass-adoption of better, smaller services like Signal, and you can be one of the brave pioneers by moving to a better service. Reclaim your privacy and data, and make one of the biggest moves a person can to move away from big tech: use private communication channels. Signal is by far the best and most accessible one to the masses, and it needs to keep gaining users to change the state of our currently near-dystopian big tech dominated world.
Bonus 1: You sound like a shill
I can see where you’re coming from; I’ve been praising Signal continuously so far. But the real reason why is to contrast Signal with commonly used communication services offered by companies out there and show how big of a disparity there is. Using Signal is infinitely better than using something like FB Messenger, WhatsApp, Telegram, Discord, etc. because you don’t become the product, and I want to point that out. The more people are willing to move to alternatives like Signal, the more momentum will build up, and mass-migrations will become inevitable. Or at least big tech’s iron grip over the world will weaken. I want to convince people why starting the move is crucial, and that’s why I sound like a shill. I’m really not a shill for Signal; I like the program and think it’s a great middle ground between normal people and privacy sensitive people, but there are better (and more niche) solutions out there. I don’t think Signal is the pinnacle of internet communication, but a great milestone to aim for.
Bonus 2: Disadvantages of Signal
In case you’re still convinced I’m a shill, I’ll go to a more negative analysis of Signal and its flaws. Signal isn’t perfect; nothing in this universe is. The downsides it has are honestly kind of nitpicky and won’t matter at all for the average person who uses Instagram. Go ahead and start using Signal; this section takes a deeper dive into Signal’s problems and approaches them from a really privacy-focused perspective.
- Signal isn’t as feature-full compared to other apps
This is the only point relatable to normal people on this list. Signal doesn’t support some features some people might consider necessary or important: nicknames, very large group sizes, phone OS transfer (you can’t transfer data from Android ⟷ iOS yet, which is a big problem), polls, and other small stuff like camera filters. Non-mobile support is a bit iffy as well in my opinion. Your phone is the primary device that creates the account, and any computer is ‘linked’ to it so that your phone is still at the center. Therefore, you can’t just log in on your computer and use it independently; it’s connected to your phone in some way.
- Signal isn’t decentralized
Somewhere in the world are centralized (collected, concentrated) groups of Signal servers. There may be multiple clusters of servers across multiple continents, but the key point is that all traffic is routed through Signal servers no matter what. This means that your communication is dependent on Signal’s uptime; the service isn’t peer-to-peer (P2P) like torrents. If their servers are down, you’re SOL. If the servers are taken down by authorities, you can’t do anything about that. The dependency of being tied to Signal’s servers is a turn-off for some. In an ideal world everyone would be self-hosting decentralized, federated servers of protocols like XMPP or Matrix, but too bad that’s not the case.
- You need a phone number to register
This is likely the most critical downside to Signal. Most people won’t have a problem with this; it’s not like you need an email to register (thank god), and WhatsApp needs a phone number too. The key point of this complaint is that Signal isn’t anonymous, i.e., to register with something not associated with you, you need a burner phone number. This is a valid point, and a service that keeps you anonymous would use some other method to register without the need for any personally identifiable information. In my opinion, I can tolerate this downside because I believe a key milestone for the battle of privacy is to get as significant a number of people off of big tech as possible, and Signal’s approach of just using your already-exposed phone number isn’t bad for this goal. Of course, it would be great if future registration can be anonymized.
- You can’t really trust the source code Signal releases
Sounds contradictory, doesn’t it? Signal releases all of its server, client, and expert-audited cryptography code to the public, so why can’t we trust it? The reason is that you can’t be sure that the same code is really being run on their servers. Signal can always just run proprietary servers without us ever knowing; we have to trust the devs that what they show is what they use. This relates to a problem I have with WhatsApp: their claim of E2EE. WhatsApp apparently uses the same E2EE protocol that Signal does. There are two problems with this claim, even if it is true. The first is that WhatsApp is now owned by FB; that in and of itself is enough to cast some scrutiny. Do you think FB will just let 2 billion people use their service daily without datamining what they’re talking about? Seems a bit optimistic. The second is that WhatsApp is proprietary, so we have no idea what their server and client are running. We have to trust that the service has proper E2EE working, but I personally wouldn’t. This type of skepticism should apply to Signal as well, except that we can trust them a bit more than WhatsApp.
- Signal has some questionable-looking decisions in their history
Trust is one of the backbones of FOSS, and breaking it inflicts massive damage on everyone involved and can cause significant harm in bad scenarios; see the node-ipc incident. For instance, the Signal server source code repository went without any commits (updates) for months, they introduced a suspicious-looking cryptocurrency for payment options, and implemented proprietary spam blocking software when the rest of the server is ironically open and licensed under the AGPL. Ultimately, the FOSS aspect of Signal is great and I really like that the AGPL is used. However, those that are very sensitive about privacy and anonymity should be careful about trusting a service that looks good but still has several blemishes like this. One positive thought is that if Signal does go downhill one day and decides to go proprietary, gets bought out by a corporation, or is shut down by authorities, the source code is still available and can be forked by the community.