By Dave McKay | January 23, 2021
Signal Secure Messenger
Signal is a secure messenger app published by the Signal Foundation and Signal Messenger LLC. These are not-for-profit organizations based in Mountain View, California. They were founded by Matthew Rosenfeld aka ‘Moxie Marlinspike’ and Brian Acton, to build on the work of one of Rosenfeld’s earlier start-ups Open Whisper Systems.
Signal is free and open source. One of the glories of open source is that absolutely anyone can review the source code. To that end, the source code for the Signal Messenging Protocol (SMP)—the bit that provides the encryption and security—was reviewed by a joint team from the German CISPA Helmholtz Center for Information Security, the Swiss ETH Zürich University, Cisco, and the Canadian University of Waterloo.
The code was given high praise, a clean bill of health, and the protocol was adopted by other messenger apps, such as WhatsApp.
WhatsApp and Privacy
WhatsApp hit the news recently when it announced that its data sharing agreement with its parent company Facebook was going to change—and for the worse. WhatsApp harvests and logs data about you and your use of their app. You agree to this when you sign up with WhatsApp. It’s the price you pay to use their “free” service. Because the terms of the agreement are changing, WhatsApp are duty bound to inform you of the new terms.
All the data that WhatsApp harvests about you—such as your contact list, who you have contacted, and your geographical location—is stored on their servers. So, although WhatsApp uses the Signal secure protocol, WhatsApp are not upholding your privacy.
You messages might be sent securely, but WhatsApp records everything about your use of their platform—as well as other information that it can scrape from your smartphone—and stores it on their servers. That breaches your privacy.
Facebook has a dreadful track record of safeguarding personal data, with breaches occurring with depressing regularity. More insidious is their business model based on sharing and selling your data. The Facebook Privacy Policy shows that your data is shared with hundreds of other companies. Literally, hundreds. Anyone who uses Facebook’s analytics, all of their advertizers, all of Facebook’s suppliers, and so on, and so on. And ho wknow s what hey are doing with your data, nor how safely or otherwise they are storing and safeguarding it.
Privacy is about you having direct control over your information and personal data, and choosing who has access to it and what they are permitted—by you—to do with it. Security is one of the techniques that can be used to maintain your privacy. If you lock up your data and no one can see it, then you’re private matters will remain private.
A secure protocol like the Signal SMP delivers your messages with security. But everything else that WhatsApp does to gather information about you breaks your privacy. And, because it is all stored on their servers, if those servers are breached your personal data is up for grabs.
So, a secure protocol on its own cannot guarantee privacy.
Signal and Privacy
By contrast, Signal holds three snippets of information on you.
- The smartphone number you registered with.
- When you signed up to use Signal.
- When you last used the service.
That’s it. A phone number and two timestamps. So even if the FBI servers them with a subpoena, that’s all that Signal turn over to them.
So people can find out if you use Signal—which is why Signal does not claim to be anonymous—but that’s all.
The difference is profound.
The Mass Migration
The news that Facebook, often called the most avaricious data gathering machine on the planet, will soon have access to more your data whether you are a Facebook user or not, has hit home. Users are dumping WhatsApp in droves and moving to other apps, such as Signal.
In fact, the influx of new users to the Signal platform overwhelmed their infrastructure and Signal went off-line briefly.
That’s great, as far as future privacy goes. WhatsApp and Facebook still retain—and are free to use—any of the data they already have on you.
To wrestle your data out their hands you should make a Data Subject Access Request asking for a copy of your data to be sent to you, and then make a Data Subject Right to Erasure Request, asking for your data to be deleted from their systems, and from their data processors’ systems.
Reclaim your privacy.