Viewpoint Article Presents Diverse Opinions, Does Not Represent the Position of “WEB3+”
In this era of ubiquitous social media, while I may appear to have accounts on all mainstream apps, deep down I am old-fashioned, using only Signal and Proton Mail. I take this opportunity to apologize to those who have messaged me on platforms like Facebook and Instagram and were ignored; however, those who are reading this article probably know that they should contact me and simply need to send an email to [email protected].
Although the number of people with email addresses is increasing, the number of people actually using email is decreasing. As for instant messaging apps, people in Hong Kong use WhatsApp, people in Taiwan use LINE and Messenger, and people in mainland China use WeChat, making me, who is easy to find, often criticized for being reclusive. Fortunately, more and more people have been using Signal in the past year, from DHK Daoist Pro and Feather V God to the Vice President of the United States, making me gradually become more like a normal person.
Here are three Signal usage tips for readers to test themselves. If you only know one or two of them, your awareness of information security still needs to be strengthened; if you don’t know any of them, you are probably just scratching the surface of using Signal.
Username: Another Line of Privacy Defense
Unlike WhatsApp, which uses phone numbers as identification, Signal users can customize their usernames. You may think this is nothing special, as Telegram, LINE, and even WeChat have had usernames for a long time; indeed, but the details of Signal usernames differ from mainstream tools, always prioritizing privacy. When setting up, it is not default to show your phone number to others. You can further disable the option to “search for yourself by phone number,” completely unlinking your phone number from your username.
For example, if Alice’s phone number is +852 9876 5432, setting her Signal username as alice.852 and disabling the display and search options for that number, even friends already in conversation with Alice cannot see her phone number. Even if others know this number, they can only initiate a conversation with Alice using alice.852, the corresponding QR code, or link. Through this feature, DHK Daoist can maintain privacy in a Signal discussion group of over a hundred people, without having to disclose their phone number or see the numbers of others, unless the other party chooses to make it public.
Note that the display name and username are two different things. The former’s format is “firstname lastname,” such as Alice Bee, which is the name or nickname displayed to the other party during a call, and the other party can set another name for identification. The format of the latter is username.two or more digits, such as alice.852, used only to start a new conversation. After becoming contacts, both parties can no longer see each other’s usernames. Alice, who values privacy, can continuously change her username without affecting communication with established contacts.
To set a username, click on the profile picture in the Signal app, go to Settings, and then click on the profile picture to edit personal information. Here, you can see the set username, corresponding QR code, and link, making it easy for the other party to scan or send directly.
Safety Code: Is “That Person” Really That Person?
Alice and Bob have a conversation using their usernames as identification. One day, Bob’s account is hacked, and the hacker impersonates Bob to contact Alice. How can Alice see through this?
In Signal, each conversation corresponds to a safety code, a 60-digit number known only to both parties. When a hacker attempts a man-in-the-middle attack, impersonating Bob, Alice will receive a message in the conversation with Bob saying, “Your safety number with Bob has changed,” due to the device change. Security-conscious Alice will then contact Bob through another method, even meeting in person to scan a QR code or verify numbers to ensure each other’s identities.
If you have ever seen the message “Your safety number with xxx has changed” in a conversation box and chose to ignore it out of confusion, you are giving the impostor pretending to be Bob an opportunity. Advanced hackers know how to bide their time, so even if you have ignored safety code updates in the past, you should verify them and then mark them as verified, especially if you are a company executive, activist, or journalist (let alone a Vice President), you should be even more cautious.
Although safety codes can effectively prevent account theft, if the other party’s phone is stolen, hacked, or confiscated and forced to unlock, it is up to information security awareness to complete the security. In cases of suspicious messages such as borrowing money, transferring funds, exchanging information, or pumping information, do not be afraid of embarrassment; request a video call and discuss topics that AI cannot easily impersonate to confirm the other party’s identity.
Group Introductions: Passing on Trust Relationships
Alice and Bob communicate through Signal based on trust and safety codes. After a period of time, Bob wants to introduce his friend Carol to Alice. Should Bob give Carol’s contact information to Alice or vice versa? Should they use phone numbers or usernames?
Neither. The correct approach is for Bob to obtain consent from both Alice and Carol and establish a group of three, clearly explaining the background before allowing direct communication between the two.
As mentioned earlier, Signal allows phone numbers to be unlinked from usernames, serving as a bridge between two people without the need to disclose both parties’ phone numbers. Furthermore, in Signal’s network of relationships, Bob may not necessarily have the phone numbers of both parties, and even if he does, it does not necessarily link to their Signal identities. As for usernames, they are only used to start conversations, and Bob will no longer see Alice and Carol’s usernames afterward. Even if there were previous records, they may have been updated, or the usernames may have been taken by another user. Without confirming with Alice and Carol first, giving out their usernames might introduce other people by mistake.
Lastly, and most importantly, trust is a web, and group introductions can connect the trust between Alice and Bob, Bob and Carol, allowing both Alice and Carol to trust each other. Note that this trust refers to “that person is really that person,” not the integrity of both parties. Conversely, imagine when Alice receives a request from a stranger to start a conversation, how can she determine whether to accept it? Even if Bob has informed Carol beforehand about the coming message, how does Alice know that the stranger is indeed Carol as mentioned by Bob? Carol needs to prove her identity.
You may say that the chance of a fourth person impersonating Carol around the same time is very slim, accusing me of overthinking. I won’t argue here, but I encourage those with such thoughts to consider another perspective. Building a group to introduce new friends, connecting Alice and Bob, Bob and Carol, is more in line with social etiquette rather than letting two strangers talk to each other.
It’s not a bug, it’s a feature
Signal is a communication tool that prioritizes privacy and security. I have heard many criticisms that some aspects of Signal’s design are cumbersome and less convenient than some mainstream tools, but in fact, these are deliberate decisions made after careful consideration. If you can deeply understand Signal’s design philosophy of “minimal data, maximum privacy,” you will understand that in most cases, “it’s not a bug, it’s a feature.”
I deleted my WhatsApp account over seven years ago and have relied on Signal ever since. I have much more to share about it, whether it be more in-depth than this article or some basic tips. If you are interested, please feel free to leave a comment and let me know if it’s worth continuing.
Source: “It’s not a bug, it’s a feature”