Video by Lauren Feeney
Whether your private conversations are personal, professional, or political, what you say or type into your phone may be of interest to snooping governments, both foreign and domestic. Criminals might be interested as well, especially when you send someone a password or credit card number. There are others you might worry about too: You might want to apply for a job without your current employer finding out. You might discuss something with a lawyer. You might talk to your friends about attending a protest, getting an abortion, or buying a gun. You might send private selfies to your partner that you don’t want anyone else to see. You might be dating someone new and not want your coworkers to find out. The list goes on.
Fortunately, privacy is a fundamental human right.
Unfortunately, most ways that people communicate with their phones — voice calls, SMS messages, email, Facebook, Skype, Hangouts, etc. — are not as private as you might think. Your phone company, internet provider, and the corporations that make the apps you use to communicate can spy on what you say. Your chats can be accessed by police, the FBI, and spy agencies like the NSA. They can also be seen by anyone who can pick up your phone and sift through it. Some of them can even be read by anyone in a position to simply glance at your phone’s lock screen and read the notifications displayed there.
But it’s possible to make sure that your private conversations are actually private. It starts with installing an app known as Signal, and getting your friends to install it too. Then you’ll want to tweak the settings to lock everything down.
The Signal app is easy to use, works on both Apple’s mobile operating system iOS and Google’s Android, and encrypts communications so that only you and the people you’re talking to can decipher them. It also has open source code, so experts can verify its security claims. You can download Signal from the Android Play Store and the iPhone App Store.
Although Signal is well-designed, there are extra steps you must take if you want to maximize the security of your most sensitive conversations. (I outlined some of these steps last year, but Signal has changed significantly since then.) There are also some useful features in Signal that you might not know about.
I discuss these at length below — and in the video above, created with Lauren Feeney.
If you wish to jump ahead to a specific section, you can click the appropriate link:
You can only send encrypted messages, and make encrypted calls, to other people who are on Signal. There’s not much point in having Signal if all of your most private texts are still going over unencrypted SMS, so get your friends to install the app, too.
If you’re an activist, get everyone at your next meeting to install the app. If you’re a journalist, tell your sources and editors. If you’re running for office, consider using Signal to communicate with your campaign staff.
Signal uses strong end-to-end encryption, which, when properly verified, ensures that no one involved in facilitating your conversation can see what you’re saying — not the makers of Signal, not your cellphone or broadband provider, and not the NSA or another spy agency that collects internet traffic in bulk.
But Signal’s encryption can’t stop someone from picking up your phone and opening the app to read through your conversations. For that, you need to configure your phone to require a passcode, or some other form of authentication, to unlock. You should also make sure that the storage on your phone is encrypted and that you update your phone’s operating system and apps promptly, which makes it significantly harder for anyone to remotely hack into your phone.
If you’re using Android:
If you’re using an iPhone:
Signal’s encryption won’t necessarily help you if other people can see incoming messages displayed on your lock screen. Displaying messages on the lock screen is Signal’s default behavior, but you should change this if your phone is frequently in physical proximity to people who shouldn’t see your Signal messages — roommates, coworkers, or airport screeners, for example.
Left: Signal notification on locked iPhone. Right: Signal notification on locked Android phone.
Here’s how to lock down your Signal notifications.
If you’re using Android:
If you’re using an iPhone:
Left: Hidden Signal notification on locked iPhone. Right: Hidden Signal notifications on locked Android phone.
After your encrypted Signal message is sent to someone, copies of the plaintext message exist in only two locations: on your phone and on the recipient’s phone. (Unlike other messaging apps, the Signal server never has access to your plaintext messages, and only stores your encrypted messages on the internet for a short amount of time.) This means that if you delete the message from your phone, and the recipient deletes it from their phone, the message will no longer exist. It’s a good idea to regularly delete old messages, especially if they’re part of a sensitive conversation. This way, if your phone ever gets searched, the conversations you don’t even remember having from a year ago — as well as the sensitive conversations from last week — won’t get compromised.
Signal lets you send messages that disappear from both your phone and the recipient’s phone after a specified amount of time (between 5 seconds and 1 week). This is useful when you and a friend both want to retain messages from your conversation for a short period of time. But keep in mind, nothing stops the recipient from recording the messages anyway before they disappear (like, by taking screenshots).
If you have contacts or Signal groups (more on that below) that you regularly send private text messages to, I recommend setting disappearing messages to 1 week. It’s also easy to temporarily enable disappearing messages and then disable it when you’re done, for example when you need to send someone a password.
If you’re using Android:
If you’re using an iPhone:
Messages are set to disappear after 5 minutes.
You can also manually delete individual messages, or whole conversations, from your own phone. Of course, this won’t delete them from the recipient’s phone — only disappearing messages will do that.
If you’re using Android:
If you’re using an iPhone:
Signal makes it simple to send people encrypted photos and videos (including animated GIFs!). While you’re in a conversation with someone, just tap the paperclip icon to browse your photo library, or access your camera directly.
But Signal also includes a subtle security feature: If you take photos or video with your camera from within the Signal app itself, these won’t automatically save to your phone’s library. Likewise, when you receive a Signal message containing a photo or video, this also won’t automatically save to your phone’s library. If you’d like to save a photo to your library, you can long-press the photo and choose to save it.
Why does this matter? Many people automatically sync all of the photos and videos on their phones to iCloud, Google, or other cloud services. And people often allow other apps on their phone, such as Facebook or Instagram, to access their photo library as well. While convenient, this means that, after you’ve uploaded your photos to a cloud service provider, that provider can access them as well. And by extension, so can anyone who can convince the provider to hand over your data, like a law enforcement agency, or who hack your account, as in 2014, when nude photos of female celebrities were published online after their iCloud accounts were compromised.
So, if you’re taking a photo of a top secret document to send to a journalist, or if you’re taking a sexy selfie to send to your bae, make sure to take these photos directly from within the Signal app — this way, they’ll have the same level of encryption and privacy as the rest of your Signal messages.
One of the most useful features of Signal, in my experience, is the ability to create encrypted group chats. Anyone can create a Signal group and add as many people as they’d like, and everyone in the group can send encrypted messages to everyone else. As with one-on-one Signal conversations, group chats support disappearing messages as well as photos and videos. Here are a few cases where Signal groups can prove useful:
Here’s how to use Signal groups.
If you’re using Android:
If you’re using an iPhone:
While Signal groups are useful, they’re not without problems. Hopefully these will improve in the future, but as of this writing:
In addition to enabling secure text messaging, Signal can also be used to make encrypted voice and video calls. While you’re in a text conversation with someone, just tap the phone icon to call them. When they answer, you can just start talking to them like on a normal call, but with the assurance that the Signal call is end-to-end encrypted. If you’d like to start a video call, tap the video camera icon on your phone during a voice call to turn on your camera. That’s it.
When you make a voice or video call, it’s possible for the person you’re calling to see what your IP address is, which could be used to learn your location. This probably doesn’t matter most of the time, but occasionally it might — for example, maybe you’d like to have a secure call with someone, but without letting them have any way of knowing what country you’re currently in. Signal has a feature that allows you to relay your calls through their server so that the person on the other end of the call can only see the Signal server’s IP address, and not yours. If you enable it, it will slow down your connection slightly, which might reduce the call quality. Here’s how to enable it:
If you’re using Android:
If you’re on an iPhone:
Most people sync their phone contacts to iCloud, Google, their employer, or other cloud services. This can be very convenient: If you lose your phone and buy a new one, you don’t lose all of your contacts. But this means that your contact list is accessible to the service providers you sync to — and by extension, it’s also accessible to law enforcement that can send data requests to those service providers.
You might have some contacts that you need to talk to securely, but don’t want those phone numbers ending up in your contact list. For example, if you want to leak something to a journalist without becoming a suspect in a leak investigation, you’ll need to avoid having the journalist’s phone numbers in your contacts that get synced to the cloud.
Signal allows you to start conversations with people that aren’t in your contact list. To do this, open the Signal app, tap the pen icon to start a new conversation, and type a phone number in the search field. If that phone number has a Signal account, you can then send an encrypted message — without adding the phone number as a contact in your phone.
Sorry if this section is confusing for you — the inner-workings of encryption are always somewhat confusing. The important part is that you learn how to verify safety numbers below.
I said earlier that Signal ensures your communications stay private when it is properly verified. Using Signal properly involves verifying that your communications are not subject to a “man-in-the-middle attack.”
A man-in-the-middle attack is where two parties — Alice and Bob, for example — think they’re speaking directly to each other, but instead, Alice is speaking to an attacker, Bob is speaking to the same attacker, and the attacker is connecting the two, spying on everything along the way. In order to fully safeguard your communications, you have to take extra steps to verify that you’re encrypting directly to your friends and not to impostors.
You and each of your Signal contacts share a unique “safety number.” For example, Alice has one safety number with Bob, but she has a different safety number with Charlie. When Alice compares the safety number she sees on her phone with the number Bob sees on his, if the numbers are the same, that means the encryption is secure. But if the numbers are different, something is wrong: Maybe Alice is seeing a safety number between her and an attacker, or Bob is seeing a safety number between him and an attacker, and this is why they don’t match.
Because it’s unlikely that anyone is trying to attack your encryption the very first time you send a contact a message, Signal automatically trusts the first safety number that it sees for each contact. (If you discuss anything sensitive, you might want to confirm anyway).
To verify that your encryption is secure, first navigate to the verification screen:
Left: Safety number verification screen on an iPhone. Right: Safety number verification screen on Android.
There are different ways to verify with a friend that your safety numbers match. It’s easiest to do when you’re in the same room, but it’s also possible to verify remotely.
Verifying a Contact In Person
If you’re able to meet up in person, one of you simply needs to scan the other’s QR code. Android users tap the QR code circle to scan, and iPhone users tap the “Scan Code” camera icon at the bottom to scan. Point your camera at your friend’s QR code to scan it, and if it’s successful, that means your encryption is secure.
Verifying a Contact Remotely
If you can’t meet up in person, you can still verify that your safety numbers match remotely — however, it’s kind of annoying.
You need to share the safety numbers you see with your contact using some out-of-band communication channel — that is, don’t share it in a Signal message. Instead, share it in a Facebook message, Twitter direct message, email, or phone call. You could also choose to share it using some other encrypted messaging app, such as WhatsApp or iMessage. (If you’re feeling paranoid, a phone call is a good option; it would be challenging for an attacker to pretend to be your contact if you recognize their voice.)
Once your contact gets your safety number, they need to navigate to the verification screen and compare, digit by digit, what you sent them with what they see. If they match, your conversation is secure.
For both Android and iPhone, you can tap the share icon in the top-right corner of the verification screen to share your safety numbers using other apps, or to copy them to your phone’s clipboard.
Verifying a Contact Who Gets a New Phone
From time to time, you might see a warning in a Signal conversation that says “Safety number changed. Tap to verify.” This can only mean one of two things:
The latter is less likely, but the only way to rule it out completely is to again go through one of the verification processes for text contacts described above.
While you need to install Signal on your phone to begin with, there’s also a desktop app you can install on your computer. It doesn’t have all of the features that the mobile app has — you can’t make calls or modify groups yet. But it can make using Signal much more convenient, especially if you’re like me and are in front of your computer all day long, and rely on Signal for work.
The desktop version of Signal is a Chrome app. So first, you need the Chrome web browser on your computer. Then you can install Signal from the Chrome web store. When you first set up Signal on your desktop, follow the instructions to connect it to the Signal on your phone.
Keep in mind that, by setting up Signal on your computer, you’re opening up new avenues for attackers to read your private Signal conversations. Think of it like this: When you just use Signal on your phone, if someone wants to read your private conversations, they have to hack your phone. But if you use it on both your phone and your computer, they have to hack either your phone or your computer, whichever is easier — and, because of the differences in how desktop and mobile operating systems are designed, chances are it’s easier to hack into your computer.
Your Signal data is also stored more securely on your phone. On Android and iOS, your Signal messages — and your encryption key — are stored within the app, and no other apps have access to it. But on Windows, macOS, and Linux, this same data is stored in a folder on your hard drive, and nearly all of your apps have access to it. So, in some situations, it might be prudent to choose not to use Signal on your computer at all.
Sorry but the NSA can in fact intercept data transmitted over Signal.
People have been using mobile phones for thousands of years. There is no way we can communicate or do anything with one another without one.
Adverts from The Intercept, eh?
Perhaps a well-rounded article might have mentioned *several* apps & solutions that exist within this space. Perhaps at least a link to eff.org’s ‘Surveillance Self-Defense’ (https://ssd.eff.org/)…?
eg. The Tox technology is peer-to-peer with several ‘announcement’ servers around the globe…
Anything that is *centralized* should always be regarded as highly suspect, because the day that quantum computing becomes available to NSA, then Signal will be useless, *because* it is centralized.
What will happen to NSA itself then? Isn’t it centralized?
What about Windows Phone?!
@Micah, I understand Signal on Chrome browser is safe (and I use Signal on my Android) but I am interested in what you think of Chrome in the context of privacy? For me, anything Google is the Privacy Antichrist, and that has to include Chrome, so I don’t have it on my PC. I use Tor and Firefox with a gaggle of privacy plug-ins.
Is there a browser privacy-comparison you could point to, or do you plan one?
Like you I use TOR, firefox, as well as tails, and protonmail.
With Googles past history of collaboration with NSA, I don’t trust anything associated with them. If the government has backdoor access to their servers it stands to reason they can get anything they want.
Your comment is stupid. Every US company cooperates with the US govt. that’s the law. Eschewing Google for that reason proves only that your tin foil hat is on too tight.
@Joe @Dave Well, Google is pretty much the US Government at this point. Read, ‘When Google Met Wikileaks’ by Assange. When you store anything with Google, it is with the US Government.
I read that document back when it was released in 2012. There was nothing damning about it, else why would the CEO approve it’s release? Stop believing all the anti government hysteria and propaganda. It’s good to keep some sane perspective.
You’re the moron here. While all tech companies collaborate in one form or another, everyone but YOU admits Google is the worst, and only little sphincter-sucking sheep tell people not to be suspicious of the Govt.
YOU probably voted for Obama twice (and for Hillary or Sanders twice as well, you little DS).
@Joe – Dave’s comment is not at all stupid. I hope your comment that every US company cooperates with the US govt is not true – I don’t get that impression from Ladar Levison, Signal, Spideroak. But it is probably largely largely so gives a cast-iron imperative to avoid US IT as much as possible. if you don’t like being mass-snooped on by govt weirdos. Non-5-eyes VPN, non-5-eyes end-to-end cloud, Swiss email, Linux non-US distros. And where not possible, use open-source – plenty of password managers, browsers etc available. Non-US IT business has taken a serious hike since 2013 – make good use of it; boycott US IT!
Google stock is up 30% this year. You and a couple of other lunatics avoid it, for the wrong reasons, while the world carries on. “non 5 eyes VPN” … Don’t make me laugh. you’re probably one of those idiots that signs up for PIA or whatever Romanian shell company of the week sets up a service, and think you’re safe. You would have been safer using Google. Ironic.
Hey Joe,
Clapper called, he said when you are finished blowing Bill Clinton, he’s ready for you. BRING YOUR GOOGLE EMBOSSED KNEEPADS.
You can use Chromium, its a chrome FLOS fork, it is not using googleservices.
Hi Micah,
I was wondering if you saw the movie the Circle and your opinion of it?
thanks!
these articles are all “use the cool security warez that you only read about here” … that are probably set up for one-click browsing at the nsa
February 23, 2016 Apple’s Little Secret: There Is Already A Backdoor Installed On Your iPhone
A leaked White House memo reveals that the NSA already have a tool that allows them to bypass security on iPhone devices and access private user data.
http://yournewswire.com/apples-little-secret-there-is-already-a-backdoor-installed-on-your-iphone/
Fake fucking news. Fuck off, spammer.
January 10, 2014 *500* Years of History Shows that Mass Spying Is Always Aimed at Crushing Dissent *It’s Never to Protect Us From Bad Guys*
No matter which government conducts mass surveillance, they also do it to crush dissent, and then give a false rationale for why they’re doing it.
http://www.globalresearch.ca/500-years-of-history-shows-that-mass-spying-is-always-aimed-at-crushing-dissent/5364462
Jun 7, 2013 William Binney – The Government is Profiling You
https://youtu.be/qB3KR8fWNh0
1. Can you get any more of a stereotypical IT nerd to do a video? I feel like I am watching a “nerd” from Saved by the bell.
2. This isn’t exactly true. If this guy listened to his own companies podcast you would have heard Assange comment that this makes the signals secure in transit but it does absolutely no good if the device itself is compromised. Which is the S.O.P of these organizations in how they get info from devices.
^THIS!
Send this to family
Useless if they have hacked the base device operating system or I/O sub systems as they have the messages and video before its encrypted and after it has been deciphered for display on the device
I didn’t find it in the Apple Store but I did find it in google apps. Now the CIA will never know what I buy on craigslist?
credit card purchase info has been going thru the pentagon since 1995 – so i heard. If you are in business and are getting special pricing for products, your competitors will want this info. Purchasing power is #1 in retail sales. You should talk to AMEX about this as they may have better control over what info is available to whom. Price protection is key.
Thank you so much ! I didn’t know it was so easy to protect myself. The only problem is that when I tried to find it on the Apple App Store to use it for my IPad I could only findthe guide not the actual app. I looked through everything . I looked under signal and I looked under private messanger
Why the hell is The Intercept pushing this BULLSHIT story? The latest Wikileaks Vault 7 archive clearly shows that the CIA has the ability to root all iOS and Android phones *pre encryption*.
If you possess even the slightest grip on reality and a smidgen of civil courage, you are probably not a US citizen a target of constant surveillance, state organized stalking, and even outright torture; no encryption application is going to help keep your compromised iOS gadgets’ communications secure.
Obviously, Mr. Lee and the rest of Open Whisper System’s marketing department possess neither the slightest grip on reality nor a smidgen of civil courage, and if you are so boring you “have nothing to hide”, Signal is just the thing for you.
Signal is of zero value to people who actually need and deserve privacy.
That markup was meant to be “… you are probably
not a US citizena target of constant surveillance, …”Signal sucks. Any service that relies on a unique identity, ie phone number, sucks. Setting up XMPP on a server takes minutes; hours if you’re a beginner, but you will be much more secure, if you’re a capable sysadmin.
signal is a COMPLETE PIECE OF SHIT.
1) You need a phone number
2) you need to install google garbage if you wamt to run it on real computer, not your shitty phone
3) all trafic goes through signal servers and the metadata goes to the NSA.
early humans, living as they did amongst each other all the time, had pretty much zero privacy .. except inside their own heads
today we barely have even that, as technology threatens to tear open the human mind … revealing that all people are pretty much equally boring
“…privacy is a fundamental human right.”
Where and When was that indicated?
Now see, if I were a Harriet Tubman or Frederick Douglass I might think it actually possible someone wanted to have a secure chat with me; go buy a phone and stuff.
illegal goods and services are not encryptable.
Criminals of organised crime communicate with tossers which are plain speech and text.
Those who use encryption are easily mapped with their hardware id’s and their dealings involve customers and plenty of plain sight evidence that standard police procdure is sufficient.
if you do business on the phone, and you have competitors that could benefit from knowing your conversation, you would be foolish not to encrypt. Lawyer and client? same thing. Election campaigns? especially.
Wallstreet corporat espionage thieves work with some nasty people and do anything for money. If you have a business that has huge potential, beware. They lie, they cheat, they steal. Robbing you is no problem for them. Stay secure.
Can we add signal and able to use signal without a phone number? That would be the something the USA government does not want buy is time to communicate without phone numbers would also be even better and have the option of both but one we can communicate without phone numbers so anyone with a cell phone and just wifi can use signal(my idea and this idea the USA government will not like)
Wikileaks revealed in vault7 the USA government hacks the both end points or both cellphones before you use signal. Glenn why are you not telling the people this as the USA documents proved it. The signal communications, as I shared it a long time ago, are hijacked as you type on your cell phone because they hijacked the phone, hardware and software systems.
my guess is that phone numbers are just cross-reference id’s for account numbers and routable ip’s. If there is a conjob, it would be that their billing on time connected is a ruse if they are actually using http styled connects. Frankly, a voice device running any video or texting software on a public ip issuer would much more efficient and cheaper.
i would also guess that defeating key loggers is a matter of assigning different keystroke id’s
Hey Alejandro. Full disclosure I’m not a Signal official or anything but I use the app and am a fan of it. As of now you can’t use Signal without a phone number. This is because Signal aims to make an app that is extremely easy to sign up to get e2e encryption as widespread as possible. Its focus is security, not anonymity, and it does very well in that field. If you do want anonymity however I’d suggest signing up for Wire over web not mobile. If you sign up on the website I don’t believe you have to give a phone number or email, and if you do have to provide an email you can make a throwaway one online.
Also I wouldn’t worry about Signal having your phone number. They got served with a subpoena by a grand jury for all the info they have on two individuals (identified by law enforcement by their phone numbers) and all Signal could provide was the date they (only one, the other didn’t use Signal) created their account and the last day they logged in. No messages, locations, any other identifiers etc. Basically it was useless for law enforcement. You can find info on the case if you look it up, I’m not sure if I can post links here.
About Vault 7 the claim that the CIA can BYPASS Signal is true, but they haven’t broken it. If they specifically target your phone, which is high risk and expensive, they can bypass anything and that doesn’t have anything to do with Signal. If they can get access to what you type as you’re sending it it doesn’t matter what you use, nothing can save you. You have to get a new phone. I believe WikiLeaks was misleading by tying that revelation to Signal and encryption apps. It’s common knowledge that if you have a key logger on your device you’re screwed, that’s not new information.
99.999% of people reading this article aren’t important enough to have their phones hacked. Stop your paranoia.
You can use Threema. There you do not need any phone number and you can verify your contact using a QR-Code. Seems pretty secure.
does this mean that softie is going to get their lobbyists to petition the elected whores to write and pass a law that says if you dont use SKYPE to communicate, you get charged and go to prison?
This is a good start. For the last few years the act of sending someone a encrypted email took me to these great lengths to explain something that is very easy to do, and of course people always whinge and complain. It’s too hard or whatever. My response, it’s one extra step, we have our keys all you have to do it is use 265 AES and for the receiver even less of a step. It becomes seamless
The chaff going around the web is obviously from shills, they can decrypt you with super computers -uhm no they cannot- trying to discourage end to end encryption that snoopers cannot read. And they, governments, have good reason in their minds, it’s not terrorism, that is less than 20% of their concern, how dare we go around privately communicating with each other!
There is no easy user-friendly way for an organization or group of any kind to set up a robust system of private digital communications and data access for its members. Pretending that there is merely generates a false sense of security.
After all, all the metadata (sender, recipient, time etc.) is open to internet service providers and thus to government agencies; the apps themselves may be compromised covertly by government agencies with backdoors; the phones used by sender and recipient might be compromised by malware from anywhere that captures keystrokes and screenshots; hence none of these strong end-to-end encryption apps guarantee private conversations.
The bottom line is that to create a reasonably secure digital environment for communications, data storage and use, etc. etc. you have to put in a lot of time and effort and get an education in all kinds of subjects – and even then, complete failure is still possible (hence back everything up if important to you). Here’s a good example of how to go about that, with caveat:
http://focus.forsythe.com/articles/364/7-Key-Elements-of-a-Successful-Encryption-Strategy
It all comes down to, what is the Internet anyway? A fantastic invention for sharing information between people on all subjects( the OpenSource/Aaron Swartz vision), the greatest marketing and advertising platform ever built (the Facebook/Google agenda), or the kind of mass surveillance and public manipulation system that George Orwell imagined in 1984 (the NSA/nation-state agenda)?
Correct.
Applications can’t hide from the operating system.
Period.
Microsoft Windows user I see? Then you will say no it’s the BIOS in the chip on the motherboard, then you will say where’s my tinfoil hat?
Snowden says that’s rubbish and a smokescreen from daft people for daft lazy people or industry shills.
You see nothing except that which is in your feeble imagination. And you don’t want to get into an argument with me about digital security — at least not with knowledgeable neutral judges.
I don’t know exactly what Ed Snowden says, upon which you appear to be relying, but (1) it’s unlikely that you are capable of fully understanding it; (2) I greatly respect Snowden and admire his skills as well as his bravery, but he is not the God of the Internet, and I was doing systems engineering before he was born; (3) As is the case with Micah, below, Snowden wouldn’t challenge what I’ve asserted above.
Now, do fuck off.
@ Gravaman:
Professor Salzmann is normally a highly knowledgeable and respected member of the Intercept Community, and you should respect his bombastic views like I usually always do. He is usually a very humble bloke, but on some occasions like this one he does appear to have an outsized ego. Please do forgive his transgressions, like Trump is overlooking Mad Kim”s right now, since he means no harm.
Professor is right about the OS in that your device can be hacked to transmit to a third party practically everything that shows up on the screen. A van parked innocuously in front of your house, or a drone hovering overhead, can read the electromagnetic signals that make your screen visible. So it is meaningless what you encrypt and how you do it. Some years back we caught the nasty Russians doing this from an apartment near the Pentagon, which is why our SCIFs now have to be electromagnetically shielded from snoopers.
NSA is now stepping up funding for Neuralinks, so some day all this encryption business will be passe. Till then enjoy the make-belief world of encrypted privacy.
the funny thing is this text scrambling nonsense – and the idea that it cannot be reversed given resources and time. I tell you, if these security blokes had real imagination, they would scrible onto wrinkled paper, send it thru a fine crosscut shredder, and SEND.
Well said.
Yup. It’s also true that all operating systems have weaknesses, they can all be hacked. But, obviously, this doesn’t mean that when we use operating systems and applications to communicate, we shouldn’t try to make it secure.
I’m not arguing with you, this time, Micah. I’m just making an important, fundamental point that you should always emphasize when writing these pieces.
You don’t, IMHO, always adequately do that.
And another little detail. Applications and OSs running on compromised/sabotaged hardware are hoplessly comprmosied. All intel and amd hardware is fully backdoored with the IME and such, and expect the same thing or from phone manufacturers.
That’s why you use a free as in freedom OS like Linux or BSD, not shitty MicroCock WangBlows or bullshitOS.
Not an option on any widely-available smartphones, now, is it?
Unfortunately not, but one can always use the phone to tether only. Of course laptops have Intel ME and other rootkits, but that’s another risk.
Been using Signal since it was known as “TextSecure.” Fantastic app for messaging, encryption benefits aside.
I especially like being able to set colors for different groups. Employer, parents, etc, are all set to red. This colors every interaction with people in these groups, so I know when I see red to double check what I’m sending. Wife and best friends are set to green, which means I don’t really have to worry when I’m composing messages and see that color.
The encrypted phone calls are especially useful if you are somewhere without cell service but do have access to wifi. Even more so when your service provider doesn’t have a quality voice over data option.
And being able to use your computer for messages if your phone is lost, dead, or stolen, is fantastic.
Basically it’s a great app, even if you don’t have anything to hide.
Anytime you log onto a wifi esp a public wifi, you are at risk for being hacked.
If you’re going to go to such lengths for all this, why choose an option that requires such a public identifier as a phone number?
good point.
This is a great question. The main reason is because Signal is very easy to use by anyone. You just install it, and you can start texting your friends right away. You don’t need to make an account, or understand anything about encryption — it just works. This isn’t quite true with many other tools, like ChatSecure — which is also a great tool, and for some use cases a better option than Signal.
There are some situations where using phone numbers as identifiers isn’t so good, and Signal isn’t the best tool to use in those cases. But for everything else (which is the vast majority of mobile communications, I think), Signal is an excellent option.
Signal seems useful but has several limitations:
https://arstechnica.com/information-technology/2016/12/signal-does-not-replace-pgp/
And
Probably useful for keeping some teenage cybercriminal from hacking your private photos, but anyone who thinks this prevents nation-states and government agencies from reading over your shoulder is deluded. The best advice is probably this:
“So, I will continue to treat all of my digital communications as if someone was listening and if I need to have a private conversation, I will do so by other other, usually Analog, means.”
I think the idea is that if enough people use it for basic communications, it becomes a much larger and more opaque haystack to sift through.
Snowden himself thinks that encryption works, when used properly.
It also depends a lot on what you need it for. I do the bulk of my communicating via text. It makes sense for me to harden that. If I were a highly public investigative journalist, I’d probably rely more on PGP over email.
And to your last point, it likely will keep a nation state from reading over my shoulder. I am not a high priority for my government. They are not going to expend resources to compromise my phone’s operating system. Given that, if my option is no privacy, or almost certain privacy, I’ll go with the latter.
I think your comment is interesting especially this: “I am not a high priority for my government.”
That’s precisely whay a comprehensive mass surveillance program intends to ensure. What makes ordinary citizens into “high priorities?” Do you think publicly questioning the legality of government activities might turn you into a “high priority?” You might get labeled as a subversive dissident and be flagged for intrusive surveillance and all your communications stored long-term at the NSA Data Center. If you ever applied for a government job, that flag would pop up. This encourages people to self-censor their views and statements out of fear of retaliation. It is a program for turning human beings into sheep.
But yes, everyone should go ahead and use encryption by default, it’ll likely keep the creeps at 4chan from leaking private nude photos and so on, but if you are say, organizing a protest against the Keystone Pipeline, it’s not going to ensure confidentiality. And this is the larger point: governments don’t want opposition from their citizenry, particularly oligarchic & plutocratic & authoritarian governments (like the one running the United States today).
But people should realize that the long-term consequences to themselves of allowing such governments to act unchecked are far, far worse than the short-term difficulties created by opposing said governments. This is what history teaches us; look at what happened to Germans under Hitler or Russians under Stalin? You have to nip these bastards in the bud.
Signal is for security, not anonymity. If you want anonymity there’s Wire or XMPP