For nearly a decade, cybersecurity professionals and privacy advocates have recommended the end-to-end encrypted communications app Signal as the gold standard for truly private digital communications. Using it, however, has paradoxically required exposing one particular piece of private information to everyone you text or call: a phone number. Now, that’s finally changing.
Today, Signal launched the rollout in beta of a long-awaited set of features it’s describing simply as “phone number privacy.” Those features, which WIRED has tested, are designed to allow users to conceal their phone numbers as they communicate on the app and instead share a username as a less-sensitive method of connecting with one another. Rather than give your phone number to other Signal contacts as the identifier they use to begin a conversation with you, in other words, you can now choose to be discoverable via a chosen handle—or even to prevent anyone who does have your phone number from finding you on Signal.
The use of phone numbers has long been perhaps the most persistent criticism of Signal’s design. These new privacy protections finally offer a fix, says Meredith Whittaker, Signal’s president. “We want to build a communications app that everyone in the world can easily use to connect with anyone else privately. That ‘privately’ is really in bold, underlined, in italics,” Whittaker tells WIRED. “So we’re extremely sympathetic to people who might be using Signal in high-risk environments who say, ‘The phone number is really sensitive information, and I don’t feel comfortable having that disseminated broadly.’”
In the new features—which are available in beta now, but which Signal plans to roll out in a more final version in the coming weeks—Signal has made three changes, one setting that’s now switched on by default and two that are opt-in features. First, by default, your phone number will no longer be visible in your Signal profile unless someone already has the number saved in their phone’s address book. Second, you can now choose to create and share a unique username, or a QR code that contains it, with anyone you want to connect with. Mine, for instance, is Andy.01. (Once someone does start messaging you, a little confusingly, they’ll see your chosen profile name instead of that username. That profile name, just as before in Signal, doesn’t have to be unique, and the person you’re interacting with can also change it in their own view of you in the app.)
The third new feature, which is not enabled by default and which Signal recommends mainly for high-risk users, allows you to turn off not just your number’s visibility but its discoverability. That means no one can find you in Signal unless they have your username, even if they already know your number or have it saved in their address book. That extra safeguard might be important if you don’t want anyone to be able to tie your Signal profile to your phone number, but it will also make it significantly harder for people who know you to find you on Signal.
The new phone number protections should now make it possible to use Signal to communicate with untrusted people in ways that would have previously presented serious privacy risks. A reporter can now post a Signal username on a social media profile to allow sources to send encrypted tips, for instance, without also sharing a number that allows strangers to call their cell phone in the middle of the night. An activist can discreetly join an organizing group without broadcasting their personal number to people in the group they don’t know.
In the past, using Signal without exposing a private number in either of those situations would have required setting up a new Signal number on a burner phone—a difficult privacy challenge for people in many countries that require identification to buy a SIM card—or with a service like Google Voice. Now you can simply set a username instead, which can be changed or deleted at any time. (Any conversations you’ve started with the old username will switch over to the new one.) To avoid storing even those usernames, Signal is also using a cryptographic function called a Ristretto hash, which allows it to instead store a list of unique strings of characters that encode those handles.
Amid these new features designed to calibrate exactly who can learn your phone number, however, one key role for that number hasn’t changed: There’s still no way to avoid sharing your phone number with Signal itself when you register. The fact that this requirement persists even after Signal’s upgrade will no doubt rankle some critics who have pushed Signal’s developers to better cater to users seeking more complete anonymity, such that even Signal’s own staff can’t see a phone number that might identify users or hand that number over to a surveillance agency wielding a court order.
Whittaker says that, for better or worse, a phone number remains a necessary requisite as the identifier Signal privately collects from its users. That’s partly because it prevents spammers from creating endless accounts since phone numbers are scarce. Phone numbers are also what allow anyone to install Signal and have it immediately populate with contacts from their address book, a key element of its usability.
In fact, designing a system that prevents spam accounts and imports the user’s address book without requiring a phone number is “a deceptively hard problem,” says Whittaker. “Spam prevention and actually being able to connect with your social graph on a communications app—those are existential concerns,” she says. “That’s the reason that you still need a phone number to register, because we still need a thing that does that work.”
The continued phone number requirement means Signal’s privacy upgrade is a compromise, says Matthew Green, a professor of cryptography and computer science at Johns Hopkins University who has in the past consulted for both Google and Facebook in their implementation of Signal’s open source encryption protocol. “It’s a half solution,” says Green. “It’s not a perfect solution.”
Green notes, however, that even if it doesn’t satisfy the most die-hard privacy advocates, it represents a significant improvement for a much larger portion of Signal’s hundreds of millions of users. “There’s a legitimate community of people who wanted to use Signal without giving other people their phone numbers, and they’re going to be very happy with this change. And then there’s a more hardcore set of people who don’t want to ever give their number to Signal,” Green says. “I think getting a big set of people serviced is the right direction, and working on satisfying all the other people is something for Signal to keep working on.”
Signal doesn’t currently have any road map toward dropping its use of phone numbers as a registration mechanism, Whittaker concedes—she says for now, there’s no alternative that wouldn’t sacrifice Signal’s usability, which she argues would represent a net loss for privacy advocates. But she says that the new phone number privacy features are nonetheless Signal’s careful attempt to solve the problem phone numbers represent without losing the qualities that have made Signal popular in the first place.
“It’s really about staying true to our principles,” Whittaker says. “In more and more ways—in better and better ways—to fill that promise of easy, usable, private communications.”
Correction: 2/20/24, 1:25 pm EST: Meredith Whittaker’s professional title is president of the Signal Foundation.