Viewpoint articles present diverse opinions and do not represent the position of “WEB3+”
In this era of social media, although I have accounts on all mainstream apps, deep down, I only use Signal and Proton Mail. I apologize to those who have messaged me on platforms like Facebook and Instagram and were ignored; however, those who read this article probably know how to contact me or can simply send an email to [email protected].
While more and more people have email addresses, the number of people actually using email is decreasing. As for instant messaging apps, people in Hong Kong use WhatsApp, people in Taiwan use LINE and Messenger, and people in mainland China use WeChat. This often leads to me being criticized for being too reclusive. Fortunately, in the past year, more and more people have started using Signal, from DHK’s Pro to the Vice President of the United States, making me feel more normal.
Here are three Signal tips for readers to test themselves. If you only know one or two of them, your awareness of information security needs to be strengthened. If you don’t know any of them, you may just be scratching the surface of using Signal.
Username: Another Line of Privacy Defense
Unlike WhatsApp, which identifies users by phone number, Signal lets users choose their own usernames.
You might not think this is anything special, as Telegram, LINE, and even WeChat have had usernames for a long time. However, the details of Signal usernames differ from mainstream tools, always prioritizing privacy. When setting up, it defaults to not showing your phone number to others and allows you to further disable the option to be found through your phone number, completely decoupling your phone number from your username.
For example, suppose Alice’s phone number is +852 9876 5432 and she sets her Signal username to alice.852, then turns off both showing her number and being found by it. Even friends she is already chatting with cannot see Alice’s phone number, and anyone who knows the number can still only start a conversation with her using alice.852 or the corresponding QR code or link. By using this feature, DHK’s Pro can maintain privacy in a Signal group of over a hundred people, without needing to disclose his phone number or see others’ numbers, unless the other party chooses to make it public.
It’s important to note that the display name and the username are different. The display name has the format “firstname lastname,” such as Alice Bee; it is the name or nickname shown to the other party, who can set a different one for their own identification. The username has the format of a name followed by a period and two or more digits, such as alice.852, and is used only to start a new conversation. Once two people are contacts, neither can see the other’s username, so privacy-conscious Alice can change her username as often as she likes without affecting communication with established contacts.
To set a username, click on the personal profile picture in the Signal app, go to Settings, and then click on the profile picture to modify personal information. Here, you can see the username you’ve set, the corresponding QR code, and link for easy scanning or sending.
Safety Number: Is “That Person” Really That Person?
Alice, using a username as an identity marker, has been communicating with her friend Bob through Signal. One day, Bob’s account is hacked, and a hacker pretends to be Bob when messaging Alice. How can Alice detect this?
Every conversation in Signal corresponds to a safety number, a 60-digit number known only to the two parties. When a hacker uses a man-in-the-middle attack to impersonate Bob, Alice will receive a message saying “Your safety number with Bob has changed” due to device changes. Security-conscious Alice will contact Bob through another method, even meeting in person to scan QR codes or verify numbers to ensure each other’s identities.
If you have ever seen the message “Your safety number with xxx has changed” in a chat box, didn’t understand it, and chose to ignore it, you are giving the impostor a chance to enter as Bob. Advanced hackers know how to bide their time, so even if you previously ignored a safety number change, you should verify the number and then mark it as verified. If you are a company executive, activist, or journalist (let alone a Vice President), you should be extra cautious.
Although safety numbers can effectively guard against account theft, they do not help if the other party’s phone is stolen or hacked, or if they are forced to unlock it. In those cases you have to rely on information security awareness. When you receive suspicious messages, such as requests for money, transfers, exchanges, or confidential information, don’t be afraid to request a video call and discuss topics that are difficult to fake with AI to confirm the other party’s identity.
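The following sketch is an added example, not part of the original article and not Signal's code. It shows why the safety number is the same on both phones and why it changes when the other side's identity key changes. The construction (iterated SHA-512, 30 digits per party) is modelled on Signal's publicly described design; the constants, identifiers, sample keys and the `observe`/`mark_verified` helpers are assumptions made for illustration.

```python
import hashlib

ITERATIONS = 5200                 # assumed work factor, modelled on Signal's public design
VERSION = (0).to_bytes(2, "big")  # assumed version prefix

def half(identity_key: bytes, stable_id: bytes) -> str:
    """30 decimal digits committing to one party's identity key."""
    h = VERSION + identity_key + stable_id
    for _ in range(ITERATIONS):
        h = hashlib.sha512(h + identity_key).digest()
    chunks = (h[i:i + 5] for i in range(0, 30, 5))
    return "".join(f"{int.from_bytes(c, 'big') % 100000:05d}" for c in chunks)

def safety_number(key_a, id_a, key_b, id_b) -> str:
    """60 digits; sorting the halves makes both sides display the same value."""
    return "".join(sorted([half(key_a, id_a), half(key_b, id_b)]))

def observe(store: dict, contact: str, number: str) -> str:
    """Trust-on-first-use check: compare against the number last seen."""
    seen = store.get(contact)
    if seen is None:
        store[contact] = {"number": number, "verified": False}
        return "first-use"
    if seen["number"] == number:
        return "verified" if seen["verified"] else "unchanged"
    # Key changed: new device, reinstall, or someone else answering as Bob.
    store[contact] = {"number": number, "verified": False}
    return "changed"

def mark_verified(store: dict, contact: str, number_read_by_peer: str) -> bool:
    """Set the verified flag only if the out-of-band comparison matches."""
    ok = store[contact]["number"] == number_read_by_peer
    store[contact]["verified"] = ok
    return ok

# Constructed sample keys and identifiers (not real Signal keys).
ALICE_KEY = hashlib.sha256(b"alice identity key").digest()
BOB_KEY = hashlib.sha256(b"bob identity key").digest()
BOB_NEW_KEY = hashlib.sha256(b"key on an unknown device").digest()
ALICE_ID, BOB_ID = b"alice-account-id", b"bob-account-id"

def demo() -> list:
    store = {}
    original = safety_number(ALICE_KEY, ALICE_ID, BOB_KEY, BOB_ID)
    events = [observe(store, "Bob", original)]
    mark_verified(store, "Bob", safety_number(BOB_KEY, BOB_ID, ALICE_KEY, ALICE_ID))
    events.append(observe(store, "Bob", original))
    replaced = safety_number(ALICE_KEY, ALICE_ID, BOB_NEW_KEY, BOB_ID)
    events.append(observe(store, "Bob", replaced))
    return events

if __name__ == "__main__":
    print(demo())
```

A changed number clears the verified flag, so the contact has to be compared again through another channel before it is trusted.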
Group Referrals: Passing on Trust Relationships
Alice and Bob have been communicating through Signal based on trust. After some time, Bob wants to introduce his friend Carol to Alice. Should Bob give Alice Carol’s contact information or vice versa? Should they use phone numbers or usernames?
Neither. The correct approach is for Bob to establish a group with Alice and Carol only after obtaining their consent, clearly explaining the background before allowing direct communication between the two.
As mentioned earlier, Signal allows phone numbers to be decoupled from usernames, so a group can connect the two without anyone having to disclose a phone number. Also, in Signal’s relationship network, Bob may not have either person’s phone number, and even if he does, the numbers may not be associated with their Signal identities. As for usernames, they are only used to start conversations; after that, Bob cannot see Alice’s or Carol’s username. Even if he has earlier records, the usernames may have been changed since, or taken by someone else. Giving out their usernames without confirming with Alice and Carol first could lead to introducing the wrong people.
Lastly, and most importantly, trust is a web of relationships. A group referral connects the trust between Alice and Bob with the trust between Bob and Carol, allowing Alice and Carol to trust each other. Note that the trust here refers to “that person really is that person,” not the honesty of both parties. Conversely, consider what happens when Alice receives a chat request from a stranger: how can she determine whether to accept it? Even if Bob has informed Carol in advance, how can Alice be sure that the stranger contacting her is the Carol Bob mentioned, and how can Carol prove her identity?
You may say that the chance of a fourth party impersonating Carol at around the same time is very slim, accusing me of being overly cautious. I won’t argue with that, but I encourage those who have such thoughts to consider another perspective. Building a group to introduce new friends, rather than allowing two strangers to chat on their own, aligns more with social etiquette.
It’s not a bug, it’s a feature
Signal is a communication tool that prioritizes privacy and security. I’ve heard many criticisms that some aspects of Signal’s design are inconvenient, not as convenient as some mainstream tools, etc. However, all these decisions were deliberately made after careful consideration. If you can deeply understand Signal’s design philosophy of “minimal data, maximum privacy,” you will realize that in most cases, “it’s not a bug, it’s a feature.”
I deleted my WhatsApp account over seven years ago and have been relying on Signal ever since. I have a lot more to share about it, from more in-depth topics to beginner tips. If you’re interested, please feel free to leave a comment and let me know if it’s worth continuing to write about.
Source: “It’s not a bug, it’s a feature”