Welcome to “Ask a security trainer,” the column where the Digital Security Training team at Freedom of the Press Foundation (FPF) answers your burning questions at the intersection of journalism and security. Submit yours here! Let’s jump right into this week’s question.

Dear DST,

I’ve been seeing this story in the news about U.S. Defense Secretary Pete Hegseth sending attack plans in Signal chats to the editor-in-chief of The Atlantic, who was apparently accidentally added to the group. While it sounds obvious why this is a problem, even I haven’t consistently identified everyone in some of the Signal groups that I’m in. How should someone go about identifying everyone in a group?

Signed,

Groupie

Hi Groupie,

Let’s say that your last name is not Hegseth, and your national security adviser doesn’t inadvertently add the editor-in-chief of the Atlantic to your secret-attack-plan Signal chat. You might still inadvertently message the wrong person when having a 1-to-1 conversation with someone.

Now amplify that problem in a group chat. On all major chat platforms, the more people you add to a conversation, the harder it gets to verify every person’s identity. But Signal does provide some options to help, especially if you can verify someone’s identity in person or over another trusted channel before initiating a conversation.

But first, let’s talk about some history.

Signal has avoided collecting much information about its users, including the list of contacts you want to reach. To avoid gathering information about who you are talking to, by default, it uses your phone’s contacts app to import your contacts privately on your own device.

But this also has a trade-off: For most of its history, Signal users had to use phone numbers as identifiers, which could put people into the uncomfortable position of giving their phone number away to simply speak over Signal. So, in early 2024, Signal introduced some new features to accommodate usernames, and to allow users to hide their phone number or even make it undiscoverable when initiating a conversation.

But now we have a new issue. Unlike a phone number, users can change their Signal usernames any time they want, so this makes it very important that you verify that someone is who they say they are before inviting them to a group.

This is why we recommend verifying someone’s identity on Signal over another trusted channel or in person. For example, if you are already connected to someone you’re certain you know on Instagram, you might send them a direct message on that platform to exchange Signal contact information.

Likewise, if you meet someone in person, you could use Signal’s “safety numbers” — a short code accessible from your conversation settings that represents your conversation’s encryption. Access safety numbers by clicking on an individual user’s name at the top of a conversation, and then tapping “View Safety Number.” If you both see the same safety numbers, you can be certain you’re talking to the right person. The easiest way to use safety numbers is to scan the QR code accessible in your conversation settings.

Screenshot of safety number settings within the Signal app.
Credit: Image provided by Signal.

If you receive an invitation to chat with someone, you will see information about prior groups you may have in common. This might add legitimacy, but there’s no perfect replacement for verifying someone over a channel you trust.

Screenshot from a Signal message reuqest that includes a text box reading, "Profile names are not verified" from a user labeled Maya Johnson who sends the text, "Hey!"
Credit: Image provided by Signal

You can also add nicknames and make notes to help keep track of each person you speak to on Signal. Tap “Nickname” from conversation settings with an individual user, or click on a person in a group chat’s conversation settings. From here you can change how their name will be displayed in your Signal app, and you can also add notes to help jog your memory about each person.

Screenshot from the nickname feature in Signal, featuring Jeffrey Goldberg, the editor-in-chief of The Atlantic. The notes field in the screenshot says, "Reminder: Do NOT add him to secret attack plan group"
Credit: Freedom of the Press Foundation (FPF)

The bigger a group, the harder it is to vet everyone in conversation. So if you’re not certain who you’re talking to, think carefully about what you’re willing to say in that group. Sometimes it’s worthwhile to start over and create a new group with only vetted individuals before speaking.

If you want to learn more, check out our post on Signal’s many identifiers. While you’re at it, dive deeper on maximizing your Signal privacy and security settings. Meanwhile, keep those secret attack plans to yourself.

Best,

Martin Shelton