Beyond Signal phone numbers

Martin Shelton

Principal Researcher

Header image with a graphic of Signal's "speech bubble" logo, with a pattern of silhouettes of phones in the background.

Many journalists rely on Signal, an encrypted messenger, to facilitate secure messaging, voice, and video calls. It’s generally regarded in the security community as the gold standard for its open development and end-to-end encryption, preventing even the developers from eavesdropping on messages. But traditionally, it’s also treated phone numbers much like unique usernames, creating issues for those who prefer not to share their phone number with other users. The good news: The team is now signalling that they’re moving beyond phone numbers.

Some history: How did we land on phone numbers anyway?

Most platforms, including many end-to-end encrypted platforms like WhatsApp, retain a fair bit of information about usernames and contact lists on their servers. This can be a helpful way to ensure you can log in, recover your contacts, and talk to friends on any device. Signal is doing something quite different.

Because it’s been architected to keep as little user data as possible, the Signal team avoided storing contact data on their servers. Instead, they relied on a contact list that you already own — your phone’s built-in contact list. Signal locally recognizes your phone’s contact list and places registered contacts within the app.

One byproduct of this decision is that phone numbers became the user IDs in this “social network.”

Because there are many situations where users might feel uncomfortable giving their phone number away, Signal users have come up with workarounds to avoid using their personal number in the app, such as registering Signal with a Google Voice or Twilio number, or with a secondary SIM card. For better or worse, this may also prevent friends from identifying each other over Signal.

Moxie Marlinspike, the creator of Signal, has argued that it was designed to use phone numbers to let users easily recover their contact network. If you ever reinstall Signal or switch to a new phone, you’ll be able to easily re-import your contact list, while also keeping that list off Signal’s servers entirely.

Storing access to your social network on Signal’s servers would open up new possibilities, but that wasn’t possible without additional privacy compromises. And that’s when Secure Value Recovery came along.

Why Secure Value Recovery matters

Signal has developed techniques to allow users to securely transmit a variety of data types without making it legible to Signal servers (e.g., user profiles, groups), but not contact lists. In late 2019, Signal announced that they were experimenting with a technology to solve this tricky problem. Through some novel architecture and encryption techniques, Secure Value Recovery makes it possible for users to store certain types of data on Signal’s servers, while also preventing the server itself from deciphering that data.

One way the server is prevented from reading your stored data is through the use of a split encryption key — one where Signal’s servers hold some parts, and you hold a part only on your device, together yielding one key that can decrypt your data locally on your device. Your key is represented by a simple PIN.

Prompt within Signal that reads, "Create a PIN: PINs keep information that's stored with Signal encrypted"

Recent updates introduce a PIN or alphanumeric code to protect recoverable data. Your data cannot be recovered without this PIN, so it’s especially important to remember it. Additionally, Secure Value Recovery enforces limitations on the number of times the user can guess before being locked out.

According to their blog, “PINs will also help facilitate new features like addressing that isn’t based exclusively on phone numbers, since the system address book will no longer be a viable way to maintain your network of contacts.”

For now, it’s unclear what these new addresses will look like, and when we will see them in the wild. What we do know is that, in this new world, users’ contacts can be recovered without a phone contact list. With no reason to use phone numbers as IDs, users will no longer need to share their phone numbers to use Signal.

Contemporary journalism depends on secure communication tools like Signal. Freedom of the Press Foundation is honored to have served as fiscal sponsor to Signal, and thrilled to see its progress. We look forward to seeing more in the future.

Support Signal today

Freedom of the Press Foundation is proud to have served as fiscal sponsor of Signal. Show your support by donating today.