Are we safe with Signal?
This is the third in a series of articles about the relative advantages and disadvantages of different secure messaging systems for mobile telephones. The first article considered WhatsApp. The second article considered Telegram. This article considers Signal.
The problem you have to understand with Signal is that there must be something wrong with it or it would not make any money advertising what it says it does. Signal came to the market in 2014 from a software consortium called Open Whisper Systems with various public interest ideals. However they do not own Signal anymore. Take note of this.
The essence of Signal was to create an end-to-end Pretty Good Privacy encryption Application for secure messaging, calls and the sending of files. To prove that their encryption was uninhibited and they had no back doors, they published their source code. Almost overnight, Signal became the spies' messaging Application of choice: so much so that intelligence agencies actually banned their own officers from installing it or using it. Nevertheless many did; and intelligence agents (the real spies that the civil servants manage) had no intention of complying with government intelligence service decrees about which messaging applications they could use.
Governments had to do something about this, because they wanted to engage in surveillance not just of all their spies but of lots of other people using Signal for various purposes (e.g. the commission of serious crimes). However it took them a long time to work out how to fight the Signal disease. In the end a US company bought Signal with US government money. And then the state could start playing around with Signal.
The way they did it was subtle. Nothing changed superficially, and indeed a Signal Application interface looks much the same now as it did in 2014. However the code downloaded onto the phone was just changed; so it is different, in invisible ways, from the code that Open Whisper Systems originally published as open source material.
The net result is that the Signal Application on your mobile phone in 2022 has a backdoor installed by the United States government, so they can read and record your Signal communications if they want to. And as with all backdoors, once you create one then other people will discover it and exploit it as well.
We do not currently have an accurate list of which countries' security and intelligence services have access to the Signal backdoor; but it may be longer than you think. The simple fact of knowledge of it implies that access to it will be somewhere on the darknet most likely.
Signal's security is therefore somewhat similar to WhatsApp; save that it does not have the address book security flaws that WhatsApp has, because it is not a commercial product and therefore it does not need to sell people's address books. Rather it is a disguised US government product. And the US Government wants to keep it that way, so that people wanting to commit wrongdoings think they can use Signal as a 100 per cent safe messaging system whereas in fact it is nothing of the kind. It is pretty good; but if a determined and sophisticated government wants to spy on your Signal communications, they can do.
Signal is not immune to Pegasus (see our first article on WhatsApp to understand what Pegasus is and does).
Signal's software is a bit clunky. Nevertheless it is a reasonable choice for tolerably secure messaging, subject to all the foregoing provisos.
Few people use Signal in practice, because (a) people who want an easy-to-use messaging Application will not be impressed with Signal's lack of versatility; and (b) people who are really serious about secure messaging know that there are better products out there, as we shall come to explore in later articles in this series.