Locking Down Signal: A Guide for Journalists
The encrypted messaging app, Signal, is quickly becoming a newsroom staple for communicating with sources, accepting tips, talking to colleagues, and for regular old voice calls and messages. While it’s a practical tool for anyone concerned with the security and privacy of their conversations, people working in newsrooms are particularly interesting targets, and should benefit from locking down Signal.
(If you’re not yet using it, learn how to get started here.)
Signal makes it easy to have a secure conversation without thinking about it. On its face, it looks and feels identical to your default text messaging app, but security experts so often recommend it because of what it does in the background.
First, Signal offers end-to-end encryption, meaning only conversational participants can read the messages. While regular phone calls or text messages allow your phone company to unscramble your conversations, even the team behind Signal can’t listen to them. You don’t need to take their word for it. Signal is open source, meaning the code is available for anyone to review. This also makes security audits simpler for independent specialists, who have torn apart the code and published findings that everything works as intended. Finally, Signal retains nearly no metadata — information about who spoke to whom, and when. (The developers proved as much in court.)
These are some of the advantages you want in an encrypted messaging app.
Because newsrooms can attract a lot of attention, journalists who already use Signal should consider hardening it against physical access, as well as unwanted remote access and network-based eavesdropping. So let’s talk about how.
Remote access and network eavesdropping
Confirm your connection security with safety numbers
Most messaging apps will not allow you to ensure the security of your connection with your conversational partners. But Signal allows you to verify that your session is encrypted to the right person (and not an eavesdropping third party).
First, open up a conversation with someone you want to talk to. Next, look for their “safety numbers.” These numbers represent the connection between your device and your conversational partner’s device.
iPhone users: Click your partner’s name (at the top of the screen) > View Safety Number
Android users: Click Settings (the “three-dot” menu) > Conversation settings > Verify safety numbers
You’ll see a your safety numbers and a QR code, representing the numbers.
If you and your conversational partner see the same numbers, your session is secure. You should verify your safety numbers over a different channel where you feel confident you’re talking to the right person, such as Twitter, Facebook, or Google Hangouts. If possible, exchange safety numbers in person.
If you and your contact are together in person, one of you can click “Scan code” on the safety number screen. Now, scan the other person’s QR code with your camera.
If you see a mismatch, something is definitely wrong and you shouldn’t talk over this channel. But chances are, your safety numbers will match. If everything looks good, mark your partner as “Verified.”
You won’t need to verify safety numbers again until someone resets the session. For example, when you begin using Signal from a new phone, you will get new safety numbers.
You’ll receive a notification if your safety numbers with a partner have changed. If this happens, use another channel to verify that the session is secured before you continue communicating sensitive information.
Using secondary Signal numbers
Signal treats your phone number like a “username.” But what if you don’t want to share your phone number? Journalists often want to use Signal to chat with sources, but may not want to use a personal phone number.
The good news: as long as no one else has registered it, we can register Signal with any phone number we have access to.
For those in the United States, the easiest way to set up a secondary number is with Google Voice. (Your Signal messages go over Signal servers, not Google servers.) First, go to voice.google.com and log in with a Google account.
From here, add a phone number you can use for verification. You’ll receive a text message with a verification code. Enter your verification code into Google Voice to complete your registration.
Now, register on Signal using this new phone number. You will receive a Signal registration code in your new Google Voice inbox.
In most countries you can use a secondary SIM card to create another number. Read this post by Jillian York of the Electronic Frontier Foundation to learn more. You can also use an online service called Twilio to create a number for as little as $1 each month. Learn how here.
Whether it’s your regular phone number or a secondary number, you’ll need to maintain access to this number. Why? If you lose access to the number and someone else re-registers it, now they own the Signal number.
You can lock in the registration for your Signal number, using Registration Lock.
iPhone users: Click Settings > Privacy > Registration Lock > Enabled
Android users: Click Settings > Privacy > Registration Lock > Enabled
Enter your preferred PIN. This PIN will prevent your number from being re-registered from a different device, so write it down or keep it somewhere safe. This might be a physically hidden notebook, or password management software. Signal will occasionally nudge you with a prompt to re-enter your PIN to ensure you still remember it.
iOS users: Keep your Signal history off iCloud
Signal allows you to see your call history from your regular phone app. This might be convenient, but will also allow your iPhone to sync this call history with iCloud, including who spoke to whom, when, and the call length.
If you use iCloud and you don’t want to share call history on Signal, confirm it’s turned off here: Settings > Privacy > Show Calls in Recents > Disabled.
Why you want disappearing messages
While Signal lets you delete individual messages, these messages will only be deleted on your device, and are still accessible by anyone else in your conversation. Instead, using Signal’s “disappearing messages” feature allows us to remove messages from a conversation automatically, after whatever amount of time we choose. This is particularly important for journalists concerned about messages on a source’s phone.
To turn on disappearing messages, first open a conversation.
iPhone users: Click on your partner’s name at the top of the screen to open the settings menu for this conversation. Click “Disappearing Messages.”
Android users: Click the settings (three-dot) icon in the top right corner. Click “Disappearing Messages.”
Move the slider to set the amount of time you’d like to keep the messages, between five seconds to one week. This works both for one-on-one conversations and group chats.
The weak points in end-to-end encrypted conversations are the “ends” — the physical devices where the messages arrive in human-readable text.
There are a few things we can do to lock down our devices.
Password protect your device
Encryption won’t help with someone who gets access to your unlocked phone, so you’ll want to password protect your device. Exit Signal and turn on a passcode.
iPhone users: Settings app > Touch ID & Passcode
Android users: Settings app > Security > Screen lock
Consider turning on screen security
Unlocking your phone also means decrypting your messages. You can require one additional step to re-enter your password (or method of choice) before unlocking Signal.
Why might you want to do this?
It doesn’t happen every day, but unlocked phones are stolen in plain sight — while walking down the street, or on the train. Likewise, maybe you allow your son or daughter to entertain themselves on your phone, but you don’t want them to see the bizarre photos from your source.
iPhone users: Click Settings > Privacy > Screen Lock
Android users: Click Settings > Privacy > Screen Lock
Note that this wouldn’t be very helpful in a situation where someone compelled you to unlock your device once (e.g., at an airport). If they can have you enter your password at the operating system lock screen, there’s nothing to stop them from asking for it a second time at the Signal lock screen.
Turn on disk encryption
If your phone is ever lost, stolen, or seized, it’s possible to copy and read any data on the device, including your encrypted messages. The good news: You can easily protect your device with disk encryption.
If you use a modern iPhone, congratulations! Your device is already encrypted.
Many modern Android devices are encrypted by default (e.g., Pixel devices, some phones in the Nexus and Samsung Galaxy lines). Check your Android system settings for disk encryption to make sure disk encryption is enabled. If not, setting up disk encryption is easy.
Seeing a preview of an app in your app switcher is convenient, but if someone were standing over your shoulder, they’d be able to see your messages just fine. Signal gives you options to prevent a preview from being shown, unless you explicitly open the app.
iPhone users: Click Settings > Privacy > Screen Security
Android users: Click Settings > Privacy > Screen Security
Even when your phone is locked with a password, anyone who picks it up can still read the message and sender name from your lock screen.
iPhone users: Settings > Notifications > Show. To receive notifications with no information about the sender or the content of your messages, turn on “No Name or Content.”
Android users: Settings > Device > Sound & notification > When device is locked. To receive notifications with no information about the sender or content, click “Hide sensitive information content.”
Updates and defending against malware
We can’t be sure our messages are safe if your device or your partner’s device has malware. For example, many types of malware are designed to send screenshots of your messages, or recordings of conversations to a remote hacker. The single best thing you can do is stay on top of your software updates. Software updates usually include security patches for holes in your software, both for your operating system, Signal, and any other apps you have on your phone.
The temptation to delay security updates is real, but updates are among the most powerful defenses we have. We can make it much harder for an attacker to break in by simply updating as soon as possible.
Safest choice: Only use your mobile device
As we think about how to defend against malware and keep our devices updated, it’s important to understand where we choose to put our Signal messages. Signal offers a desktop application, but it’s safer to keep your messages only on your mobile device.
While your desktop device typically allows applications to talk to one another, ordinary Android or iOS devices deliberately isolate apps. These mobile operating systems require strict permissions for the data apps can access, and when. Compared to a desktop machine, this means malicious apps have a significantly more difficult time compromising your data on an updated mobile device.
Know the limits of end-to-end encryption
Now that you’ve locked down your device, it’s important to know that Signal is closely tied to your device and no one else’s. This is generally a good thing; you don’t want other people to be able to easily recover your Signal number or messages. But if you lose your device or purchase a new one, this might create short-term problems.
For example, only using Signal on your mobile device is a security win, but means you really need to avoid losing the phone. Likewise, the “registration lock” feature prevents others from taking your Signal number, but it would also prevent you from being able to re-register your number.
One reason we like Signal is that it does not hold onto metadata — information about who spoke to whom, when, and for how long. But it’s also not designed to protect against live metadata surveillance, so it doesn’t protect your identity. Likewise, it can’t protect the identity of anyone else you talk to.
We’ve spoken about the many ways our messages can be compromised, and what you can do to be safer. But even if you’re practicing great security hygiene, if your conversational partner isn’t also being careful, they can put your messages at greater risk. Encourage others in need to lock down their Signal as well.
For news organizations looking for more hands-on assistance with encrypted messaging tools and practices, contact the Freedom of the Press Foundation about their security training options.
This article has been cross-posted with the Freedom of the Press Foundation. Last updated November 9, 2018.