Signal is enjoying a surge up the app charts at the moment, as people flock from Facebook-owned WhatsApp, amid uncertainty about how much WhatsApp data is being fed to the mothership.
Signal is laying it on thick with the privacy message. The app is listed as Signal Private Messenger. “Signal’s advanced privacy-preserving technology is always enabled,” the first paragraph of its Google Play Store listing reads.
“Privacy isn’t an optional mode — it’s just the way that Signal works,” it adds in the next paragraph. OK, we get it. Put down the sledgehammer.
Except… there’s a Signal feature that’s not very private at all: when you first sign up, it broadcasts to all of the people in your phone book that you’ve joined Signal.
Signal — like WhatsApp — uses your phone number as your identifier. When you sign up for the service, it sucks in your phone book so that it can identify other Signal users you might want to chat with.
But that makes the rather large assumption that everyone in your phone book is a trusted contact. My mobile phone contacts include people I’ve worked with fleetingly (i.e. PRs who helped with a particular story in my job as a journalist), tradespeople who’ve done work on my home, even subjects of articles I’ve written in the past, so that if they manage to get hold of my mobile phone number, I know it’s them who’s calling.
That doesn’t mean I want these people sent a notification that I’ve joined Signal, but I have no choice in the matter — it’s done automatically. You can stop receiving notifications that contacts have signed up, but you cannot stop it sending out alerts that you’re now on the app.
Isn’t this a massive oversight for an app that uses the word ‘privacy’ roughly every six seconds?