Signal Is A Truly Private Chat App Ideal For Protestors (#GotBitcoin?)
Signal, the encrypted messaging app, is seeing record numbers of downloads amid the pandemic and nationwide protests. It might make sense for you, too. Signal Is A Truly Private Chat App Ideal For Protestors (#GotBitcoin?)
Signal Is Having A Moment
The pandemic drove unprecedented sign-ups on the encrypted messaging app, as people started communicating more online. Then, nationwide protests over police brutality prompted another round of records. Signal saw about one million downloads world-wide in May, according to analytics firm App Annie.
Protesters have flocked to the app. Even though people who organize and participate in protests are protected by the First Amendment, they often seek secure communication, out of caution. And if they do get into legal trouble, Signal is designed to limit the information the messaging service can give to the authorities.
That is what initially attracted privacy die-hards to Signal. In a 2015 talk, the app’s creator, Moxie Marlinspike, declared, “Privacy is at an all-time low, and surveillance is at an all-time high.” Signal was intended as the antidote.
In the intervening years the app has grown in popularity, with 32.4 million installs, according to data analytics firm Sensor Tower. It also has become a very useful, albeit bare-bones, messaging app. While Signal isn’t one of a kind— Facebook Inc.’s WhatsApp and Apple Inc.’s iMessage have similar end-to-end encryption—experts say Signal is the most secure.
If you aren’t already on Signal, you might be wondering: Should I be? This guide will help you answer that.
What Exactly Is Signal?
It’s a messaging app. It’s also a technology—Signal’s encryption protocol is used by platforms such as WhatsApp, and it is open-source, which allows any security researcher to scrutinize its code for flaws and verify that the encryption is as secure as Signal claims.
How Does End-To-End Encryption Work?
Encryption turns your messages and calls into a string of gibberish. Only the intended recipient is able to decrypt the message—no one else, not even the app’s maker. In fact, end-to-end encryption is so secure that it has drawn the ire of government officials, who say encrypted messaging apps make it difficult to track down criminals.
Even if you aren’t a criminal or concerned about government surveillance, there’s a strong argument for using encryption. It protects you from malicious actors keen on intercepting business secrets or credentials, as well as companies wanting to serve you personalized advertising.
Just remember, encryption doesn’t prevent a message’s recipient from taking a screenshot or passing it along, or from someone seeing your messages by gaining access to your phone. (Always use a strong passcode.)
What Can I Do On Signal?
You can send text and audio messages to individuals or groups, and make one-on-one voice or video calls over the internet or a data connection. Everyone involved must be on Signal.
There are mobile apps for Android, iPhone and iPad, as well as desktop apps for Mac, Windows and Linux. There is no support for Chrome OS on Chromebooks.
Over the past year, the app has added a number of fun features, including GIFs, stickers and emoji reactions. (Signal Stickers is a large repository of community-made designs.)
Recently, Signal introduced a blur tool, which can be used to obscure faces or sensitive information on documents. To use it, tap on the camera icon from the main page of the app. Take a picture or select a photo from your library, then tap the checkered-circle blur icon.
How Can I Make Signal Messages Even More Private?
Disappearing messages: Select a conversation, and tap your contact’s name. There you can set a time between five seconds and one week, after which viewed messages will automatically delete.
View-once media: This mobile-only feature automatically removes a photo or video from a conversation once it has been viewed. From the main app page, tap the camera icon. Take a photo or select one from your library. At the bottom left of the screen, tap to switch the infinity-symbol icon to the “1x” icon.
Signal PIN: This prevents someone else from registering your phone number on Signal, an attack known as SIM swapping. Tap on your profile icon (top left), then Privacy, then enable Signal PIN.
Is Signal Really Better Than Whatsapp And Imessage?
Both WhatsApp and iMessage offer end-to-end encryption by default, and it’s likely you already use at least one of them. So is Signal the superior app? Yes…and no.
Signal’s core mission, privacy, is evident throughout the design of the app. For example, when someone initiates a video call on Signal, your video isn’t automatically turned on when you pick up. You accept the call, then turn on your camera.
The app also doesn’t log much information (metadata) about the nature of the messages themselves. “Signal makes it a point to keep as little data as possible while still being able to provide service,” said Lujo Bauer, professor of computer science at Carnegie Mellon University.
In a recent blog post, Mr. Marlinspike boasted that the only data the U.S. government was able to obtain from a 2016 grand jury subpoena was the date of an account’s creation and the date of last use, nothing else.
WhatsApp, on the other hand, tracks things like who you contacted and when, said Prof. Bauer. A spokeswoman said Facebook doesn’t provide WhatsApp data to law-enforcement agencies retroactively—the company only shares the transaction log data collected after it receives a valid legal request.
Apple also retains some metadata from iMessage (aka the Messages app). When you enter a phone number to message someone, Apple verifies whether the number is iMessage-compatible. A date and time of that lookup, along with the phone number, is saved for 30 days, then deleted. An Apple spokeswoman said Apple can’t determine if any communication took place—only whether a user looked at a contact or initiated an iMessage.
While that might not seem like much, metadata can easily serve as evidence. “Just knowing who the contacts of a target are can expand an investigation,” said Mary Fan, a law professor at the University of Washington.
Cloud backups, while convenient, are yet another potential vulnerability with popular apps. Media and messages stored in the cloud aren’t protected by end-to-end encryption on either WhatsApp or iMessage.
All Signal data is stored locally, which means when you buy a new phone, you need to manually transfer your old Signal messages over.
Because Signal isn’t owned by a tech giant and is backed by a nonprofit foundation—with $50 million from WhatsApp co-founder and Facebook ex-executive Brian Acton—it likely won’t ever show you ads.
Why Wouldn’t I Use Signal?
For starters, WhatsApp and iMessage have far more features. To name a few: temporary location sharing, which is useful for meetups, and group video chat—up to 8 on WhatsApp and 32 on Apple’s embedded FaceTime service.
Signal also doesn’t have those apps’ massive user base. WhatsApp has two billion users and Apple has sold nearly two billion iPhones. Your friends and family are more likely to use those companies’ messaging services. “I often find that whatever is the most convenient for people is what they’re most likely to use successfully,” Prof. Bauer said.
In other words, WhatsApp and iMessage are still more private and secure than plain SMS text messaging, and if that’s where your contacts are, then they are still a good option.
Tech Firms That Spy On Your Location Join Government In Pandemic Fight
The industry was under fire from privacy advocates, but now officials are using it to monitor populations as the economy reopens.
While an undergraduate at the University of Virginia, Joshua Anton created an app to prevent users from drunk dialing, which he called Drunk Mode. He later began harvesting huge amounts of user data from smartphones to resell to advertisers.
Now Mr. Anton’s company, called X-Mode Social Inc., is one of a number of little-known location-tracking companies that are being deployed in the effort to reopen the country. State and local authorities wielding the power to decide when and how to reopen are leaning on these vendors for the data to underpin those critical judgment calls.
In California, Gov. Gavin Newsom’s office used data from Foursquare Labs Inc. to figure out if beaches were getting too crowded; when the state discovered they were, it tightened its rules. In Denver, the Tri-County Health Department is monitoring counties where the population on average tends to stray more than 330 feet from home, using data from Cuebiq Inc.
Researchers at the University of Texas in San Antonio are using movement data from a variety of companies, including the geolocation firm SafeGraph, to guide city officials there on the best strategies for getting residents back to work.
Many of the location-tracking firms, data brokers and other middlemen are part of the ad-tech industry, which has come under increasing fire in recent years for building what critics call a surveillance economy. Data for targeting ads at individuals, including location information, can also end up in the hands of law-enforcement agencies or political groups, often with limited disclosure to users. Privacy laws are cropping up in states including California, along with calls for federal privacy legislation like that in the European Union.
But some public-health authorities are setting aside those concerns to fight an unprecedented pandemic. Officials are desperate for all types of data to identify people potentially infected with the virus and to understand how they are behaving to predict potential hot spots—whether those people realize it or not.
That is giving data-collection companies a chance to revive their battered public image.
“When you’re sharing your location data, you’re sharing it to potentially be part of an overall bigger solution that could potentially save someone’s life,” said Mr. Anton of X-Mode, which says it collects location information from about 30 million devices a month in the U.S. “I believe there will be a wide swath of the population that will consent to that.”
Journalists identified dozens of local governments and agencies that are employing or considering using data from companies that market tracking information, particularly as businesses reopen.
Tracking A Pandemic From Your Pocket
Tech companies that harvest user location data from smartphones are supplying that information to governments trying to get a handle on how communities are behaving during the coronavirus pandemic. Here’s how the technology works:
Apps that want to know where you are, say, to deliver a local weather forecast or navigate a mall, sometimes include software from location-tracking companies.
The companies collect information such as your latitude, longitude as well as sometimes speed and direction, along with a unique advertising ID tied to your phone.
That information is stored in a massive database of every breadcrumb of movement for each device, sometimes with advertising IDs obfuscated to make it more difficult to determine the original number.
This is a slice of one of those databases, from Reveal Mobile Inc. Every dot is the location of a mobile device in San Francisco during a single hour on Jan. 31, 2020.
Over a 24-hour period, the data reveals the movement of those devices.
People can be seen moving through downtown San Francisco…
…crossing the Bay Bridge…
…and walking in Golden Gate Park.
Contractors and clients will sometimes get the full data set to visualize, and sometimes they get only aggregated data, showing averages for local data, say at the level of a census block group, which generally include between 600 and 3,000 people.
Some companies are marketing dashboards that summarize the data and generate analytics on hotspots.
Some of these tools allow users to focus on devices that were spotted at specific points of interest, for instance showing where people who gathered in Golden Gate Park later traveled.
Some of the tech companies, including X-Mode and Skyhook Wireless Inc., have supplied detailed location data to federal-government contractors or to agencies such as the Centers for Disease Control and Prevention, according to people familiar with those deals.
These efforts are distinct from an unusual partnership between Apple Inc. and Alphabet Inc.’s Google unit to build an infrastructure to help notify people who have been close to others known to be infected with the virus. That project is one of several, including some spearheaded by universities, that rely on apps that users must find, download and activate before they start collecting data.
By contrast, the data being offered by location-tracking companies usually don’t come from a dedicated app. Instead those companies rely on stores of information they have already collected—and continue to collect—from millions of devices running unrelated mobile apps to which users have granted permission to access their locations.
For privacy reasons, Apple and Google have said they won’t allow the exposure-notification apps using their system to access location services on users’ phones. Some local officials say it makes them less useful for tracking population movements or finding hot spots.
That is paving the way for other data providers to rush in.
Researchers at the University of California, San Francisco, are using data collected from “smart” thermometers made by the private company Kinsa Inc. to track flare-ups of fever around the San Francisco-area, said George Rutherford, a professor of epidemiology, who is advising the California Department of Public Health.
Mr. Rutherford said he and his colleagues, in advising the state’s health department, are also considering other data that companies have been posting free online. When the virus first began to spread in the U.S., Mr. Rutherford turned to data from OpenTable, the restaurant-reservation company, to track where residents of San Francisco were gathering. By the end of February, there were far more vacant seats at restaurants in San Francisco than in Los Angeles and New York, as more people stayed home.
Foursquare launched in 2009 as a social-media darling, allowing users to share their locations with friends and check in as the mayor of their favorite dive bar. Realizing the potential for selling its data, it pivoted to providing location-based services for other apps, such as AccuWeather Inc.
Foursquare collects data from about 25 million devices globally through location check-in apps that it runs, such as Swarm, or dozens of apps that it partners with that it doesn’t disclose.
Less than six months ago, Foursquare was publicly calling for increased regulation, saying it was needed to restore trust in the location-tracking industry.
Now the state of California is using Foursquare data, among other governments Foursquare declined to disclose, for pandemic response.
The data provided by Foursquare is “helping us deliver the right messaging in different jurisdictions,” said Ali Bay, a spokeswoman for the California Department of Public Health. The state says it is accessing free data from Foursquare that tracks population movement on an aggregate, rather than an individual, level.
A Foursquare spokeswoman said it only collects data from users who have apps with location services turned on. “We are proud of our reputation for being a responsible, trusted partner, and we hold ourselves to a high standard,” a Foursquare spokeswoman said.
Antonio Tomarchio, who founded location-tracking firm Cuebiq in 2016 for marketers, is offering several sets of aggregate data free, including the tracking system used by the health department in Denver. Mr. Tomarchio declined to comment on other governments and institutions using its data.
While “the data can be extremely valuable,” Mr. Tomarchio says the company works to make sure users’ privacy is protected.
Mr. Anton, the founder of Washington, D.C.-based X-Mode, first got the idea for Drunk Mode in 2013, after receiving a phone call from an inebriated friend. Users could activate the app to block the ability to call certain numbers for a set period. Later features aimed to help people party more safely, such as by offering a way to track a friend, hail a car, or retrace their footsteps from the night before if they were too drunk to remember.
Early on, the company cycled through business models. At one point, they tried selling a gadget called the Wine Rack, a sports bra with a straw and a bladder to hold a beverage. In 2015, the company began selling data and later offered its software to build into other apps.
X-Mode says it now collects detailed location information from more than 300 apps, such as weather and navigation apps, many of which need users’ location to function well. X-Mode pays the developers of those apps to integrate its tracking software into their designs.
Mr. Anton says X-Mode has been pushing apps that include its software to insert pop-ups that more prominently notify users that their location data may be used for tailored ads and research.
The company doesn’t disclose the apps’ names, citing mainly the risk of tipping off competitors.
Some apps disclose in their privacy policies, however, that X-Mode is built into them. One such app is What The Forecast?!!, a weather tracker that delivers local conditions using curse words.
X-Mode then licenses access to its data sets to other businesses, typically ad-tech companies selling targeted ads, investors looking to analyze business trends or app developers interested in knowing what places their users frequent.
During the pandemic, X-Mode has emerged as among the more prolific location-data providers. The company’s data fed a partnership with Tectonix, a Maryland-based data-visualization company, to produce graphics showing the impact of social distancing—or the lack of it.
One of the visualizations, which Tectonix posted on Twitter, shows its dashboard zooming down into a cloud of orange dots crowding a beach in Fort Lauderdale, Fla., during spring break. The posting then shows the results of what it calls a “spider query” to show how devices on that beach later traveled across the country—with their owners potentially spreading the new coronavirus.
The charts went viral on Twitter.
“The phone started ringing that Saturday across the board, and it hasn’t stopped really ringing, which has been great,” X-Mode’s Mr. Anton said.
Like some other data providers, X-Mode is offering free one-month subscriptions to its Covid-19 data to researchers and nonprofits on a data exchange operated by Amazon. The company has also advertised a commercial 12-month subscription to its “COVID-19 Daily Geolocation Data” in the U.S. for $600,000, according to a posting on the exchange.
In New York City and other cities and states, officials have considered a “Pandemic Management Platform” from the Covid Alliance, which integrates X-Mode data to display aggregated information about population movements in the city, a Covid Alliance spokesman said. A spokesman for New York City confirmed the talks but said no commitment has been made.
Officials could, for instance, use the system to visualize which residential communities are home to many people who work in nursing homes, which it would determine by looking at the nighttime locations of phones that visited the facility every day, a Covid Alliance representative said.
“Everything is a little bit of a privacy trade-off. But in general we do privacy trade-offs every single day in the course of our normal business of life,” said Stephen Levin, a New York City Councilman in Brooklyn. “Nothing I’ve seen so far is any more of a trade-off than taking an Uber.”
X-Mode also has a deal to provide location data to San Francisco-based OmniSci, which is pitching analysis and mapping services using that information, as well as data from other providers, such as SafeGraph, to federal and state authorities. OmniSci says its analyses could help officials identify potential virus outbreaks as the country reopens.
Todd Mostak, OmniSci’s chief executive, recently let a Journal reporter watch as he used his system to filter X-Mode data from five million devices to focus only on those that had spent at least 24 hours in a Florida hospital over the last two weeks of March. Mr. Mostak then drilled down to show which points of interest those phones had visited earlier in the month, including major attractions like Walt Disney World and minor ones, like a large supermarket in Fort Myers, which the data indicated had been visited by 12 of the devices.
“You can kind of determine what the transmission vectors are for the disease and potentially shut down hot spots you might not otherwise be able to see,” Mr. Mostak said.
He added that his company is working on a way to automate such analyses so that they spit out only lists of establishments and their risk scores, making it harder to identify individuals.
X-Mode says it contractually bars its partners from using its data to identify individuals.
Debates over the use of such data have flared up among local government officials nationwide—particularly in cities and counties that have never had to rely on outside companies to track their residents, and are now scrambling to secure contracts.
In Kansas, tensions broke out among state lawmakers and privacy advocates when it was revealed in late March that the state was using public data from the New York-based firm Unacast to track residents.
“The wholesale collection of cellular and GPS data raises significant privacy issues,” wrote the nonprofit Kansas Justice Institute to Gov. Laura Kelly, according to a copy of the letter.
Unacast chief executive Thomas Walle said the company doesn’t give Kansas direct access to its raw data, and that its public data couldn’t be interpreted beyond anonymized and aggregated insights at the state and county levels.
Phunware Inc., an Austin-based enterprise software company that typically builds location-aware tools for companies and organizations, has been bullish on the potential for apps and location data to help the country reopen. The company, which built the new app for President Trump’s re-election campaign, says it can help governments “identify emerging hot zones,” by cross-referencing the location histories of devices belonging to people that governments know to be infected with the histories of devices belonging to other people, according to a presentation viewed by journalists.
The company’s prices for the system range from $42,500 a month to $120,000 a month, depending on how many mobile devices it covers, the presentation showed.
Alan Knitowski, Phunware’s CEO, said in interviews that the company has won a deal to build a “smart city” app for Pasadena, Texas, a suburb of Houston, aimed at helping the city come out of coronavirus lockdown. The app will collect residents’ locations initially to allow the city to send localized alerts and recommendations about new outbreaks, Phunware executives said. The city said it plans to keep using the app for other emergencies, too.
“When you have a global pandemic, privacy will destroy your attempts to resolve the problem,” says Mr. Knitowski.