Librarian of Things

Mita Williams. Her blog.

How I use Signal (and Why)

§1 Get clear on OPSEC and use Signal

I’m unsure how many people know about the messaging app Signal.

I suspect that more people know about Signal than the other software that I’ve previous profiled on my blog in this How and Why series largely because of the actions of one man: Mike Waltz.

Because of this ridiculous and disturbing story, some readers might already know that Signal is a messaging app that offers end-to-end encryption for privacy — which means that the only people who can read a message are the sender and the receiver. Of course, this feature can’t help you if you invite the wrong person into your group chat.

It also begs the question:

MIT Technology Review: With the recent news that the Atlantic’s editor in chief was accidentally added to a group Signal chat for American leaders planning a bombing in Yemen, many people are wondering: What is Signal? Is it secure? If government officials aren’t supposed to use it for military planning, does that mean I shouldn’t use it either? The answer is: Yes, you should use Signal, but government officials having top-secret conversations shouldn’t use Signal. Read on to find out why.

Here’s an excerpt of the answer from the MIT Technology Review:

Why is it a problem for government officials to use Signal?

Signal is very secure—as we’ll see below, it’s the best option out there for having private conversations with your friends on your cell phone.

But you shouldn’t use it if you have a legal obligation to preserve your messages, such as while doing government business, because Signal prioritizes privacy over ability to preserve data. It’s designed to securely delete data when you’re done with it, not to keep it. This makes it uniquely unsuited for following public record laws.

You also shouldn’t use it if your phone might be a target of sophisticated hackers, because Signal can only do its job if the phone it is running on is secure. If your phone has been hacked, then the hacker can read your messages regardless of what software you are running.

This is why you shouldn’t use Signal to discuss classified material or military plans. For military communication your civilian phone is always considered hacked by adversaries, so you should instead use communication equipment that is safer—equipment that is physically guarded and designed to do only one job, making it harder to hack.

(The Citizen Lab is a source of information if you would like to keep up to date with the ongoing threats of state-sponsored communications hacking. State sponsored hacking is much more prevalent than you might think. )

This blog post will go into why I use Signal and how you could as well.

Please understand that I am recommending this software for your personal use and not as a means to circumvent your institutional and public obligations. I would like to add the caveat that it is up to you to assess and determine if your threat model requires more secure technology.

§2 I use Signal because the alternatives are terrible

The official website for Signal is https://signal.org/

At the bottom of this are the links from which you can download Signal for your device that is running Linux, Android, iPhone & iPad, Windows, and Mac.

What some readers might not know is that because Signal is open-source, to allow more eyes to ensure that the there is no malicious code or vulnerabilities within its code base. Because of this feature, there are Signal clones that exist in the world.

You probably shouldn’t use a Signal clone for your private messages:

Aug 10, 2025 
Here's my talk about UNBELIEVABLE INCOMPETENCE from the highest levels of the Trump Administration, for DEFCON 33! 
I gave this talk August 9, 2025, in Las Vegas. 
https://defcon.org/html/defcon-33/dc-33-speakers.html#content_60363

In March, former national security advisor Mike Waltz accidentally invited a journalist into his war crimes Signal group with other senior Trump officials. “We are currently clean on OPSEC,” secretary of defense Pete Hegseth posted to the group. In May, Waltz was photographed clandestinely checking his Signal messages under the table during a cabinet meeting. Only it turns out, Waltz was actually using a knock-off of Signal called TM SGNL. Immediately after that, TeleMessage (the company that makes TM SNGL) was hacked, and the hacker was able to access plaintext Signal messages. It was then hacked again, and the second hacker exfiltrated hundreds of gigabytes of data before TeleMessage took its service offline. This talk is about the entire Signalgate saga: the journalist getting invited to the Signal group; Trump officials lying to Congress; the history of TeleMessage, which was founded by a former Israeli spook; an analysis of the TM SGNL source code that proves the company lied about supporting end-to-end encryption; the trivial exploit that was used to extract data from TeleMessage’s archive server; and an analysis of hundreds of gigabytes of memory dumps full of chat logs from TeleMessage customers.

Also…

You definitely should not trust Elon Musk with your private messages on X. DMs were encrypted for a short time. Now they are not.

Posted May 28, 2025 at 7:58 PM EDT 4Comments (All New) J Jay Peters X’s encrypted DMs are being put on pause. The company is pausing the feature “while we work on making some improvements,” according to a post. X, then Twitter, launched encrypted DMs in May 2023, but they had some limitations.

Also: Do not trust Facebook for handling your private messages.

October 19, 2022 The Office of the Attorney General issued a consumer alert in June 2022 about protecting your data privacy when seeking an abortion. We have now seen this play out in real life, as a Nebraska woman’s Facebook messages were used to charge her with multiple felonies for seeking an abortion. Stories like these confirm the importance of data privacy. While abortion remains fully legal in the District, consumers and those seeking abortions should be aware of how others may use their data, and they should take steps to protect themselves and their data and privacy as much as possible. To learn more about steps you can take, review our June 2022 consumer alert and, in particular, be aware of the risks of sending or receiving sensitive information—including about accessing abortion—by email, text message, or messaging app. If you do need to discuss sensitive information in texts or online messages, use a secure, encrypted messaging app. Apps like Signal use end-to-end encryption, a method that uses cryptography to ensure that when messages pass through an intermediary, like a server, they are encoded and unreadable. Once the message has been sent, it can only be read by the intended recipient, who has the private decryption key needed to decode the message. This is important because, as in the Nebraska case, if a platform is served with a valid search warrant, it is required to turn over whatever they have. If the message is encrypted as it passes through the intermediary, the only thing the platform can send to law enforcement is the encrypted text—which is useless without the private key. WhatsApp does currently offer secure end-to-end encryption for messages. Before you download any app, OAG recommends you look into what data the app collects from you and how that data is used. This article lays out some of the benefits and potential concerns for the most popular encrypted messaging app. Additionally, if you need to send or receive sensitive information through social media, check if the platform you are using allows end-to-end encryption and enable it if you can. If it is not an option, consider using a platform that does allow encryption. For example, the Facebook Messenger app (but NOT the general Facebook app or the Facebook website) allows users to create end-to-end encrypted chats, but you must opt-in to encrypted messages for every chat individually, and it can only be used when the recipient is also using the Facebook Messenger app. Instructions for how to opt-in for each chat can be found here for iOS and here for Android.

You should use Signal.

Signal looks like a regular message app. It has all the features you would expect. On the surface, it behaves just like a regular app that you can use to send dumb gifs to your sister.

Unlike previous ventures in secure telecommunications, there are no encryption keys that you are required to safeguard until the end of time.

It works.

§3 : The threat model for the rest of us: someone might leak the receipts of the group chat

If you are journalist, you should use Signal for delicate situations.

But realistically, for the rest of us, the threat model that we should worry most about is the group chat where we share too much of worst selves with friends who then, months or years later, are no longer our friends. They could leak the group chat. It happens. It also happens with family. And at work.

Using Signal cannot prevent you from putting in writing what you might later regret, but it does offer some features that might mitigate the chance of harm. Of note, Signal allows for you to set your messages to disappear after a certain amount of time.

Of note, Signal does not have a feature that allows notification that others have screen-captured that message that looks terrible out of context. The app only has the ability to set it so that you are unable to screen-capture your own Signal app. While this does not appear to be particularly useful for protecting yourself from the weakest link in the unhinged group chat, the functionality exists to prevent other apps on your phone from secretly capturing your activity within Signal from the likes of …. Microsoft.

Signal says no to Windows 11’s Recall screenshots A new update for Signal’s Windows app will help users dodge Recall’s screenshots, but could cause other problems. by Umar Shakir Umar Shakir May 21, 2025, 6:16 PM EDT

§4 Hey, I just met you and this is crazy / Here’s my Signal username / Call me maybe

I subscribe to The Verge because they have great articles like, How to maximize your privacy using Signal calls and chat. It begins:

When I first started using Signal, I would connect with friends using our phone numbers. Now, I use Signal to find people to interview for stories, which is why some of my social media posts and articles include a note telling folks how they can reach me on the app.

Needless to say, I’d rather not plaster my phone number all over the internet. So it’s a relief that Signal lets you create a username in order to keep your phone number private. Other people can find you on the app using that username, and they won’t be able to see your phone number. (By the way, if you’re a current or former worker for a federal science agency and want to connect, you can reach me on Signal at bqe210.91.) Even if you’re not a reporter, it can be easier to exchange a short username with someone rather than a phone number.

You can keep it mysterious and call yourself whatever you want

In Signal, you actually use two different names: a profile name and a username. As we’ve discussed, the username is what others search for on the app to find you. Once you start messaging each other, they’ll see your profile name. If your username is very different from what people usually call you, you can take this opportunity to use a nickname or real name. Or you can keep it mysterious and call yourself whatever you want.

This is a good time as any to remind ourselves that while Signal allows for more private communications, the use of Signal requires a phone number.

It’s also worth mentioning that Signal is not designed for anonymity. Your Signal account is registered with a phone number, so unless you register using a cash-bought burner phone or an online throwaway number, you’re not anonymous. If you lose control of the phone number used to register your account, someone else could hijack your account. That’s why it’s extra important, if you use an anonymous number to register your account, that you enable the “registration lock” feature.

Signal Fails Zine

§5 Using Signal to keep others safe

I posted this image on Instagram some months ago. (I am not a purist.)

Hey friends. Did you know that Signal app has an automatic face blur function? It’s more useful when publishing photos with young children or folks in the background than for selfies.

If you can’t read the small print in the image, my caption reads:

Hey friends. Did you know that Signal app has an automatic face blur function? It’s more useful when publishing photos with young children or folks in the background than for selfies.

Another use case is when you want to take a photo of a protest while trying to minimize potential harms to the protesters involved.

Right now, people around the world are marching and protesting against racism and police brutality, outraged by the most recent police murders of George Floyd and Breonna Taylor. At Signal, we support the people who have gone into the streets to make their voices heard. We believe that something in America needs to change, and even if we don’t know exactly how, we support and trust in the people who are self-organizing around the country to figure it out. Many of the people and groups who are organizing for that change are using Signal to communicate, and we’re working hard to keep up with the increased traffic. We’ve also been working to figure out additional ways we can support everyone in the street right now. One immediate thing seems clear: 2020 is a pretty good year to cover your face.

To learn more about how to use Signal as a tool for social change, I would recommend Micah Lee’s Using Signal groups for activism that was published in June of this year. Lee has worked for the EFF and The Intercept, and he co-founded the Freedom of the Press Foundation.

Things are heating up. Millions of people are taking to the streets against Trump’s rising authoritarianism. Communities around the US are organizing to defend against ICE raids, to protest Israeli genocide, for mutual aid, and for other forms of fighting fascism. Signal can help people safely organize in all of these contexts.

Signal groups, in particular, are more powerful than you might be aware of, even if you already use them all the time. In this post I’ll show you how to:

  • Turn an in-person meeting into a Signal group using QR codes
  • Manage large semi-public groups while still vetting new members
  • Make announcement-only groups, perfect for volunteer networks rapidly responding to things like ICE raids

§ coda

Lawyers need to know how they can best maintain the privacy of their clients.

That is why on Monday, I’m giving a short presentation about Signal to the students, faculty, and staff of the Faculty of Law at the University of Windsor.

If you or your library have also given workshops on Signal, I’d love to know.

Fediverse Reactions

Mita Williams

Leave a Reply

Your email address will not be published. Required fields are marked *