This newsletter is a free publication by the Institute for Secure Activism (ISA), a 501(c)(3) nonprofit organization dedicated to promoting personal security for activists, advocates, and the organizations that support them. ISA provides training, workshops, education materials, technical solutions, and technical consulting to civil rights and social justice advocacy organizations focused on LGBTQIA+, BIPOC, and other marginalized communities. Please consider making a tax-exempt donation to support our mission.
Oh No Signal Spam?!?
So you’ve helped all your friends, family, and comrades make the switch to secure, end-to-end-encrypted, minimal-metadata, third-party audited, open-source, non-profit-managed messaging. But woe! You woke up this morning to find a spam message request in your Signal app!
A couple of things might have happened here.
- Signal, by default, allows other folks to find your Signal account using your phone number. Your phone number is probably on a list shared among spammers (this is quite common). Some enterprising yet scummy entrepreneur is trying all of the numbers on their list in Signal, just to see whether they can defraud someone through secure messaging!
- The same scammer is trying different possible Signal usernames at random, hoping for the same effect.
Usernames To The Rescue
Many of you new Signal users might now be saying “wait… what’s a Signal username?” Great question! A major complaint from the Signal user community is the requirement for a unique phone number for every new account. To help address this issue, Signal introduced usernames. You can give your Signal username to someone else and connect with them without having to share your phone number. We can probably all imagine situations where we might not want to share our phone number with someone.
Signal usernames give us the best of both worlds: they allow Signal users to maintain privacy, while the Signal Foundation can still limit account creation and reduce abuse on the Signal system. There’s no way for anyone to discover your phone number if you give them your Signal username!
Create Your Username
So how do we create a Signal username? Here’s what it looks like on Android (iPhone will be largely the same, just a slightly different way to get into your Signal Settings and Profile):
Note that a username must have both a text portion and a number portion… but you can edit both portions! Pick a long, unique username, and don’t worry too much about what you pick. You can change your username whenever you want without losing your existing Signal connections! No one you’re already in a conversation with will see when you change your username, either.
How does this help with Signal spam and privacy? Once you’ve set a username you can disable people’s ability to find you on Signal using your phone number. The Signal Foundation has an article about this. The summary is: in Settings > Privacy > Phone Number, set both “Who can see my number” and “Who can find me by my number” to “Nobody.” If you set a long, unique username along with these settings, your spam should drop significantly and your privacy will get a boost.
Message Securely
Remember that regular text messaging (SMS) is unencrypted and readable both by the cellular provider and the government. Facebook, Instagram, and Threads Messengers along with WhatsApp may technically be end-to-end-encrypted, but they collect an enormous amount of metadata (who, when, and where you message) and make it available to the government on demand. Telegram’s creators have concerning ties to the Russian government, the app has had multiple security issues over the years, and there’s never been a third-party inspection of the app’s security which showed good results. Right now, Signal continues to lead the security and privacy race in the world of messaging applications.
As always, thanks for subscribing and please send me your questions and comments! We’re all in this together.
We take care of us, we keep our community safe, we look out for each other. Go do good work!