Signal and protests

Every time that protests break out somewhere in the world, very similar discussions about the Signal application on mobile phones break out. These discussions are based on some people giving recommendations, and other people spreading reports about things they have heard or experienced. I wanted to write down a few notes about these things to have them in one simple place. Basically, this post will cover whether Signal is safe for use at protests and if so, how to do it. It will also cover some of the more common objections, and finally there are some notes about the concept of mobile phones in general, and whether they are appropriate in a protest setting.

There are a few things I will not specify in this post - I am talking about protests in general. Who the target of those protests is is not relevant for this discussion, but in order to understand your threats properly, you do have to think about the adversaries and their resources. In this post, I will talk about adversaries in general, and assume that they have as many resources as imaginable. In some cases I might qualify discussions around adversary power.

As with everything related to security, having a proper threat model is crucial. And when participating in or organizing a protest, this is extremely important. There are many things that can go wrong, and I can't overstress how important it is to think about all aspects.

That said, let's jump into it.

What is Signal

Signal is primarily a messaging application that runs on mobile devices. It allows you to send text messages, voice messages, make phone calls and video calls. It also supports groups. All of these methods are always encrypted, using the same protocol as the basis for communication. It is not possible to send unencrypted data using Signal. Further, the Signal application is open source, which means that anyone who wants to, can inspect the source code implementing the application.

Signal currently requires you to use a phone number to activate its service, and phone numbers are also the primary means of connecting to new people.

There are in fact many mobile applications that are in roughly the same space. Among these are Wire, Wickr, WhatsApp, iMessage, Telegram and many more. What sets Signal apart is the focus on open source, the quality of the cryptographic protocols and implementation, and the singular focus on security. For these reasons, Signal has become the recommended application of choice for security conscious individuals.

Common questions, ideas and misconceptions about Signal

You will hear many different ideas and theories about Signal. These have a tendency to spread wildly, and it quickly becomes hard to judge where a story originated, and whether there's any basis for it at all. There are a lot of rumours out there. Two of the most common ones are that Signal has been compromised and is not safe, and that if you use Signal, you are safe. The second one is certainly not true, but I'll come back to that in a while. The first one is a bit more complicated to answer. So, let's do a deep dive into what Signal being compromised would mean. Note that I am not considering any alternatives that are outside of the control of Signal for this discussion - I'll cover those problems later in this article.

Technically, there are really four different ways you could argue that Signal is compromised. The first one is that there is a problem with the Signal protocol, and an outside party could use this weakness in order to gain access to information they shouldn't have access to. The second alternative is that there is a bug in the implementation of the application. If this happened, it could lead to for example the protocol not being as strong as it should be, but it could also lead to a weakness where someone could exploit the application and get it to reveal data or run unwanted code. The third alternative is that there exists a backdoor in the implementation. In practice, this case is very similar to the previous case, and has the same consequences. Finally, the fourth vulnerability is that someone has access to the servers used, and that this access reveals useful information to an adversary. Let's go through these and look at the implications and likelihood of each one:

Now, about the fourth vulnerability. For getting to the content of the messages, there are a few ways this could happen - one is that the protocol doesn't do what it's supposed to do, and what we think it does. In that case, that would strictly be the first vulnerability. Having access to the servers would make things easier, but it wouldn't be sufficient to exploit this vulnerability. Another way would be if there is a way for the server to change the public keys for a person. However, if that were to happen only from the server side, then there would be notifications to contacts about the change in public key. The only way that this could be achieved would be if there was a mistake or a back door in the implementation that allowed the server to bypass this warning. So for this possibility, either vulnerability two or three is actually the real vulnerability. Finally, it is possible that having access to the server can allow an adversary to track metadata - such as who you talk to, who your contacts are, when you talk to someone, and so on. But once again, the current implementation tries to shield this information. So if it's possible to get it, that would require a weakness in the implementation or the protocols. Basically, as far as I can tell, having access to the servers doesn't actually give you very much on its own, so we can discount it for now.
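A simplified model of the client-side check this argument relies on, added here as an illustration and not Signal's own code: the client pins the first identity key it sees for a contact and reports any later key that differs, which is why a server acting alone cannot swap a key unnoticed. The class, function and contact names and the SHA-256 fingerprint are assumptions of this example, and the sample keys are constructed.

```python
import hashlib
import hmac


def fingerprint(identity_key: bytes) -> str:
    """Short digest two people can compare out of band (simplified)."""
    digest = hashlib.sha256(identity_key).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, 24, 4))


class IdentityStore:
    """Hypothetical client-side pin of each contact's public identity key."""

    def __init__(self):
        self._pinned = {}       # contact -> pinned public key bytes
        self._verified = set()  # contacts whose fingerprint was compared in person

    def mark_verified(self, contact: str) -> None:
        if contact not in self._pinned:
            raise KeyError(contact)
        self._verified.add(contact)

    def check(self, contact: str, key_from_server: bytes) -> str:
        """Return 'first-use', 'match', 'changed' or 'changed-verified'."""
        pinned = self._pinned.get(contact)
        if pinned is None:
            # Trust on first use: nothing to compare against yet.
            self._pinned[contact] = key_from_server
            return "first-use"
        if hmac.compare_digest(pinned, key_from_server):
            return "match"
        # The pin is NOT updated here: the user has to be told first.
        return "changed-verified" if contact in self._verified else "changed"

    def accept_change(self, contact: str, new_key: bytes) -> None:
        """Called only after the user has seen the warning."""
        self._pinned[contact] = new_key
        self._verified.discard(contact)  # verification must be redone


def demo() -> list:
    alice_key = bytes.fromhex("05" + "11" * 32)    # constructed sample key
    substituted = bytes.fromhex("05" + "22" * 32)  # constructed replacement key
    store = IdentityStore()
    results = [store.check("alice", alice_key), store.check("alice", alice_key)]
    store.mark_verified("alice")
    results.append(store.check("alice", substituted))  # server hands out a new key
    results.append(store.check("alice", alice_key))    # pin was left untouched
    return results


if __name__ == "__main__":
    print(demo())
```

The first-use case is the weak point of any pinning scheme, which is why comparing fingerprints over a separate channel matters for contacts you depend on.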

What about problems with the protocols? The core Signal protocol, which includes the key exchange and the double ratchet algorithm for deciding how to create the initial connection between two Signal instances, and how to generate the keys moving forward, has received a significant amount of analysis. And while the protocol is (as always in security) a compromise between security, efficiency and simplicity, no one has been able to find any serious problems with it - certainly not the kind of break that would allow an adversary to intercept, read or send messages and have them look real to the other party. The key exchange doesn't provide as strong deniability properties as I would like, for example - but that doesn't imply anything for the security of the core protocol. The primitives used, and the composition of them, are fairly straightforward and are generally well regarded by cryptographers.

And what about the other protocols used, then? Well, the group protocol is really just an extension of the one-to-one protocol. Once again, some security properties are not there, or not as strong as I would like, but fundamentally, there doesn't seem to be a way to break it without breaking the one-to-one protocol. However, this protocol has not received as much attention as the core protocols.

The protocols used for contact discovery are a bit more unclear and haven't received as much research either. So, in the worst case, it could be possible that metadata about contacts could be accessed by an adversary, although even this is very unlikely.

What about backdoors or bugs in the implementation? To answer this, we first need to look at how Signal is delivered to end users. Most people will install the application from either Google or Apple. While the application itself is open source, and anyone can read the implementation, there exists no good way to verify that what you install on your phone is actually the same source as what exists in the source code repositories. Thus, it would be possible for someone to insert a backdoor in the process of publishing, that wouldn't be possible to identify from the source. This could be the original application creators or it could be Google or Apple. When it comes to unintentional implementation bugs, that is always a danger and always a possibility. However, since the protocol is fairly simple, the people that implement it are experienced and good at what they do, and many people have looked at the source, it's less likely that a serious implementation bug exists in the source. And if it did, an adversary would likely have to use targeted exploitation in order to have any use for it.

Because of all the above reasons, I would argue that Signal is probably safe enough. It is my opinion that it is, on average, better than the alternatives. And while we can never exclude some of the possibilities above, they are also possibilities for all other messaging applications, and those have additional risks associated with them.

There are two weaknesses in Signal that I do find uncomfortable - the first one is the reliance on phone numbers for activation, and the second is the centralization of services used for it. But even with these problems, I still find Signal safer than the alternatives.

So why do these stories keep cropping up - these stories that say Signal is compromised, or that one of their friends was busted because of using Signal, or any of the other variations? Well, it happens for a few different reasons. First, because Signal is currently the best option, it receives more negative attention as a consequence. It is also a fact that there are many interests around the world that want to make people less comfortable with encrypted applications, and want us to move to alternatives that are easier to control.

But the most common reason why these stories keep coming up - in my opinion - is because people are generally extremely bad at root cause analysis. They see something going wrong, and they associate it with Signal. But there are many ways that a situation can go bad, and Signal being compromised is only one of many alternatives. Other alternatives include the presence of infiltrators in your group, hacking into your phone in some other way, someone in your group talking over other channels or leaking information by mistake, or even good guesses from the adversary based on GPS or other more general information. All of these alternatives will almost always be significantly more likely than Signal being compromised. An adversary will usually not try to crack good encryption - they will try to go around it.

So, for anything you do, please stop worrying about Signal as the weak link in your security. For almost all cases, it will not be a problem - many other things are more important to prioritize first. Threat model your situation and think about it holistically. But also, see the next section.

Mobile phones at protests

While Signal is really almost as secure as you can make a messaging application for a mobile phone, there is still a very big caveat in this discussion - and that is the mobile phone itself. In many ways, a mobile phone is not a safe environment to run secure applications on, and Signal can only be as secure as the surrounding environment.

Should you really bring your phone with you to a protest? This is a complicated question. Purely from the perspective of security, it's usually not a good idea. However, not bringing a phone is also not sustainable in many ways - you will end up needing to communicate with your friends and contacts, you might need to film or photograph violence or police actions and so on. But it's definitely true that having a phone will increase your risk.

Now, I was planning on writing a longer section here on what to think about with regards to phones and protests, but Micah Lee at The Intercept already did something quite similar while I was writing this, so take a look at his article here: https://theintercept.com/2020/06/15/protest-tech-safety-burner-phone/ - it doesn't cover everything about how to stay anonymous, but it contains a lot of useful information to think about, especially from a US perspective.

As always with security, it's a trade-off. You have to think carefully about the alternatives and possibilities, and then make choices based on this.