Cost of admission: What info do you give away when signing up for a new private messenger?
Signing up is a critical moment whenever you start using a new service, and sometimes it can feel like signing a deal with the devil — how much are you sacrificing to start sending messages securely? And when you’re making an account on a (supposedly) private messenger, it can feel like this is all defeating the point.
Account systems, especially in messengers, are important. Usually, your account is also your messaging address — it’s how your friends can find and contact you.
On that note, let’s take a look at what it takes to sign up for some of the most popular private messengers: what information you give up when you sign up, and what that means for you.
Private messengers that need a phone number: Signal, Whatsapp, and Telegram
Signal, WhatsApp, and Telegram all require an active phone number to create an account. We’ve covered the pitfalls of phone numbers again and again — they contain a treasure trove of information about you, so exposing your phone number is really bad news for both your privacy and anonymity. Ideally these services are handling your phone number with care, not just sharing them with anyone who asks nicely, although WhatsApp has landed in some hot water for leaking user phone numbers.
In the case of Signal, your phone number is encrypted — although phone numbers are still the primary way to look up a new contact, so your phone number will often be exposed to the people you’re talking to.
Telegram gives you the option to hide your phone number from other users and use a pseudonym instead. This is an improvement, because it means you don’t have to expose your phone number to everyone you want to message.
Signal hasn’t implemented a system like this just yet, so users are stuck using phone numbers to make contact with people. Signal does let you set a profile, including a pseudonym and profile picture, but the people you’re messaging can still see your phone number, which is a thumbs down for privacy.
But Signal still shines when it comes to security, it allows you to use a PIN to lock the registration of your phone number. Like we said before, the list of issues with phone number security is quite long, but at least the PIN feature helps protect your Signal account from SIM swapping and phone number recycling. Your PIN means an extra level of verification is required when connecting a new device to a Signal account. Now, your phone number being compromised doesn’t necessarily mean your Signal account will be too.
This is a good additional security measure. However, the fundamental issue remains — you still have to expose your precious digits at sign-up, and that introduces risk for anyone looking to use Signal, Telegram, or WhatsApp.
Private messengers that don’t need your info: Wickr, Threema, Riot, and Session
When we forked Signal to build Session, one of the major things we set out to do was anonymise the account system.
You don’t need to give up any information when you create a Session ID — you’re just creating a private-public key pair. You do choose a pseudonym which will be displayed when you send someone a friend request — but this nickname has nothing in common with your real identity (unless you want it to, of course). And soon you’ll also be able to anonymously assign a unique name to your Session ID using the Loki Name System.
The Swiss messenger Threema also uses a private-public key pair to create your account.
Wickr and Riot let you sign up using a pseudonymous username — no email or phone number required. They do, however, give you the option to link your phone number (or your email, in the case of Riot), if you want to make it easier for friends (and other interested parties) to find you.
No matter what you’re signing up for, it’s important to keep in mind what information is being asked of you. Sometimes it’s your name, maybe your date of birth, your postcode, your phone number, email, the first street you lived on, your childhood best friend, or your mother’s hairdresser’s second cousin’s first dog’s middle name.
It might seem like this information is harmless, or perhaps even necessary. But always make sure to ask yourself: is it?
Depending on your threat model, giving away your phone number might be OK. But those ten digits contain a lot of information, so you should consider very carefully whether the weaknesses of phone numbers might punch a gigantic hole in your security.
Session Release Roundup #13: It’s all about the UX
September 16, 2021
Why are phone numbers a privacy problem?
September 14, 2021
On the recent Australian surveillance legislation
September 09, 2021
Deleting messages and time-to-live: This message will self-destruct in…
September 06, 2021
Contact discovery: Finding friends without foes
August 09, 2021