Signal’s catch 22 problem?

I have been introducing Signal to friends as a proper alternative to WhatsApp. It's mainly been OK, but my friend Hannah has hit a catch-22 problem. In her own words…

Signal should be a great app. It’s secure, easy to use and even my most skeptical and tech-suspicious friend uses it. But since I forgot my pin, I’ve not been able to get onto the app, not been able to reset my account or even been able to delete my account to start again!

I did email to get some advice about this problem but what I got back (after nudging to get a response) wasn’t really helpful. Apparently, you can reset your pin once you’re in the app but since I don’t know my pin, I can’t get into the app to reset the pin I don’t know. I also need to be in the app to delete my account. So basically, in order to access the information I need, I need the information I need. And yes, I did query the logic of this advice but it was just repeated to me!

This is really frustrating because even after deleting the app and waiting 7 days as suggested, the problem remains. In fact, I’ve done this a few times, waiting longer periods and it still hasn’t worked. Signal is effectively holding my phone number hostage, not allowing me to use it to create a new account or access the numerous messages I’m informed I’m missing (through other less secure – but at least reliable – platforms).

I get that not revealing my pin to me is a security thing but to be honest, it seems daft that I can’t even reset that pin using other means. For example, Signal already texts me a confirmation number when I try to sign in – surely this is enough to know that I’m the owner of the phone? They also have my email address.

If I really can’t reset my account, I would be more than happy to delete the current account and start over again. But until there’s a way for me to do this without entering the app in the first place, I’m stuck in limbo.

I’ve sent one last email to try and sort it out… fingers crossed!

If anyone has a solid answer as to what Hannah can do, that would be massively helpful. Even I'm lost as to what she can do now.

Signal, what are you up to?

I love Signal and never used WhatsApp because of many reasons included in this great opinion piece. It's gotten better and better, but the recent PIN number is a worry. I'm not the only one.

“Notably, things we don’t have stored include anything about a user’s contacts (such as the contacts themselves, a hash of the contacts, any other derivative contact information), anything about a user’s groups (such as how many groups a user is in, which groups a user is in, the membership lists of a user’s groups), or any records of who a user has been communicating with,” Signal wrote in 2016.

That, according to critics, has now changed.

“They should have a dumb network that knows nothing because it can’t be compromised then,” The Grugq told Motherboard. “[Having contacts] is a lot. It isn’t messages, sure. But I don’t like it. I don’t want them to have anything. Make the networks dumb and the clients smart.”

I do understand why they have done it, but I don't know where it's going next. Marlinspike (head dev of Signal) replies.

Marlinspike defended the decision to enable PINs and give users a way to migrate to a new device and keep certain data, and will increase the security of users’ metadata, “new features Signal users have been asking for.”

“The purpose of PINs is to enable upcoming features like communicating without sharing your phone number. When that is released, your Signal contacts won’t be able to live in the address book on your phone anymore, since they may not have phone numbers associated with them,” Marlinspike told Motherboard. “For most users, this also increases the security of their metadata. Most people’s address book is syncing with Google or Apple, so this change will prevent Google and Apple from having access to your Signal contacts.”

[Image: Smartphone use. Photo by Gilles Lambert on Unsplash]

The changes Signal has made show how there can be a tension between messenger usability and feature set and security. It’s too early to say whether you should stop using the messenger. For most users’ threat models, it’s still one of the best options. But one of the key things that set Signal apart, that it collects almost no information about its users, appears to be changing.

Convenience is the enemy of security and, I would say, privacy. I wouldn't be surprised if Signal gets forked.

It was always clear to me that Twitter direct messages were never secure in any way, hence why I tried to move private conversations over to another medium. If that's not email or Signal, what else? Recently I have been looking at a couple of others…

Session, which is decentralised messaging, and Criptext, which is actually secure email. Both need work but have decent security.