WhatsApp’s privacy policy update has kicked up a storm recently. According to the new policy, the popular messaging app will share user data such as location, battery level, IMEI number, mobile network and related information with its parent company, Facebook. Later, WhatsApp was forced to issue a clarification saying the messages between the users will not be shared with Facebook.
Notably, the WhatsApp policy remains unchanged in Europe, thanks to the stringent General Data Protection Regulation (GDPR).
The new policy changes have broken people’s trust in the app. Many are looking for a better and more secure replacement, and Signal App seems to be the popular choice. Unlike other instant messaging apps, Signal only stores the users’ contact info. Further, all messages and calls on the app are end-to-end encrypted, meaning no third party, not even Signal, can access them.
Signal Foundation and Signal Messenger LLC, a non-profit company, rolled out its flagship app in 2014. Ironically, Signal Foundation was set up by WhatsApp co-founder Brian Acton with Signal Messenger CEO Moxie Marlinspike. Acton had exited WhatsApp in 2017, three years after Facebook acquired the messaging app.
Brief History
After the new WhatsApp terms were made public, SpaceX and Tesla CEO Elon Musk tweeted ‘Use Signal’. And Twitter CEO Jack Dorsey retweeted Musk.
The app was also endorsed by privacy activist and whistleblower Edward Snowden.
Signal is a one-tap install app available on Google Play Store and Apple’s App Store. The software powering the app is open-sourced and free of charge.
In 2010, Whisper Systems launched two Android apps: TextSecure and RedPhone. While TextSecure was for sharing encrypted text messages, the latter was for making encrypted voice calls. In 2011, Twitter bought Whisper Systems, and both apps were released as open-source software.
In 2013, Moxie Marlinspike, co-founder of Whisper Systems, exited Twitter and set up Signal to further develop TextSecure and RedPhone. Later, Acton joined hands with Marlinspike to establish the non-profit under the same name.
How Does Signal Maintain ‘Perfect Secrecy’
Most apps’ encryption systems create a permanent key pair for encryption and decryption of messages. The public key is used to identify the user and is sent to the messaging server, and the private key stays on the user’s phone. If the private key is compromised, through a hack or theft, the messages are vulnerable to decryption.
Signal’s encryption protocol combines the Double Ratchet algorithm with a triple Elliptic-curve Diffie-Hellman handshake.
The sender and receiver use the Double Ratchet algorithm to exchange encrypted messages based on a shared secret key. A new key is generated for every message, and the earlier keys cannot be figured out from the succeeding ones. This property is also called perfect forward secrecy. At the core of this algorithm lies the concept of a KDF (key derivation function) chain. A KDF is a cryptographic hash function that uses a secret random key and input data to generate the output. The secret key is derived from a secret value such as a password or a passphrase using a pseudorandom function.
Further, along with the double ratchet algorithm, the two parties also use the extended Triple Diffie-Hellman (X3DH) key agreement protocol. X3DH provides forward secrecy and cryptographic deniability. This protocol is used for establishing a shared key between the sender and receiver, who authenticate each other using public keys.
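The KDF chain described above can be sketched as follows. This is an added example, not Signal's code: it models only the symmetric chain (no Diffie-Hellman ratchet, no X3DH), uses HMAC-SHA256 with the input constants 0x01 and 0x02 that the Double Ratchet specification recommends, and starts from a constructed shared secret where the real protocol would use the X3DH output. All function and class names are hypothetical.

```python
import hashlib
import hmac

MESSAGE_KEY_INPUT = b"\x01"  # KDF input that yields a per-message key
CHAIN_KEY_INPUT = b"\x02"    # KDF input that yields the next chain key


def kdf_step(chain_key: bytes) -> tuple[bytes, bytes]:
    """One ratchet step: return (next_chain_key, message_key)."""
    message_key = hmac.new(chain_key, MESSAGE_KEY_INPUT, hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, CHAIN_KEY_INPUT, hashlib.sha256).digest()
    return next_chain_key, message_key


class ChainRatchet:
    """Keeps only the current chain key; each step overwrites the previous one."""

    def __init__(self, shared_secret: bytes):
        self.chain_key = shared_secret

    def next_message_key(self) -> bytes:
        self.chain_key, message_key = kdf_step(self.chain_key)
        return message_key


def keys_from_state(chain_key: bytes, count: int) -> list[bytes]:
    """Message keys derivable, going forward, from a captured chain key."""
    ratchet = ChainRatchet(chain_key)
    return [ratchet.next_message_key() for _ in range(count)]


def demo() -> dict:
    # Constructed secret for the example (assumption: stands in for X3DH output).
    shared_secret = hashlib.sha256(b"constructed demo secret").digest()
    sender, receiver = ChainRatchet(shared_secret), ChainRatchet(shared_secret)
    sent = [sender.next_message_key() for _ in range(6)]
    received = [receiver.next_message_key() for _ in range(6)]
    # Model device state captured after three messages have been processed.
    captured = ChainRatchet(shared_secret)
    for _ in range(3):
        captured.next_message_key()
    derived = keys_from_state(captured.chain_key, 3)
    return {
        "in_sync": sent == received,                   # both sides derive the same keys
        "all_distinct": len(set(sent)) == len(sent),   # a new key for every message
        "later_keys_exposed": derived == sent[3:],     # chain alone does not heal
        "earlier_keys_exposed": any(k in derived for k in sent[:3]),
    }


if __name__ == "__main__":
    print(demo())
```

The captured chain key yields the later keys of this chain but none of the earlier ones, which is the forward secrecy property; the Diffie-Hellman ratchet of the full algorithm, omitted here, is what replaces the chain key with fresh key material.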
However, perfect forward secrecy on its own is not a foolproof strategy. In the event of theft, the messages would still be visible to whoever has the device. To that end, Signal App has added a time-bound ‘disappearing messages’ function.
Wrapping Up
Signal App’s popularity soars every time there is a public discourse around privacy and security. For example, in 2020, the downloads spiked at the peak of the Black Lives Matter movement.
However, to think Signal will topple WhatsApp as the most popular messaging app is a bit of a stretch, considering WhatsApp still commands an impressive user base of over 2 billion people. Still, it is good to see that privacy is being taken seriously, and who knows, Signal’s protocol may even become the industry standard in the future.