A key part of what makes Signal the leading encrypted messaging app is its effort to minimize the amount of data or metadata each message leaves behind. The messages themselves are fully encrypted as they move across Signal’s infrastructure, and the service doesn’t store logs of information like who sends messages to each other, or when. On Monday, the nonprofit that develops Signal announced a new initiative to take those protections even further. Now, it hopes to encrypt even information about which users are messaging each other on the platform.
As much as it values privacy, Signal still needs to see where messages are going so that it can deliver them to the right account. The service has also relied on seeing what account a message came from to help verify that the sender is legit, limit the number of messages an account sends in a period of time to prevent it from spewing spam, and offer other types of anti-abuse checks.
But having access to metadata about the sender and recipient—essentially the address and return address on the outside of letters—offers a lot of information about how people use Signal and with whom they associate. Think of it as the address and return address on the envelope of a physical letter. So Signal’s developers created workarounds that will now allow the app to encrypt not just the contents of messages, but the identity of the sender.
“While the service always needs to know where a message should be delivered, ideally it shouldn’t need to know who the sender is,” Moxie Marlinspike, the creator of Signal, wrote on Monday. “It would be better if the service could handle packages where only the destination is written on the outside, with a blank space where the ‘from’ address used to be.”
Currently, Signal is testing this “sealed sender” feature in its beta release. Since the mechanism removes Signal’s ability to validate senders, the service is adding workarounds that still let users verify who sent incoming messages, and reduce their chance of receiving abusive content. Most importantly, Signal will only allow “sealed sender” messages to go between accounts that have already established trust, particularly by being in each others’ contact lists. If you block someone Signal has made cryptographic tweaks so they will still be barred from messaging you—even if you are in each others’ contacts.
Thanks to the change, if Signal is compromised, an attacker sitting inside the service will only see encrypted messages going to their destinations, and won’t be able to see where they came from. As “sealed sender” rolls out, users will be able to turn on a status icon if they want an indication of when messages have been sent using the scheme.
Sort of like open DMs on Twitter, Signal will also provide an option to receive sealed sender messages from anyone on the service, not just trusted accounts and contacts. “This comes at the increased risk of abuse, but allows for every incoming message to be sent with ‘sealed sender,'” Marlinspike writes.
“It’s a real step up,” says Johns Hopkins cryptographer Matthew Green. “The service will still reveal IP addresses, but those are probably not logged by Signal, whereas sender usernames probably were, at least for undelivered messages.”
Signal uses Amazon Web Services for hosting, and says that it is still working on finding a viable way to encrypt IP addresses and other metadata that could theoretically allow an attacker to perform certain types of user traffic analysis. And encrypted messaging still isn’t a magic bullet, especially if you leave message threads on your device. But Green emphasizes that every incremental step is valuable. The difficulty of developing the technical frameworks for these steps is one reason WhatsApp cofounder Brian Acton donated $50 million in February to support Signal’s development. The more of a barren data wasteland it is inside of Signal, the better.