Phone lock/unlock security
Signal may be secure, but it is only as secure as the weakest link. The weak link could be someone in your group with a stolen unlock code. Once that barrier is passed, almost anything goes.
Sometimes the easiest way to be compromised is the most obvious. Entering a password in front of someone. Smart phones usually only use a six digit code. And the screen responds to your input with enlarged characters or a line drawn on the screen.
Don’t show your code. Unlocking your phone in full view of someone or a security camera may give away your password. Be aware in public and unlock it close to your chest.
Your smart phone is now the easiest way to access your most private information. Email. Phone records. Financial access. Passwords. Identity. And now Signal.
Two factor authentication is worthless if someone has access to your phone password. With it they can pretend to be you and change your passwords. Move your money into crypto. There is a whole mess of things someone could do to you with access to your phone.
DO NOT USE BIOMETRICS. Biometrics are using fingerprint and facial recognition to unlock your phone. With biometrics on, the police/feds are legally able to access your data by forcing your finger or face to the phone. The fourth amendment kicks in if they have to ask you for a password. (Watch the video below.) Yes, it is a hassle to enter a security code each time you use your phone, but the convenience of biometrics is not worth the risk.
But what we are concerned about is disclosing information about you and your friends. If the spooks don’t have access to your passwords, they may try to con their way into your Signal groups.
They can look up your cell phone number and then enter it on Signal to contact you, pretending to be someone you know. Once they gain your trust, they ask for an invite to one of your groups. You can nip this in the bud by making your phone number unsearchable on Signal in the settings. (Settings>Privacy>Phone Number (Change…) . Then the only way to look you up will be via an optional Username. It is a descriptive word created by you followed by a colon and number in your settings.
Even the Username can be subverted. AI can now imitate someone’s voice accurately enough to fool you into thinking you are talking to a friend asking for Signal acceptance over the phone. If you give them your Username, they’re in as a trusted friend.
Which leads us to another roadblock Signal uses to inhibit spammers and con artists. Acceptance. The first time someone sends you a direct message (DM), there will be an ACCEPT and a DENY button at the bottom of the screen. If you deny, they cannot send you any more messages.
Infiltrators and spooks don’t need to know what you are saying to others to find out about you. If they have access to just one activist’s information, they can find out who they communicated with, when they communicated, and where they were when the communication took place. That information is called METADATA. And if the application you use to communicate saves the metadata, then the spooks can recreate the spiderweb of contacts that make up the resistance. With metadata, the spooks know who to target without having to listen in on every conversation. Practically every social media application uses your metadata against you for advertising. If advertisers can access the data, the government can as well.
Signal does not use or store your metadata. All of your data is encrypted, and it is not stored on the servers. Lawyers have learned not to subpoena Signal for evidence, because there is nothing to be had.
If you are going to call or text someone, Signal is the best option if you both have it. Regular phone calls and texts have almost non-existent privacy. SMS (regular texting) doesn’t encrypt your messages, let alone hide your metadata. Email now encrypts your data in transmission, but the message encryption at the email server is dependent on the email provider. Gmail is not “free”. Your messages are mined for advertising.
If your data is available for sale, it is available for the next kangaroo court.
Meta (Facebook and WhatsApp) may be an easy way to “find” people of similar interests, but it is the worst in terms of privacy, spammers, and infiltrators. Other social media platforms are not much better. Signal is the gold standard and is designed from the ground up to be private.
Phone settings for security
Turn off message preview for a locked phone. If your phone is confiscated, and the Signal messages are displayed while the phone is locked, the feds don’t even need your password to see our messages. All they need to do is place a security camera in front of the locked phone to record all of its messages.
(iOS Settings>Notifications>Show Previews (when unlocked or never)
Android Settings>Notifications and Control Center>Sensitive Notifications (off), and Notifications on Lock Screen (Don’t show any notifications) or Security and Privacy>Notifications on Lock Screen (Don’t show notifications at all))
Back up your phone before you take it to a protest, if you take it. If things go sideways at the protest, reset your phone.
iOS System settings> General> Transfer or reset iPhone, reset
Android System>General Settings>Reset Options>Erase all data (factory reset))
This will wipe all your data (like new) off your phone. Afterwards you can restore the data from your backup. Be familiar with the procedure to wipe (erase) your data if you bring your phone to protests. Be aware that if things go sideways, the last thing on your mind will be to reset your phone. It’s sort of like expecting to put on your seatbelt before an accident.
Backing up your phone is usually done through your Apple account for iOS or your Google account for Android. Third party services are also an option.
When you first set up Signal on your phone, it will ask you if you want to add your phone book contacts to the Signal contacts list. Hopefully you opted out. By adding your phone contacts to Signal, it will use their real names instead of the profile name alias, potentially revealing a friend’s real name to an infiltrator.
Changing this if you opted in can be fixed in your settings. (FIX THIS NOW!)
On iOS go to Signal>Your Avatar(upper left corner)>Settings>Chats>Share Contacts with iOS (off) and Use Phone Contact Photos (off).
For Android go to Settings>Apps>Signal>Permissions>Contacts>Contacts permission (Don’t allow) and also in Signal Settings(Your Avatar)>Chats>Use address book photos (off).
Vetting
Be aware of the chat groups you are in. Some are vetted, some are not. Most are not, especially large ones. This should affect how you interact with the group. It’s easy to forget, or be unaware, of how many people are in the group, or if you know everyone in the group.
Why use these unvetted Democracy groups? They allow your organization to get the word out about an event. Instead of adding unknown people to your organization’s group to widen your notification circle, you can use the organization’s group for vetted member discussions. Use the Democracy groups to promote your activities, and attract new members.
Vetting new group members is best done face to face.
There have been some rumors about folks infiltrating Signal chats in Minneapolis in an attempt to dox folks, that is, to expose personal information of an individual online for physical harassment.
Best practices for Signal
Please don’t leave your profile name blank. It doesn’t help with security, and may make it worse if people don’t have a clue as to who is posting. Adopt an alias (profile name) and use a non-identifying avatar picture.
Avoid calling folks in chats by their actual name. If you do, please go back and delete. That doesn’t completely diminish the exposure, but at least it lessens it.
Signal has a feature called disappearing messages. Messages older than the set time will be deleted automatically and unavailable if your phone or computer was compromised. The Democracy groups’ messages are set to delete after a week. As the admin for a group or in a DM the set time is up to you. DMs are usually set to never disappear, but that is up to you and your security needs.
Direct messages (DMs) are more secure than group chats. Groups can be as temporary or permanent as you want. They don’t need to be announced. Add members as you are setting up the group and/or DM others who may be interested. It doesn’t need to be a “public” Democracy group invite. To create a group link or QR code, go to the Group’s Avatar next to its name. Do not post your group’s link on other social media. That is an easy way for an infiltrator to have access to your peeps.
Planning activities and invites are best done face to face. Even if it’s not as convenient, you know who you are talking to and what their body language is telling you.
Think about what you’re writing before you write. Don’t put any comment in the chat that suggests anything you wouldn’t want to defend out of context. Assume best intent from others in the chat. If someone says something that doesn’t seem right, ask questions before reacting negatively.
Avoid sharing other’s details with folks outside the chat. Some friend circles are deceptively big. In our everyday lives, many of us are connected via our social and professional networks and don’t know it. You never know if something you share might allow someone to connect the dots and expose one of us to potential trouble.
Again, welcome to our Signal group 🙂 Keep active!
Links to more Signal info:
https://support.signal.org/hc/en-us
Signal Support
https://www.confinity.com/blog/social-media-privacy-2025-platforms-trends
Social Media comparison
https://www.youtube.com/watch?v=1XJs5RfSgm4
Smart phone right to privacy.