📲 “Still Signal-ing You Out”: How Phone Numbers on Encrypted Apps Can Expose Your Identity
Freedom of the Press Foundation’s Digital Security Training team has published a revealing article that scrutinizes a major blind spot in Signal's otherwise robust privacy design: its continued reliance on phone numbers as unique user identifiers. While Signal is widely praised for its end-to-end encryption and minimal data retention, this report urges users and developers not to overlook how phone numbers can still leak sensitive information—putting journalists, activists, and at-risk users in danger.
🔍 The Phone Number Problem
Signal, like many other secure messaging platforms, asks users to register with their phone number. While this may seem harmless or even convenient, the report explains how this approach can inadvertently expose users in multiple ways. For instance:
-
Contact Discovery: Signal checks your phone contacts to see who else is using the app. This allows others with your phone number to instantly know you're on Signal—even if you never directly contacted them.
-
Risk to Anonymity: If you're trying to remain anonymous (e.g., as a whistleblower or sensitive source), your phone number could directly link your real-world identity to your Signal profile.
-
Network Mapping: Adversaries or surveillance actors could build a network map by analyzing which phone numbers are registered with Signal—revealing connections between people or identifying members of specific groups or organizations.
-
Burner Numbers Aren’t Enough: Even using a secondary or “burner” phone number isn’t a foolproof strategy. If that number has ever been linked to your identity or patterns of use, your privacy could still be compromised.
-
.
🛡️ What's Being Done — and What You Can Do
The report acknowledges that Signal is aware of this issue and has rolled out features like usernames and phone number privacy settings, which allow users to hide their number from others or prevent unsolicited discovery. However, these features are not yet enabled by default and still require proactive configuration.
The authors recommend that Signal and other encrypted communication apps move away from phone numbers altogether as primary identifiers. They advocate for alternatives such as random user IDs or opt-in username systems—changes that would be more inclusive and safer for vulnerable populations.
In the meantime, users are encouraged to:
-
Use separate, non-personally identifiable numbers for Signal if anonymity is important.
-
Adjust Signal’s privacy settings to limit who can discover or message you.
-
Stay updated on platform changes and advocate for more privacy-forward defaults.
.
🔗 To dive deeper into how phone number identifiers can compromise your privacy—and how to protect yourself—read the full blog post by the Digital Security Training team at Freedom of the Press Foundation here.
