Privacy by Design
Signal is published by the Signal Foundation and Signal Messenger LLC. These two not-for-profit organizations—based in Mountain View, California—were founded by Matthew Rosenfeld (aka ‘Moxie Marlinspike’) and Brian Acton. Together they continue the work started at Open Whisper Systems, one of Rosenfeld’s earlier start-ups.
The Signal application is free and open source. Anyone can review the source code. The source code for the Signal Messenging Protocol (SMP) was reviewed by a joint team from the German CISPA Helmholtz Center for Information Security, the Swiss ETH Zurich University, Cisco, and the Canadian University of Waterloo. They declared the code clean, the motives pure, and the encryption rock-solid. Signal is definitely secure.
But there’s a difference between security and privacy.
RELATED: What Is Signal, and Why Is Everyone Using It?
The Difference Between Privacy and Security
Privacy is about controlling your information and data, choosing who has access to it, and deciding what they can do with it. Security is one of the techniques that you can use to maintain your privacy.
The security provided by the SMP is so strong that other apps, such as WhatsApp, have adopted the Signal protocol to provide end-to-end encryption for their own products. But, although WhatsApp may be secure as far as the transmission of your messages goes, that doesn’t address any privacy concerns. The security of the protocol is completely unrelated to WhatsApp’s policy of data harvesting and data sharing. It’s those activities that affect your privacy, and it’s the gotcha that has catapulted WhatsApp into the public eye and the worst PR storm of its 11-year history.
WhatsApp harvests and logs data about you and your use of their app. The company stores this data—including your contact list, who you have contacted, the details of purchases you have made through the app, and your location when you use the app—on their servers. So although the delivery of your messages is secure, WhatsApp keeps a lot of private data about you. And WhatsApp is owned by Facebook.
By contrast, Signal holds virtually nothing on you. It stores the smartphone number you registered with, when you signed up to use Signal, and when you last used the service. That’s it. A phone number and two timestamps. So even if they’re hit with a subpoena, that’s all they can hand over to the authorities. Nothing about your messages, your location, or anything else.
Signal starts to make a lot of sense when you scratch the surface of how your data is often used as a commodity by other companies.
Installing Signal on Linux
There’s only one way to sign up for Signal, and that is through your smartphone. It works on Android phones and iPhones. So if you don’t have Signal installed on your smartphone, go and do that first. It must be working on your smartphone before you can use it on your computer.
Signal is available in the repositories for some Linux distributions. It is also available as a flatpak and a snap. We’ll install the snap on Ubuntu.
You can use the snap on Fedora too, but to cover all bases, we’ll demonstrate installing the flatpak.
On Manjaro, you can install it directly from pacman.
Starting Signal on the Desktop
Press the “Super” key on your keyboard. This is usually between the “Control” and “Alt” keys at the bottom left of the keyboard. Type “signal” into the search bar. You’ll see the Signal icon.
Click the icon to launch Signal.
Before you can use Signal on your computer, you need to link it to the Signal app on your smartphone. The desktop client displays a QR code. You need to scan this code with your smartphone from within the Signal app. (The QR code in the below screenshot isn’t a real Signal QR code.)
Below the QR code are brief instructions for Android phones and iPhones.
On your smartphone, open the Signal app and tap the menu button.
Tap the “Settings” entry in the menu.
Tap the “Linked Devices” option.
You’ll see a list of the devices you have already linked to this Signal account. Tap the blue “+” button to add a new device.
The Signal QR code scanner appears.
Scan the QR code in the desktop client. When the QR code has been read and decoded, you’ll be asked whether you’re sure you want to link the device to your Signal account.
Tap the blue “Link device” text. On the desktop client, you’ll be asked to provide a name for the device.
Click the “Finish Linking Phone” button when you’ve typed in the name you want the client to be known as. This is the name that will be listed in the “Linked devices” list on your smartphone. It doesn’t have any effect on your identity within Signal.
Signal will sync your contacts and message groups from your smartphone. Note that it doesn’t pull through existing chats and messages. Only messages that arrive after the desktop client is linked to your Signal account will appear in the client.
When it has finished, it will display them in its main client window. If you prefer dark mode, click File > Preferences > Dark.
Now, Signal is all ready for you to send private and secure messages straight from your computer.
Unlinking the Desktop Client
If you want to, you can remove the desktop client from your Signal account. You can do that from your smartphone or from the desktop.
On your smartphone, tap the menu button > Settings > Linked Devices, then tap the linked device that you wish to remove. Tap “OK” in the small pop-up box.
If you’d rather break the link from the desktop client, click File > Preferences > Clear Data.
Security and Privacy From the Desktop
Messaging apps are great. But when you’re sitting at a computer, it can be more convenient to have the app on your desktop so that you’re not switching back and forth between your computer and your smartphone.
Now you can enjoy Signal’s security and guaranteed privacy and a real keyboard.