Setting Up Signal
Signal is a secure messaging platform that utilizes end-to-end encryption. Participants should have already been through a mobile application settings review and added secure lock screens, to ensure that their device is now ready to use with a program like Signal.
Benefits of Signal include the fact that they do not store your messages on their servers, participants can set their conversations to "self-destruct" and users can customize what information (contact name, message preview) is available on their phones lock screen.
About This Lesson Plan
Review date: June 6, 2017
Lesson duration: 15-30 minutes
What will participants learn?
Participants will learn why encrypting messaging is important and easy to set up. They will install Signal, learn how to set and review their privacy settings, verify safety numbers, and explore some of the application's advanced features.
What materials will participants need?
Smartphone: iPhone or Android
How can the trainer prepare?
Two excellent resources on how and why journalists are moving to Signal:
- Martin Shelton on Signal for Beginners
- Cybersecurity for the People: How to Keep Your Chats Truly Private With Signal (The Intercept). This lesson draws from both.
Review the Glossary to think about how you want to explain encryption to the group.
Read Signals, Intelligence for a good critique of some of the things Signal doesn't protect users against.
Additional readings that will help prepare the trainer for questions that come up: Martin Shelton, Jillian York, and Micah Lee all have great walk-throughs on using Signal without giving out your phone number.
Discussion: Why would you want to encrypt calls and text messages? What does it mean to send them in cleartext?
Remind folks that, in addition to keeping their own conversations private, by using encrypted messaging, they can normalize the use of encrypted messaging, which makes it safer for vulnerable people to use encryption without standing out.
Note: this lesson would be much stronger with a better explanation of who does have access to cleartext SMS, and under what circumstances. We'd love it if you wanted to submit an issue with some resources or readings that do a good job of articulating this.
The conversation should include some review of what Signal can protect (messages traveling over the network) and what it can't protect (messages are still stored on your phone, so anyone who is able to unlock your phone has access to them.)
Real questions that users might have: who actually has access to your text messages? The answer is a bit complex. While it is relatively trivial for someone else to read messages sent in cleartext over a public wifi network, messages sent from your phone over the cell network are not as easily intercepted. However, your phone company does have access to the contents of all of your cleartext SMS messages, which means they can be subpoenaed or otherwise acquired by local police, the FBI, or the NSA. It is relatively well documented that the NSA has, historically, swept up phone records in bulk. And that's just inside the US. Around the world, privacy protections can vary widely. And as long as privacy protection is legal, and not technical, individuals are vulnerable to changes in the law or to government overreach.
If you're sure you don't mind the FBI reading all of your text messages there are still good reasons to encrypt them:
- You might change your mind. And by using Signal now, you can ensure that it is there, and working, when you decide you need it.
- Other people need it. The more people there are who use software, the easier it is to use. That's because the simple act of using a tool like Signal effectively creates community around that tool.
- Privacy should be normal. If democracy activists and vulnerable journalists are the only ones encrypting their text messages, their communications stand out. But if everyone encrypts the boring stuff -- the 25 message exchange about who is bringing what to a holiday meal, the back and forth about what time to meet or the dressing room photo of a questionable coat -- then we all clear the way for vulnerable users to use encryption without standing out.
- You never know when you might find yourself working on a story where the risk of a subpoena is higher than usual. By making some small shifts now, you can ensure that the next time you find yourself thinking "I should probably not be sending this in cleartext" your next thought is "oh, right, I'm not. :)" instead of "Ack, what was that app?"
These screenshots reflect the iOS install process.
Start by downloading and installing Signal. Visit https://signal.org for quick access to the most current download links.
Android users: Signal will offer to become your default messaging app. Say yes! You can still use Signal to send cleartext messages to contacts who don't use the app, and you won't miss messages.
You'll know that you've set Signal up correctly when you see the Welcome! popup. You can allow the system to access your contacts and send you notifications. (NOTE: in the newest version of iOS, it is possible to continue without giving access to your contacts)
The steps are very much the same. Signal will offer to become your default messaging app. Say yes! You can still use Signal to send cleartext messages to contacts who don't use the app, and you won't miss messages.
If you do integrate your SMS with Signal messages, you can always long press on the send icon to send cleartext messages to other Signal users (useful when you don't have data but do need to communicate by text.)
Additional privacy and security settings
iPhone users: click the white settings gear in the upper left corner to access privacy settings for Signal
In the Privacy tab, you can see and change:
- Numbers you've blocked
- Whether or not to show message previews when you switch apps.
- whether or not you want Signal calls to be integrated with iOS calls (shown on lock screen, show caller's name and number, show in the phone's call history)
- whether or not to relay calls through Signal's server to avoid revealing your IP address to the person on the other end (which can reveal your location).
- You can also clear all history logs in Signal (all messages, attachments, call history)
In the Notifications tab, you can select whether or not to show the sender's name and message, just the sender's name, or no name or message in your push notifications.
You can also decide how long to keep messages after you've read them.
- Select a name in a conversation, which will bring you to the contact information and conversation settings.
- There you can enable a setting called "Disappearing Messages," which allows messages to disappear after they have been read. You can set the timer to any length from 5 seconds to 1 week.
Activity: 10-15 minutes
Verifying contacts and sending messages
- Ask participants to pair up with a neighbor and exchange phone numbers.
- They can practice finding a contact on Signal, sending a message, setting it to disappear, and verifying that it was sent securely. (On Android devices, they will see a lock icon and a pair of checkmarks. On iPhones, messages will simply display the word "sent" and "delivered")
- Each participant should practice Veryifying one another's Safety Numbers. The EFF has a nice walk-through of that process for Android and iOS.
- If users are not in the same space, they can check verification numbers using a separate channel, such as a phone call, iMessage, Facebook message, Twitter DMs, etc.
- When composing a message, users can click the paperclip icon to attach photos, videos, gifs, and documents to a message. Sending attachments through Signal is secure and encrypted, and does not automatically save a copy to the mobile device.
Creating group chats
- Pairs should pair up in groups of four to set up group chat. A mix of OSs helps here but isn't necessary.
- To create a group chat, select the Compose icon, then select the Group icon.
- Name the group chat, then add multiple contacts who are also Signal users.
- Android users will immediately see who else is in the group and what the group is named, even before you send the first message. iPhone users may not.
- You cannot delete a group once you have created it, but any member can leave the group at any point.
Note: we'd love to know what kinds of questions come up for participants when you lead this session. Feel free to submit an issue and share your experience.
Remind participants that each conversation is only secure as the most insecure member of the conversation. Signal is a tool that has good options to protect both sides, but if a journalist is using Signal with a source who doesn't have a secure passcode or has left message previews exposed on their lock screen, the conversation may still be exposed.
Similarly, the journalist should take as many steps and precautions a possible to protect their sources by encouraging their sources to read guides on using Signal (such as this one, or the ones linked for trainers above).
Links in the news
- How To Keep Your Chats Truly Private With Signal
- Martin Shelton on Signal for Beginners
- Cybersecurity for the People: How to Keep Your Chats Truly Private With Signal (The Intercept).
More great lesson plans