A key part of what makes Signal the leading encrypted messaging app is its effort to minimize the amount of data or metadata each message leaves behind. The messages themselves are fully encrypted as they move across Signal’s infrastructure, and the service doesn’t store logs of information like who sends messages to each other, or when. On Monday, the nonprofit that develops Signal announced a new initiative to take those protections even further. Now, it hopes to encrypt even information about which users are messaging each other on the platform.
As much as it values privacy, Signal still needs to see where messages are going so that it can deliver them to the right account. The service has also relied on seeing which account a message came from to verify that the sender is a legitimate, registered account, to rate-limit how many messages an account can send in a given period so that it cannot spew spam, and to run other anti-abuse checks.
But having access to metadata about the sender and recipient, essentially the address and return address on the envelope of a physical letter, reveals a lot about how people use Signal and with whom they associate. So Signal’s developers created workarounds that will now allow the app to encrypt not just the contents of messages but also the identity of the sender.
“While the service always needs to know where a message should be delivered, ideally it shouldn’t need to know who the sender is,” Moxie Marlinspike, the creator of Signal, wrote on Monday. “It would be better if the service could handle packages where only the destination is written on the outside, with a blank space where the ‘from’ address used to be.”
Currently, Signal is testing this “sealed sender” feature in its beta release. Since the mechanism removes Signal’s ability to validate senders, the service is adding workarounds that still let users verify who sent incoming messages and reduce their chance of receiving abusive content. Most importantly, Signal will only allow “sealed sender” messages between accounts that have already established trust, in particular by being in each other’s contact lists. And if you block someone, Signal has made cryptographic tweaks so that they are still barred from messaging you, even if you are in each other’s contacts.
Thanks to the change, if Signal is compromised, an attacker sitting inside the service will only see encrypted messages going to their destinations, and won’t be able to see where they came from. As “sealed sender” rolls out, users will be able to turn on a status icon if they want an indication of when messages have been sent using the scheme.
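To make the mechanism described above concrete, here is a small Python model, added for this edition and not code from Signal or from the original article. It models the pieces the preceding paragraphs describe: the outer envelope carries only the destination plus a delivery token derived from a secret the recipient shares only with contacts (a stand-in for Signal’s profile key), the sender’s identity rides inside the ciphertext with a server-issued certificate so the recipient can still verify it, and blocking is modelled as rotating that secret and re-sharing it with everyone except the blocked account. The user, server and key names, the HMAC stand-ins for signatures and public-key encryption, and the toy cipher are all assumptions made for illustration.

```python
"""Toy sealed-sender model. Added illustration, not Signal's code or wire format:
HMACs stand in for the server's signature and for public-key encryption, and the
SHA-256 keystream cipher is for readability only, never for real use."""
import hashlib, hmac, json, secrets

def kdf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + kdf(key, nonce + ct)  # encrypt-then-MAC

def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, kdf(key, nonce + ct)):
        raise ValueError("bad tag")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

class Server:
    def __init__(self):
        self.users, self.tokens, self.inbox_keys = {}, {}, {}
        self.signing_key = secrets.token_bytes(32)
        self.log = []  # everything an attacker inside the service could observe

    def issue_sender_certificate(self, uid: str) -> dict:
        # The sender authenticates with its own credentials to get this (not modelled).
        return {"uid": uid, "mac": kdf(self.signing_key, uid.encode()).hex()}

    def verify_sender_certificate(self, cert: dict) -> bool:
        # Stands in for a client-side check against the server's public signing key.
        return hmac.compare_digest(cert["mac"], kdf(self.signing_key, cert["uid"].encode()).hex())

    def deliver_sealed(self, env: dict) -> bool:
        self.log.append({"to": env["to"], "ciphertext_len": len(env["ciphertext"])})
        # Anti-abuse gate that never learns the sender: only holders of the
        # recipient's current profile_key can derive a valid delivery token.
        if not hmac.compare_digest(env["token"], self.tokens.get(env["to"], "")):
            return False
        self.users[env["to"]].inbox.append(env["ciphertext"])
        return True

class User:
    def __init__(self, uid: str, server: Server):
        self.uid, self.server = uid, server
        self.contacts, self.shared_with, self.blocked, self.inbox = {}, set(), set(), []
        self.inbox_key = secrets.token_bytes(32)  # stands in for a public identity key
        server.users[uid], server.inbox_keys[uid] = self, self.inbox_key
        self.rotate_profile_key()

    def rotate_profile_key(self):
        self.profile_key = secrets.token_bytes(32)
        self.server.tokens[self.uid] = kdf(self.profile_key, b"delivery-token").hex()
        for u in self.shared_with:  # push the new key to every remaining contact
            u.contacts[self.uid] = self.profile_key

    def share_profile_key_with(self, other: "User"):
        self.shared_with.add(other)
        other.contacts[self.uid] = self.profile_key

    def block(self, other: "User"):
        # Rotation invalidates the blocked party's token; nobody else notices.
        self.blocked.add(other.uid)
        self.shared_with.discard(other)
        self.rotate_profile_key()

    def send_sealed(self, to: str, body: str) -> dict:
        if to not in self.contacts:
            raise PermissionError("no profile key for %s: cannot seal" % to)
        cert = self.server.issue_sender_certificate(self.uid)
        inner = json.dumps({"cert": cert, "body": body}).encode()  # identity travels inside
        return {"to": to,  # no 'from' on the outside of the envelope
                "token": kdf(self.contacts[to], b"delivery-token").hex(),
                "ciphertext": toy_encrypt(self.server.inbox_keys[to], inner).hex()}

    def open_sealed(self, ciphertext_hex: str) -> tuple:
        inner = json.loads(toy_decrypt(self.inbox_key, bytes.fromhex(ciphertext_hex)))
        if not self.server.verify_sender_certificate(inner["cert"]):
            raise ValueError("sender certificate invalid")
        return inner["cert"]["uid"], inner["body"]

def demo() -> dict:
    server = Server()
    alice, bob, carol, dave = (User(n, server) for n in ("alice", "bob", "carol", "dave"))
    for contact in (alice, carol):
        bob.share_profile_key_with(contact)
    out = {"accepted_from_contact": server.deliver_sealed(alice.send_sealed("bob", "hi"))}
    out["opened"] = bob.open_sealed(bob.inbox.pop())
    try:
        dave.send_sealed("bob", "spam")  # never got Bob's key: cannot seal at all
        out["stranger_can_seal"] = True
    except PermissionError:
        out["stranger_can_seal"] = False
    bob.block(alice)  # Alice keeps Bob's old key and will present a stale token
    out["accepted_after_block"] = server.deliver_sealed(alice.send_sealed("bob", "still me"))
    out["accepted_from_carol"] = server.deliver_sealed(carol.send_sealed("bob", "hey"))
    out["server_saw_sender"] = any("from" in entry for entry in server.log)
    return out
```

Calling demo() walks through the scenarios in the text: a contact’s message is accepted and the recipient still learns who sent it, a stranger cannot even build a sealed envelope, a blocked contact’s message is rejected by the server without the server knowing who sent it, and the server’s log holds only a destination and a ciphertext length per message.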