I’d just given a talk and was having a nice chat with a young man who was doing similar work and wanted to stay in touch.
“Great, just give me your Signal number,” he said.
I hesitated. I’ve been using Signal for several years, since it was TextSecure. It’s by far the most trusted messaging app in my circles, and although it’s been slow to catch up to WhatsApp and other tools when it comes to fancy features, I use just as much among friends.
But Signal—as well as WhatsApp and Viber—require you to register with and use your phone number as an identifier. What this means practically is that when I meet someone with whom I wish to connect on one of these apps, I have to give them my phone number for them to be able to message me. Other apps, including Wire and Telegram (the latter of which I do not recommend at all), allow you to connect using a handle of your choosing.
I’ve been thinking about this as a security issue for awhile. As a woman, handing out my phone number to a stranger creates a moderate risk: What if he calls me in the middle of the night? What if he harasses me over SMS? What if I have to change my number to get away from him?
I’m not so surprised that the mostly-male developers of these tools didn’t consider these risks. They’ve focused carefully on ensuring that their encryption works (which is key), that their user-verification models are usable and make sense, and I’m grateful for that…but I still don’t want to give my phone number out to a stranger.
Luckily, I have a workaround, and a policy recommendation for app developers. Let’s start with the latter:
Allow users to create alias handles
I’m not a technologist, but I’ve asked around, and a number of smart friends have suggested that it wouldn’t be so hard for apps like Signal to allow for aliases. What do I mean? Well, imagine that young man at the conference had asked me for my Signal, but instead of giving him my number, I could give him a temporary or permanent handle associated with my account. Registration wouldn’t change—my Signal would still be tied to my phone number—but the public-facing identifier could be the phone number or an alias of my choosing.
I don’t know why this hasn’t been done, but I’d love to know. Perhaps the men running these teams simply haven’t thought of it?
A workaround to protect your phone number
A few years ago, I discovered a way to use Signal and WhatsApp while keeping them disconnected from the SIM I carry with me in my phone. It requires you to purchase a second SIM card (I use a pay-as-you-go that I top up every couple of months). Here’s how you do it:
1. Put your secondary SIM card in your regular phone and register your Signal account to that number.
2. After it’s registered, take that SIM card out and put your regular one back in. Do not change your Signal account to that number.
You’ll want to hold on to the SIM card, and make sure it stays operational, because if the number goes back out onto the market, someone can register a new account with it, thus kicking you off of yours (seriously, this happened to a friend in Lebanon, where numbers go back onto the market frequently).
You can treat the secondary number as a public number (mine is on my business cards, and I keep the SIM in an old Nokia so I can take work calls on it), or as your own little secret.