Signal rolls out a new privacy feature making it tougher to know a sender’s identity

Signal, regarded as the gold standard of end-to-end encrypted messaging apps, is rolling out a new feature that will further protect the identities of message senders.

“While the service always needs to know where a message should be delivered, ideally it shouldn’t need to know who the sender is,” Signal revealed in a blog post Monday.

Dubbed “sealed sender,” the messaging app will soon hide a sender’s information inside the envelope of an encrypted message. The sender’s “from” information will be removed from outside the message’s envelope and will instead be replaced with a short-term certificate — containing the sender’s phone number, public identity key and an expiry time — which can be used to prove a sender’s identity. The whole envelope is encrypted again. Once it’s delivered, the recipient’s device will validate that certificate and decrypts the message as it normally would — without exposing the sender’s identity at any point.

Sounds fancy, but in reality nothing changes at the surface level — the app will send your messages securely over an end-to-end encrypted connection. But behind the scenes at the service level, the new hand-off mechanism makes the service more resistant to metadata.

The new feature will be enabled by default when it rolls out in a future stable release.

Since its inception, Signal hasn’t collected or stored data. By engineering the service so that it can deliver messages while cutting itself out of the loop, the app maker can’t turn over data to governments when they come knocking with a warrant. That point was proven two years ago when the FBI demanded that Signal turn over all the data it had on one particular user.

Signal responded with all the data it had — a timestamp of when the account was created and its last connection date. The information was effectively useless to prosecutors.

“These protocol changes are an incremental step, and we are continuing to work on improvements to Signal’s metadata resistance,” the blog post said. “In particular, additional resistance to traffic correlation via timing attacks and IP addresses are areas of ongoing development.”

In other words, your data was never stored — but now it can’t ever be.

The new feature will be enabled by default in a future version of Signal. It’s heading into beta in the next few days.