Adding usernames to a messaging app might seem like a standard feature, but for Signal, such identifiers have been anathema to its mission of ultimate privacy and security — until now. The upcoming version 7.0 adds usernames, but company president Meredith Whittaker explained that this wasn’t as simple a decision as it might sound.
The new feature sounds simple: You enter a username and it appears instead of your phone number. But why do this at all when everyone already has contact names and Signal is completely private anyway?
In an on-stage interview at StrictlyVC LA, Whittaker explained the intricacies and complications behind what they believe is a critical new protection.
“Let me start by explaining it with an example. In India recently, it has become a requirement that in order to obtain a SIM card, you submit to a biometric facial recognition scan. This isn’t just happening in India, we’re seeing a number of jurisdictions where to get a phone number, you have to provide more and more personal information. Some, in some places like Taiwan, are linked to government identity databases that are often compromised and cause a lot of problems,” she said.
This isn’t as much of a problem in the US, where burners and SIMs are plentiful, although private data is also available in private markets. But around the world, this trend is accelerating, she said:
“A request we often received from journalists in conflict zones and from human rights workers was: Hey, we like it, but the phone number is a real problem for us. We need to be able to talk to people without sharing that information. We need to be in groups of strangers where we are not afraid that they can scratch it. And we need to be able to start conversations with others without sharing our phone number, because again, that’s my biometrics, that’s everything else, and that can leak a significant amount of information.”
Essentially, Signal’s constant reliance on a durable and increasingly non-private identifier, phone numbers, was going from a legitimate product option to a serious threat to a significant number of users. They decided they needed to add an optional level of obfuscation without negatively impacting usability or security.
“So we basically turned our architecture inside out to support that and support that in a way that I’m really proud of,” Whittaker said.
The clutch move was to avoid saddling Signal’s username implementation with new, large-scale management responsibilities.
“We at Signal don’t want to take responsibility for content — we’re not in the content rating business. But of course, with usernames, traditionally, you create a new namespace, right? You’re creating something that you actually have to watch, maybe police, maybe censor.”
It’s a problem that much larger organizations struggle to deal with, as millions or billions of users sign up and change names that could themselves be rule violations — a name is just a short string and can just as easily be “RainbowBubbles” as “Kill_all_[insert slur here].” Impersonation, scams, all kinds of problems are just as likely in username fields as they are in post or profile fields.
Signal’s solution to this is to basically eliminate the ways in which these methods cause harm at scale, rather than trying to prevent them altogether.
“We did what I would say is a kind of design safety that allowed us to stay very true to our principles, which is we just don’t take this work,” Whittaker explained. But this is not just a complete abdication of their role as owners of the platform.
“We’re not willing to, you know, create a block list or things to determine what is and isn’t appropriate. But we’re also reluctant to create new surfaces for evil, right? Like, we recognize that this can be a real issue. So what are we going to do? We’re going to design it so that we’ve minimized or, I believe, eliminated the fault space,” she continued.
“Username is not a handle. It does not appear in the application. It’s not something we have a catalog for. But it replaces the phone number when you go to initiate contact.” (Signal adds numbers to selected usernames to ensure they’re unique.)
In other words, the system is much more restrictive than the public profiles or spam you might get on other platforms that have usernames as normal identifiers for users.
Instead, the username provides a way to identify and hide at the same time. A requester gets all the benefits of Signal’s phone number requirement, but few of the risks of exploiting usernames. You only get the username if you ask for it, which shifts responsibility to users without compromising their needs or ability to discern.
“I think there’s actually kind of a paradigm around secure design with integrity that we’re pushing as we add a very basic level of privacy to the app,” she concluded.
The new feature will be available in the Signal 7.0 client. “And if you’re a beta user, you can go in and claim your username now,” Whittaker added. “If you’re up for it.”