By Andrew Moon
February 26, 2021•2 min read
Privacy is the fundamental principle on which every feature of Signal is built from. It’s also the reason tens of millions of new users flocked to the encrypted messaging platform at the start of 2021, sparked by a competitor misstep, and a two-word tweet.
The non-profit’s VP of Engineering, Jim O’Leary, spoke at our most recent privacy_infra() event about how they use end-to-end encryption to power the world’s private communication—and that recent need to scale, fast, following a tweet from Elon Musk and a consumer backlash to a WhatsApp privacy change. Scroll down to watch O’Leary’s full talk.
While it’s easy to attribute Signal’s growth to those two events, O’Leary also pointed to Apple’s Privacy Nutrition Labels feature, and comparisons between the two messaging apps that highlighted the stark difference in what data is collected. The only thing required to sign up for Signal, and the only primary identifier, is a phone number.
To O’Leary, it’s an approach to privacy inspired by a real-world analogy.
“If you meet your friend in a park, every word you’re communicating back and forth, isn’t delivered through some intermediary party. Your eye movements during that conversation aren’t tracked throughout your discussion to increase engagement for future conversations, and nobody eavesdrops to determine the best advertisements to run in order to influence your next luxury item purchase,” he said.
“I never want to have anybody need to make a sacrifice in order to do the secure thing or the private thing.”
Digital communication has evolved from unencrypted plaintext in the early days of the internet, to transport layer encryption in the 2010s, and now end-to-end encryption, or E2EE. Signal’s E2EE messaging standard is known as the double ratchet algorithm and is used by a number of different messaging platforms. (Check out their code repositories and documentation, too).
Signal’s non-profit status and open-source position also gives it a unique perspective on solving for privacy. “We don’t have competitors in the traditional sense,” explained O’Leary. “We compete with insecure technology like MMS, SMS, or other plain text protocols. And so we feel as if we win and our mission is fulfilled when the world is more private.”
O’Leary also spoke about Signal’s push to not just be known as a secure platform, but a fun one, too. They’re adding now commonplace messaging features like reactions, groups, stickers, and more; all the while remaining fully private and end-to-end encrypted.
“Even sticker packs in Signal are fully encrypted end-to-end in a way such that the Signal surface itself doesn’t know the content of your sticker packs,” O’Leary explained.
Finally, a word of advice to engineers working on privacy—be an advocate.
“Be the voice within your organization, if there isn’t one, pushing for private and secure technology—with the rest of your engineers, with the lawyers, the executives, the sales team, and everybody you possibly can as well too.”
“I think in some organizations you can be seen as friction to the overall product development life cycle, but you can have a more delightful time, and get more things done the right way, if you can invest the time and the energy into letting people understand why privacy is important, such that it’s a non-negotiable part of every business or a product decision that gets made.”
Note: This post reflects information and opinions shared by speakers at Transcend’s privacy_infra() event series, which feature industry-wide tech talks highlighting new thinking in data privacy engineering every other month. If you’re working on solving universal privacy challenges and interested in speaking about it, submit a proposal here.
By Andrew Moon