And then it spams all of your contacts who have Signal installed, without asking your first.
And it shares your phone number with everyone in your contacts who has Signal installed.
And then when you scream ARE YOU FUCKING KIDDING ME and delete your account and purge the app, guess what? All those people running Signal still have your phone number displayed for them right there in plain text. Deleting your account does not delete the information that the app shared without your permission.
So yeah. Real nice "privacy" app you've got there.
I'm going back to Facebook Messenger, where at least the privacy failings are obvious.
PS: If you suddenly find yourself in possession of my phone number, please don't share it, with anyone, ever. SIGH.
As you see in the comments below, the developers vehemently deny they are sharing your phone number with people who didn't already have it. I'm willing to accept that they're not lying about this, but let me clarify what I saw with my lying eyes:
- I installed Signal. I allowed it to access my contacts.
I started getting "Hello" messages from people in my Contacts. This is the point when I learned that (however you want to spin it) they had been notified that I joined this network.
I was not informed beforehand that this was going to happen. That's fucked up.
To be clear: when an app says "we don't share your contacts with anyone" and then 30 seconds later, people from your contacts start messaging you because they got a notification -- it's pretty reasonable to assume that something fishy is going on.
I installed this app because I wanted to communicate with one or two particular people. I did not want to wave a big flag saying HEY EVERYBODY HERE I AM. If the flag-waving is non-optional, then that should be made abundantly clear before one activates the account.
This kind of behavior reeks of the sort of spammy boosterism that is endemic on every social network these days: the priority is on building the network. Self-promotion comes first. Get the users, invite invite invite, work that network effect, user experience comes second.
- One of those people who sent me a "hello" message said, "Hey, I seem to have your phone number now, and I'm pretty sure I didn't have it before."
So maybe they were wrong, and they did have my number previously.
That's why I asked another friend who has been using Signal for a while if this was for real:
Is there anyone in your Signal address book with a number who has never messaged you or given your their phone number?
Yes. There are a few people I've never messaged, and at least one whose phone number I didn't know I had.
So maybe they were wrong too.
Then I saw this:
@autolycos: I can verify. I joined Signal and got the number of an army buddy I only had email addresses for.
And then I saw this:
@uplevel_payload: I greeted a colleague via Signal w/o warning and really freaked them out. I only had their professional email prior to.
So maybe those people, and various others on Twitter reporting the same unsettling discovery, are all wrong, too.
There seem to be an unsettling number of people suffering this same delusion, though, huh?
Then I deleted my account and deleted the app. I asked a friend if that had made me disappear from their list.
No. No it did not. So that's fucked up, too.
Then I made this irritated blog post. It's true that I did not take a month to do a full audit of their source code first. I made an inference from what I saw with my lying eyes, plus confirming anecdotes from several other Signal users.
Because they say so, I can accept that Signal isn't leaking your phone number to people who don't already have it, but it sure seems like it is, and these perceptions matter, especially for a purported privacy app.
It's seems especially hinky when this phone number (mis-?)discovery immediately follows that bit where they say "we don't share your contacts", which hinges on a precise reading of the word "share", because your contacts sure do get a notification anyway.
Update, 2018: Subsequently.