Skip Signal and move to Matrix before it's too late

This is an authentic article written by BramvdnHeuvel.

Estimated reading time: 4 mins.

Skip Signal and move to Matrix before it's too late

If you're not very familiar with the digital world, this article will explain to you in layman's terms why Signal is not a long-term solution to an app like WhatsApp.

Recent changes in WhatsApp's policies have made people reconsider whether they want to keep using WhatsApp, and a large migration to Signal took place. This migration even took part in Europe, despite Europe's exemption as a result of data protection law.

Signal was previously mostly popular among journalists and whistleblowers as a result of Edward Snowden's public support, but a tweet from Elon Musk is supposed to be a major cause in why Signal was downloaded significantly more often in the weeks after.

Signal's issues

Before I explain the risks of downsides of Signal, I would like to emphasize that in regards to digital rights, Signal is a much better alternative to WhatsApp. Signal's encryption is incredibly well put together, and it's a great recommendation to anyone who prefers to protect their metadata from the hungry Big Five of tech companies.

That said, there are a few issues that could arise if you keep using Signal for a while. Some of these may seem like issues that every communication app would have, so that's why we're going to compare Signal with Matrix to show that Signal doesn't need to have those issues.

Signal is "open source"

Signal is open source. This means that anyone can look at Signal's software and confirm there's nothing fishy going on there. (Take a look! You'll find everything here, visible for everyone.) You still need to trust that they use that software, but experts have certain tricks to check whether they're honest - and they've earned a good reputation.

A summary of Signal's  most used software

This concept of being open source only works if EVERYTHING remains open-source. However, during the pandemic from the 20th of April 2020 until the 1st of April 2021, the Signal server had received several updates that weren't made public: in other words, for nearly a year, Signal's server has been running software that no one could perform a security check on. Usual business for a server like WhatsApp, but a not-done by a security-aware service that prides itself on its homepage for being open source and constantly peer-reviewed.

You can't get out

What if Signal gets too popular, and gets a grand amount of money offered by a company like Facebook? Would you stick with Signal, or convince everyone around you to move to another app once again?

What if Signal later turns out to show a few security issues, and a better app shows up? For example, an app like Olvid claims to have the same encryption, but even lets you send encrypted emails and even claims to be ready to implement cryptography that even a quantum computer cannot crack. Would you neglect it and stick with Signal, or would you try to get your friends to move to that new app altogether?

The problem with Signal is that it works the same way WhatsApp does: as soon as they get big, they can change their terms of service pretty far before you'll switch again. And some people already experience this. There's a page filled with concerned developers from when Signal didn't update their servers for almost a year.

Lots of concerned developers complained about Signal's lack of updates, with no response

The concept that you rely so much on the service that you use, is called the network effect: a service like Signal is useless if you're the only one to use it, but it's useful if everyone uses it. And Signal loves to abuse this effect:

  • First off, you HAVE to use Signal's software, whether you like it or not. Some developers wanted to build LibreSignal, a Google-free fork of the original Signal app. However, Moxie Marlinspike (Signal's CEO) shut down the project because he didn't want foreign software using Signal servers.
     What this means, is that you get to look at Signal's code, but you're not allowed to change anything that you don't like. In other words, if Signal turns out to somehow spy on you, you can't do anything about it anyway.
  • As an alternative, if Signal ever DOES turn out to spy on you, they deliver a friendly alternative: their code is open source, and you're allowed to set up your own Signal server. However, since you're not allowed to connect your self-hosted server to Signal's server, you'll have to convince everyone to install YOUR new app, in which case you might as well just move to another app. In theory, Signal offers an exit. Very few people can actually use that exit.

An open-source project is a project where you tell people, "if you don't like it, go write your own version". It's NOT an open-source project if you tell people, "if you don't like it, TOO BAD, you can only do something if I let you".

Fishy stuff behind the scenes

So what did Signal update exactly in the year that they didn't update their server? Speculations are going on whether it's intentional, but the developers have been writing some new functionality into the Signal server: they plan on introducing cryptocurrency into Signal. In-app money is coming to your Signal app soon, whether you like it or not.

Why Matrix instead?

If you're not familiar with Matrix, it is very familiar to Signal: except they do allow users to write their own code. And this happens openly: while the Matrix Foundation generally recommends the use of Element, users can also pick apps like FluffyChat, SchildiChat, Syphon, and even some bizarre apps like a CLI, Matrix on a Nintendo 3DS and several files to run Matrix on very minimalistic IoT devices.

Instead of blocking open communication, Matrix even encourages users not to trust them: they offer SDKs that make it easy for developers to program their own Matrix server or app. Additionally, everyone can run a Matrix server and still connect it to Matrix servers. In other words, you maintain a 100% guarantee that your privacy won't be breached - not now, not in the future. Let that sink in: absolute guarantee instead of blind trust.

So why has Signal not done the same thing as Matrix? There's a simple answer for that: they believe that open communication stands in the way of adaptability: up to this day, for example, email is still struggling to implement encryption, while WhatsApp managed to implement worldwide end-to-end encryption overnight. Just like that.

It is an easy strawman to compare Signal to technology from the 90s and completely ignore IRC and Matrix, especially now that Matrix has started growing: Element recently gained Series B funding of about 30 million, how the French government has completely adopted Matrix in the government and all the German armed forces are connected to Matrix. Even though Matrix is not as well-known as Signal, it is already considered the messaging app of choice for top-secret communications. Matrix offers not only protection for you against a government, their scope is big enough for governments to get protection against other governments.

The most important issue is this one though: if you ever change your mind about Matrix, you don't need to convince everyone else to move. Matrix offers bridges to so many other apps, that you don't even need to be connected to Matrix to communicate with people on Matrix: I have a D&D group with two friends on Discord, one friend on Slack, one friend on Telegram and two friends on Matrix, one of whom considers moving to Google Messenger soon. And none of us need to convince the others to switch apps if we ever feel uncomfortable with an app, thanks to Matrix.

Conclusion

Signal is a great app with many benefits. However, if you are currently switching off of WhatsApp, your best option is to switch to Matrix: it is (actually) open-source, its security is already of higher quality than Signal's and you will never have to convince ALL your friends and family to move along with you anymore.

If you're convinced, you can read an article on how to join Matrix. If you need help, you can contact me at @bramvdnheuvel:nltrix.net - I'll be happy to help. If you'd like to know more about Matrix, you can also watch the webinar below which goes into more details on Matrix:

Still not convinced? Is there something you disagree with in particular or something you'd like to see explained? Feel free to reach out as well: contact me on Matrix or by email.