Why Do I Make You Use Signal? A (Mostly) Friendly Explanation
Jonathan S.
Attorney specializing in Information Security Threats and Vulnerabilities at Beermann LLP
If you've ever wondered why I insist on using Signal for our communications, you're not alone. I get asked this question by clients, coworkers, friends, and family all the time. To many, it might seem like an extra hoop to jump through, but let me explain why Signal is worth it—and why I ask you to use it when communicating with me.
The Flaws of SMS: An Open Invitation for Privacy Breaches
Let’s start with SMS. If you value privacy even a little, SMS simply isn't up to the task. First, SMS is completely unencrypted, which means that any SMS message you send can be intercepted and read by your mobile carrier, government agencies, or anyone with the means to pull off a basic eavesdropping attack. It’s old technology, and its vulnerabilities have made it a favorite target for hackers.
Perhaps even more concerning are SIM swap attacks. This is where an attacker convinces your mobile carrier to transfer your phone number to a new SIM card under their control. The result? They now receive your SMS messages and can impersonate you—a nightmare scenario for anything requiring two-factor authentication.
The iMessage Dilemma: Better, But Still Not Ideal
Now, iMessage offers a far more secure experience compared to SMS—Apple has integrated end-to-end encryption for your messages, photos, and even FaceTime calls. But let’s look at the full picture. Signal edges out iMessage in some key areas.
First, Signal is cross-platform, meaning you can securely message both Android and iPhone users seamlessly. Even with Apple's implementation of RCS support—which is still not end-to-end encrypted by default when cross-platform—it's hard for RCS to compete with Signal's encryption standards.
Access Control and Device Management: Signal vs. iMessage
A more subtle but important difference is in access control measures. With iMessage, you can view all devices logged into your iCloud account, which is reassuring, especially when you use multi-factor authentication as robust as YubiKeys. Signal also lets you see devices signed into your account, but it adds further layers of security: to sign in on a new device, you need authorization from an existing, trusted device via QR code scanning. Additionally, Signal's registration lock feature allows you to set a PIN of up to 128 characters, adding a significant barrier to unauthorized access.
And then there’s ephemeral messaging. Signal lets you set messages to automatically disappear after a designated time period, which isn’t available in iMessage (unless you count the often-forgotten “manual delete” option).
Transparency vs. Trust: Open Source vs. Closed Source
Another critical distinction is transparency. Apple has a stellar reputation, but iMessage is still closed-source. This means the public must trust Apple's claims about the robustness of its end-to-end encryption. Signal, on the other hand, is open source, which allows anyone to verify its claims. True, open source isn’t magic—it requires a vigilant community and assurances that the code being published is what actually runs in production—but it’s certainly easier to audit and verify than a closed system.
Also, while iMessage provides encryption, there’s a significant caveat: unless you’ve enabled Apple's Advanced Data Protection, your iCloud backups may contain decryption keys, leaving your messages potentially vulnerable. Signal, by contrast, avoids this entirely by not allowing cloud backups that compromise encryption.
Identity Verification and Metadata
Signal also allows you to manually verify contacts. This ensures that you are communicating with the correct person and alerts you if their device changes. Apple has introduced a similar feature called Contact Key Verification, but it’s still far from mainstream adoption, even though it's a simple toggle without downsides. And why isn't it enabled by default? Well, that remains a mystery.
Moreover, Signal collects minimal metadata. Apple, on the other hand, likely retains more metadata associated with your messages. The extent of this data collection isn’t fully transparent, and it’s worth considering what information might be retained.
A Common Critique: Signal's Phone Number Requirement
One common criticism of Signal is the requirement to use a phone number for registration. Though this remains true, Signal now allows you to hide your phone number behind a username—not a perfect solution, but a step in the right direction. In contrast, iMessage can be registered using an email address, including privacy-forward email aliases like those from SimpleLogin or Addy.io.
Conclusion: Why I Use Signal—and Why I Ask You To
In the end, while both Signal and iMessage far exceed the abysmal standards of SMS, Signal edges out iMessage when it comes to privacy and security. True, it may lack some of the flashy features iMessage offers, like seamless integration into Apple’s broader ecosystem, but Signal’s emphasis on privacy, cross-platform capability, and encryption transparency makes it a powerful choice.
Of course, you don’t need to limit yourself to just one messenger. You can—and probably should—use multiple tools for different purposes and audiences. Just like we don’t use a single key for every lock, there’s no reason to use just one app for all your conversations. But when security and privacy matter most—especially when you're communicating with me—Signal is hard to beat.