The Call of the Open Sidewalk

From a place slightly to the side of the more popular path


End to End Encrypted Messaging in the News: An Editorial Usability Case Study

draft

Recently (March 2025) a reporter was added to a Signal Messenger group intended for members of the United States of America (USA) government, apparently by accident. So this is a really good time to talk about identity in end to end encrypted (E2EE) messaging, with this event as the practical example. The event became hugely political, and politics in the USA are well covered around the world right now, so most people have at least heard of it.

Politics in the USA are incredibly partisan these days, so I run a significant risk of having readers from that country assume that this article is intended to support one of the factions. Please try to filter out such assumptions, they are unwarranted. In the same vein, I ask that Signal fans do not take my criticism of Signal Messenger too personally. Most or all of the discussion here applies to other systems.

The Incident

The reporter first received a connection request on Signal from an entity that was labelled “Michael Waltz”, which was the name of the US National Security Advisor. The reporter accepted the request but no messages were forthcoming. Two days later he was included in a group chat. The group chat discussion was used to aid the planning of an upcoming military operation. This was very surprising to the reporter; he was disliked by the government and his inclusion in such a discussion was quite inappropriate in any case. The reporter eventually wrote an article about the experience1). It is still not entirely clear how this actually happened; the popular theory is that it was accidental. If so, we have a usability problem involving identity …

Background

If you have secrets and you wish to impart those secrets to a select group of others you can gather them all together in a place isolated from anyone else and then just tell them. You can first simply look around and see that you have the correct subset of humanity present. If instead you would like to use some sort of secure messaging system you can no longer just look around. You need a way to ensure that your secrets are only transmitted to the correct recipients.

Cryptography provides a solution. A cryptographic identity usually takes the form of a ridiculously long number. If you can match the number with a person you can be sure that you are sending your messages to a device under the control of that person. Some examples of these “identity numbers”:

13CF 39CC BC5D 5D14 BC8A  2B85 6C61 F5BF B71B 8933
PGP's “key fingerprint”

APKTID4R4kNYPKzmQB91fzU3M0d5WaH13LW3HTobpnYabZNU6jUw
Apple's iMessage “verification code”

briar://bafybeiczsscdsbs7ffqz55asqdf3smv6klcw3gofszvwlyarci
Briar Messenger's “Briar link”

15139  16505  22878  41839
11784  72420  48908  12689
96973  39111  42705  26562
Signal Messenger's “safety number”; WhatsApp's “security code”

If you can get your correspondent's identity number into your device you can then be sure of the identity of that correspondent from that time forward. Alternatively you might be able to just compare the number on your correspondent's device with a number on yours. Where the hardware permits, a QR code can be displayed on one device and the other device can be used to scan it. For people physically separated, the number can be read out over some sort of voice channel. I am old enough to remember a time when PGP key signing parties were a thing that the nerdy set would engage in. Such parties were all about matching identity numbers to actual people. This is not a recent issue.

All this messing around with huge numbers is inconvenient so a means of mapping the identity number to some already existing aspect of your identity is often provided. When the device is a smart phone that aspect would naturally be a phone number. Then your preexisting phone/address book can be used in a transparent way. The cost is that you have to trust the system that does the mapping to not engage in some sort of deception that would allow that system to impersonate you. You can compare the identity numbers later if you want to eliminate the chance of such deception going forward.

About the Identity Numbers

It seems pretty certain from the discussion around the incident in question that identity numbers were not used here. The reporter did not mention being asked to provide such a number and there were no references to identity numbers in any discussion related to the incident. So Signal's phone number to identity number mapping facility was in use. That means that the users were effectively trusting the third parties that map phone numbers to identity numbers. Trusting a third party is not something that you would normally want to do in the case of military secrets. Why did these users use the system in a less secure way?

If you are using Signal and you don't verify a particular user in the first place then you will likely not ever be aware that identity numbers even exist, much less know what they are. If the identity number changes for some reason you will get a notification in unobtrusive grey text (“Your safety number with Jane Noakes changed”). That notification will be visible only until subsequent chat messages scroll it off the screen2). So for the most likely case, that the number does not change, you will see nothing about why you might want to do something with an identity number.

On the Signal web site it says this about the use of their identity numbers3):

Verification of safety numbers is a good security practice for sensitive communication.

That doesn't really give you anything that will help you choose a course of action. It would be better to be explicit. For example, I think this would be better:

If you do not verify your correspondent(s) with a safety number you will have to trust some organizations. Those organizations could impersonate you and/or your correspondent(s). Such impersonation could lead to exposure of your private messages4). The organizations:

- Signal Messenger LLC
- Twilio Inc. 5)
- Your phone company

To be clear here, I am not suggesting that people should never take advantage of the convenience of a secure messenger's phone number to identity number mapping feature. I am complaining that the degree and form of the added risk of such use is not adequately made clear to the users.

Signal is certainly not the worst at accurately imparting the risks here6). Still, the general downplaying of the impersonation risk has left most users of secure messaging systems entirely unaware of it. It would be surprising if any of the people involved in the now famous Signal group chat had done identity verification.

This seems to be an example of how widespread sloppy usability can lead to a misleading legend. That legend being that identity verification using the identity number has little or no benefit.

The Phone Book Metaphor

My parents kept a large red notebook by the model 500 phone that provided all the remote communications in the place I grew up. The book contained a roughly ordered list of names and their associated phone numbers. We would remember all the numbers of people we called regularly. That mostly came from the muscle memory built up by constantly using the mechanical dial. You would pick up the handset, think of who you wanted to talk to, and the rest would be automatic. You probably wouldn't even have to look at the dial. The book was only for the numbers of entities that we rarely called. That was mostly things like businesses, say, the people that delivered the fuel or water, or doctor's offices. If our use of the book, or the book itself, was deficient and we ended up at the wrong number there was little risk of divulging anything private. In any case where privacy mattered, you would either recognize or not recognize the voice on the other end of the line before the discussion started. That is one of the reasons we say something like “hello” at the start of a phone call. It's a form of biometric authentication.

So correct mapping from name to number was not all that important for traditional phone books. Neither was correct use.

In the case of the mysterious addition of the reporter to the group chat it appears that the phone book ended up with the wrong mapping from name to number. An iPhone feature helpfully suggested the reporter's number for someone else's name7). When that someone else was added to the group chat several months later Signal did another mapping from the incorrect phone number to the identity number of the reporter.

So was Apple to blame here? I don't think so. Apple was operating under long established cultural assumptions associated with phone books. Getting the name to number mapping wrong under those assumptions will not lead to a bad outcome. Apple was not expecting the user to then depend on that mapping for secure messaging where the assumptions are much different. By farming out the identity verification to the phone book, Signal suffers from the real risk that the identity information held there is incorrect.

Introductions

People generally meet other people through introductions. A typical introduction takes the following form:

This is <name>. They are <identity context>.

For a very well known person, the identity context is just their title:

This is Mary Simon. They are the Governor General of Canada.

Otherwise the identity context is the relation to the introducer:

This is Jane Noakes. They are my roommate.

Most secure messaging systems do not accommodate introductions very well, or at all.

If you attend an actual physical meeting, what is the first thing you do? You look around to see who else is there. If you see someone who you don't recognize you will expect an introduction from the moderator. If such an introduction does not occur, and this is, say, a meeting about high level government business, you will interrupt the meeting before it gets very far and demand an introduction. This isn't just to protect the secrecy of the meeting content. You will want to know what you cannot say, what you can say, and how you should say it with that person present. The members of a meeting are an important part of the context of that meeting.

Again considering the US government group chat… Ideally, no introductions would have been required. Every member of the chat would have compared identity numbers before the chat and then everyone would “know” everyone else. That doesn't really work for group chats.

As much as it is fun to imagine a sort of US government Signal key signing party, Signal is not designed to accommodate such a thing. The Signal “safety number” doesn't represent a single identity as is normal. It represents a combination of your identity and that of the person you are verifying with. That is one of the reasons it is so long. Combining identities in this way means a single QR code scan checks both identities at once. It unfortunately prevents a regular key signing party, where everyone checks their own number against a list and proclaims that the mapping is correct, allowing everyone in the room to verify your identity at once. In the Signal case the US government would have had to set up a sort of QR code conga line in which everyone scanned everyone else's QR code. For the 20 members of the chat that is 20 × 19 / 2 = 190 pairs, so at least 190 scans (more if each party also has to mark the other as verified on their own device).
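The two properties the text leans on, that a safety number is a function of both parties' keys (so it is pairwise and symmetric) and that it changes when one party's identity key changes (the grey “safety number changed” notice mentioned earlier), are easy to show in code. The following is an added example, not Signal's code; it follows the published libsignal numeric-fingerprint construction as I understand it (two-byte version prefix, 5200 rounds of SHA-512 chained with the identity key, six 5-byte chunks reduced mod 100000 per party, halves sorted then joined), and the iteration count, the identifier bytes and the fake keys are assumptions. It also counts the scans needed for a full mesh versus a moderator-only model.

```python
import hashlib
from itertools import combinations

# Constants follow the libsignal numeric-fingerprint scheme as I understand it;
# treat them as an assumption for this illustration, not as Signal's own code.
FINGERPRINT_VERSION = 0   # two-byte big-endian version prefix
ITERATIONS = 5200         # rounds of iterated SHA-512 (makes fingerprint collisions costly)


def fingerprint_half(identity_key: bytes, identifier: bytes) -> str:
    """30 decimal digits derived from ONE party's identity key plus a stable
    identifier (phone number or account id). Each round hashes the previous
    digest together with the key, so the result depends on both inputs."""
    h = FINGERPRINT_VERSION.to_bytes(2, "big") + identity_key + identifier
    for _ in range(ITERATIONS):
        h = hashlib.sha512(h + identity_key).digest()
    # First 30 bytes -> six 5-byte chunks -> six 5-digit groups.
    return "".join(
        "%05d" % (int.from_bytes(h[i:i + 5], "big") % 100000) for i in range(0, 30, 5)
    )


def safety_number(local: tuple, remote: tuple) -> str:
    """The 60-digit pairwise number. The two halves are sorted before joining,
    so Alice and Bob compute the same string whichever side is 'local'."""
    a, b = fingerprint_half(*local), fingerprint_half(*remote)
    return a + b if a < b else b + a


def display(sn: str) -> str:
    """Render as the familiar three lines of four five-digit groups."""
    groups = [sn[i:i + 5] for i in range(0, 60, 5)]
    return "\n".join("  ".join(groups[r:r + 4]) for r in range(0, 12, 4))


def scans_full_mesh(n: int) -> int:
    """Everyone verifies everyone: one QR scan per unordered pair, n*(n-1)/2."""
    return len(list(combinations(range(n), 2)))


def scans_moderator_only(n: int) -> int:
    """Only the moderator verifies each other member."""
    return n - 1


# Constructed identities (not real keys): a 0x05 type byte plus 32 pseudo-random
# bytes standing in for a Curve25519 public key; the identifier is a fake number.
def fake_identity(name: str, phone: str) -> tuple:
    key = b"\x05" + hashlib.sha256(name.encode()).digest()
    return key, phone.encode()


ALICE = fake_identity("alice", "+15550000001")
BOB = fake_identity("bob", "+15550000002")
CAROL = fake_identity("carol", "+15550000003")
BOB_REINSTALLED = fake_identity("bob-new-phone", "+15550000002")  # same number, new key

if __name__ == "__main__":
    print(display(safety_number(ALICE, BOB)))
    print("symmetric:", safety_number(ALICE, BOB) == safety_number(BOB, ALICE))
    print("changes with Bob's key:", safety_number(ALICE, BOB) != safety_number(ALICE, BOB_REINSTALLED))
    print("20 members, full mesh:", scans_full_mesh(20))
    print("20 members, moderator only:", scans_moderator_only(20))
```

Because the number is pairwise, Alice has no single value she could pin to a list for the whole room to check; she has one number per correspondent, which is exactly why a key signing party does not map onto Signal.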

One way to deal with the proliferation of identity verifications required in a group chat is to make the moderator entirely responsible for who ends up in the chat. Then only the moderator has to know who all the participants are. I note that Signal allows anyone to add extra group chat participants by default. I do not think that this is a good default. In the case being considered, any of the 20 participants could conceivably have added the reporter by mistake if this default had been allowed to stand.

Even in the very unlikely event that everyone had verified everyone, Signal doesn't make that sort of status available to the group chat participants. All the members of the chat see are a list of names. About that…

The reporter seems to have shown up on the list of participants as their initials: “JG”. It doesn't seem clear from discussion where those initials actually came from. The person that was supposed to be added to the chat was named Brian Hughes. There were other participants described by only their initials8). There is no point in verifying identities if you end up linking those identities to mere initials. There was some speculation that the moderator that added “JG” to the chat was seeing the expected Brian Hughes on their list of participants while the other participants were seeing “JG”. This all seems (I get to use that word again) sloppy and excessively mysterious.

This brings up an interesting question. Where should the identity information come from for a group chat? I can think of three possibilities:

  1. Who you think they are.
  2. Who the moderator claims they are.
  3. Who they claim to be.

That information comes from introductions of various kinds:

  1. “Hello old friend. Here is my cryptographic identity number so we can converse privately and so you will know it is truly me”.
  2. “Hey group! This is Jane Noakes. She is the head of our philosophy department”.
  3. “Hello. I am Jeffrey Goldberg. I am the editor at the Atlantic”.

#1 is the best and #3 is the worst, all other things being equal … which they will usually not be. In Signal, for example, #1 is weakened whenever “who you think they are” rests only on the phone number mapping rather than a compared safety number. #2 and perhaps #3 would be made better if the identity context was collected at identity creation time along with the name. Then the context could be shown when adding a new group participant. Based on the case being considered, it might also be good if participants in a group chat could easily detect inconsistencies between the three types of introduction information. Participants should explicitly be introduced to the existing members of the group chat when being added, and at the same time the current participants should be introduced to the new participant.

To be clearer, I am generally suggesting that group chats should be done in terms of introductions. A participant should be able to see all the introduction information available in a way that would be useful to them and introduction information should be collected and preserved.
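To make the proposal concrete, here is an added sketch (my own, not Signal's behaviour or code) of what a client could do with the three introduction sources: the name my own contacts attach to an identity (#1), the name and context the person adding them announces (#2), and the profile name the device presents (#3). The roster below is constructed to mirror the incident as described: from the moderator's device the reporter's identity is labelled “Brian Hughes” by the address book, presents itself as “JG”, and has never been verified. The class, field and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Participant:
    """One group member as seen from MY device. Fields mirror the three
    introduction sources in the text."""
    identity_number: str                     # cryptographic identity, opaque here
    self_claimed: str                        # #3: profile name their device presents
    moderator_name: Optional[str] = None     # #2: name announced by whoever added them
    moderator_context: Optional[str] = None  # #2: "head of our philosophy department"
    local_name: Optional[str] = None         # #1: name my contacts map to this identity
    verified: bool = False                   # #1 strengthened: identity numbers compared


def _initials(name: str) -> str:
    return "".join(w[0] for w in name.split()).casefold()


def names_consistent(a: str, b: str) -> bool:
    """Loose match: identical, or one side is the initials of the other
    ("JG" vs "Jeffrey Goldberg" passes, "JG" vs "Brian Hughes" fails)."""
    a, b = a.strip().casefold(), b.strip().casefold()
    return a == b or a == _initials(b) or b == _initials(a)


def introduction_warnings(p: Participant) -> List[str]:
    """Human-readable inconsistencies a client could surface when this
    participant is added, instead of silently showing a bare name."""
    w = []
    if not p.verified:
        w.append("identity rests only on the phone number mapping (never verified)")
    if p.moderator_name is None:
        w.append("added to the group without an introduction")
    if p.local_name and p.moderator_name and not names_consistent(p.local_name, p.moderator_name):
        w.append(f"introduced as '{p.moderator_name}' but your contacts call this identity '{p.local_name}'")
    if p.local_name and not names_consistent(p.local_name, p.self_claimed):
        w.append(f"presents itself as '{p.self_claimed}' but your contacts call this identity '{p.local_name}'")
    if p.moderator_name and not names_consistent(p.moderator_name, p.self_claimed):
        w.append(f"presents itself as '{p.self_claimed}' but was introduced as '{p.moderator_name}'")
    return w


def review_roster(roster: List[Participant]) -> dict:
    """Map each participant's self-claimed name to its list of warnings."""
    return {p.self_claimed: introduction_warnings(p) for p in roster}


# Constructed roster, moderator's point of view. Identity numbers are placeholders.
MODERATOR_VIEW = [
    # The mis-mapped entry: address book says "Brian Hughes", device says "JG".
    Participant("id-0001", self_claimed="JG", moderator_name="Brian Hughes",
                moderator_context="NSC staff", local_name="Brian Hughes"),
    # A clean entry: verified, and all three sources agree.
    Participant("id-0002", self_claimed="JN", moderator_name="Jane Noakes",
                moderator_context="head of our philosophy department",
                local_name="Jane Noakes", verified=True),
]

# Same group from a non-moderator's device: no address-book entry for "JG".
OTHER_MEMBER_VIEW = [
    Participant("id-0001", self_claimed="JG", moderator_name="Brian Hughes",
                moderator_context="NSC staff"),
]

if __name__ == "__main__":
    for name, warnings in review_roster(MODERATOR_VIEW).items():
        print(name, "->", warnings or ["ok"])
```

The check is deliberately loose on names (initials count as a match) so that the ordinary “JN” for Jane Noakes is not a false alarm, while “JG” against “Brian Hughes” is flagged from every participant's point of view, which is the inconsistency nobody in the real chat was shown.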

4) Multiple impersonation used to get access to private messages is often referred to as a “machine in the middle” attack. See the “Attacking Signal's Authentication” section of Hey Signal! Great Encryption Needs Great Authentication.
6) Apple's description of the use of the iMessage “verification code” is actively misleading: About iMessage Contact Key Verification.
em/sg.1744675791.txt.gz · Last modified: 2025/04/15 00:09 by b.walzer