TL;DR: A bit, but not enough to panic.
As always, I'm going to lay out my bias up front: I like Signal. That's not to say I think they're perfect, or that I don't have a list of complaints with them ranging from trivial to serious. But between their world-class cryptographic security and an ease of use I like to call "insultingly easy," I think Signal is a powerful contender in the world of secure messaging apps that shouldn't be dismissed lightly, and its blend of security and user-friendliness makes it a great fit for the masses.
Lately a piece of news has been making the rounds: Signal hasn't updated their server repository since April 2020. For those not familiar with how open source works, here's a quick crash course: developers typically publish the source code in a git repository, a version-controlled copy of the code, with its full change history, that anyone can inspect in detail. Git repositories offer a lot of useful features for developers, but those aren't important right now. What we're focusing on is that the publicly posted repository for the code Signal runs on its own servers has not been updated in almost a year.
Now it's important to note that what's posted publicly is not necessarily what's actually running, an issue I address on my own blog here. This leaves two possibilities: either Signal hasn't actually updated their servers since April 2020, or they have and simply haven't updated the public repository. Both are worrisome. If the server software really hasn't changed in a year, it is almost certainly carrying unpatched security vulnerabilities: new flaws are discovered and patched daily, both in server code itself and in the libraries it depends on, and going that long without an update would be an egregious display of irresponsibility and lack of concern for security. Not good for a security app. However, I don't think this is the case, as I have seen others far more knowledgeable than myself point out that the other repositories, which have been updated, reference a newer server version number than the public server code when communicating with the server. That makes the second scenario the more likely one: Signal has updated their servers but not shared the code publicly.
I'm not going to defend Signal. While they have seen an explosion in their user base recently, the biggest surge did not come until January of this year, and even if that is what's delaying the release of the new code, two months is a long time in the software world. If they were really committed to transparency, they would have made time to post the new code at some point. Whatever reason they may or may not give in the future for the delay, I expect it'll be a stretch unless it's an extreme story with evidence to back it up.
Now let's get to the real reason I'm writing this: does this mean we should distrust and ditch Signal? Let's start with the classic phrase "never attribute to malice that which can be explained by stupidity/greed/incompetence/etc." Do I think the reason for Signal's lack of transparency is so they can intentionally insert malicious backdoor code and sell out their users? No, personally I have no reason to suspect that. They've never given us any reason to suspect that before, and in fact they even said they'd have to shut down or leave the US if the EARN IT Act passed because they'd refuse to comply with a backdoor into their encryption. Frankly, they'd lose pretty much every user and go under if they got caught inserting malicious code. They have little to gain and everything to lose.
Having said that, I recently argued in another blog post for DT that we should hold our privacy-focused companies to a high standard, and that applies here too. Signal's failure to update their public repository for almost a year displays a blatant disregard for their users and, at best, apathy toward transparency, which is critical when you're asking someone to trust you with their most sensitive data.
But now we come to the shining light: all is not lost. The Signal apps remain consistently updated, including as recently as a few days ago at the time of this writing. Again, people smarter than me have noted that the encryption still appears to be firmly in place, and there is no reason at this time to suspect that the messages themselves are compromised, even if the servers are. That is exactly what end-to-end encryption buys you (the idea is sometimes loosely described as "zero trust," although in industry usage that term refers to a network-access model rather than to messaging): the encryption and decryption happen inside the open-source apps on the users' devices, so the servers only ever relay ciphertext, and we don't have to trust them with our messages. It is worth noting that metadata could still be leaked, and that's still a huge concern in some cases, because the server necessarily sees who registers, from which IP address and when, and which account a message is addressed to, even though it can't read the content. Again, this is how I understand the process; feel free to reach out with a correction if I'm wrong.
So where does this leave us? From a technical perspective, the possible leakage of metadata definitely becomes a huge concern, especially coupled with the fact that Signal requires a phone number, which ties every account to a real-world identifier, and that most users will be using it on a phone, where effectively obscuring your location (your IP address, at a minimum) is next to impossible. However, the actual confidentiality and integrity of Signal messages should still be intact: nobody else can see your messages, memes, nudes, credit card info, end-of-workday vents, or whatever else you may choose to send. This, coupled with the aforementioned "insultingly easy" setup and operation of Signal, indicates to me that Signal is still a valid choice for almost anyone who chooses to use it, especially the mainstream, non-technical user. However, one should be aware that metadata is possibly not as well protected as it used to be, and, more to the point, the server's handling of it can no longer be checked against the published code. That's simultaneously a small issue and a very important one that always bears keeping in mind.
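To make the server's view concrete, here is an added toy model of an end-to-end-encrypted relay. It is not the Signal Protocol and not code from Signal; it is built only from Python's standard library so it runs anywhere. Alice and Bob share a secret established out of band (an assumption standing in for the key agreement a real protocol performs); the relay forwards opaque blobs and records what a compromised or dishonest server could keep: sender, recipient, time and size. It also shows the point made above about malicious server code: a relay that alters a blob is caught by the authentication tag, so it cannot silently change content either. The cipher is a counter-mode keystream from HMAC-SHA256 with an encrypt-then-MAC tag, chosen so the example needs no third-party libraries; it illustrates the division of trust, not Signal's actual cryptography. The names, secret and messages are constructed sample data.

```python
from __future__ import annotations

import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _derive_keys(shared_secret: bytes) -> tuple[bytes, bytes]:
    # Separate encryption and MAC keys from one shared secret (HKDF-style expand).
    enc_key = hmac.new(shared_secret, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"authentication", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode over HMAC-SHA256: PRF(nonce || counter) blocks, truncated to length.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(shared_secret: bytes, plaintext: bytes, nonce: bytes | None = None) -> bytes:
    """Return nonce || ciphertext || tag. Only the two endpoints hold shared_secret."""
    enc_key, mac_key = _derive_keys(shared_secret)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ciphertext + tag


def decrypt(shared_secret: bytes, blob: bytes) -> bytes:
    """Verify the tag first; any bit the relay flipped makes this raise."""
    enc_key, mac_key = _derive_keys(shared_secret)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: envelope altered in transit")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class RelayServer:
    """The part we cannot audit. It never sees a key, but it sees every envelope."""

    def __init__(self) -> None:
        self.log: list[dict] = []  # what a dishonest server could retain: metadata only
        self.mailbox: dict[str, list[bytes]] = {}

    def deliver(self, sender: str, recipient: str, blob: bytes, now: int) -> None:
        # The sender is visible in this naive model. Signal's "sealed sender" hides that
        # one field, but recipient, timing, size and the client's IP address remain visible.
        self.log.append({"sender": sender, "recipient": recipient, "time": now, "size": len(blob)})
        self.mailbox.setdefault(recipient, []).append(blob)

    def fetch(self, recipient: str) -> list[bytes]:
        return self.mailbox.pop(recipient, [])


def run_demo() -> tuple[list[dict], list[bytes]]:
    # Constructed sample data: a pre-shared secret and two messages from Alice to Bob.
    secret = b"constructed-shared-secret-known-only-to-alice-and-bob"
    messages = [b"dinner at 7?", b"card ends in 1111, don't text it"]
    server = RelayServer()
    for i, msg in enumerate(messages):
        server.deliver("alice", "bob", encrypt(secret, msg), now=1_614_556_800 + 30 * i)
    recovered = [decrypt(secret, blob) for blob in server.fetch("bob")]
    return server.log, recovered


def tampering_detected(secret: bytes, plaintext: bytes) -> bool:
    # A malicious relay flips one ciphertext bit; the recipient must reject the envelope.
    blob = encrypt(secret, plaintext)
    i = NONCE_LEN  # first ciphertext byte
    forged = blob[:i] + bytes([blob[i] ^ 0x01]) + blob[i + 1:]
    try:
        decrypt(secret, forged)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    log, recovered = run_demo()
    print("server log (metadata only):", log)
    print("recipient recovered:", recovered)
    print("tampering detected:", tampering_detected(b"constructed-secret", b"hi"))
```

Run it and compare the two printouts: the server's log is exactly the metadata discussed above (who talked to whom, when, and roughly how much), while the content only reappears on Bob's side. Note that message size leaks through the envelope length in this model; real messengers pad messages to blunt that, which this toy does not.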
From an ethical perspective, this situation is raising a lot of red flags. As I said before, I will not defend Signal. Even accounting for the explosion of new users that they are undoubtedly scrambling to keep up with, this long without a transparency update is unforgivable, and unless they have an incredible explanation forthcoming I'd be extremely hesitant to overlook or forgive it. When you commit to privacy, that means you commit to transparency. You are committing to letting people know why they should trust you, whether that means posting the source code, disclosing any financial ties to the products and services you recommend, or issuing periodic transparency reports. When a company suddenly fails to live up to that standard, which they set for themselves, by the way, that's a big deal. There has been total radio silence from Signal on this subject. They have not acknowledged their failure to update, and keeping your users and supporters in the dark like this is not a good look.
So what's the bottom line? I still think Signal is TECHNICALLY safe to use. I think it's possible, if not likely, that there is an increased risk, mainly from potential metadata exposure. However, given the incredible user-friendliness and widespread adoption, alongside the continued assurance of the quality of the encryption and the ability to evaluate the still-open-source apps, I think Signal is still safe for day-to-day use by non-targeted individuals, and I would still much rather my loved ones message me on Signal than use iMessage or SMS. However, I do think that the ethics of this situation are very worrisome, and if you don't already have a backup messenger, now is a good time to start looking. Signal is rich in features and stability, and that's going to be hard to replicate for many users, but this story illustrates exactly why we always need to keep an eye on the privacy community. We should always know what other options exist and be ready to adopt them if things go bad. You probably don't have to ditch Signal, but I also don't blame anyone who decides to part ways in light of all this. If you find yourself reading this and thinking "I want to ditch Signal, but for what?" this is your sign to start doing your research. DT offers several excellent messenger reviews, and my own site has some thoughts as well. Whatever you settle on, whether that's sticking with Signal or moving on, be sure to stay informed. Avoid brand loyalty. Never let yourself be a victim of ignorance.