

Important Changes to Signal Registration and Registration Lock

EDIT: This change has been temporarily rolled back after discussions that took place in the Signal community. It will likely be the way things work in the future, but it seems that the old behavior is now back in place for the time being.

Signal has changed how it handles registration. This primarily affects people who are using a number for Signal that they don't have exclusive access to.

How It Used to Work

As outlined in our Signal Configuration & Hardening Guide, if you registered, set up Registration Lock, and checked into the app at least once every 7 days, nobody could use the number you'd claimed and try to re-register it for themselves without knowing your Registration Lock PIN.

How It Works Now

As outlined in this issue on the Signal-Android GitHub repository, if someone tries to register with that number and is able to get the SMS code, they can kick you out of your Signal account. At that point, you have to re-register by receiving an SMS for that number and entering your Signal PIN. If you are unable to do this, the Registration Lock is not enforced after 7 days. Someone who tries to register after that will be prompted to enter the Signal PIN once more. If the correct PIN is not entered, the app prompts them to create a new PIN, the account is wiped, and the number can be claimed by anyone who can receive an SMS code for it.

You can find the relevant changes in the code here.

If Alice registers number X and enables reglock, but Bob later proves ownership of number X (by registering and completing the SMS code), then Alice will be unregistered. However, if a reglock is present, Bob still won't be able to register immediately if he does not know the reglock code. This allows reglock to still function as a way to prevent someone else from taking over your account.

However, by unregistering Alice, this starts a 7-day timer. After 7 days, if Alice doesn't re-register, then the reglock is removed and Bob will be free to register the number without needing to know the reglock. But if Alice still truly does own the number, she can simply re-prove ownership and things should go back to normal for her.

This is important because phone numbers can be (and are) re-used among cell carriers. If someone gets a new phone number from their carrier, they should not be prevented from registering with Signal indefinitely because the previous owner has reglock.

The intention of reglock is to prevent hijacking of numbers you actually own, not to guarantee the number for yourself for life.

While this change makes sense from the perspective of making it so you cannot "hold a number hostage" as long as you keep checking in, it is particularly important for people who've used disposable phone numbers to know this.
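
The flow described above, written out as a small state model. This is an added example, not Signal's server code or code from the linked issue: the `ToyRegistrar` class, its return strings, the sample number and the PINs are constructed. It assumes that repeated registration attempts do not restart the 7-day timer, and the `pin` argument stands for both the PIN typed at the prompt and the new PIN set on a fresh or wiped account.

```python
from dataclasses import dataclass
from typing import Optional

DAY = 24 * 60 * 60
GRACE = 7 * DAY  # the 7-day timer described in the post


@dataclass
class Account:
    owner: str
    pin: str                               # registration lock PIN
    unregistered_at: Optional[int] = None  # set once someone else passes SMS


class ToyRegistrar:
    """Toy model of the flow described in this post; not Signal's server code."""

    def __init__(self):
        self.accounts = {}

    def register(self, number, who, now, sms_verified, pin):
        if not sms_verified:
            return "rejected: no SMS proof"
        acct = self.accounts.get(number)
        if acct is None:
            self.accounts[number] = Account(who, pin)
            return "registered"
        # SMS proof alone logs the current holder out and starts the timer.
        # Assumption: repeated attempts do not restart it.
        if acct.unregistered_at is None:
            acct.unregistered_at = now
        if pin == acct.pin:  # holder (or anyone with the PIN) gets back in
            acct.owner, acct.unregistered_at = who, None
            return "registered"
        if now - acct.unregistered_at >= GRACE:
            self.accounts[number] = Account(who, pin)  # old account is wiped
            return "registered: old account wiped"
        return "blocked by reglock"


def scenario():
    s, n = ToyRegistrar(), "+15550100"  # constructed number
    return [
        s.register(n, "alice", 0 * DAY, True, "1111"),
        s.register(n, "bob", 1 * DAY, True, "0000"),    # Alice logged out, Bob blocked
        s.register(n, "alice", 2 * DAY, True, "1111"),  # Alice re-proves ownership
        s.register(n, "bob", 3 * DAY, True, "0000"),    # timer starts again
        s.register(n, "bob", 10 * DAY, True, "0000"),   # 7 days later: Bob takes the number
    ]
```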

We recommend migrating to a phone number that you own and will be able to own for the foreseeable future in order to avoid getting locked out of your account and losing your contacts.

Special thanks to the Molly community who made us aware of this change soon after it went live.

New Privacy and Security Features in macOS 13 Ventura

macOS Ventura was released this week, and the Apple users among us may be interested in the improvements it brings to your personal privacy and security. We always recommend running the most up-to-date version of your operating system available. Updates add privacy and security improvements all the time—and macOS Ventura is no exception.

iOS 16 Privacy Configuration Guide

There are a number of privacy and security-related settings you should consider changing in the Settings app on iOS.

A Warning About Signal Proxies in Iran and Other Oppressive Countries

People looking to use Signal Proxies to bypass censorship programs should be aware of a number of issues with Signal’s current proxy implementation. Currently, Signal does not tunnel all application traffic through the specified proxy, which means authorities could still track people using Signal.

2022 Signal Configuration and Hardening Guide

Signal is a widely regarded instant messaging service that is not only easy to use but is also private and secure. Signal's strong E2EE implementation and metadata protections provide a level of assurance that only you and your intended recipients are able to read communications.

Hide Nothing

In the wake of the September 11, 2001, attack on the United States, the US government enacted laws that weakened citizen privacy in the name of national emergency. This sent up many red flags for human rights and privacy advocates.

Erasing Data Securely from Your SSD or HDD

Erasing data from your computer may seem like a simple task, but if you want to make sure the data is truly unrecoverable, there are some things you should consider.

Sandboxing Applications on Desktop Linux

Some sandboxing solutions for desktop Linux distributions do exist; however, they are not as strict as those found in macOS or ChromeOS. Applications installed from the package manager (dnf, apt, etc.) typically have no sandboxing or confinement whatsoever. Below are a few projects that aim to solve this problem:

Hardening Your Desktop Linux System's Security

There are a number of procedures you can follow to make your Linux desktop system more secure, some more advanced than others. We cover some general techniques here.

Should You Use GrapheneOS or CalyxOS?

GrapheneOS and CalyxOS are often compared as similar options for people looking for an alternative Android OS for their Pixel devices. Below are some of the reasons why we recommend GrapheneOS over CalyxOS.

Removing Metadata from Your Photos, Videos, and Other Files

When sharing files, it's important to remove associated metadata. Image files commonly include Exif data, and sometimes photos even include GPS coordinates within their metadata.

Move Fast and Break Things

Mark Zuckerberg does not look comfortable on stage. Yet, there he was proclaiming that “the future is private”. If someone has to tell you that they care about your privacy, they probably don’t.