Video by Lauren Feeney

Whether your private conversations are personal, professional, or political, what you say or type into your phone may be of interest to snooping governments, both foreign and domestic. Criminals might be interested as well, especially when you send someone a password or credit card number. There are others you might worry about too: You might want to apply for a job without your current employer finding out. You might discuss something with a lawyer. You might talk to your friends about attending a protest, getting an abortion, or buying a gun. You might send private selfies to your partner that you don’t want anyone else to see. You might be dating someone new and not want your coworkers to find out. The list goes on.

Fortunately, privacy is a fundamental human right.

Unfortunately, most ways that people communicate with their phones — voice calls, SMS messages, email, Facebook, Skype, Hangouts, etc. — are not as private as you might think. Your phone company, internet provider, and the corporations that make the apps you use to communicate can spy on what you say. Your chats can be accessed by police, the FBI, and spy agencies like the NSA. They can also be seen by anyone who can pick up your phone and sift through it. Some of them can even be read by anyone in a position to simply glance at your phone’s lock screen and read the notifications displayed there.

But it’s possible to make sure that your private conversations are actually private. It starts with installing an app known as Signal, and getting your friends to install it too. Then you’ll want to tweak the settings to lock everything down.

The Signal app is easy to use, works on both Apple’s mobile operating system iOS and Google’s Android, and encrypts communications so that only you and the people you’re talking to can decipher them. It also has open source code, so experts can verify its security claims. You can download Signal from the Android Play Store and the iPhone App Store.

Although Signal is well-designed, there are extra steps you must take if you want to maximize the security of your most sensitive conversations. (I outlined some of these steps last year, but Signal has changed significantly since then.) There are also some useful features in Signal that you might not know about.

I discuss these at length below — and in the video above, created with Lauren Feeney.


Get Your Friends to Use Signal

You can only send encrypted messages, and make encrypted calls, to other people who are on Signal. There’s not much point in having Signal if all of your most private texts are still going over unencrypted SMS, so get your friends to install the app, too.

If you’re an activist, get everyone at your next meeting to install the app. If you’re a journalist, tell your sources and editors. If you’re running for office, consider using Signal to communicate with your campaign staff.

Lock Down Your Phone

Signal uses strong end-to-end encryption, which, when properly verified, ensures that no one involved in facilitating your conversation can see what you’re saying — not the makers of Signal, not your cellphone or broadband provider, and not the NSA or another spy agency that collects internet traffic in bulk.

But Signal’s encryption can’t stop someone from picking up your phone and opening the app to read through your conversations. For that, you need to configure your phone to require a passcode, or some other form of authentication, to unlock. You should also make sure that the storage on your phone is encrypted and that you update your phone’s operating system and apps promptly, which makes it significantly harder for anyone to remotely hack into your phone.

If you’re using Android:

If you’re using an iPhone:

Hide Signal Messages on Your Lock Screen

Signal’s encryption won’t necessarily help you if other people can see incoming messages displayed on your lock screen. Displaying messages on the lock screen is Signal’s default behavior, but you should change this if your phone is frequently in physical proximity to people who shouldn’t see your Signal messages — roommates, coworkers, or airport screeners, for example.

Left: Signal notification on locked iPhone. Right: Signal notification on locked Android phone.

Here’s how to lock down your Signal notifications.

If you’re using Android:

If you’re using an iPhone:

Left: Hidden Signal notification on locked iPhone. Right: Hidden Signal notifications on locked Android phone.

Don’t Retain Your Messages Forever

After your encrypted Signal message is sent to someone, copies of the plaintext message exist in only two locations: on your phone and on the recipient’s phone. (Unlike other messaging apps, the Signal server never has access to your plaintext messages, and only stores your encrypted messages on the internet for a short amount of time.) This means that if you delete the message from your phone, and the recipient deletes it from their phone, the message will no longer exist. It’s a good idea to regularly delete old messages, especially if they’re part of a sensitive conversation. This way, if your phone ever gets searched, the conversations you don’t even remember having from a year ago — as well as the sensitive conversations from last week — won’t get compromised.

Signal lets you send messages that disappear from both your phone and the recipient’s phone after a specified amount of time (between 5 seconds and 1 week). This is useful when you and a friend both want to retain messages from your conversation for a short period of time. But keep in mind, nothing stops the recipient from recording the messages anyway before they disappear (like, by taking screenshots).

If you have contacts or Signal groups (more on that below) that you regularly send private text messages to, I recommend setting disappearing messages to 1 week. It’s also easy to temporarily enable disappearing messages and then disable it when you’re done, for example when you need to send someone a password.

If you’re using Android:

If you’re using an iPhone:

Messages are set to disappear after 5 minutes.

You can also manually delete individual messages, or whole conversations, from your own phone. Of course, this won’t delete them from the recipient’s phone — only disappearing messages will do that.

If you’re using Android:

If you’re using an iPhone:

Send and Receive Private Photos and Videos

Signal makes it simple to send people encrypted photos and videos (including animated GIFs!). While you’re in a conversation with someone, just tap the paperclip icon to browse your photo library, or access your camera directly.

But Signal also includes a subtle security feature: If you take photos or video with your camera from within the Signal app itself, these won’t automatically save to your phone’s library. Likewise, when you receive a Signal message containing a photo or video, this also won’t automatically save to your phone’s library. If you’d like to save a photo to your library, you can long-press the photo and choose to save it.

Why does this matter? Many people automatically sync all of the photos and videos on their phones to iCloud, Google, or other cloud services. And people often allow other apps on their phone, such as Facebook or Instagram, to access their photo library as well. While convenient, this means that, after you’ve uploaded your photos to a cloud service provider, that provider can access them as well. And by extension, so can anyone who can convince the provider to hand over your data, like a law enforcement agency, or who hacks your account, as in 2014, when nude photos of female celebrities were published online after their iCloud accounts were compromised.

So, if you’re taking a photo of a top secret document to send to a journalist, or if you’re taking a sexy selfie to send to your bae, make sure to take these photos directly from within the Signal app — this way, they’ll have the same level of encryption and privacy as the rest of your Signal messages.

Have Secure Group Discussions

One of the most useful features of Signal, in my experience, is the ability to create encrypted group chats. Anyone can create a Signal group and add as many people as they’d like, and everyone in the group can send encrypted messages to everyone else. As with one-on-one Signal conversations, group chats support disappearing messages as well as photos and videos. Here are a few cases where Signal groups can prove useful:

Here’s how to use Signal groups.

If you’re using Android:

If you’re using an iPhone:

While Signal groups are useful, they’re not without problems. Hopefully these will improve in the future, but as of this writing:

Make Secure Voice and Video Calls

In addition to enabling secure text messaging, Signal can also be used to make encrypted voice and video calls. While you’re in a text conversation with someone, just tap the phone icon to call them. When they answer, you can just start talking to them like on a normal call, but with the assurance that the Signal call is end-to-end encrypted. If you’d like to start a video call, tap the video camera icon on your phone during a voice call to turn on your camera. That’s it.

When you make a voice or video call, it’s possible for the person you’re calling to see what your IP address is, which could be used to learn your location. This probably doesn’t matter most of the time, but occasionally it might — for example, maybe you’d like to have a secure call with someone, but without letting them have any way of knowing what country you’re currently in. Signal has a feature that allows you to relay your calls through their server so that the person on the other end of the call can only see the Signal server’s IP address, and not yours. If you enable it, it will slow down your connection slightly, which might reduce the call quality. Here’s how to enable it:

If you’re using Android:

If you’re on an iPhone:

Send Messages to Numbers Without Adding Them to Your Contacts

Most people sync their phone contacts to iCloud, Google, their employer, or other cloud services. This can be very convenient: If you lose your phone and buy a new one, you don’t lose all of your contacts. But this means that your contact list is accessible to the service providers you sync to — and by extension, it’s also accessible to law enforcement that can send data requests to those service providers.

You might have some contacts that you need to talk to securely, but don’t want those phone numbers ending up in your contact list. For example, if you want to leak something to a journalist without becoming a suspect in a leak investigation, you’ll need to avoid having the journalist’s phone numbers in your contacts that get synced to the cloud.

Signal allows you to start conversations with people that aren’t in your contact list. To do this, open the Signal app, tap the pen icon to start a new conversation, and type a phone number in the search field. If that phone number has a Signal account, you can then send an encrypted message — without adding the phone number as a contact in your phone.

Verify That the Encryption Isn’t Under Attack Using Safety Numbers

Sorry if this section is confusing for you — the inner workings of encryption are always somewhat confusing. The important part is that you learn how to verify safety numbers below.

I said earlier that Signal ensures your communications stay private when it is properly verified. Using Signal properly involves verifying that your communications are not subject to a “man-in-the-middle attack.”

A man-in-the-middle attack is where two parties — Alice and Bob, for example — think they’re speaking directly to each other, but instead, Alice is speaking to an attacker, Bob is speaking to the same attacker, and the attacker is connecting the two, spying on everything along the way. In order to fully safeguard your communications, you have to take extra steps to verify that you’re encrypting directly to your friends and not to impostors.

You and each of your Signal contacts share a unique “safety number.” For example, Alice has one safety number with Bob, but she has a different safety number with Charlie. When Alice compares the safety number she sees on her phone with the number Bob sees on his, if the numbers are the same, that means the encryption is secure. But if the numbers are different, something is wrong: Maybe Alice is seeing a safety number between her and an attacker, or Bob is seeing a safety number between him and an attacker, and this is why they don’t match.

Because it’s unlikely that anyone is trying to attack your encryption the very first time you send a contact a message, Signal automatically trusts the first safety number that it sees for each contact. (If you discuss anything sensitive, you might want to confirm anyway.)

To verify that your encryption is secure, first navigate to the verification screen:

Left: Safety number verification screen on an iPhone. Right: Safety number verification screen on Android.

There are different ways to verify with a friend that your safety numbers match. It’s easiest to do when you’re in the same room, but it’s also possible to verify remotely.

Verifying a Contact In Person

If you’re able to meet up in person, one of you simply needs to scan the other’s QR code. Android users tap the QR code circle to scan, and iPhone users tap the “Scan Code” camera icon at the bottom to scan. Point your camera at your friend’s QR code to scan it, and if it’s successful, that means your encryption is secure.

Verifying a Contact Remotely

If you can’t meet up in person, you can still verify that your safety numbers match remotely — however, it’s kind of annoying.

You need to share the safety numbers you see with your contact using some out-of-band communication channel — that is, don’t share it in a Signal message. Instead, share it in a Facebook message, Twitter direct message, email, or phone call. You could also choose to share it using some other encrypted messaging app, such as WhatsApp or iMessage. (If you’re feeling paranoid, a phone call is a good option; it would be challenging for an attacker to pretend to be your contact if you recognize their voice.)

Once your contact gets your safety number, they need to navigate to the verification screen and compare, digit by digit, what you sent them with what they see. If they match, your conversation is secure.

For both Android and iPhone, you can tap the share icon in the top-right corner of the verification screen to share your safety numbers using other apps, or to copy them to your phone’s clipboard.

Verifying a Contact Who Gets a New Phone

From time to time, you might see a warning in a Signal conversation that says “Safety number changed. Tap to verify.” This can only mean one of two things:

  1. Your Signal contact switched to a new installation of Signal, most likely because they bought a new phone, or,
  2. An attacker is trying to insert themselves into your Signal conversations.

The latter is less likely, but the only way to rule it out completely is to again go through one of the verification processes for text contacts described above.
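The safety-number comparison, the trust-the-first-number behavior, and the “Safety number changed” warning described in this section can be modeled in a few lines. This is an added example, not Signal's own code or its exact derivation: the hashing scheme, the `TrustStore` class, the keys and the phone numbers are all simplified, constructed assumptions.

```python
import hashlib

def fingerprint(identity_key: bytes, identifier: str, rounds: int = 1000) -> str:
    """30-digit fingerprint of one party's public identity key (simplified model)."""
    digest = identity_key + identifier.encode()
    for _ in range(rounds):  # repeated hashing makes brute-forcing a look-alike key costlier
        digest = hashlib.sha512(digest + identity_key).digest()
    chunks = (int.from_bytes(digest[i:i + 5], "big") % 100000 for i in range(0, 30, 5))
    return "".join(f"{c:05d}" for c in chunks)

def safety_number(my_key: bytes, my_id: str, their_key: bytes, their_id: str) -> str:
    """Sort the two fingerprints so both phones display the same 60 digits."""
    return "".join(sorted([fingerprint(my_key, my_id), fingerprint(their_key, their_id)]))

class TrustStore:
    """Trust on first use: pin the first key seen for a contact, flag any change."""
    def __init__(self):
        self.pinned = {}

    def check(self, contact: str, key: bytes) -> str:
        if contact not in self.pinned:
            self.pinned[contact] = key
            return "trusted on first use"
        return "unchanged" if self.pinned[contact] == key else "safety number changed"

# Constructed stand-ins for public identity keys and phone numbers (not real values).
ALICE, BOB = "+15555550101", "+15555550102"
ALICE_KEY, BOB_KEY, ATTACKER_KEY = (
    hashlib.sha256(s).digest() for s in (b"alice", b"bob", b"attacker"))

def compare_views(key_alice_sees_for_bob: bytes, key_bob_sees_for_alice: bytes) -> bool:
    """True when the number on Alice's phone equals the number on Bob's phone."""
    alice_view = safety_number(ALICE_KEY, ALICE, key_alice_sees_for_bob, BOB)
    bob_view = safety_number(BOB_KEY, BOB, key_bob_sees_for_alice, ALICE)
    return alice_view == bob_view

if __name__ == "__main__":
    print("direct connection, numbers match:", compare_views(BOB_KEY, ALICE_KEY))
    print("key substituted in transit, numbers match:",
          compare_views(ATTACKER_KEY, ATTACKER_KEY))
    store = TrustStore()
    for key in (BOB_KEY, BOB_KEY, ATTACKER_KEY):
        print("Bob's key ->", store.check(BOB, key))
```

The store reports only that the pinned key changed; it cannot tell a new phone from an impostor, which is why the comparison has to be repeated out of band.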

Using Signal on Your Computer

While you need to install Signal on your phone to begin with, there’s also a desktop app you can install on your computer. It doesn’t have all of the features that the mobile app has — you can’t make calls or modify groups yet. But it can make using Signal much more convenient, especially if you’re like me and are in front of your computer all day long, and rely on Signal for work.

The desktop version of Signal is a Chrome app. So first, you need the Chrome web browser on your computer. Then you can install Signal from the Chrome web store. When you first set up Signal on your desktop, follow the instructions to connect it to the Signal on your phone.

Keep in mind that, by setting up Signal on your computer, you’re opening up new avenues for attackers to read your private Signal conversations. Think of it like this: When you just use Signal on your phone, if someone wants to read your private conversations, they have to hack your phone. But if you use it on both your phone and your computer, they have to hack either your phone or your computer, whichever is easier — and, because of the differences in how desktop and mobile operating systems are designed, chances are it’s easier to hack into your computer.

Your Signal data is also stored more securely on your phone. On Android and iOS, your Signal messages — and your encryption key — are stored within the app, and no other apps have access to it. But on Windows, macOS, and Linux, this same data is stored in a folder on your hard drive, and nearly all of your apps have access to it. So, in some situations, it might be prudent to choose not to use Signal on your computer at all.