CaseyJun 16
Micah Lee
I wrote about how to turn in-person meetings into Signal groups, how to manage large semi-public Signal groups while vetting new members, and how to use announcement-only Signal groups, perfect for rapidly responding to ICE raids https://micahflee.com/using-signal-groups-for-activism/
Using Signal groups for activism

Things are heating up. Millions of people are taking to the streets against Trump's rising authoritarianism. Communities around the US are organizing to defend against ICE raids, to protest Israeli genocide, for mutual aid, and for other forms of fighting fascism. Signal can help people safely organize in all of

micahflee
Jun 16 at 6:26pmWeb
Show threadWilliam DentonJun 16
@micahflee To sue or to use!?
Show threadTungsten_carbide 🍉Jun 16
@micahflee Great guide, thank you so much!
Show threadCody Casterline 🏳️‍🌈Jun 16

@micahflee Good article -- I learned some things.

But, right after talking about being in a group with 500 members, you say:

> […] a Signal group [is] all private, and it can't be shared with law enforcement.

A conversation with 500 people isn't private. Any one of their (possibly multiple) devices might be hacked, or confiscated by law enforcement. Some of the members may BE law enforcement.

It's important not to oversell the security of the protocol w/ such a big attack surface area.

Show threadAndy MouseJun 16

@NfNitLoop This. Not to mention each of those 500 members are identified with their phone numbers, and there is no real indication (except "we promise") that Signal isn't passing along group memberships to law enforcement to begin with.

Just use email or whatever texting app you already have. Or use an actually secure alternative, i.e. one where you do not have to provide your phone number to use the service and there is not a single US-based company hosting all the communications.

@micahflee

Show threadnoplasticshowerJun 17
@NfNitLoop @micahflee this seems to have happened with the DoD. LoL.
Show threadulveon.netJun 16
@micahflee Signal has great encryption but is not at all a safe application for all threat models. Threema is much better due to, among other things, not requiring a phone number to use.

https://ulveon.net/p/2025-05-25-effective-security-beyond-encryption/
Effective security beyond encryption

To highly technical audiences, it is unsurprising that Telegram is not cryptographically secure and that Signal is much better. Numerous security experts have pointed out that Telegram’s reputation as a secure messenger is primarily a result of its marketing rather than its technical architecture. Unfortunately, for less technical audiences, Telegram appears to be encrypted. Ars Technica, for example, published an article branding Telegram as an “encrypted messaging app” [archived version].

Ulveon's Thoughts
Show threadAral BalkanJun 17
@ulveon @micahflee Signal no longer requires a phone number to use. It implemented handles a little while ago.
Show threadulveon.netJun 17
@aral @micahflee Your phone number is still your primary identifier, and people can discover your contact via your phone number. Besides, I've been told it is possible to leak the phone number even when you use usernames.

How about not requiring phone number at all? Use Threema.
Show threadLaberpferdJun 22
@aral it still needs a phone number to sign up, so FULL STOP here
Show threadChris WoodJun 16
@micahflee fantastic read. The examples you gave were so easy to understand. You did an amazing job of showing how effective Signal is for organising groups, it’s brilliant to see it all in action.
Show threadTrolli Schmittlauch 🦥Jun 16
@micahflee Thanks for sharing your experiences.
There is one thing I’d like to get your opinion on: While it is an important step that phone numbers are not shared as a public identifier anymore, users still need to enter a name used for _all_ chats.
Those using Signal for personal chats with friends and acquaintances will probably enter their real name. But when planning semi-public events with a semi-trusted group, folks might better not reveal their full identities.
What now?
Show threadRuth [☕️ 👩🏻‍💻📚✍🏻🧵🪡🍵]Jun 16
@micahflee oh wow, the announcement only thing with reacts could be useful for one I’m part of. People are generally great about only replying if doing the thing but every month or so we have a squirrelly day
Show threadKevin Karhan Jun 17
@micahflee good Idea, tho I'd use #XMPP+#OMEMO or #PGP/MIME for the former and #IRC for the latter ...
Show threadcrispycat Jun 17
@micahflee it's even approved by the white house!
Show threadTrammell HudsonJun 17
@micahflee is there a way for announcement-only groups to hide the member list? this would prevent one compromised device from revealing the entire social graph (and would also avoid spamming the recipients with group membership updates).
it seems that only admins should need to know all the identities and public keys.
Show threadKurt KremitzkiJun 17
@micahflee you rock. Thank you o7
Show threadorbmanJul 20
"Signal's servers have no way of knowing who is in the group, or even that the group exists, much less what people are saying. When someone sends a message to the group, from the perspective of the server, it's just 500 encrypted text messages moving through its service." @signalapp