Notices by Martin (mshelton@mastodon.social), page 2

Ever since the welcome rollout of @signalapp usernames and phone number privacy options, we've gotten some questions about Signal's many new types of identifiers. Here are the differences between each one. https://freedom.press/training/blog/signal-identifiers/

Always
Be
Clicking
'Download update'
https://www.securityweek.com/apple-confirms-zero-day-attacks-hitting-intel-based-macs/

Want to try Proton Mail? Note:
-Proton Mail is encrypted between Proton / PGP users. Otherwise it's normal email. E.g., when you email Gmail, it's not private
-Subject lines are not encrypted
-Not anonymous https://techcrunch.com/2021/09/06/protonmail-logged-ip-address-of-french-activist-after-order-by-swiss-authorities/
-Unfortunately it's still email
https://freedom.press/digisec/blog/protonmail-pro/

We often talk to journalists about likely attacks from trolls. One of the most common ways trolls get your personal data (e.g., email, phone number) is through data brokers. If you haven't already, it's a very good time to invest in a data broker opt-out service (e.g., DeleteMe, Optery).

The best time to set up secure communication channels was a long time ago. The next best time is now. Here's a short list of guides to check out to get started: https://freedom.press/digisec/guides/secure-communication/

Something concrete we can do right now to protect journalists and their sources in 2025: Tell your reps to pass the PRESS Act.

Nationwide, the PRESS Act expands protections for journalists from government requests on forcibly giving up confidential sources. We can pass this! Contact your reps here: https://go.peoplepower.org/letter/congress-press-act#

This sounds simple, but the implications of Signal usernames can't be understated. No one knows who you are unless you tell them, or they have your number already. This underscores the importance of building networks of trust. You still need established channels for people to prove who they are.

You can always change the username later. It's important to know that the username is just for beginning a conversation, and not the same as the display name someone sees in the chat. More on all the Signal identifiers here: https://freedom.press/digisec/blog/signal-identifiers/

Okay, so you're using @signalapp for encrypted messaging. Cool. It's a good time to use usernames instead of a phone number to talk to people. That and lots more about how to make the most of Signal's security features in here: https://freedom.press/digisec/blog/locking-down-signal/

Signal's new "call links" feature has important implications:
- This makes it easier to start a call with other users (including strangers)
- You don't have to give away your identity to anyone in conversation
- Again, this all underscores the need for trusted networks, and vetting who is included

Signal now supports an option to send links to calls. This could be a very big deal, because you don't even need to join a group chat to join a call any more. https://signal.org/blog/call-links/

End-to-end encryption only helps if you are talking to people who you trust. The "ends" — the devices used by people in conversation — really need to be trustworthy. Keep those devices up to date, and take seriously the relationships you're going to include in these conversations.

I don't really have any words that can meet this moment. One small thing I can offer is digital security assistance to people at risk. Most of my experience is supporting journalists and media activists with security. If this in any way overlaps with your needs, reach out: https://mshelt.onl/contact.html

This interview with @mmasnick and Don McGowan, a former NCMEC board member, is eye opening. McGowan talks about the board's political alignment and connects this to its selective attention when it comes to its safety efforts. It's a pretty damning interview. https://www.techdirt.com/2024/08/08/the-many-reasons-why-ncmecs-board-is-failing-its-mission-from-a-ncmec-insider/

The AT&T breach underscores the importance of being mindful of call and text metadata — something Signal handles much better than traditional phone calls and texts. Unlike your telecom provider, Signal doesn't retain logs of your calls and texts on their servers. Your activities are stored on your device and with anyone you speak to. https://freedom.press/training/signal-beginners/

If you're a journalist who used AT&T between May 1-October 31, 2022, you're going to want to revisit your call and text history from that time and see which of your sources you were communicating with. These records have been improperly secured by AT&T. https://www.usatoday.com/story/tech/2024/07/12/att-data-breach-who-affected-what-to-do/74379292007/

I like how Elon's own community notes fact check him on @signalapp.

No one's going to respond more effectively than @Mer__edith, so if you want to learn more, just read Meredith's post: https://twitter.com/mer__edith/status/1787958712595784166

The founder behind @mozilla's data broker removal service… Apparently runs data broker sites?

"The data privacy company Onerep.com bills itself as a Virginia-based service for helping people remove their personal information from almost 200 people-search websites. However, an investigation into the history of onerep.com finds this company is operating out of Belarus and Cyprus, and that its founder has launched dozens of people-search services over the years." https://krebsonsecurity.com/2024/03/ceo-of-data-privacy-company-onerep-com-founded-dozens-of-people-search-firms/

In response to username changes, we've also made some small updates to our guide on setting up a secondary Signal account.
- We try to help people decide if this guide addresses their specific need for a secondary account, or if usernames are sufficient for their needs.
- We no longer recommend an iPod Touch because it has been discontinued, and we encourage people to use devices that have long-term security updates. https://freedom.press/training/secondary-signal-account/