Signal's new 'Sealed Sender' feature makes conversations anonymous

It's like taking the sender's address off a piece of physical mail.

Messaging service Signal is popular with privacy-minded users. It doesn't store any record of your contacts, social graph, conversation list, location, avatar, profile name or group details. Until recently, though, one important piece of data was still visible: who is messaging whom -- kind of like having the sender's address on a physical piece of mail. The latest beta release, however, includes a feature that blocks that, too: "sealed sender."

In a blog post, Signal's Joshua Lund explains that, "While the service always needs to know where a message should be delivered, ideally it shouldn't need to know who the sender is. It would be better if the service could handle packages where only the destination is written on the outside, with a blank space where the 'from' address used to be."

Traditionally, sending a signal message involves an authentication process that validates the sender's identity to help prevent spoofing and to provide the recipient with some assurance about who sent the message. It also uses the sender's identity to apply rate limiting and abuse protection. To do away with the "from" address, then, Signal has had to come up with some workarounds, which it's testing with the beta release of sealed sender.

For a start, Signal will only allow sealed sender messages to be sent between accounts that have already established trust, such as being in one another contact's list. You'll also be able to receive sealed sender messages from anyone, if you choose -- like open DMs on Twitter. Signal has also made cryptographic changes that will still recognise a blocked contact, so they won't be able to message you even if they use the sealed sender function. And, as Lund notes, if Signal is compromised, any attackers within the system will only see encrypted messages going to their destinations, and not where they came from.

As the service is rolled out, messages will automatically be delivered using sealed sender whenever possible, and users can enable an optional status icon that will be displayed in the detailed information view for a message to indicate when this happens. But as Lund says, these protocol changes are "an incremental step." You can try it out now in the Signal public beta, but as Lund notes, beta releases are "not for the faint of heart." If you need a stable and reliable messaging service, maybe hold off for the time being.