WHEN THE ENCRYPTED communications app Signal launched nearly seven years ago, it brought the promise of the strongest available encryption to a dead-simple interface for calling and texting. Now, Signal is incorporating what it describes as a way to bring that same ease of use and security to a third, fundamentally distinct feature: payments.
Signal today plans to announce that it’s rolling out the ability for some of its users to send money to one another within its fast-growing encrypted communications network. To do so, it has integrated support for the cryptocurrency MobileCoin, a form of digital cash designed to work efficiently on mobile devices while protecting users’ privacy and even their anonymity. For now, the payment feature will be available only to users in the UK, and only on iOS and Android, not the desktop. But the new feature nonetheless represents an experiment in bringing privacy-focused cryptocurrency to millions of users, one that Signal hopes to eventually expand around the world.
Moxie Marlinspike, the creator of Signal and CEO of the nonprofit that runs it, describes the new payments feature as an attempt to extend Signal’s privacy protections to payments with the same seamless experience that Signal has offered for encrypted conversations. “There’s a palpable difference in the feeling of what it’s like to communicate over Signal, knowing you’re not being watched or listened to, versus other communication platforms,” Marlinspike told WIRED in an interview. “I would like to get to a world where not only can you feel that when you talk to your therapist over Signal, but also when you pay your therapist for the session over Signal.”
Unlike payment features integrated into other messaging apps like WhatsApp or iMessage, which typically link a user’s bank account, Signal wants to provide a way to send money that no one other than the sender and recipient can observe or track. Financial institutions routinely sell their users’ private transaction data to marketing firms and advertisers or hand it over to law enforcement. Bitcoin wouldn’t do the trick, either. As with many cryptocurrencies, its protections against fraud and counterfeiting are based on a public, distributed accounting ledger—a blockchain—that can in many cases reveal who sent money to whom.
So Signal looked to privacy-preserving cryptocurrency, or “privacy coins,” that both circumvent banks and are specially designed to protect users’ identities and the details of their payments on a blockchain. While more established privacy-focused cryptocurrencies like Zcash and Monero have been more widely used and arguably better tested, Marlinspike says Signal chose to integrate MobileCoin because it has the most seamless user experience on mobile devices, requiring little storage space on the phone and needing only seconds for transactions to be confirmed. Zcash or Monero payments, by contrast, take minutes to complete transactions. “You’re using a cryptocurrency with state-of-the-art encryption, but from your perspective, it feels like Venmo,” says MobileCoin’s founder Josh Goldbard.
Signal’s choice of MobileCoin is no surprise for anyone watching the cryptocurrency’s development since it launched in late 2017. Marlinspike has served as a paid technical adviser for the project since its inception, and he’s worked with Goldbard to design MobileCoin’s mechanics with a possible future integration into apps like Signal in mind. (Marlinspike notes, however, that neither he nor Signal own any MobileCoins.)
MobileCoin only began trading as an actual currency with real value in December of last year—until then, it was running as a valueless “testnet”—and its 250 million coins, at around $69 each, are currently worth almost $17 billion dollars in total. For now it’s listed for sale on just one cryptocurrency exchange, FTX, which doesn’t allow trades by US users, though Goldbard says there’s no reason that US exchanges couldn’t also list the coin for trade. Signal chose to roll out its MobileCoin integration in the UK in part because the cryptocurrency can’t yet be bought by users in the US, Marlinspike says, but also because it represents a smaller, English-speaking user base to test out the new payments feature, which he hopes will make diagnosing issues easier.
“You’re using a cryptocurrency with state-of-the-art encryption, but from your perspective, it feels like Venmo.”
Payments present a tough dilemma for Signal: To keep pace with the features on other messaging apps, it needs to let users send money. But to do so without compromising its sterling privacy assurances poses a unique challenge. Despite Marlinspike’s and MobileCoin’s intentions, using any cryptocurrency today remains much more complex than Signal’s other features. Even if users can send MobileCoin back and forth, they’ll still likely need to cash them out into traditional currency to spend them, given that MobileCoin isn’t widely accepted for real-world goods and services. And aside from that need for exchanges and the lack of availability in the US, MobileCoin also remains even more volatile than older cryptocurrencies, with constant price swings that will significantly change the balances in a user’s Signal wallet over the course of days or even hours—hardly the sort of issue that Venmo users have to deal with. (Since March 27, MobileCoin’s value has shot up nearly 600 percent, possibly due to rumors of the impending Signal integration or possibly the result of a “short-squeeze.”)
To try to tame that volatility problem, Marlinspike and Goldbard say they imagine adding a feature in the future that will automatically exchange users’ payments in dollars or another more stable currency for MobileCoin only when they make a payment, and then exchange it back on the recipient’s side—though it’s not yet clear if those trades could be made without leaving a trail that might identify the user. “There’s a world where maybe when you receive money, it can optionally just automatically settle into a pegged thing,” Marlinspike says. “And then when you send money it converts back out.”
The mechanics of how MobileCoin works to ensure its transactions’ privacy and anonymity are—even for the world of cryptocurrency—practically a Rube Goldberg machine in their complexity. Like Monero, MobileCoin uses a protocol called CryptoNote and a technique it integrates known as Ring Confidential Transactions to mix up users’ transactions, which makes tracing them vastly far more difficult and also hides the amount of transactions. But like Monero and Zcash, it also uses a technique called zero-knowledge proofs—specifically a form of those mathematical proofs used in Monero known as Bulletproofs—that can guarantee a transaction has occurred without revealing its value. (Zcash, unlike Monero and MobileCoin, also uses zero-knowledge proofs to obscure the sender and receiver, not just the transaction amount.)
On top of all those techniques, MobileCoin takes advantage of the SGX feature of Intel processors, which is designed to allow a server to run code that even the server’s operator can’t alter. MobileCoin uses that feature to ensure that servers in its network are deleting all lingering information about the transactions they carry out after the fact and leave only a kind of cryptographic receipt that proves the transaction occurred. Goldbard compares the entire process of a MobileCoin transaction to depositing a check at a bank, but one in which the check’s amount is obscured and it’s mixed up in a bag with nine other checks before it’s handed to a robotic bank teller. After handing back a deposit slip that proves the check was received, the robot shreds all 10 checks. “As long as SGX is working as promised, you can prove every robot cashier is working the same way and shredding every check,” Goldbard says. And even if Intel’s SGX fails—security researchers have found numerous vulnerabilities in the feature over the last several years—Goldbard says that MobileCoin’s other privacy features still reduce any ability to identify users’ transactions to low-probability guesses.
If MobileCoin’s privacy promises hold true, Marlinspike says he hopes the cryptocurrency can help Signal reverse a troubling trend toward financial surveillance. If successful, Signal’s use of MobileCoin will also face the same hurdles and critiques that surround all privacy-preserving cryptocurrencies. Any technology that offers a way to anonymously spend money raises the specter of black market uses—from drug sales to money laundering to the evasion of international sanctions—along with the accompanying crush of financial regulations. And that means integrating MobileCoin could expose Signal to new regulatory risks that don’t apply to mere encrypted communications.
“I think it’s phenomenal from a civil liberties perspective,” says Marta Belcher, a privacy-focused cryptocurrency lawyer who serves at special counsel at the Electronic Frontier Foundation. But Belcher points to a coming wave of regulation to control exactly the sort of anonymous cryptocurrency transactions Signal hopes to enable, including a new “enforcement framework” the Justice Department published last fall and new regulations from FinCEN that could force more players in the cryptocurrency industry to collect identification details of users. “Anyone who’s dealing with cryptocurrency transactions, especially private cryptocurrency transactions, should be really concerned about all of these proposals and the government pushing financial surveillance to cryptocurrency,” Belcher says.
Matt Green, a cryptographer at Johns Hopkins University, puts it in starker terms. “I’m terrified for Signal,” says Green, who helped develop an early version of Zcash and now sits on the Zcash Foundation board as an unpaid member. “Signal as an encrypted messaging product is really valuable. Speaking solely as a person who is really into encrypted messaging, it terrifies me that they’re going to take this really clean story of an encrypted messenger and mix it up with the nightmare of laws and regulations and vulnerability that is cryptocurrency.”
But Marlinspike and Goldbard counter that Signal’s new features won’t give it any control of MobileCoin or turn it into a MobileCoin exchange, which might lead to more regulatory scrutiny. Instead, it will merely add support for spending and receiving it. “The regulatory landscape is complicated, but there are ways to do privacy-protecting payments safely,” says Goldbard. “To be frank, there’s a moral imperative to do so, because Signal has to offer payments in order to remain competitive with the world’s top messaging apps.”
As for the possibility of enabling dangerous criminals and money launderers, Marlinspike offers an answer that mirrors one he’s long given for encrypted communications. Just as criminals used encryption for decades before Signal, they’ve used anonymous cryptocurrencies for years before Signal added MobileCoin payments as a feature. For those criminals, the threat of law enforcement made using even clunky, tough-to-use tools necessary. By making those secure communications and payments easier, Marlinspike argues, Signal didn’t enable those criminals, but instead simply made their tools available to more casual, non-criminal users.
“With Signal, we didn’t invent cryptography. We’re just making it accessible to people who didn’t want to cut and paste a lot of gobbledegook every time they sent a message,” Marlinspike says. “I see a lot of parallels with this. We’re not inventing private payments…Privacy preserving cryptocurrencies have existed for years and will continue to exist. What we’re doing is just, again, a part of trying to make that accessible to ordinary people.”