
France Encrypted Messaging Crackdown: How to Lock Down Signal Now

France's intelligence delegation just renewed its push to break Signal and WhatsApp encryption. Here's what it means and how to harden your setup today.


The #1 mistake people make when a country threatens to break encrypted messaging? They download Signal, feel safe, and stop there. Default Signal is good. Default Signal hardened against a state-level adversary that wants your messages? Not the same thing.

This matters again because France’s intelligence delegation just dropped a report (as of mid-November 2025) endorsing exactly what cryptographers have been pushing back against for a decade. So let’s flip the usual framing: assume the worst-case political outcome and ask what you can actually configure today.

What just happened in France (the 90-second version)

France’s parliamentary intelligence delegation – an eight-member body of four deputies and four senators – has formally backed breaking the encryption protecting WhatsApp, Signal, and Telegram conversations, recommending targeted access for magistrates and intelligence agents. This is the third push in roughly a year.

The Résilience amendment was supposed to close this debate. It didn’t. On 20 March 2025, the French National Assembly voted down Article 8 of the Drug Trafficking Bill, which would have required encrypted messaging apps to hand over decrypted user data within 72 hours. Then on September 10, 2025, the Assembly passed MP Philippe Latombe’s amendment to the Résilience bill making it explicitly illegal to force providers to undermine end-to-end encryption. The intelligence delegation’s November 2025 report attacks that amendment directly, arguing it weakens legal frameworks for intelligence work. Translation: the political fight is permanent. Your security settings should treat it that way.

Why “I already use Signal” isn’t the end of the story

Signal’s default install protects the content of your messages. Your phone number? Still your identifier. That’s the layer governments target when they can’t break the cryptography itself – metadata is linkable to your real identity in ways ciphertext isn’t.

Two things to hold onto before the hands-on part. First: a backdoor that only the “good guys” can use is not technically possible. Any key escrow or ghost-participant mechanism that exists can be compromised – and once it is, every message on that system is exposed. This is basic cryptographic consensus, not a hot take. Second: Signal president Meredith Whittaker has stated Signal would exit the French market rather than comply with anti-encryption requirements (per reporting from March 2025). Useful in principle. But it means you may need a backup app you already know how to use – not one you’re installing in a panic the day Signal disappears from the App Store.

The 5-minute Signal hardening checklist

Do these now, in order. None require technical skill.

  1. Set a username. Go to Settings → Profile. A username must be unique and end with two or more digits – those numbers are intentional, making it harder to spoof short handles by registering near-identical ones.
  2. Hide your phone number. Settings → Privacy → Phone Number → Who can see my number → Nobody.
  3. Make yourself undiscoverable by number. Same menu: Who can find me by my number → Nobody. After this, someone needs your exact username to connect – which also means people in your life won’t know you’re on Signal unless you tell them. That’s the trade-off; accept it consciously.
  4. Enable Registration Lock with a strong PIN. Settings → Account → Registration Lock. Use an alphanumeric PIN stored in a password manager – not 4 digits. (Why this matters: see the next section.)
  5. Lock down notifications and screen previews. Settings → Privacy → Screen Security blocks screenshots and app-switcher previews. Settings → Notifications → Show → set to “No name or message” so lock-screen alerts don’t leak content.

One more thing before you move on. If you ever need to block someone, change your phone-number-visibility settings first, then block. Change the order and you create a permanent leak – more on why in the Honest Limitations section below.

The gotcha nobody mentions: the 7-day window

Registration Lock has a quiet expiration. Turns out the server stops enforcing it after 7 days of inactivity – per Privacy Guides’ Signal hardening guide. That means someone can reset the PIN at registration and take over your phone number on Signal if you haven’t opened the app in a week.

A SIM-swap attack on a dormant Signal install is more viable than most people assume. Practical fix: open Signal at least once a week. If you carry a secondary device with Signal installed, set a calendar reminder. The lock only works if you keep the server aware you’re still there.

Why does Signal do this? The 7-day window exists to prevent users from permanently locking themselves out of their own accounts if they forget their PIN – it’s a deliberate usability trade-off, not an oversight. Knowing the reason helps you decide whether the fix (weekly check-in) is acceptable for your threat model.
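
A small model of that window, added here as an illustration and not taken from Signal's server code: given the times the app was opened, it reports the spans in which Registration Lock would not have been enforced. The function names, the sample timestamps and the exact boundary handling are assumptions; the 7-day figure is the one cited above.

```python
from datetime import datetime, timedelta

# Enforcement period the article cites (via Privacy Guides): 7 days.
LOCK_WINDOW = timedelta(days=7)

# Constructed sample: times the app was opened, including a two-week gap.
OPENS = [datetime(2025, 11, 1), datetime(2025, 11, 5),
         datetime(2025, 11, 19), datetime(2025, 11, 24)]


def unprotected_windows(app_opens, until):
    """Return [(start, end)] spans with no lock enforcement before `until`."""
    opens = sorted(app_opens)
    windows = []
    for i, seen in enumerate(opens):
        expires = seen + LOCK_WINDOW
        # The span ends at the next app open, or at the end of the audit.
        next_seen = opens[i + 1] if i + 1 < len(opens) else until
        if next_seen > expires:
            windows.append((expires, next_seen))
    return windows


def lock_blocks_reregistration(app_opens, attempt):
    """True if a PIN-less re-registration at `attempt` would be refused."""
    earlier = [t for t in app_opens if t <= attempt]
    # Assumption: the lock lapses exactly LOCK_WINDOW after the last open.
    return bool(earlier) and attempt - max(earlier) < LOCK_WINDOW


def exposed_time(app_opens, until):
    """Total time spent unprotected during the audited period."""
    spans = unprotected_windows(app_opens, until)
    return sum((end - start for start, end in spans), timedelta())


if __name__ == "__main__":
    audit_end = datetime(2025, 12, 5)
    for start, end in unprotected_windows(OPENS, audit_end):
        print(f"unprotected: {start:%d %b} to {end:%d %b}")
    print("total exposure:", exposed_time(OPENS, audit_end))
```

With the sample data, the two-week gap and the quiet stretch at the end of the period both show up as unprotected spans, which is the case the weekly check-in is meant to close.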

If Signal isn’t enough: Molly on Android, or SimpleX from scratch

For Android users with a higher threat model, Molly is the practical next step. Signal once let users set a passphrase to secure the local message database – that option was removed when Android introduced file-based encryption. Molly brings it back. It also encrypts the local database at rest, shreds unused RAM data, and routes your connection via Tor. Molly is updated every two weeks to match Signal upstream, with security patches shipping as soon as they’re available.

Two flavors:

| Version | Includes | Trade-off |
| --- | --- | --- |
| Molly | Proprietary Google code (FCM, Maps) – same as upstream Signal | Battery-efficient push notifications |
| Molly-FOSS | No Google code, fully open source, UnifiedPush notifications | You need a MollySocket server (public ones exist) |

The honest catch: you’re now trusting both the Signal team and the Molly team to deliver safe, timely updates. That’s a real dependency to weigh.

Want to break the link to your phone number entirely? SimpleX Chat requires no phone number, email, or any user identifier whatsoever – connections happen via one-time invitation links or QR codes. It runs on Android, iOS, Windows, macOS, and Linux, and its cryptographic protocols were independently audited by Trail of Bits in July 2024. It’s not a drop-in Signal replacement – battery drain is higher while the team works on push notifications that don’t compromise security, and the network effect simply isn’t there yet. But as a parallel-track install you keep warm for the people who’d care? It’s the most credible choice available. Think of it as a fire exit, not a primary residence.

Honest limitations

None of this protects you from a compromised device. If someone has root on your phone, messages are readable before encryption and after decryption. The French intelligence delegation has noted an alternative path – device-level interception – which would bypass encrypted messaging entirely. They called it inadequate for their needs anyway. So: they want both device access and a messaging backdoor. That context matters for understanding what these legislative pushes are actually trying to build toward.

Hiding your number from Signal’s directory also doesn’t hide it from contacts who already saved it. Per Signal’s support documentation: if you set “Who can see my phone number” to Nobody, people who already have your number in their contacts will still see it in Signal. And the blocking-order issue from the checklist above – if you block someone after they could see your number, the number stays visible to them permanently because blocked users no longer receive profile updates. Change your privacy settings first, then block. This is specific to Signal’s architecture, not a general privacy app behavior.

FAQ

If the French law eventually passes, will my existing Signal chats be readable?

No. The math doesn’t retroactively weaken. Old ciphertext stays old ciphertext – any future backdoor mandate only affects new messages on a compliant client.

Should I switch from Signal to SimpleX right now?

Probably not as a wholesale switch – try to move the people you actually message daily and you’ll run into the network-effect problem fast. The realistic move is to install SimpleX, send invite links to the two or three contacts who’d care, and keep it warm. If a future French law forces Signal to pull out of the country – which Meredith Whittaker has explicitly said she’d do rather than comply – you’ll already have a working channel with the people who matter, instead of scrambling on day one. Treat it like a fire exit: you want to know where it is before the alarm goes off.

Does WhatsApp’s encryption count?

The Signal Protocol underneath WhatsApp is the same cryptography, and that part is solid. But WhatsApp is a closed-source client running on Meta’s metadata pipeline, with cloud backups that can re-introduce plaintext. For a state demanding access, WhatsApp gives investigators far more surface area to work with than Signal does – even if the message content itself is encrypted. It’s the weakest of the three main options for this specific threat model, and the gap isn’t small.

Your next move: open Signal right now, go to Settings → Profile, and set a username with the two-digit suffix. That single step costs 60 seconds and is the precondition for every other setting in this guide.