Encrypted communication app Signal is bringing video calling to both its Android and iOS users in a new update today. But with the refreshed app also comes support for CallKit on iOS, which introduces an apparent privacy issue into an app otherwise considered secure.
CallKit, a new iOS 10 feature, makes Signal act more like the regular phone app. It allows Signal calls to be answered from the lock screen and lists those calls in a user’s “Recent Calls” list. But while it might be more convenient, Signal notes that if users decide to opt in to CallKit, some of their data might sync to iCloud, including who they called and how long they talked. That probably won’t sit well with privacy-minded people, so for now, CallKit is optional and if turned on, will only work when both parties opt in so as to avoid data leakage. Video calling is also optional.
Signal tells Wired that it’s still assessing CallKit. In the future it might only display “Signal users” in an iPhone’s call log, or it might offer a privacy tutorial to help users understand their settings options.
This data collection isn’t new. The Intercept reported last year that Apple was storing this call data in a user’s iCloud account for up to four months. FaceTime calls also back up to iCloud automatically. Government officials could theoretically gain access to this information through cooperation with Apple or tools designed to crack iCloud passwords, so to keep Signal secure from Apple, don’t enable CallKit, and to keep all your calls private, turn off iCloud backups.