WASHINGTON, DC - MARCH 25: National Security advisor Mike Waltz speaks as he sits with U.S. President Donald Trump during an Ambassador Meeting in the Cabinet Room of the White House on March 25, 2025 in Washington, DC. During the meeting, Trump answered questions from reporters on the news that Jeffrey Goldberg, the editor-in-chief of The Atlantic magazine, was accidentally added to a Signal group chat of top administration officials, where highly sensitive national security information was discussed. (Photo by Win McNamee/Getty Images)

At least for the moment this hasn’t gotten much attention. So let me draw your attention to a new part of the White House Signal chat story which is actually a pretty big deal. You likely saw that yesterday Reuters published a photo of a Trump Cabinet meeting in which Mike Waltz could be seen using Signal on his phone. That was pretty unbelievable. You could see several of the chats, though mainly who he was chatting with more than the contents. Embarrassing, etc. But 404 Media, a newish tech news site, noticed that there was more than that. He wasn’t actually using Signal at all. He was using a third-party Signal knock-off which allows you to use your Signal account but with additional features.

Waltz was using an app created by a company called TeleMessage. And their additional feature is that it allows you to store your conversations off the app. Presumably that is to comply with federal records retention rules. The app says that it retains all of Signal’s end-to-end encryption and security. But as 404 Media reports, that’s clearly not true. What end-to-end encryption means is just what it sounds like, end-to-end, between your phone and your interlocutor. Once you take the secret messages and send them somewhere else, by definition you’ve departed from that encrypted channel. 404 Media asked Signal about this and they replied as you’d expect, which is, essentially, we can’t be responsible for what happens to your data if you’re not using our app.

There are actually two really big security issues involved here and they’re quite distinct.

The first requires understanding Signal’s security. Signal provides very robust security between your phone and the other person’s phone. Your phone itself could be hacked, though. In that case, you’re out of luck. That’s the actual Signal app. In this case you’re using a Signal clone app which takes the data and sends it somewhere else entirely. So by definition it doesn’t have Signal’s security protections. But there’s a second very big security issue raised by using this app. This app is made by some random company we don’t know much about. They could be a front for a foreign intelligence agency. The whole app could be a surveillance backdoor to look at Signal conversations. I’m not saying that is true. But you can’t actually rule it out. So again, you have the inherent lack of security introduced by operating outside of Signal’s security system. Then you have the additional security black box of “who is this company?” — and what do they do with the data?

Security experts trust Signal for two reasons. One is that it has established a very good reputation over a number of years for trustworthiness. But the far more important reason, and what most of that reputation is based on, is that their code is open source. Everyone can look at it. So the hardcore security experts can look at exactly how it functions and say, “Okay, yeah, this is done exactly right. This is super secure.” The setup the White House appears to be using, and Waltz himself is definitely using, sends the data to some other outfit. And we don’t have any visibility into their code or more generally even who they are. So we have no idea what their security is. We don’t know if they know what they’re doing. And we can’t rule out that they’re pursuing some nefarious ends.

Anyway, we should soon be hearing more about this. You may not have heard about 404 Media. They’re new. But they have a very strong reputation. Since I’ve been writing, the Times has now also picked up and credited their reporting on this.
