What is messaging app Signal and how secure is it?

The recent revelation that the free messaging app Signal was utilized for a clandestine group chat among senior U.S. officials has sparked significant discussion. This unexpected disclosure came to light after Jeffrey Goldberg, editor-in-chief of the Atlantic, was inadvertently included in discussions regarding a military strike against the Houthi group in Yemen. The incident has drawn sharp criticism, with Senate Majority Leader Chuck Schumer labeling it “one of the most stunning” leaks of military intelligence in history, prompting calls for an investigation into the matter.

The security app

Signal, while boasting an estimated 40 to 70 million monthly users, remains a small player compared to giants like WhatsApp and Messenger, which have user bases in the billions. However, Signal distinguishes itself through its robust security features, particularly its end-to-end encryption (E2EE). This technology ensures that only the sender and recipient can access the messages, rendering them unreadable even to Signal itself.

While several other platforms, including WhatsApp, offer E2EE, Signal’s security measures extend beyond this basic framework. The app’s code is open source, allowing anyone to scrutinize it for potential vulnerabilities. Furthermore, Signal’s commitment to user privacy is evident in its minimal data collection practices; it does not retain records of usernames, profile pictures, or group memberships. As a non-profit organization funded by donations rather than advertising revenue, Signal is not incentivized to compromise user privacy for profit. Meredith Whittaker, the app’s leader, emphasized its status as “the gold standard in private communications” following the recent national security incident.

‘Very, very unusual’

Despite its reputation for security, experts caution that even Signal may not be suitable for high-stakes conversations involving sensitive national security issues. Cybersecurity professionals and journalists often favor Signal for its privacy, yet the inherent risks of mobile communication cannot be overlooked. If an unauthorized individual gains access to a device with Signal open, or if they discover a user’s password, the security of those communications can be compromised. Additionally, the risk of someone observing messages in public settings remains a persistent concern.

Caro Robson, a data expert with experience in the U.S. administration, remarked on the unusual nature of high-ranking officials using a messaging app like Signal for critical discussions. Typically, such conversations would occur on secure government-operated systems that employ advanced encryption protocols. Robson noted that discussions of national security are usually confined to Sensitive Compartmented Information Facilities (SCIFs), which are highly secure environments where personal electronic devices are prohibited. Accessing classified information requires being in designated locations that are routinely checked for surveillance devices, ensuring the highest levels of security.

Encryption and records

Another point of contention surrounding Signal is its feature allowing messages to disappear after a predetermined period. Goldberg mentioned that some messages in the group chat he was part of vanished after a week. This raises potential legal issues regarding record-keeping, particularly if participants do not forward messages to official government accounts.

The debate over end-to-end encryption is not new. Various administrations have sought to establish backdoors in messaging services to monitor communications deemed a national security threat. Companies like Signal and WhatsApp have resisted these attempts, arguing that such measures would ultimately benefit malicious actors. In 2023, Signal threatened to withdraw its app from the UK if lawmakers undermined its encryption standards. This year, a significant dispute arose between the UK government and Apple over similar encryption protections, leading Apple to remove certain features in the UK under governmental pressure. The legal ramifications of these conflicts continue to unfold.

Ultimately, as this situation illustrates, no level of encryption or legal safeguards can protect sensitive information if it is shared with the wrong individual. As one critic succinctly stated, “Encryption can’t protect you from stupid.”
