The free messaging app Signal has recently garnered attention after the White House confirmed its use for a secret group chat among senior U.S. officials.
Jeffrey Goldberg, the editor-in-chief of the Atlantic, was unintentionally included in the group discussing plans for a strike against the Houthi group in Yemen.
This incident has sparked significant backlash, with Senate Democratic leader Chuck Schumer labeling it “one of the most stunning” military intelligence leaks in history and calling for an investigation.
So, what exactly is Signal, and how secure were the communications among these senior politicians?
The Security App
Signal boasts an estimated 40-70 million monthly users, making it relatively small compared to major messaging platforms like WhatsApp and Messenger, which have billions of users. However, Signal leads in security.
At the core of its security is end-to-end encryption (E2EE), which ensures that only the sender and receiver can read messages—Signal itself cannot access them.
While other platforms like WhatsApp also offer E2EE, Signal’s security features extend beyond this. For instance, its code is open source, allowing anyone to verify that there are no vulnerabilities for hackers to exploit.
Signal claims to collect minimal user information and does not store data such as usernames, profile pictures, or group memberships. Furthermore, as a non-profit organization funded by donations, it does not rely on advertising revenue.
“Signal is the gold standard in private communications,” stated its leader, Meredith Whittaker, in a post on X after the U.S. national security story broke.
‘Very, Very Unusual’
This “gold standard” reputation makes Signal popular among cybersecurity experts and journalists. However, even this level of security is considered inadequate for highly sensitive national security discussions.
There remains an inherent risk with mobile communications: the security of the device is only as strong as the user. If someone gains access to your phone while Signal is open or learns your password, they can view your messages. Additionally, no app can prevent someone from looking over your shoulder in public.
Data expert Caro Robson, who has worked with the U.S. administration, noted that it is “very, very unusual” for high-ranking officials to communicate on a messaging platform like Signal. “Typically, you would use a highly secure government system operated by the government with advanced encryption,” she explained, emphasizing that this often involves using devices in “very secure government-controlled locations.”
Historically, the U.S. government has utilized sensitive compartmented information facilities (SCIFs) for discussing national security matters. A SCIF is a highly secure area where personal electronic devices are prohibited.
“To access classified information, you must be in a room or building regularly swept for bugs or listening devices,” Robson added. SCIFs can be found in various locations, from military bases to officials’ homes, and are protected by the government’s highest standards of cryptography.
ICYMT: 10 Foods to Enhance Women’s Libido and Overall Sexual Health
Encryption and Records
Another issue related to Signal involves disappearing messages. Much like other messaging apps, Signal allows users to set messages to vanish after a specified period. Jeffrey Goldberg from the Atlantic noted that some messages in the Signal group he joined disappeared after a week, which could violate record-keeping laws unless users forward their messages to an official government account.
This controversy is not the first involving E2EE. Various administrations have sought to create “backdoors” in messaging services to access messages they believe may pose national security threats. Apps like Signal and WhatsApp have opposed such attempts, arguing that it would also enable misuse by malicious actors.
In 2023, Signal threatened to withdraw from the UK if lawmakers undermined its security features. This year, the UK government engaged in a significant dispute with Apple over its use of E2EE to protect cloud-stored data, ultimately resulting in Apple removing the feature from the UK.
As this situation illustrates, no amount of security or legal protection can safeguard your confidential information if shared with the wrong person. As one critic succinctly put it: “Encryption can’t protect you from stupidity.”
SOURCE: BBC
