This is the script of my national radio report yesterday regarding the
Trump administration's Signal controversy. As always, there may have
been minor wording variations from this script as I presented this
report live on air.
- - -
Yeah so I was actually planning to discuss Signal sometime soon
anyway, to help explain what it is, when it should or shouldn't be
used and so forth, but the current White House Signal controversy has
definitely pushed up the schedule for this.
So let's begin with what Signal is. Signal is a publicly available and
free end-to-end encrypted messaging app that runs on conventional
smartphones. It can also run on desktop systems when linked to
smartphone numbers that are also running Signal. And Signal does
provide good quality encryption and has become very popular for
messaging as a more privacy-positive alternative to various social
media messaging systems and other commonly used publicly-available
communications apps and the like.
Now having said this, it's also very important to realize that the
overall security of an encrypted communications environment is not
determined solely by the quality of the encryption ciphers in use but
rather by the totality of the overall encryption ecosystem -- the
ciphers, key management, the hardware devices in use, the operating
system, other apps present, access controls and so on.
And by these definitions Signal is definitely not a military-grade
encryption ecosystem. Simply the fact that it's running on ordinary
smartphones with the standard operating systems, where users have all
sorts of other apps that can misbehave or be attacked in various ways,
opens up a range of possible vulnerabilities. In fact, apparently a
month before the current situation, the National Security Agency --
NSA -- was warning about potential vulnerabilities in Signal and
attacks on Signal by state actors.
Now a lot of the discussion about this Signal situation has focused on
how a magazine editor was added to the particular message chain in
question. Signal contacts have traditionally been added via phone
numbers, though there is an alias system now that allows for using
identifiers other than phone numbers as well. But really the way you
add people to a Signal chat group is for the user to do the invite
either purposely or accidentally, perhaps sloppily, and for the
invited person to accept.
But the elephant in the room isn't that specific invite, it's the use
of Signal for communications related to a military operation, and of
course the only reason the public found out about such use in this
case was the inclusion of that editor. And there was a report today
that there were apparently other very similar Signal chats involving
national security information with various of the same participants,
that preceded the chat we know about for sure.
Other observers can decide if these messages constituted attack plans
or war plans or if they violated the Espionage Act or the records
retention act or whatever. But common sense seems to tell us that
discussion of when an attack is about to happen, and what sorts of
military assets (like the type of planes) will be involved and
information about ongoing surveillance and so on should not be on a
public app running on ordinary mobile phones with all their
vulnerabilities, irrespective of what official classification levels
are involved.
There are certified military-grade encrypted communications ecosystems
specifically designed and maintained for these sorts of messages. And
it also seems likely that if a member of the military had been
discovered sending messages like these via Signal they would have been
seriously reprimanded and quite possibly be facing a court martial.
This really isn't a very complicated situation. Signal is a useful
tool and like any tool there are situations where it definitely should
NOT be used. In fact, there are many firms who would fire employees
for discussing sensitive corporate matters on Signal, so discussing
active military operations on Signal seems like a rather poor decision
to say the very least, and we can certainly hope that it's one
decision that WON'T be repeated going forward.
- - -
L
- - -
--Lauren--
Lauren Weinstein
[email protected] (https://www.vortex.com/lauren)
Lauren's Blog: https://lauren.vortex.com
Mastodon: https://mastodon.laurenweinstein.org/@lauren
Signal: By request on need to know basis
Founder: Network Neutrality Squad: https://www.nnsquad.org
PRIVACY Forum: https://www.vortex.com/privacy-info
Co-Founder: People For Internet Responsibility