Signal is not appropriate for military communication, whether you use it well or not
First off, here are two things that are true and not contradicted by my writing that follows:
- The Trump administration is full of people who are incompetent, malicious, and bad at their jobs, whose primary qualifications are sycophancy.
- Signal is an excellent secure messaging app for most people, who are not coordinating military operations.
With that out of the way, I’ve seen a Facebook post that’s kind of misinformation shared around in the past few days. I don’t usually make it my job to correct all misinformation on the internet, but this one was shared enough and touches subjects where I have knowledge. It also provides an opportunity to explore how to think like a security professional!
I’ll caveat that I don’t call myself a security expert. I work alongside experts on a daily basis and have a general idea of what sort of things they think about. Specifically, I work professionally on interface design and product management for projects where security is a core concern.
Here’s a point about security that I think laypeople often miss:
Security isn’t a spectrum from insecure to secure. Things that are more secure in one scenario might be overkill or actively less secure in another. You have to consider the specific threats in play. Security experts call this threat modeling.
The problem with government agents using Signal to conduct military operations is not “they’re morons who used Signal wrong.” Yes, they made a confusing and hard to explain error in their usage of Signal. Also, yes, it’s very satisfying to make fun of them for being bad at this. But the primary error was using Signal at all for this purpose. It’s not designed for that!
As Actual Security Expert Matt Blaze – I recommend a follow, if you’re interested in this stuff – wrote:
Signal provides:
Excellent protection against third party interception of communications (wiretapping).
Limited protection against compromised (hacked) or lost devices
No protection against certain common usage mistakes (accidentally including a reporter in your large group war planning chat).
[…]
The difference is that systems like Signal are designed to facilitate communication with anyone. Classified systems are designed to limit communication to authorized recipients.
Both are sensible for their respective - very different - purposes.
Top officials in the executive branch should not be using Signal to communicate about military actions at all because the threat model for this sort of communication is so extraordinary and unique (and bound by retention laws) that they should be communicating on existing government channels designed for this exact purpose.
It’s actually quite easy to accidentally add someone to a Signal group.¹ Just off the top of my head, it could happen
- if you have a wrong number in your contacts,
- if you have multiple contacts with the same name,
- if you accidentally tap on a name next to the name of the person you’re trying to add,
- if you’re adding multiple people and you accidentally select an additional person without noticing, or
- if your BFF added someone and you happened not to notice the notification or just assumed they were fine because, after all, your BFF added them.
All of these are normal human errors that I could certainly make and I bet you could too.² Confirmation dialogs help, but people also learn to ignore them.
Nor is it a flaw for Signal to make this process easy. Good secure software makes an effort to systematically prevent users from making mistakes like this, but often security trades off with usability. Design needs to balance consequences with interface friction. For most Signal users, adding the wrong person to a group chat might be an embarrassing social faux pas, but mostly it isn’t a felony violation of the Espionage Act.³
I don’t know a lot (anything) about the government systems used for communicating these sort of things, but I imagine they include restrictions that make them better for this purpose that if included in Signal would make it worse for most people. Some features I might speculate they include:
- Strict centralized identity verification
- An onerous approval process for adding new people to a conversation
- A limited number of people who have access to the system at all
- Usage limited to particular locations or devices
(It is possible there are safeguards Signal could add that would be worth the trade-offs for most people. The state-of-the-art on security moves ever forward. I’m sure they’re talking about it.) The Trump administration did demonstrate incompetence in this case, but the incompetence was not primarily that they used Signal poorly but that they used it at all. They also, notably, demonstrated malice by using Signal, most likely, for the purpose of evading data retention laws.
Also: Your web browser is not spying on your Signal chats and reporting their contents to advertisers. There’s a lot of creepy ways that advertisers collect or deduce information about you, but specifically reading messages in Signal isn’t one of them. Both Android and iOS have built-in protections that prevent apps from reading each others’ data. If they didn’t, there would be no reason for Signal to exist at all, let alone for security experts to promote it, as they do.
This is all without even mentioning that the original post details the process for adding someone to a group but not for creating a group, which is likely the process that was used here. ↩︎
I’ve never made the specific error of adding someone to a group chat, but I’ve definitely made the similar error of sending a message to the wrong person, multiple times, and I’ve had it happen to me multiple times. This sort of thing is common, and tolerable for most uses. ↩︎
Sidenote: the Espionage Act is not a great law and is oft-abused by the government. ↩︎