Politicians to Ditch Signal for Homegrown Apps | Lawfare
The upcoming main navigation can be gotten through utilizing the tab key. Any buttons that open a sub navigation can be triggered by the space or enter key.
Search Lawfare
Search
Advanced Search
Tom Uren
Meet The Authors
Subscribe to Lawfare
Politicians to Ditch Signal for Homegrown Apps<br>European governments are trying to move their politicians away from encrypted messaging apps like Signal and WhatsApp and toward sovereign encrypted messaging solutions. This won't be as safe and secure as they think it will, but at least they'll have sovereign control.<br>Back in 2020, the European Commission (EC) told its staff that Signal had been "selected as the recommended application for public instant messaging." The idea at the time was that it would be used for communications between staff and people outside the commission. There were already encrypted ways to send sensitive information internally, like encrypted internal email, but they were relatively inconvenient and clunky.<br>Signal is easy, and adopting it for that relatively narrow use case was a good thing. From a security point of view it was a massive step up from alternatives such as SMS or email, which are more vulnerable to interception and keep plaintext copies lying around on servers.<br>However, there has been a lot of scope creep since then as Signal's convenience as an app on personal smartphones became the universal "good enough" solution for basically everything. Signal, and to a lesser extent WhatsApp, has become the de facto global communications infrastructure for politicians and bureaucrats worldwide.<br>Despite this, the European Union's diplomatic service advice is that these chats should not discuss sensitive information and should be used only for "informal exchanges" like arranging meetings.<br>It's great advice, but absolutely nobody will follow it. The reality is Signal is used for statecraft. In 2024, for example, French President Emmanuel Macron even used Signal to raise concerns about a trade deal with European Commission President Ursula von der Leyden.<br>Of course, this isn't just a European phenomenon. In the U.S., senior members of the Trump administration were using Signal like crazy and accidentally invited a reporter into a group chat that was discussing imminent war plans. Outside of the administration, large Signal group chats have been described as "a kind of dark matter of American politics and media." U.K. parliamentarians and political parties also use Signal and WhatsApp.<br>High-level discussions being held on Signal inevitably attract state-backed hackers, and they've come up with clever ways to phish users and spy on accounts. These phishing campaigns take advantage of Signal's linked devices feature, which allows the app to be used concurrently on multiple devices. In these attacks, the attacker convinces the victim to link an attacker-controlled device by modifying a device-linking request so that it looks like some other legitimate Signal resource. This could involve making a device-linking request look like a group invite QR code, for example. When these attacks are successful, the attacker is able to link a device they control to the victim's account and from then on get persistent access to the victim's Signal communications. The most prolific of these campaigns have been attributed to Russian intelligence services.<br>Over the last year, governments have cottoned on and issued lots and lots of warnings about the attacks.<br>Now, European governments are seeking alternatives to Signal. Fundamentally, these phishing attacks are possible because Signal and WhatsApp do a fairly poor job of verifying who you are talking to, and anyone can sign up for an account. They're open ecosystems.<br>Signal even notes it "does not verify profile names or identities," and it can be hard to know if you are talking to the secretary of defense, the editor in chief of The Atlantic, or even an account controlled by Russia's FSB.<br>So now, Germany, France, Belgium, and Poland are all developing and adopting sovereign solutions built on top of the open-source Matrix protocol.<br>At least in the short term, the Matrix-based systems European governments are developing are intended to provide secure messaging only within government. This reduces the number of potential attackers from "everyone on the internet" to "everyone in government," which makes the support message-style phishing attacks that have been successful against Signal users more difficult to pull off.<br>Helpfully, it also won't be possible for officials to inadvertently invite journalists into government group chats.<br>Matrix-based systems have another advantage in that they are federated. Governments can run their own servers and use their own identity platforms for authentication. These systems could be set up to be far more robust against phishing. They could require, for example, strong identity checks when onboarding...