
Don’t Trust Those ‘Secure’ Messaging Apps

Popular communication alternatives provide nothing but a false sense of security, a fun challenge for hackers, and a field day for the CIA.

Recent political turmoil has driven a stampede of smartphone users to encrypted messaging services, so much so that service providers are having a hard time keeping up with demand. The exodus to these digital havens might come across as reasonable given social media’s newfound penchant for censorship and deplatforming. However, the public record shows that encrypted messaging apps, despite the litany of high-profile celebrity endorsements, aren’t what they appear to be. Lurking beneath the assurances of confidentiality are unsettling facts that raise doubts about the wisdom of following the herd.

The mainstream press has been talking up apps like Signal and Telegram. The New York Times in particular. That, in and of itself, should set off alarm bells. Signal, for example, has received millions of dollars over the years from a bureaucratic spin-off of the Central Intelligence Agency (CIA). The Broadcast Board of Governors, rebranded as the U.S. Agency for Global Media, has been an ardent supporter of Signal through its Open Technology Fund. The U.S. Agency for Global Media is the foreign propaganda arm of the State Department and has historical links to clandestine regime-change operations.

The Signal project is run by a guy who won’t tell anyone his real name. Would you buy insurance from someone like that, much less trust them with your physical safety? Another indicator that something is amiss. Said guy goes by the handle of Moxie Marlinspike. He likes to create the impression of a radical anarchist who’s leading a noble battle against government surveillance. Which is unusual considering how acquainted Marlinspike appears to be with government officials. Indeed, they liked him so much they financed him.

Telegram likewise has some notable advocates despite its questionable security. Enrique Tarrio, who currently leads the Proud Boys, described Telegram’s platform as “the darkest part of the web.” Which sounds like a glowing testimonial by an ostensibly credible figure. Readers should note that based on court documents viewed by Reuters, federal officials indicate that Tarrio has worked with law enforcement as an informant on a number of cases. In an interview with Reuters Tarrio stated, “I don’t recall any of this.” Keep in mind that infiltration and subversion are genuine threats to secure messaging systems. In fact, online providers could even facilitate such monitoring by adding hidden members to messaging groups.

Don’t even ask about Facebook’s WhatsApp messenger. The company openly admits that it collects more than enough metadata to dispel any illusions about personal privacy.

All of this underscores an inconvenient truth about apps which Ken Thompson, the creator of UNIX, spelled out nearly four decades ago. In his excellent Turing Award Lecture Thompson warned, “You can’t trust code that you did not totally create yourself.” Primarily because, as the SolarWinds debacle illustrated, backdoors are a grave threat. And it just so happens that the American intelligence community has a heavily documented record of planting backdoors in software, one that goes all the way back to the beginning of the Cold War, with global business interests like Crypto AG that outwardly appeared to be legitimate. The Swiss are neutral, right? Nope, not when they’re in bed with the CIA. Please understand that the organizations which deployed the compromised encryption technology sold by Crypto AG mistakenly believed that it was going to make them more secure. Allied governments naively trusted state secrets to gear that they didn’t design, giving spies a perfect opportunity.

Even if encrypted messaging apps were, by some miracle, free of backdoors (dream on) intelligence agencies would still have a field day breaching app security. Researchers from the National Security Agency concede as much in a paper entitled The Inevitability of Failure. This paper concludes that “current security efforts suffer from the flawed assumption that adequate security can be provided in applications with the existing security mechanisms of mainstream operating systems.”

In plain English: it doesn’t matter how secure a messaging app claims to be if hackers can compromise the underlying code running in the guts of a smartphone. Thanks to WikiLeaks it’s known that the CIA has constructed a whole array of tools for executing that mission. As President Obama remarked during his final year in office, American spies have “more capacity than anybody both offensively and defensively.” And it’s not just surgically targeted attacks; they’re capable of hacking endpoints on an industrial scale.

Proponents of encrypted messaging apps have argued that, hey, they’re still better than nothing. Sadly these apps are often worse than nothing because they provide users with a false sense of security. Rather than being an obstacle to security services they end up acting as a beacon. A sign that users have something to hide. Something which merits further investigation.

It’s not like this sort of vulnerability is a new phenomenon. Consider the failed coup d’état in Turkey which took place in 2016. Participants in the attempted putsch used an encrypted messaging app known as ByLock. Yet instead of protecting the conspirators from counterintelligence officers ByLock made users and their network activity stand out like veritable glow sticks. Out of the total population of 215,000 ByLock users in Turkey at the time of the coup, approximately 23,000 were arrested.

Some encrypted messaging apps blatantly facilitate investigation. The Telegram messaging app has a feature called “People Nearby,” which (when enabled) allows other users to determine how far they are from you. Under normal circumstances this corresponds to a large amorphous region (e.g. somewhere in a 20-mile radius). But experts have found that a malicious user could easily reconfigure their phone to collect three separate distance measurements and thereby triangulate the exact location of your phone. Can you imagine what would happen if this feature were silently enabled by an automatic software patch?

Dear reader, the road ahead for this republic is fraught with hazards. American political leaders are unaccustomed to cowering in fear. They probably find the sensation completely alien and intolerable. Which might help to explain why the Capitol was flooded with way too many National Guard troops. In a spasm of insecurity the elites might be tempted to wield power simply to convince both themselves and their donors that they’re still in charge. Entire swathes of the population may soon find themselves designated as terrorists while lawmakers isolate themselves within “green zones.” If this is our future then one of the worst things you can do is to put your faith in an allegedly secure encrypted messaging app. Expect mainstream technology to fail and seek out new, unexpected ways to communicate using mechanisms that aren’t controlled by shadowy third parties.

You’ve been warned.

Bill Blunden is an independent investigator focusing on information security, anti-forensics, and institutional analysis. He is the author of several books, including The Rootkit Arsenal and Behold a Pale Farce: Cyberwar, Threat Inflation, and the Malware-Industrial Complex. Bill is the lead investigator at Below Gotham Labs.