Site icon Sophos News

Switch to Signal for encrypted messaging, EC tells staff

Imagine that you work in government or at an NGO – both places that want to keep their communications private.
Understandably, given that governments these days use powerful spyware to surveil political activists, NGOs, and each other, you and your colleagues use an encrypted messaging app.
There’s a good chance that you’ve gone with WhatsApp, which has been a trailblazer in end-to-end encrypted messaging. As early as 2016, The Guardian was referring to the app as a “vital tool” to conduct diplomacy – an app with which diplomats could “talk tactics, arrange huddles, tweak policy – and send Vladimir Putin emojis.”
But given recent events, you have to wonder: what happens if holes develop in that supposed cone of silence?
Like, say, the stupidly simple social engineering hack that the UN said was used – allegedly by the crown prince of Saudi Arabia – to infect Amazon CEO Jeff Bezos’s phone with personal-message-exfiltrating malware, with one single click?
Or the zero-day vulnerability in WhatsApp that allowed attackers to silently install spyware just by placing a video call to a target’s phone? Or, as happened this past weekend, the way that WhatsApp and parent company Facebook shrugged off responsibility for private groups being indexed by search engines, thereby rendering them easy to find and join by anybody who knew the simple search string?
What happens, at least in the case of the European Commission (EC), is that you tell your staff to move over to Signal. Last week, Politico reported that earlier this month, the EC took to internal messaging boards to recommend moving to the alternative end-to-end encrypted messaging app, which it said “has been selected as the recommended application for public instant messaging.”
The EC didn’t mention WhatsApp, per se. It didn’t have to. Security experts have been pointing out reasons why it’s a potential national security risk for a while. Besides its recent and not-so-recent security flubs, there are privacy issues that come with being swallowed up by Facebook. One of WhatsApp’s co-founders, Brian Acton, left the company after the Facebook acquisition, saying that Facebook wanted to do things with user privacy that made him squirm. In his words: “I sold my users’ privacy.”
As Politico notes, privacy activists favor Signal not just because of its end-to-end encryption. Bart Preneel, cryptography expert at the University of Leuven, told the news outlet that, unlike WhatsApp, Signal is open-source, which makes it easy to find security flaws and privacy-jeopardizing pitfalls:

It’s like Facebook’s WhatsApp and Apple’s iMessage, but it’s based on an encryption protocol that’s very innovative. Because it’s open-source, you can check what’s happening under the hood.

Signal is recommended by a who’s who list of cybersecurity pros, including Edward Snowden, Laura Poitras, Bruce Schneier, and Matthew Green. “Use anything by [Signal’s protocol, called] Open Whisper Systems,” as Snowden is quoted as saying on the app’s homepage, while Poitras praises its scalability.
Cryptographer Green says he literally started to drool when he looked at the code. While WhatsApp is based on Open Whisper Systems, it’s not open-source, so it’s not as easy to spot something that goes awry. Another plus of Signal: unlike WhatsApp, it doesn’t store message metadata that could expose users in worldwide data centers. Nor does it use the cloud to back up messages, further exposing them to potential interception.
Sorry, WhatsApp, but you just don’t induce drooling among cryptographers.


Unlike WhatsApp, Signal is operated by a non-profit foundation – one that WhatsApp co-founder Brian Acton put $50 million into after he ditched Facebook – and is applauded for putting security above all else. Like, say, in October 2019, when it immediately fixed a FaceTime-style eavesdropping bug. It fixed the bug in both Android and iOS on 27 September – the same day on which it was reported.
It’s not just Signal’s reputation and WhatsApp’s problems that have pushed the EC into recommending that Signal become the private messaging app of choice – also motivating the Commission are multiple high-profile security incidents that have rattled officials and diplomats.
EC officials are already required to use encrypted email when exchanging sensitive, non-classified information, an official told Politico. The recommendation to use Signal mainly pertains to communications between EC staff and people outside the organization, the news outlet reported, and is a sign that diplomats are trying to bolster security in the wake of recent breaches.
The EC isn’t the only governmental body to dump WhatsApp in favor of Signal. As The Guardian reported in December 2019, the UK’s Conservative party switched to Signal following years of leaks from WhatsApp groups.
What’s ironic, of course, is that governments have been hounding companies to put backdoors in all of these products. While law enforcement in multiple governments have been demanding an end to encrypted messaging that they can’t penetrate, they themselves are increasingly turning to ever more reliable forms of encrypted messaging.
What’s good for the gander isn’t quite up to snuff for the goose, apparently.
But while WhatsApp suffers in comparison to Signal, and while at least two government outfits have shed it in favor of Signal, WhatsApp still matters. It’s one of the messaging apps that’s at the heart of the encryption debate. Facebook, alongside Apple, has stood up to the US Congress to defend end-to-end encryption, in the face of lawmakers telling the companies that they’d better put in backdoors – or else they’ll pass laws that force an end to end-to-end encryption.
As Politico reported, in June 2019, senior Trump administration officials met to discuss whether they should seek legislation to ban unbreakable encryption. They didn’t come to an agreement, but such laws are undeniably on the table.
That matters. Regardless of which messaging app the EC switches to, or the Tories, they’re all liable to being outlawed if the world’s superpowers get their way and legislate backdoors into existence. As goes WhatsApp and Apple encryption, so goes Signal, or Wickr, or any other flavor of secure IP messaging.
And, of course, so goes the stronger security that some government bodies are, ironically enough, moving to embrace.
Watch it, goose and gander, before you wind up cooking both yourself and your own sensitive communications.


Latest Naked Security podcast

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast.

Exit mobile version