It’s the digital security training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone shared this newsletter with you, please subscribe here.
Teachable security moments from a Signal group
We see a growing number of journalists using Signal, the encrypted messaging app. This includes Jeffrey Goldberg, editor-in-chief of The Atlantic, who received a connection request from a user identified as “Michael Waltz” — a name Goldberg recognized as one shared by the President’s national security advisor. Later, Waltz invited Goldberg to a Signal group chat called “Houthi PC small group” where the journalist began seeing messages about planned airstrikes targeting Houthi rebels in Yemen. To verify if the group was real, Goldberg waited to see if the bombings would happen at the planned times. The bombs fell, all but confirming the conversation was real.
Goldberg’s profile name was simply “JG” and it’s therefore possible he was confused with another person whom Waltz intended to add to the group instead. The reporting walks through a number of questions about the legality of using Signal for transmitting national security information, as well as federal records law when using disappearing messages. Overall, it’s a mess, and you have to read it. But first, journalists can learn a lot from this example.
What you can do
- Normally I like it when journalists get stories through Signal. We help journalists set up Signal tiplines all the time — reach out if you want to set one up! But we do think there is real danger in adding someone you don’t trust to a Signal group, because end-to-end encryption cannot protect your messages from someone who is already in the group chat. It’s good to verify you are talking to the person you think you are talking to. If you are meeting someone in person, or have the opportunity to verify their identity over another trusted channel, you can use safety numbers to ensure you are talking to the right person, and that your encryption is working as intended. Learn more in our guide to locking down Signal.
- In the past, Signal users could only be identified by phone number. Now, you can find people with usernames, and people can give themselves a profile name. You can also give nicknames to help keep track of your contacts, as well as look at mutual groups to better understand who is who before adding them to group chats. Learn about Signal’s many identifiers.
- Note that Signal cannot protect the confidentiality of your conversations if your device is infected with malware. My colleague Davis Erin Anderson described in her advice column why it can be difficult to confirm a device is 100% clean, but this underscores the need for journalists to keep devices up to date with the newest security patches. Just don’t count on those patches alone to protect national security information.
Updates from our team
- In our most recent advice column, we wrote about the benefits and trade-offs of journalists’ favorite cloud-based transcription tools. Check it out.
Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.
Best,
Martin
–
Martin Shelton
Deputy Director of Digital Security
Freedom of the Press Foundation