The Digital Security Digest, by Freedom of the Press Foundation (FPF), is a weekly newsletter with security tips that keep you, your sources, and your devices safe. If someone shared this newsletter with you, please subscribe here.

Signal chats feature prominently in recent indictment of activists

Last week, the Department of Justice announced an indictment targeting 15 people associated with Direct Action Minnesota, a coalition of protest groups. The indictment, which includes charges of “conspiracy to impede or injure a federal officer,” cites involvement in more than a dozen Signal group chats dedicated to tracking Immigration and Customs Enforcement activities, and includes over 100 messages.

If Signal is end-to-end encrypted, how did they get these messages? According to The Intercept, “The indictment doesn’t provide a clear answer. But sprinkled throughout the document are clues that suggest that law enforcement may have gained access to the physical devices of some of those indicted.” Read more about the case.

What you can do

I sit in journalism Slack channels and Signal groups where some asked, “Does this mean Signal has been compromised?” I think it’s important to dispel potential misinformation here. There is no evidence that Signal has been exploited. Instead, it’s far more likely that investigators have access to some of these protest organizing groups through the devices of at least one of the defendants. Signal offers end-to-end encryption, but the “ends” — your phone or computer — must be properly secured.

  • Stay on top of updates. If your phone’s operating system is compromised with malware, yes, whoever breaks into your phone can read your messages. The same applies to everyone you’re talking to, so encourage them to keep their devices updated as well. Even if you refuse to unlock it, law enforcement may use forensic tools to make a copy of your phone. These tools also depend on exploits that may have been patched in newer devices, as well as in the most recent versions of your operating system.
  • Use a strong passcode. During a visit to the White House, in a room full of cameras, Kanye West once used a six-digit passcode, “000000,” to unlock his iPhone. You can do better than Kanye. Using a passcode that is hard to predict is a good first step, but if you want to be hardcore, using an alphanumeric passcode will make it much more difficult to get into your phone without your permission. Read our guide to mobile maintenance.
  • Keep your sensitive groups tight. No matter what app you use, the bigger a group gets, the more likely it is to have someone untrusted inside, either because of device compromise, or because someone simply invited unfamiliar people to join. Even if you don’t pull a Michael Waltz and inadvertently invite the editor-in-chief of The Atlantic to your secret national security Signal group chat, adding more people introduces more risk of leakage.
  • Use disappearing messages. In case a device is ever lost, stolen, or seized, it’s a good idea to use Signal’s disappearing messages feature to automatically remove unneeded messages from your phone. You can enable this by default for all messages, or for individual conversations. To learn how, read our guide to locking down Signal.
  • Remember: Pick the right profile name before joining a group. When you join a group, everyone in the group can see the name attached to your user profile. If you change it later, everyone will be notified (e.g., “Martin S. changed their profile name to Masked Crusader”). There’s no good way to hide this, so if you are joining a sensitive group, you really want to ensure you choose an appropriate display name in advance. Read all about Signal’s identifiers.

Updates from our team

  • Artificial intelligence is no longer a “future problem.” Whether you asked for it or not, tech firms seem insistent on baking AI features into everything, so we’ve been getting a lot of questions from newsrooms about how they should handle AI safety policymaking. Our newest advice column addresses what should go into these policies so you can help your team make safer decisions. Check it out.

Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.

Best,
Martin

Martin Shelton
Deputy Director of Digital Security
Freedom of the Press Foundation