Sign up for The Media Today, CJR’s daily newsletter.
When Michael Waltz, the now former national security adviser, accidentally added The Atlantic’s editor in chief, Jeffrey Goldberg, to a private Signal group chat planning a US attack on Yemen earlier this year, it triggered concerns about the information security practices of top White House officials. These included the fact that Signal, despite being a secure communication method, auto-deletes messages after a set time frame; deleting text messages about official acts may violate federal records laws, which require the preservation of certain communications among administration staff. According to Goldberg, some messages in the group chat were set to disappear after a certain number of weeks. Upon learning this, the watchdog group American Oversight sued the administration and sought to recover the deleted messages.
After that, the incident now known as “Signalgate” went relatively quiet. Last week, however, Waltz’s phone made headlines again: on Thursday, the same day that Waltz would be ousted from his position, a Reuters photographer captured an image that showed him checking Signal messages from colleagues beneath a table at a cabinet meeting. As 404 Media reported, Waltz wasn’t using the official Signal app, but rather a modified version called TeleMessage Signal, which collects and archives Signal messages. As such, Waltz may have used TeleMessage to comply with federal recordkeeping laws; on its (now defunct) website, TeleMessage, the Israeli company behind the app, marketed it as an archiving solution designed to help users meet regulatory requirements when using popular platforms like Signal. (The company was acquired last year by Smarsh, a firm based in Oregon.)
Micah Lee, a journalist and security researcher, analyzed TeleMessage’s source code, which is publicly accessible. His analysis found that TeleMessage’s marketing claim—that its version of Signal supports “end-to-end encryption from the mobile phone through to the corporate archive”—appears to be misleading. “It’s recording a local database of all of the Signal messages, and then it’s just sending those plaintext messages to the server,” Lee told me. “The surprising thing is that they just are not at all up-front about that.” According to Lee, TeleMessage can access plaintext chat logs, and its design risks letting outsiders with access to the server do the same. “It’s a pretty reckless design,” he said. (Tom Padgett, the president of Smarsh’s enterprise business, told the New York Times last week that information was not decrypted while being collected for recordkeeping purposes or moved to its final archive. “We do not de-encrypt,” he said. CJR reached out to Smarsh for comment and will update the online version of this newsletter if we hear back.)
The alleged security vulnerabilities of the Signal clone were put front and center over the weekend when a hacker breached and stole customer data from TeleMessage, just as Lee had suspected was possible. (He wrote about the hack with Joseph Cox for 404 Media.) The breach did not include messages from Waltz or cabinet members with whom he spoke, but did show data related to Customs and Border Protection, the cryptocurrency giant Coinbase, and other financial institutions. The hacker told 404 Media that the breach took less than twenty minutes and that they did it because they were “just curious how secure it was.” The next day, NBC News reported that TeleMessage had suspended all services after a second hacker breached the system. As evidence, the hacker provided NBC with a screenshot of TeleMessage’s contact list of employees at Coinbase, which NBC verified with a Coinbase spokesperson. (“TeleMessage is investigating a potential security incident,” a Smarsh spokesperson told BleepingComputer on Monday. “Upon detection, we acted quickly to contain it and engaged an external cybersecurity firm to support our investigation.”)
Sharon Ringel, a digital-archives scholar at the University of Haifa and former Tow Center fellow, told me that the TeleMessage story goes beyond security concerns—it also raises broader questions about how the government approaches the preservation of its digital records. “We’re missing the bigger issue here,” she said. “If they can’t ensure security, I’m not sure we’ll be able to access these communications five years, ten years, or even thirty years from now.” This is deeply problematic, Ringel said, because these are records that historians and investigators could depend on in the future. It’s unclear whether Waltz began using TeleMessage months ago or after the Trump administration was sued for failing to comply with federal records laws. However, on April 15, shortly after Signalgate, TeleMessage published a now-removed blog post promoting its services as a solution for US government recordkeeping responsibilities. One of the blog post’s subheadings reads, “Closing the Compliance Loop: Why TeleMessage Is the Missing Piece for Signal.” If White House staff were clients of TeleMessage, the company was either unaware of the fact or not publicly acknowledging it at the time.
For an app that seems to bear the huge responsibility of archiving some of the US government’s most important records, relatively little has been known about its design until now. As Wired reported, TeleMessage is a federal contractor, but its consumer apps are not approved for use under the US government’s Federal Risk and Authorization Management Program, and WhatsApp and other messaging companies are reportedly attempting to ban it. Of course, the US is not the only country that struggles with archiving. In general, Ringel said, it’s very challenging to preserve digital communications. It takes accountability and commitment to do it the right way. But failure comes with consequences that can alter how history is written. “When it’s not being properly archived and preserved, it’s easier to delete, and it’s easier to remove,” she said.
Other notable stories:
- Yesterday morning, Liam Scott wrote in this newsletter about Trump’s recent efforts to gut overseas broadcasters including Voice of America and Radio Free Europe/Radio Liberty, noting that the latter was expecting a court to rule that the administration can continue to withhold its funds while a legal process plays out; yesterday, a three-judge panel did indeed vote to stay a prior order to disburse RFE/RL’s money, depriving the broadcaster of twelve million dollars and necessitating further reductions in staff and programming, according to its president. Meanwhile, Scott reported in his Press Freedom Report newsletter that Ulviyya Guliyeva, a VOA contributor in Azerbaijan, was detained yesterday. Colleagues have suggested to Scott that Trump’s attack on VOA and its sister outlets may have emboldened Azerbaijan to target Guliyeva.
- This week, a federal jury ordered NSO Group, the Israeli firm that makes the highly invasive spyware tool Pegasus, to pay more than 167 million dollars to Meta after a judge found the company liable for WhatsApp, which Meta owns, being used to hack more than a thousand people with Pegasus, including journalists and other civil-society figures. The award represents “the largest blow ever dealt to the burgeoning spyware industry,” the Washington Post’s Joseph Menn writes. Meta said that it intends to donate the money to digital-rights groups that have investigated Pegasus hacks; one such group, Citizen Lab, praised Meta for persevering with its case and helping alert governments to the threat posed by spyware. (NSO suggested it will appeal.)
- Earlier this year, a documentary that premiered at the Sundance Film Festival cast doubt on the provenance of the iconic “Napalm Girl” image captured during the Vietnam War, suggesting that a stringer may have taken it, and not Nick Ut, an Associated Press staffer who has always been credited with the photo. After the documentary aired, AP journalists investigated the claim by interviewing witnesses, analyzing imagery, and even building a 3D model of the scene, according to the Post. This week, the news agency released a lengthy report concluding that Ut should retain the photo credit since its analysis showed that he could have taken it, and failed to prove that anyone else did.
- The Malheur Enterprise, a small yet distinguished newspaper in Oregon, published its final print edition yesterday and will shut down by the end of the month after more than a hundred years in existence, The Oregonian reports. Les Zaitz, a high-profile local journalist who published the Enterprise, said that he and his wife, Scotta Callister, the former publisher, are retiring; they tried to transfer the paper—including by merging it with the local Argus Observer—but were unsuccessful. (ICYMI, CJR’s Alexandria Neason interviewed Zaitz in 2018 about the long tail of his reporting on a local cult.)
- And Trump withdrew his nomination of Janette Nesheiwat, a former Fox News contributor, to serve as surgeon general, following reports about the veracity of her résumé and the apparent intervention of Laura Loomer, the far-right media personality and sometime Trump confidante. In Nesheiwat’s stead, Trump nominated Casey Means, a wellness influencer and leading voice in the so-called “MAHA” movement, though Loomer doesn’t seem very happy with her either.
Has America ever needed a media defender more than now? Help us by joining CJR today.
