In the show I’m in right now, there’s an scene when the less-than-pleasant Archdeacon of the Notre Dame Cathedral, Claude Frollo, tells his adopted son, Quasimodo, that “it takes two people to communicate.” But it’s not just the hunchback that forgets this lesson — I’m surprised, but not that surprised, about how easy it is to ignore this fact in everyday life.
Consider the indictment that was just handed down by the US District Court for the District of Columbia against James Wolfe, a former member of the Senate Intelligence Committee. The indictment alleges that Wolfe lied to federal investigators about his communications with three different reporters — sometimes done over “anonymous” messaging applications like Signal and WhatsApp.
Between in or around September 2017 and continuing until at least in or around December 2017, REPORTER #3 and WOLFE regularly communicated with each other using the anonymizing messaging application Signal, text messages, and telephone calls.
“But wait,” you ask. “Aren’t these supposed to be secure messaging applications?”
If either service is subpoenaed, they can’t help investigators recover messages at all (presumably), a much better situation for you and your clandestine practices than if you just straight-up text messaged your spy network over a wireless carrier’s network. (Don’t do that.)
Here’s the problem, though: If you’re dumb and you leave your messages on your device instead of deleting them, investigators can find them if they obtain physical access to your tablet or smartphone. The people you were talking to? Same deal.
Something similar with Manafort: he sent messages and the recipients turned them over. In his case, he was also backing them up to iCloud in plaintext (????♀️) but the key point is the same. If the other party isn’t willing to/can’t keep your secret, encryption is not relevant.
— zeynep tufekci (@zeynep) June 8, 2018
And don’t forget: The party you’re “securely messaging” can also take screenshots of your conversations. If the app you’re using doesn’t warn you when this happens, a la Snapchat, or have some built-in mechanism to prevent screenshots, you’re stuck. Even if it does, a craftier person can just take out a secondary device and take a photo of the screen with your identifying information in it.
What’s a wannabe-spy to do? On Signal, consider using the service’s disappearing messages feature.
Though even Signal itself notes that this won’t stop someone from taking a picture of what you sent, surely you can use other tools at your disposal — like burner phone numbers — to cleverly conceal who you are.
(Or just make a dummy email account, connect to a trustworthy VPN, fire up Tor, and send your secret, encrypted message that way — which is just an “off the top of my head” privacy suggestion. There are plenty of more advanced techniques, like dropping secret information into a SecureDrop, for example.)
On WhatsApp, “disappearing messages” are a more manual technique. You have to delete your messages yourself, which removes them from both your device and your recipient’s device.
Don’t dawdle, though; you only have about an hour or so to eliminate what you’ve sent.
As before, remember that information about you can still be subpoenaed, including what numbers your number has contacted, so you might want to get creative about how you sign up for WhatsApp in the first place if you’re looking to stay as anonymous as possible.
And yes, that’s “anonymous as possible,” since it never feels like you’re truly anonymous when you’re using someone else’s service.