Image: Open Whisper Systems/Jason Koebler
On Thursday, the New York Times reported that government prosecutors had seized years' worth of a national security reporter's phone and email records, in connection with an investigation into leaks of classified information. The indictment against the former Senate Intelligence Committee aide mentioned the end-to-end encrypted messaging app Signal; a tool used by many journalists to communicate securely with sources.
The news prompted several journalists and technologists on Twitter to remind people that when using Signal, there are ways to mitigate the risks of the phone getting seized. For Signal it is generally good practice to enable the 'disappearing messages' feature, which wipes chat logs after a certain amount of time.
But no technology is flawless.
In some cases the Signal disappearing messages feature is not doing the one thing it's supposed to: messages set to disappear, do not disappear. Multiple chat logs reviewed by Motherboard show that sometimes only one side of a conversation is deleted, with the other half left for weeks after Signal should have automatically wiped it. To be clear, there's no indication that this has any connection with Thursday's indictment, but it is a reminder that Signal, which is generally a very secure app, can have issues.
Most likely, this issue is a bug in the Signal app, according to Ryan Duff, the Director of Cyber Solutions at Point3 Security and a former US Cyber Command hacker.
When functioning normally, disappearing messages deletes chats sent after the user has switched the feature on—you can't have a long chat, then turn on disappearing messages, and expect your previous chats to vanish. Instead, disappearing messages works on logs created after enabling the setting.
But in the chat logs reviewed by Motherboard, several sets of messages remained long after they should have been deleted, and after people had received the message.
Got a tip? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, and Lorenzo Franceschi-Bicchierai on Signal on +1 917 257 1382. Details on our SecureDrop, a system to anonymously submit documents or information, can be found here .
In one chat that had messages set to disappear after one week, a message from May 22 remained as of Friday—around two and a half weeks after it was sent. In another set of messages, also sent on May 22 and set to disappear after a week, only half of the conversation remains on one phone; Signal did successfully delete the recipient's responses. But the recipient's phone has the same issue; they only have their own half of the conversation, Motherboard confirmed.
A third case had only one side of the conversation wiped, and has continued to store messages that date back to 16 May, even though they should have been deleted. A fourth chat log seemingly contained messages from April, despite disappearing messages being switched on, as did a fifth dated to March.
In most of these cases, which happened in communications between multiple different people on different devices, the messages that have not been deleted are marked as "Sent" rather than delivered. However, in the examples those messages were indeed delivered—two were part of conversations in which the recipients responded, and on Friday, one source confirmed they did indeed open and read the sent message even if they didn't reply at the time.
According to Moxie Marlinspike, the founder of Open Whisper Systems, the non-profit behind Signal, this probme impacted messages sent within a particular time frame.
"This issue only affected a portion of disappearing messages that were sent within a very short timeframe before the Signal iOS release on May 22nd and hasn't yet disappeared," he told Motherboard in a Signal message. "Ongoing messages are disappearing correctly, and any lingering messages can be manually deleted without any negative effects. A future update will handle this cleanup automatically."
Other Signal users have previously reported similar issues in the past. In 2016, several users said disappearing messages did not vanish in a post on Github.
Last month, in what appears to be a completely separate issue, Signal had to push an update to its desktop app to purge self-destructing messages that were being stored on Mac computers. In May, security researcher Patrick Wardle found that 'disappearing' Signal messages could be stored indefinitely on Mac hard drives due to the computer's notification bar storing a copy.
Bugs like the Mac problem and the latest Signal issue, Duff argued, show why people should be careful even using disappearing messages.
"It's a feature that nobody should rely on for security," Duff told Motherboard in an online chat. "It's nice to have, and I use it. But I don't rely on it."