Mike Waltz, who was until Thursday U.S. National Security Advisor, has inadvertently revealed he is using an obscure and unofficial version of Signal that is designed to archive messages, raising questions about what classification of information officials are discussing on the app and how that data is being secured.
404 Media found numerous U.S. government contracts that mention TeleMessage specifically. One for around $90,000 from December 2024 says “Telemessage (a Smarsh Co.) Licenses for Text Message Archiving, & WhatsApp and Signal Licenses.”
TeleMessage is an Israeli software company based in Petah Tikva, Israel.
I may be wrong, but it seems to me that they’re using this version of Signal to comply with record keeping. This app is pre-installed on government devices.
I think the source code only needs to be made available to their customers, and not the public, so if the government can read the source code then it is compliant with the license.
So they’re basically using an unofficial Signal fork (like Molly) that has a feature for archiving all messages.
Regarding that 404 news, what does this mean?
In other words, the robust end-to-end encryption of Signal as it is typically understood is not maintained, because the messages can be later retrieved after being stored somewhere else.
AFAIK, end-to-end encryption has nothing to do with local archiving of received messages. The official Signal app, unlike Molly, does not offer local database encryption, and therefore locally saved messages can be retrieved. Am I missing something?
I think it’s just an odd wording. The author is indicating that while Signal’s implementation of E2EE is not flawed, the end user is ultimately responsible for protecting the messages before or after transmission.
Personally, I do think Signal could be better about conveying to other users when they are communicating with an entity who has compromised the environment. For example, a warning to the sender when the recipient is using Beeper, TM SGNL, etc.
And yes, you are right, only those with a copy of the software are entitled to ask for the source code, but then the people who asked could share it publicly, thus rendering this system useless (speculation, please correct if I am wrong).
You would be correct in your understanding of the GPL. Whether that makes it “useless” depends on the circumstances. To start with, distribution nowadays, while generally quite cheap because of how the internet developed (remember in the earlier GNU/GPL days access wasn’t as ubiquitous), could still be a cost factor, so not being forced to distribute it yourself digitally or physically can be a boon. But then there are also cases where you might want to distribute a modified version of GPLed software to one or a very small number of special customers, and as long as everyone is very interested in keeping the source code secret, that could work out fine without any license violation.
In the case of TeleMessage, I guess they have too many customers and also never intended for the source to be secret, so it makes sense they just put it up themselves for easy compliance.