A Signal Failure

by Peter Saint-Andre

2025-03-30

It's rare that I comment on day-to-day political happenings. Not only are they quite distressing of late, but in general I prefer to read not the Times but the Eternities, as Thoreau said. However, the recent kerfuffle regarding use of the Signal messaging app by Trump administration officials is too tempting a target, because I worked on secure messaging systems for 25+ years and can offer some insights.

The messaging technology I worked on started out as the Jabber open-source project in 1999 and was standardized at the Internet Engineering Task Force under the acronym XMPP in 2004. In fact, I authored the documentation, codified in RFC 3920 and RFC 3921 (updated by RFC 6120 and RFC 6121 in 2011). Once this protocol was published as an industry standard, it was widely deployed within the U.S. government, NATO, etc. The beauty of XMPP is that anyone can run their own server with their own access control policies. As an example, the U.S. Department of Defense ran an XMPP service on their own secret communications network and used DoD "common access cards" for authentication. As a result, only DoD employees could use the service.

By contrast, although Signal is a fine consumer-oriented app with strong security and a friendly onboarding process and all that, pretty much anyone can create a Signal account. As a result, it's possible for senior administration officials to invite journalists to their chat groups, which would have been impossible if said officials had been using a government-run XMPP service instead.

Of course, this all assumes that the U.S. government is still running internal XMPP services (I'm no longer in the loop on such things) and, even more challenging, assumes that administration officials would give up their consumer apps in favor of internal messaging systems running on secret communication networks. That would be the responsible thing to do, but responsibility seems to be in short supply these days...

(Cross-posted at Beautiful Wisdom.)
