Should the EU really endorse Signal?

Matthew Hodgson at Element argues that the European parliament’s encryption endorsement misses the mark 

 

The European Parliament’s recent call for lawmakers to embrace Signal for encrypted messaging has been lauded as a victory for privacy. While its intentions are well-placed, the endorsement reveals a fundamental misunderstanding of the security requirements for sensitive governmental communication. 

 

Signal, while a robust platform for everyday users, is simply not equipped to handle official and often legally mandated needs of government bodies. It is also a centralised service, run from the US, on a US cloud (Amazon), by a US-funded and US-based Foundation. 

 

Championing it as the solution for secure parliamentary communication for Europe is not just a misstep; it’s a potential disaster waiting to happen, particularly given the shifting geopolitical landscape and the increasing pressure on European nations from foreign state actors. 

 

The need for accountability 

Signal has a strong security posture encompassing end-to-end encryption, minimal metadata, and other privacy-preserving features. For personal conversations, this level of security is very welcome and even crucial in an age of pervasive surveillance.

 

However, Signal is a poor choice for public sector or workplace use. It’s a consumer-grade app with zero record keeping, which means a lack of compliance and a brewing storm of information governance nightmares. 

 

An end-user organisation has no oversight and control of employees using Signal, as would be commonplace for traditional email or collaboration tools. For example, no identity and access management exists to support Single Sign On systems. 

 

Beyond end-user inconvenience, that means no management of joiners and leavers (guaranteeing data leaks), and not ensuring that specific roles or departments are included in conversations. In the UK, the public outcry surrounding the COVID inquiry’s vanished WhatsApp messages highlighted the critical need for transparent and accessible government records. 

 

Conflating privacy with security 

Government communication demands more than just privacy. It requires audit trails, robust archiving, and the ability to retrieve information when necessary, often years later. 

 

These are not features typically prioritised in consumer messaging apps. In fact, they often run counter to the core principles of such platforms, which often emphasise user control and data minimisation. Such a fragmented approach is not only costly but also undermines interoperability and coordination. 

 

The European Parliament’s recommendation inadvertently conflates privacy with security and accountability. While privacy is undoubtedly a crucial component of secure communication, it’s not the only one. In the context of government, security encompasses a broader range of considerations:  sovereignty, end-to-end encryption, accessibility, interoperability and long-term preservation.

 

A truly secure system for government communication must balance the need for confidentiality with the imperatives of meeting workplace requirements, transparency and accountability. 

 

A single point of failure

Reliance on a single centralised platform creates a single point of failure and a huge honeypot. While Signal’s encryption is strong, and even if a minimal amount of data is stored on the servers, no system is impenetrable. 

 

It should also be recognised that, being a centralised system, Signal is prone to global outages. If bad actors wanted to leave their target without communications, it would be easy for them to know what to take down at a critical attack moment. 

 

The history of cyber-security is littered with examples of even the most secure systems being compromised, and deliberate outages to deny communications at critical times. Relying solely on one consumer-grade app, increases the risk of a catastrophic data breach or outage.

 

A more robust approach would involve picking a decentralised standard for real-time communications that ensures interoperability and network resilience. 

 

The European Parliament’s endorsement of Signal also raises questions about interoperability. Government agencies and international bodies need to communicate seamlessly, and relying on a single platform can create barriers to communication with those using different (often proprietary) systems.

 

A more effective approach would be to promote developing and adopting an open standard for secure communication, allowing for interoperability between different platforms. This would ensure that government agencies can control their own communications yet still communicate effectively with their counterparts around the world. This is precisely the advantage offered by platforms designed with interoperability in mind. 

 

Strategic solutions, not superficial fixes 

The call for end-to-end encrypted communication is, of course, commendable. In an era of increasing surveillance and data breaches, this should be table stakes.

 

However, simply recommending a readily available consumer app is a superficial solution that fails to address the complex security and governance challenges inherent in government communication. This is particularly true in the context of evolving transatlantic relations and the need for greater European self-reliance. 

 

The European Parliament’s intent is correct, but its approach is flawed. Mandating a secure consumer app doesn’t transform it into a suitable tool for government communication. Genuine security requires a holistic approach that considers not just encryption, but also data governance, accessibility, interoperability, and long-term preservation. 

 

It also involves that principle important to any government entity: sovereignty. In this context, it means technological independence and using technology that the end-user organisation owns and manages. Features such as open-source software being available for inspection on the technical level would aid this. 

 

Until these factors are adequately addressed, and until Europe embraces a more unified and strategic approach to its own communication needs, the European Parliament’s endorsement of Signal remains a well-intentioned but ultimately dangerous misstep. It’s a siren song of security that, if heeded, could lead to a data disaster of epic proportions, leaving its communications backbone vulnerable.

 

The solution isn’t just to pick an app. It is to formulate a strategy that keeps communications sovereign, interoperable, available and secure. 

 

---

 

Matthew Hodgson is CEO of Element

 

Main image courtesy of iStockPhoto.com and mediaphotos