The Risks of Sending Secret Messages in the White House

Orhan Cam/

Communication apps with disappearing text could run afoul of presidential records laws—and might not be as secure as they seem.

By some accounts, the deluge of leaks detailing the hurdles and setbacks that have troubled the first weeks of the Trump administration have provoked panic among its highest ranks—and prompted top officials to try to identify the leaky staffers. President Trump has tweeted his dismay at the leaks several times, once calling them “illegal.” That’s why, according to a report in The Washington Post, some White House employees have turned to technology to cover their tracks.

The app of choice: Confide, a platform that encrypts messages end-to-end, so that they can only be seen by the sender and the recipient, and deletes every trace of a message as soon as it’s read. (Axios reported last week that Confide has also been taken up in larger Republican circles looking to avoid the fate of Democrats who had their emails hung out to dry by WikiLeaks.)

There are two problems with using Confide to chat with your colleagues in the White House. One has to do with digital security; the other with the law of the land.

The legal question is more straightforward than the technological one. The law that governs the preservation of presidential records requires the president and his or her staff to retain copies of all sorts of documents, including electronic correspondence. If the White House wants to dispose of a record, it needs to ask permission from the U.S. Archivist first—and notify Congress, which will have 60 days to review the proposal.

“There are very clear rules regarding the retention and deletion of records under the Presidential Records Act,” said Adam Marshall, an attorney at the Reporters Committee for Freedom of the Press. “The use of messaging apps that automatically delete communications by persons subject to the PRA is incredibly troubling.”  

The White House was not available to comment on its policies for retaining Confide messages.

Even if White House staffers were allowed to delete traces of their communication, however, Confide may not be the most secure app to use for doing so. Jonathan Zdziarski, a security researcher who specializes in digital forensics, took a brief look at the app’s security features on Tuesday. He found that the app uses a combination of open-source encryption methods and some unvetted techniques of its own creation, leaving questions about their security. Some of the app’s other functions are unusual—but not necessarily problematic.

“The application doesn’t smell fully kosher, but at least it uses some standard encryption routines, which many other applications fail to do,” Zdziarski wrote. “I did not see any obvious red flags in terms of forensics artifacts or other overtly nefarious behavior, but this was a quick once-over.”

He recommended that the White House submit the app to a full cryptographic review before allowing staffers to use it. “On the whole, it may be fine for personal conversation, but I would recommend a more proven technology, such as Signal, if I were to have my pick of the litter,” he wrote.

I asked one of Confide’s co-founders, Jon Brod, whether the app had been vetted by an independent security researcher, but didn’t get an answer. Brod did say that he was happy to hear that staffers were making use of his app. “We think it makes perfect sense, regardless of which side of the aisle they're on,” he said, given the sensitive nature of their work.

Brod said it’s up to users to play by any applicable rules that govern communication in their workplace. “We expect people to use Confide in a way that complies with any regulation that may be relevant to their particular situation, just like they would with other communication platforms,” he said.

Confide isn’t the first secure-communications app to find popularity among politicians and their aides. Signal, the gold standard of encrypted messaging and calling, is used by staffers who work for President Trump, Barack Obama, Hillary Clinton, New York Governor Andrew Cuomo, and New York City Mayor Bill de Blasio. But now the app has recently added optional features that allow messages to expire, which could bring up the same records-retention issues as Confide.

The popularity of encrypted communications apps has caught the attention of Congress. This week, two members of the House Committee on Science, Space, and Technology—including its chairman—sent a letter to the inspector general of the Environmental Protection Agency, responding to reports that some of its employees were using encrypted-communication apps to discuss how they’d respond to certain actions from the Trump Administration. In the letter, the representatives wrote that the practice may “run afoul of federal record-keeping requirements” and shield important information from Freedom of Information Act requests or congressional inquiries.

Since the EPA is a federal agency, its records are subject to the Federal Records Act, not the Presidential Records Act. But the requirements are essentially the same.

A document published by the National Archives and Records Administration in 2015 clarifies guidance for how to manage electronic records other than email: Google chat, Skype, iMessage and SMS, Twitter direct messages, and Slack, to name a few. According to the document, these messages are federal records, and must be treated as such. Depending on the nature of the messages, they may need to be kept either temporarily or permanently. That includes official business conducted over personal accounts, the document says.

Consternation inside the government over disappearing messages—at the EPA, the White House, or elsewhere—seem motivated mostly by politics. The Republican-led Science, Space, and Technology Committee is wary of rebellious federal workers, and top White House officials hope to crack down on damaging leaks. But if it continues to spread, disappearing-message apps could become a black hole that sucks away important records that should, by law, be preserved.