LEILA FADEL, HOST:

The country's most senior security officials chose the messaging app Signal to discuss U.S. air strikes in Yemen. It is not a secure government network, but it is used by many government officials, as well as journalists, tech workers and a lot of people looking for a secure place to communicate. But how secure is Signal? Matt Blaze is a cybersecurity expert and a professor at Georgetown University Law Center, and he joins me now to help answer that question. But before we dive in here, we just want to note that NPR's CEO, Katherine Maher, chairs the board of the nonprofit Signal Foundation. Good morning, Matt, and thank you for being on the program.

MATT BLAZE: Good morning. Thanks for having me.

FADEL: So with this group chat fiasco playing out here in Washington, I have to ask if this messaging app, Signal, is as secure as the secured communications the U.S. government uses to protect sensitive and classified information.

BLAZE: Right. And that's an interesting and good question. Yeah, and the answer is yes and no. Signal is a general-purpose text and voice communication app that uses a technique called end-to-end encryption to protect calls and texts from interception by a third party. And this includes everything from your internet service provider, you know, government eavesdroppers, foreign or domestic, and even the Signal organization itself. And this is a much more comprehensive form of protection than you usually get on a regular smartphone. So in that sense, it's comparable to the level of protection you get against eavesdropping that the official government systems use. But there are a number of important differences. And those are actually very important when you start using Signal for a purpose it's not intended for, which is, you know, classified discussions. So...

FADEL: And what are those differences?

BLAZE: Well - so, you know, the encryption is very similar, but apps like Signal are designed to facilitate communication with basically anyone on the internet who has the app, even if they're from different organizations, even if you've never met before. And essentially, any two people who have the Signal app can use it to exchange messages or call each other. The systems for protecting classified communications, on the other hand, actually try to do the opposite. They have special features to restrict communications to ensure that it only goes to places that are authorized to get it. So in the, you know, government systems for doing classified communications, it would be pretty much impossible to accidentally add a reporter to a war-planning chat group.

FADEL: I mean, I guess it's really easy to eavesdrop if you're invited in, but it is also supposed to be vulnerable at times to phishing attacks. I mean, the Pentagon warned about not using it.

BLAZE: So - and, you know, the Pentagon, again, warned for good reasons because it's just not designed for the kinds of requirements that classified information protection has, like knowing exactly who you're communicating with. What clearance level do they have? Are they really in the organization you think they're in?

FADEL: Now, Signal can also - you can set timing to disappear messages. I mean, how does that work with laws around official record keeping when it comes to...

BLAZE: Well...

FADEL: ...Government communication?

BLAZE: Yeah. That's another reason that Signal isn't appropriate for high-level government communications. It's not designed to comply with, or even make possible, rigorous record-keeping requirements.

FADEL: Matt Blaze is a professor of computer science and law at Georgetown University Law Center. Thank you for talking with me.

BLAZE: Thanks for having me.

