On Thursday, the New York Times reported that government prosecutors had seized years’ worth of a national security reporter’s phone and email records, in connection with an investigation into leaks of classified information. The indictment against the former Senate Intelligence Committee aide mentioned the end-to-end encrypted messaging app Signal, a tool used by many journalists to communicate securely with sources.
The news prompted several journalists and technologists on Twitter to remind people that when using Signal, there are ways to mitigate the risks of the phone getting seized. For Signal it is generally good practice to enable the ‘disappearing messages’ feature, which wipes chat logs after a certain amount of time.
But no technology is flawless.
In some cases the Signal disappearing messages feature is not doing the one thing it’s supposed to: messages set to disappear do not disappear. Multiple chat logs reviewed by Motherboard show that sometimes only one side of a conversation is deleted, with the other half left even after Signal should have automatically wiped it. To be clear, there’s no indication that this has any connection with Thursday’s indictment, but it is a reminder that Signal, which is generally a very secure app, can have issues. (Update: Signal has pushed an update that fixes these issues.)
Caption: an example of Signal retaining a message that the app should have automatically deleted. Image: Motherboard
Most likely, this issue is a bug in the Signal app, according to Ryan Duff, the Director of Cyber Solutions at Point3 Security and a former US Cyber Command hacker.
When functioning normally, disappearing messages deletes chats sent after the user has switched the feature on—you can’t have a long chat, then turn on disappearing messages, and expect your previous chats to vanish. Instead, disappearing messages works on logs created after enabling the setting.
But in the chat logs reviewed by Motherboard, several sets of messages remained long after they should have been deleted, and after people had received the message.
In one chat that had messages set to disappear after one week, a message from May 22 remained as of Friday—around two and a half weeks after it was sent. In another set of messages, also sent on May 22 and set to disappear after a week, only half of the conversation remains on one phone; Signal did successfully delete the recipient’s responses. But the recipient’s phone has the same issue; they only have their own half of the conversation, Motherboard confirmed.
In these cases, which happened in communications between multiple different people on different devices, the messages that have not been deleted are marked as “Sent” rather than delivered. However, in the examples those messages were indeed delivered—two were part of conversations in which the recipients responded, and on Friday, one source confirmed they did indeed open and read the sent message even if they didn’t reply at the time.
Caption: One example of a disappearing message that did not disappear. Image: Motherboard
According to Moxie Marlinspike, the founder of Open Whisper Systems, the non-profit behind Signal, this problem impacted messages sent within a particular time frame.
"This issue only affected a portion of disappearing messages that were sent within a very short timeframe before the Signal iOS release on May 22nd and hasn't yet disappeared," he told Motherboard in a Signal message. "Ongoing messages are disappearing correctly, and any lingering messages can be manually deleted without any negative effects. A future update will handle this cleanup automatically."
Other Signal users have reported similar issues in the past. In 2016, several users said in a post on GitHub that disappearing messages did not vanish.
Last month, in what appears to be a completely separate issue, Signal had to push an update to its desktop app to purge self-destructing messages that were being stored on Mac computers. In May, security researcher Patrick Wardle found that ‘disappearing’ Signal messages could be stored indefinitely on Mac hard drives due to the computer’s notification bar storing a copy.
Bugs like the Mac problem and the latest Signal issue, Duff argued, show why people should be careful even using disappearing messages.
“It's a feature that nobody should rely on for security,” Duff told Motherboard in an online chat. “It's nice to have, and I use it. But I don't rely on it.”
Update: This piece has been updated to clarify the examples of apparently non-deleted messages in April, March, and early May. These only appeared to be subject to the disappearing messages feature because of how the tag was displayed in an earlier version of Signal. The issue of Signal messages not disappearing around the May 22 date remains. A second update added that Open Whisper Systems has now pushed an update to Signal that fixes the issues.