Mike Waltz Accidentally Reveals App Govt Uses to Archive Signal Messages
124 comments
·May 2, 2025IG_Semmelweiss
>>> overnment agencies have paid for versions of encrypted messaging apps that also have archive abilities before. In 2021, Customs and Border Protection (CBP) paid encrypted app company Wickr $700,000.
This seems like a perfect use case to support Signal. Have large, corporate or govt entities, pay for a custom fork of the app, built by the app developers themselves.
Why is telemessage getting the money ? Does the Signal Foundation not make it easy to do paid fork implementations ?
steamrolled
If Signal becomes financially dependent on government contracts, the govt gains a lot of leverage over the app. I'm not sure that's a great position for this particular platform to be in.
Nifty3929
This is a good point - but at some point we have to trust someone. I feel that the Signal folks are worth trusting. Plus it's open source, so the more technie among us can meaningfully audit what's going on. That's not foolproof, but it does seem better than most alternatives.
Certainly it's better for the gov't to pay Signal than to try to do it themselves.
Freak_NL
> I feel that the Signal folks are worth trusting.
The MobileCoin integration and the long standing refusal to support a way to use the messenger without using a phone number (or a smartphone at all) make me wary. To me they sit pretty much on the same level of trust as Meta's WhatsApp, which is a sad thing to have to conclude.
bigfatkitten
Wickr is owned by AWS, and only has a government/enterprise product now. The personal version has been discontinued.
andrewinardeer
Pardon my ignorance here, does this mean that governments approach Wickr and buy licences to use their encrypted messenger? If so, what does Wickr do better than other encrypted messenger apps?
bigfatkitten
In short, paperwork.
Government has a ton of policy requirements around data retention, audit logging, where their data is stored, who can access it etc, as well as technical requirements for things like encryption algorithms. They also have a requirement to operate on isolated networks.
It is difficult for an ordinary consumer messaging app to meet these requirements. Matrix is really the only competitor.
dmix
90% of the work is probably compliance and gov contract hoop jumping, not the code.
inhumantsar
that seems optimistic tbh. I'd guess 70/30 lobbying/compliance.
mmooss
Maybe Signal needs to devote all their resources to develping the main app, which is their mission - secure communications for the general public.
photonthug
Katherine Maher, the CEO of NPR, chairs the board of the Signal Foundation.
mmastrac
> TM SGNL appears to refer to a piece of software from a company called TeleMessage which makes clones of popular messaging apps but adds an archiving capability to each of them
denkmoon
Crikey that's terrifying. Not even a US company either.
Titan2189
TeleMessage is an Israeli software company based in Petah Tikva, Israel. Founded in 1999 by Guy Levit and Gil Shapira, it provides secure enterprise messaging, mobile communications archiving and high-volume text messaging services. https://en.wikipedia.org/wiki/TeleMessage
bb88
Even though Israel is our "Ally" -- we really shouldn't trust a foreign company with our sensitive messaging.
If you're in the government, you should treat Hegseth and anyone who uses Signal and TMSIGNL as compromised.
jmathai
FTA, fwiw: "404 Media found numerous U.S. government contracts that mention TeleMessage specifically. One for around $90,000 from December 2024 says “Telemessage (a Smarsh Co.) Licenses for Text Message Archiving, & WhatsApp and Signal Licenses.”"
Hobadee
Telemessage got bought out by Smarsh a couple years ago. (Which several other commenters are saying is a US company) Their service has gone way downhill since.
Source: use them for several of my clients.
diamondage
Distilx has a non publically advertised service
esafak
What is the point of using Signal if you are going to let a (foreign) company intercept your communications? I guess they wanted the UX of a commercial product instead of whatever clunky app that's approved for government. Does anyone know what the alternative was?
sorcerer-mar
It makes a lot more sense if you don't assume from the start these people have one iota of intellectual horsepower.
Signal is approved for government uses, just not non-public DOD information. They're supposed to use Signal for something like "hey, get to a SCIF so we can discuss details," then they discuss the details in a secure environment.
UnreachableCode
> They're supposed to use Signal for something like "hey, get to a SCIF so we can discuss details," then they discuss the details in a secure environment.
Sort of like the drug dealers from The Wire
ezst
> Signal is approved for government use
[Ref. needed]
sorcerer-mar
Approved for government use: https://www.cisa.gov/sites/default/files/2024-12/guidance-mo...
Not approved for non-public DOD information: https://dodcio.defense.gov/Portals/0/Documents/Library/Memo-...
fiddlerwoaroof
From last year after Salt Typhoon became public:
> Adopt a free messaging application for secure communications that guarantees end-to-end encryption, such as Signal or similar apps. CISA recommends an end-to-end encrypted messaging app that is compatible with both iPhone and Android operating systems, allowing for text message interoperability across platforms.
https://www.cisa.gov/sites/default/files/2024-12/guidance-mo...
pokstad
Traditionally you would use the plain old telephone system to communicate non-classified information. All of the major telcos services (voice and text) are no longer considered secure per CISA. CISA also recommended to instead use e2e encrypted services (specifically calling out Signal).
https://investigations.cooley.com/2025/01/15/federal-law-enf...
coliveira
They need to let their foreign handlers know what they're doing... It is probably in the contract somewhere.
EasyMark
The alternative is not installing Signal on a phone with spy software on it. They aren't "intercepting" as in man-in-the-middle. They are intercepting by spying on the personal phone where signal is. signal is just another app on your phone. If you're using it for secrets comms you'd best have minimal or no software on the phone you're using and protect it every way you know how with passwords and encryption
t0lo
I don't get it. Why risk secuity vulnerabilities to archive when you can just ask israel and pegasus for the archives anyway.
cge
As some details:
TeleMessage is/was an Israeli company [1], but was acquired last year by Smarsh [2], itself a subsidiary of K1 Investment Management, both US companies. It me whether the company moved. While not necessarily related at all, their terms of service also seem to explain specific arrangements for messaging in China that appear to involve disclosures to the Chinese government.
It's unclear to me how the app works. It appears to be advertised as a fork of the Signal client which uploads all content to a remote server, thus, of course, breaking the E2E encryption, unless the archive is considered an end and the connection to it is secure. It also appears to be advertised as being the same interface as Signal.
However, both the iOS and Android Signal clients are AGPLv3. I can't find any indication that the TeleMessage clients are anything other than proprietary. So are they going the route of giving the software and source only to paying customers under AGPLv3 (with those customers then free to distribute it)? Did they completely reimplement the client? Or are they an illegal proprietary fork?
The first option seems unlikely, and the latter two seem rather ominous for the security of the app.
[1]: https://en.wikipedia.org/wiki/TeleMessage [2]: https://en.wikipedia.org/wiki/Smarsh
cwillu
> breaking the E2E encryption
E2E doesn't mean what I think you think it means; specifically, it has nothing to do with what the intended recipient (or their software) does with the message.
cge
That very much depends on who is running the archive system, and how it is implemented.
But more generally, your point is why I mentioned "unless the archive is considered an end and the connection to it is secure."
IgorPartola
The point of E2E is only to make sure that Alice is talking to Bob and nobody else can pretend to be either of them or eavesdrop. There is no reason whatsoever to include where else the message may be sent, encrypted or not.
Consider E2E protected email service. You send me the final designs over this encrypted channel. Then I put the designs onto a USB drive and give them to my printer to print. Then I hang them as billboards all over town. This is a valid use case for E2E. Yet the contents of the message ends up visible from the freeway.
You are confusing Snapchat mechanics for encryption.
tptacek
Smarsh is apparently a big deal in the compliance space. They're not randos. That doesn't take away the hilarity of using a Signal clone that defeats the whole purpose of Signal, though.
fluidcruft
Just wondering... if you work for a company and your employer provides you with modified GPL software, it's not considered distributed to you in ways that GPL would apply (so you are not free to further distribute it). At least that's how GPLv2 used to be explained as as business friendly--"private" modifications remain private and employees are not considered exterbal distribution. I'm not familiar with AGPL though.
giancarlostoro
AGPL is essentially GPL but over the network, if you can reach the service (be it website, or any other protocol) you should be able to receive a copy of the source code. TruthSocial was based on AGPL'd code, they had to comply.
sterlind
if your company itself modified the GPL software, you can't demand the modified source code from your boss. if your company purchased modified GPL software from a third party vendor, your company's legal department could force the vendor to cough up the source code.
wmf
The realpolitik here is that you can get fired if you leak the code, legal or not.
Hobadee
> unless the archive is considered an end and the connection to it is secure
LMAO NO! I have quite a few clients using Telemeasage, and most of them use Global Relay on the backend. It's a little terrifying actually, as Global Relay just ingests everything via SMTP. I haven't checked if they have DNSSEC or MTA-STS set up, but with how Global Relay operates I would be surprised if they did. I suspect a well-placed proxy or DNS poisoning could siphon off a good chunk of sensitive emails being sent to Global Relay.
giancarlostoro
> Or are they an illegal proprietary fork?
As long as their clients can redistribute it, its not illegal, especially if their clients have 0 interest in leaking the source code, the real trick is, has anyone who is NOT using that client hit any of the AGPL relay servers?
For context, I worked for an employer that sold a custom software solution, which used GPL'd software, client was in the military space, so I guess DOD, anyway, for over a decade nobody asked for any of the code, till some years back. I am guessing they just wanted to have it evaluated, but it was a workhorse of many many things, good luck trying to fork it, LOTS of moving pieces involved.
Nothing illegal unless someone who touches a TM SGNL server (somehow) requests the source and they reject you from having it.
obitsten
[dead]
giancarlostoro
Looks like the app is this one?
https://www.telemessage.com/how-to-install-and-register-sign...
UnreachableCode
Christ. Install it using an App Centre distribution
null
arghandugh
This is because they are lawless, careless, under the thumb of foreign interests, and have no intention of serving the interests of the people of the United States of America.
JumpCrisscross
Waltz was chosen for loyalty. He simply isn’t very smart. There is no grand plan behind getting your screen photographed while chatting with the VP, DNI and SecState.
UnreachableCode
Shouldn’t any government issued smartphone have privacy screen protectors at the very least?
qingcharles
Would love to know what the message from JD means: "I have confirmation from my counterpart it's turned off."
brewdad
OMG. He turned off the Pope!
null
cryptonector
At least this takes care of the open records issues, no?
JumpCrisscross
“On Thursday Reuters published a photograph of Waltz checking his mobile phone during a cabinet meeting held by Donald Trump. The screen appears to show messages from various top level government officials, including JD Vance, Tulsi Gabbard, and Marco Rubio.”
Head of NatSec, ladies and gentlemen. Once the domain of Kissinger, Brzezinski, Powell and Rice. Now with the opsec of a brain-damaged cocaine dealer.
grg0
Pin is 1234.
stateofinquiry
"That's amazing! I've got the same combination on my luggage!"
cantrecallmypwd
Looks at each other disapprovingly.
(It was 1-2-3-4-5.)
pseudo0
They are shuffling him off to be UN ambassador per recent reporting. Better late than never, I suppose.
timmytokyo
I'm sure his replacement will be so much better. /s
KerrAvon
Kissinger and Rice are war criminals who should have gone to jail for the rest of their respective lives. Trump’s guy can’t even manage that level of evil.
wiseowise
War criminals or not, you can’t deny they were smart. Unlike current administration.
cantrecallmypwd
Intelligence isn't a respectable quality in the face of illegal (allegedly), unethical, and/or immoral behavior.
Kissinger shared culpability for what happened in Cambodia, Laos, and Vietnam.
Rice shares culpability for what happened in Afghanistan and Iraq.
Hegseth may still participate in war crimes regardless of being a dim bulb. One can only hope his disability makes him less effective in causing harm deliberately, but he still may cause great harm inadvertently as well.
America needs to acknowledge that it has a multitiered system of selective criminal prosecution where some people get away with crimes because of who they are.
https://archive.ph/oXYXe