Program Date: June 2, 2025

David Huerta Transcript: June 2, 2025

Rachel Jones/NPF (00:01):

Session three of the June 2025 Widening the Pipeline virtual training. We’ll get some exclusive insights into a communications tool that made global headlines in recent weeks. David Huerta is here to help us explore the Signal messaging app and its potential to boost our coverage. David is a senior digital trainer at the Freedom of the Press Foundation, where he trains journalists in privacy-enhancing technology to empower a free press. He’s taught hundreds of trainings across the world and has previously organized the digital security track at the National Association of Hispanic Journalists conference. You can read David’s full bio on our website at nationalpress.org. David, thank you so much for joining the Widening Pipeline family today. So take it away.

David Huerta/Freedom of the Press Foundation (01:00):

Thanks, Rachel. I’m just going to go ahead and share my screen real quick. All right, there we go. And everybody see that? Looks like it’s working.

(01:15):

Very good. All right, so I just want to talk a little bit about the organization that I worked for. So of course as mentioned, Freedom of the Press Foundation. We have a few different projects that we work on, one of which is the Press Freedom Tracker, which is a joint project with CPJ, the Committee to Protect Journalists. And this is a searchable database of incidents against journalists since 2017. So various attacks on the press, et cetera. And that is something that we dedicate sort of a small newsroom of reporters to, to sort of make attacks on journalism the story when journalists don’t want to make themselves a story. So we kind of helped cover that. We’re also unique in that one of our strengths, I would say, is our technical capacity, and we showcase that in many cases, but one of the kind of main ways, one of our sort of flagship things that we create and maintain is something called SecureDrop, which is a whistleblowing platform used by newsrooms all around the world to help create a safe and incredibly secure way for whistleblowers to reach out to you.

(02:26):

There is also a relatively new project that we’ve started kind of taking the helm on called Dangerzone. This is a way to essentially take PDFs from strangers, something that we all do as part of our everyday work, and create safer copies of that. So another thing to check out, and last but not least, there’s my team. So we’re the Digital Security Education team, run by our Chief Information Security Officer, Harlo Holmes. And basically what we do is we do things like this. We can come to your newsroom and talk about digital safety. We can talk about secure communications with sources, handling leaked files and any number of other topics. We also have a lot of guides online. So many of the resources and things that we’ll be talking about today, we have a written guide for on Freedom Press, so definitely check that out. And then of course, we also have a weekly newsletter. We kind of keep people up to date on new developments as they go on. We’ve been sort of chronicling, the Signal Gate saga was one of the things that we’ve covered through our newsletter and kept people up to date, help fact check what is being discussed in discourse.

(04:00):

And today we’re going to focus in on the specific topic of having safer communications with sources, which can be a very, very, very tricky thing to do for a variety of different reasons. Partially because the thing we use to talk to our sources may have a certain variability on whether or not it makes sense. It might not always be the right tool for the job, so to speak. So there’s a few questions to ask besides the security ones that we’ll dive into is of course also the question of whether or not they’re going to be willing to use it. So you may run into a source that literally just doesn’t know how to install apps on their smartphone. It is something that their job gave to them. They might either not know how to install apps or they might have a phone that is locked down so they’re not able to install apps.

(04:56):

So you may have to think through, it’s like, well, what do they already have access to that we can use? Use that in a way that’s safe. There’s also the question of adoption because there are places in the world where certain apps are banned and are just not available either because of a government sort of legal constraints or because of the fact that they simply don’t want to do business in that country. So those are things to consider. And advice in this case is not universal. It can vary very wildly. This is kind of the two ends of that spectrum. So over here on the left, we have a post, basically a guide from Michael Lee who is a person that we worked pretty closely with at Freedom of the Press Foundation actually, who used to work for The Intercept, talking about how to prepare a phone for covering a protest for mass demonstration in the United States.

(05:59):

And Signal of course is a huge part of that. It’s a very safe tool to use. It makes sense. It’s available within the US and it works. Over on the right, though, in a completely different legal framework and different political context, you see a story about police in China, in this case in western China where there’s a heavy amount of surveillance on the Uyghur population there. Basically saying that somebody was arrested, not just questioned, but straight up arrested for having an app that was not standard, not popular. So that’s something to consider into this equation here. And although we might not be necessarily talking to people in China or even in other countries, there may be workplaces where having something like Signal may be a little bit suspect. So that’s just something to keep in mind, even though I still think, and we’ll go into the reasons why, Signal is kind of the best.

(07:03):

So when it comes to the security questions, there’s a question of privacy because if we want to have a confidential conversation with our sources, that might be something most things might be good. Hey, are you good? How are you with Lemonade all? So yeah, basically in this case, we’ll want to make sure that it’s a private tool and the reason that privacy is guaranteed in this case is through encryption. However, and this is something important to point out, is that everything on the internet has encryption to some degree or another. So the type of encryption actually matters a huge amount. So let’s dive into that.

(08:04):

All right, so most of the internet already has some form of encryption when you use it. So most of the websites you use, most of the apps that you use probably use what is called in-transit encryption, and that’s the ability to guarantee the confidentiality of your communication between you and a particular platform. And that’s normal. That’s not particularly special. It’s what Gmail has, it’s what Facebook has, it’s what Twitter has. All these different platform providers that you can think of offer that. And that’s great news because 22 years ago we were definitely not there, but in this case, you can kind of see in this diagram who can see what. So if we have, for example, any kind of service provider that we use on our day-to-day life, whether it’s Outlook, Gmail, X, all these other kind of places where we might have a DM or an email or some other message being sent or received, you can see here that the wifi operator, the cell network, anything kind of tapping into just the raw sort of cabling of the internet, they’re cut out of the equation. They cannot see your DMs on basically any real platform that people actually use. They cannot read your emails, and that’s really good news. That’s an amazing achievement that has been sort of ramped up since the Snowden revelations by a lot of these platforms.

(09:37):

But there’s limitations to that. One is kind of the sort of huge important thing to point out is that yes, you have in-transit encryption and that’s great, but if you look at this green bubble here, the actual platform itself, the platform owners can see what you’re doing on their platform. And that could be something tricky to navigate because in this case, for example, if you have a whistleblower that’s like your source for reporting on Elon Musk, it’s probably not a good idea to do that on an X DM because Elon Musk can literally read those DMs.

(10:16):

However, there’s encryption that’s a little bit better than that or a lot better than that, and that’s called end-to-end encryption, and that’s the good stuff. Basically, end-to-end encryption ensures that the content that you have cannot be decrypted by a third party or in addition to that, the platform that operates that app or a service. So things like Signal, things like Proton Mail in some circumstances, things like WhatsApp in most circumstances work like this. They are set up in a way that data going through the systems are protected in a way that even they cannot see the contents of. So if you’re sending a Proton Mail message from one Proton Mail user to another, the company Proton cannot actually see what the contents of that email is. They’ll be able to see who you sent it to and what time, but they’re not going to be able to see what the actual message says. When it comes to Signal and WhatsApp, kind of the same story. In this case, Signal, WhatsApp, those two companies, in this case, WhatsApp is owned by Meta.

(11:34):

Meta will not be able to see what the contents of that message is necessarily, but they would be able to see the who, the to, the from, all this kind of metadata. So data in this case, the way I’ve been talking about, I’ve been referring to mostly as the content. So the content in this case is that specific message that you’re having, that conversation that you’re having with your source, the what basically. There’s also metadata, which is the who, when, where and how. So there’s a lot that could be sussed out by that, and that’s something to consider when choosing one of these platforms. Before we dive into that, I’m curious to know, feel free to shout out in the chat, which of these communication platforms are you already using at work, either to talk to sources or just to talk with your colleagues?

Leah Kincaid | WGXA News (12:33):

Hi, I’m Leah with WGXA. We do use Microsoft Teams and we use text messages a lot of times with sources we communicate via it, just regular cell phone or Instagram DMs, Facebook DMs, things like that. Yeah.

David Huerta/Freedom of the Press Foundation (12:52):

Okay, good to know. All right. And I’m seeing a lot of WhatsApp usage which tracks because WhatsApp is one of the most popular apps that exist on the planet and some Teams users. All right, so there’s a rubric to consider that sort of takes this question of how to balance source willingness and security. In this case, we kind of call it, we have this basically rubric. So there’s a few apps that were mentioned already on here, some are not, but basically we’ll just start from the bottom, which is text messages. This is something that is built into every single phone going back to our dumb phones that we all used in 2003 or whatever. Unfortunately there’s no real encryption on that. It’s basically just hot garbage. And that’s something that unfortunately I learned the hard way. I was originally, when I was a young kid, a 19-year-old living on my own for the first time, I was on a family plan, and apparently the family plan means that every single text that you send as a sort of child on that family plan gets printed out and included in your bill basically that my mom was able to see.

(14:14):

So yeah, text messages have no encryption on them. I learned that the hard way. There’s been some interesting stories in the past like 10 years about also how phone companies have been very fast and loose on that data and how they’ve done things like sold that data to debt collectors, for example. So that’s something to keep in mind is that text messages exist in this space where there’s just no real privacy protection outside of some wiretapping laws, et cetera. But ultimately the cell carriers have a lot of autonomy over what they do with that data and they generally are not very interested in your privacy sometimes. So as the reporting is gone down here, we also have Slack and I would also put Microsoft Teams in this category. So they both have what is called in-transit encryption, which we talked about earlier. If you’re on a public wifi and you’re sending a Slack message, you’re fine.

(15:13):

That wifi network isn’t going to be able to see what your Slack messages are. They’re going to be able to see that you’re connecting to Slack, they’re going to be able to see that you’re connecting to Teams. They’re not going to be able to see much else. So that’s really great news for most of the things that you will probably talk about with your coworkers unless it’s super, super sensitive because if it is, there is a risk of what happens if there’s a legal order to one of these companies, which does happen. If you look at the Slack terms of service for example, you’ll see a little bit about what happens when they do have a legal request, when they have legal hold. And what happens is basically if you go through the terms of service it outlines, it’s like, well, normally we delete your data after this amount of time, but if there’s legal hold, it’ll just look like it’s disappearing, but it’ll actually still be there.

(16:00):

So that’s something to keep in mind. Microsoft in this case probably has a different retention policy, although they probably more aggressively retain that and don’t necessarily make deletion an easy thing. So that’s definitely something to look out for. The Microsoft Unified terms of service kind of goes through the exemptions of when they would basically circumvent the normal legal process back in hold they have with lawyers going back to the government. So there are exceptions to that rule where you may with Teams because it being a Microsoft product, there may be some situations where that data is basically just handed over to police due to a time-sensitive investigation. So something to keep in mind there. And yeah, Slack, Microsoft Teams, these are not end-to-end encrypted. These are only in-transit encrypted. That is why they’re vulnerable to things like legal requests.

Rachel Jones/NPF (16:55):

I see a comment from Mark Edwards. He’s asking, is RCS chat any more secure than standard SMS texting?

David Huerta/Freedom of the Press Foundation (17:04):

It’s slightly more. RCS does add a little bit. I haven’t looked at the standard too closely yet, but ultimately it’s still vulnerable to the issue of just the cell providers having a copy of that message. But it does have some in-transit protections that are a little bit better than text messages from what I understand from a cursory read of that. I’d have to dig into it a little bit more further. But yeah, so RCS is definitely better than text messages. So you had to choose if those are your only two top options. And RCS is definitely better just because text messages, SMS text messages, are just so bad. Alright, so going into things like these Meta products. So we have things, Instagram, Facebook Messenger, it’s a mixed bag generally speaking. If you use, back in the day anyway, if you were to use Facebook Messenger messages or Instagram messages, those would only be in-transit encrypted.

(18:05):

Nowadays you do have the ability to have end-to-end encrypted messaging in both Facebook Messenger and Instagram. In Facebook Messenger it’s a little bit easier to have that sort of start and get going. With Instagram, you have to go out of your way to go into a conversation with somebody and then say, have an end-to-end encrypted conversation and it’s kind of deep in the settings. And then from there you can start a separate conversation. So you’ll see two conversations with the same person. One of ’em has a lock on it, one of ’em doesn’t, and then one with the lock is basically the end-to-end encrypted one. So if your source, for example is not going to install Signal or it would look weird if they had Signal in their workplace, there are ways of making it work in Instagram, you just have to both be really, really careful to make sure that you are in the correct version of that chat.

(19:01):

There will be two of them, a regular in-transit encrypted Messenger app and an end-to-end encrypted app conversation. So that’s just super important to keep in mind because it is really easy to make that mistake. Speaking of making mistakes easily thinking you’re in a secure conversation: Telegram, kind of useful for looking into what cybercrime folks are doing, but not super useful into having necessarily fully end-to-end encrypted conversations. In many cases with Telegram, you have to really go out of your way to start a one-to-one secure chat because their implementation of how they do end-to-end encrypted group chats or secure group chats is maybe not as great as what security community would recommend. So that’s just something to keep in mind there. It’s still a great platform to look into what people are doing in real time as a social media platform to see what people in Russia or Ukraine are talking about, for example, or what’s going on in cybercrime groups.

(20:05):

But when it comes to secure one-on-one chats, it’s really, it’s a little bit dicey. So that’s just something to keep in mind. Now going up to sort of the kind of better top shelf of what we would consider good privacy protecting apps, like we have WhatsApp, we have iMessage, both of these work pretty well. iMessage in this case is not all the way, partially because if you are talking to an Android user on iMessage, that turns into an SMS text message and that’s not great because it’s the worst of the options here. But if you are having just a straight up blue bubble conversation with another iPhone user, that’s great. That’s fully end-to-end encrypted. The protocol seems like reasonably well built. That’s basically good news there. However, if you are backing up messages on iCloud, that is where things get a little bit dicey because now you have basically an unencrypted copy that exists in your iCloud that can then be subject to legal order.

(21:19):

And unfortunately this does happen sometimes, and the same thing with WhatsApp. So with WhatsApp, if you’re backing up your messages to iCloud, then now you have this computer that Apple has with your iCloud messages that could be subpoenaed or have some other order levied at it to get access to that data. And if you’re backing it up on Google Drive, which is an option you get when you set up WhatsApp on Android, then now that court order would basically be redirected to Google instead of Meta. So those are things to keep in mind. There are ways to turn those backups off and delete them, so there’s documentation available on that from Meta for example. Same thing with Apple. On Apple though, if you are on a newer Apple device, you have the ability to turn on what’s called iCloud Advanced Data Protection, which basically lets you choose specific types of data that iCloud has and end-to-end encrypt it.

(22:22):

And this is a very, very new feature. It’s not available everywhere. I think Apple is actually turning off that feature for the UK, but if you’re in the US, you still have that feature available to you. It is something that I recommend everybody just turn on because that basically makes it so that you will have iMessages that are already end-to-end encrypted, but then the backups of those messages can also be end-to-end encrypted if you turn on this Advanced Data Protection feature that Apple has, and that’s something that’s in your settings on your iPhone or on your Mac. So definitely check that out. Under iCloud here is Signal. Signal of course in this case is not very popular, definitely not as popular as WhatsApp, but if you’re for example in DC a lot of people are using Signal, so that’s not necessarily a bad place to start and in this case, the official Signal app, not the sort of stuff that some government agencies are using, but the official Signal app does not allow backups.

(23:20):

So that means that unfortunately as it sounds, you don’t have backups of your Signal messages, but it also means that there’s no way to accidentally have your messages in a vulnerable place. There’s just also just a lot of other little security features that are really great that it has. We’ll dive into some of those, but one of the things to consider here when backups is that yes, this is a thing that happens. This is an older story, but this is a very recurring story. There’s one of these every single year where it’s like, oh, somebody thought their WhatsApp messages were secure and the messages themselves going through Meta’s service were in fact end-to-end encrypted, but the backups of those in this case went to either Google or Apple as backups and were subpoenaed and read aloud to them in court. The other issue with tools like these is that they contain metadata. So I talked a little bit about what metadata is. This is kind of an example from an older form of encryption called PGP, which underneath the hood of the car that is Proton Mail, that is basically what is the engine. So in this case, if you can see here, feel free to shout out in chat what exactly you can see that is the metadata of this message.

(24:50):

All right. Any guesses on the types of metadata we see here? Yes. Perfect. Yeah, who sends and receive the message and what date and time? So yep, timestamps. So the timing and the who basically. So if it is a situation, if you’re in a situation where you’re talking to a source where you both want the rest of the world to maybe not know that you’re talking to each other, that can be a potential issue there when it comes to metadata. So that’s something to keep in mind when it comes to the kind of platform you use to talk on these things. For example, if you do end up having to go through with Instagram or WhatsApp or Facebook Messenger, there is metadata collected by Meta on those platforms. That’s something to keep in mind. But luckily when it comes to, oh, sorry, before we dive into that, it’s like there are a lot of ways that these things can be levied against journalists.

(25:56):

This is a story from Australia that basically was about this metadata retention law that required internet service providers to start collecting metadata about communications going through them, not the data itself, but the metadata. And this was in fact used to dig into what journalists have been up to. So that’s not great, and you can see if the blueprint for what’s happened in Australia is there, you can only imagine that it’s only a matter of time before that sort of thing is happening here if it’s not already. So that’s why we like apps, platforms that don’t collect that metadata at all. Signal is an example of one of them. So here is in the Signal website, they kind of talk a little bit about grand jury subpoenas that they’ve received, and these are sort of the ultimate kind of legal requests that you can get when the us So you can see, yeah, you got to give us absolutely everything you have on this user with this phone number.

(27:06):

And if you look at the actual thing they sent, you will see here that it is the time that they last connected to Signal, the time of when the account was created, and in this case the phone number of the user. But in this case, they already had the phone number, how they knew which user to request. That’s it. Just those three data points total. Nothing about who they were talking to, nothing about who their contacts are, and because of that, it is a very sort of elegant solution to this particular issue of confidentiality with sources.

(27:44):

So now that we kind of learned about the theory side of things, we’ll dispel the elephant in the room so to speak, of Signal Gate and how that actually happened. So simply to keep in mind with this story is this has kind of been developed. Whoops, let me go back to the slides. This has kind of been a thing that has been developed, a story that’s been developing over time. It turns out in this case that there are sort of unofficial Signal apps, like the way that there are unofficial WhatsApp apps, unofficial Telegram apps, and there were some that were developed to basically make a copy of those Signal messages and place ’em elsewhere, much like the way WhatsApp does when it allows you to back up messages elsewhere.

(28:32):

So there’s a few kind of lessons learned from this that I want to kind of point out. One is just there is this idea of what’s called operational security, is that you can have really, really, really amazing technology that is perfectly implemented, but if you accidentally invite the editor of the Atlantic to the room, there’s not really anything that technology can do for you at that point. So you just got to be careful. All right, so there’s a few ways to be careful because honestly, this is something that is a little bit honestly annoying about Signal, just to be real with everybody, is that you just see the presented name of somebody or maybe the name in your address book and sometimes they’re just first names. So for whatever reason, I know I have 15 Matts on Signal and I have six Sarahs, and if you’re just seeing when you create a group chat, which person should I add?

(29:37):

They just show their first name or whatever name is there, which is usually just the first thing, just like which one’s the right Matt? So that’s why this nickname feature is really good. And so there’s a story here by 404 Media, which I recommend checking out because their reporting has just been pretty amazing on all this stuff, not only on Signal Gate, but just all kinds of issues relating to technology and AI. But they basically have, so they talk about using this nickname feature which Signal has, which lets you as a person that is using Signal on your app, basically choose like, okay, I can choose to display the name that is present if I have them in my address book on iOS or whatever, I can have it show that name or within Signal I can create a nickname for that person. So they can say David from Freedom of the Press Foundation, so that if you have a big list of Davids, which David you’re talking about, super recommend using that feature to avoid those kinds of mistakes.

(30:40):

So yeah, again, going back into the necessity for trust in who you invite to a group chat. If you invite somebody to the group chat that’s going to rat on you, it’s kind of an issue that technology in this case cannot solve. So there’s this word endpoint that is brought up and that basically means when we talk about end-to-end encryption, it’s encrypting so that only the two endpoints can talk to each other, only those two intended devices. So your phone and your conversational partner’s phone, and in this case, those phones can maybe not necessarily be in the best of health security wise. So there’s a few just normal recommendations no matter what app you end up choosing to use that we recommend you use for yourself, but also perhaps to pass along that recommendation to sources is to run security updates, to make sure that you have a strong password or lock code and to just make sure that your settings on your phone are good for that.

(31:47):

When it comes to one of those settings, and kind of the main one we kind of want to emphasize is to turn on what’s called device encryption or full encryption. So if you have an iPhone, great news, that’s already there, you can’t turn it off, it’s ready to go. If you’re on Android, you kind of want to go in your settings, look for encryption, and then make sure that the, your phone option is already turned on. In many Android phones, it’s already turned on, but not all of them. So that’s just something to be careful about.

(32:21):

All right, so when it comes to Signal, it’s like, all right, this sounds great, I’m ready to roll on this. There’s a few different places to start on that. Of course, you’ll want to make sure to get the official Signal app. You can go to signal.org and it’ll link to the Google Play Store or the iPhone, the Apple App Store. And there’s a few things that we can talk about actually when it comes to which features we want to learn to use. We only have about less than a half hour of time, so we’re not going to be able to go through all of these, but feel free to shout out in the chat which one seems like the most interesting to you, and we’ll go over the steps on how to get started for that. So these are the options here. We have updating your username, so the username is what you share with sources and the public so that they can reach out to you. In the past, Signal required you to share your phone number. That’s no longer the case. Signal now has the ability to let you share a username instead of a phone number. There’s things like verifying contacts if you wanted to make sure that we’re talking to the right people, managing notifications so that we make sure that somebody looking over our shoulder cannot see what we’re talking about, creating a PIN, so basically ways to protect our Signal account from account hijacking, and sending documents and files, which is something that we may be interested in doing with sources.

(33:54):

All right, so let’s see here, what do we got? We got a few things. We have verifying contacts and sending files. Cool, I think we have time to do both. So let’s see how much we can do here. So when it comes to verifying contacts, there’s a few ways to do that. So if you have Signal open, go ahead and open up your Signal app. We’re going to show you exactly step by step how to do this in your conversation basically that you have here. You’re going to have, so if you have a conversational partner and if you open up that sort of like their profile, basically you’ll see a few different options here. You can set up a nickname, which is the thing that we talked about previously in that 404 article that was mentioned about how you can kind of disambiguate between different Matts or Sarahs in your address book, and you can do a few other features here as well.

(34:59):

So one of which is what is called the safety number. So safety numbers are ways for you to basically check to make sure that you’re talking to the right person and have a little check mark that shows up on that person’s profile to mean like, Hey, this person reached out to me, they say they’re David Huerta, but how do I know if that’s true? We’re going to verify in person to make sure that I am talking to the correct person. So if you have the chance to meet in person, you can basically use this QR code feature that basically says, Hey, each of these endpoints, each device has a unique identifier called the safety number. And when you combine, that’s this, when you combine those identifiers, you get this safety number for a conversation and you can scan those using Signal with this QR code.

(35:55):

So each of you basically goes to this place in view safety numbers, and then once you scan them, and if those numbers match, then that means that you can basically mark them as being verified after that point, as long as you’re using the same phone. If you see a message from that person, you’ll see that little checkbox saying that you’ve previously verified them. If you change phones or if they change phones, if they upgrade it for example, that’s a different device. So that identifier changes. So that’s just something to keep in mind to maybe give people a heads up if you’re about to change your phone or if you lose your phone, for example.

(36:38):

Alright, so that’s kind of how that works. It’s pretty easy. That’s a way to do that. I would also recommend adding a nickname on top of that, and it’s basically in the same place. It’s literally just you hit the nickname button instead of the view safety number button and then you can set up a nickname for them, which is cool. As far as, let’s see. When it comes to managing, sorry, sending documents and files. Signal has actually a lot of really great features around this, which I’m really happy about. So one in this case is you have the ability to use what is called Note to Self. For example, if you want to, when it comes to receiving files from sources, that’s pretty easy to do because it works just like any other messenger app, you just hit this plus button and then you can just send things.

(37:36):

You also have this Note to Self feature where if you want to send yourself something on a different device, for example, if you have a different work phone or if you have Signal Desktop and you want to work on a file you got sent on your computer for example, so you can get it ready for publication, you can use this Note to Self feature and basically take the file that is on your phone and then share it to yourself on your own account so you have access to it later. The cool side effect of this is that it removes a lot of image-based metadata. If you are sharing, for example, a JPEG photo or a PNG, like a photo that somebody sent to you, if you’re worried it might do things like include location, that’s something that it takes care of. So yeah, basically that’s another thing you can do there.

(38:30):

And let’s see. So here for example, you have the ability to include different kinds of files. So if you’re, for example, wanting to share something that’s saved to your photo roll, you can do that here. If you want to share a photo that doesn’t get saved to the photo roll, you wouldn’t use the plus icon, you would use the little camera icon next to the message box, and then that way it just kind of sends you a photo directly from where you are to whoever your recipient is, whether it’s your Note to Self or someplace else. This might be useful if you’re working on a situation where you don’t want to save something on your photo roll because you want to make sure, because that might be getting backed up to Google Photos or something. If it’s not something that’s super sensitive, it’s fine to just use the normal sort of photos button here instead of the camera button. But yeah, if you look at it here, like Android, iPhones, they might ask for what permissions you provide Signal to have access to certain photos or not. So that might be something you want to set up first, but otherwise you should have access. If you allow full permissions, you can just kind of let it choose which photos from your photo roll to include. You also have the ability to include just files. So if you have somebody that sent you a PDF, you can send a PDF as well.

(40:03):

So that’s how that goes there. And then from here, you can just kind of go ahead and have this photo sent to yourself. Can include, you can do multiple ones, you can crop it, you can sort of mark it up if you want. There’s a lot of standard features that you see in really, really basic photo editing basically that’s available to you. Something that I recommend kind of going through is this guide here that we have called Signal for Beginners. It’s really, really useful kind of for everybody, but if you’re new to Signal, you just want to get started on it, you just want to learn the basics before you jump into the more advanced features. This is a really good place to start. It was written by my coworker, Dr. Martin Shelton, who also runs the newsletter, so definitely check that out. Also useful to share with potentially, but sources who are maybe installed Signal but don’t really know much about it and want to learn more.

(41:14):

And there is also in this case, Locking Down Signal, where we talk about a lot of specific features that we also recommend people use. So this can be a few really basic things. How do you make sure that your notifications aren’t showing the contents or the name of the person that’s reaching out to you, or how do you turn on disappearing messages, for example, so that if your phone gets stolen or seized, how can you make sure that in this case the amount of messages that are available on that phone are minimized so that it’s not just the full entire history of everything you’ve ever said to a person, but just the last week or so. So all that is kind of talked about a little bit online on our guide on Locking Down Signal. So if you go to freedom.press, there’s also a lot of other articles that we talk about in there that relate to Signal.

(42:19):

There’s also this guide that we have here called Your Smartphone and You, and that is, it’s in the same place at freedom.press, but that one basically talks about securing the endpoint. What do you have to do to make your phone a secure place for confidential conversations to even exist in? There’s a lot of guidance in what to do here. I would say though, if there’s one thing, one piece of advice when it comes to smartphone security that I want remembered over above all other smartphone security advice is to make sure that you are running your OS updates. So if you’re running Android, making sure that you’re up to date on your Android updates, if you’re on iPhone, making sure that you’re up to date on your iOS updates. The reason for that is that when there’s a flaw that compromises the security of a system like iOS or Android, the way the fix gets rolled out into the world is through the update mechanism.

(43:31):

And you’ll see this if you look at the fine print on these OS updates, if you look at the fine print on the iOS updates, on the Android updates, you’ll see the specific things that have been discovered and the security vulnerabilities and why it’s urgent that you update it. So it’ll kind of go through and be like, oh, this makes it so that somebody could take over your phone by plugging in a device connected with the audio, connecting something to the audio jack, and you’re like, huh, that’s bad. I should probably update that. So if you ever want or curious about the details about how these things work, that is kind of a place to see the story behind the software updates, so to speak. So yeah, out of everything that I could advise when it comes to smartphone security, making sure that updates are probably at the top of the priority there. So that basically goes through the kind of things that I wanted to cover. Of course, I want to make space for questions, and if you want to quickly run through some of the other kind of Signal things, tips that we’ve talked about or just mentioned but didn’t deep dive into, I can also kind of talk a little bit about those as well. So feel free to ask a question in the chat or unmute yourself. I see a raised hand from Chloe.

Keerti Gopal/Inside Climate News (44:58):

Hi. Yeah, this question is less specifically for Signal and more for any of the communication things. I work a lot with sources from outside of the US and Canada. So I guess my question is more on, in the case of a subpoena or in the case of any kind of data leak, is that more region based because of the country’s laws or would it be more based off of the actual company itself? Basically, my question is does the company’s policies on data encryption or whatever, is it based off of the company or based off of what country we’re operating in?

David Huerta/Freedom of the Press Foundation (45:37):

It’s really both. So for example, Google has what’s called the transparency report. So let me see if I could find it here. And what this is is that, I’ll just put a link to this. This is actually just really intriguing sort of reading, but it kind of talks a little bit about which countries they receive legal requests from and which ones they actually honor and disclose user data. There are some cases where they just don’t really work with the government that they’re talking about in question. So for example, you’ll see a lot of requests for user data within the US that will basically end up procuring user data. But if you look at legal requests for Google data from the Russian government for example, they’re just going to be like, no, we’re not going to give that to you. That being said, though, every company operates and takes different approaches to how they work within different countries.

(46:43):

For example, I mentioned earlier that Apple will straight up not offer advanced data protection in the UK. So that kind of end-to-end encrypted iCloud option straight up doesn’t exist for Apple users in the UK. And the way Apple, for example, also does business in China is that there’s a complete separation of data for servers basically as we call ’em, where user data is stored, where if it’s a China-based user that’s on Apple’s infrastructure, that data will exist in servers that are within China. So there’s different rules applied to that that make it more compliant with the legal system there, which could have deeper data access than it would have for example, if those servers were in the US.

(47:35):

These are all things to keep in mind, and there are interesting ways to work with those advantages and disadvantages. For example, there’s companies like Dropbox which are very popular in the US but incredibly obscure in the rest of the world. And if you look at Dropbox’s transparency report, you can kind of see which countries they just basically ignore data requests for but have not necessarily been blocked in that country yet. And things change. Unfortunately, a lot of these regimes do get more sophisticated over time. We’ve kind of gotten used to China being the only sort of advanced firewalls part of the world, but those kind of sophisticated technologies for that sort of great firewall infrastructure are now unfortunately pretty much being rolled out in a lot of other places where that infrastructure was very basic. So a lot of the same kind of things are being rolled out in places like Russia and places like Egypt in places like Turkey. So those are kind of other things to keep in mind as well as all this is happening is some of these, there may be tools available that make sense for the present day, but it could be that the next month Dropbox could cave and start honoring legal requests for data or they become blocked in one country or another. So when it comes to talking to people in censored countries, unfortunately it is a bit of a cat and mouse game and we’re the mice. So

Keerti Gopal/Inside Climate News (49:15):

Thank you.

Rachel Jones/NPF (49:18):

While I’m waiting to see if there are any other questions, I’m wondering what you’re hearing from journalists and newsrooms around the country about their confidence in Signal and also what are you hearing about new evolutions or other apps that are coming along?

David Huerta/Freedom of the Press Foundation (49:39):

Yeah, that’s a great question. So I would say that so far people are still using Signal, at least in places where Signal has been very popular. So coming from New York, most if not all journalists here have Signal on their phone. It’s very much been kind of a standard thing that people have been using for almost a decade now. Well maybe not a decade, but maybe a little bit five years at least. Whereas, and that’s true for DC, that’s true for San Francisco, but when it comes to the rest of the country, I feel like most people have not heard of Signal and have only heard of it through Signal Gate, which is kind of interesting because it’s kind of in my opinion, kind of the wrong introduction of what it is since they weren’t actually using the official Signal app. So there is sort of this confusion I think that exists with some journalists that are new to it to just say like, Hey, isn’t the app that this guy leaked things by accident to?

(50:46):

Can we trust it? And I was like, yeah, you just got to trust yourself to be able to navigate the settings to make sure you’re talking to the right person. The other thing too though is just I think a lot of people were caught off guard by the existence of these third-party Signal apps that use the Signal network and infrastructure, which technically according to their terms of service, they think they’re not supposed to, but then create these insecure copies of what’s being said in Signal over into a different place, which frankly from a security perspective, as somebody that thinks about cybersecurity constantly, if you’re just going to create copies of everything you do in non-encrypted databases, then why don’t you just use email? Why even bother with Signal at that point? But that is kind of just the way it exists right now is it is one of those things where people might not in the government, for example, might not even know they’re using Signal.

(51:40):

It turns out not everybody in the government is good at using smartphones or technology, which we can’t blame them. None of us were born with smartphone knowledge and honestly, smartphones have gone way more confusing than they were in 2010. I am old enough to be alive. I remember when these things were really easy to use and now there’s too many features and it’s understandable that they’re confusing, but people might not necessarily know that they’re not using Signal, that they’re actually using some government-provided third-party Signal app that nobody’s ever heard of. So that is something to just be careful with, especially in DC with some of these federal sources. And it’s just like, is this real Signal? Can you please chat on your personal phone and not your work phone? Those are all kind of important considerations and what the temperature check on Signal is right now because it is still for people that use it. It is still the way to go. People set up tip lines with it, which there’s special considerations when doing that, but for most newsrooms it is actually a relatively working system for most of their needs.

Rachel Jones/NPF (52:48):

Are you hearing that journalists are actually able to develop sources that they might not otherwise have had because people are more willing to talk to them on Signal?

David Huerta/Freedom of the Press Foundation (53:01):

Yeah. I’m not going to name names of course, but I will say that there are journalists that I’ve talked to where they will only work with them over specific secure communication platforms. Whether that’s a little bit yes on Signal for sure, some sources will be like, I am not talking to you over email. We need to take this to Signal. It’s interesting that now there’s an awareness of it from the other side because we’re used to hearing that conversation start from the journalist end, but also Secure Drop. So there are, anecdotally, I’ve heard journalists share, yeah, we want to set up Secure Drop, some sources that we really want to get to, and they won’t only talk to us through that. So it’s a mixed bag, but it is kind of secure. It is something where people still basically trust Signal but understand a certain extra level of danger to their whistle blowing that they’re like, actually I want Secure Drop. That takes things even more further than that.

(54:03):

And as far as new and emerging apps, I would say that there’s not really, I feel like other apps are catching up. Like Instagram for example, I would’ve never imagined would have end-to-end encryption ever four or five years ago. And now it does as an option, as an optional feature, and that’s kind of nice to see. I think that’s great. There’s always new apps being developed and coming out and others adding new features. For example, all the Proton Suite, so it used to just be Proton Mail and now it’s Proton Drive and Proton Password Manager and Proton Calendar and things like that, Proton Contacts, and that’s cool. I am happy to see these kind of platforms become more robust over time. I’m not

Rachel Jones/NPF (54:54):

Seeing any other hand, so I want you to wind us down and take us home, as they say, with some advice. For the journalists who may feel like this is all for elite investigative teams, I mean, yeah, they need to have this kind of security and anonymity, et cetera. How can the journalists covering cops or education or whatever, how can they best utilize these kinds of tools to enhance their reporting?

David Huerta/Freedom of the Press Foundation (55:32):

Yeah, I mean honestly I would say no matter what your beat is, it’s very, very useful to just become familiar with this kind of tooling. Partially because we’re in an era of volatility. Things are changing very rapidly. Yesterday’s benign story could be tomorrow’s hot take, so to speak. And I think a really good way to approach this is through the perspective of preparation of knowing, hey, I don’t think this is particularly spicy as a story that can change. And if so, maybe it’s a good idea at the sort of start being prepared for that to be a thing. Because it may be that doing things like environmental reporting may be very benign right now, but in the future may be a huge target of subpoenas and surveillance. That’s another thing to keep in mind. Also, beats can change. You may end up with just landing a huge story. A lot of the Washington Post reporting in the seventies, et cetera, some big stories came out of somebody basically just doing regular old crime beat reporting and then finding out that somebody that broke into Watergate worked for the CIA. If you find yourself in that situation, you may want to become familiar with the tools that will let you build the story and get your Pulitzer. So

Rachel Jones/NPF (57:02):

I’ll translate that for you, David. What you’ve just said is you need to stay ready so you don’t have to get ready. Is that

David Huerta/Freedom of the Press Foundation (57:09):

Exactly

Rachel Jones/NPF (57:10):

Where we are? And this session has been very enlightening for me, and I’m sure the journalists will reach out to you if they ever run into any challenges or need to get a little bit more information. So

David Huerta of the Freedom of the Press Foundation, thank you so much for joining the Widening the Pipeline family.

David Huerta/Freedom of the Press Foundation (57:32):

It was a pleasure. Thank you for your time.
