“There are very clear rules regarding the retention and deletion of records under the Presidential Records Act,” said Adam Marshall, an attorney at the Reporters Committee for Freedom of the Press. “The use of messaging apps that automatically delete communications by persons subject to the PRA is incredibly troubling.”
The White House was not available to comment on its policies for retaining Confide messages.
Even if White House staffers were allowed to delete traces of their communication, however, Confide may not be the most secure app to use for doing so. Jonathan Zdziarski, a security researcher who specializes in digital forensics, took a brief look at the app’s security features on Tuesday. He found that the app uses a combination of open-source encryption methods and some unvetted techniques of its own creation, leaving questions about their security. Some of the app’s other functions are unusual—but not necessarily problematic.
“The application doesn’t smell fully kosher, but at least it uses some standard encryption routines, which many other applications fail to do,” Zdziarski wrote. “I did not see any obvious red flags in terms of forensics artifacts or other overtly nefarious behavior, but this was a quick once-over.”
He recommended that the White House submit the app to a full cryptographic review before allowing staffers to use it. “On the whole, it may be fine for personal conversation, but I would recommend a more proven technology, such as Signal, if I were to have my pick of the litter,” he wrote.
I asked one of Confide’s co-founders, Jon Brod, whether the app had been vetted by an independent security researcher, but didn’t get an answer. Brod did say that he was happy to hear that staffers were making use of his app. “We think it makes perfect sense, regardless of which side of the aisle they're on,” he said, given the sensitive nature of their work.
Brod said it’s up to users to play by any applicable rules that govern communication in their workplace. “We expect people to use Confide in a way that complies with any regulation that may be relevant to their particular situation, just like they would with other communication platforms,” he said.
Confide isn’t the first secure-communications app to find popularity among politicians and their aides. Signal, the gold standard of encrypted messaging and calling, is used by staffers who work for President Trump, Barack Obama, Hillary Clinton, New York Governor Andrew Cuomo, and New York City Mayor Bill de Blasio. But the app recently added optional features that allow messages to expire, which could raise the same records-retention issues as Confide.
The popularity of encrypted communications apps has caught the attention of Congress. This week, two members of the House Committee on Science, Space, and Technology—including its chairman—sent a letter to the inspector general of the Environmental Protection Agency, responding to reports that some of its employees were using encrypted-communication apps to discuss how they’d respond to certain actions from the Trump Administration. In the letter, the representatives wrote that the practice may “run afoul of federal record-keeping requirements” and shield important information from Freedom of Information Act requests or congressional inquiries.