The Trump administration’s spectacular security breach, in which it seemingly shared details of a planned military strike in Yemen with a journalist, highlights just what can go wrong if you use consumer messaging apps to run your government.
It’s beyond all reasonable logic that any government would use a consumer messaging app for even the most mundane chat. That it’s commonly used by the highest echelons of government on the most sensitive of topics is simply mind-boggling. Trump’s administration is using Signal to arrange airstrikes, the UK’s Boris Johnson administration used WhatsApp to manage the Covid crisis and Macron’s team used Telegram for its initial election campaign before France chose to standardise on Element.
Sweden recently encouraged its Armed Forces to use Signal, the EU recommended Signal too, and just last week The Office of the Australian Information Commissioner released a report showing extensive use of Signal and WhatsApp within its government.
It is inconceivable that the situation described by The Atlantic’s Jeffrey Goldberg even happened, and yet of course it did. It was always going to happen because consumer messaging apps offer absolutely no control over who is in a chat group, nor do they consistently ensure that their identity is who they really claim to be. There’s also no record keeping, which means a lack of compliance and information governance nightmares. In this instance, the conversation could violate either the Presidential Records Act or Federal Records Act.
This should be a wake up call for all governments, but especially the Trump administration. It was recently urged by Senators Ron Wyden and Eric Schmitt to move away from insecure centralised platforms and instead adopt the decentralised Matrix protocol for sovereign, secure and interoperable communications.
Why this would never happen with Element
A proper government deployment of Element takes advantage of Element Server Suite (ESS), an enterprise-grade backend that gives the IT function all it needs to professionally manage its platform and end-users. Within ESS are Advanced Identity and Access Management features that enable an Admin to restrict the sets of people who are allowed to participate in a given conversation, linking it through to an existing directory system such as LDAP or Microsoft Active Directory.
Crucially it ensures that as users are onboarded and offboarded they are only given access to relevant conversations, as specified by the end-user organisation. So no accidental invites to random people, such as journalists or foreign spies. You'd also require verified identity to ensure that only users whose online identities have been explicitly verified to belong to the expected person would be able to participate in the conversation (or indeed voice/video calls and conferences). If required, you could also archive the conversation to comply with public record keeping legislation through Auditing functionality, or apply Data Loss Prevention (DLP) rulesets to ensure sensitive data isn’t accidentally leaking at the wrong classification.
Moreover Element Server Suite would be run on a dedicated instance hosted specifically for the personnel in question, potentially configured to (privately) federate with other governmental deployments at the same classification through the use of Secure Border Gateways, or Cross-Domain Solutions for high-side and low-side environments. There’s even air-gapped options specifically for high-side environments. Built for huge government deployments, optimisations within ESS enable it to cost efficiently support literally millions of end-users if needed, with multiple back-ups and fail-overs to ensure continuous uptime.
That said, it’s worth noting that the fact that Element lets you run your own communication service can be a double-edged sword. It’s obviously a positive that Element Server Suite provides a commercially supported, best-in-class enterprise distribution which lets organisations operate deployments with full peace of mind. However sometimes we see critical deployments improvise their own setups by freeriding on Element’s community open source components. This introduces significant risks, with the deployment then deprived of access to Element’s support, best practices, advanced security advisories, audits and accreditations - and without any of the high-availability, scalability and enterprise functionality (e.g. group access control) found in Element Server Suite. In-house teams and irresponsible systems integrators beware…
Why do governments use consumer messaging apps?
Senior politicians are not technologists. Like most other people they just default to the quickest and easiest solution, and feel safe because messaging apps wave end-to-end encryption around as though it’s a silver bullet. The fact is people like consumer-style, easy to use apps. No one has ever downloaded Microsoft Teams, Webex or Salesforce to their phone because they like it. Given a free choice they choose something like WhatsApp or Signal.
People’s preference for the usability of consumer messaging apps is natural, but within government - or any workplace - it creates shadow IT. You can only address it with beautifully usable, consumer-style apps that hide all the enterprise-grade complexities a government solution needs behind a simple and familiar user interface. It’s precisely why we invest so heavily in user experience (hence Element X). People simply don’t put up with clunky tools in the name of security.
Why are consumer messaging apps unsuited to government use?
Governments need to ensure their digital sovereignty, which should eliminate the use of vendor-controlled cloud-based solutions in favour of self-hosted solutions. Genuine digital sovereignty also requires open source software, for complete auditability and to protect against vendor lock-in. The need for interoperability - which is absolutely critical for communications - makes siloed solutions unsuitable.
| The problems with Signal |
|
| The problems with WhatsApp | WhatsApp presents governments with all the same problems as Signal, as well as:
|
| The problems with Telegram | Telegram presents governments with all the same problems as Signal, as well as:
|
None of the above is to discredit the technical security of Signal. It has a strong security posture, encompassing end-to-end encryption, minimal metadata, and other privacy-preserving features. But this story just shows that security - especially national security - goes beyond privacy features. Organisations need to be able to restrict who is allowed to participate in given conversations, and guard against fat-fingered invites. Governments need to be held accountable for the technology they use. Complex military operations require appropriate records, audit trails, and the ability to retrieve records. They most definitely cannot be managed in the Wild West of a consumer messaging app.
How else is Element different?
Element is uniquely placed to serve governments. It uses the Matrix open standard to provide the cornerstones of digital sovereignty, security and interoperability - and then builds on that to give public sector organisations the same oversight and control of their deployment that they would expect from other corporate solutions.
The decentralised Matrix protocol enables an end-user organisation to own, host and control its solution and data. It also ensures more robust and reliable communications than a centralised technology, especially in moments of crisis and break-down of intercontinental connectivity.
Taking digital sovereignty a step further, both Matrix and Element are open source, which gives end-user organisations the transparency to be able to trust their communications platform. And because Matrix is a popular open standard, end-user organisations also benefit from a competitive ecosystem helping to drive innovation and protect against vendor lock-in. Perhaps most important, the open standard interoperability Matrix delivers allows each party to use their own solution, while still being able to federate and communicate securely with each other. That’s very much how SMTP works for email, only for secure real-time communications that standard is Matrix.
A new era of secure government communication
Progress isn’t linear. Encryption goes back to at least Ancient Egypt. Modern day end-to-end encryption dates back to the arrival of Pretty Good Privacy (PGP) in 1991. The iPhone launched in 2007, Signal was released in 2014. The Covid pandemic, which really drove the use of consumer messaging apps within the workplace, struck just five years ago.
The French government began rolling out Tchap, its French-branded fork of Element, in 2019. Germany’s Armed Forces started to deploy BwMessenger, its German-branded fork of Element, at the very end of 2020. The US Department of Defence started using Element in 2020. NATO ACT began investigating Element in 2023 and created NI2CE Messenger, its branded fork of Element, in 2024. The United Nations International Computing Centre (UNICC) selected Element as its secure communications platform in 2024.
As more and more governments realise that their use of consumer messaging apps presents unacceptable risk, we’ll see the proliferation of Element and other Matrix-based communication across governments worldwide ushering in a new era of sovereign, secure and open standard based real time communication.
