The revelation that a journalist was included in a highly sensitive Signal group chat for Trump officials planning a military operation on Yemen has raised questions about the broader use of encrypted apps by politicians and public servants in Australia.
The Atlantic reported on Tuesday that its editor, Jeffrey Goldberg, was accidentally included in a group chat on the encrypted messaging app with more than a dozen senior Trump administration officials.
The news sparked alarm about a potentially catastrophic breach of military information and raised questions about the use of commercially available encrypted apps among public officials in the US and beyond.
So what’s the situation in Australia?
Do Australian agencies use encrypted apps?
Politicians and their staff in Australia have long been known to use apps such as Signal to communicate. Use in the public service and political service is believed to be common, to the point where last week Australia’s information regulator released an investigation into how agencies were using encrypted apps and what security and record rules were in place for work-related conversations occurring on them.
In it, the Office of the Australian Information Commissioner (OAIC) reported that, of the 22 government agencies that responded to a survey on encrypted app use, 16 permitted staff to use the apps for work purposes. Of those, just eight had policies on the use of the apps, and five of those addressed security requirements for communicating on the apps.
Guardian Australia contacted Penny Wong and Richard Marles’ offices for comment on the use of encrypted apps by the foreign affairs and defence departments.
In a response, a government spokesperson said: “The Government complies with the obligations under the Archives Act and the FOI Act” but did not answer specific questions about whether ministers used Signal for sensitive communications with department staff or officials.
The home affairs department was also asked about its use of encrypted apps and did not provide an answer before publication.
What are the rules for those who do?
One unnamed large agency mentioned in the OAIC report had a “comprehensive” policy on the use of Signal and endorsed its use for app security reasons, but only on mobile devices managed by the agency.
It had cybersecurity guidelines and a requirement that the disappearing messages functionality should be turned off. It also included instructions on how to copy information from Signal to the agency’s primary record-keeping system.
In a response to the report, the Attorney-General’s Department – which oversees the OAIC – said it would support government agencies with “information management recommendations and guidance” on the use of messaging apps. A spokesperson said all commonwealth agencies had legal responsibilities to preserve records “under Australian archival law, privacy law, and freedom of information law”.
“The report will assist the National Archives of Australia and Office of the Information Commissioner (OAIC) to provide effective regulatory guidance in this area,” the attorney general’s spokesperson said.
The National Archives of Australia (NAA) is responsible for the repository of the government’s official documents.
Does Australia’s approach hold up?
The OAIC did not comment on the US news but the commissioner, Elizabeth Tydd, told Guardian Australia last week that most agency policies, where they existed, were left wanting when it came to security and record requirements.
“In the main the policies did not properly address archive, privacy, FoI requirements, and I think you can say with only five addressing security requirements that they’re not adequate to support staff in upholding their responsibilities or delivering the rights that are provided to the community through legislation and that are [overseen] by the OAIC,” she said.
Has this been an issue before?
In 2016, it was reported that the then prime minister, Malcolm Turnbull, and former prime minister Kevin Rudd communicated via Wickr about the Australian government supporting Rudd’s push at the time to be appointed secretary general of the United Nations.
It was also reported in 2018 that the then foreign affairs minister, Marise Payne, and her Indonesian counterpart, Retno Marsudi, communicated over WhatsApp about the Morrison government’s decision to recognise West Jerusalem as the capital of Israel.
What should agencies be doing?
Toby Murray, a former public servant and professor at the University of Melbourne’s School of Computing and Information Systems, said the use of commercially available encrypted messaging apps in government was the next step in the encroachment of consumer technology such as smartphones into the workplace.
He said it was important for agencies to have policies in place.
“It’s very easy to make the assumption that because these apps are encrypted that that therefore means that they are quite secure … when in fact that may not be the case,” he said, adding that having clear guidance around use was “really important”.
Murray acknowledged that politicians and their staff were “in quite a tricky position” when it came to setting rules – “in the sense of being very time-poor, having access to all sorts of information and also being potential targets from, say, foreign intelligence services”.
He also highlighted the importance of security hygiene for individual device users.
“It’s difficult to get people to understand, for instance, that just because the app might be, you’d hope, highly secure, that doesn’t mean the device that you’re running on is necessarily going to be,” he said.
“Of course, it would be great if all of our politicians thought very hard and put a lot of effort into their security hygiene of their devices but I think we all have to acknowledge the reality that’s probably not the case.”
An NAA spokesperson said: “Messaging apps may present recordkeeping and risk management challenges for agencies to consider when authorising their use.
“Australian government agencies are required to meet their recordkeeping obligations regardless of the tools and technology being used.”