The ‘SignalGate’ scandal in the US shows the need to build a ‘strong culture’ for information exchange, according to the data protection expert who led the review into the Scottish Government’s use of mobile messaging apps.
Emma Martins, who conducted a review of how ministers and officials used platforms such as WhatsApp during the pandemic, said the Trump administration’s reliance on the encrypted Signal app shows how ‘relaxed we have all become and how familiar we feel with the apps we use’.
“They are on our phone and they are in our hands, so there is often a misplaced sense of control, safety, proximity, and security. That means at moments of risk, our guard may be down,” said Martins, the former Channel Islands data protection commissioner.
Martins’s independent review of the Scottish Government’s use of mobile messaging apps and non-corporate technology was published in December. In all, she made twenty recommendations, which included using the skills, knowledge and resources around behavioural science to support a stronger culture of compliance for civil servants when it comes to information sharing. She also recommended developing the role of propriety and ethics to be more visible, proactive and involved across the organisation, with ministers and officials receiving the appropriate training.
In response, ministers committed to banning WhatsApp for official government business after concerns were raised about the retention and deletion of messages by politicians and civil servants during Covid.
On the scandal in the US, Martins said she was not ‘sighted’ on the details of the case – whereby senior politicians including defence secretary Pete Hegseth, national security adviser Mike Waltz and vice president JD Vance had shared information on Signal about the upcoming US strikes on the Houthi-led rebel government of Yemen. The case came to light after Jeffrey Goldberg, editor of The Atlantic political magazine, had been added to the group chat, prompting a national security media storm.
“I am clearly not sighted on all the details in the case of the US Government case, but from what I have seen and read, the mobile messaging app in question was not authorised for corporate use,” said Martins.
“I have not seen evidence of many governments authorising such use. There are good reasons for that, particularly when communications include or relate to sensitive, confidential or otherwise protected information and data.”
She added: “There are risks to individuals whose personal data may be contained or referenced in the communications and there are risks to the individuals who own the devices. No protection is perfect, but using corporate secure platforms for all government communications is absolutely going to reduce those risks.”
The risks to individuals, given the nature of the classified information discussed by Trump administration officials, and the implications for national security, were “unsurprisingly heightened” during times of geopolitical tensions and hostilities, Martins said.
The National Security Agency had reportedly warned about the use of the Signal app – which had its initial release in the United States in 2014 – a month before the military action against Houthi rebels, who have been attacking shipping lanes in the Red Sea and Gulf of Aden with anti-ship missiles and drones. The agency, the equivalent of GCHQ in the UK, sent out a bulletin in February warning about a vulnerability in the app which could expose users to phishing scams.
“A vulnerability has been identified in the Signal Messenger Application. The use of Signal by common targets of surveillance and espionage activity has made the application a high value target to intercept sensitive information,” the internal memo said.
Martins said the subsequent use of the app by senior administration officials pointed to “serious failings”.
She said: “It is easy to write a policy. It is much less easy to ensure people know what the policy says and then comply with it. My focus on the culture and values during my review was for exactly that reason. Government needs to proactively build and nurture a culture of strong compliance, stemming from a clear sense of what its role is, who it represents, and the accountability that surrounds both of those things.”
She added: “Humans are fallible. The higher the stakes, the greater attention needs to be paid both to the formal structures around them (policies and procedures etc), and the ‘soft power’ tools that are available. Hence the emphasis on both these areas in my review.
“In the case of the US Government, the fact that such a clear warning from such an important agency was clearly ignored points to very serious failings in all of these areas.”
She added: “It is extraordinary to think that a message from the NSA had so little impact on those at the heart of the US Government. I would be very surprised if our own national security agencies were disregarded in this way by the UK Government.”
If mobile messaging apps are going to be used as alternative or additional ways of exchanging information, Martins argues that “clear rules” need to be in place as to how officials use them. It matters for the sake of democratic accountability that information is properly documented and retained, and that civil servants receive the appropriate training.
The experience of Covid has shown that apps such as WhatsApp were widely used by ministers and civil servants across the UK, and as a result “the ease of communicating through mobile messaging apps has blurred the boundaries”, according to Martins.
She said: “As we have seen from the Covid Inquiry evidence, many officials and ministers throughout the UK were communicating on WhatsApp. Some of those conversations were clearly personal and did not relate to government business, but many were not, and it will be interesting to see what is said about this area when the Covid Inquiry publishes its findings.”
The Scottish Government has to date been the only administration in the UK to have conducted an official review into how platforms such as WhatsApp have been used by officials, albeit following public disquiet relating to the pandemic.
Martins believes that the process has been a helpful one for the Scottish Government in order to ‘learn from mistakes’, and also that SignalGate will help remind all governments of the importance of data protection, privacy, and data security.
“Having accepted all my recommendations, the Scottish Government is well placed to respond to the very serious issues this raises for governments across the globe. I was, and remain, proud of the work we did,” she says.
“I hope this is a moment of reflection for everyone who has the privilege of calling themselves a public servant or elected official. Data and information are the lifeblood of almost every aspect of our lives, none more so than government. Taking its protection and governance seriously is not an optional extra, it is both a legal and ethical imperative.”