A few days ago, a BBC journalist wrote an article with the headline, “Signal: Firm claims to have cracked chat app’s encryption”. The problem? Both the claim and the article were compete & utter rubbish.
Firstly, both the headline and the article were changed without any notice to readers (it’s common practise for readers to be notified of corrections in articles on news sites). The BBC added so-called “scare quotes” to the word “cracked” after the BBC realised that its claims were nonsense. That is, the BBC read Signal’s blog reply and then realised that they were wrong.
Here’s the original headline:
Here’s the current headline:
Moreover, the BBC have further edited the article — without a note to readers — to include comments from Marlinspike and many other points. This is incredibly poor journalism from the BBC, whose inability to admit fault and incompetence is clear.
Likewise, a common journalist practice — and trick — is to claim that the journalist has reached out to an organisation or individual for comment, and that no one has got back to the journalist. Jane Wakefield, the author of the article, claimed to have reached out to Signal for comment. Moxie Marlinspike’s reply said that Signal wasn’t given a chance to reply. The “trick” from journalists is to give organisations and individuals only a few hours to reply to claims before an article is published, thereby technically giving Signal a chance to reply. And receiving a reply over Christmas? Good luck.
Whilst I have no proof that what I wrote above happened, there is clearly a discrepancy between Marlinespike and Wakefield’s claims of being given a chance to comment.
Embarrassingly, Cellebrite edited its blog post about its claims, too, which were exaggerated. Marlinespike was right to call this story “amateur hour”. Ironically, the BBC pointed out Cellebrite changing its blog post. And, ironically, I used the same service to point out the BBC changing its article.
One problem with tech journalism is the ability to judge the accuracy of technical claims. Here Wakefield fails to make a distinction between network-layer encryption (e.g., TLS), at rest encryption (e.g., default iOS at rest encryption), and end-to-end encryption. Which was broken? As it turns out, none, but the article is obviously talking about at rest encryption. Even if the at rest encryption were cracked, the vulnerability would most likely be due to Android or Apple’s at rest encryption implementation, not Signal being “cracked”.
Cyber security is a heavily specialised area of expertise, and I know plenty of IT people who do not understand cyber security. Wakefield is clearly out of her league, which is why the BBC were forced to edit its article.
Another aspect to tech journalism is that anyone with the expertise to report on Cellebrite’s claims probably wouldn’t be working as a journalist. Why write about tech when one can do tech? Why take a journalist’s salary when one can take an IT salary?
Anyone with any familiarity with cyber security understands that if a device is compromised, the data on that device is at risk. Given iOS’ walled garden approach — and sandboxing of apps — it should not be a surprise that if the app is accessible to a third party (i.e., someone has the unlocked device in his hands), the data is also accessible.