WikiLeaks dump does not say CIA compromised Signal or WhatsApp

The reports show that the CIA targets devices, and apps have not been compromised.
(Photo by Andrew Mager CC BY SA 2.0)

When WikiLeaks posted thousands of documents on Tuesday allegedly the Central Intelligence Agency, it came with a press release claiming the CIA could “bypass the encryption of WhatsApp, Signal, Telegram, Weibo, Confide and Cloackman [sic]” by hacking the iPhones and Androids the apps run on to collect the communications before encryption is applied and sent to the recipient.

This paragraph led to outlets like the New York Times to write confusing and misleading reports claiming that “the CIA. and allied intelligence services had managed to bypass encryption on popular phone and messaging services such as Signal, WhatsApp and Telegram.”

The outlet later said they deleted tweets that referenced the claim, but the story remains unchanged.



The truth, according to the latest WikiLeaks documents, is that the CIA’s Engineering Development Group builds tools to hack into iPhones and Android phones, among other devices, to gain control and full visibility. There is no indication that the apps themselves have been compromised, despite a growing confused tide of conversation on social media networks.

The takeaway here is merely a core tenet of information security: if your device has been hacked, the encryption protocols built into your apps won’t protect your information. If you’ve been targeted by the CIA, they can likely break into your device. Anything on your device is owned by them at that point. The apps are incidental because the information is collected before apps can possibly do anything for your security.

The mistake of claiming that the encryption apps are compromised — news that will “rock the tech world,” according to the Times — is spreading like wildfire. NBC News made a similar error in its early reporting and Twitter was full of alarmed secure app users early on Tuesday wondering what it all meant.


We’ve reached out to the messaging apps in question for comment.

Patrick Howell O'Neill

Written by Patrick Howell O'Neill

Patrick Howell O’Neill is a cybersecurity reporter for CyberScoop based in San Francisco.

Latest Podcasts