clock menu more-arrow no yes

A messaging startup used by White House staff is getting sued for allegedly not being as secure as it promises

The suit says Confide has some holes that make it possible to screenshot “secure” messages.

Donald Trump Is Sworn In As 45th President Of The United States Chip Somodevilla / Getty

Confide, an “off the record” messaging service, has been mentioned several times as a tool that White House staff, as well as Republican insiders, use to privately send information.

But now the New York-based startup has a new headache: A lawsuit filed today in the Southern District of New York alleges that it’s possible under specific circumstances to capture information on who sent messages, as well as the content of those messages.

The suit isn’t about Confide’s servers or encryption technology, but instead it takes issue with a more manual problem: That messages sent on the platform are not always safe from being captured with a screenshot.

On Confide’s website, the company boasts its messages are “screenshot protected.”

“Confide prevents screenshots on most of our platforms,” its website says today. “Where prevention is not technically feasible, our patent-pending reading experience ensures that only a sliver of the message is unveiled at a time and that the sender’s name is not visible. We also kick the recipient out of the message and notify the sender that a screenshot has been attempted.”

But according to Chris Dore, an attorney with the law firm representing the plaintiff, it’s possible to toggle the settings on Windows so that when using the desktop version of the app, users can take a screenshot of the entire message, along with the sender’s name in full view. The app also fails to alert the sender that someone has taken a screenshot, the suit claims.

The suit further alleges that Confide’s “sliver” feature, which is supposed to only show a portion of the message at a time and hide the identity of the sender, doesn’t work on the desktop versions of the app.

Here’s a photo, cited in the lawsuit, that demonstrates how the sender’s name, as well as the contents of their message, is fully visible on both Windows and Mac versions of the desktop app:

Confide says it disagrees with the claims spelled out in the lawsuit.

“The accusations set forth in the complaint are unfounded and without merit,” Jon Brod, Confide’s co-founder and president, said in a statement to Recode. “We look forward to responding to this frivolous complaint and seeing this case swiftly thrown out of court.”

It’s also worth noting that — as with any “secure” app, screenshot alerts or not — it’s possible to take a picture or video of the “decrypted” message with another camera, like a second iPhone.

(Security researchers also found critical vulnerabilities in Confide earlier this year, but reported that they alerted Confide of the problems and that they were quickly resolved.)

Read the lawsuit against Confide here.


This article originally appeared on Recode.net.