For some time, the public has known that Donald Trump does a lot of his tweeting himself, from the account @realDonaldTrump, and from an Android smartphone. But many cybersecurity experts believed that would change once Trump took the oath of office, because White House-approved communication devices are much more secured — and stripped down — than the smartphones the rest of us use.
In fact, former President Barack Obama once compared his official White House smartphone to a child's toy. "It doesn't take pictures, you can't text," Obama told Jimmy Fallon in 2016. "The phone doesn't work. You can't play your music on it. So, basically, it's like — does your 3-year-old have one of those play phones?"
A few recent reports indicate that President Trump might still be tweeting from his old Android, and he may not even be following all the security protocols he should.
Soon after Trump's inauguration, an enterprising hacker found that Trump's @realDonaldTrump account was still tied to the Gmail account of a staffer, a move seen as insecure. (The account now seems to be connected to more official and secure White House email accounts.) And a January article in The New York Times reported that Trump continues to tweet from an "old, unsecured Android phone."
Several cybersecurity experts told NPR, if that's the case, it's not good.
"Donald Trump for the longest time has been using a insecure Android phone that by all reports is so easy to compromise, it would not meet the security requirements of a teenager," says Nicholas Weaver, a computer scientist at the University of California at Berkeley.
Weaver doesn't have any first-hand knowledge of the security standards on Trump's phone. But he says knowing that a sitting president has an insecure Android, "we must assume that his phone has actively been compromised for a while, and a actively compromised phone is literally a listening device."
Other cybersecurity experts didn't offer predictions that dire, but half a dozen of them told NPR that if Trump is still using an unsecured Android, even if only to tweet, malware could infiltrate the phone's camera or microphone, or even use geolocation to tell hackers the president's whereabouts.
Melanie Teplinsky, a privacy expert at American University, says even without those worst-case scenarios, just hacking into Trump's Twitter account alone could wreak havoc.
"Another concern is that someone tries to influence stock markets or politics through the use of a Twitter account by making false posts," she says.
NPR reached out the White House for comment on Trump's tweeting and smartphone use. We asked a few questions:
- Is Trump tweeting from a secured device?
- Are those reports of Trump using an old, unsecured Android true?
- Is the Trump administration following all the cybersecurity protocols it should?
The administration gave no answers to those questions, and no confirmation or denial of all those reports that Trump is using an unsecured device. But deputy White House press secretary Stephanie Grisham tells NPR, "We don't comment on security protocols of any kind."
The absence of a clear statement from the White House on the security of Trump's communications, matched with the continued reports of unsecured smartphone use, has led some to accuse Trump of hypocrisy.
"He and so many during the campaign were so critical of Secretary (Hillary) Clinton for what they felt were inappropriate practices," says Michael Sulmeyer, director of the Cyber Security Project at Harvard's Kennedy School of Government. "And it really is the height of hypocrisy to ... on day one, be doubling down on the exact type of behavior they had no problem riling up the base with."
Avi Rubin, a professor of computer science at Johns Hopkins University, says: "If President Trump is carrying around an unsecured Android phone, that's 1,000 times worse than using a personal email server."
To ensure that President Trump can tweet securely, he'd have to use a smartphone that "cannot speak on the general Internet," Weaver says. "It has to basically cut itself off from the rest of the world to be secure."
But Bill Anderson, CEO of security firm OptioLabs, says there might be another option: Security professionals in the federal government should use this moment to find a way for security and technology to keep up with the Tweeter-in-Chief.
"I think the challenge is for the security people that are supporting White House communications to improve their capability to secure the platform," Anderson told NPR. "That platform could let him tweet and yet not be at risk. So, they need to catch up with what you can actually do with technology, not just say 'no.' "
Rubin says, in that regard, Twitter could help. "If I were Twitter," he says, "I would set up a separate, encrypted channel that I would give all of the credentials and the keys to the president to use."
A spokesperson for Twitter said the company doesn't comment on individual accounts.
But Rubin imagines a verification system created by the White House and the company, in which Twitter would confirm each @realDonaldTrump tweet before it was sent. But Rubin points out, that strategy would only secure the president's Twitter account; it would do nothing to change the vulnerabilities of an old Android smartphone.
AUDIE CORNISH, HOST:
Donald Trump campaigned for months on the idea that Hillary Clinton's use of a private email server put national security at risk. Now cybersecurity experts are saying Trump's continued Twitter use possibly on an older phone raises its own set of security risks. NPR's Sam Sanders reports.
SAM SANDERS, BYLINE: We've known for some time that Donald Trump tweets a lot himself from the account @RealDonaldTrump on an Android smartphone. We also know that Trump's continued tweeting might not be so secure. Soon after Trump took the oath of office, a hacker found out that Trump's Twitter account was linked to a basic Gmail account which really isn't that secure.
That's since changed. And just a few days ago, The New York Times reported that Trump continues to tweet from an old, unsecured Android smartphone. Several cybersecurity experts I've spoken to say this is not good.
NICHOLAS WEAVER: Donald Trump for the longest time has been using a insecure Android phone that by all reports is so easy to compromise it would not meet the security requirements of a teenager.
SANDERS: That's Nicholas Weaver. He's with UC Berkeley's International Computer Science Institute, and he went even further. Weaver says if those reports are true...
WEAVER: We must assume that his phone has actively been compromised for a while, and a actively compromised phone is literally a listening device.
SANDERS: Half a dozen cyber experts told me it's possible for an unsecured Android to be compromised and the owner of that phone to not even know it at all. And even if President Trump only uses that Android to tweet, malware could still infiltrate the phone's camera or microphone or even tell hackers where Donald Trump is.
Melanie Teplinsky is a privacy expert at American University, and she says even without those worst-case scenarios, just hacking into Trump's Twitter account alone could wreak havoc.
MELANIE TEPLINSKY: Another concern is that someone tries to influence stock markets or politics through the use of a Twitter account by making false posts.
SANDERS: So I asked the White House a few questions. One - is Trump tweeting from a secured device? Two - are those reports of Trump using an old, unsecured Android true? And three - is the Trump administration following all the cybersecurity protocols it should?
I got no answers to these questions and no confirmation or denial of all those reports that say Trump is using an unsecured device. But Deputy White House Press Secretary Stephanie Grisham did tell me, quote, "we don't comment on security protocols of any kind." So what should we think?
WEAVER: He is too valuable to be on a smartphone at all.
SANDERS: That's Nicholas Weaver again. He says the president won't be really secure until he's using an entirely different kind of phone than you or I use.
WEAVER: To actually build a smartphone that is locked down sufficient that a high-value target such as the president of the United States can run cannot speak on the general internet. It has to basically cut itself off from the rest of the world to be secure.
SANDERS: But that might not happen. Bill Anderson is the CEO of a security firm called OptioLabs, and he says instead of telling Trump no when it comes to how he can tweet or what phone he can use, security staff should try to meet the tweeter in chief where he is.
BILL ANDERSON: I think the challenge is for the security people that are supporting White House communications to improve their capability to secure the platform. That platform could let him tweet and yet not be at risk. So they need to catch up with what you can actually do with technology, not just say no.
SANDERS: And maybe that's already happening. Maybe his phone and his tweets are secure. But if that is the case, President Trump has yet to let us know. Sam Sanders, NPR News.
(SOUNDBITE OF A TRIBE CALLED QUEST SONG, "ELECTRIC RELAXATION") Transcript provided by NPR, Copyright NPR.