For some time, the public has known that Donald Trump does a lot of his tweeting himself, from the account @realDonaldTrump, and from an Android smartphone. But many cybersecurity experts believed that would change once Trump took the oath of office, because White House-approved communication devices are much more secured — and stripped down — than the smartphones the rest of us use.
In fact, former President Barack Obama once compared his official White House smartphone to a child's toy. "It doesn't take pictures, you can't text," Obama told Jimmy Fallon in 2016. "The phone doesn't work. You can't play your music on it. So, basically, it's like — does your 3-year-old have one of those play phones?"
A few recent reports indicate that President Trump might still be tweeting from his old Android, and he may not even be following all the security protocols he should.
Soon after Trump's inauguration, an enterprising hacker found that Trump's @realDonaldTrump account was still tied to the Gmail account of a staffer, a move seen as insecure. (The account now seems to be connected to more official and secure White House email accounts.) And a January article in The New York Times reported that Trump continues to tweet from an "old, unsecured Android phone."
Several cybersecurity experts told NPR, if that's the case, it's not good.
"Donald Trump for the longest time has been using a insecure Android phone that by all reports is so easy to compromise, it would not meet the security requirements of a teenager," says Nicholas Weaver, a computer scientist at the University of California at Berkeley.
Weaver doesn't have any first-hand knowledge of the security standards on Trump's phone. But he says knowing that a sitting president has an insecure Android, "we must assume that his phone has actively been compromised for a while, and a actively compromised phone is literally a listening device."
Other cybersecurity experts didn't offer predictions that dire, but half a dozen of them told NPR that if Trump is still using an unsecured Android, even if only to tweet, malware could infiltrate the phone's camera or microphone, or even use geolocation to tell hackers the president's whereabouts.
Melanie Teplinsky, a privacy expert at American University, says even without those worst-case scenarios, just hacking into Trump's Twitter account alone could wreak havoc.
"Another concern is that someone tries to influence stock markets or politics through the use of a Twitter account by making false posts," she says.
NPR reached out the White House for comment on Trump's tweeting and smartphone use. We asked a few questions:
- Is Trump tweeting from a secured device?
- Are those reports of Trump using an old, unsecured Android true?
- Is the Trump administration following all the cybersecurity protocols it should?
The administration gave no answers to those questions, and no confirmation or denial of all those reports that Trump is using an unsecured device. But deputy White House press secretary Stephanie Grisham tells NPR, "We don't comment on security protocols of any kind."
The absence of a clear statement from the White House on the security of Trump's communications, matched with the continued reports of unsecured smartphone use, has led some to accuse Trump of hypocrisy.
"He and so many during the campaign were so critical of Secretary (Hillary) Clinton for what they felt were inappropriate practices," says Michael Sulmeyer, director of the Cyber Security Project at Harvard's Kennedy School of Government. "And it really is the height of hypocrisy to ... on day one, be doubling down on the exact type of behavior they had no problem riling up the base with."
Avi Rubin, a professor of computer science at Johns Hopkins University, says: "If President Trump is carrying around an unsecured Android phone, that's 1,000 times worse than using a personal email server."
To ensure that President Trump can tweet securely, he'd have to use a smartphone that "cannot speak on the general Internet," Weaver says. "It has to basically cut itself off from the rest of the world to be secure."
But Bill Anderson, CEO of security firm OptioLabs, says there might be another option: Security professionals in the federal government should use this moment to find a way for security and technology to keep up with the Tweeter-in-Chief.
"I think the challenge is for the security people that are supporting White House communications to improve their capability to secure the platform," Anderson told NPR. "That platform could let him tweet and yet not be at risk. So, they need to catch up with what you can actually do with technology, not just say 'no.' "
Rubin says, in that regard, Twitter could help. "If I were Twitter," he says, "I would set up a separate, encrypted channel that I would give all of the credentials and the keys to the president to use."
A spokesperson for Twitter said the company doesn't comment on individual accounts.
But Rubin imagines a verification system created by the White House and the company, in which Twitter would confirm each @realDonaldTrump tweet before it was sent. But Rubin points out, that strategy would only secure the president's Twitter account; it would do nothing to change the vulnerabilities of an old Android smartphone.