Signal, the most secure widely available messaging app, has become a go-to resource for journalists, leakers and other people concerned about privacy. But it’s not infallible. And its shortcomings and limitations are precisely why its use by Defense Secretary Pete Hegseth and other top Trump administration defense officials has rocked the worlds of politics and national security.
The app made headlines Monday after Atlantic editor-in-chief Jeffrey Goldberg published the bombshell news that the Trump administration had accidentally added him to a Signal group chat this month to discuss military strikes on Houthi targets in Yemen.
At first glance, it might not seem a major problem. Cybersecurity experts widely consider Signal to be the leading easy-to-use encrypted messaging service, and there are no public reports of its ever having been compromised by hackers.
Signal’s encryption protocol — the complicated algorithm that scrambles messages as they’re sent, then descrambles them for recipients — is the basis for some of the most popular messaging apps, including WhatsApp and iMessage. In 2023, Signal began updating its encryption to address the hypothetical threat of a quantum computer that could break less complicated encryption codes.
But Signal can’t protect people, even Cabinet members, if they accidentally tell it to message the wrong person, said Mallory Knodel, the founder of the Social Web Foundation, a nonprofit organization that has helped social media networks in the fediverse implement encryption.
“Signal is as secure as it gets for end to end encrypted messaging, but this leak was because they added an untrusted party to the chat,” she told NBC News over Signal.
According to the Atlantic article, Goldberg was seemingly added to a Signal group chat that included sensitive national security discussions among Hegseth, Vice President JD Vance, National Intelligence Director Tulsi Gabbard and national security adviser Mike Waltz. Goldberg described the discussions’ continuing for six days before he removed himself, all while the rest of the group appeared to be unaware that he was in the chat.
Goldberg chose not to publish what appeared to be highly sensitive, classified information, including the name of a high-ranking CIA official included in the chat and some specific details about the military operation.
A Signal spokesperson declined to comment.
Discussing sensitive military matters over smartphone group chats is far outside normal protocol, regardless of the messaging app. Military coordination is usually done over one of two government systems: a more routinely used system called the Secret Internet Protocol Router Network, or SIPRNet, for communications deemed to be secret, and one called the Joint Worldwide Intelligence Communications System, or JWICS, for top-secret ones. Both networks operate as isolated communications systems not connected to the larger internet, making them less vulnerable to hacks and attacks.
Signal uses end-to-end encryption, which is designed for a specific threat: that someone, perhaps a government or law enforcement officer, might intercept a message as it travels between one person’s phone to another’s.
