The Trump administration is facing heavy blowback for using Signal, a messaging app, to discuss sensitive military plans. On March 24, officials’ usage of the app was revealed after The Atlantic editor Jeffrey Goldberg published a story titled “The Trump Administration Accidentally Texted Me Its War Plans,” in which Secretary of Defense Pete Hegseth, among others, discussed upcoming military strikes on Yemen.
The U.S. government previously discouraged federal employees from using the app for official business. Some experts have speculated that sharing sensitive national security details over Signal could be illegal, and Democratic lawmakers have demanded an investigation. “If our nation’s military secrets are being peddled around over unsecure text chains, we need to know that at once,” New York Democrat Chuck Schumer said on the Senate floor.
Signal is one of the most secure and private messaging platforms that exists for general public use. But cybersecurity experts argue that the app should not have been used for this level of sensitive communication. “Signal is a very robust app: a lot of cybersecurity professionals use it for our communications that we want to protect,” says Michael Daniel, president and CEO of the Cyber Threat Alliance and a cybersecurity coordinator under President Obama. “But it’s not as secure as government communications channels. And the use of these kinds of channels increases the risk that something is going to go wrong.”
Signal’s Strengths
Signal was launched in 2014, with the goal of creating a privacy-preserving messaging platform in an age of increasing mass surveillance. Signal conversations are protected by end-to-end encryption, a technique that makes it extremely hard for a third party to intercept or decipher private messages. While other messaging tools may collect sensitive personal data, Signal prides itself on securely protecting information such as messaging contacts, frequency, and duration.
The app has other privacy features, such as automatically disappearing messages after a set period and preventing screenshots of conversations. Signal data is stored locally on users’ devices, not on the company’s servers. “Our goal is that everyone in the world can pick up their device, and without thinking twice about it, or even having an ideological commitment to privacy, use Signal to communicate with anyone they want,” Signal President Meredith Whittaker told TIME in 2022.
Over the last few years, Signal has been used by dissidents and protestors around the world who want to keep their conversations safe from political enemies or law enforcement. In Ukraine, the U.S. Embassy in Kyiv described Signal as critical to their work in its ability to ensure secure, rapid, and easily accessible communications. The app now has 70 million users worldwide, according to the tracking site Business of Apps.
Government Use
The usage of Signal for government purposes is more contentious. In 2021, the Pentagon scolded a former official for using Signal, saying that it did not comply with the Freedom of Information Act, which decrees the government has legal obligations to maintain federal records. Goldberg, however, reported this week that the Trump officials’ Signal chat was set to automatically delete messages after a period of time.
Sam Vinograd, who served in former President Barack Obama’s Homeland Security Department, told CBS that sharing sensitive security details over Signal could violate the Espionage Act as well. Top intelligence officials testified this week that no classified information was shared over the group chat. CIA Director John Ratcliffe said that Signal was a “permissible work-use application” for the CIA.
Last week, a Pentagon advisory cautioned military personnel against using Signal due to Russian hackers targeting the app.
The Cyber Threat Alliance’s Daniel says that he was surprised that top officials were using Signal, given that they have access to government-specific channels that are more secure. When discussing sensitive information, officials are typically required to do so in designated, secure areas called Sensitive Compartmented Information Facilities (SCIFs), or to use SIPRNet, a secure network used by the Defense and State Departments.
“These are very senior officials who have a lot of options. They have people whose entire jobs are to make sure that they’re able to communicate at all times,” Daniel says. “We’ve had that for decades now, and those procedures are really well honed.”
Daniel contends that government tools could have prevented what went wrong in this instance: the human error of an outside party mistakenly being added to a message chain. He says that government channels have a “much higher level of authentication” to ensure that members of communication channels are supposed to have access.
Dave Chronister, the CEO of the cybersecurity company Parameter Security, says that the government’s bespoke communications channels prevent other kinds of interlopers or hackers from using phishing or malware techniques to learn information. “If you’re on a cell phone, I don’t know who could be looking over my shoulder to see what I’m typing, not to mention I don’t know what else is on that mobile device,” he says.
Chronister adds that officials’ use of Signal, as opposed to internal channels, also makes it harder for the government to identify and contain breaches once they’ve happened. “We could have data out there we didn’t know was compromised,” he says. “If top cabinet officials are using Signal, I’m wondering how much is being done on a daily basis—and I think there’s going to be a lot more fallout from this.”
A representative for Signal did not immediately respond to a request for comment.