Understanding Signal: How Secure Is the Messaging App?

Published On Wed, 26 Mar 2025
Meenal Kapoor

The free messaging app Signal has drawn significant attention after the White House confirmed that senior US officials used it for a private group chat to discuss classified military plans. The situation escalated when Jeffrey Goldberg, editor-in-chief of The Atlantic, was inadvertently added to the group, where officials were reportedly discussing a planned strike against Houthi forces in Yemen. The incident has sparked intense backlash, with Senate Democratic leader Chuck Schumer calling it one of the most shocking intelligence leaks in history and demanding a formal investigation.

Despite having an estimated 40 to 70 million monthly users, Signal remains relatively small compared to mainstream messaging platforms like WhatsApp and Messenger, which boast user bases in the billions. However, Signal distinguishes itself through its advanced security features, particularly its end-to-end encryption (E2EE), which ensures that only the sender and recipient can access messages. Even Signal itself cannot decrypt them. Unlike many other messaging services, Signal is open-source, allowing experts to scrutinize its code for vulnerabilities. It also collects minimal user data and does not store usernames, profile pictures, or group affiliations. Operated by the nonprofit Signal Foundation, it relies on donations rather than ad revenue, allowing it to maintain strong privacy protections without financial pressures to compromise security. Meredith Whittaker, Signal’s president, reinforced its reputation for security by calling the app the “gold standard” in private communications following the leak.

However, even the highest level of encryption cannot fully protect sensitive government discussions. Experts argue that Signal is not appropriate for handling classified information, as security ultimately depends on how a device is used. If an unauthorized person gains access to a phone with an open Signal app, learns the password, or simply observes someone using it, the encryption becomes meaningless. Cybersecurity specialist Caro Robson, who has worked with US government agencies, described it as highly unusual for top officials to use a commercial messaging app for national security matters. Traditionally, classified discussions occur within government-controlled systems designed with advanced encryption and operated in secure locations.

For highly sensitive communications, US officials typically rely on Sensitive Compartmented Information Facilities (SCIFs), which are ultra-secure rooms where personal electronic devices are strictly prohibited. These facilities, found in military bases, government offices, and even officials’ residences, are regularly inspected for surveillance threats. Access to classified information is tightly controlled, requiring officials to be physically present in these facilities to review or discuss sensitive matters. The government’s own encryption and security measures far exceed those of any commercial messaging app, including Signal.

Another concern surrounding the use of Signal in this case is its disappearing messages feature. Signal allows users to set messages to self-delete after a specified time, and Goldberg revealed that some of the leaked messages vanished after a week. This raises serious legal questions, as federal regulations require official government communications to be preserved. Unless officials forwarded their Signal messages to secure government channels, they may have violated record-keeping laws.

The controversy surrounding this leak also ties into a broader debate over encryption and government access to private messages. Various administrations have attempted to introduce legal backdoors into encrypted messaging platforms, arguing that law enforcement and intelligence agencies need to monitor potential security threats. However, companies like Signal and WhatsApp have strongly opposed these efforts, warning that any government-mandated backdoor could be exploited by cybercriminals or foreign adversaries. In 2023, Signal threatened to withdraw from the UK if encryption laws were weakened. Similarly, Apple clashed with the UK government over encrypted cloud storage, ultimately removing the feature in Britain rather than granting authorities access.

The Signal leak underscores a fundamental truth about security: even the most private and encrypted communication platform cannot prevent human error. No matter how advanced an app’s security features are, sensitive information remains at risk if shared with the wrong person or accessed in an unsecured environment.

Disclaimer: This image is taken from BBC.