Imagine this: you’re a journalist invited to a secret group chat with some of the most influential figures in the U.S. government. Among them are the National Security Adviser (NSA), the Secretary of Defense, and even the Vice President. They’re all discussing a potential plan to launch an attack in a foreign country.

This is what happened with Jeffrey Goldberg, the editor-in-chief of the Atlantic magazine. He initially got a connection request on the Signal app from NSA Michael Waltz on March 11. Two days later, Mr. Goldberg received a notification from Mr. Waltz on being added to the ‘Houthi PC small group’ in the app. This group was set up to establish a principals committee “for coordination on Houthis, particularly for over the next 72 hours”.

What followed was a series of messages from high-ranking U.S. officials, regarding air strikes in Yemen. The exchanges in the group provided intricate details about military operations, raising questions on whether government officials can use Signal, a privately-owned, end-to-end encrypted communication tool, particularly when it comes to sensitive information.

Co-founded by Moxie Marlinspike and WhatsApp co-founder Brian Acton, Signal is a free and encrypted communication platform for calls and instant messages. Supported by the non-profit Signal Foundation, the app prioritises privacy and security by ensuring past communications remain secure even if the encryption keys are compromised.

High level of trust

The app is widely regarded as more secure than other messaging apps like WhatsApp. Signal’s code is open-source, which means its security protocols are transparent and subject to public review. This openness helps maintain a high level of trust among users, including many government officials in several parts of the world.

Signal encrypts both content and metadata, while WhatsApp encrypts only the content of the communication, meaning users’ profile information can be accessed by the Meta-owned application.

Numerous security experts and anti-surveillance activists have strongly recommended Signal for secure communication. Edward Snowden, the U.S. whistleblower known for exposing the National Security Agency’s surveillance capabilities, uses Signal regularly. The app was also endorsed by Trump adviser and world’s richest man Elon Musk.

Signal’s popularity has grown in recent years, particularly since WhatsApp updated its privacy policy in 2021, forcing users to opt in to sharing their metadata with Facebook. Millions of users worldwide flocked to Signal and Telegram over privacy concerns.

Despite its reputation for security, Signal is not immune to vulnerabilities. In 2022, a phishing attack targeted a company that provides phone number verification service for Signal, and exposed the phone numbers of 1,900 users. However, this attack affected only a small percentage of Signal users, and it did not compromise the private and secure information related to the affected users.

In February, Google’s Threat Intelligence Group warned that Russian intelligence services had attempted to compromise Signal users by exploiting the app’s ability to link multiple devices. Once again, this phishing attack exploited human error rather than technical vulnerabilities within the app.

However, the real risk arises when a user’s device is already compromised, for instance, through the installation of malware. In such scenarios, hackers could potentially monitor the user’s keystrokes and view the screen before encryption is applied.

This is why U.S. officials are generally required to discuss sensitive matters in specially designated, secure facilities known as Sensitive Compartmented Information Facilities. These rooms are designed to prevent electronic eavesdropping and are equipped with safeguards to ensure that devices cannot be used to compromise the integrity of classified information. Despite these precautions, some officials travel with special equipment that allow them to access classified systems while on the move.

Ultimately, the ‘Signalgate’ underscores the complexities of balancing security with the need for effective communication among high-ranking officials. While apps like Signal offer significant protection against interception, they cannot mitigate all potential risks.