Phishing and auto-deleting messages are some of the key concerns around using Signal for official purposes.
Signal, the open-source, free-to-use, encrypted messaging app, has been at the centre of the latest massive controversy within the US government.
It all started when The Atlantic’s editor-in-chief Jeffrey Goldberg dropped a bombshell article earlier this week, revealing that he was mistakenly added to a Signal group chat on 13 March with senior White House officials.
The group, titled ‘Houthi PC small group’, included defence secretary Pete Hegseth, national security advisor Michael Waltz, vice-president JD Vance and the secretary of state Marco Rubio among others.
Moreover, the ‘PC’ in the group’s title stands for a principals committee – a group of the most senior national security officials – and Jeffrey Goldberg, who has decades of experience in reporting on security matters, admits to never having heard of a PC being convened over a commercial messaging app, let alone being invited to one.
The discussion, which was detailed and included sensitive – one could even say secret – information, was about a US military mission in Yemen, where the US was allegedly targeting a Houthi group.
And just hours after the discussion, bombs fell. Al Jazeera reports that more than 50 people have been killed since the US began attacking the area on 15 March.
Soon after the article was published, chaos ensued in Washington, with president Donald Trump, who seemed frustrated at the line of questioning from reporters, calling the controversy a “witch hunt”.
And while Goldberg, in his article, said that Signal is not approved for government use, White House press secretary Karoline Leavitt disagreed, calling it an “approved app” for government use and the “most safe and efficient way of communication”.
What’s the problem with using Signal?
Setting aside the fact that senior White House officials added a journalist to a group chat he was not supposed to be in, the controversy highlights other issues around using a commercial app for high-stakes security-related communications.
One, Signal automatically deletes messages, which opposition leaders and experts say could be used by officials to skirt federal laws which mandate that government records, including official communications, be preserved.
The Presidential Records Act and the Federal Records Act require officials to preserve communications related to government business.
As a result of this scandal – now dubbed ‘Signalgate’ – a federal court in the country has ordered the Trump administration to preserve all Signal messages from 11 to 15 March.
Two, Signal is an open-source application, meaning researchers can audit it and independent experts can verify its security. It is generally considered more secure than more popular messaging apps such as WhatsApp because it doesn’t collect metadata.
However, in an interview with the Guardian, Prof Alan Woodward, a cybersecurity expert at the University of Surrey, said that personal devices are not entirely secure. Officials must use approved intelligence communications systems which ensure safety, he explained.
News outlets report that senior White House officials have their active Signal accounts connected to their personal phone numbers.
Moreover, days after The Atlantic report surfaced, NPR reported that a Pentagon-wide advisory was issued against the usage of Signal, even for unclassified information.
“A vulnerability has been identified in the Signal Messenger Application,” reads the department-wide email, dated 18 March, which was obtained by the publication.
“Russian professional hacking groups are employing the ‘linked devices’ features to spy on encrypted conversations…The hacking groups embed malicious QR codes in phishing pages or conceal them in group invite links,” the email continues.
“This allows the group to view every message sent by the unwitting user in real time, bypassing the end-to-end encryption.” The Pentagon email clarifies that third-party messaging apps like Signal are permitted only for unclassified “accountability/recall exercises”.
However, a Signal spokesperson told the publication that once they learned the app was being targeted, they introduced “additional safeguards and in-app warnings” to help users avoid falling victim to phishing attacks.