


The recent national security breach involving a Signal group chat has raised concerns regarding the messaging app’s security.
Concerns about the Atlantic’s editor-in-chief, Jeffrey Goldberg, being mistakenly added to a Trump administration Signal group chat extended beyond the blunder itself, sparking outrage over the platform’s use to share sensitive information.
Cybersecurity experts are split on how secure the encrypted messaging system actually is, but all agree it is less secure than government-operated communication channels.
John Maly, cybersecurity expert and tech futurist/artificial intelligence expert witness for AI and tech court cases, told the Washington Examiner that Signal is the “most secure of the mainstream private messaging apps.”
“It’s open source, which some other private messaging apps are as well, but since it’s so widely used, its source code is better vetted than the others,” he said. Its message payloads are protected by a “widely-respected crypto algorithm,” and it maintains minimal metadata, unlike most other messaging apps.
“Lastly, unlike Telegram, Signal’s founder has never (that we know of) been put in a compromising situation by foreign law enforcement, so there’s less chance that Signal’s operators have been coerced into adding some sort of backdoor or data logging. The fact that top officials have chosen Signal indicates that they don’t know of its being compromised by any federal agency,” Maly said.
Telegram founder and owner Pavel Durov agreed to turn over some data to law enforcement after French police arrested him on charges related to refusal to communicate upon request from authorized authorities, complicity in criminal activity, and provision of cryptology services.
Signal is owned and operated by the American nonprofit group Signal Technology Foundation, founded by two U.S. citizens: Signal creator Moxie Marlinspike and WhatsApp co-founder Brian Acton.
Juda Engelmayer, CEO of crisis public relations firm HeraldPR, agreed that Signal is one of the most secure messaging platforms available today.
“It employs the Signal Protocol, a state-of-the-art end-to-end encryption system that ensures only the sender and the intended recipient can read the content of a message or hear a call. Not even Signal’s own servers can access the plaintext of your communications,” he said.
“Messages can be set to disappear after a defined time interval, reducing the risk of exposure if a device is seized or subpoenaed. Even with forensic tools, recovering expired disappearing messages is virtually impossible due to the way Signal stores messages only on devices, not in the cloud,” Engelmayer added.
Rob DeCicco, a digital forensics testifying expert and an expert on Signal and other ephemeral messaging platforms such as WhatsApp, Telegram, and Wickr, said the app is “very secure” but “less secure than [the Non-Secure Internet Protocol Router Network] and [the Secret Internet Protocol Router Network]” — two government-operated communication networks.
The one major vulnerability isn’t the Signal app itself but the device it is used on. If someone’s device in a chat is compromised or under surveillance, third parties could monitor the chat. The app doesn’t appear to be at risk of hacking, even when used on an unsecured network — including from within the Kremlin.
“If you hack the firmware or operating system, then you could always monitor what is typed on the keypad, or what the contents of the display are as the user is reading/writing their messages, thus revealing the data regardless of whether the (downstream) message payloads are securely handled later on,” Maly said.
Maly said the security standards of a third-party app compared to one developed for government use are different, but given how secure Signal is, it is “not a big practical difference.”
One problem with government communication over Signal is the lack of record retention, which is unrelated to security.
Maly said, “If government officials are subject to any federal statutes or regulations requiring communications to be retained for some period of time, Signal almost certainly does not comply with these. If used to circumvent such requirements, Signal is essentially a ‘this message will self-destruct after reading’ type of medium, which could be used to cover the tracks of officials who use it in violation of such a federal employment requirement.”
“When all traces of a communication between two federal employees/agencies are destroyed after being read, it’s not hard to imagine accountability decreasing as a result,” Maly added.
At a Tuesday hearing, CIA director John Ratcliffe said that the government loaded Signal on his work device, allowing him to communicate with colleagues, a policy inherited from the Biden administration.
“One of the first things that happened when I was confirmed as CIA director was Signal was loaded onto my computer at the CIA, as it is for most CIA officers,” he said. “One of the things that I was briefed on very early, senator, was by the CIA records management folks about the use of Signal as a permissible work use. It is. That is a practice that preceded the current administration to the Biden administration.”
The National Security Agency put out an operational security bulletin a month before Goldberg inadvertently infiltrated the Signal group chat between Trump administration officials, warning of a “vulnerability” in the form of phishing scams.
“A vulnerability has been identified in the Signal Messenger Application. The use of Signal by common targets of surveillance and espionage activity has made the application a high value target to intercept sensitive information,” the internal bulletin warned, noting phishing scams from professional Russian hacking groups, which could gain access to conversations by bypassing the app’s end-to-end encryption.
Signal responded to the bulletin in a post on X, saying the “memo used the term ‘vulnerability’ in relation to Signal - but it had nothing to do with Signal’s core tech.”
“It was warning against phishing scams targeting Signal users. Phishing isn’t new, and it’s not a flaw in our encryption or any of Signal’s underlying technology,” the company said. “Phishing attacks are a constant threat for popular apps and websites.”