Signal was a 'risky' choice for sharing classified plans. Which is the most secure messaging app?

ADVERTISEMENT
A mere three days after US Defence Secretary Pete Hegseth boasted on national television that America "no longer looked like fools," it emerged that he was part of a group of high-ranking officials who
inadvertently texted plans
for an attack in Yemen to a journalist.
Hegseth, alongside Vice President JD Vance, Secretary of State Marco Rubio, National Security Advisor Michael Waltz and others, had been using the messaging platform Signal to discuss highly sensitive and classified information.
Democratic lawmakers swiftly condemned this as an "egregious" security breach, and US President Donald Trump said he knew "nothing about it," as his team claimed
a "glitch"
was to blame for the addition of journalist Jeffrey Goldberg to a message chain named "Houthi PC small group".
Related
What is Signal and should US officials have used it to share Yemen air strike plans?
Though encrypted and technically secure, the platform is "full of risks" related to human error and spyware, and was not the appropriate choice for such a conversation, argues Callum Voge, Director of Governmental Affairs and Advocacy at Internet Society.
"Governments have specific protocols for protecting classified information, and those protocols usually state that classified info can only be shared under certain conditions. So when people say Signal isn't appropriate for sharing state secrets, it's not just about Signal - it's about any consumer messaging app. Whether it's WhatsApp, Signal, or Telegram, they all pose risks," Voge told Euronews Next.
A key danger is that
Signal
is available to the general public and used by millions worldwide.
"Anyone in the world can create a Signal account. So, for example, someone without security clearance could be accidentally added to a group chat. That's one way secrets could be leaked - by accident, human error, or on purpose," Voge added.
"Also, Signal is used on personal devices. That introduces the risk of spyware - software that can record what's happening on your device in real-time and send it to a third party. So even if Signal is the most secure app in the world, if your phone has spyware, it's still a leak".
Related
'My concerns are more about people, institutions than the tech': Signal's Meredith Whittaker on AI
Warnings Signal was a target for hackers
In fact, the Pentagon issued a department-wide memo just days after the Signal group chat leak, warning that Russian professional hacking groups were actively targeting the app.
According to the memo, the attackers were exploiting Signal's "linked devices" feature - a legitimate function that allows users to access their account across multiple devices - to spy on encrypted conversations.
If a device is compromised - whether through malware, unauthorised access, or sophisticated spyware like Pegasus - encryption becomes irrelevant.
Gustavo Alito
Cybersecurity expert, Equans BeLux
"Signal's effectiveness depends on the security of the device used. It's like installing the most secure alarm system in a house without doors," Gustavo Alito, a cybersecurity expert at Equans BeLux, noted.
"If a device is compromised - whether through malware, unauthorised access, or sophisticated spyware like Pegasus - encryption becomes irrelevant. Attackers can monitor and capture all device activity in real time, including messages being written," he told Euronews Next.
"A surprising development in this case is that reports indicate Signal was pre-installed on US government devices. While this suggests an institutional push for encrypted communication, it also raises concerns," Alito added.
"The fact that Signal was made widely available may have led officials to assume it was approved for classified discussions, despite warnings from the NSA and the Defence Department against using it for sensitive matters".
Related
What is Pegasus, the Israeli mobile phone spyware used by governments around the world?
Signal, WeChat, WhatsApp, Telegram: Which is the most secure platform?
On the low end of the spectrum, where messages are most vulnerable, are platforms that either lack end-to-end encryption or don't enable it by default.
ADVERTISEMENT
According to Voge, "that means it's encrypted from endpoint to endpoint. So, for example, one endpoint is your phone and the other is mine - and as the conversation or text goes back and forth between us, no third party can decrypt it, not even the provider".
Apps like WeChat, for instance, do not offer end-to-end encryption, meaning messages can potentially be accessed by the service provider or government authorities - a major concern in countries like China.
Similarly, Telegram does not encrypt group chats or even one-on-one chats by default; users must manually enable "secret chats" for end-to-end protection. Because of this, messages on these platforms are more susceptible to interception.
At the high-security end are apps like Signal, WhatsApp, and to a limited extent, iMessage, all of which offer end-to-end encryption by default.
ADVERTISEMENT
Among them, Signal stands out for its open-source protocol, non-profit governance, minimal metadata retention, and default encryption across messages, calls, and group chats.
Related
Whatsapp faces strictest EU platform rules, but not Telegram
WhatsApp, while also encrypted using Signal's protocol, is owned by Meta and retains more metadata, which some view as a potential vulnerability. iMessage is considered technically secure, but it's a closed-source, Apple-only system, which limits transparency and auditing.
So,
Signal
is widely regarded by experts as the gold standard for encrypted messaging, but, as we've just seen, it is not immune to risks stemming from user error, device compromise, or misuse in contexts requiring classified communication protocols.
"Like any company, Signal regularly audits other parts of their app - like how users verify their phone numbers or add new devices. Sometimes issues come up, and they respond with security patches, which they publish on their website with details," said Voge.
ADVERTISEMENT
"You may have heard of a recent vulnerability involving Russia. This was a phishing attack used in Ukraine: attackers sent fake QR codes to trick people into joining Signal groups. When someone scanned the code, it linked a new device to their account - effectively hijacking it," he continued.
"It wasn't a flaw in the encryption protocol, but in how Signal handled device linking. Signal responded with an update - now, if you want to link a new device, you need Face ID or Touch ID".
Related
Report shows how messaging apps are used to spread political propaganda
What's the best way to message securely?
So what should Hegseth, Vance, Waltz and the rest of the Houthi PC small group have done instead?
The US government almost certainly has its own systems for handling classified information.
ADVERTISEMENT
"Government officials are generally expected to use special devices and systems not available to the public. You might imagine a platform that only government officials can download, and maybe even has levels of classification built in - like confidential, secret, and top secret," said Voge.
Indeed, he pictures "a government setting in which officials go to a secure room, leave their personal devices behind, and use a special computer that's not connected to the Internet to access sensitive information".
"Since people travel, there are probably government networks or apps only accessible to officials using government-provided devices. These systems wouldn't be available to the public, and probably have built-in ways of handling classification levels," he added.
Related
Telegram ban: Which countries are clamping down on it and why?
Or, as Alito puts it, "a government-approved, end-to-end encrypted system designed specifically for classified communications. Secure platforms like the NSA's Secure Communications Interoperability Protocol (SCIP) or classified networks such as SIPRNet and JWICS are more aligned with a governmental organisation's security and encryption needs".
ADVERTISEMENT
The system should also allow for records of conversations to be kept, which ties into record-keeping laws.
"Some governments require policymakers to retain a record of their messages or emails. But Signal has features like disappearing messages. So if government officials use it, that record of communication could be lost, which may go against transparency or accountability laws," Voge said.

Try Our AI Features

Explore what Daily8 AI can do for you:

Learn with AIFact CheckingText to SpeechAI Summary

Related Articles

France 24

3 hours ago

• France 24

New 'massive' Russian drone attack kills at least one person in Kyiv, says Ukraine

Ukraine said Monday "another massive attack" on Kyiv by Russian drones was underway, a day after the country's top military commander vowed to increase the "scale and depth" of strikes on Russia. At least one person was killed and several wounded in Russian strikes on Kyiv and the surrounding region, Ukraine authorities said Monday. Diplomatic efforts to end the three-year war have stalled, with the last direct meeting between the two sides almost three weeks ago and no follow-up talks scheduled. "Another massive attack on the capital. Possibly, several waves of enemy drones," said a statement from Tymur Tkachenko, head of Kyiv's military administration. "Unfortunately, as a result of the enemy attack in Bila Tserkva district, a woman born in 1957 died from her injuries," said Mykola Kalashnyk of Kyiv's military administration. Two people were hospitalised in the Solomianski district, said Kyiv Mayor Vitali Klitschko, and two others were injured near a metro station in the Sviatochinski district, Tkachenko later said. AFP journalists in Kyiv heard the buzzing of a drone flying over the city centre and explosions, as well as gunfire. They saw around 10 people sheltering in the basement of a residential building in central Kyiv waiting for the attack to end, most of them scrolling their phones for news. The latest strikes came after Ukrainian commander-in-chief Oleksandr Syrsky vowed to intensify strikes on Russia. "We will not just sit in defence. Because this brings nothing and eventually leads to the fact that we still retreat, lose people and territories," he told reporters, including AFP. 06:31 Syrsky said Ukraine would continue its strikes on Russian military targets, which he said had proved "effective". "Of course, we will continue. We will increase the scale and depth," he said. Fair response Ukraine has launched retaliatory strikes on Russia throughout the war, targeting energy and military infrastructure sometimes hundreds of kilometres from the front line. Kyiv says the strikes are a fair response to deadly Russian attacks on Ukrainian infrastructure and civilians. At least four people were killed in an overnight Russian strike on an apartment building in the eastern Ukrainian city of Kramatorsk, while a strike on a Ukrainian army training ground later in the day killed three others, officials said. In wide-ranging remarks, Syrsky conceded that Russia had some advantages in drone warfare, particularly in making fibre-optic drones that are tethered and difficult to jam. "Here, unfortunately, they have an advantage in both the number and range of their use," he said. He also claimed that Ukraine still held 90 square kilometres (35 square miles) of territory in Russia's Kursk region, where Kyiv launched an audacious cross-border incursion last August. "These are our pre-emptive actions in response to a possible enemy offensive," he said. Russia said in April that it had gained full control of the Kursk region and denies that Kyiv has a presence there. Russia occupies around a fifth of Ukraine and claims to have annexed four Ukrainian regions as its own since launching its invasion in 2022 -- in addition to Crimea, which it captured in 2014. Kyiv has accused Moscow of deliberately sabotaging a peace deal to prolong its full-scale offensive on the country and to seize more territory. The Russian army said Sunday that it had captured the village of Petrivske in Ukraine's northeast Kharkiv region. Russian forces also sent at least 47 drones and fired three missiles towards Ukraine between late Saturday and early Sunday, the Ukrainian air force said.

France 24

4 hours ago

• France 24

Ukraine says 'massive' Russian drone attack on Kyiv

Diplomatic efforts to end the three-year war have stalled, with the last direct meeting between the two sides almost three weeks ago and no follow-up talks scheduled. "Another massive attack on the capital. Possibly, several waves of enemy drones," said a statement from Tymur Tkachenko, head of Kyiv's military administration. Two people were hospitalised in the Solomianski district, said Kyiv Mayor Vitali Klitschko, and two others were injured near a metro station in the Sviatochinski district, Tkachenko later said. AFP journalists in Kyiv heard the buzzing of a drone flying over the city centre and explosions, as well as gunfire. They saw around 10 people sheltering in the basement of a residential building in central Kyiv waiting for the attack to end, most of them scrolling their phones for news. The latest strikes came after Ukrainian commander-in-chief Oleksandr Syrsky vowed to intensify strikes on Russia. "We will not just sit in defence. Because this brings nothing and eventually leads to the fact that we still retreat, lose people and territories," he told reporters, including AFP. Syrsky said Ukraine would continue its strikes on Russian military targets, which he said had proved "effective". "Of course, we will continue. We will increase the scale and depth," he said. Fair response Ukraine has launched retaliatory strikes on Russia throughout the war, targeting energy and military infrastructure sometimes hundreds of kilometres from the front line. Kyiv says the strikes are a fair response to deadly Russian attacks on Ukrainian infrastructure and civilians. At least four people were killed in an overnight Russian strike on an apartment building in the eastern Ukrainian city of Kramatorsk, while a strike on a Ukrainian army training ground later in the day killed three others, officials said. In wide-ranging remarks, Syrsky conceded that Russia had some advantages in drone warfare, particularly in making fibre-optic drones that are tethered and difficult to jam. "Here, unfortunately, they have an advantage in both the number and range of their use," he said. He also claimed that Ukraine still held 90 square kilometres (35 square miles) of territory in Russia's Kursk region, where Kyiv launched an audacious cross-border incursion last August. "These are our pre-emptive actions in response to a possible enemy offensive," he said. Russia said in April that it had gained full control of the Kursk region and denies that Kyiv has a presence there. Russia occupies around a fifth of Ukraine and claims to have annexed four Ukrainian regions as its own since launching its invasion in 2022 -- in addition to Crimea, which it captured in 2014. Kyiv has accused Moscow of deliberately sabotaging a peace deal to prolong its full-scale offensive on the country and to seize more territory. The Russian army said Sunday that it had captured the village of Petrivske in Ukraine's northeast Kharkiv region. Russian forces also sent at least 47 drones and fired three missiles towards Ukraine between late Saturday and early Sunday, the Ukrainian air force said. © 2025 AFP

France 24

10 hours ago

• France 24

Democrats assail 'erratic' Trump over Iran strikes

Members of the Senate and House of Representatives argued that US intelligence had not shown an imminent threat from the Middle Eastern country that justified Trump's unilateral action. "President Trump's actions in bombing Iran puts the US on the brink of a wider war in the Middle East, all without constitutionally required Congressional approval," Senate Democratic Whip Dick Durbin said in a statement. Democrats were divided between those demanding a vote on a war powers resolution to constrain Trump's authority to launch further action and a smaller group, who maintained that the strikes were grounds for the Republican leader's impeachment. They included Illinois moderate Sean Casten and New York leftist Alexandria Ocasio-Cortez, who accused the president of having "impulsively risked launching a war that may ensnare us for generations." Chuck Schumer and Hakeem Jeffries, the Democratic leaders in the Senate and House respectively, said Trump had "dramatically increased" America's risk of becoming embroiled in a new Middle Eastern conflagration. "No president should be allowed to unilaterally march this nation into something as consequential as war with erratic threats and no strategy," Schumer said. The Democrats have foreign policy hawks in their ranks and many were quick to point to the threat that a nuclear-armed Iran would pose --- while still upbraiding Trump for acting without consulting lawmakers. "The Constitution makes clear that the power to authorize war lies with Congress... The American people deserve more than vague rhetoric and unilateral decisions that could set off a wider war," said Mark Warner, vice chairman of the Senate intelligence committee. The loudest Democratic voice in support of the strikes was staunchly pro-Israel Senator John Fetterman, who singled out Trump for praise -- something even party colleagues who support the strikes have avoided. "As I've long maintained, this was the correct move by (Trump)," the Pennsylvania centrist posted on X. "Iran is the world's leading sponsor of terrorism and cannot have nuclear capabilities." Republicans have been lining up since the strikes to praise Trump and endorse his decision to hit three Iranian nuclear facilities -- with little dissent among the ranks. But Kentucky conservative Thomas Massie accused Trump of escalating the conflict between Israel and Iran. "When two countries are bombing each other daily in a hot war, and a third country joins the bombing, that's an act of war," said Massie, who introduced a bipartisan resolution earlier this month to require any military action to be approved by lawmakers. "I'm amazed at the mental gymnastics being undertaken by neocons in DC (and their social media bots) to say we aren't at war... so they can make war."