Last week, senior US administration officials—including Defense Secretary Pete Hegseth, CIA Director John Ratcliffe, Director of National Intelligence Tulsi Gabbard, National Security Adviser Mike Waltz, and Vice President JD Vance—used the encrypted app Signal to discuss a planned military strike in Yemen. But in a critical misstep, they mistakenly included The Atlantic’s editor-in-chief, Jeffrey Goldberg, in the group conversation.
The incident has sparked widespread backlash and prompted Democratic lawmakers to call for a congressional investigation into what they describe as a serious national security breach.
Signal is an open-source, end-to-end encrypted messaging platform that operates on centralised servers maintained by Signal Messenger. It stores users’ messages and data on their own devices, not on external servers, and allows for disappearing messages.
Despite its reputation for strong encryption, Signal is not hosted on government-controlled infrastructure, nor does it use US government-certified encryption—raising questions about why top officials entrusted with national security would opt for a third-party app.
Is Signal, with its 70 million users worldwide, truly as secure as its reputation suggests—or simply more convenient?
Encryption without barriers
The text-and-voice app, which is a little over a decade old, is widely regarded by mobile security specialists as the gold standard for end-to-end encrypted communication. Its use has become common not only among privacy-minded activists, but also among government officials, members of Congress, lawmakers, generals, and corporate leaders.
The phrase “Let’s take this to Signal” has become a universal cue for a conversation that needs to go off record.
A recent review by the Associated Press found that more than 1,100 government officials across all 50 states are currently using Signal.
But Signal’s popularity does not eliminate the risk of user error or platform misuse. The Trump administration’s chat exchange reportedly took place just two hours before a planned military strike targeting a Houthi leader in Yemen, according to screenshots obtained by The Atlantic. The messages included time, location, and military assets involved—details that would typically be classified.
The fallout was swift. "I am appalled by the egregious security breach from top administration officials," Republican Senator Lisa Murkowski wrote on X. "Their disregard for stringent safeguards and secure channels could have compromised a high-stakes operation and put our service members at risk".
The decision to bypass secure, government-controlled communication systems has raised alarms in Washington, with lawmakers demanding answers. But cybersecurity experts say the issue may stem less from ideology and more from usability.
“The issue is not encryption, but access control,” said M. Angela Sasse, Professor of Human-Centred Security at Ruhr University Bochum and University College London.
“Anyone can join Signal, send invitations, and be included by accident, as seems to have happened in this case. With a government-controlled system, this would not happen because the government can restrict access to specific participants with government-issued identities and access permissions,” she explained to TRT World.
Government platforms, by contrast, often require clearance, registration, and administrative permissions that can delay real-time communication. Signal allows anyone with a phone number to create a group in seconds—with no gatekeepers.
“The primary reason has nothing to do with ideology, it is usability and functionality,” Sasse added. “If you and your friends are already using Signal or WhatsApp, you can quickly set up a group without asking anyone. With a government-controlled system, someone would have to give you and the people you want to talk to access, and to be honest, many of those systems are incredibly clunky.”
From leak to investigation
While some administration officials initially downplayed the incident, claiming the group had not shared actual war plans, The Atlantic's editor-in-chief later released screenshots showing operational details.
Now, Senators Roger Wicker and Jack Reed, the top Republican and Democrat on the Senate Armed Services Committee, have formally asked the Pentagon to investigate whether classified information was moved to unsecured platforms—and whether policies around information-sharing were violated.
Beyond functionality, there may also be a cultural or ideological factor at play. “In this particular case, there may also be an ideological angle – being against anything with traditional government and its systems,” Sasse said.
“Ironically, past US government agencies actually funded the development of Signal as it is today, a usable encrypted chat app for everyone.”
In 2023, the non-profit, which is funded by donations and a $50 million investment from WhatsApp co-founder Brian Acton in 2017, said in a blog post that it would need $50 million each year to operate by 2025.
Despite its encryption credentials, Signal’s open-access design is precisely what made the breach possible.
“You have a system with Identity and Access Management to avoid things like this happening,” Sasse explained. “If you don’t want to use a government system, Signal is actually the most secure choice.”
But this isn’t the first time high-level figures have bypassed official systems, opting for ease over protocols. From Hillary Clinton’s private email server to UK officials using WhatsApp during the pandemic, government figures around the world have turned to private platforms despite the risks.
“The lesson that only usable security is secure has [still] not been learnt,” said Sasse.