Sign up for the Slatest to get the most insightful analysis, criticism, and advice out there, delivered to your inbox daily.
The one news story that’s been all but inescapable this week is the Trumpworld embarrassment crudely recognized as “Signalgate”—the awkward, alarming saga of how the Atlantic’s editor in chief became an inadvertent witness to the government’s military planning via a group chat on the privately owned, encrypted messaging app Signal.
It was such an obvious fuck-up, an unmistakable national-security breach with such troubling implications, that the parties responsible had a difficult time owning up to things. Somehow, as my colleague Ben Mathis-Lilley noted, President Donald Trump briefly emerged as the Adult in the Room, giving the most honest plausible explanation for the fiasco—that it was a contact mix-up on national security adviser Mike Waltz’s part—as the others stammered their way through accusations that Jeffrey Goldberg had wiggled his way in. (It was likely harder for them to keep up the charade after the German newsmagazine Der Spiegel reported Wednesday that private contact info for Secretary of Defense Pete Hegseth and Waltz is “particularly easy” to find online.) Of course, Trump’s moment of relative integrity was never bound to last. On Wednesday evening, according to Forbes, he wafted away any individual blame by telling reporters: “I don’t know that Signal works. I think Signal could be defective, to be honest with you. … It could be a defective platform, and we’re going to have to figure that out.”
Let’s be very clear about a couple of things here. One, there was no reason for any of these people to be planning bombing campaigns over Signal. A 2023 Pentagon memo forbids staffers from using any unclassified communication network “to access, transmit, process non-public DoD information,” since there’s already a specialized Defense intranet system for classified info. Other departments are similarly discouraged from using private chat networks for official business, though they are not banned from doing so if officials have been explicitly “targeted” by foreign adversaries or, as the CIA’s John Ratcliffe recently told Congress, if staffers follow specific governance measures in turn.
Two, even if there were no government guidance on Signal usage, it doesn’t change the fact that the error that led to Signalgate is not Signal’s fault. To imply otherwise, as Trump did, is not just to deny reality—it is to engage in a dangerous, long-running propaganda campaign that could undermine the very foundations of privacy in modern American society.
Yes, Trump officials lie all the time, but they’re not the only ones casting unfounded aspersions upon Signal’s basic functionality. On Tuesday, a screenshot of an NPR scoop made its way around the social media mines, noting vaguely that “a Pentagon-wide email went out last week about the vulnerability of using the messaging app Signal.” A follow-up then delved into the specifics: that Russian hacking groups had been targeting certain Signal accounts with phishing attempts. But the initial message spread far more widely, getting pickup from Democratic Party operatives as a gotcha against Hegseth—that he obviously should have known better than to use such a flawed platform. Signal’s leaders, recognizing that “there are a lot of new eyes on Signal, and not all of them are familiar with secure messaging,” were forced to clarify that the “vulnerability” in question “had nothing to do with Signal’s core tech.”
Indeed, there seems to be a general misunderstanding around what Signal is and how it works. One write-up of this whole incident has referred to the service as “a commercial messaging app,” even though Signal is run by a nonprofit foundation that shares its name. So it’s worth clearing up some misconceptions.
Signal is a 10-year-old messaging app that emerged from software developed for the mobile-security company Whisper Systems in the early 2010s. These involved two separate apps—one for end-to-end encrypted voice calling, the other for end-to-end encrypted text messaging—that were combined into one service called Signal and released in 2014, making history as the first free nonprofit all-in-one encrypted communications system. The platform gained further traction that year when WhatsApp, the messaging service that had just been bought by Facebook, incorporated Signal’s open-source protocol into its own encryption framework, which encouraged rival messengers from Microsoft and Google to offer encryption settings as well. Signal also earned admiration for working around an infamous subpoena from the Obama administration, which had demanded that Signal’s nonprofit turn over browsing information affiliated with two users’ phone numbers as part of a federal grand-jury investigation. The thing is, Signal could not have done that even if it wanted to, since it does not track and collect such information from its users.
Instead, Signal requires only minimal information and doesn’t keep much in its servers. Users (like myself) have special passkeys to verify their identity with the app, and all messages and media transmitted are stored on each individual user’s phone—not anywhere in Signal’s back-end chambers. Over the years, Signal has added even more features to beef up its privacy settings: allowing for messages to disappear from users’ phones after a set amount of time, incorporating an automatic face-blurring tool for potentially sensitive images, and using servers based outside the United States that can obscure users’ IP addresses. Unlike Telegram, which does not automatically encrypt messages in its larger-size chat rooms, Signal limits the size of its group chats and keeps encryption as the default.
Does that mean Signal is perfect and foolproof? Not at all. The Signal Foundation’s small size and tightly controlled budget (mostly grants and donations) make it hard for the app to handle sign-up surges, like the influx of users in early 2021 who left WhatsApp after it expanded the types of user info that could be shared with other Facebook companies. (Signal’s servers have also been known to crash in other circumstances.) In 2022 the company Twilio—which contracts with various tech companies to offer communications software—suffered a breach that exposed the phone numbers of nearly 2,000 Signal clients, highlighting the vulnerabilities inherent in requiring phone numbers for user verification. Still, on the whole it’s far more trusted by its users than just about any other encrypted chat app. And it has avoided the types of controversies that have plagued far more popular alternatives, like WhatsApp and Telegram, around the incitement of violence and crime.
So the flailing fearmongering from Trump around Signal’s being “defective” is wrong, but it’s not hard to guess from whom he might have gotten that idea. Last year, a right-wing campaign accused NPR of acting as a Marxist propagandist network (a charge that led to a congressional hearing on the matter this week). The well-known fabulist Christopher Rufo pointed out that NPR CEO Katherine Maher also sits on the Signal Foundation’s board and implied baselessly that this may have “compromised” Signal’s integrity. (Maher’s position with the Wikimedia Foundation, which runs Wikipedia, has similarly inspired far-right trolls to smear the internet encyclopedia as biased.) Elon Musk, previously a longtime Signal fan, glommed onto Rufo’s posts to allude to “known vulnerabilities with Signal,” in a tweet that saw him get corrected by his own beloved Community Notes feature. Last month, Musk even went so far as to block Signal links on X.
For now, Signal’s co-founder may feel comfortable quipping about this whole matter, but don’t be surprised if the fallout from the whole affair leads to more conspiracizing around the app—especially now that Musk is so close to Trump. Apparently, Musk has already been assigned to investigate Signalgate with the assistance of his “technical experts” at DOGE. Don’t expect the truth to come out.
