‘Signalgate’ continues to rumble on, with even more of the Signal messages that were shared between Trump officials – and, inadvertently, The Atlantic – revealed today. But how exactly did this group chat debacle happen, and what does it say about Signal? We’ve answered all of this and more in our one-stop explainer about the app that’s in the eye of a political storm.
With robust privacy credentials, Signal has long set the standard for secure messaging. But in the wake of those revelations that US government officials inadvertently added a journalist to a group chat where confidential military plans were discussed, there are fresh (and mostly unfair) question marks over how reliable the app’s protections really are.
Signal’s reputation has made it popular with journalists, politicians and privacy advocates. Used correctly on an Android or iOS device, it can absolutely make your conversations more secure. Even so, it’s not a tool designed for sharing classified information.
So why have senior US politicians been using it for sensitive national security communications? And how safe were those messages? Here’s what you need to know about Signal – and how to use it properly for private messaging.
What is Signal?
- Signal is a secure messaging app with end-to-end encryption
- It’s operated by the Signal Foundation, a non-profit organization
- Open source code makes the platform more resilient
Signal is a messaging app that’s available for iOS and Android devices. Like the best messaging apps, it supports cross-platform text, voice and video chats. What sets Signal apart is its robust privacy features: it’s regarded as the benchmark for secure mobile communications. Which makes Signalgate all the more ironic, even though it has little to do with the app’s technical security.
End-to-end encryption ensures messages can only be read by the sender and receiver, while open-source code means anyone can inspect the app for vulnerabilities, making it more likely that they are found and fixed before hackers can exploit them.
Signal was created in 2012 by Moxie Marlinspike. It’s now run by the Signal Foundation, a non-profit organization founded in 2018 by Marlinspike and WhatsApp co-founder Brian Acton. The Foundation relies on donations rather than ad revenue to fund its services. That means users can enjoy an ad-free and tracker-free experience, knowing that their data won’t be sold to third parties.
In our in-depth Signal review, we noted that the app offers “fewer bells and whistles than the more popular (and less secure) messaging apps”. Instead, its developers have focused on creating a secure, minimalist communications tool.
It’s this approach which has made it popular with everyone from whistleblowers and activists to journalists and privacy advocates, who favor its more secure architecture.
How safe and secure is Signal?
- Used correctly, Signal is the most secure messaging app
- It’s only as secure as the devices sending and receiving messages
- User error can compromise the privacy of group chats
Used correctly, Signal has the most robust privacy credentials of any major messaging app. It has the most layers of security at both the front-end and back-end. Messages themselves are deeply protected against hacking, while the app offers a toolkit to ensure communications are only seen by who they’re intended for.
So how did a journalist from The Atlantic end up on a group chat with US government officials, including Vice-President JD Vance and White House chief of staff Susie Wiles? Signal CEO Meredith Whittaker maintains that the app is “the gold standard” in private communication. Here’s the challenge: as strong as Signal’s security features are, they are reliant on the end user understanding how they work.
This incident was not really a failing of Signal. The journalist in question did not infiltrate the group chat through a backdoor. Instead, a member of that chat – which included 18 people – unintentionally but actively added the reporter to the group, which gave the reporter access to sensitive messages discussing air strikes in Yemen.
Any group chat is only as secure as its members. Even with disappearing messages enabled, there is a window in which anyone in that group can read them. By mistakenly adding the journalist to the group, the US official became responsible for compromising its integrity.
Some voices have criticized the fact that the app allowed this, but the option to add a contact to a chat is a core function of group communications. The fault here doesn’t lie with Signal – the reality is that, as secure as the app is, it’s not an appropriate platform for sharing highly confidential state information.
What’s more, messages sent on Signal are only as secure as the device that is receiving them. If a smartphone is compromised or left unlocked, all of the Signal messages on that device can be read. There is also nothing to prevent someone simply reading messages over your shoulder.
Matthew Mittelsteadt, a technology policy research fellow for the Cato Institute, said as much in a statement emailed to CNN. “Messages may be secure when they are in transit between phones, but once they reach the recipient, security can indeed fail.”
This is why the use of Signal by top US officials fell far short of government security protocols. Data expert Caro Robson, quoted by the BBC, said communications like these would usually take place on “a very secure government system that is operated and owned by the government using very high levels of encryption.”
While officials from the Trump administration have claimed that none of the information shared was classified, a memo from the Defense Department circulated in 2023 and obtained by NPR banned the use of mobile apps for “controlled unclassified information”. Since the leak, the Pentagon has issued an advisory prohibiting the use of Signal even for “unclassified information”.
National Security Adviser Mike Waltz has acknowledged the failing. Speaking to Fox News, he described it as “embarrassing” and took “full responsibility”.
How does Signal work?
- Signal uses open-source, end-to-end encryption to secure messages
- The Signal Foundation doesn’t monetize user data or sell ads
- User features are designed for security, including personal PINs
Signal offers greater security in three key ways. The first is through end-to-end encryption, which means messages are scrambled in transit, then decoded when delivered to the intended device. No-one else can read these messages, not even Signal.
While other messaging apps also offer end-to-end encryption, Signal’s is more secure because it’s open source. Not only does this make the platform more transparent, but it also allows absolutely anyone to examine the code for potential vulnerabilities. This community scrutiny makes it more likely that problems are found and fixed before hackers can exploit them.
Then there are the Signal Foundation’s principles. The app itself collects less user data than other services, with message history stored on user devices rather than Signal’s servers. Of the very limited information that is collected by Signal, none of it is monetized: as a non-profit, the Foundation relies on donations rather than advertising revenue. That also means users won’t be tracked or encounter ads on the platform.
Finally, there are the safety features integral to the user experience. These include a personal PIN to secure your profile and the option to hide your phone number. Every one-to-one Signal chat also has a safety number, which can be used to verify that you’re communicating with the right person. In addition, you can’t be added to a group chat without giving your express approval.
How to get started with Signal
- The Signal app is available for iOS and Android devices
- Setup requires a phone number to receive a verification call or text
- Privacy features include personal PINs and disappearing messages
Getting started with Signal is pretty easy – the app is free to download from the App Store for iOS devices and the Google Play Store for Android smartphones. To create an account, you need a phone number which will be verified by phone call or text message. Once you’ve set up your account, your number will be hidden from other Signal users by default (see below).
The app’s interface and basic functions will be familiar to anyone who has used a messaging app such as WhatsApp, Messenger or Telegram. Tap the pencil icon to start a one-on-one or group chat. Within a chat, you can share messages, photos and voice notes. You can also tap the phone or camera icons to start voice or video calls.
If you’re keen to secure your messages, there are a few more advanced features to explore and configure. A Signal PIN can be used to recover your profile and settings on a different device. It’s configured by going to Signal Settings, tapping Account, then selecting Change your PIN.
Signal also encourages users to verify Safety Numbers. These are generated for every one-on-one chat to confirm that you’re sending messages to the right person. To view a Safety Number, open a chat, tap the header and select View Safety Number. To verify it, you would ideally compare numbers with the recipient in person. Otherwise, you can share it using a trusted channel.
Disappearing messages add an additional layer of privacy. After a set period of time, the contents of messages are no longer visible, whether they’ve been read or not. You can set a default timer by going to Signal Settings > Privacy > Default timer for new chats. You can also configure timers for specific chats. Just go to chat settings and select Disappearing messages.
Signal also offers features to keep your communications activity hidden. Screen Security stops a preview of Signal appearing when you switch apps. You can enable it by heading to Settings > Privacy and selecting Screen Security on Android or Hide Screen in App Switcher on iOS.
In addition, you can hide Signal calls from your device’s call log. This is enabled by default, but to double check, head to Signal Settings > Privacy and look for Show Calls in Recents.
Finally, to manage the visibility of your phone number, go to Signal Settings > Privacy > Phone Number and tap ‘Who can find me by my number’. To set up a unique username that you can use instead of your number, go to Signal Settings > Profile.
Even with all of the above features enabled, remember that your Signal communications are only as secure as your smartphone itself. To avoid a leak of information like the US government suffered, be sure to activate your device’s full set of security features, keep it locked with a passcode when not in use and don’t access sensitive messages in public.