SignalGate Isn't About Signal

The controversy surrounding the Trump cabinet's accidental invitation to The Atlantic's editor in chief to join a text-message group secretly planning a bombing in Yemen has rolled into its third day, and that controversy now has a name: SignalGate, a reference to the fact that the conversation took place on the end-to-end encrypted free messaging tool Signal. As that name becomes a shorthand for the biggest public blunder of the second Trump administration to date, however, security and privacy experts who have promoted Signal as the best encrypted messaging tool available to the public want to be clear about one thing: SignalGate is not about Signal.

The reaction from the Trump cabinet's critics and even the administration itself has in some cases seemed to cast blame on Signal vulnerabilities. However, security experts argue that this is a misdirection. "The security of Signal itself is not one of the issues here," says cryptography researcher Andy White. "If anything, Signal has been doing a great job of protecting its users from phishing attacks and other threats."

The Real Problem: Lack of Security Hygiene

So, what went wrong? According to experts, the issue is not the security of Signal itself but the lack of proper security hygiene among the Trump administration officials who used the app. "Putting aside for a moment that classified information should never be discussed over an unclassified system," says US Army veteran and founder of Gate 15, Andy Jabbour, "it's also just mind-boggling to me that all of these senior folks who were on this line and nobody bothered to even check, security hygiene 101, who are all the names? Who are they?"

Even with decision-making authorities present and participating in a communication, establishing an information designation or declassifying information happens through an established, proactive process. As Jabbour puts it, "If you spill milk on the floor, you can't just say, 'That's actually not spilled milk, because I intended to spill it.'"

The Trump Administration's Deflection Tactics

The Trump administration has tried to downplay the severity of the situation by claiming that no classified material was discussed in the Signal chat. However, sources close to the matter tell WIRED that even non-classified information can be extremely sensitive and is typically carefully protected.

US Senator Mark Warner, a Virginia Democrat, said during Tuesday's Senate Intelligence Committee hearing: "Putting aside for a moment that classified information should never be discussed over an unclassified system, it's also just mind-boggling to me that all of these senior folks who were on this line and nobody bothered to even check, security hygiene 101, who are all the names? Who are they?"

Signal's Response to Criticism

Signal has pushed out an update to make phishing attacks far harder to pull off. "Phishing attacks against people using popular applications and websites are a fact of life on the internet," Signal spokesperson Jun Harada tells WIRED. "Once we learned that Signal users were being targeted, and how they were being targeted, we introduced additional safeguards and in-app warnings to help protect people from falling victim to phishing attacks. This work was completed months ago."

And yet, some have sought tenuous connections between the Trump cabinet's security breach and Signal vulnerabilities. On Tuesday, for example, a Pentagon adviser echoed a report from Google's security researchers, who alerted Signal earlier this year to a phishing technique that Russian military intelligence used to target the app's users in Ukraine.

The Real Lesson Learned

The real lesson here is not about Signal itself but about the importance of following proper security protocols and procedures. As Andy White puts it, "If the Trump administration is going to put secret communications at risk by discussing war plans on unapproved commercial devices and freely available messaging apps, they could have done much worse than to choose Signal for those conversations, given its reputation and track record among security experts."