SignalGate: What is it and why are people upset about it?
Have you heard about something the internet is calling “SignalGate”? Whether you have no idea what it is or you’re struggling to separate fact from fiction, we’ve put together this guide to help you sift through everything on the internet to actually understand what’s going on and why so many people are upset about it.
What is Signal?
Signal is a call and message app that promises it can’t read your messages or listen in on your calls because it uses end-to-end encryption to protect your data and unencrypted data is only stored locally on your device. That makes it a lot harder for people to read your messages as they get sent and prevents Signal itself from being able to read your messages and sell information about your conversations to other companies. Signal also gives you the ability to delete a message you sent for everyone, either immediately or automatically after a certain amount of time, allowing you some control over who has access to information you send and for how long.
Is Signal trustworthy?
Signal Foundation, the nonprofit that designed Signal, released the app’s code to the public for free; this allows anyone with some coding skills to verify that the app is doing what Signal Foundation claims its code is doing. Additionally, Signal Foundation is more transparent than most companies about when they receive subpoenas and warrants for user data and how they respond to them. There is no indication that they have been secretly saving and reading user data.
So Signal is pretty secure, right?
Yes and no. Normal text messages and default messaging apps don’t tend to be very secure, as they don’t always protect your data as it’s being sent. Many experts recommend that you use apps like Signal that provide end-to-end encryption, even when you’re not talking about anything particularly secret, to protect yourself against surveillance.
But this doesn’t mean Signal is appropriate for classified information. Signal has known innate vulnerabilities (some of which even Elon Musk has called out) and reported spear-phishing attempts on specific employees of defense industry firms and the armed forces. Google Threat Intelligence Group has also warned that Russian hackers are using a “group link” feature in Signal to connect to other users’ devices and get access to user chats.
The Pentagon reminded employees that while Signal could be used for “unclassified accountability/recall exercises,” it was “NOT approved to process or store nonpublic unclassified information,” much less classified or highly classified information. U.S. government employees are typically expected to use government-secured methods, such as Sensitive Compartmented Information Facilities (SCIFs) to store, use, and discuss sensitive information, to avoid these concerns.
So what was the "breach"?
On March 24th, editor-in-chief of The Atlantic Jeffrey Goldberg published an article reporting that he was inadvertently added by national security advisor Mike Waltz to a Signal group chat on March 13th called “Houthi PC small group.” The group included some of Trump’s top officials, including Waltz, U.S. Secretary of Defense Pete Hegseth, U.S. Secretary of State Marco Rubio, CIA Director John Ratcliffe, Director of National Intelligence Tulsi Gabbard, and Vice President JD Vance. On March 15th, Goldberg claims, Hegseth texted a war plan for a U.S. bombing of Houthi targets in Yemen to the group, just hours before the bombing actually occurred. A National Security Council spokesperson confirmed that screenshots of the text messages that Goldberg had taken while still in the chat appeared “to be an authentic message chain” and that the Council was reviewing “how an inadvertent number was added to the chain.” Both the accidental disclosure of sensitive information, as well as the use of a commercial app for said information, has lawmakers on both sides of the aisle calling this a breach of classified information and security protocols.
Was the information in the chat actually classified?
Classified information is defined as information whose unauthorized disclosure could cause serious damage to national security. Government officials typically take active steps to classify information about “military plans, weapons systems, or operations.”
Ratcliffe and Gabbard testified that classified information was not provided in the group chat, but refused to reveal what was discussed in the chat, despite being obligated to provide relevant unclassified testimony—casting doubt on their claim that the information wasn’t classified or sensitive. Hegseth himself also said to reporters that there were no discussions of war plans in the group chat. In response, Goldberg published a follow-up with screenshots of the conversation, which included a text from Hegseth reciting a schedule for the military operation to be performed that day. Anonymous defense officials told CNN reporters that the information Hegseth disclosed was highly classified at the time.
So there wouldn’t be a problem here if Signal fixes the vulnerabilities you mentioned above and if people just try harder to add the correct people to chats, right?
Not so fast. The National Counterintelligence and Security Center requires a whole host of physical safeguards to prevent a computer with classified information from being accessed, hacked, or stolen, including only allowing certain information to be accessed in specific facilities requiring badge access and including air gapped computers and physical barriers to remove the computer. A personal phone with Signal installed does not have these safeguards; even with updates to fix known vulnerabilities, Signal would never be able to prevent physical access to a device with classified information, risking the possibility that the device is stolen or hacked, or even that the classified information is exposed just from someone opening a classified chat in public and a random person glancing over at their screen.
What else is wrong with using Signal for official government business?
Using Signal in this way violates the Federal Records Act, which was enacted to ensure records about government activity are preserved. Records include “all recorded information, regardless of form or characteristics, made or received by a Federal agency … or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, polities, decisions, procedures, operations, or other activities of the United States Government.” The texts about the Houthi military operation could fall under either category.
GOP and Democratic lawmakers raised concerns with Signal’s “disappearing messages” feature, which allows users to have messages automatically deleted after a period of time or allows one user to delete a message present in everyone’s chat. The released Signal chat, for example, shows that Waltz set messages to be automatically deleted after four weeks. So voters can’t verify, for example, whether this is the first breach of potentially classified information—or just the first we know about.
As someone on the left, why should I care?
Signal’s best privacy features are also the worst nightmare for advocacy groups that want to make sure the government is complying with laws that promote government transparency, such as the Freedom of Information Act and the Federal Records Act. Because Signal doesn’t log when messages are sent or received, doesn’t store any messages (encrypted or unencrypted), and lets users delete messages stored on everyone’s devices, there’s no way to figure out what Hegseth and others using Signal are or are not preserving—even if Hegseth is sued or arrested over SignalGate.
As someone on the right, why should I care?
Breaches like this put our military in jeopardy. While Goldberg waited until after the strike to publish his article, he wasn’t necessarily required to. A different journalist might have published the classified information, putting lives at risk. Or worse, if the Houthis or another threat had gotten access to the Signal chat, they’d have gotten advance warning to deploy their air defenses—and American pilots flying the mission would have been in grave danger. Someone else might have just stayed in the chat as long as possible, to collect as many secrets as possible to sell to our enemies. Since no one made sure only authorized people were in the chat, someone could have fed classified information to foreign governments for months, or even years. Plus, this kind of mistake makes us look weak and incompetent to our allies and enemies.
If I’m in the center, why should I care?
Democratic and Republican senators raised concerns during Hegseth’s confirmation about his qualifications and fitness for the role. For many, this breach is proof of their concerns that Hegseth is not fit to be Secretary of Defense, to handle classified information, or to protect military personnel. The breach has also raised concerns across the political spectrum over whether officials are following proper protocols generally to protect sensitive information.
How do I know the information in here is reliable? If I want to learn more, where can I go?
For this article, we rely on primary sources where possible, including citing directly to the actual texts released, rather than to a summary of them. When we discuss an Executive Order, we include a citation to the order itself, not just an article about it. When we discuss Signal, we try to cite from its website directly. We cite articles from reputable news agencies that lean left, right, and center—not blogs or podcasts. If you’re skeptical about any of the information in this article, we highly recommend you take a look at the sources, and then take a look at the information those sources relied upon.
If I'm concerned and want to do something about this, what should I do?
There’s a lot you can do! Start by sharing this article with your friends and family who are trying to get up to speed on SignalGate, so that they can be informed, too.
Be sure to contact your federal representatives to let them know that you’re concerned and that you want a full investigation of this incident to ensure things like this cannot happen again. Let your reps know that you consider Hesgeth’s and others’ behavior unacceptable and expect them to face consequences.
Do you have your own perspective that you’d like to share? Volunteer with Mass 50501 using this link and you could write your own op-ed or article for this newsletter.
Are you not really a writer, but are looking for other ways to get involved? Check out upcoming events to see how you can get involved, or sign up as a volunteer to suggest additional events and ways to contribute!
Enjoyed this article? Get updates on the movement, volunteer opportunities, and more by clicking below.