About that Signal Chat
Justin Hendrix / Mar 27, 2025
Audio of this conversation is available via your favorite podcast service.
Every now and again, a story that has a significant technology element really breaks through and drives the news cycle. This week, the Trump administration is reeling after The Atlantic magazine's Jeffrey Goldberg revealed that he was on the receiving end of Yemen strike plans in a Signal group chat between US Secretary of Defense Pete Hegseth and other top US national security officials. User behavior, a common failure point, appears to be to blame in this scenario. But what are the broader contours and questions that emerge from this scandal? To learn more, I spoke to:
- Ryan Goodman, the Anne and Joel Ehrenkranz Professor of Law at New York University School of Law and co-editor-in-chief of Just Security. He served as special counsel to the general counsel of the Department of Defense (2015-16).
- Cooper Quintin, a senior staff technologist at the Electronic Frontier Foundation (EFF). He has worked on projects including Privacy Badger, Canary Watch, and analysis of state-sponsored malware campaigns such as Dark Caracal.
What follows is a lightly edited transcript of the discussion.

Secretary of Defense Pete Hegseth and United Kingdom Secretary of State for Defense John Healey participate in a bilateral exchange at the Pentagon, Washington, DC, March 6, 2025. (DoD photo by US Navy Petty Officer 1st Class Alexander Kubitza)
Justin Hendrix:
Good morning. I'm Justin Hendrix, editor of Tech Policy Press, a non-profit media venture intended to provoke new ideas, debate, and discussion at the intersection of technology and democracy. Every now and again, a story with a technology element really breaks through and drives the news cycle.
Media Montage Clip 1:
The Atlantic reporter mistakenly added to a text chain with top security officials just released the messages that have started a massive national security controversy. Jeffrey Goldberg says he was accidentally added to that chat, which he says included sensitive details about US military strikes in Yemen.
Media Montage Clip 2:
The Atlantic reports [US Defense Secretary] Hegseth notified the group of a planned timeline for flights of F18 fighter jets, MQ-9 Reaper drones, and Tomahawk cruise missiles that were launched for the mission. The White House today says those are not war plans, claiming the entire story is a hoax.
Media Montage Clip 3:
These are shockingly detailed descriptions of the bombs that are about to fall in Yemen, and Jeffrey Goldberg is getting these details many minutes before the bombs fall. If this is not classified information, I would like the president to tell us what would count as classified information.
Justin Hendrix:
This week, the Trump administration is reeling after The Atlantic magazine's Jeffrey Goldberg revealed that he was on the receiving end of Yemen strike plans in a Signal group chat between US Secretary of Defense, Pete Hegseth, and other top US National Security officials. User behavior, a common failure point, appears to be to blame in this scenario. Inviting the wrong person into an encrypted chat group obviously compromises the security of that group. That hasn't stopped folks like Mike Waltz, the National Security Advisor, from appealing to a certain special government employee.
Mike Waltz on Fox News:
We're going to get to the bottom of it. I just talked to Elon on the way here. We've got the best technical minds looking at how this happened.
Justin Hendrix:
To discuss Signalgate, as some are calling it on social media, I invited two individuals I've had the pleasure of collaborating with to share their expert considerations.
Ryan Goodman:
I'm Ryan Goodman. I'm a professor of law at NYU School of Law and co-editor-in-chief of Just Security.
Cooper Quintin:
I am Cooper Quintin. I am a senior staff technologist at the Electronic Frontier Foundation.
Justin Hendrix:
I'm pleased to have the two of you here today. I've collaborated with both of you in different ways in the past, with Ryan on various projects at Just Security, where I am privileged to be on the editorial board. And Cooper Quintin, we've worked together, of course, on a report around encrypted and secure messaging applications in 2023. And we'll talk a little bit about that as we get into today. But everybody's talking about it, it seems, everyone in the political classes talking about Signal, encryption, secure messaging, or lack thereof. It's been, what, 48 hours now? A little bit more than 48 hours of Signalgate since the news broke in The Atlantic of this chat conversation between various top Trump administration officials. Ryan, where are we at on this at the moment? There are already lawsuits, there are already recriminations, calls for resignations. Where would you situate this particular scandal in its arc?
Ryan Goodman:
So I think this scandal just got another boost today in the sense that one of the major political issues is the content of the Signal chat conversations. So in the first 12, 24 hours, the administration was denying that this included classified information or war plans. And so The Atlantic turned around and then published all the text messages that did contain that information. So that's significant in the sense that it will hurt some of the initial supporters of the administration on this.
Democrats on the Hill have called for investigations, resignations and things like that. There's reporting from Axios and others that there's internal division in the administration of some trying to point the finger at Pete Hegseth because he's the one that shared the most highly classified information on the Signal group. And there are definitely Republicans on the Hill that are at a minimum saying that this was a mistake and the administration should own up to it. But they don't go as far as of yet to say that this has to be investigated or people need to resign. So that's the political side.
The legal side, we'll probably get into this, I did a bit of an analysis of what would be the criminal laws that would apply, were there an independent Justice Department looking into this. And there's a lawsuit from American Oversight on one of the aspects that I'm sure we'll get into, which is that there's a very likely violation of the Federal Records Act in the use, not just of this unsecure platform, but rather that they are disappearing messages is the equivalent of destroying federal documents.
Justin Hendrix:
I want to ask you one more question to situate us on this. Given your history of covering these types of things at Just Security, covering various other scandals around visual documents or national security secrets or that sort of thing, how would you characterize the level of the infraction here versus prior events? What are you comparing it to?
Ryan Goodman:
There is, in some ways, no comparison. I've never seen anything like this in my life, and so much so that I can give an example of a past criminal case that is not anywhere near the magnitude of this one in a certain sense of what happened. But in fact, a senior member of the administration at the time was going to be charged. John Deutch was the head of the CIA in the 1990s. It's discovered after he leaves office, when they're cleaning up his home office, that he's been using his personal computer device for classified information. The Justice Department, under Attorney General Janet Reno, basically declines to prosecute or indict. I think just sweeping it under the rug, there's an outcry on the Hill that does not match the way that other people are treated when they mishandle classified information, and she's pressured to appoint a special prosecutor. The special prosecutor recommends indictment under the very part of the Espionage Act that they would apply to the Signalgate that we're just experiencing now, which is gross negligence in the handling of national defense information.
So that's the recommended indictment of the head of the CIA, former head of the CIA. And they actually get from him a plea agreement. And the story ends with the following, which is it's a Friday, they don't get the signed plea agreement to the court on time. And the next day is Saturday, the last day of the Clinton administration. And on the last day of the Clinton administration, he surprises the Justice Department by pardoning Mr. Deutch. But it shows you how far it got. And so I think that's to me the greatest equivalent. And it really is the legal frame that's most relevant under the criminal law, which is the gross negligence in the mishandling of national defense information. And I keep saying the word national defense information. It does not matter whether or not it was classified. So that's a red herring. We can get into that, in all likelihood this information was classified, but that shows you where we're at.
Justin Hendrix:
Cooper, I want to bring you in here as someone who has trained people on secure messaging, who has thought a lot about encryption, both from a design perspective, but also from an engineering perspective. You're seeing lots of headlines go past about Signal. You're seeing memos about Signal vulnerabilities, apparently sent at the Pentagon, which I know Signal has attempted to correct the record on. I don't know, what were your first thoughts when you saw this situation start to unfold?
Cooper Quintin:
I mean, my first thought is that it's just funny in one sense and it's horrifying in another sense, right? It's horrifying because war is always horrifying, but it's hilarious how bad these... Signal can't save you from your own screw-ups, right? There's nothing that any secure messenger can do to save you from adding a reporter to your group chat and not vetting the members of your group chat, right? That's just not a problem that technology can solve.
And actually, I want to roll us back a little bit, Ryan, you used a term of art that was that this was not a secure platform. And I know that there's a specific meaning behind that, but I don't want to leave listeners confused. Signal is a very secure platform. It is a secure platform for encryption, however, it's not a platform that should be used for sharing classified info. Can you just unpack what you meant a little bit there, Ryan, by secure platform?
Ryan Goodman:
Sure. I think the same term might mean different things in our different sectors. So inside the US government, if you say you're on an unsecure line or you're on an unsecure platform, you basically are saying, we're not in a classified system, we're not in secret, we're not top level. We're using a commercial app on its own terms. So, I understand that from your perspective in your sector, it is a form of secure messaging, but the same word is used differently.
Cooper Quintin:
Classified documents should be shared on servers that are meant to handle classified documents or within a SCIF, right? A sensitive compartmented information facility, not on private sector chat apps, even if those apps are secure in the cybersecurity sense.
Ryan Goodman:
100%.
Cooper Quintin:
But yeah, I think the overall, my biggest takeaway here is that Signal is a fantastic application. They've really done amazing things with cryptography. They've really done an amazing job of making it easy to use and having as few ways to shoot yourself in the foot as possible. But nobody can stop you from adding people that you shouldn't have added to your group chat if that's what you do. It's up to you to verify that the members of your group chat aren't working for The Atlantic. And I think that nobody should take away from this that Signal is insecure. What you should take away from this, if you work in government, is that you should continue to use the appropriate networks and facilities for sharing classified information. Although personally, I have no problem with this if government workers want to keep adding journalists to their group chats, that's fine by me.
Justin Hendrix:
Cooper, let me just ask you one more set of questions, just maybe to dig a bit deeper. Signal, as you say, is end-to-end encrypted. So, from end point to end point, you can be sure that no one's looking at that message. There are other ways that people can get access to information on encrypted messaging apps that occur at those endpoints. What are the types of concerns you would have about individuals like the Secretary of Defense or the National Security Advisor communicating in this way over presumably mobile phone devices? What other types of security concerns might that create?
Cooper Quintin:
Yeah, so the main thing that people need to understand about Signal is that messages are encrypted from my phone to your phone in such a way that Signal can't read them as they go through their servers. The government could not read them off of Signal servers even with a warrant, even if they really wanted to. But if somebody has access to your phone, they can read those messages the same way you can by looking at them with their eyeballs because the messages have to be decrypted for you to read.
Now, there are a lot of ways that you can get access to somebody's phone. You can look over their shoulder while they're reading their messages, right? You can find out their password and unlock their phone, right? You can use forensic tools that police have like a Cellebrite or a break-in device to unlock phones, and then you can read the messages that way. You can also use malware. Installing malware on somebody's phone is a way that governments often gain access to people's private encrypted communications. Things like Pegasus malware or the recently written about malware from Paragon Solutions that was going after WhatsApp messages, which was also end-to-end encrypted.
A concern about national security folks using these devices for the communications is that it makes it much more likely that their devices will get targeted by malware. And there's a lot of countries that have espionage capabilities that have the capability to target people's phones that would be very interested in knowing what Pete Hegseth is talking about, or what other high-level cabinet officials are talking about. So that makes for a very juicy intelligence target for foreign intelligence, and I think it's safe to assume that's something that many countries are now going to be going after.
Justin Hendrix:
Ryan, this is another topic that Just Security covers all the time. Seems like the conversation really around spyware has just exploded just in these last few months. I was just at RightsCon in Taipei, there was a whole track essentially of conversations about spyware, including Just Security contributors who presented there. Is this a dimension we're seeing play out right now in the conversation around this particular scandal, or just the potential technical dimensions of the compromise of secrets here?
Ryan Goodman:
So not yet in the sense that I think the conversation both on the Hill and then in media has been unsophisticated, very superficial. They're just almost getting their heads around could somebody have added Jeffrey Goldberg, the journalist, without them having Mike Waltz's device? So that's the level we're at. And then the other one that we're at, which is interesting because it's starting to get deeper and deeper there, and it's a little bit about what Cooper is just saying, that it is the case that some government employees are authorized to use Signal.
And the CIA director Ratcliffe said that yesterday in the Senate hearing... And then it just came up this morning in the House hearing that the head of NSA, General Haugh said he encourages the use of Signal among his employees and their families. And this is interesting in the sense that I think one of the initial, Cooper maybe correct me if I'm wrong, but I think one of the initial misimpressions that was given is that people saying, "Hey, look at this. The Pentagon last week and the NSA last month warned their people about use of Signal because of its vulnerabilities." And the answer is it's a little bit more complicated. They actually are warning them because they know that they are using Signal, and it's just saying, know that it's vulnerable.
And then the one question that they're not asking, this is the follow-up question, nobody on the Hill has asked it yet as far as I know, I haven't tracked every moment of the hearing this morning, but what are they using it for? So Cooper, would you think that it's okay that the NSA tells their employees and their families to use Signal because it is better than iMessaging or whatever, regular messaging, if they're going to talk about where they're traveling to and their next vacation spot and things like that and that's proper and appropriate and it's actually better to be on Signal for them? But just lo and behold never obviously classified information. Does it create the vulnerability that you're describing as well, which is that maybe some adversaries would say, "Hey, those folks are using Signal. That makes me think that they are more available target?"
Cooper Quintin:
For non-government work, for things that are not subject to FOIA, for things that are not classified information, yeah, government employees should absolutely be using Signal. It is far better than the alternatives. Far better than sending unencrypted chats. If you're sending unencrypted messages to your family, China is already going to have those because of the hacks that they did into all of the major telcos, right? The Salt Typhoon hacks. So yes, absolutely, I think it's great that government employees are using Signal. I actually think it's great that the NSA and other agencies are encouraging them to use Signal for their communications with their families and stuff. And I think that everybody should be doing this.
I think that vulnerabilities are actually a bit overblown. I wouldn't call these vulnerabilities as a term of art in my space. Vulnerability, these don't rise to the level of vulnerabilities. There are precautions you can take to make your Signal account more secure from takeover. Yeah, there's an issue where some Russian actors are phishing, trying to phish people's access to people's Signal accounts basically through a QR code. And this is something that Signal has addressed, and this was something that started in the war in Ukraine, but I think calling it a vulnerability is a bit overblown. But there are some settings.
What I saw was the NSA advising people to check these, a few specific settings to make that sort of phishing much harder. But again, that's a phishing attack, right? That relies on phishing attacks. I think that phishing attacks don't necessarily... You can't say, because I phished your account on Gmail, Gmail is insecure, right? It's that you fell for the phishing attack, not that Google is inherently insecure. But yeah, overall I think I have no problem with government workers using Signal, not for work. If you're using it for work, then that's where it becomes a problem for me with regard to government transparency and things like that.
Justin Hendrix:
So Cooper, I haven't been through all of the messages that have been published today at The Atlantic in terms of the types of material that's being shared. What I have seen... I haven't yet seen any instances, for instance, where folks are sharing URLs. But one thing I wanted to ask you about in particular is whether in the case of sharing URLs that that potentially opens up a vulnerability, or maybe I should say not a vulnerability, but a potential vector like phishing or other mechanisms that might create a complication for people in the situation that these individuals are certainly in, where foreign intelligence agencies are almost certainly attempting to follow their communications.
Cooper Quintin:
Yeah, there is one issue that we pointed out in our report with link previews on Signal, which is where when you send a link, it displays a graphical preview of that link and the issue there... So I recommend that people turn those off if they're concerned about security because the issue there is that those link previews are fetched by Signal when you send them, right? So they're fetched by your Signal client when you send them and generated on your Signal client, and they reveal to the person who controls the link that you are using Signal, right? Your IP address and the fact that you're using Signal. And then if that link is unique, if it has a tracking ID at the end of it, question mark, share ID, equals blah blah, blah. Like you see on Instagram messages.
When other people click that link, they are then associated with you. And it could be known by the person controlling that link that you shared that link on Signal and who you share that link with. And so you could use that to identify who your network on Signal is and possibly identify specific groups or things like that. Again, this is not a vulnerability, but this is a... That's the term of [inaudible 00:19:48], right? And Signal is still by far the most, in my opinion, the most secure messenger of its class. The takeaway here is that there are steps people can take to increase the offset within Signal. From big things like not adding reporters to your Signal chat to small things like turning off link previews and setting a PIN in Signal so that somebody can't transfer your account over to a new phone without your knowledge.
I think that there are a number of things you could do to make your Signal experience even more secure. Overall, I don't want to scare people away from Signal. It's still, I think by far the best option. I realized that I hadn't answered what I think was a really good question from Ryan is that, does installing Signal on your phone make you more of a target for hacking? I don't think that's the case at all. If you are somebody who is important in national security, you make a good target for hacking regardless of whether you're using Signal or SMS messages. I don't think that it makes it more likely that your phone is going to get targeted because you're using a specific app. What makes it more likely to get targeted is who you are and what you do in the world.
Justin Hendrix:
Ryan, I'm just going to ask you a last question about the contents of the communications. From what I've seen so far, I think there's ultimately an extremely dystopian aesthetic to these messages, seeing US officials celebrate the murder of individuals from the sky with emojis and fire symbols and things of that nature. I don't know, is there anything in that that you would care to comment on, just the nature of the communications, what it reveals about the way we're doing business?
Ryan Goodman:
So, just in answering the question, coming from another hat that I wear as a matter of law, I'm not sure I'd sign onto the word murder if we're in an armed conflict with the Houthis and the like, but everything else that you said, yeah, there's something very distasteful and unusual and we've all gotten a deep insight into it. And I know from a colleague who works with people on the ground in Yemen that they're reading these text messages in a different way that I think maybe some Americans are like, "Good God, is this how you consider our lives?" Because there's also a potential for civilian casualties, all sorts of things like that.
And on the Hill today, I thought it was a poignant remark that one of the members on the Hill with military experience and background said there's just also a lack of sobriety in these text messages. I don't know if they were trying to do a little hit on Hegseth that way, but the idea that they're sharing emojis and the like, and there's certainly this weird-ass—that's what I was going to say. I shouldn't pause—backslapping. And it does also give you this feel of new people to the administration, and there they are with immense power to take people's lives. And it seems like there's an element to which there's an elixir to that rather than the opposite approach, which is to understand the sober nature and the gravity of those kinds of decisions and what's being done. So yeah, I thought that was another aspect of this that we should not lose sight of because there were other dimensions to the scandal that are also important, but this is one, too.
Justin Hendrix:
And perhaps that goes too far using that word. But I will say there is one instance at least, where a single individual is apparently being targeted. And it's noted that he was targeted when walking into his girlfriend's building and the entire building was flattened. So hard to know exactly what the scenario was there.
Ryan Goodman:
Good point.
Justin Hendrix:
It seems like an extraordinary amount of force. And, of course, there's a likelihood of innocent bystanders, civilians being targeted along the way. Last thought as we close: what will the two of you be looking for the next couple of days on this? Cooper, is there any technical dimension to this that you're looking for more information on? Or Ryan, what are you watching on the legal side? Cooper, you first.
Cooper Quintin:
What I'm hoping doesn't happen is that I'm hoping that people don't look at this and go, obviously, I shouldn't use Signal and move to less secure alternatives. Like, God forbid, Telegram. Signal is definitely still the best option for most people for secure messaging. And it is very secure, right? And I wish people would stop using the term vulnerabilities for the issues that have been raised because these are things you can do to improve your security even more within Signal, but they're not vulnerabilities.
So the main thing that I'll be looking for is people wrongly yelling about Signal is compromised or Signal is vulnerable because it lets you add journalists to your classified group chats. And that's not the takeaway here. I think the takeaway should be that Signal is so good that even high ranking members of government are tempted to use it for classified conversations, which they of course shouldn't be doing. And I think that should be the focus here, is that this is an inappropriate use of Signal by the government, not that Signal... I don't think that Signal should really even be the focus of the conversation here, right? The focus should be that this is not how classified conversations are supposed to happen.
Ryan Goodman:
And I guess I'd just say briefly that I'm thinking about any form of accountability in somebody having to resign, and maybe Pete Hegseth will be scapegoated in a certain sense because he's most responsible, it seems for sharing the most highly classified information that's now for everybody in the world to see. And is there enough pressure in the administration? Also, just there are so many institutional effects of this kind of breach that I think is super damaging to US national security, which is how do you then continue to educate the workforce to respect highly classified information and secure systems and things like that when they see their higher-ups doing this kind of thing and getting away with it? So I think that's another reason why there needs to be some kind of real reckoning. And I imagine that's in the heart of hearts of many members of Congress, but whether or not they can break out of their tribes to do something for the country on this. That's what I'm looking for.
Cooper Quintin:
As a last thing, I started out by saying that this is incredibly funny, and it is in some sense, right? But we should also not lose sight of the fact, as you said, Justin, that this is actually... There are people dying in Yemen because of this, and this is the latest strike in sort of a US proxy war that's been going on there since the last decade, where tens of thousands of people have died, millions of people have been brought to the brink of starvation. And like you said, even in this strike, they brought down an entire apartment complex. It's almost certain that there are civilian casualties involved in that, and we shouldn't lose sight of that, that this is something that... We can sit about and read here in America, but it means actual bombs dropping on people in Yemen.
Justin Hendrix:
Ryan, Cooper, thank you very much.
Cooper Quintin:
Thank you for having us on.
Ryan Goodman:
Thank you.
