Human error is often at the heart of a cybersecurity catastrophe. That’s why, in our private messaging app reviews, we note that secure messaging services are only as safe as those using them. For example, you shouldn’t use a free, open-source messaging app to discuss war plans. Even if that app is an Editors’ Choice winner for the best end-to-end-encrypted (E2EE) messaging, like Signal.
An app is only as secure as the person who is using it. A recent example of this occurred earlier this week, when The Atlantic’s editor-in-chief, Jeffrey Goldberg, reported that a Trump administration official invited him to a group chat on Signal. The chat group’s membership included several high-ranking US government officials, including Vice President JD Vance, Secretary of State Marco Rubio, and Secretary of Defense Pete Hesgeth. The topic of conversation? The then-upcoming airstrikes in Yemen.
Adding a journalist from a highly influential publication to your secret chat group is a mistake, but the biggest security risk comes from using a communication platform incorrectly.
Don’t Shoot the (Private) Messenger
Let’s get this out of the way. In the above example, Signal was not the problem. The security team here at PCMag has been testing private messaging services for more than a decade, and Signal is one of the best we’ve tried because it combines an intuitive, easy-to-navigate interface with the protection that comes from end-to-end encryption (E2EE).
E2EE means no one can read your messages except the person they’re sent to, including the company running the chat app. An E2EE messaging app will protect your messages as they leave your device and go to someone else’s.
Signal also has a good security pedigree. It’s run by a non-profit organization registered in the US, which is great because it has little to no incentive to sell or share your data with third parties. Profit-driven corporations use your data to serve targeted ads or sell your information to another company.
Signal is open-source, and researchers have evaluated the code. Meta trusts the Signal Protocol enough to use it for WhatsApp, and even the FBI admits that it’s hard to get info about Signal users.
Early attempts on social media to blame the secure messaging app were refuted by Signal’s president, Meredith Whittaker:
(Credit: Bluesky/PCMag)
She’s referring to the repeated phishing campaigns Google’s Threat Intelligence Group (GTIG) reported in February. In the report, GTIG believes Russia-aligned attackers are behind the attacks.
The phishing attempts do not signal that the app is inherently insecure. Instead, they show that the app has been identified as a place where many high-value targets like activists, journalists, military officials, and politicians congregate. In other words, Signal has been a big target for a while because it’s a secure, trusted option many people use. That alone is a good reason for any US official to avoid discussing matters of state on the app.
Stay Under the Radar
It’s not safe to discuss anything truly sensitive on the clear web because you don’t know who is monitoring the communication or how sophisticated their surveillance tech is. I mentioned this when discussing how to lock down your phone for a protest, but it’s advisable to leave your internet-connected devices at home when discussing something that may draw ire from the government or anyone else. That’s because if you communicate online, you risk being monitored.
Whether it’s your ISP monitoring your home network traffic, your company checking on your devices, or spyware running silently in the background on your device, no online communication is totally private. If someone really wants to listen to or read your conversations, governments, hackers, or organized criminals all have the means to do so. That doesn’t mean your personal security isn’t important. It just means they have more resources to get your data than you do to protect it.
Know When to Use the Right App
The average person’s threat level is likely fairly low, and there aren’t many reasons for foreign adversaries to monitor your calls or chat messages. A secure messaging app is helpful for combatting scams and spam messages since the people on these platforms have been verified via a phone number or another form of identification.
Get Our Best Stories!
Like What You’re Reading?
By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
Why Signal is the messaging app everyone is talking about
That said, if you are a high-ranking government official, you should assume that your devices and your home network are being monitored by someone at all times and act accordingly. It’s not normal for US government officials to use a chat app to plan a military operation. Typically, classified or sensitive government information would be discussed via SIPRNet, the government’s own version of the internet, or in person.
(Credit: Signal/PCMag)
Signal makes it easy to hide extra information about yourself on the app. First, you can get around the phone number requirement using a private phone number, like those provided by Google Voice.
It’s a good idea to create a username for identification on the platform and then visit the Settings menu to change “Who can find me by my number” and “Who can see my number” to “Nobody.”
Recommended by Our Editors
The best part of any secure messaging app is the option to make conversations disappear. This means your messages are deleted automatically for every chat participant.
Signal is secure enough for most people, but it still has room for improvement. Though the app’s group chats are encrypted, messages to group chats containing people not using Signal will be delivered via SMS, which is not a secure option. Also, you don’t get an alert or notification if someone takes a screenshot of your group chat. Be mindful of what you share on the platform and with whom.
No Signal? No Problem
If you’re an activist, journalist, or anyone else who needs to chat about sensitive information, consider using Briar. It’s an Android-only chat app for private texting. Unlike the other apps I’ve mentioned here, Briar doesn’t use a central server to sync messages between people, so you don’t need to worry about your messages being intercepted in transit. Instead, Briar uses the Tor network for peer-to-peer communication. It’s a pretty stripped-down application with a few fun features that are best for brief texts rather than maintaining regular correspondence.
Like Signal, other well-known secure messaging apps like Telegram and WhatsApp offer ways to turn on Disappearing Messages. In most circumstances, this is enough protection for most people.
These platforms allow you to use video chat or voice chat, and the apps include social networking features that allow you to find new friends or broadcast to an audience. For example, late last year, Signal improved its group calling feature, making it easier to add people to groups. It’s a great feature and fairly easy to use, but you should stay alert and aware while using these apps.
What is end-to-end encryption, and what makes it so secure?
Don’t Be the Weakest Link
Check to make sure everyone in the group call or chat is someone you intentionally added to the group. If you see someone you don’t recognize or shouldn’t be there, all these apps have blocking and removal options, so use them.
For most people, Signal or other consumer-level secure messaging apps have more than enough security baked in. However, people in positions of power are not most people, so they should not use the same apps when discussing matters of national security. However, everyone should be extra cautious when disclosing sensitive information online. You never know who else is reading over your shoulder.
About Kim Key
Senior Security Analyst
