Signal took the spotlight this week after a group chat, involving Defence Secretary Pete Hegseth, landed with a journalist by mistake. Donald Trump labelled the app defective.
The conversation, which spoke on plans for strikes, drew attention. Texts showed timings and targets. People questioned if the app’s security was at fault or if human error caused the breach.
Screenshots appeared online, exposing sensitive information. Trump declared Signal might be compromised, prompting questions. Some said the bigger mistake came from adding a journalist, rather than any flaw in the platform.
How Did Officials React?
Officials in Washington asked whether the chat contained classified content. Defence leaders insisted the texts were harmless, but a few lawmakers believed certain details should have been locked away from public eyes.
A Senate committee demanded an inquiry to see if any rules were broken. Judge James Boasberg then told the government to keep all messages, explaining that deleting them would violate record-preservation laws.
Outside groups filed motions to stop any removal of the chat. They insisted those communications deserved public review. White House officials played down the drama, insisting the data was minor and overblown.
Where Does Signal Stand Now?
Signal’s team says end-to-end encryption kept the content safe. They point out that no outside party can access chats without permission. The real slip involved adding unexpected participants, not an app malfunction.
Some technology fans say the fiasco points to user mistakes instead of software faults. They warn that group administrators must double check who they invite. One wrong tap can lead to massive disclosure.
Some stand by Signal, praising its privacy record. They assert that encryption succeeded in guarding data, since no outside hacker broke in. The confusion came from an accidental invite, not a system weakness.
7 Ways Your Encrypted Messaging App Isn’t Protecting Your Privacy + How to Choose a ‘Truly’ Secure Messenger App, according to Kee Jefferys, Co-founder of Session:
“In today’s digital age, instant messaging has become an integral part of our lives. We rely on these platforms for everything from casual chats to mission-critical communications. While many popular messaging apps boast “end-to-end encryption,” the reality is that they often fail to provide true privacy. The issue lies not just in the content of your messages, but in the vast amount of metadata these platforms collect.
“In an era of mass surveillance, data breaches, and digital tracking, privacy-conscious users have turned to encrypted messaging apps to secure their conversations. However, while many platforms market themselves as private and secure, the reality is that they often fall short of providing true anonymity. Even the most well-known apps—like WhatsApp and Telegram —still leave users exposed in ways they may not realise.
Here’s why your encrypted messaging app might not be as private as you think:
1. Metadata Collection: The Silent Tracker
Even with end-to-end encryption, apps like WhatsApp and Telegram collect metadata, including your IP address, phone number, timestamps, and who you’re communicating with. This data can be just as revealing as the message content itself, allowing governments, corporations, and hackers to track your activities.
End-to-end encryption protects message content, but it does nothing to stop metadata collection, which can include information like:
- Who you are messaging
- When you send and receive messages
- Your IP address, location and phone number
- The device you use
Even if a service cannot read your messages, it can still compile detailed behavioural profiles based on metadata alone. Governments, corporations, and malicious actors can analyse this data to track movements, map social networks, and infer behaviours.
2. Personal Identifier Requirements Compromise Anonymity
Apps like WhatsApp, Telegram and Signal require a phone number for registration. This links your online identity to your real-world identity, compromising your anonymity. For journalists, activists, or individuals in sensitive situations, this can be a serious risk.
3. Centralised Servers Are Vulnerable to Surveillance and Attacks
Many popular messaging apps rely on centralised servers, creating a single point of failure. These servers are vulnerable to government requests, data breaches, and corporate misuse, putting your data at risk. Centralised servers pose risks for significant exposures, including:
Hacks and Data Breaches: If a centralised server is compromised, vast amounts of user data can be exposed.
Single Point of Failure: A centralised infrastructure makes it easier for despotic governments or hackers to shut down or intercept communications.
Government Requests: Authorities can compel these companies to provide user data or enforce censorship.
More from News
- Searches For Golden Visas In Türkiye Spike 46% After Political Unrest
- Global Artificial Intelligence And Cloud Computing Tech Consultancy Launches In The UK
- Does Yahoo Want To Purchase Google Chrome?
- Sorair Technologies Partners with Argenbright Security Europe Limited (ASEL) To Release Collaborative Security And Surveillance Solutions
- Why Is EU Fining Tech Giants, Apple And Meta?
- Tougher Rules Target Fake Reviews and Sneaky Fees Under New UK Consumer Law
- UK Small Businesses Can Now Win £300K Worth Of Free Advertising On Channel 4
- Experts Share: How Important Is YouTube To Businesses, And Why?
4. Compromised Anonymity: Not All Encryption Is Equal
While some apps advertise end-to-end encryption, they may not be using it by default in all scenarios. For example:
Telegram does not use end-to-end encryption by default, users must specifically use “Secret Chats” to enable end-to-end encryption. This allows the Telegram server operators to read the content of the vast majority of messages stored on its servers.
Some apps use proprietary encryption methods that have not been independently audited.
Some platforms allow unencrypted backups, meaning your messages can be accessed if a backup is compromised.
5. Tracking Pixels and Link Previews Leak Data
Some apps generate link previews by fetching URLs in the background. This can expose your IP address to third parties or even result in unwanted metadata leaks. Tracking pixels embedded in messages can also report when, where, and by whom a message was viewed.
6. Logging and Data Retention Policies
Even if messages are encrypted, some services keep logs of:
- Login activity
- Connection times
- IP addresses
- Contacts lists
If this data is stored, it can be subpoenaed, hacked, or otherwise exploited.
7. Lack of Transparency
While some apps use robust encryption protocols, their closed-source nature limits transparency. Without public scrutiny and independent audits, it’s difficult to verify their security claims.
How to Choose A Truly Private Messenger
If you’re serious about privacy, you need a messaging app that prioritises security beyond just encryption. Here’s what to look for:
No Phone Number or Email Required: Your messaging app should not require personally identifiable information like a phone number or email address to register. Instead, look for apps that generate anonymous cryptographically secure identifiers, fully protecting your anonymity.
Decentralised Infrastructure: Choose a platform that operates on a decentralised network rather than centralised servers. This reduces the risk of surveillance, censorship, and single points of failure. Optimal solutions use community-operated nodes to route and store messages. This eliminates single points of failure and enhances censorship resistance.
Metadata Minimisation: A truly private messenger should collect and create as little metadata as possible—or none at all. Look for a “no logs” policy and open-source transparency. Ensure that even the developers of the app don’t know who you’re communicating with.
Open-Source and Audited Encryption: Only trust messaging apps with publicly available, open-source encryption protocols that have been independently audited. Open-source code allows for public scrutiny and independent audits, which ensures transparency and builds trust.
Onion Routing or Multi-Hop Encryption: For enhanced privacy, apps should use onion routing or multi-hop routing to obscure sender and receiver identities. This technology masks your IP address and location, adding an extra layer of privacy making it extremely difficult to track you.
Non-Profit Governance: Give precedence to apps run by non-profits and foundations, which can ensure that the app’s development is driven by privacy and security, rather than extracting value from users’ data.
If you value real privacy, don’t just settle for encryption—demand anonymity, decentralisation, and complete metadata resistance. By eliminating the creation and collection of metadata, users can send messages—not metadata. In a digital landscape where privacy is constantly under attack, choosing a truly secure messaging app is more critical today than ever before.
Experts Comment On What Happened To Signal?
Denis Erturan, Paid Media & Insights Lead, Seen CONNECTS
“Most of the coverage is harping on the ‘oops wrong group chat’ angle / weighing up if Signal’s encryption holds up (and it actually does, technically). But nobody’s talking about is how the current fiasco hints at Signal’s role as a prop in the domain of digital security.
“Think about it: these officials didn’t use a bespoke, government-grade system (Pentagon rules famously discourages apps like Signal for sensitive stuff, obviously). Yet they used it anyway. Why? Because Signal’s brand screams ‘unhackable’ to the non-tech-types, and its disappearing messages feel like a spy movie schtick, even if the real risk (human error / device compromise) isn’t hampered by either.
“Every time a story like this hits the newsfeed, Signal gets a PR boost, and not as a failure… as the app ‘important’ people use. The breach didn’t tank the apps credibility, it amplified it. Opinions are split – some call it a wake-up call to ditch consumer apps for serious ops, while others double down, arguing it proves Signal’s tech isn’t the weak link, people are. Either way, Signal wins the attention game.
“It’s just ironic how the camp that was sending for the Clinton campaign’s use of emails as ‘not secure’ got caught for something probably less secure than the emails.”
Jeff Le, Managing Principal, 100 Mile Strategies
“Appropriateness and Security: I can’t imagine how much more vulnerable personal phone messaging would be for operational security. Every employee with a security clearance in the U.S. Government understands there are processes and procedures in handling this information. Every one received a training and regular updates.
“Is it appropriate to send emojis and trash allies for everyday constituents? Ok sure. But the national security team at the highest levels of government? The protocols and decorum alone, absolutely not. Also disappearing messages are not simpatico with Public Records requirements for the National Archives.
“But the security decisions where China, Russia, Iran, North Korea and other adversaries have geofencing surveillance outside of classified areas seems wholly a violation of security. Any of these players could have alerted the various targets and risked American interests and lives, undermining the mission.
“Risk Associated – Corporate and Government Environments: In the age of powerful AI-powered offensive tools, operational security is under even more threat. With more vulnerable cybersecurity, the assumption should be that everything is a security weakness and that everything is being read. There is a reason why work phones and personal phones are separate. There is a reason why government phones do not have certain applications, such as TikTok, etc.
“While Signal has some modicum of rigor, the powers of our adversaries of massive countries surely outmatch any one app. And with the recent Volt and Salt Typhoon hacks from the Chinese across global critical infrastructure and the U.S. telecommunications system, deemed the worst hack in the country’s history, any communication by phone is an issue. Especially when they had already been spying via phone on VP Vance and others in the Administration from the campaign and beyond.
“From a corporate perspective, there are similar threats, but especially as it relates to gaining privileged credential access and intellectual property theft, a regular occurrence in this current environment. This could also lead to potential blackmail or leverage from state-sponsored actors, especially in areas of vulnerability such as healthcare with massive tech debt. A growing concern from these attack vectors are in the third-party risk space, where vendors, contractors, partners, and subcontractors are the entry way into broader enterprises, as seen from Change Healthcare, Halliburton, Colonial, and Uber.
“Despite the level of operational security vulnerabilities, at present I do not see the [U.S] President making a change to his national security team.”
