In the U.S., controversy has arisen over a journalist who was able to read along in a group chat of the Trump administration. It is, by any measure, a textbook case of sloppiness and irresponsibility — one that jeopardized not just information, but potentially human lives. To pin the blame on the app they were using is, at best, an attempt to deflect from their own failings.

The editor-in-chief of The Atlantic magazine was accidentally added to a Signal group chat. In this group, the vice president, the secretaries of Defense and State, and other close Trump confidants were planning military actions in Yemen. In doing so, they leaked classified state information. Oops…

The hard truth about OPSEC

Anyone who now thinks—like the U.S. government suggests—that Signal is unsafe is mistaken. For most people, Signal remains one of the most secure options for private communication. It is so secure that it is widely used by journalists, activists, and people fearing for their physical safety. And apparently, the top of the U.S. political hierarchy also feels safe using it.

What this leak reveals is not the weakness of the app, but the difficulty of enforcing operational security — or OPSEC — consistently and effectively. OPSEC is the entire process by which organizations—such as the military, government, and corporations—protect sensitive information from being gathered by adversaries. It demands careful consideration of what information is sensitive, a realistic assessment of potential threats, an understanding of vulnerabilities, and implementing measures to prevent leaks.

Oops!

For most of us, OPSEC is fairly simple. We use Signal because we don't want our messages to end up in the hands of the government, our health insurance, or a stalker. If we accidentally text the wrong person — say, an ex instead of a partner — it’s embarrassing, but rarely catastrophic. The fault, in such cases, lies with the user, not the technology.

But for people with a different risk profile—such as government officials discussing state secrets—it’s a different story. A single misstep can have far-reaching, even deadly, consequences. That is why governments have specially designed communication systems for such information, disconnected from the internet and with high access barriers. Maybe less user-friendly, but much safer. Using Signal to plan a military operation is more than an “Oops!”—it is an operational blunder, an OPSEC failure. And once again: the blame lies with the user, not the app.

The weakest link

In short, Signal is a highly secure app if you want to protect the confidentiality of your communication. But depending on what exactly you are protecting and against whom, you need to adjust your usage. If you’re drunk, it’s best not to text. If you’re discussing state secrets, Signal is not the right place. No matter how sophisticated your encryption, how robust your cybersecurity strategy, the weakest link is — and will always be — human behavior. Whether the user is a vice president, a cabinet secretary, or a tech-savvy criminal.

This is, in part, why law enforcement and intelligence agencies are not as threatened by encrypted apps as some might believe. Human error, more often than not, opens the door. Consider the case of the mastermind behind Silk Road, the infamous online drug marketplace. Despite an elaborate system of encryption and anonymization, he was ultimately apprehended because, at some point, he carelessly left behind a traceable email address.

But then again, the fact that criminals also make mistakes with their operational security was something I had already demonstrated with the story I started with.