Commsrisk has written before about the privacy dangers when using group chats on messaging apps, but I can infer from the audience statistics that not enough people take these risks seriously. Attitudes may change now that messages about military operations by the Vice President and the Defense Secretary of the USA were inadvertently shared with a journalist who was invited to join their group chat on Signal.
Jeffrey Goldberg reports in The Atlantic:
The world found out shortly before 2 p.m. eastern time on March 15 that the United States was bombing Houthi targets across Yemen.
I, however, knew two hours before the first bombs exploded that the attack might be coming. The reason I knew this is that Pete Hegseth, the secretary of defense, had texted me the war plan at 11:44 a.m. The plan included precise information about weapons packages, targets, and timing.
Goldberg was added to a group chat by somebody with access to the Signal account belonging to Michael Waltz, who was appointed the national security advisor to President Donald Trump at the start of Trump’s second term. So the first takeaway is that somebody needs to train national security advisors that using unofficial messaging services to discuss military affairs is bad for national security. Signal has the merit of being securely encrypted end-to-end, which explains why it is popular with many journalists and politicians. Its users include politicians who keep complaining that every communications service needs a backdoor that allows their government to break the encryption (and hence makes it possible for other governments to break the encryption too). However, no amount of encryption can mitigate the risk of lousy controls over who is invited to participate in a group chat.
On Tuesday, March 11, I received a connection request on Signal from a user identified as Michael Waltz. Signal is an open-source encrypted messaging service popular with journalists and others who seek more privacy than other text-messaging services are capable of delivering. I assumed that the Michael Waltz in question was President Donald Trump’s national security adviser. I did not assume, however, that the request was from the actual Michael Waltz. I have met him in the past, and though I didn’t find it particularly strange that he might be reaching out to me, I did think it somewhat unusual, given the Trump administration’s contentious relationship with journalists — and Trump’s periodic fixation on me specifically.
Waltz sat in the House of Representatives until he began his new role in the Trump administration. This makes it easy to find examples of Waltz’s opinions on the use of encrypted messaging apps. For example, he complained in August 2024 that Trump’s would-be assassin had used encrypted messaging services run by businesses outside of the USA, making them “harder for [US] law enforcement to get into”.
Goldberg had no idea he would soon be learning how the US military intended to attack Houthis in Yemen in order to safeguard the ships that pass through the Suez Canal.
I accepted the connection request, hoping that this was the actual national security adviser, and that he wanted to chat about Ukraine, or Iran, or some other important matter.
Two days later — Thursday — at 4:28 p.m., I received a notice that I was to be included in a Signal chat group. It was called the “Houthi PC small group.”
Members of this chat group included Vice President J.D. Vance and Defense Secretary Pete Hegseth. The views they expressed in the chat were not limited to the attacks on the Houthis. Some of the discussion involved the cost of the military action to the USA and Europe’s perceived reliance on the USA to defend shipping lanes that are also vital for European trade. Vance accepted the need for military intervention but ‘hated’ the fact that the USA was ‘bailing Europe out again’.

Hegseth replied to Vance by describing European ‘free-loading’ as ‘pathetic’.

The chat then discussed the potential to force Europe to reimburse the cost of the military strike against the Houthis by ‘extracting’ an economic concession. Goldberg did not reveal his access to the chat until after the planned attack had occurred in case he was the victim of an elaborate hoax. He contacted Waltz and other members of the group when it became apparent that the chat was genuine. The authenticity of the chat was then confirmed by Brian Hughes, the spokesman for the National Security Council. Hughes stated they would review how Goldberg had inadvertently been added.
Goldberg’s subsequent article in The Atlantic has created news worldwide, but no scandal has been prompted by the content of the messages themselves. Trump, Vance and other leaders of the USA have already been plain and open in stating their opinions about how much Europe spends on defending itself. The story here is about the potential ramifications of allowing a journalist into a private conversation with people who determine the actions of the world’s most powerful military force. Using an unofficial channel to communicate messages like these may be a violation of US security laws. Whether this was legal or not, the risks associated with modern communications have been made obvious by this mistake.
But what do we really expect? Common flaws in human nature are not only apparent but they keep recurring throughout history because people do not learn from them. Last year Commsrisk published a story about confidential patient information being shared in Whatsapp chat groups by doctors and nurses working for the UK’s National Health Service. I expect thousands of NHS employees will have laughed when they learned this story about the stupidity of Trump’s advisors but far fewer will have changed their own Whatsapp behaviors as a consequence.
Most of us can tell a personal story about sending or receiving an email that was addressed to the wrong person. You can tell people to be careful, and you can tell yourself to be careful, but mistakes are inevitable. That is why it is good to have fundamental methods of securing communications that do not depend on people making the right choices. This includes end-to-end encryption of communication channels, irrespective of the hypocrisy of politicians who think backdoors will only be used when it is convenient for them. Some powerful people cannot be trusted to keep the front door closed, never mind the back door.
The final takeaway is that Europe has to pay for its own security. Europe will be made to pay, either one way or another. That is the attitude of the men and women who run the US government. They are right. Free-riding on somebody else’s commitment to security is a foolish policy. It may seem like a good way to save money in the short term, but the costs soar when the guarantees are withdrawn. The question for Europe is how it pays for security, and whether Europe will continue to buy it from the USA. That question is as pertinent to the security of communications channels as it is to shipping lanes.



