Most Americans hadn’t heard of the messaging app Signal before a recent fiasco involving Yemen war plans and an Atlantic reporter. It will be unfortunate if this creates a bad first impression.

I consider Signal the most secure commercial messaging app available. I encourage private sector clients who need a secure instant messaging platform to choose it. It’s designed and operated by top notch cybersecurity professionals who know what they’re doing, including its co-inventor, highly regarded cyber expert Matthew Rosenfeld (aka Moxie Marlinspike).

Signal’s end-to-end encryption protocol is the de facto gold standard. Rival messaging apps Facebook Messenger, Google Messages, Skype, and WhatsApp have all adopted Signal’s protocol. One key difference from its rivals, Signal publishes its code as free open source so that experts and amateurs alike can examine it. It has been formally audited many times.

Signal isn’t the problem here. Those federal officials should have used a secure government network like SIPR instead of the Internet. They should have used hardened mobile devices instead of consumer grade smartphones. They should have been inside a SCIF such as the White House Situation Room, or at least a security tent if no SCIF was readily available.

But their biggest mistake was adding an unauthorized Atlantic reporter to the group chat, then failing to recognize his presence even as the SecDef proclaimed “We are clean on OPSEC.”

It’s not Signal’s fault. No messaging app, no matter how secure, can protect its users from such boneheaded mistakes. 

Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.