"We are currently clean on OPSEC": Why JD Can't Encrypt
2026-04-21 • Cryptography and Security
Cryptography and Security • Computers and Society • Human-Computer Interaction
AI summary
The authors study the 2025 Signalgate leak where sensitive US military messages were leaked despite being encrypted using Signal. They show through formal modeling that the leak was likely because using encryption alone doesn’t stop information from being shared insecurely, especially when power dynamics cause people to share too much. The authors emphasize that encryption tools alone don’t guarantee true message security if users are influenced by social and political factors. They also warn that relying on cryptography without considering human behavior can lead to serious problems. Overall, they conclude that everyday users still cannot achieve full message privacy just by using encrypted apps.
encryption, Signal, pi-calculus, information security, operational security, power imbalance, cryptographic tools, message leak, socio-technical, geopolitical harm
Authors
Maurice Chiodo, Toni Erskine, Dennis Müller, James G. Wright
Abstract
We analyse the 2025 Signalgate leak of sensitive US military information by the Trump administration, addressing why confidentiality was violated (messages leaked to the press) in spite of encryption (Signal), to deepen the socio-technical considerations when designing and deploying encryption. First, we use applied pi-calculus to formally model the boutique secure facility setup requested by the US Defence Secretary, to prove that a leak would not be prevented. We then examine how using a secure channel might still not give overall information security, as, in this case, power imbalances between personnel and officials led to the application of cryptography that compromised their operational security. We look at how cryptographic tools may have instilled a false sense of security, and led officials to "overshare". We then apply this analysis to the Trump administration's general desire to burn through political, legal, and now technical process, and demonstrate geopolitical harms that may arise from such ineffective use of cryptography in a brief use case. We conclude that, even with advancements in usability of cryptographic tools, genuine message security is still out of reach of the "average user".