pith. sign in

arxiv: 2604.19711 · v1 · submitted 2026-04-21 · 💻 cs.CR · cs.CY· cs.HC

"We are currently clean on OPSEC": Why JD Can't Encrypt

Maurice Chiodo , Toni Erskine , Dennis M\"uller , James G. Wright This is my paper

Pith reviewed 2026-05-10 02:07 UTC · model grok-4.3

classification 💻 cs.CR cs.CYcs.HC
keywords encryption securityoperational securitysocio-technical analysisSignal messaginginformation leaksapplied pi-calculusfalse sense of securityUS military communications
0
0 comments X

The pith

Encryption apps like Signal fail to deliver genuine message security because socio-technical factors and false confidence lead users to overshare.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper analyzes the 2025 Signalgate incident where sensitive US military messages sent over Signal were leaked to the press. It first builds a formal model of the requested secure facility setup in applied pi-calculus and proves that this model cannot prevent leaks. The authors then show how power imbalances between officials and personnel caused the encrypted channel to be used in ways that violated operational security, with the tools themselves creating a false sense of safety that encouraged oversharing. They extend the case to broader patterns in the Trump administration's approach to processes and highlight resulting geopolitical risks. The central conclusion is that improvements in cryptographic usability have not made real message confidentiality reachable for typical users.

Core claim

Formal modeling in applied pi-calculus demonstrates that the boutique secure facility cannot prevent leaks under the stated conditions. Power imbalances between personnel and officials led to the application of cryptography in a manner that compromised operational security, while the presence of secure tools instilled a false sense of security that prompted officials to overshare sensitive information. This ineffective use of cryptography, combined with a general disregard for technical process, produced the observed leaks and potential geopolitical harms.

What carries the argument

The applied pi-calculus model of the US Defence Secretary's requested secure facility setup, which formally proves leaks cannot be prevented, together with the socio-technical analysis of how cryptography was deployed under power imbalances.

If this is right

  • No encryption setup alone can guarantee confidentiality when users operate under hierarchical pressures that encourage oversharing.
  • Cryptographic tools can reduce operational security by creating misplaced confidence in message protection.
  • Geopolitical harms arise when political actors bypass technical and legal processes while relying on encryption.
  • Usability improvements in messaging apps do not extend genuine message security to average users in high-stakes settings.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Security training focused on recognizing false confidence may be more effective than adding new cryptographic features.
  • Similar oversharing risks could appear in corporate or governmental use of encrypted apps when superiors pressure subordinates.
  • Designers of secure systems should model behavioral compliance and power dynamics alongside technical protocols.

Load-bearing premise

The real-world secure facility and user behaviors can be faithfully captured in an applied pi-calculus model that shows leaks are inevitable, with socio-technical factors as the dominant cause rather than unmodeled technical issues.

What would settle it

A detailed forensic report on the actual leak path that traces the disclosure to a technical flaw in Signal or the facility hardware rather than to human oversharing or policy violations under the modeled conditions.

read the original abstract

We analyse the 2025 Signalgate leak of sensitive US military information by the Trump administration, addressing why confidentiality was violated (messages leaked to the press) in spite of encryption (Signal), to deepen the socio-technical considerations when designing and deploying encryption. First, we use applied pi-calculus to formally model the boutique secure facility setup requested by the US Defence Secretary, to prove that a leak would not be prevented. We then examine how using a secure channel might still not give overall information security, as, in this case, power imbalances between personnel and officials led to the application of cryptography that compromised their operational security. We look at how cryptographic tools may have instilled a false sense of security, and led officials to "overshare". We then apply this analysis to the Trump administration's general desire to burn through political, legal, and now technical process, and demonstrate geopolitical harms that may arise from such ineffective use of cryptography in a brief use case. We conclude that, even with advancements in usability of cryptographic tools, genuine message security is still out of reach of the "average user".

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper analyzes the 2025 Signalgate leak of US military information via Signal, claiming that encryption failed to ensure confidentiality due to socio-technical factors. It uses applied pi-calculus to formally model the US Defence Secretary's boutique secure facility and prove that a leak would not be prevented, then examines how power imbalances, false senses of security from crypto tools, and oversharing compromised operational security. The analysis is extended to the Trump administration's approach to processes and a brief geopolitical use case, concluding that genuine message security remains out of reach for the average user despite usability advances in cryptographic tools.

Significance. If the claims hold, the work would highlight the gap between technical encryption and overall information security in high-stakes settings, emphasizing socio-technical considerations in crypto deployment. The integration of formal modeling with case-based socio-technical analysis could inform more robust secure communication designs for non-experts, though the single-incident basis limits broader applicability.

major comments (2)
  1. [Abstract and formal modeling section] Abstract and formal modeling description: The paper asserts that applied pi-calculus is used to model the boutique secure facility and prove a leak is not prevented. However, applied pi-calculus provides no primitives for the socio-technical factors (power imbalances, false security leading to oversharing, human operational decisions) that the paper identifies as the dominant cause of the actual leak. The formal result therefore only shows leakage is possible under purely technical assumptions and supplies no evidence that leaks cannot be prevented once those unmodeled factors are present. This gap is load-bearing for the generalization to the 'average user'.
  2. [Conclusion] Conclusion and generalization: The claim that 'genuine message security is still out of reach of the average user' is based on analysis of one incident without evident supporting data, baselines, or comparative cases. Because the pi-calculus model excludes the socio-technical causes attributed to the leak, the formal component does not substantiate the broader conclusion.
minor comments (2)
  1. [Abstract] The abstract asserts a formal proof but supplies no model details, verification steps, or error analysis, reducing clarity on the technical contribution.
  2. [Introduction] Notation and terminology around 'OPSEC' and 'boutique secure facility' could be defined more explicitly on first use to aid readers unfamiliar with the specific incident.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their constructive comments, which help clarify the boundaries of our formal and socio-technical analyses. We address each major point below and indicate where revisions will be made to improve precision without overstating the results.

read point-by-point responses

  1. Referee: [Abstract and formal modeling section] Abstract and formal modeling description: The paper asserts that applied pi-calculus is used to model the boutique secure facility and prove a leak is not prevented. However, applied pi-calculus provides no primitives for the socio-technical factors (power imbalances, false security leading to oversharing, human operational decisions) that the paper identifies as the dominant cause of the actual leak. The formal result therefore only shows leakage is possible under purely technical assumptions and supplies no evidence that leaks cannot be prevented once those unmodeled factors are present. This gap is load-bearing for the generalization to the 'average user'.

    Authors: The applied pi-calculus model is restricted to the technical communication setup and participant actions within the boutique facility (e.g., message transmission, encryption, and possible forwarding or extraction steps). It establishes that confidentiality is not guaranteed even under the modeled technical assumptions, as certain actions permitted by the protocol can result in leakage. The socio-technical factors are examined separately via the case study and are not claimed to be captured by the formal model. We agree that the abstract and modeling section should more explicitly state this separation to avoid implying the formal result addresses human or organizational elements. We will revise accordingly to clarify that the broader argument integrates the technical demonstration with the case analysis, rather than relying on the formal component alone for the generalization. revision: partial

  2. Referee: [Conclusion] Conclusion and generalization: The claim that 'genuine message security is still out of reach of the average user' is based on analysis of one incident without evident supporting data, baselines, or comparative cases. Because the pi-calculus model excludes the socio-technical causes attributed to the leak, the formal component does not substantiate the broader conclusion.

    Authors: The manuscript is structured as a case study of the Signalgate incident, using the formal model to isolate the technical limitations of encryption and the subsequent analysis to examine the socio-technical contributors in this specific context. We recognize that a single high-profile case does not constitute statistical evidence, baselines, or comparative data, and that the formal model does not incorporate the socio-technical elements. We will revise the conclusion to present the finding as an illustration of persistent challenges for non-expert users, supported by this incident, while explicitly noting the limitations of generalizing from one case and suggesting the need for further empirical work. revision: yes

Circularity Check

0 steps flagged

No circularity: independent formal model applied to setup, followed by separate socio-technical analysis

full rationale

The paper's chain begins with an applied pi-calculus model of the described secure facility, used to prove that leaks are not prevented under the model's technical assumptions. This formal step is self-contained and does not define its inputs or conclusions in terms of the later socio-technical factors (power imbalances, false security, oversharing). The subsequent analysis attributes the actual leak to unmodeled human and organizational elements without feeding those elements back into the pi-calculus proof or redefining the formal result. No self-citations, fitted parameters renamed as predictions, or ansatzes smuggled via prior work appear in the derivation. The overall claim that genuine security remains out of reach for average users rests on the combination of these distinct parts rather than any reduction of one to the other by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

Abstract-only review; no explicit free parameters, invented entities, or detailed axioms are stated beyond the implicit assumption that the real-world setup can be modeled in pi-calculus.

axioms (1)
  • domain assumption The boutique secure facility setup can be accurately represented in applied pi-calculus to prove leak prevention failure
    Invoked to support the formal proof that the setup would not prevent leaks.

pith-pipeline@v0.9.0 · 5502 in / 1251 out tokens · 73208 ms · 2026-05-10T02:07:07.458906+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

40 extracted references · 40 canonical work pages

  1. [1]

    Jack Douglas Teixeira Criminal No.23-10159-IT (2024)

    United States vs. Jack Douglas Teixeira Criminal No.23-10159-IT (2024)

    work page 2024

  2. [2]

    Evaluation of the Seceraty of Defense’s Reported Use of a Commercially Availiable Application for Official Business. Tech. Rep. DODIG-2026-021, US Department of Defense Office of the Inspector General (2025)

    work page 2026

  3. [3]

    Abadi, M., Blanchet, B., Fournet, C.: The applied pi calculus: Mobile values, new names, and secure communication. J. ACM65(1) (2017)

    work page 2017

  4. [4]

    In: Security Protocols

    Bella, G., Bistarelli, S., Massacci, F.: A protocol’s life after attacks... In: Security Protocols. pp. 3–10 (2005)

    work page 2005

  5. [5]

    In: Information Security and Privacy Research

    Bella, G., Coles-Kemp, L.: Layered analysis of security ceremonies. In: Information Security and Privacy Research. pp. 273–286 (2012)

    work page 2012

  6. [6]

    from more international organisations

    Cameron, C.: Trump withdraws the U.S. from more international organisations. The New York Times (2026, 7 January), https://www.nytimes.com/2026/01/07 /us/politics/trump-withdraw-un-organizations.html

    work page 2026

  7. [7]

    DAVOS (2026, 20 January), https://www.weforum.org/stories/2026/01/davos-2026-speci al-address-by-mark-carney-prime-minister-of-canada/

    Carney, M.: Special address by Mark Carney, Prime Minister of Canada. DAVOS (2026, 20 January), https://www.weforum.org/stories/2026/01/davos-2026-speci al-address-by-mark-carney-prime-minister-of-canada/

    work page 2026

  8. [8]

    Chiodo, M., Müller, D., Siewert, P., Wetherall, J.L., Yasmine, Z., Burden, J.: For- malising human-in-the-loop: Computational reductions, failure modes, and legal- moralresponsibility.In:TheFourteenthInternationalConferenceonLearningRep- resentations (2026), https://openreview.net/forum?id=KR8viVTrX4

    work page 2026

  9. [9]

    Chow, A.R.: What is Signal, the app used by Trump staff, and is it safe? Time Magazine (2025, 26 March), https://time.com/7271850/signal-app-attack-plans-t rump-officials/

    work page arXiv 2025

  10. [10]

    The Hill (2026, 20 March), https://thehill.com/policy/international/5794275-russian -hackers-target-americans-signal/

    Davis, S.: FBI: Russia targeting ‘high intelligence value’ Americans on Signal. The Hill (2026, 20 March), https://thehill.com/policy/international/5794275-russian -hackers-target-americans-signal/

    work page arXiv 2026

  11. [11]

    In: Weller, M

    Deeks, A.: Taming the doctrine of pre-emption. In: Weller, M. (ed.) The Oxford HandbookoftheUseofForceinInternationalLaw.OxfordUniversityPress(2015). https://doi.org/10.1093/law/9780199673049.003.0030

    work page doi:10.1093/law/9780199673049.003.0030 2015

  12. [12]

    Dooley, J.F.: A brief history of cryptology and cryptographic algorithms, vol. 21. Springer (2013)

    work page 2013

  13. [13]

    The New Republic (2025, 1 May), https://newrepublic.com/post/194739/mike-w altz-signal-phone-cabinet-meeting-photos

    Ferguson, M.: Mike Waltz caught checking Signal on his phone in cabinet meeting. The New Republic (2025, 1 May), https://newrepublic.com/post/194739/mike-w altz-signal-phone-cabinet-meeting-photos

    work page 2025

  14. [14]

    TechCrunch (2026, 9 March), https://techcrunch.c om/2026/03/09/russian-government-hackers-targeting-signal-and-whatsapp-use rs-dutch-spies-warn/

    Franceschi-Bicchierai, L.: Russian government hackers targeting Signal and What- sApp users, Dutch spies warn. TechCrunch (2026, 9 March), https://techcrunch.c om/2026/03/09/russian-government-hackers-targeting-signal-and-whatsapp-use rs-dutch-spies-warn/

    work page 2026

  15. [15]

    The Atlantic (2025, 24 March), https://www.theatlantic.com/politics/archive/2025/ 03/trump-administration-accidentally-texted-me-its-war-plans/682151/

    Goldberg, J.: The Trump administration accidentally texted me its war plans. The Atlantic (2025, 24 March), https://www.theatlantic.com/politics/archive/2025/ 03/trump-administration-accidentally-texted-me-its-war-plans/682151/

    work page 2025

  16. [16]

    The Atlantic (2025, 26 March), https://www.theatlantic.com/politics /archive/2025/03/signal-group-chat-attack-plans-hegseth-goldberg/682176/

    Goldberg, J., Harris, S.: Here are the attack plans that Trump’s advisers shared on signal. The Atlantic (2025, 26 March), https://www.theatlantic.com/politics /archive/2025/03/signal-group-chat-attack-plans-hegseth-goldberg/682176/

    work page 2025

  17. [17]

    BBC News (2025, 6 April), https://www.cbsn ews.com/news/trump-national-security-adviser-spokesperson-not-journalist-sig nal-chat-sources/ 18 M

    Jacobs, J.: Trump national security adviser meant to add spokesperson not jour- nalist to Signal chat, sources say. BBC News (2025, 6 April), https://www.cbsn ews.com/news/trump-national-security-adviser-spokesperson-not-journalist-sig nal-chat-sources/ 18 M. Chiodo et al

    work page 2025

  18. [18]

    In: Computer Security – ESORICS 2009

    Jagadeesan,R.,Jeffrey,A.,Pitcher,C.,Riely,J.:Towardsatheoryofaccountability and audit. In: Computer Security – ESORICS 2009. pp. 152–167 (2009)

    work page 2009

  19. [19]

    Lamport,L.:Time,clocks,andtheorderingofeventsinadistributedsystem21(7), 558–565 (1978)

    work page 1978

  20. [20]

    The Guardian (2025, 4 June), https://www.theguardia n.com/us-news/2025/apr/06/signal-group-chat-leak-how-it-happened

    Lowell, H.: Exclusive: how The Atlantic’s Jeffrey Goldberg got added to the White House Signal group chat. The Guardian (2025, 4 June), https://www.theguardia n.com/us-news/2025/apr/06/signal-group-chat-leak-how-it-happened

    work page 2025

  21. [21]

    https://doi.org/10.48550/arXiv.2509.07053

    Lowry, P.B., Moody, G.D., Willison, R., Posey, C.: The Signalgate case is waiving a red flag to all organizational and behavioral cybersecurity leaders, practition- ers, and researchers: Are we receiving the signal amidst the noise? arXiv preprint arXiv:2509.07053 (2025). https://doi.org/10.48550/arXiv.2509.07053

    work page doi:10.48550/arxiv.2509.07053 2025

  22. [22]

    Bloomsbury Academic, London, UK (2021)

    Lukes, S.: Power: A Radical View. Bloomsbury Academic, London, UK (2021)

    work page 2021

  23. [23]

    Information and Computation100(1), 1–40 (1992)

    Milner, R., Parrow, J., Walker, D.: A calculus of mobile processes, I. Information and Computation100(1), 1–40 (1992)

    work page 1992

  24. [24]

    Information and Computation100(1), 41–77 (1992)

    Milner, R., Parrow, J., Walker, D.: A calculus of mobile processes, II. Information and Computation100(1), 41–77 (1992)

    work page 1992

  25. [25]

    Mitchell, G., Gosztola, K.: Truth & Consequences: The U.S. vs. Bradley Manning. Sinclair Books, New York, NY, USA (2013)

    work page 2013

  26. [26]

    Cambridge Forum on AI: Law and Governance 1, e51 (2025)

    Müller, D., Chiodo, M., Sienknecht, M.: Integrators at war: Mediating in AI- assisted resort-to-force decisions. Cambridge Forum on AI: Law and Governance 1, e51 (2025). https://doi.org/10.1017/cfl.2025.10030

    work page doi:10.1017/cfl.2025.10030 2025

  27. [27]

    New York Post (2025, 25 March), https://nypost.com/2 025/03/25/us-news/national-security-adviser-mike-waltz-takes-full-responsibilit y-for-embarrassing-signal-leak/

    Nava, V.: National security adviser Mike Waltz takes ‘full responsibility’ for ‘em- barrassing’ Signal leak — claims he’s unaware how ‘vile’ Atlantic editor’s info got ‘sucked into’ his phone. New York Post (2025, 25 March), https://nypost.com/2 025/03/25/us-news/national-security-adviser-mike-waltz-takes-full-responsibilit y-for-embarrassing-signal-leak/

    work page 2025

  28. [28]

    New York Times (2025, 24 March), https://ww w.nytimes.com/issue/todayspaper/2025/03/25/todays-new-york-times

    New York Times: Today’s paper. New York Times (2025, 24 March), https://ww w.nytimes.com/issue/todayspaper/2025/03/25/todays-new-york-times

    work page 2025

  29. [29]

    Rucker, P., Costa, R.: Bannon vows a daily fight for ‘deconstruction of the admin- istrative state’. The Washington Post (2017, 23 February), www.washingtonpost.c om/politics/top-wh-strategist-vows-a-daily-fight-for-deconstruction-of-the-adm inistrative-state/2017/02/23/03f6b8da-f9ea-11e6-bf01-d47f8cf9b643_story.html

    work page 2017

  30. [30]

    In: Mistrust: Ethnographic Approximations

    Ruh, N.: Trusting the math and mistrusting humans. In: Mistrust: Ethnographic Approximations. pp. 23–48 (2018)

    work page 2018

  31. [31]

    The New York Times (2026, 8 January), https://www.nytimes.com/2026/01/08/us/politics/trump-interview-p ower-morality.html

    Sanger, D.E., Pager, T., Rogers, K., Kanno-Youngs, Z.: Trump lays out a vision of power restrained only by ‘my own morality’. The New York Times (2026, 8 January), https://www.nytimes.com/2026/01/08/us/politics/trump-interview-p ower-morality.html

    work page 2026

  32. [32]

    Cam- bridge University Press, Cambridge, UK (2003)

    Sangiorgi, D., Walker, D.: The Pi-Calculus: A Theory of Mobile Processes. Cam- bridge University Press, Cambridge, UK (2003)

    work page 2003

  33. [33]

    Signal: Signal terms & privacy policy (2018, 25 May), https://signal.org/legal/

    work page 2018

  34. [34]

    Amazon Digital Services LLC - Kdp (2023)

    van Steen, M., Tanenbaum, A.: Distributed Systems. Amazon Digital Services LLC - Kdp (2023)

    work page 2023

  35. [35]

    The Guardian (2025, 5 May), https://www.theguard ian.com/australia-news/2025/may/05/home-affairs-let-staff-use-signal-and-disap pearing-messages-amid-covid-lockdowns-documents-show

    Taylor, J.: Australia’s home affairs department has let staff use Signal since Covid lockdowns, documents show. The Guardian (2025, 5 May), https://www.theguard ian.com/australia-news/2025/may/05/home-affairs-let-staff-use-signal-and-disap pearing-messages-amid-covid-lockdowns-documents-show

    work page 2025

  36. [36]

    United Nations Charter: https://www.un.org/en/about-us/un-charter/full-text

    work page

  37. [37]

    Valentish, J., Zhou, N.: How The Chaser invaded Apec: ‘A small video tape was secreted behind his scrotum’. The Guardian (2020, 19 January), https://www.th Why JD Can’t Encrypt 19 eguardian.com/tv-and-radio/2020/jan/20/how-the-chaser-invaded-apec-a-small -camera-was-secreted-behind-his-scrotum

    work page 2020

  38. [38]

    CBS News (2025, 28 March), https: //www.cbsnews.com/news/trump-officials-in-signal-group-chat/

    Watson, K.: Which Trump officials were in the Signal chat? Here’s who was in the group The Atlantic editor was added to. CBS News (2025, 28 March), https: //www.cbsnews.com/news/trump-officials-in-signal-group-chat/

    work page 2025

  39. [39]

    In: 8th USENIX Security Symposium (USENIX Security 99) (1999)

    Whitten, A., Tygar, J.D.: Why Johnny can’t encrypt: A usability evaluation of PGP 5.0. In: 8th USENIX Security Symposium (USENIX Security 99) (1999)

    work page 1999

  40. [40]

    Zhou, J., Gollmann, D.: Evidence and non-repudiation. Journal of Network and Computer Applications20(3), 267–281 (1997) 6 Appendix: Appliedπ-calculus background Overview of appliedπ-calculus: [3,23,24] give a detailed introduction to (applied)π-calculus. Here we review the elements and operations used to model SCIF processes. Equation 14 defines the set o...

    work page 1997