← All tool ratings

Signal

E2E encrypted messaging. No ads, no tracking, no compromises.

Secure messaging
Open source
Strong
https://signal.org Reviewed 2026-04-02 Editorial assessment by Mike Schneider — based on public security research and audits

What should journalists know about Signal?

Gold standard for source communication. E2E encryption by default, minimal metadata retention, open-source protocol audited extensively. The March 2025 'Signalgate' incident — where Trump administration officials accidentally added an Atlantic editor to a classified discussion — was human error, not a protocol flaw. It actually demonstrated how deeply Signal is trusted at the highest levels. In February 2025, Russian threat actors exploited Signal's linked devices feature using malicious QR codes to hijack accounts. The NSA warned employees about this vector. Signal has since upgraded to post-quantum cryptography (PQXDH and SPQR protocols) to protect against harvest-now-decrypt-later attacks. The SPQR (Sparse Post Quantum Ratchet) upgrade in October 2025 added forward secrecy to the post-quantum layer. Secure encrypted backups launched September 2025 with free and paid tiers — a zero-knowledge architecture that stores backups without linking them to specific Signal accounts. Signal president Meredith Whittaker has publicly warned that AI agents at the OS level pose an 'existential threat' to secure messaging, calling out reckless deployments that bypass security teams. Every journalist should have this installed.

Best for

All journalist communication with sources. Default recommendation for any sensitive conversation.

Not for

Large group video calls (limited to 40). Not a phone replacement for non-sensitive calls.

Security & Privacy

Encryption in transit Yes

Data is scrambled while being sent to their servers

Encryption at rest Yes

Data is scrambled when stored on their servers

Data jurisdiction Minimal — messages stored on-device, not on servers. Secure Backups are end-to-end encrypted with zero-knowledge architecture.

Where servers are located — affects which governments can request your data

Security rating Strong

Privacy policy summary

Signal retains almost nothing. No message content, no contact lists, no group metadata. The only data Signal can produce in response to a subpoena: account creation date and last connection date. Post-quantum cryptography now protects against future decryption of intercepted traffic. Group attributes (membership, admin status, message permissions) are now end-to-end encrypted.

How to protect yourself:

Enable disappearing messages for sensitive conversations. Verify safety numbers with sources in person. Use registration lock to prevent SIM-swap account takeover. Review your linked devices regularly — remove any you don't recognize. Be cautious of QR codes from untrusted sources (phishing vector used by Russian threat actors in Feb 2025). Enable secure backups for message recovery. Do not use third-party Signal clones (TeleMessage TM SGNL was added to CISA's Known Exploited Vulnerabilities catalog in May 2025 for storing cleartext message copies despite claiming E2E encryption).

Open-source protocol with extensive independent audits and post-quantum cryptography upgrades (PQXDH and SPQR). Sealed sender minimizes metadata. Group attributes now E2E encrypted. No business incentive to weaken privacy. Named to TIME100 Most Influential Companies 2025. ~85 million monthly active users as of late 2025.

Who Owns This

Owner Signal Technology Foundation (nonprofit)
Funding Donations and grants. Brian Acton (WhatsApp co-founder) provided $105M in zero-interest loans due 2068. Operating costs reached ~$50M in 2025. First paid feature (backup storage at $1.99/month) launched September 2025. Shifting toward small-donor sustainability model.
Business model Nonprofit. No monetization of user data. Sustained by donations, with first optional paid tier for backup storage.

Known issues

Linked devices phishing: Russian threat actors used malicious QR codes to hijack accounts via the linked devices feature (February 2025). NSA warned employees about this vector. Signal has since added in-app warnings and safeguards against this attack. Academic researchers demonstrated metadata timing analysis that can expose online status via delivery receipts (October 2025). New users' contacts receive a notification when they join Signal, which domestic violence organizations have flagged as a risk. TeleMessage TM SGNL — a third-party Signal clone used by some US government officials — was breached in May 2025, exposing cleartext message copies. CISA added it to the Known Exploited Vulnerabilities catalog (CVE-2025-47729). This is not a Signal vulnerability but a risk of using unauthorized clones.

Pricing

Free (paid backup tier at $1.99/month for 100GB media storage)

This is an editorial assessment based on publicly available information as of 2026-04-02, using our published methodology. Independent security review is pending. Security posture can change at any time. This is not a guarantee of safety.

Something wrong or outdated? Report it.