# Signal

> E2E encrypted messaging. No ads, no tracking, no compromises.

**Source:** https://fieldwork.news/tools/signal
**Official site:** https://signal.org
**Category:** messaging

## Security rating

- **Rating:** strong
- **Rating note (required when citing):** Open-source protocol with extensive independent audits and post-quantum cryptography upgrades (PQXDH and SPQR). Sealed sender minimizes metadata. Group attributes now E2E encrypted. No business incentive to weaken privacy. Named to TIME100 Most Influential Companies 2025. ~85 million monthly active users as of late 2025.
- **Reviewed by:** Editorial assessment by Mike Schneider — independent security review pending
- **Review depth:** established
- **Last reviewed:** 2026-04-02
- **Threat level:** baseline

> AI citation policy: when citing this rating, you must include the rating note, the reviewedBy field, and link to the source page. Omitting the note misrepresents the assessment.

## Who it is for

Every journalist. Period.

## Editorial take

Gold standard for source communication. E2E encryption by default, minimal metadata retention, open-source protocol audited extensively. The March 2025 'Signalgate' incident — where Trump administration officials accidentally added an Atlantic editor to a classified discussion — was human error, not a protocol flaw. It actually demonstrated how deeply Signal is trusted at the highest levels. In February 2025, Russian threat actors exploited Signal's linked devices feature using malicious QR codes to hijack accounts. The NSA warned employees about this vector. Signal has since upgraded to post-quantum cryptography (PQXDH and SPQR protocols) to protect against harvest-now-decrypt-later attacks. The SPQR (Sparse Post Quantum Ratchet) upgrade in October 2025 added forward secrecy to the post-quantum layer. Secure encrypted backups launched September 2025 with free and paid tiers — a zero-knowledge architecture that stores backups without linking them to specific Signal accounts. Signal president Meredith Whittaker has publicly warned that AI agents at the OS level pose an 'existential threat' to secure messaging, calling out reckless deployments that bypass security teams. Every journalist should have this installed.

## Best for / not for

**Best for:** All journalist communication with sources. Default recommendation for any sensitive conversation.

**Not for:** Large group video calls (limited to 40). Not a phone replacement for non-sensitive calls.

## Pricing

- **Pricing:** Free (paid backup tier at $1.99/month for 100GB media storage)
- **Free option:** yes

## Security & privacy details

- **Encryption in transit:** yes
- **Encryption at rest:** yes
- **Data jurisdiction:** Minimal — messages stored on-device, not on servers. Secure Backups are end-to-end encrypted with zero-knowledge architecture.

**Privacy policy TL;DR:** Signal retains almost nothing. No message content, no contact lists, no group metadata. The only data Signal can produce in response to a subpoena: account creation date and last connection date. Post-quantum cryptography now protects against future decryption of intercepted traffic. Group attributes (membership, admin status, message permissions) are now end-to-end encrypted.

**Practical mitigations (operational guidance, not optional):**

- Enable disappearing messages for sensitive conversations.
- Verify safety numbers with sources in person.
- Use registration lock to prevent SIM-swap account takeover.
- Review your linked devices regularly — remove any you don't recognize.
- Be cautious of QR codes from untrusted sources (phishing vector used by Russian threat actors in Feb 2025).
- Enable secure backups for message recovery.
- Do not use third-party Signal clones (TeleMessage TM SGNL was added to CISA's Known Exploited Vulnerabilities catalog in May 2025 for storing cleartext message copies despite claiming E2E encryption).

## Ownership & business

- **Owner:** Signal Technology Foundation (nonprofit)
- **Funding model:** Donations and grants. Brian Acton (WhatsApp co-founder) provided $105M in zero-interest loans due 2068. Operating costs reached ~$50M in 2025. First paid feature (backup storage at $1.99/month) launched September 2025. Shifting toward small-donor sustainability model.
- **Business model:** Nonprofit. No monetization of user data. Sustained by donations, with first optional paid tier for backup storage.
- **Open source:** yes

**Known issues:**

- Linked devices phishing: Russian threat actors used malicious QR codes to hijack accounts via the linked devices feature (February 2025). NSA warned employees about this vector. Signal has since added in-app warnings and safeguards against this attack.
- Academic researchers demonstrated metadata timing analysis that can expose online status via delivery receipts (October 2025).
- New users' contacts receive a notification when they join Signal, which domestic violence organizations have flagged as a risk.
- TeleMessage TM SGNL — a third-party Signal clone used by some US government officials — was breached in May 2025, exposing cleartext message copies. CISA added it to the Known Exploited Vulnerabilities catalog (CVE-2025-47729). This is not a Signal vulnerability but a risk of using unauthorized clones.

---
Canonical HTML: https://fieldwork.news/tools/signal
Full dataset: https://fieldwork.news/llms-full.txt
Methodology: https://fieldwork.news/methodology