Signal Explained: What It Is and Why It Matters

Margot 'Magic' Thorne (@magicthorne) | May 6, 2026 | 9 min read

Signal is a messaging app that encrypts your conversations so that only you and the person you're talking to can read them. Not Signal. Not your phone carrier. Not law enforcement. Not anyone who intercepts the data in transit.

That's the core promise. Everything else flows from that.

You install Signal on your phone. You register with your phone number. You send messages, make calls, share photos and videos. The interface looks like any other messaging app. The difference is invisible to you but absolute in its effect: every message, every call, every piece of media is encrypted on your device before it leaves, and only the recipient's device can decrypt it.

This is called end-to-end encryption, and Signal built the protocol that most other secure messaging apps now use. The Signal Protocol is open-source, audited by cryptographers, and widely considered the standard for private communication. WhatsApp uses it. Facebook Messenger uses it as an option. Google Messages uses it for certain conversations. But Signal uses it for everything, by default, with no way to turn it off.

The app launched in 2014 as a merger of two earlier projects: TextSecure (encrypted text) and RedPhone (encrypted voice). The nonprofit Signal Foundation runs it. No shareholders. No advertising. No business model that depends on monetizing your attention or data. The foundation is funded by donations and grants, which means Signal's incentives align with yours: keep your conversations private.

How Signal encryption actually works

When you send a message through Signal, your phone generates a unique encryption key for that conversation. The message is encrypted on your device using that key. The encrypted data travels through Signal's servers to the recipient. The recipient's device uses a corresponding key to decrypt the message. Signal's servers see only encrypted data. They cannot decrypt it. They do not store it longer than necessary to deliver it.

This is different from how most apps handle messages. Gmail, for example, encrypts messages in transit and at rest on Google's servers, but Google holds the keys. Google can decrypt your messages if compelled by law enforcement or if an employee with access decides to look. Signal cannot. The keys exist only on the devices at each end of the conversation.

The Signal Protocol uses a technique called the Double Ratchet Algorithm, which generates new encryption keys with every message. Even if an attacker somehow obtained the key for one message, they could not decrypt past or future messages in the same conversation. This property is called forward secrecy, and it means a single compromised key does not compromise the entire conversation history.
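
The key-per-message idea described above, as an added example (not code from Signal or from this article): a Python sketch of the symmetric half of the Double Ratchet, using the HMAC chain step with the constants 0x01 and 0x02 that the Double Ratchet specification suggests. The shared secret, the function names and the toy cipher are assumptions made for illustration; a real client uses an authenticated cipher and also mixes fresh Diffie-Hellman output into the chain.

```python
import hashlib
import hmac

def ratchet_step(chain_key):
    """Advance the chain one message: return (next_chain_key, message_key)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key

def _keystream(key, length):
    # Toy stream cipher (HMAC in counter mode), a stand-in for a real AEAD.
    out, counter = b"", 0
    while len(out) < length:
        block = b"enc" + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(message_key, plaintext):
    stream = _keystream(message_key, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(message_key, b"tag" + body, hashlib.sha256).digest()
    return body + tag

def open_sealed(message_key, sealed):
    body, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(message_key, b"tag" + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key or tampered ciphertext
    return bytes(c ^ k for c, k in zip(body, _keystream(message_key, len(body))))

def demo():
    # Constructed shared secret; in Signal it comes from the key agreement.
    alice_chain = bob_chain = hashlib.sha256(b"constructed shared secret").digest()
    wire, bob_read, bob_keys = [], [], []
    for text in [b"first", b"second", b"third"]:
        alice_chain, mk = ratchet_step(alice_chain)  # old chain key is overwritten
        wire.append(seal(mk, text))
    for sealed in wire:
        bob_chain, mk = ratchet_step(bob_chain)
        bob_keys.append(mk)
        bob_read.append(open_sealed(mk, sealed))
    leaked = bob_keys[1]  # attacker holds only the key for the second message
    attacker_read = [open_sealed(leaked, s) for s in wire]
    return bob_read, attacker_read

if __name__ == "__main__":
    print(demo())
```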

Signal also uses sealed sender technology for metadata protection. When you send a message, Signal's servers do not see who sent it to whom. They see only that a message needs to be delivered to a specific recipient. The sender's identity is encrypted inside the message itself, visible only to the recipient. This prevents Signal from building a social graph of who talks to whom, even though they relay the messages.

Contact discovery is another area where Signal takes extra steps. When you open the app, it needs to know which of your contacts also use Signal. Most apps upload your entire contact list to a server, which scans it and sends back matches. Signal uses a cryptographic technique called Private Contact Discovery, which allows the server to check for matches without ever seeing your contact list in plaintext. The server learns nothing about who you know.

What Signal collects and what it doesn't

Signal's privacy policy is short because there is not much to say. The app collects your phone number when you register. That's it. No email. No name. No profile data unless you choose to add it. No message content. No call logs. No contact lists. No location data. No device identifiers beyond what is necessary to deliver messages.

When law enforcement has subpoenaed Signal's records in criminal cases, Signal has provided exactly two pieces of information: the date the account was created and the date it was last active. That is the full extent of what Signal stores about you. Everything else is encrypted on your device and inaccessible to Signal.

Compare this to WhatsApp, which is owned by Meta. WhatsApp uses the Signal Protocol for message encryption, so your message content is protected end-to-end. But WhatsApp collects metadata: who you message, when, how often, your device type, your IP address, your phone number, and your contact list. Meta uses this metadata for advertising and shares it across its family of apps. The message content is private. The metadata is not.

iMessage, Apple's default messaging app, also uses end-to-end encryption for messages between Apple devices. But iMessage backups to iCloud are not end-to-end encrypted unless you enable Advanced Data Protection, a setting most users do not know exists. If you back up to iCloud without that setting enabled, Apple holds the keys to your message history and can decrypt it if compelled by law enforcement. iMessage also ties your conversations to your Apple ID, which links to your payment information, purchase history, and other Apple services.

Signal avoids these tradeoffs by design. No cloud backups. No integration with other services. No metadata collection beyond what is technically necessary to deliver messages. The result is a messaging app that knows almost nothing about you.

Who uses Signal and why

Signal is not niche anymore, but it is not mainstream either. Around 40 million people worldwide use it, according to estimates from researchers. That is a fraction of WhatsApp's 2 billion users or iMessage's roughly 1 billion, but it is enough to make Signal viable for everyday use if the people you talk to are willing to install it.

Journalists use Signal to communicate with sources. Activists use it to organize without surveillance. Lawyers use it to discuss cases with clients. Whistleblowers use it to share information with reporters. Security professionals use it because they understand the threat model. These are the early adopters, the people for whom privacy is not theoretical.

But Signal is also used by people who just do not want their conversations monetized. Parents who do not want Meta scanning their family photos. Couples who do not want their private messages backed up to a cloud server controlled by a corporation. Friends who prefer not to feed their social graph into an advertising algorithm. The threat model here is not state surveillance. It is corporate data collection.

Signal works for both. The encryption protects you from both government overreach and corporate exploitation. The same technology that keeps a journalist's source confidential also keeps your vacation photos out of a data broker's database.

What Signal does not protect you from

Signal encrypts the content of your messages. It does not encrypt the fact that you are using Signal. Your phone carrier knows you installed the app. Your internet service provider knows you are connecting to Signal's servers. Anyone monitoring your network traffic can see that you are using Signal, even if they cannot see what you are saying.

Signal also does not protect you if someone has access to your unlocked phone. End-to-end encryption protects data in transit, not data at rest on a compromised device. If someone unlocks your phone, they can read your Signal messages the same way you can. Use a strong passcode. Enable biometric unlock if your phone supports it. Do not leave your phone unlocked in places where someone else might access it.

Signal does not protect you from screenshots. If the person you are messaging takes a screenshot of your conversation and shares it, your private message is no longer private. Signal has a feature called disappearing messages, which deletes messages after a set time, but this does not prevent screenshots. It only removes the message from both devices after the timer expires. Trust is still required.

Signal does not protect you from phishing. If someone tricks you into giving them your Signal registration code, they can link your phone number to their device and impersonate you. Signal sends you a code via SMS when you register. Do not share that code with anyone. If someone asks for it, they are trying to take over your account.

Signal does not protect you from malware on your device. If your phone is infected with spyware, the spyware can read your messages after they are decrypted on your device. End-to-end encryption assumes both endpoints are secure. If your device is compromised, encryption cannot help you.

How Signal compares to other messaging apps

WhatsApp uses the Signal Protocol for message encryption, but it is owned by Meta, which means your metadata is collected and used for advertising. The message content is private. The context is not. If you need to message someone who will not install Signal, WhatsApp is better than SMS, but it is not as private as Signal.

iMessage is end-to-end encrypted between Apple devices, but backups to iCloud are not encrypted by default. If you use iMessage and back up to iCloud without enabling Advanced Data Protection, your message history is accessible to Apple and can be turned over to law enforcement. iMessage also does not work on Android, which limits its usefulness if you message people outside the Apple ecosystem.

Telegram markets itself as a secure messaging app, but its default chats are not end-to-end encrypted. Only Secret Chats use end-to-end encryption, and most users do not enable them. Telegram's encryption protocol is also proprietary and has not been audited as thoroughly as the Signal Protocol. Security researchers generally do not recommend Telegram for private communication.

Google Messages supports end-to-end encryption for one-on-one conversations between Android users, but group chats and messages to non-Android users fall back to unencrypted SMS or MMS. The encryption is based on the Signal Protocol, but the implementation is controlled by Google, which collects metadata and integrates Messages with other Google services.

Facebook Messenger offers end-to-end encryption as an opt-in feature called Secret Conversations, but it is not enabled by default. Most Messenger conversations are not encrypted end-to-end, which means Meta can read them. Meta uses message content and metadata for advertising and other purposes.

Signal is the only app in this comparison that uses end-to-end encryption by default for all messages, calls, and media, collects minimal metadata, and is run by a nonprofit with no financial incentive to monetize your data.

Setting up Signal and using it effectively

Download Signal from the App Store or Google Play. Do not download it from third-party sites. Open the app and register with your phone number. Signal sends you a six-digit code via SMS. Enter the code to verify your number. Do not share this code with anyone.

Set a PIN. Signal uses this PIN to back up your profile, settings, and contacts to Signal's servers in an encrypted format. If you lose your phone or switch devices, the PIN lets you restore your account. Choose a PIN you can remember but that is not easy to guess. Do not use 1234 or your birthday.

Enable registration lock. This prevents someone from registering your phone number on a new device without your PIN. Go to Settings, then Account, then Registration Lock. Turn it on. This protects you from SIM-swapping attacks, where an attacker convinces your phone carrier to transfer your number to a new SIM card.

Add a profile name and photo if you want. These are optional. Signal does not require you to use your real name. Your contacts will see whatever name you choose, or your phone number if you do not set a name.

Invite your contacts. Signal works only when both people have the app installed. Tap the compose button and select a contact. If they do not have Signal, the app will prompt you to invite them via SMS. This is the main barrier to adoption: you need to convince the people you talk to most often to install Signal. If they will not, you will end up using multiple messaging apps.

Use disappearing messages for sensitive conversations. Open a conversation, tap the contact's name at the top, then scroll down to Disappearing Messages. Set a timer. Messages will delete from both devices after the timer expires. This does not prevent screenshots, but it reduces the window of exposure if someone gains access to your phone later.

Verify safety numbers for high-stakes conversations. Each Signal conversation has a unique safety number, a string of digits that confirms you are communicating with the person you think you are. If someone intercepts your connection and tries to impersonate your contact, the safety number will change. To verify, open a conversation, tap the contact's name, then tap View Safety Number. Compare the number on your screen with the number on your contact's screen, either in person or over a voice call. If they match, your connection is secure.

The cultural reference that fits

In Star Trek: The Next Generation, the Enterprise crew encounters the Tamarians, a species that communicates entirely through metaphor and shared cultural reference. "Darmok and Jalad at Tanagra" means cooperation. "Shaka, when the walls fell" means failure. The universal translator can render the words, but it cannot decode the meaning without the cultural context.

Signal's encryption works the same way. Anyone can intercept the encrypted message. It is just a string of meaningless characters without the decryption key. The key exists only on the devices at each end of the conversation. Without it, the message is gibberish. The encryption is the shared context that makes the message intelligible to the intended recipient and incomprehensible to everyone else.

The Tamarians' communication system failed when they encountered a species that did not share their references. Signal's encryption fails when one endpoint is compromised. The system assumes both participants hold the necessary context. If that assumption breaks, the message is either unreadable or readable by the wrong person.

Should you use Signal

If you want your conversations to remain private from corporate data collection, yes. If you communicate with journalists, lawyers, activists, or anyone who handles sensitive information, yes. If you do not want your message history backed up to a server controlled by a company with a financial interest in analyzing it, yes.

If none of that matters to you, maybe not. Signal requires everyone in the conversation to install the app. If your friends and family use WhatsApp or iMessage and will not switch, Signal becomes one more app you have to check. The privacy benefit is real, but the practical cost is fragmentation.

The threat model matters. If you are worried about a government with the resources to compromise your device, Signal will not save you. If you are worried about Meta scanning your photos or Google reading your messages to serve you ads, Signal solves that problem completely.

I use Signal for conversations I do not want stored on a corporate server. I use it with people who understand why that matters. I do not use it with everyone, because not everyone will install it. That is the tradeoff. Privacy requires participation.


Frequently asked questions

Signal uses end-to-end encryption by default for all messages, calls, and media. Unlike WhatsApp (owned by Meta) or iMessage (tied to Apple's ecosystem), Signal is open-source, collects minimal metadata, and is run by a nonprofit foundation with no financial incentive to monetize your data.
Yes. Signal uses the Signal Protocol, which cryptographers consider the gold standard for messaging encryption. Messages are encrypted on your device before transmission and only decrypted on the recipient's device. Signal itself cannot read your messages.
No. Signal uses end-to-end encryption, so your messages are encrypted before they leave your device. Signal's servers relay encrypted data but cannot decrypt it. Contact discovery happens using a cryptographic technique that prevents Signal from seeing your contact list.
Yes. Signal only works when both sender and recipient have the app installed. If you message someone without Signal, the app will prompt you to invite them. This is a feature, not a bug—it ensures all conversations remain encrypted end-to-end.
Yes. Signal is completely free, with no ads, no subscription tiers, and no paid features. It's funded by donations and grants to the Signal Foundation, a nonprofit organization dedicated to privacy-preserving technology.
