The client is open source, so it doesn't matter what the server code is, you can see everything the client sends and therefore tell what possible data is being collected.

It's run by a non-profit so there's no shareholders to please.

Your messages and decryption key are not stored on their servers.

It's been independently audited.

They have publicly posted responses to user information requests where they only provide the account creation date and last access time.

The (admittedly incompetent) US government recommends using Signal (for non-classified information) and top officials have been caught using it (Houthi Working Group).

You can never be 100% sure, but it appears to have excellent security and privacy.

A lot of people use Signal. It may not be the best solution out there, but it is so, so, so much better than the proprietary alternates.

One good thing is that a normie can easily use it as an alternative to WhatsApp, since the app design is so similar. I mean, it is easy for family and friends to understand and start using Signal, compared to something like Matrix or XMPP.

And if someone needs a little more hardening, they could use the fork called Molly, which has a few more security benefits over the stock app.

Yes. You will find a lot of randos saying no, but the consensus among security professionals and researchers is that it is still the current standard. Not to say that it doesn't deserve scrutiny or criticism, or that other projects aren't important to develop.

Who do you want privacy from and why?

That's not a rhetorical question. It matters. If you want privacy from corporations and governments doing mass surveillance because you're against mass surveillance in principle, Signal is great! As long as you don't give janky apps permission to read your notifications, or you limit what Signal shows in its notifications, your device won't leak to those kinds of threat actors. You can't be sure everyone you talk to is as fastidious though.

If the cops, gangsters, or similar are likely to target you and the people you're talking to directly, there's a good chance just using Signal without a security plan won't keep them from getting the contents of the conversation as in this recent incident where the FBI extracted deleted messages from notification logs. To defend against that specific attack, everyone needs to configure Signal to keep message content and contact details out of the notification. Dedicated devices for secure communication set up by someone who knows what they're doing are ideal in this situation. Signal is still a good choice here, but Signal alone won't guarantee privacy.

If you're being targeted by an intelligence agency from a rich country that has allocated a significant budget to surveil you in particular, you're probably screwed. There's plenty of public information about how US government officials and contractors are required to work with classified information to get a sense of how you might try to mount a defense. It's guaranteed to be inconvenient.

If you don't care about sharing your phone number with Signal and a third-party company (Signal refuses to state what company it is) that send the text message with the activation code to you. And if you don't care that everything will be saved on servers maintained by Amazon in USA.

Then yes, Signal is the right app for you even in 2026.

But if you do care (ans you should) about your phone number and the location of your data, you should focus on something more privacy like XMPP (Snikket would be the easiest way to setup your own server) and SimpleX.

XMPP (for an example Snikket) uses OMEMO and OMEMO is based on Signal Protocol.

PRODUCT PITCH: Hey everyone, I have a great idea for a secure / private messaging service.

It's hosted in the US, subject to its pervasive spying laws including national security letters.

Also I need all your phone numbers.

Also no you can't host this yourself, I run the only server.

Everyone who uses signal and supports it, is falling for this pitch.

Why not signal?

While centralisation continues to be a problem (as the recent AWS outage has shown), Signal continues to be the a sufficient compromise between privacy and usability that a non-technical user will actually use.

That said, I'm making contingency plans to set up an alternative for close family in case the US goes full retard and makes it inaccessible.

In my experience, the bigger issue is folks just completely ignore OPSEC once they get on signal.

The centralized component is pretty concerning. Imagine if protests like in Iran earlier this year were to occur in the States. The Feds would immediately seize or DDOS those servers during nationwide unrest, before cutting the internet which is basically an inside out panopticon.

EOD it depends on your threat model. You're probably not on Signal if your life depends on it anyway.

Plus, its always useful to not have my texts immediately read and sent to advertisers.

The stories I've heard where Signal messages have been extracted or otherwise accessed was from beyond either end. Someone invited a journalist to a private group chat. Someone handed someone else an unlocked device. The most alarming one is apparently Apple uploads every push notification your device gets to their servers. So if you are concerned about privacy there's a feature in Signal to set push notifications to only say "you got a message" and not include the sender or message contents in the notification.

I haven't heard of Signal itself leaking messages.

https://github.com/mollyim/mollyim-android

You may want to read Why not Signal?, but I still use it.

As per usual, the answer is "depends on your threat model". For a lot of sensitive communications, the centralised design and therefore ability to correlate metadata is a no-go. But if you're just using it e.g. as a WhatsApp replacement to message your friends, it's fine. It's still the most polished and normie-friendly e2ee foss messenger.

Just remember that if you, or anyone you are talking to, has notifications turned on (in the app itself), that conversation is now outside of signal and a lot easier to get to.

if you are super private person or want to be anonymous, maybe you can choose SimpleX.

IMHO the question depends on :

• who you are (boring, rando, political dissident, journalist, etc)
• who you talk to (family, friends, work, etc)
• what alternatives actually exist

So... sure Signal is not perfect but if you can't convince your family members to move to DeltaChat it sure beats using WhatsApp, Telegram, etc.

I think for talking to friends and family it's fine I think.

If you're someone that would get more scrutiny from goverment organizations because of your activities (journalist, crime boss, sex worker, etc) you might want to use something more secure.

~~I have no idea what these more secure applications are.~~

Edit: Just did a quick search to see what i2p has for messaging:

I2P has messaging applications such as I2P-Messenger and I2P-Talk, which provide end-to-end encrypted communication without the need for servers. These applications allow for anonymous messaging and file transfers.

I2P-Messenger: A serverless, end-to-end encrypted instant messenger that allows users to chat anonymously. It does not log conversations, ensuring privacy. File transfer is also supported.

I2P-Talk: Another instant messaging application that provides similar security features as I2P-Messenger but is incompatible with it.

The above our super hardcore solutions that isn't neccesary for regular day to day messaging, but useful for more extreme cases. I've never used i2p or these two chat apps so I can't speak to how well they work.

Signal for people I know IRL, Simplex for those I don't.

I trust Signal and like it a lot, but I do wish they’d remove the stupid MobileCoin rubbish.

use xmpp like me