Is it still viable to use Signal for privacy in 2026? It’s centralized, and has had many suspicious occurrences in the past.(Unopen source server code, careless whisper exploit which is still active as far as I know, and the whole mobile coin situation.)
Thoughts?
I think the text is somewhat dubious in its arguments, but this (and the arguments built on this assertion) is just plain wrong:
Signal clients implement the Pond protocol. As a result, Signals servers know who a message is for (obviously, how else do you get the message) but cannot know who it is FROM.
I’ve been playing around with implementing a secure/private messenger demo for myself, and have been consistently impressed with how privacy preserving Signal is when reading their papers and code. I wish it was selfhostable, but apart from that, it’s great.
The server would be NICE to be OSS, but ultimately, privacy breaches are prevented client/protocol side.
Give me ssh access to signal’s centralized US-hosted server so I can verify this (IE that their centralized DB doesn’t store).
Otherwise this is a “trust me bro” claim, considering they have the phone numbers of everyone who signed up, and are the routing service for the messages you send.
I don’t really understand why you think this, can you explain? Signal stores, and has access to, no message metadata. They don’t know who your contacts are, which group chats you’re in, when you’re sending messages, or who you’re talking to.
To be convinced of this, take a look at the client source code, and compile the app yourself. None of this information ever leaves your phone without being encrypted or otherwise masked. No analysis of their server code is required to be convinced of this.
Phone numbers are the most important metadata you can give them, far more important than message content. It means your real identity / name and address. With phone numbers you can build social networking graphs: who talked to who, and when.
Client source code is irrelevant here. Signal is a centralized service, you can’t verify what their US-based server is actually running (although they did go a full year without publishing any server updates at one point, until they received a lot of backlash for it).
You gave them your phone number / real identity when you signed up. The most important piece of info they could possibly give them, you already did.
Can you explain how signal will build a social network graph when it doesn’t know who sent any message, which group chats you’re in, or who is on your contact list? Again, none of this ever leaves your device without being encrypted, which you can check by looking at the client source code.
They have your phone number. You gave it to them when you signed up.
Signal wouldn’t know how to route messages if it didn’t store this info.
These are super cool parts of signal’s architecture, that are not obvious to understand, but you can truly verify client side that (1) signal only sees an IP address, no phone number, associated with each outgoing message, and (2) signal has no idea who is in which group chat and which permissions you have in those chats.
The first one is pretty simple: you don’t prove to signal who you are, signal just routes packets and lets the receiver verify that the sender is who they say they are by verifying a short lived certificate attesting your identity.
The second one is more interesting: group chats are implemented as a complete graph of direct messages between all participants. In order to update the group state, you send Signal a zero-knowledge proof that you are a member of the group, which convinces Signal that you can add or remove people, without ever revealing your identity. This same mechanism is used to prevent griefing, spam, and DDOS attacks for sealed sender.
Again, both of these can be verified by only looking at the client source code, and nothing else.
More info: https://signal.org/blog/sealed-sender/ https://signal.org/blog/signal-private-group-system/
These are all “trust me bro” claims.
Give me ssh access to their server so I can verify that this “sealed sender” is working correctly and not using the info you already gave them. We would demand this transparency of open source messengers, so why not signal?
I’ll just say one last time: none of this information ever leaves your client device, so even if signal wanted to know the phone number of a message sender, or which group chats you’re in, they have no access to this because it all never leaves your phone. As long as you’re running the correct client code, the server can be arbitrarily malicious, and it doesnt matter.
Have a great day