In March 2026, the ACLU helped unseal a government subpoena that had been sitting under a gag order for months. A federal grand jury in Washington, D.C. had demanded subscriber information for 37 phone numbers from Signal. This wasn’t hypothetical. It wasn’t a marketing claim. It was an actual government agency, with actual legal authority, demanding actual data from the most recommended private messaging app on the internet, widely considered the most secure messaging app in 2026.
Here’s what Signal handed over: nothing usable. Not messages. Not contact lists. Not who talked to whom. Just account creation dates and last-connection timestamps, the same two data points Signal disclosed in an almost identical case a decade earlier, in 2016. Two different subpoenas, ten years apart, same government, same result: there was simply nothing else to give.
That gap, between what governments demand and what a well-architected messaging app can actually produce, is the real story this guide is built around. Every ‘best private messaging app’ article ranks Signal vs WhatsApp privacy, Telegram, and Session by feature checklists, or lists messaging apps that don’t require a phone number without explaining the trade-offs. Almost none of them show you documented proof of what happens when the promise gets tested by an actual legal demand. This guide does exactly that, for messaging apps specifically, the same way the previous guide in this series did for private email.
- What two real government subpoenas against Signal, a decade apart, actually produced
- The documented WhatsApp whistleblower case and what it reveals about “encrypted” messaging at Meta
- Why Session removed a core cryptographic protection in 2021, and what that trade-off actually means
- How Threema’s Swiss jurisdiction compares to Proton Mail’s, and where the parallel breaks down
- Element/Matrix’s federation model and the metadata leak most reviews don’t explain clearly
- A threat-model framework for choosing between phone-number-based and anonymous messaging apps
How We Evaluated These Apps

This comparison doesn’t rank apps by feature count or user ratings. Every app in this guide was evaluated against five specific, verifiable criteria:
- Documented legal test results: Has the app’s privacy claim ever been tested by a real subpoena, court order, or formal legal demand, and what was the documented outcome?
- Independent security audits: Has the app’s protocol and implementation been audited by a third party, and are the results publicly available?
- Metadata architecture: What metadata does the app’s design make it technically possible to collect, regardless of what the company’s policy says?
- Business model alignment: Does the company’s revenue model create structural incentives to collect or monetize user data?
- Known trade-offs and limitations: What has the app’s own team, or the independent security community, identified as acknowledged weaknesses?
Apps that couldn’t meet at least three of these criteria with publicly verifiable evidence, including Telegram, which doesn’t enable E2EE by default, were excluded from this comparison entirely.
What “End-to-End Encrypted” Actually Guarantees for Messaging Apps
Before comparing apps, it’s worth pinning down a definition precisely, because messaging app marketing uses “encrypted” more loosely than the term deserves.

End-to-end encryption (E2EE) means a message is encrypted on the sender’s device and only decrypted on the recipient’s device, the company operating the servers in between cannot read the content, even if legally compelled to hand over everything it stores. This is a real, cryptographically verifiable property, and every app in this guide, Signal, WhatsApp, Threema, Session, and Element (when configured correctly), implements it for message content.
What E2EE does not automatically guarantee is metadata protection: who messaged whom, when, how often, from what device, and from what IP address. As the two Signal subpoena cases above demonstrate, that distinction is the entire ballgame. WhatsApp’s messages are end-to-end encrypted using the same underlying Signal Protocol Signal itself uses, and yet, as covered further below, WhatsApp’s parent company has been formally accused of employee-level access practices that go well beyond anything Signal’s architecture would even permit.
Quick takeaway: “End-to-end encrypted” tells you what happens to message content. It tells you nothing about metadata, employee access policies, or what the company collects around the encrypted core. Those three things vary enormously between the apps in this guide, and that variance is what actually determines your privacy in practice.
What Metadata Each App Can Technically Access
This table shows what each app’s architecture makes it technically possible to collect or produce under a legal demand, not what the company says it collects by policy, but what its system design permits:
Signal: What Two Real Subpoenas, a Decade Apart, Actually Prove
Signal is the default recommendation for good reason, a 501(c)(3) nonprofit structure with no advertising business model, a fully open-source and independently audited protocol, and metadata minimization built into the architecture rather than bolted on. But the strongest evidence for Signal’s design isn’t a whitepaper. It’s what happened when the U.S. government actually tried to use legal process against it, twice.

The 2016 Case: The First Test
In the first half of 2016, Signal’s own published transparency record shows a federal grand jury subpoena arrived from the Eastern District of Virginia, demanding information about two Signal users. Signal’s response, worked out with the ACLU after fighting an accompanying gag order, disclosed exactly two data points per account: the registration date and the date of last connectivity. Nothing about contacts. Nothing about groups. Nothing about who those users had been communicating with, because, as Signal’s blog explains, that data was never collected in the first place.
The 2025-2026 Case: The Same Result, a Decade Later
This is the detail almost no current messaging-app comparison article has caught, because the case was unsealed only recently. Signal’s own government-requests page documents a grand jury subpoena from the United States District Court for the District of Columbia, requesting subscriber account information for a list of 37 phone numbers, along with a nondisclosure order barring Signal from even acknowledging it existed. Thanks to renewed ACLU representation, that order was modified in late 2025 to allow partial disclosure, and Signal published the response in March 2026.
The exact breakdown, published by Signal itself, is more precise than most summaries of this case capture: of the 37 accounts named in the subpoena, seven simply did not exist. For 24 of the remaining accounts, Signal held no responsive information at all for the relevant time period. Only 6 accounts had any data to disclose, and even then, that data was limited to account creation date and last-connection date, the identical two data points from the 2016 case a decade earlier.
What This Actually Proves (and What It Doesn’t)
This is real evidence of architecture working as designed, not a policy promise. Out of 37 targeted phone numbers, only 6 produced any data whatsoever, and none of it went beyond basic account timestamps, a concrete illustration of Signal’s own stated aim to hold “as close to no data as possible,” specifically so that when a legally valid request arrives, there’s nothing more to share.
It does not mean Signal is invisible to a targeted, sophisticated adversary, device compromise, court-ordered access to a specific unlocked phone, or metadata inference from network timing are all still theoretically possible outside what a subpoena to Signal itself can produce. What it does prove, concretely and twice now a decade apart, is that Signal’s minimal-data design isn’t a marketing language. It’s been tested against real federal legal process on two separate occasions and produced a negligible result both times.
Best for: The overwhelming majority of people who want audited, nonprofit-backed encryption with mainstream usability, and whose threat model is data-mining and casual surveillance rather than the specific need to avoid any phone-number linkage at all.
WhatsApp: The Documented Gap Between Encryption and Employee Access
WhatsApp uses the same Signal Protocol as Signal itself for message content, a detail WhatsApp’s marketing leans on heavily. What that marketing doesn’t mention is a formal whistleblower lawsuit, filed in September 2025, that alleges the protection stops well short of the server room.

The Whistleblower Lawsuit, In Detail
Attaullah Baig, WhatsApp’s former head of security, filed suit in the U.S. District Court for the Northern District of California in September 2025, naming Meta and several senior executives including CEO Mark Zuckerberg. According to the complaint, a red-team security exercise Baig ran shortly after joining WhatsApp in 2021 found that roughly 1,500 WhatsApp engineers had unrestricted access to user data, including sensitive personal information, and that this access could be used to move or exfiltrate that data without any audit trail.
The suit further alleges WhatsApp lacked a comprehensive inventory of what user data it even collected, a requirement under both the CCPA and GDPR and under the FTC’s 2020 privacy order following the Cambridge Analytica settlement.
The lawsuit claims Baig repeatedly escalated these findings to senior leadership, including a detailed report citing six specific compliance failures, and that he was terminated in February 2025, which the complaint frames as retaliation for his SEC whistleblower filing, made in November 2024. Meta disputes the characterization directly: the company states Baig was a level-1 software engineering manager, not “head of security” as the suit describes him, and says he was dismissed for poor performance. Meta also notes that OSHA dismissed Baig’s initial retaliation complaint, finding no violation.
What This Means for the Encryption Claim Specifically
The lawsuit does not allege that Meta broke WhatsApp’s end-to-end encryption, that specific technical claim remains intact and unchallenged. What it alleges is that a large internal engineer population could access account-level and metadata information surrounding that encryption without meaningful oversight. This is precisely the distinction this guide keeps returning to: message content protection and organizational data-access discipline are different guarantees, and a company can hold one while a lawsuit alleges it failed at the other.
Given the case is still working through litigation and is actively disputed by Meta, it should be read as a serious, documented allegation rather than a settled fact, but it’s a genuinely different category of concern than anything raised about Signal, and no messaging comparison is complete without it.
Best for: Users who need to reach the largest possible existing contact network and are comfortable with Meta’s broader data practices around (not within) the encrypted core, with the whistleblower allegations above as a documented, contested factor to weigh.
Session: The App That Removed a Core Protection to Solve a Different Problem
Session began in 2020 as a fork of Signal’s protocol, with one foundational design change: no phone number, no email, nothing that ties an account to a real-world identity at all. Registration generates a cryptographic key pair on-device, and your identity within the app is a long, random alphanumeric Session ID.

How Session’s Architecture Actually Works
Rather than routing messages through Signal’s centralized servers, Session uses a decentralized network of community-operated Service Nodes, built on the Oxen network, with onion routing conceptually similar to Tor. Messages route through multiple independent nodes before reaching a recipient’s “swarm”, a small cluster of nodes responsible for temporarily holding that user’s messages. No single node sees both the sender’s identity and the message’s final destination, and there’s no central company with a subpoena-able log of who’s messaging whom.
The Trade-Off Almost No Comparison Article Explains Clearly
Here’s the detail that deserves far more attention than it typically gets: Session removed Perfect Forward Secrecy (PFS) in 2021, citing stability problems when combined with its decentralized architecture. Perfect Forward Secrecy is the property that ensures a compromise of your long-term encryption key doesn’t let an attacker decrypt past messages, each conversation session generates fresh keys that get discarded afterward.
Removing it means that if a Session user’s key material were ever compromised, previously sent messages could theoretically become readable in a way Signal’s architecture specifically prevents.
This isn’t a secret Session has tried to hide, the team has been transparent that it’s a known limitation, and independent audits, including one by Quarkslab in 2021, found no fundamental security flaws but did flag exactly this forward-secrecy gap as an area needing improvement.
The consequence was concrete: Privacy Guides, a widely-referenced nonprofit recommendation site, stopped recommending Session for an extended period specifically because of the missing PFS, a real-world signal of how seriously the security community weighed this particular gap. As of December 2025, Session announced a “V2 Protocol” reintroducing PFS alongside post-quantum encryption, though the rollout isn’t yet finalized.
There’s a second honest limitation worth flagging: Session’s parent organization is based in a jurisdiction subject to Australia’s Assistance and Access Act, which includes mandatory backdoor provisions for “systemic” capabilities. Whether this legal framework could be applied to Session’s specific decentralized architecture remains legally untested.
Best for: Users whose primary threat is phone-number linkage specifically, pseudonymous organizing, environments where Signal might be blocked, or situations where any tie between a messaging account and a real identity is unacceptable, who understand the current forward-secrecy trade-off and are watching for the promised protocol update.
Threema: The Swiss Jurisdiction Parallel That Doesn’t Fully Hold
Threema is a paid, Swiss-based messaging app that requires no phone number or email to register, uses the open-source NaCl cryptography library, and has undergone professional security audits. It’s often described in privacy roundups with language borrowed almost verbatim from Proton Mail coverage, “Swiss privacy laws,” “doesn’t need to monetize your data because it’s paid”, and the parallel is worth examining directly rather than repeating uncritically.

Where the Proton Parallel Holds
The paid model is a genuine structural advantage: Threema has no advertising business model creating pressure to monetize user data, which is a real and meaningful difference from Meta’s messaging properties. Anonymous registration, no phone number, no email required, combined with the option to purchase the Android app with cryptocurrency, gives Threema a lower identity footprint at signup than Signal’s phone-number model.
Where the Parallel Breaks Down
This is the part most roundups skip: Switzerland’s Article 271 framework, which governs Proton’s disclosure obligations and requires foreign requests to pass through Swiss courts, applies to Threema’s jurisdiction in the same general sense, but the documented pattern of Swiss authorities approving international requests, covered in this series’ guide to private email, applies just as structurally to any Swiss company, Threema included.
Threema hasn’t faced a public case as widely documented as Proton’s, but that’s a difference in scrutiny and public record, not necessarily a difference in the legal obligations a Swiss court order could impose. The “Swiss jurisdiction equals immunity” framing deserves the same caution here as it did for email.
Best for: Users who want a paid, ad-free messaging model with genuinely low-friction anonymous signup, and who understand Swiss jurisdiction as a meaningful but not absolute legal barrier, the same nuance that applies to Swiss-based email providers.
Element (Matrix): Federation’s Power and Its Metadata Cost
Element is the most popular client for Matrix, an open, federated messaging protocol that works more like email than like a typical messaging app: anyone can run their own Matrix server (called a “homeserver”), and those servers communicate with each other, so users on different servers can still message one another.

Why Federation Is Genuinely Powerful
This architecture means no single company controls the entire network, an organization, government agency, or individual can self-host a homeserver and retain full control over their own data, rather than depending on a single corporate provider’s continued existence, policies, or goodwill. For teams, NGOs, and organizations wanting infrastructure independence, this is a real and distinct advantage over every centralized app in this guide.
The Metadata Cost Most Reviews Gloss Over
Federation has a structural downside that deserves more explicit treatment than most comparisons give it: message content between Matrix users is end-to-end encrypted when configured correctly, but metadata about who is communicating with whom necessarily passes through and is visible to every homeserver involved in a conversation, not just your own.
If you’re on a self-hosted homeserver but message someone on a large public homeserver, that public homeserver operator can see metadata about your conversation, even though the message content itself stays encrypted. This is fundamentally different from Signal’s model, where Signal’s own servers are the only ones ever in the loop.
Best for: Organizations and technical teams who want infrastructure independence and control over their own server, and who understand that federation trades some metadata privacy for that independence, best mitigated by self-hosting and using a single, trusted homeserver rather than federating broadly.
| App | Registration | Forward Secrecy | Architecture | Best Trade-off |
|---|---|---|---|---|
| Signal | Phone number | Yes (full) | Centralized, minimal data | Proven track record, mainstream use |
| Phone number | Yes (Signal Protocol) | Centralized, Meta-owned | Largest network, contested data practices | |
| Session | None (random ID) | No (in progress) | Decentralized, onion-routed | Strongest anonymity, acknowledged crypto gap |
| Threema | None (paid, anonymous) | Yes | Centralized, Swiss jurisdiction | No-ad model, anonymous signup |
| Element/Matrix | Email or self-hosted | Yes (when configured) | Federated | Self-hosting independence, metadata trade-off |
Which Messaging App Matches Your Actual Threat Model?
Real-World Scenarios: Which massaging Apps for Which Situation

Scenario 1: A journalist protecting a source
Best choice: Signal (if the source already has it) or Session (if the source needs to avoid phone-number linkage entirely).
Why: The journalist needs proven encryption that has survived legal challenges. Signal’s two subpoena cases demonstrate this directly. If the source is in a situation where even registering a phone number to a messaging app could identify them, Session’s anonymous ID system removes that specific risk, with the forward-secrecy trade-off acknowledged.
Scenario 2: A family group chat replacing WhatsApp
Best choice: Signal.
Why: The barrier to adoption matters here. Signal is free, available on all platforms, and functionally similar enough to WhatsApp that non-technical family members can switch without friction. The phone-number requirement is actually an advantage in this context, it makes finding existing contacts automatic.
Scenario 3: An NGO coordinating across multiple countries
Best choice: Element/Matrix (self-hosted).
Why: The organization controls its own infrastructure, isn’t dependent on any single company’s continued service, and can enforce its own data retention policies. The metadata trade-off of federation is mitigated by keeping all team members on the same self-hosted homeserver.
Scenario 4: Anonymous political organizing in a high-surveillance environment
Best choice: Session.
Why: No phone number, no email, onion-routed messages, decentralized infrastructure with no single subpoena target. The forward-secrecy gap is a real trade-off, but in environments where the primary threat is identity linkage rather than retroactive decryption of seized devices, Session’s anonymity architecture addresses the more immediate risk.
Scenario 5: A privacy-conscious professional who wants to pay for a service rather than be the product
Best choice: Threema.
Why: The paid model eliminates advertising incentives entirely. Anonymous purchase with cryptocurrency is possible. No phone number required. For someone whose threat model is corporate data mining rather than state-level surveillance, Threema’s combination of paid model + anonymous signup + Swiss jurisdiction is a coherent package.
Mistakes That Undo Your Messaging App’s Privacy

Assuming “uses the Signal Protocol” means “as private as Signal.”
WhatsApp uses the same encryption protocol as Signal for message content, and the whistleblower allegations above show exactly why that single fact tells you nothing about internal data access policies, metadata collection, or organizational incentives around that encrypted core.
Enabling cloud backups without checking if they break encryption
A message that’s end-to-end encrypted in transit can become plaintext-readable the moment it’s backed up to iCloud or Google Drive with a company-held key rather than a user-held one. Always verify a backup uses the app’s own end-to-end encrypted backup option, not a generic device cloud backup.
Treating a phone-number-based account as anonymous just because messages are encrypted
Signal’s own subpoena cases show the account’s existence and connection dates can still be confirmed for a specific phone number, even when no other data exists. If your threat model requires no linkage between your identity and your account at all, a phone-number app is the wrong category of tool regardless of its encryption strength.
Assuming a federated protocol is automatically more private than a centralized one
Element/Matrix’s federation model is a genuine advantage for infrastructure independence, but as shown above, it introduces a metadata visibility trade-off that a purely centralized, minimal-data app like Signal doesn’t have. More decentralization isn’t automatically more private, it depends specifically on what gets shared across that decentralized structure.
Choosing an app based on marketing language instead of documented, testable claims
Signal’s minimal-data claims have been tested against real federal subpoenas twice with matching results. Session’s forward-secrecy trade-off is openly documented by the team and by independent audits. Look for this kind of testable, falsifiable claim before trusting a messaging app’s privacy positioning, and be equally skeptical of claims that haven’t been tested by anything more than the company’s own marketing page.
Quick takeaway: The apps that deserve the most trust are the ones whose privacy claims have survived contact with an actual legal demand, an independent audit, or a formal dispute, not the ones with the cleanest marketing copy.
Before and After: What Actually Changes
- Before switching from SMS or an unencrypted chat app: Every message passes through your carrier’s infrastructure in a format that’s been vulnerable to interception for decades, the SS7 protocol underlying SMS dates to the 1970s and has known, exploited weaknesses. Message content, timing, and metadata are all available to your carrier and, in the U.S., accessible to law enforcement with minimal legal process for messages over 180 days old.
- After switching to any app in this guide: Message content becomes genuinely unreadable to network-level interception and, for Signal, Session, Threema, and correctly configured Element, unreadable to the provider itself. This is a substantial, real privacy gain regardless of which specific app you choose.
- What doesn’t automatically change: Metadata protection varies enormously between these five apps, from Signal’s tested minimal-data model to Element’s federation-wide visibility to WhatsApp’s disputed internal access practices. Picking any app in this guide over SMS is a clear improvement. Picking the right one for your specific threat model requires the distinctions this guide has walked through.
How to Switch Without Losing Privacy in the Process

Switching messaging apps sounds simple, but the transition itself can create privacy gaps if done carelessly. Here’s a step-by-step approach:
- Don’t announce your switch on the old platform with specifics: A message saying “I’m moving to Signal, here’s my number” on an unencrypted platform creates a permanent record linking your identity to your new secure account. Simply tell contacts you’re available on a new app and share details privately.
- Set up the new app before deleting the old one: Verify your encryption keys, enable registration lock (Signal) or set a backup password, and confirm messages are sending and receiving correctly before you lose access to your old communication channel.
- Check your backup settings immediately: The single most common privacy mistake during a switch: your new encrypted app backs up to iCloud or Google Drive with a platform-held key, making your “encrypted” messages readable to Apple or Google. Disable cloud backup or enable the app’s own encrypted backup option on day one.
- Revoke old app permissions: If you’re leaving WhatsApp, revoke its access to your contacts, photos, and storage before uninstalling. Data already uploaded won’t be deleted, but you stop the ongoing collection.
- For high-risk users: use a secondary number. If your threat model requires it, register Signal with a VoIP number or secondary SIM rather than your primary number. This adds a layer of separation between your messaging identity and your real-world phone number, though it doesn’t provide the full anonymity of Session’s no-number model.
The Bottom Line
Two government subpoenas against Signal, ten years apart, produced the same negligible result, real evidence, not a marketing claim, that minimal-data architecture works as designed under actual legal pressure. A formal whistleblower lawsuit against Meta alleges that WhatsApp’s encryption exists inside an organization whose internal access controls have been called into serious question, even as the encryption protocol itself remains unbroken.
Session traded a cryptographic protection for stronger anonymity, transparently, and is working to close that gap. Threema’s Swiss-jurisdiction advantage deserves the same nuanced reading as Proton Mail’s. Element’s federation is powerful for independence and costs something in metadata privacy.
None of these apps is a universally correct choice. Each represents a different, specific answer to the question “private from whom, and at what cost”, and the evidence in this guide, not the marketing copy, is what should decide which answer fits your situation, whether you’re looking for the most secure messaging app overall, or specifically for private messaging apps that don’t require a phone number.
Frequently Asked Questions
Has Signal ever handed over user data to the government?
Yes, twice on public record — and both cases show how little there was to disclose. A 2016 grand jury subpoena from the Eastern District of Virginia produced only account creation and last-connection dates for two accounts. A subpoena unsealed in March 2026 from the District of Columbia targeted 37 phone numbers: 7 accounts didn’t exist, 24 had no responsive data at all, and only 6 had any data — limited to the same two timestamp fields as the 2016 case. Signal’s architecture is designed so there’s no expanded category of data to disclose even under a valid federal legal demand.
Is WhatsApp actually as private as Signal since they use the same encryption?
No. Both apps use the Signal Protocol for message content encryption, but a September 2025 whistleblower lawsuit from WhatsApp’s former head of security alleges around 1,500 WhatsApp engineers had unrestricted access to user data, and that Meta lacked a comprehensive inventory of what user data it even collected. Meta disputes the plaintiff’s title and characterization of events, and the case remains in litigation. Regardless of outcome, the lawsuit highlights that encryption protocol and organizational data-access discipline are separate guarantees — sharing one doesn’t mean sharing the other.
Why did Session remove Perfect Forward Secrecy?
Session’s team removed PFS in 2021, citing stability issues when combined with the app’s decentralized, onion-routed architecture. This is an openly acknowledged trade-off, not a hidden flaw — independent audits, including one by Quarkslab, confirmed no fundamental security break but flagged the missing forward secrecy as an area for improvement. The Session team has stated a rebuilt protocol restoring PFS is in active development.
Does Threema’s Swiss jurisdiction make it safer than Signal or Session?
Swiss jurisdiction provides a genuine legal barrier — foreign data requests must pass through Swiss courts — but it is not an immunity guarantee. Documented cases involving Proton Mail, also Swiss-jurisdiction, show Swiss authorities have approved international requests routed through legal assistance treaties on multiple occasions. Threema hasn’t faced a comparably public disclosure case, but that reflects less public scrutiny, not necessarily a different legal obligation a Swiss court could impose if tested.
Is Element/Matrix more private than Signal because it’s decentralized?
Not automatically. Element/Matrix’s federated model gives you infrastructure independence — you can self-host your own server rather than depend on a single company — but metadata about who’s messaging whom is visible to every homeserver involved in a conversation, not just your own. Signal’s centralized model means only Signal’s servers are ever in that loop. Decentralization trades one kind of privacy risk (dependence on a single company) for another (broader metadata visibility across federated servers), rather than eliminating privacy risk entirely.
Can I use Signal without a phone number?
Not currently for registration — a phone number is still required to create a Signal account, though since 2024 Signal usernames let you hide that number from other users and searchers. If avoiding phone-number linkage entirely, even at the registration level, is essential to your threat model, Session or Threema are architecturally better fits, since neither requires a phone number or email at any point.
What’s the safest messaging app for journalists and activists?
Signal remains the security community’s default recommendation, given its audited protocol, nonprofit structure, and the two documented subpoena cases showing minimal disclosure under real legal pressure. For situations where phone-number linkage itself is the primary risk — not just message content exposure — Session’s anonymous, decentralized registration is a reasonable specialized alternative, with the acknowledged forward-secrecy trade-off weighed against that specific need.









[…] Read the Full Article → […]