Almost every messaging app now claims to be "encrypted" or "private." WhatsApp puts a lock icon on every chat. Telegram markets itself as "the most secure messenger." Facebook Messenger added an encryption toggle. But encryption marketing and actual privacy engineering are entirely different things, and the differences between messaging apps range from "genuinely private" to "actively misleading."
This comparison examines three messengers — Signal, Telegram, and Session — that represent three fundamentally different approaches to messaging privacy. Signal is the cryptographic gold standard, used by journalists, activists, and every cybersecurity professional who practices what they preach. Telegram is the feature-rich platform that markets itself as private while leaving most messages readable on its servers. Session is the radical approach that eliminates metadata through decentralized onion routing, at the cost of convenience and adoption.
Signal: The Gold Standard for Encrypted Messaging
How the Signal Protocol works
Signal uses the Signal Protocol — the most scrutinized, formally verified, and widely adopted encryption protocol for asynchronous messaging. Two core mechanisms work together:
X3DH (Extended Triple Diffie-Hellman) key agreement: When you first message someone on Signal, your device needs to establish a shared encryption key with theirs — even if the recipient is offline. Signal solves this with pre-uploaded key bundles. Each Signal user uploads a set of one-time pre-keys and a signed pre-key to the Signal server. When you initiate a conversation, your device downloads the recipient's key bundle and performs three Diffie-Hellman exchanges using different key combinations to derive a shared secret. The Signal server never sees this shared secret — it only stores the public key bundles. Once the shared secret is established, X3DH's job is done and the Double Ratchet takes over.
Double Ratchet algorithm: This is where Signal's forward secrecy comes from. Instead of using one encryption key for all messages (which would mean compromising that key reveals everything), the Double Ratchet derives a new, unique encryption key for every single message sent. The "ratchet" advances in one direction — you can derive future keys from the current state but cannot reverse-derive past keys. This means if an attacker compromises your current message key, they cannot decrypt past messages (forward secrecy). When the other party responds, a new Diffie-Hellman exchange resets the ratchet, providing future secrecy — even if your current key material is compromised, future messages will use completely new key material that the attacker does not have.
The result: every message has a unique encryption key, past messages are protected even if current keys are compromised, and the protocol self-heals from key compromise through ongoing DH ratchet steps.
What Signal actually stores (almost nothing)
Signal's privacy claims are not marketing — they have been tested under legal pressure. In 2021, a federal grand jury in the Central District of California served Signal with a subpoena demanding subscriber information, addresses, correspondence, contacts, groups, and call records for specific Signal accounts. Signal's response, published on their website for transparency, included exactly two pieces of data per account: the Unix timestamp of when the account was created and the Unix timestamp of when the account last connected to Signal servers. That was everything Signal had. No message content (end-to-end encrypted and not stored on servers). No contact list (contacts are discovered through hashed phone number matching and never uploaded). No group membership data (group information is encrypted and opaque to Signal servers). No profile names or avatars (encrypted). No call records or call metadata.
Signal further minimizes metadata exposure through Sealed Sender — a technology that encrypts the sender's identity so that Signal servers route messages without knowing who sent them. The server knows who should receive a message (necessary for delivery) but not who sent it. This was independently audited and confirmed.
Signal's limitations — honest assessment
Phone number requirement: Signal requires a phone number for registration. Your phone number is linked to your identity through your carrier. While Signal introduced usernames in 2024 (allowing you to hide your phone number from contacts), the number is still required at registration. For threat models where phone number linkage is unacceptable, this is a meaningful limitation.
Centralized infrastructure: Signal operates centralized servers (hosted on AWS and other cloud providers). While these servers cannot read message content, they can observe connection patterns — who connects when, connection frequency, and IP addresses (though Signal uses techniques to minimize this). A well-resourced adversary monitoring Signal's infrastructure could potentially identify Signal users and roughly when they communicate, even without access to message content.
US jurisdiction: Signal Technology Foundation is a US 501(c)(3) nonprofit. Signal is subject to US legal processes, including subpoenas, national security letters, and FISA orders. Signal's protection here is engineering-based: they cannot produce what they do not store. But jurisdiction-sensitive users should understand Signal's legal context.
Telegram: The Privacy Illusion
What Telegram actually encrypts (and does not)
Telegram is the most misunderstood messaging app in terms of security. Its marketing emphasizes privacy and security, but the technical reality is far less impressive:
Standard chats (the default): All regular one-on-one conversations, group chats (up to 200,000 members), channels, and bot interactions use client-server encryption with Telegram MTProto 2.0 protocol. This means messages are encrypted between your device and Telegram's servers, and between Telegram's servers and the recipient's device — but Telegram's servers decrypt, store, and have full plaintext access to every standard message. Telegram can read your messages, Telegram can hand your messages to law enforcement, and Telegram does store all standard chat history indefinitely on their servers (this is how the "cloud chat" feature works — your chats are accessible from any device because they are stored server-side in readable form).
Secret Chats (opt-in only): Telegram does offer end-to-end encrypted chats called Secret Chats, but they must be manually initiated for each conversation, only exist on the specific device where they were started (no multi-device sync), do not support group conversations at all, are not available on Telegram Desktop for Windows or Linux (macOS only), and use Telegram's custom MTProto 2.0 E2E encryption rather than the widely audited Signal Protocol. The percentage of Telegram users who regularly use Secret Chats is negligible — Telegram's own interface does not prominently encourage their use.
Telegram's security track record
Government data sharing: Telegram has shared user data with governments, despite its privacy marketing. After Telegram CEO Pavel Durov was detained in France in August 2024 and subsequently charged, Telegram updated its privacy policy in September 2024 to explicitly state that it would share user IP addresses and phone numbers with authorities in response to valid legal requests. Even before this, Telegram had shared data with German authorities (BKA) on at least 20 occasions between 2022 and 2024.
The MTProto question: Telegram uses its own proprietary encryption protocol (MTProto 2.0) rather than the Signal Protocol or another well-established, widely-audited encryption standard. While MTProto 2.0 has not been demonstrably broken, the cryptographic community generally considers purpose-built protocols riskier than battle-tested standards. Multiple academic analyses have identified theoretical weaknesses in earlier MTProto versions, and the protocol has received far less independent scrutiny than the Signal Protocol.
Metadata collection: Telegram collects substantial user metadata: IP addresses, device information, phone numbers, contact lists (if phone contacts are synced), group membership, channel subscriptions, bot interactions, username history, and usage patterns. This metadata is stored on Telegram's servers and is accessible to Telegram and, under legal processes, to governments.
When Telegram IS the right choice
Despite its privacy limitations, Telegram excels in use cases where encryption is not the priority: large public communities and channels (up to 200,000 members), content distribution and broadcasting, bot ecosystems for automation and information delivery, large file sharing (up to 4 GB per file), and public group discussions. Telegram is a communication platform first and a private messenger second. Use it for public-facing activities, not for conversations you need to keep private from Telegram or governments.
Session: Metadata-Free Messaging Through Onion Routing
The metadata problem that Session solves
Even Signal, with its minimal data collection, has a metadata gap: Signal's servers know that two Signal users are communicating (even though they cannot see message content through Sealed Sender), Signal requires a phone number for registration, and connections to Signal's servers reveal your IP address. For most users, these are minor concerns. For journalists communicating with sources in authoritarian countries, activists under state surveillance, or whistleblowers whose association with certain contacts could be life-threatening, metadata alone can be fatal.
Session was built specifically to close this gap. Created by the OPTF (Oxen Privacy Tech Foundation), Session eliminates metadata through three mechanisms:
No phone number or email required: When you create a Session account, the app generates a cryptographic key pair (Ed25519). Your "Session ID" is your public key — a string of characters with no connection to your phone number, email address, or any personally identifiable information. You share your Session ID (or a QR code) with contacts to communicate. There is no registration server that maps your real identity to your account.
Onion routing for all messages: Session does not use centralized servers for message delivery. Instead, messages are routed through a decentralized network of 2,000+ community-operated nodes called "Service Nodes" (part of the Oxen network). Each message passes through three nodes, similar to the Tor network — the first node knows your IP but not the recipient, the last node knows the recipient but not your IP, and the middle node knows neither. No single node sees the complete routing path. This makes traffic analysis and metadata collection structurally impossible for any individual node operator.
Decentralized message storage: Messages for offline recipients are stored temporarily on Service Nodes using a "swarm" architecture — groups of nodes that collectively store messages for a subset of Session IDs. Messages are stored encrypted and are automatically deleted after a retention period (default 14 days). No single entity controls or has access to the stored messages.
Session's tradeoffs
Encryption protocol: Session originally used the Signal Protocol but forked to its own "Session Protocol" to remove the phone number dependency and adapt to the decentralized architecture. The Session Protocol uses X25519 for key exchange and XSalsa20-Poly1305 for message encryption. While these are strong cryptographic primitives, the Session Protocol's specific implementation has received less independent scrutiny than the Signal Protocol. Session has undergone a security audit by Quarkslab (results publicly available), but the protocol has not been formally verified by academic cryptographers to the same degree as the Signal Protocol.
Smaller user base: Session has a significantly smaller user base than Signal (millions) or Telegram (950+ million). This means the contact you want to reach is less likely to have Session, and the smaller anonymity set provides less crowd cover for high-risk users.
Performance: Onion routing adds latency. Messages on Session take longer to deliver than on Signal or Telegram, especially when nodes in the routing path are geographically distant or under load. File transfers are slower. Voice and video calls were only recently added and are less reliable than Signal's calls.
Feature gaps: Session lacks some features that Signal and Telegram users expect: no read receipts, limited group sizes (100 members maximum), no SMS fallback, no integration with phone contacts, and a simpler media sharing experience.
Choosing by Threat Model
Threat: commercial surveillance (Google, Meta, data brokers) — Signal is sufficient and recommended. End-to-end encryption prevents content access, minimal metadata limits profiling, and Signal's nonprofit status means no advertising incentive. Session works but is unnecessary for this threat model.
Threat: ISP or network-level surveillance — Signal encrypts all content, preventing ISP content inspection. However, your ISP can see that you connect to Signal's servers. If hiding your Signal usage from your ISP is important, use a VPN or connect to Signal through Tor. Session's onion routing hides both content and the fact that you are using Session from your ISP.
Threat: law enforcement with legal process — Signal is strong due to minimal stored data (subpoena returns almost nothing). Session is stronger due to no registration data at all and no centralized server to subpoena. Telegram is weak — standard chat content, IP addresses, and phone numbers can all be obtained through legal process.
Threat: state-level surveillance (intelligence agencies) — Session provides the strongest protection through onion routing, no phone number linkage, and decentralized infrastructure. Signal's Sealed Sender helps but centralized servers create metadata pressure points. Telegram is unsuitable for this threat model entirely.
Threat: physical device seizure — All three apps are vulnerable if your device is unlocked or poorly secured. Use a strong device PIN/password, enable full-disk encryption, and configure disappearing messages on Signal (5 minutes to 4 weeks auto-delete) or Session. On Signal, enable Screen Lock to require biometric/PIN authentication to open the app. Consider using Signal on a secondary device that stays physically secured.
Practical Setup Recommendations
For most people: Install Signal. Set it as your default messaging app. Enable disappearing messages (1 week is a good default). Enable registration lock (prevents someone who obtains your phone number from re-registering your account). Set up a Signal PIN (encrypts your profile, contacts, and settings). Enable Screen Lock. Encourage your contacts to switch — Signal's value increases with network effects.
For elevated risk (journalists, activists, researchers): Use Signal for daily communication with known contacts. Install Session for situations requiring metadata protection — communicating with anonymous sources, coordinating with contacts whose association with you could create risk. Use separate devices for Signal and Session if possible. Enable disappearing messages with short timers (5 minutes to 1 hour). Never use Telegram for sensitive communications.
For public communities: Telegram is the best tool for large public groups, channels, and bot-driven communities. Accept that standard Telegram chats are not private and do not share sensitive information through them. If a Telegram contact wants to discuss something privately, move the conversation to Signal.
The honest reality: most people should use Signal for everything private and Telegram only for public communities where the content is meant to be public anyway. Session is for the subset of users whose threat models specifically require metadata protection and anonymous registration — a smaller group, but one for whom Session provides protections that no other messenger can match.
