Both Apps Use the Same Encryption. They Are Not the Same App.
Signal and WhatsApp share the same core cryptographic protocol. The differences that actually matter have nothing to do with encryption — they are architectural decisions about what gets collected before the message is sent and what survives after it arrives.
In 2016, a federal grand jury in the Eastern District of Virginia subpoenaed Signal's records on two of its users. Signal complied. It handed over the date each account was created and the date each account last connected to Signal's servers. Nothing else. No messages. No contacts. No conversation history. No location data. No device identifiers.
By the end of 2021, Signal had received two more subpoenas — one from the Central District of California in the spring, another from Santa Clara County in the fall. Same result each time. Two data points per user.
WhatsApp uses the same cryptographic protocol as Signal.
What the Protocol Actually Does
The Signal Protocol is a cryptographic system developed by Open Whisper Systems and released in 2013. It combines the Double Ratchet algorithm, elliptic curve Diffie-Hellman key exchange, and one-time prekeys to achieve two properties: end-to-end encryption and forward secrecy.
End-to-end encryption means a message is encrypted on your device before it leaves, passes through the provider's servers in scrambled form, and is unscrambled only on the recipient's device. The server moves data it cannot read.
Forward secrecy means a unique encryption key is generated for each message. If one key is ever exposed, it cannot be used to decrypt earlier messages. Each key is derived, used once, and discarded.
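The key chain behind that property can be sketched in a few lines. This is an added example, not code from Signal or WhatsApp: it implements only the symmetric half of the Double Ratchet, using the HMAC-SHA256 step with constants 0x01 and 0x02 that the published Double Ratchet specification recommends. The class name, helper names and the shared secret are assumptions made for illustration.

```python
import hashlib
import hmac

def kdf_ck(chain_key):
    """One symmetric-ratchet step: (next_chain_key, message_key)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key

class ChainRatchet:
    """Hypothetical helper: holds only the current chain key."""
    def __init__(self, chain_key):
        self._chain_key = chain_key

    def next_message_key(self):
        # Overwrite the old chain key; the message key is returned for one
        # use and never stored here.
        self._chain_key, message_key = kdf_ck(self._chain_key)
        return message_key

    def snapshot(self):
        """What an attacker reading device memory right now would obtain."""
        return self._chain_key

def keys_derivable_from(stolen_chain_key, count):
    """Message keys obtainable by stepping forward from a stolen chain key."""
    keys, ck = [], stolen_chain_key
    for _ in range(count):
        ck, mk = kdf_ck(ck)
        keys.append(mk)
    return keys

def demo():
    # Constructed stand-in for the secret both sides share after key exchange.
    shared = hashlib.sha256(b"constructed shared secret").digest()
    sender, receiver = ChainRatchet(shared), ChainRatchet(shared)
    sent = [sender.next_message_key() for _ in range(3)]
    received = [receiver.next_message_key() for _ in range(3)]
    stolen = sender.snapshot()            # compromise after message 3
    later = [sender.next_message_key() for _ in range(3)]
    derivable = keys_derivable_from(stolen, 3)
    return {
        "in_sync": sent == received,
        # Going backwards would require inverting HMAC-SHA256.
        "earlier_keys_exposed": any(k in derivable for k in sent),
        # Later keys in this chain stay derivable until the Diffie-Hellman
        # ratchet step mixes in fresh key material.
        "later_keys_exposed": derivable == later,
    }

if __name__ == "__main__":
    print(demo())
```

The chain key captured after the third message yields none of the first three message keys, which is the forward-secrecy property described above. It does yield the following keys in the same chain, which is why the protocol pairs this chain with a Diffie-Hellman ratchet.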
Both Signal and WhatsApp implement this protocol. WhatsApp completed a full rollout across all message types in 2016. Will Cathcart, WhatsApp's head, has said explicitly that WhatsApp uses the same security protocol as Signal. That is accurate. The layer protecting message content is the same on both platforms.
Metadata
When you send a message on WhatsApp, the content is encrypted. The metadata — who you sent it to, when, how often, from which device, from which IP address, how large the message was, whether it contained media — is not. WhatsApp's privacy policy confirms it collects this and shares it with Meta: account information, device identifiers, usage patterns, connection information, IP addresses, location data, and information about the people and groups you communicate with.
In 2014, former NSA director Michael Hayden said at a public debate at Johns Hopkins University that the US government kills people based on metadata — not message content. Communication patterns alone, who contacts whom, at what times, from what locations, with what regularity, can be enough to identify and target individuals. WhatsApp's messages are protected. The records surrounding them are collected and retained.
Signal's privacy policy states it retains almost none of this. The three subpoenas are the most concrete evidence of what that means: the records were requested, the company complied, and there was almost nothing there.
Sealed Sender
In 2018, Signal introduced a feature called Sealed Sender. Even with end-to-end encryption in place, a messaging server traditionally needs to know where to route each message — which means knowing, at minimum, who sent what to whom.
Sealed Sender restructures the message so the server can deliver it without learning the sender's identity. The sender encrypts the entire message — including their own identity — using the recipient's public key. The server receives a package it can route to the recipient's device, but cannot open to determine where it came from.
The recipient's device decrypts the outer layer, recovers the sender's identity, and verifies it. The server handled delivery. It had no record of who initiated it.
Signal published the full technical specification in 2018. WhatsApp does not implement Sealed Sender. Meta's servers have a record, for every message sent through WhatsApp, of who sent it to whom.
The Backup Problem
For most of WhatsApp's history, the most significant gap between the two apps had nothing to do with what happened inside them.
By default, WhatsApp backs up message history to Google Drive on Android and iCloud on iOS. For years, those backups were stored in a form that Google and Apple could read. A conversation protected from Meta in transit was sitting unprotected in third-party cloud storage after delivery — accessible to those companies, and to any legal process directed at them.
WhatsApp introduced encrypted backups in 2021, protected by a user-held password or a 64-character key. The feature is opt-in and not enabled by default. For users who haven't turned it on, that message history remains in third-party cloud storage without encryption.
Signal does not back up message history to external cloud services.
What Can and Cannot Be Verified
Signal's client application is open source. Independent researchers can read the code, audit it, and verify that the app behaves as described.
WhatsApp uses the Signal Protocol, which is open source. WhatsApp's client application itself is proprietary. The protocol is publicly verified. What happens inside the app before a message is encrypted — how data is handled, what runs in the background, how keys are managed — cannot be independently checked. WhatsApp's privacy claims depend on trusting Meta's representations.
In 2019, a vulnerability in WhatsApp's proprietary code allowed attackers to install spyware on a device simply by placing a call that didn't need to be answered. The flaw was unrelated to the Signal Protocol. It was in the closed application code, and was being used against journalists and activists before it was identified and patched.
Post-Quantum
In September 2023, Signal updated its key exchange to include a layer designed to resist future quantum computing attacks. The concern is a specific scenario: an adversary records encrypted traffic today, stores it, and decrypts it years from now once quantum computers capable of breaking current encryption exist. The capability doesn't currently exist, but it's a plausible enough long-term risk that it has a name — "harvest now, decrypt later."
The update, called PQXDH (Post-Quantum Extended Diffie-Hellman), adds a second cryptographic layer based on a different class of math — one considered harder for quantum computers to break. In October 2025, Signal extended this further with SPQR (Sparse Post-Quantum Ratchet), which applies that protection not just to the initial connection but to every message in a conversation.
WhatsApp has not announced comparable changes.
What the Differences Add Up To
WhatsApp retains metadata about who communicates with whom and when. Its servers have a record of sender and recipient for every message. Users who haven't opted into encrypted backups have message history stored in Google's or Apple's infrastructure. The application code cannot be independently audited.
Signal retains almost no metadata. Its Sealed Sender feature means even Signal's servers lack a complete sender record for messages. Message history stays on-device. The application code is open to review.
Signal's own limitation is worth stating: an account is tied to a phone number, which in most countries links back to a government-issued identity. Signal added usernames so users don't have to share that number, but the phone number remains the underlying account identifier. For someone who needs their identity protected — not just their messages — that's a structural limitation.
Key Takeaway: While both apps share the same cryptographic foundation, their architectural priorities result in two very different privacy profiles.
| Feature | WhatsApp | Signal |
|---|---|---|
| Core Protocol | Signal Protocol | Signal Protocol |
| Metadata Collection | High (IP, Logs, Contacts) | Minimal (Timestamps) |
| Sender Anonymity | No (Server knows sender) | Yes (Sealed Sender) |
| Quantum Resistance | No current implementation | SPQR (as of 2025) |
| Cloud Backups | Encrypted (Opt-in) | On-device only |
| Code Verification | Proprietary (Closed) | Open Source (Auditable) |
Signal was asked three times, across multiple jurisdictions, for user data. Each time, it produced two timestamps.