The Codex · Communications · Protocol COM-001
Most digital communication is readable by parties beyond the sender and recipient — the platform, the carrier, and anyone with legal or technical access to either. For communications involving anything of value, this is not acceptable. This protocol defines which tools meet the standard, how they must be configured, and what encryption actually protects — and what it does not.
Transit encryption and end-to-end encryption are not the same thing, and the distinction matters significantly. Transit encryption — used by most web services, email providers, and messaging applications — encrypts the connection between your device and the server. The service itself can read the content, and is legally compellable to produce it. This is how Gmail, Telegram's default chats, and most workplace messaging tools work.
End-to-end encryption means the content is encrypted on your device and decrypted only on the recipient's device. The service operator cannot read it, because they do not hold the keys. Signal and iMessage (Apple-to-Apple) operate this way. The distinction is whether the platform is a trusted intermediary or a party that can access the content.
Not all encrypted messaging applications are equivalent. The relevant considerations are: the strength of the encryption protocol, whether the platform retains metadata, whether the codebase has been independently audited, and whether the operator is legally compellable in your jurisdiction.
Signal leads on all of these criteria. The Signal Protocol is the gold standard for messaging encryption and is used, with modifications, by WhatsApp and iMessage. Signal's own infrastructure is designed to retain the minimum possible data about users and their communications — by architecture, not merely by policy. iMessage provides strong encryption but is tied to Apple's ecosystem and its relationship with law enforcement varies by jurisdiction. WhatsApp provides strong content encryption but retains metadata at scale and is owned by Meta.
Encryption protects the content of a communication. It does not protect the metadata — who communicated with whom, at what time, for how long, and from what location. Metadata is retained by carriers, platforms, and network operators even when content is encrypted. For most purposes, strong content encryption is sufficient. For communications where the identity of the parties involved is itself sensitive — the existence of a relationship, the fact of a conversation — metadata is a meaningful exposure.
Signal is designed to minimise the metadata it collects. It cannot confirm who you communicate with, because it does not retain that information. This is an architectural choice with meaningful security implications for anyone whose counterparty relationships are themselves sensitive.
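The difference between the two models, and the metadata point above, can be seen by looking at what a relay is able to store in each case. The following is an added illustration, not part of the original protocol: the `Relay` class, the names and the message are constructed, the relay is a generic one that keeps routing records (not Signal), and the Diffie-Hellman parameters and XOR keystream are toy stand-ins for a real key agreement and cipher.

```python
# Added illustration: toy parameters, NOT production cryptography.
import hashlib
import secrets

P = 2**127 - 1   # toy Diffie-Hellman prime (far too small for real use)
G = 3

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream (stand-in for a real AEAD)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

class Relay:
    """Hypothetical service operator: stores whatever it is able to see."""
    def __init__(self):
        self.records = []

    def transit_only(self, sender, recipient, session_key, wire):
        # The encrypted session ends at the server, so the server holds the key.
        body = keystream_xor(session_key, wire)
        self.records.append({"from": sender, "to": recipient, "body": body})
        return body

    def end_to_end(self, sender, recipient, ciphertext):
        # The server only forwards; it never held the endpoints' key.
        self.records.append({"from": sender, "to": recipient, "body": ciphertext})
        return ciphertext

def demo():
    msg = b"wire transfer details (constructed sample)"
    relay = Relay()
    # Model 1: transit encryption between the sender and the server.
    session_key = secrets.token_bytes(32)
    relay.transit_only("alice", "bob", session_key, keystream_xor(session_key, msg))
    # Model 2: the endpoints agree a key; only public values cross the relay.
    # Simplification: real protocols also authenticate these public values.
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    k_alice = hashlib.sha256(str(pow(pub_b, a, P)).encode()).digest()
    k_bob = hashlib.sha256(str(pow(pub_a, b, P)).encode()).digest()
    delivered = relay.end_to_end("alice", "bob", keystream_xor(k_alice, msg))
    return msg, relay.records, keystream_xor(k_bob, delivered)

if __name__ == "__main__":
    for record in demo()[1]:
        print(record)
```

In both records the relay holds who wrote to whom; only in the first does it also hold the readable body.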
Disappearing messages serve a different purpose from encryption. Encryption prevents interception. Disappearing messages limit the duration of exposure after a message has been received. A device that is lost, stolen, or seized carries less risk if sensitive messages have expired. A conversation that no longer exists cannot be produced in discovery.
The timer should be set proportionate to the sensitivity of the conversation and the need for the other party to retain the content. For routine operational discussions, one week is a reasonable default. For particularly sensitive exchanges — financial matters, member-related discussions, anything where retention creates meaningful risk — one day or shorter is appropriate.