The Signal Story · Signal vs Matrix

Signal fixed WhatsApp.
Matrix fixed Signal.

Signal promises: "Neither we nor anyone else can read your messages." That is true — and it matters. But "neither we" still means Signal is in the chain. The next step is removing the chain entirely: you host your data, in your jurisdiction, on your terms. That is what Matrix delivers.

  • Signal: US 501(c)(3) — one order reaches all 40M+ users simultaneously
  • Signal: Cannot satisfy GDPR or PDPL data residency requirements
  • AMVLET · Matrix: Sovereign. Self-hosted. No US jurisdiction.

The Signal context
CLOUD Act: Signal Foundation is a US 501(c)(3) — a single government order compels disclosure for every user on earth simultaneously
Data residency: Signal's US infrastructure means personal data cannot remain within EU or KSA borders — GDPR Art. 44–49 and Saudi PDPL Art. 29 cannot be satisfied
SignalGate 2025: Modified Signal clone (TeleMessage) used by US officials hacked in under 20 minutes — Signal clones cannot inherit Signal's security guarantees
Signal says: "We can never be acquired." True — but that says nothing about compelled disclosure, metadata exposure, or the fact that your data flows through US servers you do not control. You can only own your data if you host it in your jurisdiction.

$850M
In unvested Facebook stock Brian Acton voluntarily walked away from to co-found Signal — the most expensive privacy statement in technology history

3
Pieces of data Signal can produce under a government subpoena: your phone number, account creation date, and last connection date. Nothing else. No messages, no contacts, no groups.

1
Single point of compulsion: a US government order to Signal Foundation affects every user on earth simultaneously. Unlike Matrix — where each organisation controls its own server.

115M+
Matrix accounts across thousands of independent homeservers worldwide — each one sovereign, each one beyond any single government's reach, all speaking the same open standard

The origin

The story most people have never heard

WhatsApp was not built to make money. It was built by a man who grew up under Soviet surveillance — and never forgot what it felt like.

Jan Koum was born in 1976 in a village outside Kyiv, in Soviet Ukraine. His childhood apartment had no hot water. Electricity was unreliable. His parents spoke carefully on the phone — they knew the government was listening. State surveillance was not an abstraction. It was the shape of daily life.

At 16, Koum emigrated to the United States. His family lived on food stamps. He taught himself computer networking from manuals bought at secondhand shops. He eventually joined Yahoo, where he met Brian Acton — a Stanford graduate with a different background, but the same conviction that technology should serve people, not harvest them.

In 2009, both applied for jobs at Facebook and were rejected. That same year, they co-founded WhatsApp. The founding principle was non-negotiable: no ads, no data collection, no surveillance. For Koum, this was personal — he had lived under a system that monitored its citizens. He built WhatsApp to be structurally opposite to that.

The betrayal

The $19 billion promise that was broken

In February 2014, Facebook acquired WhatsApp for $19 billion — the largest acquisition of a venture-backed company in history. Mark Zuckerberg made explicit public promises: no ads, no data mining, full independence for WhatsApp. Both founders stayed on.

Almost immediately, pressure began. Facebook wanted to monetise WhatsApp through targeted advertising, sell user behaviour analytics to businesses, share WhatsApp phone numbers with Facebook's social graph, and weaken encryption to allow content scanning. Koum — the man who grew up watching a government surveil its citizens — was now being asked to build that same surveillance infrastructure himself, for a corporation instead of a state.

"I sold my users' privacy to a larger benefit. I made a choice and a compromise. And I live with that every day."

Brian Acton — WhatsApp co-founder, Forbes interview, September 2018

Brian Acton left Facebook in September 2017, voluntarily forfeiting $850 million in unvested stock options — money he had legally earned but chose to walk away from, months before it vested, rather than stay through the changes he had helped set in motion. Jan Koum left in April 2018 after Facebook formally changed WhatsApp's privacy policy to allow data sharing for advertising.

In 2021, WhatsApp updated its terms to require users to consent to Facebook data integration or lose access. Millions migrated to Signal in a matter of days — so many that Signal's servers temporarily collapsed under the load. By 2025, ads appeared on WhatsApp. Every promise made at acquisition had been broken.

The parallel story

Meanwhile: the man who invented the encryption

While Koum and Acton were building WhatsApp, a cryptographer named Moxie Marlinspike was quietly building something more fundamental. In 2013, Marlinspike and Trevor Perrin developed the Double Ratchet Algorithm at Open Whisper Systems — a cryptographic protocol so elegant, so secure, and so mathematically sound that it became the global standard for private messaging.

In November 2014 — after the Facebook acquisition, not before — Open Whisper Systems partnered with WhatsApp to integrate the Signal Protocol into WhatsApp's encryption. By April 2016, end-to-end encryption using the Signal Protocol protected every form of communication on WhatsApp. Facebook had inadvertently funded the world's most trusted encryption being embedded into its product — a protocol it neither owned nor controlled.

The founding

Signal: the non-profit that cannot be sold

In February 2018, Brian Acton and Moxie Marlinspike co-founded the Signal Technology Foundation — a 501(c)(3) non-profit. Acton invested $50 million of his own money (growing to $105 million by year's end). One month later, he publicly tweeted #DeleteFacebook.

The non-profit structure was deliberate and irreversible. Signal cannot be acquired. It has no shareholders. It has no advertising model. It cannot be sold to Facebook — or anyone. The Signal Foundation is Brian Acton's structural answer to what he believes he did wrong the first time: he created a legal entity that is incapable of repeating his mistake.

Signal's mission: "protect free expression and enable secure global communication through open source privacy technology." For individual users, Signal remains one of the most trustworthy communication tools ever built. But it was designed for people — not for governments, organisations, or sovereign deployments. And that distinction matters.

"Neither we nor anyone else can read your messages or listen to your calls."

Signal — signal.org — official homepage

This is Signal's strongest claim — and it is accurate for message content. But "neither we" still means Signal exists as a US entity in the chain. Signal holds metadata. Signal's infrastructure is the only option — you cannot self-host it. A government order can reach Signal Foundation. A network block in Iran, Russia, or China cuts off every Signal user in that country simultaneously. The claim is true. The architecture is still centralised. And centralisation is the problem that Signal itself cannot solve.

The future of private communication is not a better centralised service — it is sovereign infrastructure. You can only truly own your data if you host it in your jurisdiction. When your organisation runs its own Matrix homeserver, there is no "we". There is no Signal Foundation to subpoena. There is no US company in the path. There is no single server to block. That is not a marginal improvement on Signal's model — it is a structural leap beyond it.

The evolution

The timeline: from surveillance to sovereignty

2009
WhatsApp founded by Jan Koum and Brian Acton
Privacy-first, no ads, no data collection. Rejected by Facebook for jobs the same year, they build the alternative. Koum's Soviet childhood shapes everything.

2013
Moxie Marlinspike creates the Double Ratchet / Signal Protocol
Open Whisper Systems develops the most mathematically rigorous E2EE algorithm ever deployed at consumer scale. The protocol that will define a generation of messaging.

February 2014
Facebook acquires WhatsApp for $19 billion — "no ads, no gimmicks"
Zuckerberg's public promise: WhatsApp stays independent, no advertising. Both founders stay on. The pressure to monetise begins almost immediately.

November 2014
Signal Protocol integrated into WhatsApp — after the acquisition
Open Whisper Systems partners with WhatsApp. By April 2016, the Signal Protocol protects all WhatsApp communications. Facebook now owns WhatsApp but not the encryption.

2015
Matrix team builds Olm — the Signal Protocol, decentralised
The Matrix project implements the same Double Ratchet algorithm as an Apache-licensed open standard, adapting it for federated, multi-server architecture. The foundation for sovereign communication is laid.

September 2017
Brian Acton leaves Facebook — forfeiting $850 million
Rather than vest his remaining stock, Acton walks away. The dispute: Facebook wants ads, data mining, weakened encryption. Acton refuses. He spends the next year building the alternative.

February 2018
Signal Foundation co-founded — $50M from Acton, Marlinspike as co-founder
A 501(c)(3) non-profit that structurally cannot be sold or monetised. The atonement made permanent in law. One month later: #DeleteFacebook.

2021
WhatsApp breaks its final promise — millions flee to Signal
New terms require data sharing with Facebook. Signal's servers crash under the migration wave. The market verdict on Zuckerberg's broken promises.

2025
SignalGate: TeleMessage clone exposes US officials' messages
Trump administration officials use a modified Signal clone (TeleMessage) for national security discussions. The clone is hacked in 20 minutes, exposing plaintext messages. Signal clones cannot inherit Signal's security guarantees.

Today
Matrix: what Signal built — without the last point of control
Matrix takes Signal's encryption (same algorithm, open standard), removes US jurisdiction, removes centralisation, enables self-hosting, and bridges to Signal — so Matrix users can reach Signal users without Signal installed. The evolution is complete.

Feature comparison

Signal vs AMVLET · Matrix — the same values, different architecture

Signal is exceptional for individuals. AMVLET on Matrix is what governments, enterprises, and sovereign deployments need — the same encryption algorithm, your jurisdiction, your infrastructure.

Encryption

| Capability | Signal (Free · Non-Profit) | AMVLET · Matrix (Sovereign) |
|---|---|---|
| End-to-end encryption | Double Ratchet | Olm (same algorithm) |
| Group E2EE | Sender Keys | Megolm |
| Cryptographic key ownership | Your devices | Your devices + server |
| Forward secrecy | | |

Architecture & Sovereignty

| Capability | Signal (Free · Non-Profit) | AMVLET · Matrix (Sovereign) |
|---|---|---|
| Self-hostable | Signal servers only | Your own infrastructure |
| Federated / decentralised | Centralised | Fully federated |
| Data residency control | US infrastructure only | Your jurisdiction |
| Air-gapped deployment | | |
| Single point of failure / compulsion | YES — Signal Foundation (US) | No — each org owns its server |

Compliance & Jurisdiction

| Capability | Signal (Free · Non-Profit) | AMVLET · Matrix (Sovereign) |
|---|---|---|
| CLOUD Act exposure | YES — US 501(c)(3) | NO |
| GDPR data residency (Art. 44–49) | Cannot satisfy | Satisfied by architecture |
| Saudi PDPL Art. 29 compliance | Cannot satisfy | KSA-resident deployment available |
| Government subpoena producible data | Phone number, account date, last seen | Not applicable — no central authority |
| Gag order risk (§ 2705(b)) | YES | Not applicable |

Communication Features

| Capability | Signal (Free · Non-Profit) | AMVLET · Matrix (Sovereign) |
|---|---|---|
| 1:1 messaging | | |
| Group messaging | | |
| Voice & video calls | | |
| File & media sharing | | |
| Phone number required for registration | YES — de facto government ID | No — username-based |
| Disappearing messages | | |

Bridge & Interoperability

| Capability | Signal (Free · Non-Profit) | AMVLET · Matrix (Sovereign) |
|---|---|---|
| Reach Signal users from Matrix | | via mautrix-signal bridge |
| Signal app required for Matrix bridge | | No — bridge handles it |
| Open standard protocol | Open source, centralised | Matrix — open & federated |
| Vendor lock-in | Signal platform only | None — open standard |
| NIS2 supply-chain compliance | Cannot satisfy | Full documentation |

Where Signal ends

Signal is exceptional. But not for governments and sovereign deployments.

Signal was designed for people, not for states. Its architecture is honest about this. These are not flaws in Signal's design — they are the boundary of what Signal was built to solve. For sovereign, institutional, or government use, they are structural blockers.

Jurisdiction

US 501(c)(3) — CLOUD Act applies regardless of non-profit status

Signal Technology Foundation is a US non-profit incorporated under California law. The CLOUD Act (18 U.S.C. § 2713) applies to all US-based entities regardless of non-profit status. Signal cannot be compelled to produce message content it does not have — but it can be compelled to produce the metadata it does hold, and it can be served with orders that affect its infrastructure and all 40M+ users simultaneously. A single US government action against Signal Foundation reaches every user on earth. There is no sovereign alternative homeserver to fall back on.

CLOUD Act § 2713 · US jurisdiction follows provider nationality — non-profit status provides no exemption
Identity

Phone number as registration requirement — a structural identity exposure

Signal requires a phone number for registration. In most countries, phone numbers are issued by state-regulated carriers linked to verified identity documents — passports, national IDs. Even though Signal does not link your number publicly, it knows your number. And a subpoena produces it. For intelligence operatives, diplomats, journalists in authoritarian states, or anyone whose phone number is a de facto identity document, Signal's registration requirement is a structural exposure that cannot be engineered away by Signal's architecture.

CLOUD Act § 2713 + subpoena · Phone number, account creation date, last connection date are producible on legal demand
Metadata

Metadata is "enormously powerful information" — and Signal holds some

Signal cannot produce message content. But the CLOUD Act and broader surveillance law make metadata — who communicated with whom, when, from where — legally compellable and operationally decisive. Knowing that a government official's phone number connected to Signal's servers at a specific time, correlating that with location data from a carrier, inferring communication patterns from connection timestamps: these are intelligence techniques that metadata enables. Signal is transparent about this limitation — it publishes every government request it receives. But it cannot eliminate what it structurally holds.

18 U.S.C. § 2703 + CLOUD Act · Metadata capture does not require message content — timing and connection data is legally accessible
Data residency

Cannot comply with GDPR or Saudi PDPL data residency requirements

GDPR (and many national data protection frameworks) require that personal data of EU residents is processed within the EU or under adequate protection mechanisms. Signal's infrastructure is US-based. Personal data — including phone numbers — flows through US servers. There is no Signal deployment option that keeps data within the EU, within Switzerland, or within the Kingdom of Saudi Arabia. Saudi PDPL Article 29 requires NDMO authorisation for cross-border data transfers — and there is no mechanism for Signal to comply with this for Saudi users. Signal cannot be self-hosted within a country's borders. This is not a flaw in Signal's design — it was never designed for national data residency compliance.

GDPR Art. 44–49 + Saudi PDPL Art. 29 · Cross-border transfer of phone numbers to US servers — no national deployment option
Single point of failure

One Signal Foundation. One point of compulsion for the entire network.

Signal is architecturally centralised. All users globally rely on Signal's servers at any given time. A sufficiently aggressive legal order against Signal Foundation — or a technical failure, a state-level network block, or a policy change — affects every Signal user simultaneously. There is no federated fallback, no alternative homeserver, no sovereign relay. Iran, Russia, China, and other states have blocked Signal precisely because its centralisation makes it vulnerable to national-level censorship. An organisation that depends on Signal for critical communication has no alternative path if Signal becomes unavailable.

Centralisation risk · One server network, one jurisdiction, one point of failure for all 40M+ users
SignalGate 2025

Modified Signal clones can — and did — expose everything

In 2025, US national security officials including Cabinet secretaries and intelligence directors used TeleMessage — an Israeli commercial clone of Signal — for sensitive national security communications. The clone was hacked in under 20 minutes. Plaintext messages were exposed. The incident proved a critical risk: Signal's security architecture protects the authentic app, but it cannot protect modified versions. Governments and organisations under pressure to use "something like Signal" may be handed a clone — and Signal's security guarantees do not transfer. Only the authentic, unmodified application, on verified infrastructure, is Signal.

TeleMessage breach, May 2025 · Modified Signal clone used by Trump officials hacked — plaintext messages exposed in under 20 minutes
The evolution

Matrix: what Signal built — decentralised, sovereign, and bridged back

In 2015, the Matrix team built Olm — an Apache-licensed implementation of the same Double Ratchet algorithm that Moxie Marlinspike had created for Signal. The same cryptographic security. The same mathematical rigour. But adapted for a fundamentally different architecture: federated, multi-server, self-hosted, with no single organisation in control of the network.

Matrix did not replace Signal. It extended Signal's mission to the institutional world Signal was never designed for. And then it did something remarkable: it built a bridge — mautrix-signal — that lets Matrix users send and receive messages with Signal contacts directly, without either party needing to change their app. Signal users stay on Signal. Matrix users stay on Matrix. The bridge handles the translation on your own sovereign infrastructure.

AMVLET is built on Element Server Suite (ESS Pro), the enterprise-grade implementation of the Matrix standard. For governments, financial institutions, and sovereign deployments subject to GDPR, PDPL, or national data residency requirements, Matrix is the only architecturally sound path: the same encryption Signal's founders created, deployed on your jurisdiction, your infrastructure, with no US company in the data path.

Same encryption algorithm as Signal — Olm / Double Ratchet
Matrix's Olm library implements the same Double Ratchet algorithm that Moxie Marlinspike built. The cryptographic security model is identical. The difference is architecture: Matrix deploys that encryption on your server, in your jurisdiction, without Signal Foundation in the path.
Self-hosted — no US company in the data path at any layer
Matrix servers deploy in your own data centre, a sovereign EU cloud, or a KSA-resident facility. No Signal Foundation, no US infrastructure at any point in the architecture. CLOUD Act compelled disclosure is not mitigated — it is structurally impossible because no US company controls the data.
GDPR and PDPL compliance by architecture
When no US company is in the data path, the GDPR Article 44–49 conflict and the Saudi PDPL Article 29 conflict cease to exist. Data stays in the jurisdiction where it is governed. Compliance is an architectural fact — not a contractual assurance from a US non-profit that remains subject to US law.
mautrix-signal bridge — reach Signal contacts without Signal installed
The open-source mautrix-signal bridge runs on your sovereign Matrix homeserver. It translates Signal ↔ Matrix protocol, supporting DMs, groups, media, reactions, and read receipts. Signal users stay on Signal. Matrix users stay on Matrix. Neither party needs to change their app. The bridge runs entirely within your infrastructure.
Federated — no single point of compulsion or failure
Matrix's federated architecture means each organisation runs its own homeserver. There is no central Signal Foundation to compel. No single server block shuts down the network. Each organisation is sovereign: your data, your encryption keys, your jurisdiction, permanently.
The platform choice

What you accept when you use Signal vs what you control with Matrix

Signal — what you accept

Signal is honest. US law is the one constraint it cannot remove.

  • US jurisdiction follows Signal Foundation regardless of data centre location — CLOUD Act (18 U.S.C. § 2713) applies to every US company, non-profit or not
  • Phone number required for registration — a de facto government-linked identity document in most countries, producible under subpoena
  • Metadata (connection timing, account dates) is legally compellable even when message content is not — and Signal holds it
  • GDPR Art. 44–49 and Saudi PDPL Art. 29 data residency requirements cannot be satisfied — Signal's US infrastructure is the only option
  • Single point of compulsion: one legal order against Signal Foundation affects all 40M+ users simultaneously — no sovereign fallback exists
  • Modified Signal clones (TeleMessage) cannot inherit Signal's security guarantees — governments under pressure to use "Signal-like" tools are exposed
VS
AMVLET · Matrix — what you control

No "we". Your server. Your jurisdiction. You own the data because you host it.

  • You host the server — in your jurisdiction. When there is no third party, "neither we nor anyone else" becomes literally true. There is no "we" to compel, subpoena, or block.
  • No US company in the data path at any layer — CLOUD Act applicability is structurally eliminated, not contractually managed or hoped away
  • GDPR and PDPL compliance by architecture: data stays in the jurisdiction where it is governed because it never leaves your infrastructure
  • No phone number required — username-based identity, no carrier-linked government document in the registration flow
  • Federated: each organisation controls its own homeserver — no single server to block, no single authority to compel, no single point of failure
  • mautrix-signal bridge: reach Signal contacts directly from your sovereign server — without either party changing their app
Common questions

Signal, Matrix, and sovereign deployment: what organisations ask

Does Signal's non-profit status protect it from the CLOUD Act?
No. The CLOUD Act (18 U.S.C. § 2713) applies to all US-based entities — corporations and non-profits alike. The legal basis for compelled disclosure is the provider's nationality and US jurisdiction, not its corporate structure. Signal Technology Foundation is incorporated under California law and headquartered in the United States. A CLOUD Act order can compel Signal to produce the data it holds (phone numbers, account creation dates, last connection dates) and can also be used to compel disclosure of infrastructure-level information or to impose technical requirements. Signal's non-profit mission does not alter this legal reality. Signal's own Transparency Report confirms it receives government data requests and complies with those it is legally required to comply with.
Can Matrix users actually communicate with Signal users? Do they need the Signal app?
Yes — and no, they do not need Signal installed. This is one of the most important things to understand about the Matrix ecosystem. The mautrix-signal bridge is an open-source bridge (AGPL-licensed) that runs on your sovereign Matrix homeserver. It translates between the Signal protocol and the Matrix protocol, enabling Matrix users to send and receive messages with Signal contacts — including direct messages, group chats, media, reactions, and read receipts. The bridge runs entirely within your own infrastructure. Signal users stay on Signal. Matrix users stay on Matrix. The bridge handles the translation on your server, not on Signal's servers. Neither party needs to change their application. This is how Matrix completes what Signal started: the encryption is the same algorithm, the bridge preserves interoperability, and sovereignty is maintained at every layer.
Why did the Matrix Foundation build on the Signal Protocol? What is the relationship?
The Matrix project built Olm in 2015 — an Apache-licensed implementation of the same Double Ratchet algorithm that Moxie Marlinspike and Trevor Perrin created at Open Whisper Systems in 2013. The Matrix Foundation did not fork or copy Signal's code — Olm is an independent implementation of the same publicly documented cryptographic algorithm. The reason is straightforward: the Double Ratchet is the most mathematically rigorous end-to-end encryption algorithm ever deployed at consumer scale. For Matrix to offer equivalent security to Signal, it needed to implement the same underlying cryptography. The difference is architecture: Signal implements the Double Ratchet on a centralised, US-jurisdiction server. Matrix implements it on a federated, self-hosted, open standard where each organisation controls its own server. Signal and Matrix are not competitors — they are successive answers to the same question: how do you give people private communication? Signal answered for individuals. Matrix answered for institutions and sovereign deployments.
Why did Brian Acton walk away from $850 million?
Brian Acton left Facebook in September 2017, months before his unvested stock options would have fully vested — forfeiting approximately $850 million by leaving early. The dispute was fundamental: Facebook wanted to monetise WhatsApp through advertising, use WhatsApp phone numbers to enrich Facebook's social graph, mine user behaviour data for targeting, and weaken encryption to allow content scanning. Acton had co-founded WhatsApp on an explicit anti-surveillance, anti-advertising principle. Jan Koum, who had grown up under Soviet state surveillance, built WhatsApp to be structurally opposite to a surveillance system. The changes Facebook wanted were, for Acton and Koum, a betrayal of the founding principle. Acton later said in a Forbes interview: "I sold my users' privacy to a larger benefit. I made a choice and a compromise. And I live with that every day." In February 2018, he co-founded Signal with Moxie Marlinspike and invested $50 million of his own money into the Signal Foundation — building the legal structure that would make his mistake impossible to repeat.
Is Signal's encryption actually the same as Matrix? Which is more secure?
The underlying cryptographic algorithm is the same: both Signal and Matrix (via Olm) implement the Double Ratchet Algorithm created by Moxie Marlinspike and Trevor Perrin. The mathematical security properties are identical — forward secrecy, break-in recovery, and post-compromise security. Neither is "more secure" at the cryptographic layer. The security difference is architectural. Signal's encryption is excellent. But the CLOUD Act can compel Signal Foundation to produce what it holds (metadata) and can serve orders affecting its infrastructure — reaching every user simultaneously. With Matrix self-hosted on your own infrastructure, there is no US company to compel, no central server holding your metadata, and no single point at which a legal order affects your entire network. The security advantage of Matrix for sovereign deployments is not in the cryptographic algorithm — it is in the elimination of the third party.

You can only own your data if you host it in your jurisdiction.

Signal says "neither we nor anyone else" — and means it for message content. The next step is removing the "we" entirely. Self-hosted. Sovereign cloud. Your jurisdiction. That is AMVLET on Matrix: the same encryption Signal's founders built, deployed on infrastructure no government can reach through a US company.
