Overview
Activist communication faces unique threats: state surveillance, device seizure, network monitoring. This guide covers four secure messaging platforms—Signal, Briar, Session, and Cwtch—each designed for different threat models. No messaging app is perfect; this guide helps you choose based on your specific risks.
Threat Model Spectrum
Before choosing a tool, understand your risks:
Low Risk (Domestic journalist, researcher):
- Threat: Corporate data harvesting, IP tracking
- Requirement: Encryption in transit, no logging
- Tool: Signal (sufficient)
Medium Risk (Activist in semi-authoritarian country):
- Threat: Network-level surveillance, metadata collection
- Requirement: No phone number requirement, metadata hiding
- Tool: Signal or Session
High Risk (Dissident in authoritarian state):
- Threat: Device seizure, network interdiction, state-backed attacks
- Requirement: Encrypted storage at rest, offline capability, deniability
- Tool: Briar (offline mesh) or Cwtch (mixnet routing)
Extreme Risk (Journalist covering dangerous protests):
- Threat: Physical capture, torture, forced decryption
- Requirement: Hardware encryption, burner device, data destruction protocol
- Tool: Signal + Ricochet IM (decentralized) + hardware wallet setup
Signal
Signal is the most-used secure messenger. It’s backed by Signal Foundation (non-profit), uses Double Ratchet encryption, and has been audited multiple times.
How It Works:
- Download Signal app (iOS, Android, Desktop)
- Verify phone number (SMS or voice call)
- Contact list auto-loads (checks Signal users)
- Messages encrypted end-to-end (Double Ratchet protocol)
- All contacts see if you’re “online” (metadata leak)
Encryption Strength:
- Messaging: Signal Protocol (Double Ratchet, post-quantum resistant design concept)
- File sharing: AES-256-GCM
- Group messaging: Sender keys (per-group, not per-message)
- No forward secrecy in groups (historical messages can be decrypted if group key is compromised)
Metadata Leakage:
- Server sees: Your phone number, contact list hashes, IP address (can hide with VPN)
- Server doesn’t see: Message content, read receipts
- Device stores: All message history (unencrypted at rest unless device encryption enabled)
- Network observer sees: Timing (when you message), frequency, message size
Strengths:
- Easiest to use (just a phone number)
- Largest user base (easiest for organizing)
- Official client is well-audited
- Desktop app synchronized with phone (convenient)
- Group messaging (up to 1000 members)
- Voice/video calls (encrypted end-to-end)
- Open-source code (inspectable)
Weaknesses:
- Requires phone number (ties to identity)
- Server logs IP addresses (mitigated with VPN)
- Metadata visible to Signal servers (timing, frequency, group membership)
- All contacts see when you’re “active” (if not disabled)
- Android backup to Google Drive (breaks encryption)
- Doesn’t work offline
- Groups lack forward secrecy
Best For: Journalists, civil rights organizations, organized activism (not clandestine)
Phone Number Alternative: Use a Google Voice number (USA) or Twilio number (BYOD), but Signal may suspend accounts it suspects are burner numbers.
Briar
Briar is a decentralized peer-to-peer messenger. It works over Tor and offline (via Bluetooth/WiFi direct). No server required.
How It Works:
- Download Briar (Android only, unfortunately)
- Create username + password (no phone number needed)
- Share unique QR code to add contacts
- Messages encrypted and stored locally
- Transmit over Tor, Bluetooth, or WiFi mesh
- Works completely offline with local contacts
Encryption Strength:
- Per-message encryption (recipient-specific key)
- Stored encrypted on device (SQLCipher database)
- Tor transport encryption (triple-layer anonymity)
- Forward secrecy by default
Metadata Hiding:
- Tor onion routing hides IP
- Offline mode leaves no network trace
- No server knows your contacts or message frequency
- Bluetooth/WiFi direct is local-only (zero network exposure)
Strengths:
- No phone number (complete anonymity)
- No central server (no metadata collection point)
- Works offline via Bluetooth (doomsday scenario capable)
- Full message history encrypted at rest
- Open-source and peer-audited
- Group messaging (via private groups)
- Tor built-in (no VPN needed)
- Blog feature (decentralized publishing)
Weaknesses:
- Android only (no iOS or desktop)
- Smaller user base (harder to convince people to use)
- Slower than centralized apps (decentralized routing)
- Requires Tor to be running (extra step)
- If device is seized, password can be brute-forced (given enough time)
- Bluetooth range limited (~30 meters)
- WiFi mesh requires multiple Briar users nearby
Best For: Dissidents, journalists in authoritarian countries, high-risk activists, decentralization advocates
Device Seizure Scenario: If arrested with Briar:
- Use weak password (so “I forgot it” is plausible)
- Or have separate Briar account for public discussions (deniable)
- Or use biometric unlock that can’t be forced (in some jurisdictions)
Session
Session is a fork of Signal that removes the phone number requirement. It uses Tor-based onion routing (Session Open Group Server network) instead of a central server.
How It Works:
- Download Session (iOS, Android, Desktop)
- Create Session ID (cryptographic, no phone number)
- Download Tor (automatic, built-in)
- Contact others via Session ID (QR code or username)
- Messages routed through decentralized Loki network (Session’s backbone)
- Open groups (public, non-encrypted) or closed groups (encrypted)
Encryption Strength:
- One-to-one: Signal Protocol (via Loki network)
- Closed groups: Session group encryption (similar to Signal)
- Open groups: No encryption (public, like IRC)
- Message history: Encrypted on device (local SQLite)
Metadata Hiding:
- IP hidden by default (Tor routing through Loki)
- No phone number (Session ID is cryptographic)
- Timing/frequency visible on network (less than Signal)
- Loki network sees message size, not content
- Public open groups are visible to anyone
Strengths:
- No phone number requirement (complete anonymity)
- Tor-based routing (built-in, not optional)
- Decentralized (no single server)
- Fork of Signal (familiar UX)
- Works on iOS, Android, Desktop (mobile-first)
- Larger user base than Briar (easier adoption)
- Deniable groups (can claim you didn’t start a group)
Weaknesses:
- Loki network is centralized (Session Foundation runs nodes)
- Less audited than Signal (smaller security team)
- Metadata timing attacks possible (message size + timing)
- No offline mode (requires Tor connection)
- Closed groups don’t scale (group key management is complex)
- JavaScript desktop client (less secure than native)
- Session ID could theoretically be logged (if Loki node is malicious)
Best For: Privacy advocates, activists in high-surveillance regions, those avoiding phone number requirement, intermediate-risk scenarios
Loki Dependency Risk: If Session Foundation is compromised or forced to log metadata, Session users are at risk. This is a centralization weakness compared to Briar (fully decentralized).
Cwtch
Cwtch (Welsh for “hug”) is a decentralized messenger built on Tor. It uses mixnets (sender ambiguity) and onion routing for extreme privacy.
How It Works:
- Download Cwtch (currently beta, limited mobile support)
- Create profile (no identity needed)
- Connect to Tor (automatic)
- Add contacts via unique address (Cwtch identity)
- Send messages (routed through Tor + Ricochet-IM infrastructure)
- Complete anonymity (even server doesn’t know sender)
Encryption Strength:
- Per-message encryption (recipient-specific)
- Mixnet routing (sender anonymity, even to receiver)
- Stored encrypted (local database)
- Forward secrecy (new key per message)
Metadata Hiding:
- Tor + mixnet (no IP, no sender identity visible)
- Server never sees plaintext sender
- Message timing is obscured (batched)
- No contact list stored on server
- Even receiver can’t prove who sent message (deniability)
Strengths:
- Maximum anonymity (mixnet sender obscurity)
- No identity required (completely pseudonymous)
- No metadata visible to anyone (Tor + mixnet)
- Deniable messages (receiver can’t prove origin)
- Open-source and academic (published research)
- Works on Tor-only (no clearnet mode)
Weaknesses:
- Beta software (not production-ready)
- Extremely slow (mixnet delays messages 5–30 seconds)
- Very small user base (nearly unknown)
- Limited mobile support (desktop-first)
- Not suitable for real-time conversation
- Learning curve (requires Tor knowledge)
- No official funding (volunteer project)
- Group messaging not ready yet
Best For: Academics researching privacy, extreme-risk dissidents, theoretical privacy exercises, long-form asynchronous communication
Use Case: Whistleblowing (slow, anonymous, deniable messages), not organizing (requires real-time)
Comparison Table
| Feature | Signal | Briar | Session | Cwtch |
|---|---|---|---|---|
| No Phone Number | ✗ | ✓ | ✓ | ✓ |
| Offline Capable | ✗ | ✓ | ✗ | ✗ |
| Decentralized | ✗ | ✓ | Partial (Loki) | ✓ |
| Metadata Privacy | Low | Very High | High | Maximum |
| Ease of Use | Excellent | Good | Good | Poor |
| User Base Size | 10M+ | 100K+ | 500K+ | 10K |
| Platforms | iOS, Android, Desktop | Android only | iOS, Android, Desktop | Desktop (beta) |
| Audit Status | Multiple audits | Peer-reviewed | Limited | Academic |
| Group Messaging | ✓ | ✓ | ✓ | ✗ (beta) |
| Voice/Video | ✓ | ✓ | ✗ | ✗ |
| Setup Time | 2 min | 5 min | 5 min | 15 min |
| Cost | Free | Free | Free | Free |
Threat Model Decision Tree
Q: Do you need to use a phone number?
- NO → Briar, Session, Cwtch
- YES (e.g., within organization) → Signal
Q: Do you need offline capability?
- YES (anticipate network shutdown) → Briar
- NO → Signal, Session, Cwtch
Q: How important is user base size?
- CRITICAL (need others to use it) → Signal
- IMPORTANT (growing community) → Session
- SECONDARY → Briar, Cwtch
Q: What’s your device seizure risk?
- HIGH (likely to be arrested) → Briar (offline, local encryption)
- MEDIUM → Signal + biometric unlock
- LOW → Any tool
Q: Do you need anonymity even from receiver?
- YES → Cwtch
- NO → Briar, Session, Signal
Device Seizure Preparation
Before Arrest (Signal):
- Disable “Send Read Receipts” (Settings → Privacy)
- Disable location sharing
- Disable message previews on lock screen
- Enable biometric lock on Signal
- Disable backup to cloud (Settings → Chats → Backups)
- Pre-arrange with team: “If I’m arrested, delete our group chat” (if possible)
- Use trusted contacts only (mutual OG relationships)
Before Arrest (Briar):
- Use strong password (but memorizable)
- Create separate “public” account (for plausible deniability)
- Store contacts locally (don’t email them)
- Document Briar ID on paper (hidden location)
- Test Bluetooth mesh with trusted people
- Have offline conversation plan (Bluetooth as fallback)
Before Arrest (Session):
- Use strong Session ID password
- Turn OFF cloud backups
- Store Session ID on paper (hidden)
- Pre-arrange group key with trusted contacts
- Create deniable open group (claim you didn’t start it)
- Disable message notifications
During Arrest:
- Do NOT unlock phone voluntarily
- Do NOT provide passwords
- Request lawyer (your rights vary by country)
- Biometric unlock cannot be forced (in some jurisdictions)
- Know your local laws (some countries can compel passwords, others cannot)
Post-Arrest (if released):
- Do NOT use old phone (device trust compromised)
- Do NOT reuse passwords
- Assume contacts are burned (law enforcement knows them)
- Contact trusted people via new number/device
Real-World Scenarios
Journalist Covering Protests:
- Primary: Signal (easy, wide user base)
- Backup: Briar (for offline scenarios, offline mesh with photojournalist)
- Threat model: Police surveillance, device seizure
- Setup: Signal on burner phone, biometric lock, no cloud backup
Human Rights Documenter (Authoritarian Country):
- Primary: Briar (offline, no phone number, Tor)
- Secondary: Session (if Briar users unavailable)
- Threat model: State surveillance, network shutdown, forced unlocking
- Setup: Briar with strong password, separate Briar account for decoys, Bluetooth mesh with trusted network
Whistleblower Communicating with Journalist:
- Primary: Cwtch (extreme anonymity, deniability)
- Secondary: Signal (faster, journalist already uses)
- Threat model: Forensic phone analysis, message sender attribution
- Setup: Cwtch for documents, Signal for real-time coordination
Labor Organizer (Democratic Country):
- Primary: Signal (large group chat, video calls)
- Security: Encrypted backups, biometric lock, no cloud sync
- Threat model: Employer surveillance, police metadata collection
- Setup: Organization-wide Signal, clear communication about what’s and isn’t encrypted
Operational Security (OPSEC) Tips
-
Don’t mix identities. Don’t use Signal with your real phone number + Briar anonymously on same device. Use separate devices or virtualized profiles.
-
Assume group chats are compromise points. If one member is infiltrated, assume all messages are read. Share only what’s necessary.
-
Use code words. Instead of “protest at main square,” use “Tuesday meeting at usual place.” Understand that message timing is visible (even if content is encrypted).
-
Verify contacts in person. For high-risk organizing, verify Session/Briar IDs face-to-face. QR codes can be spoofed.
-
Delete often. Set message auto-delete (if available). Manual deletion is not secure against forensics.
-
Use disappearing messages. Signal supports disappearing messages (24 hours default). Turn it ON for sensitive groups.
-
Assume network-level surveillance. Even with encrypted messaging, law enforcement can see: who talks to whom, when, frequency, message size. Use randomized patterns (don’t always message at 9 AM).
-
Have offline plans. If Signal fails, how do you communicate? Pre-arrange dead drop locations, Briar mesh fallback, burner phone protocols.
Backup and Recovery
Signal:
- DON’T backup to Google Drive (breaks encryption)
- Manual backup to encrypted external drive only
- Screenshots are unencrypted in phone storage (be careful)
Briar:
- Automatic encrypted backup to device storage
- Export contacts as encrypted backup file
- Password is your only recovery method (no “forgot password” recovery)
Session:
- Export Session ID recovery code (save offline, not cloud)
- Seed phrase written down (not in phone storage)
- No cloud backup (intentional for privacy)
Cwtch:
- Export identity file (encrypted)
- Paper backup of identity code (not recommended; too complex)
- No recovery if lost (very strong forward secrecy)
Integration with Other Tools
Signal + Dead Drops:
- Use Signal for real-time coordination
- Use dead drops (physical locations) for documents
- Reduces risk of full communication compromise
Briar + Tor Browser:
- Use Briar for messaging
- Use Tor Browser for web research
- No single point of failure
Session + ProtonMail:
- Use Session for ephemeral coordination
- Use ProtonMail for formal communications (retention requirement)
- Separate tools for different threat levels
When NOT to Use These Tools
Don’t use any encrypted messenger if:
- You’re being actively monitored by military-grade adversaries (assume compromise)
- You’re in a jurisdiction with mandatory decryption laws and you can’t refuse (e.g., UK)
- Your threat model is rubber-hose cryptography (torture to reveal password)
In those cases:
- Use in-person communication only
- Verbal agreements (no records)
- Short dead drop windows (minimize forensic evidence)
- Legal counsel advising all communication
Bottom Line
For general activism/organizing: Signal. Easiest to use, largest user base, sufficient security for most scenarios.
For high-risk/offline scenarios: Briar. No phone number, offline mesh capability, maximum decentralization.
For privacy advocates avoiding phone numbers: Session. Good balance of privacy, ease-of-use, and user base.
For extreme anonymity/whistleblowing: Cwtch. Theoretical maximum privacy, but slow and not production-ready.
No messaging app protects you from physical torture, legal pressure, or state-backed surveillance. Use encrypted messaging as one tool in a broader OPSEC strategy. Combine with dead drops, offline planning, legal support, and—most importantly—community networks you trust.
Verify Signal Setup via CLI
# Signal CLI (signal-cli) — send messages programmatically or verify setup
# Install: https://github.com/AsamK/signal-cli
# Register a number (requires SMS verification)
signal-cli -u +1234567890 register
signal-cli -u +1234567890 verify 123456
# Send a test message to verify end-to-end delivery
signal-cli -u +1234567890 send -m "Test secure message" +0987654321
# Check safety numbers (verify contact identity)
signal-cli -u +1234567890 listIdentities
# For maximum operational security: run Signal on a dedicated device
# with no other apps, a burner number, and Wi-Fi only (no SIM)
Related Reading
- Signal vs Session vs SimpleX
- Turkey Secure Communication Guide For Activists And Ngos Ope
- Matrix Vs Signal Decentralized Messaging
- Threema Vs Signal Vs Wickr Enterprise Encrypted Messaging Co
- Secure Audio Messaging Apps That Encrypt Voice Messages End
Built by theluckystrike — More at zovo.one