Signal vs Session vs Briar: Which Messenger Can't Be Traced

Most people know to use Signal. But Signal isn’t the right tool for every situation, and two alternatives — Session and Briar — solve problems Signal wasn’t designed to solve.

The short version: Signal is the right choice for almost everyone. Session removes the phone number requirement. Briar removes the server entirely. Which one you need depends on who you’re protecting yourself from.

Signal

Signal is end-to-end encrypted by default for all messages and calls. The cryptographic protocol it uses (the Signal Protocol) is open source, has been audited repeatedly, and is now the foundation for encrypted messaging in WhatsApp, Facebook Messenger’s secret conversations, and Google Messages. If you’re using any of those apps’ secure modes, you’re using Signal’s math.

What makes Signal private:

The messages themselves are encrypted. Signal cannot read them. Law enforcement agencies that have served Signal legal demands have received nothing useful — Signal’s architecture means they have nothing to hand over except account creation date and last connection time.

What Signal requires:

A phone number to register. That’s the main limitation. Your contacts see a phone number associated with your account (though you can now set a username and hide your number from most contacts). Signal knows your phone number and what time you registered. They don’t know who you talk to or what you say, but the phone number creates a link to your real identity.

When Signal is the right choice:

For the overwhelming majority of people with legitimate privacy concerns — journalists communicating with sources who know each other, activists coordinating in democracies, anyone who wants their messages kept from corporate surveillance and casual interception — Signal is the right tool. It’s well-maintained, fast, has a good interface, and works for calls and group chats.

Session

Session is a fork of Signal that removed the phone number requirement entirely. You register with a randomly generated Session ID. No email. No phone. No account at all in the traditional sense.

What Session adds over Signal:

No phone number means no link to your real identity at registration. You can give someone your Session ID without revealing anything about yourself. This is the main differentiator.

Session also decentralizes message storage. Unlike Signal, which routes messages through Signal’s servers, Session uses a network of community-run nodes (it’s built on a network called Lokinet). The idea is that there’s no central server to compel or compromise.

The tradeoffs:

Session’s cryptography was originally based on the Signal Protocol but has diverged significantly. The Session team has made architectural decisions — like removing perfect forward secrecy in some configurations to support offline message delivery — that security researchers have noted. The project is less audited than Signal and has a smaller security community scrutinizing it.

Session is also slower to receive messages in some configurations because of the decentralized routing.

When Session is the right choice:

When the phone number requirement is genuinely a problem. If you need to communicate anonymously with someone who doesn’t know your phone number and you can’t safely get a SIM anonymously (in many jurisdictions you can’t), Session solves a real problem Signal doesn’t.

Briar

Briar is different in kind from both Signal and Session. It doesn’t route messages through servers at all.

Briar syncs messages peer-to-peer: over Bluetooth, local Wi-Fi, or Tor. There’s no central infrastructure. If you and someone else are on the same Wi-Fi network, messages sync directly between your devices over an encrypted channel. If you’re not on the same network, messages route through the Tor network.

What Briar enables:

Communication in situations where the internet itself is monitored or unavailable. Briar was explicitly designed for activists in high-surveillance environments, journalists operating under repressive governments, and situations where network infrastructure is unreliable or hostile.

Because there are no servers, there’s nothing for an adversary to compel. There are no metadata records anywhere. Every message goes directly from sender to recipient without touching any third-party infrastructure.

The tradeoffs:

Briar only works on Android (iOS support has been in development for years). Both parties need to be active and connected for synchronous communication. The Tor routing option is slower than any server-mediated approach. The interface is basic compared to Signal or Session.

Briar is not designed for comfortable daily messaging. It’s designed for high-stakes situations where the alternative is a compromised communication channel.

When Briar is the right choice:

When you’re in or anticipating a situation where network infrastructure is controlled by a hostile actor — a protest environment where authorities are monitoring cell traffic, a country with deep packet inspection on messaging apps, a situation where you need to communicate without creating server-side records of any kind.

The Decision Framework

Use Signal if you want strong encryption and the phone number isn’t a problem. This covers most people.

Use Session if you need to communicate without revealing a phone number. The privacy tradeoffs compared to Signal are real but manageable for most threat models that care about identity separation rather than state-level adversaries.

Use Briar if you’re in a situation where internet infrastructure itself is the threat vector, or if you need communication that leaves zero server-side trace. Accept the limitations.

Use multiple if your threat model requires it. Signal for daily use, Session or Briar for specific high-stakes situations. These tools aren’t mutually exclusive.

The common thread across all three: they’re meaningless if you log in to accounts associated with your real identity, if your device is compromised by malware, or if you tell the wrong person what you said. The tools protect the channel. They don’t protect against bad operational security.