The Encryption Map: Why Signal Beat WhatsApp, and What That Means for the Rest of Us

On 14 June 2026, a panel that included Stratechery's Ben Thompson sat down on the daily tech-business show TBPN and walked through one of the most consequential architectural decisions in modern software: how a chat app handles the message after a user hits send. The starting point was a journalist accidentally added to a senior US official's Signal group chat — and the Pentagon's quiet instruction that government devices use Microsoft Teams for text because Teams is not end-to-end encrypted. The conversation quickly moved past the embarrassment and into something more durable: a structural map of which platforms hide what, from whom, and at what cost.

The reason this matters now is not the leak itself. It is that the three apps most people use to send a private message — iMessage, Signal, WhatsApp — have made three different bets about what "private" means, and those bets have very different consequences for governments, advertisers, and anyone trying to build a social graph out of who talks to whom.

The three architectures, in plain language

iMessage, Apple, closed. When an iMessage user texts another iMessage user, the message is encrypted on-device and decrypted on-device; no Apple server can read the content in transit. The protocol is the most secure of the three by that measure. The cost is scalability: iMessage group chats top out at 32 participants. Beyond that number, the architecture breaks down, and Apple falls back to SMS, which is plain text. The design that maximises confidentiality also caps the size of the conversation a user can have.

Signal, non-profit, open. Signal is built on an open protocol and an open-source client. There is no proprietary server component that a third party has to trust to keep messages private. Because the protocol is open, anyone can implement it — including, famously, the underlying encryption that WhatsApp adopted years ago. Signal's trade-off is reach: it works because trust flows through the code itself rather than through a vendor's brand.

WhatsApp, Meta, server-side fan-out. WhatsApp uses the same Signal Protocol for message content. The encryption of what you say is not the question. The question is what the server sees around the message: who is in the group, when the group was created, who invited whom, when each member joined, how often they message, who has been added and removed. Meta sees all of that. It cannot read the words, but it does not need to. A social graph is a complete map of relationships, and Meta already has the most comprehensive one ever assembled.

The distinction is the point. Encryption protects content. It does not, on its own, hide metadata. And metadata — who talks to whom, how often, in what pattern — is what an advertiser, a security service, or a hostile actor actually needs to build a picture of a network.

What the Pentagon is actually saying

The DoD directive that came up in the Atlantic/Signal incident, as read out on TBPN from Thompson's Stratechery analysis, does not direct officials to Signal. It directs them to Microsoft Teams. The reason, Thompson argued, is not security. It is record retention. Teams is not end-to-end encrypted, which means the chat exists on Microsoft's servers in a form Microsoft (and, by contractual arrangement, the US government) can read. That is the feature, not the bug, in the eyes of records-management and FOIA compliance officers.

The irony is sharp. Officials moved sensitive operational chatter to Signal not because it was the policy but because the mandated tool was, by design, transparent to the enterprise. The encryption tool provided confidentiality. The mandated tool provided accountability. Officials who wanted the first ended up using it on personal devices, where there was no institutional record at all.

This is not an argument that DoD policy is wrong. It is an argument that encryption and record-retention are two different requirements, and most enterprise chat software is engineered around the second. Teams, Slack, and similar products are built to be searchable, exportable, and discoverable. Signal is built to be the opposite. Asking one product to do both jobs produces exactly the kind of policy friction that ended up in a magazine article.

What WhatsApp's fan-out means for Meta

For most of the past decade, the conventional wisdom in tech policy held that end-to-end encryption broke advertising surveillance — that once the words in a message could not be read, the platform lost the ability to monetise the conversation. WhatsApp's architecture complicates that wisdom.

Meta does not need to read message content to build a map of who knows whom. The server-side fan-out model means Meta's servers handle group creation, group membership, invitation events, role changes, and message-routing decisions. Each of those events produces a metadata record. Aggregated across two billion users, those records describe the world's social graph in higher resolution than any telephone company ever managed.

The implication: a platform can be end-to-end encrypted and still be perfectly capable of mapping relationships, ranking influence, inferring topics from message frequency, and selling access to that map to advertisers through adjacent surfaces like Facebook, Instagram, and Threads. The encryption guarantees that Meta cannot read what you said. It does not guarantee that Meta does not know who you said it to, when, and how often.

That is the architecture civil-society groups flagged when WhatsApp updated its terms of service in 2021, and it is the architecture that has not changed. The encryption was real then. The metadata exposure was real then. Both are real now.

The trade-off the public rarely sees

The panel discussion surfaced a different way to frame the choice. There are essentially three positions a chat product can occupy, and each carries a different cost.

Maximum confidentiality, minimum scalability. That is iMessage. The encryption is the strongest of the three in deployment. The product cannot grow beyond a small group without losing the property. This is a defensible choice for a vendor that also sells you the hardware and wants conversations to stay inside that hardware.

Maximum confidentiality, maximum openness. That is Signal. The protocol is open, the client is open, the metadata-minimisation is real but limited by the fact that Signal still has to know who is sending to whom in order to route the message. Signal cannot see content; it can see some routing. The trade-off is reach — Signal has never approached the user base of WhatsApp — and the corresponding dependence on a small non-profit's continued operation.

Maximum reach, content-encrypted, metadata-exposed. That is WhatsApp. The world's largest private-message network is also the most metadata-rich private-message network in human history. The encryption protects the words. The architecture protects Meta's business model.

There is no fourth option currently in production at scale. Matrix, the open-source decentralised protocol, comes closest, but its usability gaps and federation problems have kept it from becoming a consumer default.

What the leak did and did not change

The Signal group-chat incident is unlikely to change DoD policy in any structural way. Government devices will continue to be configured to use Teams, and the record-retention rationale for that policy will continue to be correct. Officials who want to have off-record conversations will continue to use personal devices, and the security services that audit those conversations will continue to find them.

What the episode has done is drag the metadata question into public view for a non-technical audience. For most of the past decade, the encryption debate has been framed as a fight between privacy and law enforcement, with tech companies on one side and governments on the other. The Signal debate is showing the public a different axis: encryption of content versus exposure of metadata, and the corresponding question of who gets to map the relationship graph even when the words are hidden.

For Meta, the architecture is the moat. For Signal, the architecture is the mission. For Apple, the architecture is the lock-in. None of those incentives is going to change because a journalist was accidentally added to a chat. What might change is that the next time a regulator asks whether end-to-end encryption is "really" private, the answer on the record will be: it depends on what you mean by private, and which app you are using.

Wire provenance

This editorial synthesis draws on the following public wire/social posts:

• https://www.youtube.com/watch?v=1AkuLL-RPfY