Signal is a metadata-spreader in the sence of the US-Services. All traffic of the SignalApp goes over the clouds of Google, Amazon, Microsoft & Cloudflare - here are the subdomains: Amazon: textsecure-service.whispersystems.org, cdn.signal.org, sfu.voip.signal.org Google: storage.signal.org, contentproxy.signal.org Microsoft: api.directory.signal.org, api.backup.signal.org Cloudflare: cdn2.signal.org You can check it by yourself by making a tracert on these subdomains in your console! Signal only talks about "third partys"! Not telling their users how long they store their (encrypted) messages and who got access to them. As 85% of all smartpones run on googles Android - which sends information to google about their users every day - incl. the IP ! So with all the messages from signal google can easily tell who is talking to who. Which gives them a huge amount of metadata. Especially in combination with US (Spy) Cloud-Act https://en.wikipedia.org/wiki/CLOUD_Act all US Services can access the cloudstorage of Signal Messages. If you are looking for a really secure messenger: Check out Threema - which is no. 1 in all messenger-comparison-charts!