TL;DR
Signal and Shoal are not the same kind of product. Signal is the cryptographic high-water mark for two-party private communication: pure end-to-end encryption, minimal metadata, no business model that conflicts with privacy. Shoal is built to give parents structural oversight of children’s chats while keeping everyone else’s private. Those goals require different architectures, and we want to be straight about which one Shoal isn’t.
What Signal does well
Signal is exceptional at what it sets out to do. The Signal Protocol is the gold standard for E2EE messaging — used (under licence) by WhatsApp, Google Messages, and others. Sealed sender minimises the metadata Signal itself can see. The app is open source, audited, and run by a non-profit foundation funded primarily by donations. There is no advertising, no analytics SDK, no quiet metadata harvesting.
If your need is “I want to talk to a specific adult and have very high confidence that no one — not even the operator of the messaging app — could be compelled to read what we say,” Signal is the right answer.
Where Shoal is different (and we should be honest about this)
We’ve been clear elsewhere on this site that Shoal is not Signal-grade in the strict cryptographic sense. The privacy page goes into the architectural detail; the short version is:
- Shoal stores encrypted backups of device decryption keys on our servers, protected by a server-side environment secret. Signal stores nothing of the sort on its servers.
- The protection on at-rest data in Shoal is operationally enforced (no decryption code currently exists; the environment secret isn’t exposed in normal staff workflows) rather than cryptographically enforced against the operator. With Signal, the operator has nothing to enforce — the keys aren’t there to be unwrapped.
- Shoal admins are cryptographic recipients of their children’s family conversations, by design. Signal has no equivalent because Signal is explicitly not in the parental-oversight business.
These aren’t bugs. They’re the deliberate trade-offs Shoal makes to be useful for families with kids who need to be on the same chat as their parents under structural oversight. Signal would say — and we’d agree — that they are exactly the trade-offs Signal refuses to make.
Side by side
| Shoal | Signal | |
|---|---|---|
| End-to-end encrypted | Yes, with operator caveat (see /privacy#encryption) | Yes (Signal Protocol) |
| Operator can build code path to decrypt user data | Possibly (we have not built one) | No (architecturally ruled out) |
| Sealed-sender / metadata-minimising | No | Yes |
| Parental oversight built in | Yes (admin = cryptographic recipient) | No (out of scope by design) |
| Kids without phone numbers | Yes (paired device) | No (phone number required) |
| Family / multi-family structure | Yes | No |
| Operator | Independent UK company (for-profit) | Signal Foundation (US non-profit) |
| Open source | Not currently | Yes |
When to pick which
Pick Signal if your priority is the strongest possible cryptographic separation between yourself and the messaging app’s operator, you want no parental oversight in the picture, and the people you’re talking to are adults willing to install Signal too.
Pick Shoal if you want an encrypted messenger built specifically around families with children — including kids who can’t have a phone number, conversations that admins should be able to oversee, and a single chat that works across every device in the family.
You can use both for different purposes. We do.
Signal is a registered trademark of the Signal Foundation. We have no affiliation with Signal and we admire what they’ve built.