The FBI seized a Washington Post reporter’s phone. It contained 1,200 Signal sources.

What happened

On January 14, 2026, FBI agents arrived at the home of Washington Post reporter Hannah Natanson and executed a search warrant. They seized her personal phone, her work laptop, her personal laptop, a Garmin smartwatch, a portable hard drive, and a recording device. Natanson had spent the previous year covering the federal workforce under the Trump administration and had accumulated 1,200 contacts on Signal, current and former government employees who had trusted her with their stories. The warrant was connected to an investigation into a government contractor, Aurelio Perez-Lugones, charged with illegally retaining classified materials. Natanson was not accused of wrongdoing. As of April 9, 2026, the DOJ was pressing a federal court to conduct its own direct search of the seized devices.

The seizure-then-search pattern is the same one documented in how border agents seized a journalist’s laptop. The legal mechanisms differ. The operational lesson does not. A device in custody is a device that may be read.

Signal encrypts messages. It does not protect the device.

This distinction matters and is almost never made clearly.

Signal’s encryption is genuine. The Signal servers hold almost nothing. Law enforcement requests to Signal produce near-zero results because near-zero data is stored. This is documented and correct.

What Signal does not do: protect a physical device from seizure. When the FBI arrives at your home with a warrant and takes your phone, Signal’s encryption protects the content of individual messages only to the extent the app’s settings are configured correctly. What it does not protect is the contact list. The metadata. The record that a specific Signal account communicated with 1,200 other specific accounts over a period of years.

That record, once the device is in physical custody, is the investigation.

The compartmentation failure

Natanson had 1,200 sources in a single Signal account on a single device.

From an operational security standpoint, this is a single point of failure. One seizure event. One warrant. One moment. And every source relationship accumulated over years of reporting becomes accessible to investigators, not through the message content, which may be protected by disappearing messages settings, but through the fact of contact itself.

Who she spoke to. When. How often.

For a source who trusted Signal because they believed it was secure, the question now is not whether their messages can be read. It is whether the fact that they contacted a Washington Post journalist at all is now documented in a federal investigation.

The two things are not the same. The first is an encryption question. The second is a compartmentation question. Most journalists are only thinking about the first one.

What compartmentation actually requires

The operational answer is not a stronger password on the same device. It is separation.

Different sources represent different risk levels. A source inside a federal agency under active investigation has a different threat profile than a source discussing policy matters with no legal exposure. Treating them identically, putting all 1,200 in the same account on the same device, means that the highest-risk situation determines the exposure for all of them.

Compartmentation means separate accounts for separate risk levels. A dedicated device for the highest-sensitivity source relationships. Disappearing messages enabled by default, not as an afterthought. No years of accumulated contact history sitting on a device that can be seized with a single warrant.

The reasoning behind treating different sources as different threat models, rather than a single homogeneous category, is mapped in how to build a threat model that actually holds up. The 1,200 Signal contacts in the Natanson case were not all the same risk. Treating them as one bucket created the failure mode.

This is not a hypothetical discipline. It is what the seizure of Natanson’s devices demonstrated, in documented form, is necessary.

The Garmin watch

The FBI also took a Garmin smartwatch.

Wearable devices log location data continuously. They sync to accounts. They contain movement patterns across months or years. For a journalist whose sources sometimes met her in person, location history is not a marginal data point.

Most journalists think about phone security. Almost none think about the devices on their wrists.

The same blind-spot pattern, where the secondary data source becomes the operative leak, is documented in how a journalist was arrested because of an email. The wearable is the next iteration of that same lesson.

What disappearing messages protect and what they don’t

If disappearing messages were enabled on Natanson’s Signal conversations, the message content may be gone. The setting destroys messages after a defined period on both devices. Content that doesn’t exist cannot be compelled or extracted.

What disappearing messages do not destroy: the fact that two accounts were in contact. Signal’s architecture minimises metadata, but the device itself, the contact list, the account associations, the notification history, exists outside the message content.

Enable disappearing messages. That part is not optional. But understand what it protects and what it does not.

The second seizure attempt

In February 2026, a magistrate judge ruled the government could not directly search Natanson’s devices. Too much unrelated material. Too much risk of accessing protected journalistic sources beyond the scope of the warrant.

The DOJ appealed. On April 9, prosecutors pressed a federal judge to overturn that ruling and conduct their own search with a filter team.

The legal fight is real and ongoing. It may result in protection for Natanson’s sources. It may not.

Operational security is not a legal defence. It is what exists before the legal fight begins.

Frequently asked questions

Does Signal protect journalists’ sources from government investigation?

Signal protects message content when disappearing messages are enabled and the app is correctly configured. It does not protect a device from physical seizure. It does not prevent investigators from seeing who you have been in contact with. Source protection requires compartmentation at the device level, not just encryption at the message level.

What should journalists do differently after this case?

Separate high-risk source relationships from everyday contacts. Use dedicated devices for the most sensitive communications. Enable disappearing messages by default on every sensitive conversation. Never accumulate years of source contact history on a single device. Assume that any device can be seized and plan accordingly.

Does a Garmin watch or fitness tracker create a security risk?

Yes. Wearable devices log continuous location data and sync to cloud accounts. For anyone whose physical movements are operationally sensitive, journalists meeting sources, lawyers visiting clients, NGO workers in the field, wearable devices are a data collection risk that is rarely factored into security planning.

For the full operational protocol, see our complete guide to digital security for journalists in 2026.

---

The question is not whether Signal is secure. It is. The question is what happens when the device that runs it is sitting in an FBI evidence room. Those are different questions. Most people only ask the first one.

There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.