
The FBI recovered deleted Signal messages from a seized iPhone. The encryption wasn’t broken.

Short answer

On March 10, 2026, FBI testimony in a federal trial in Texas revealed that investigators had extracted incoming Signal messages from a defendant’s iPhone, even after the app had been deleted and disappearing messages had been enabled. Signal’s encryption was not compromised. The messages were recovered from Apple’s internal notification database, where iOS stores lock screen previews independently of any app. One setting prevents this. It is not enabled by default.

What happened

During the federal trial of defendants charged in connection with an attack on the Prairieland ICE detention facility in Alvarado, Texas, FBI Special Agent Clark Wiethorn testified on March 10, 2026 about digital evidence recovered from a seized iPhone belonging to defendant Lynette Sharp. The evidence, documented as Exhibit 158, consisted of incoming Signal messages recovered after the app had already been deleted from the device. Disappearing messages had been enabled. The app was gone. The messages were still there. Investigators used Cellebrite to extract them from Apple’s internal notification database. The trial concluded with guilty verdicts. The testimony became public in April 2026 through reporting by 404 Media.

What the notification database is and why it matters

When a Signal message arrives on your iPhone and you have lock screen previews enabled, iOS does something Signal cannot control. It stores the message content in an internal notification database before displaying it on your screen.

That database is not part of Signal. It is part of iOS. Signal’s encryption covers the message in transit between devices. Once the message arrives and iOS prepares a lock screen preview, a copy of the readable content exists inside the phone’s operating system, outside Signal’s control entirely.

That copy persists. When Signal deletes a message, it deletes its own record. It cannot reach into iOS’s notification subsystem and delete what iOS stored there. When disappearing messages activate, they delete from Signal. The notification database is untouched.

Cellebrite, with physical access to the device, can extract that database. The FBI did exactly that.

The full inventory of what those forensic tools recover from a device once it is in custody is in what forensic tools extract from a seized device. The notification database is one artefact. There are others.

What was and was not recovered

Only incoming messages were recovered, not outgoing ones. This is the technical fingerprint of this specific method. The notification database stores what arrives on your lock screen. It does not store what you send.

Signal’s encryption was not broken. The cryptography is intact. What failed was the assumption that deleting messages from Signal meant they were gone from the device. They were gone from Signal. They were not gone from iOS.

The setting that prevents this

Signal has a setting that suppresses message content from lock screen notifications entirely. When this setting is enabled, iOS receives only a generic alert with no readable content. Nothing is stored in the notification database. There is nothing for Cellebrite to extract.

The setting exists. It works. It is not enabled by default.

To enable it on iPhone: Signal Settings, then Notifications, then Show, then select No Name or Message. On iOS system level: Settings, then Notifications, then Signal, then Show Previews, then Never.

Either change prevents content from entering the iOS notification database. Neither affects Signal’s encryption. Neither affects message delivery.

The same mechanism applies to every messaging app

This is not a Signal vulnerability. It is a property of how iOS notification previews work. WhatsApp, Telegram, iMessage, any app that displays message content on the lock screen creates the same forensic artifact in the same iOS database.

The Prairieland case surfaced it in a Signal context. The underlying exposure exists wherever lock screen previews are enabled.

What physical access changes

This technique requires physical custody of the device. The FBI needed the phone. This is not a remote attack. It is not a network intercept. It is forensic extraction from a seized device.

The same physical-custody pattern is documented in the parallel case where the FBI seized a journalist’s phone containing 1,200 Signal sources. Different exhibit, same operational lesson: encryption is the perimeter, the device is the inside.

For most people, that means a lawful arrest or search warrant. For journalists crossing borders, it means a border search. For lawyers whose devices are subpoenaed. For NGO workers operating in countries where detention is a realistic scenario. For anyone in a situation where their device might leave their hands.

The baseline protection Signal’s encryption provides against remote surveillance remains intact. The gap is what happens after physical access.

The remote variant of the same problem, where the device is compromised before any seizure, is documented in how Pegasus does not need you to click anything. The two cases bracket the threat: spyware reaches the device while it is in your hand, forensic tools reach it once it is not. Configuration is what reduces both.

Frequently asked questions

Was Signal hacked or broken in this case?

No. Signal’s end-to-end encryption was not compromised. The messages were recovered from Apple’s internal notification database, which stores lock screen preview content independently of Signal. The vulnerability is in how iOS handles notification previews, not in Signal’s cryptography.

Does disappearing messages protect against this?

Not fully. Disappearing messages delete content from Signal after the set timer. They do not delete content from iOS’s notification database, which is stored separately. The only protection against this specific extraction method is disabling lock screen message previews entirely.

Does this affect Android?

Android uses Google’s push notification infrastructure rather than Apple’s, but the underlying principle is the same. Any messaging app displaying content in Android notifications creates a similar record. The specific forensic technique described in the Prairieland testimony targets the iOS notification database. Android extraction methods differ technically but the exposure from notification previews is not unique to Apple.

Should I stop using Signal?

No. Signal remains the correct tool for sensitive communications. The Prairieland case is not an argument against Signal. It is an argument for configuring Signal correctly before you need it to matter.

The full comparison between Signal and the alternatives, including where each one outperforms the others, sits in Signal versus ProtonMail versus Wire. Signal remains the right default for most threat profiles. The Prairieland testimony does not change that.

This case is one piece of a larger picture. We compiled the full operational playbook in our pillar guide on digital security for journalists in 2026, twelve steps covering threat modeling, devices, messaging, accounts, travel, and incident response.


Signal did not fail. A default setting that most people never change did. Those are different problems with different solutions. The solution takes thirty seconds.

There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.
