"Cwtch" is a Welsh word that roughly means a hug, or a safe place to keep something. The project is developed by the Open Privacy Research Society, a nonprofit based in Canada, and its goal is unusual in the messaging world: not merely to encrypt message contents, but to minimize the metadata an observer or an operator can collect about your communications in the first place.
That framing matters because metadata surveillance is often more revealing than content. Knowing that a journalist exchanged twenty messages with a government employee at 2 a.m. tells you almost everything, even if the words are sealed. Most popular encrypted apps still require a phone number, run on central servers that see the social graph, and log who connects to whom. Cwtch is an attempt to design those leaks out.
Built on Tor Onion Services
The foundation is Tor. Every Cwtch profile is, in effect, a Tor v3 onion service — your contact address is an onion address derived from a key pair, not a phone number or email. There is no central directory mapping you to an identifier a third party can subpoena, because there is no phone number to map. You add a contact by exchanging onion addresses out of band.
For one-to-one conversations, this means messages travel directly between the two participants' onion services over the Tor network. No server sits in the middle holding the conversation or watching the connection. The lineage here traces back to Ricochet, an earlier metadata-resistant Tor messenger; Cwtch generalizes the same idea and adds group support on top.
Cwtch aims for "untrusted infrastructure": even the servers that help it function should not be able to learn who is talking to whom, when, or what is said. The privacy shouldn't depend on trusting the operator — it should hold even if the operator is hostile.
The Clever Part: Untrusted Servers for Groups
Pure peer-to-peer messaging has a hard limitation: both parties have to be online at the same time for a message to deliver. That's tolerable for a one-to-one chat but impossible for group conversations, where members come and go. Cwtch's answer is to introduce servers — but to design them so they learn as little as cryptographically possible.
A Cwtch group server stores and forwards messages, providing the asynchronous "leave a message, they read it later" behavior people expect. Crucially, those messages are end-to-end encrypted blobs. The server's design intent is that it cannot read the contents, cannot reconstruct the group's membership or social graph, and functions as a dumb relay holding opaque data. Anyone can run a server, and because the server is untrusted by design, you don't have to vet whose hardware your encrypted blobs are sitting on.
The shift from "trust the server not to look" to "build the server so it can't" is the same instinct that separates a privacy promise from a privacy guarantee. It's the difference worth caring about. — On untrusted infrastructure
What You Give Up
Cwtch's strengths come with real costs, and an honest review has to be blunt about them.
| Strength | The trade-off |
|---|---|
| No phone number or email; pseudonymous onion-address identities | Adding contacts means exchanging long onion addresses out of band — less convenient than "find by number" |
| Everything routed over Tor, hiding network metadata | Higher latency and battery use; connections can be slower and less reliable than direct internet apps |
| Peer-to-peer one-to-one chats with no server at all | For direct chats, both people generally need to be online at once; servers are what enable asynchronous delivery |
| Untrusted, anyone-can-run servers for groups | Smaller ecosystem and fewer servers than mainstream apps; you may rely on community infrastructure |
| Open source, nonprofit, research-driven | Smaller user base and a younger, still-maturing codebase compared with battle-tested incumbents |
Profiles can be protected by a password and encrypted at rest, and Cwtch runs on Android, Windows, Linux, and macOS. But the experience is firmly in the territory of "tool for people who specifically need metadata resistance," not "drop-in replacement for the chat app your family already uses."
Who It Is Actually For
Cwtch is a good fit when the threat you're defending against is the pattern of your communication, not just its content:
- Journalists and sources where the existence of contact is itself sensitive — see the broader considerations for secure communications for journalists.
- Activists and at-risk communities who can't safely tie an identity to a phone number.
- Anyone who treats the social graph as the crown jewels and is willing to trade convenience for it.
For most everyday users, a mainstream encrypted app is a more practical default, and the right comparison is against other identifier-minimizing tools like Session and SimpleX Chat, or offline-first options like Briar. Each makes a different bet about which leaks matter most. Cwtch's bet is specifically on metadata, and on building servers that can't betray you.
Where Haven Fits
We have a lot of respect for the Cwtch approach, because it shares Haven's core conviction: privacy should be a property of the architecture, not a promise in a policy. Where Cwtch optimizes hard for metadata resistance at the cost of mainstream usability, Haven targets a different point on the curve — strong end-to-end encryption with an interface and feature set built for everyday email and chat under one identity.
They're not competitors so much as different answers to "what's your threat model?" If hiding the very existence of a conversation is your priority, a Tor-native tool like Cwtch deserves a serious look. If you want robust encryption that the people you talk to will actually adopt, that's the gap Haven is built to fill. Either way, the right question is never "which app is best" — it's "best against what."