End-to-end encryption protects what you say. It does much less for the metadata around it — who you talk to, how often, when, and from where. For many threat models, that social graph is the more sensitive asset. A government doesn't always need to read your messages if it can prove you exchanged thousands of them with a particular journalist.
Most encrypted messengers still hold that graph. Signal ties accounts to phone numbers; Session and Threema assign persistent random account IDs. Even when contents are unreadable, the server knows that account A is connected to accounts B, C, and D. SimpleX Chat is an open-source messenger that takes the unusual position of having no user profile identity on its servers at all.
The Core Idea: Address Queues, Not People
SimpleX's design inverts the usual model. Instead of "send a message to user X," the unit of addressing is a unidirectional message queue sitting on a relay server. Each queue is identified by a random ID and exists to carry messages in one direction between two people.
When you connect with a new contact, the two of you establish separate queues for each direction of the conversation, each with its own random identifier and access credentials. The relay server holding a queue knows only "messages are arriving for this random queue ID and being collected by someone." It is never told which person that queue belongs to, because there is no account, no login, no profile to attach it to.
Because each contact pair uses distinct queues with separate credentials — and you can route different conversations through different servers — no single server sees a map of your contacts. There's no account record that says "this user knows these 40 people." The graph that other messengers store centrally simply isn't assembled anywhere in SimpleX's design.
How You Connect Without an Address
The obvious question: if there are no usernames or numbers, how does anyone reach you? The answer is one-time invitation links (or QR codes). To start a conversation, one person generates an invitation and shares it through any channel — in person, over another app, on paper. The other person opens it, and the two clients negotiate their queues.
This is deliberate. There is no global directory to search, which means there's also no global directory for an adversary to scrape, no way to enumerate users, and no central list to subpoena. The trade-off is that connecting is more hands-on than typing a phone number — closer to exchanging keys than looking someone up.
The Encryption Underneath
SimpleX isn't reinventing the cryptography, which is reassuring. Message contents are protected with the Double Ratchet — the same algorithm Signal uses — layered with additional encryption between client and relay. The transport runs over its own protocol (SMP, the SimpleX Messaging Protocol), and the project has added post-quantum protection to the ratchet to hedge against future quantum attacks on the classical key exchange.
It's worth being precise about what the metadata protection does and doesn't cover. SimpleX is strong against the server building a contact graph. It does not, by itself, hide your IP address from the relay — for that you'd route the connection over Tor, which the app supports. Network-level observers and the relay still see connection traffic; the protection is specifically against linking that traffic to a durable identity.
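The queue model and the IP caveat above, as an added example (not SimpleX code and not the SMP wire format): it contrasts what an account-based server and a single relay holding every queue can reconstruct from their delivery logs. All names, addresses and the `isolated` transport stand-in are constructed assumptions.

```python
import secrets
from collections import defaultdict

# Constructed sample traffic: alice exchanges messages with three contacts.
CONTACTS = ("bob", "carol", "dave")
MESSAGES = [("alice", c) for c in CONTACTS] + [(c, "alice") for c in CONTACTS]
# Constructed addresses taken from the documentation ranges.
DIRECT_IP = {"alice": "198.51.100.7", "bob": "203.0.113.5",
             "carol": "203.0.113.9", "dave": "192.0.2.44"}
# One unidirectional queue per direction per contact pair, each with a random ID.
QUEUES = {pair: secrets.token_hex(12) for pair in MESSAGES}

def account_server_log(messages):
    """Account model: every delivery record names both accounts."""
    return list(messages)

def queue_relay_log(messages, source_of):
    """Queue model: the relay records the queue ID and the connection's source."""
    return [(QUEUES[(s, r)], source_of(s)) for s, r in messages]

def direct(sender):
    return DIRECT_IP[sender]              # client connects from its own address

def isolated(sender):
    # Assumption: an anonymizing transport gives each connection an unrelated source.
    return "circuit-" + secrets.token_hex(8)

def contact_graph(log):
    """Graph recoverable from durable identifiers in an account server's log."""
    graph = defaultdict(set)
    for sender, recipient in log:
        graph[sender].add(recipient)
    return dict(graph)

def linkable_queues(log):
    """Queues a relay can still group together because they share a source."""
    groups = defaultdict(set)
    for queue_id, source in log:
        groups[source].add(queue_id)
    return dict(groups)

if __name__ == "__main__":
    print(contact_graph(account_server_log(MESSAGES))["alice"])
    direct_view = linkable_queues(queue_relay_log(MESSAGES, direct))
    print({src: len(qs) for src, qs in direct_view.items()})
    hidden_view = linkable_queues(queue_relay_log(MESSAGES, isolated))
    print(max(len(qs) for qs in hidden_view.values()))
```

The relay log never contains a user identifier, but with direct connections the three queues alice writes to still group under her address; with unrelated sources every queue stands alone.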
How It Compares
| Messenger | Identifier required | Server holds contact graph? |
|---|---|---|
| Signal | Phone number | Minimized (sealed sender), but account exists |
| Session | Random account ID | Routes over onion network; persistent ID exists |
| Briar | None (peer-to-peer) | No servers at all — but needs peers reachable |
| SimpleX | None | No — queues are not linked to identities |
Briar is the closest philosophical cousin — it also rejects central identifiers — but Briar's peer-to-peer model means both parties generally need to be reachable, which is awkward for everyday async messaging. SimpleX keeps relays in the picture (so messages wait for you while you're offline) but strips the identity out of them.
The Honest Trade-offs
No design is free, and SimpleX's identity-free model has real friction:
- Connecting is manual. Sharing invitation links is more effort than searching a username, and there's no way to "find" someone you've lost contact with.
- Multi-device and message history have historically been harder than in account-based apps, precisely because there's no central account to sync against. The project has been improving this, but it remains more involved.
- Push notifications on iOS are constrained by Apple's model, which expects a central service to push to a registered device — at odds with SimpleX's architecture. The team has engineered around it, but it's an inherent tension.
- Smaller network. Privacy is partly a network-effect problem; the people you want to reach have to be on it too.
The right messenger is the one whose trade-offs match your threat model — not the one with the longest feature list or the strongest marketing claim.
Who Should Care
For most people, Signal's metadata posture is already a dramatic improvement over WhatsApp or SMS, and its usability is hard to beat. SimpleX earns its place for users whose threat model specifically includes the existence of a discoverable social graph — activists, sources, researchers, anyone for whom "who you talk to" is the dangerous fact. For them, an architecture that never builds the graph in the first place is qualitatively different from one that promises not to look at it.
That's the lens we'd encourage when weighing any tool, SimpleX or otherwise, including ours. At Haven we made a different set of trade-offs — integrating encrypted email and MLS-based group chat under one identity, which deliberately keeps a usable account model rather than going identifier-free. That's a reasonable choice for some users and the wrong one for others. SimpleX is a genuinely interesting point on the spectrum, and a useful benchmark for thinking clearly about what metadata protection actually requires.