The Messaging Network That Cannot Count Its Users
Most privacy messengers hide what you said. SimpleX hides the fact that you exist.
Key Takeaways
- SimpleX is the only mainstream messaging platform with no user identifiers of any kind — no phone numbers, usernames, emails, or random IDs.
- The platform's own operators cannot count how many people use it — a property no other major messenger shares.
- The architectural choice is not "better encryption." It is the elimination of identity as a stored artifact. Every other privacy messenger protects a user; SimpleX refuses to construct one in the first place.
- The series traces what this single design decision forces — in queues, in cryptography, in governance, and in the price the user pays.
- The payoff, measured behaviorally: 12 law-enforcement requests received in 2025; 0 records produced. That is not a marketing claim. It is the architectural residue.
---
"You were born without an account."
The line opens docs/WHY.md, the shortest file in the entire SimpleX repository — twenty lines, no code, no diagrams. It is also the most quoted line, because the rest of the project is the slow, technical vindication of it. I want to spend this series showing why that sentence is not rhetoric, why it produces a network with a measurable behavioral signature, and why every other "private messenger" you have used stops one architectural step short of where SimpleX begins.
A 100-million-user market with a population count of zero
When a company says "we have X million users," the number usually comes from a database column — a counter incremented on signup. Signal has phone numbers. Matrix has account IDs. Session has identity keys. Telegram has phone numbers or usernames. Even the privacy-first systems that reject *real* identities still hand out *pseudonymous* ones: a random number, a public key, a hash. The system needs the identifier to deliver the message. The identifier becomes the graph.
SimpleX has none of these. The README states the fact flatly:
"Unlike any other existing messaging platform, SimpleX has no identifiers assigned to the users — we do not even know how many people use SimpleX." (README.md, lines 195)
I want to sit with that sentence for a moment. The platform's own founders do not know the size of their user base. No other major messenger in the public market today can say this — not Proton Mail, not Threema, not Signal, not Wickr. The first architectural claim of this series, therefore, is a numerical one: the user-count column is empty, by design, and the absence is the product.
The mechanism is brutal and simple. To send Alice a message, Bob's client does not look up "Alice." It looks up a *queue* — a temporary, disposable, single-use container held on a relay server. Different conversations live in different queues, hosted on different servers, addressed by different opaque strings. There is no Alice-record anywhere. There is no address-book. The relay cannot answer the question "who do you know?" because the question literally has no referent in its data.
Why "encrypted but identified" still loses
The distinction matters because most privacy discussions conflate two different problems. *Content protection* is the property that an adversary cannot read your messages even if they intercept them. *Graph protection* is the property that an adversary cannot tell who you communicate with even if they monitor all the traffic. The two are independent. The first is solved by good end-to-end encryption — Signal, WhatsApp, iMessage, and SimpleX all do it competently. The second is the unsolved problem of the privacy-messenger industry, because every existing platform except SimpleX still ties content delivery to a persistent identifier.
This is why a privacy advocate who recommends "Signal with disappearing messages enabled and phone-number visibility turned off" has not actually solved the second problem. The phone number is still there. The Signal server still maps it to an account record. The subpoena still produces a graph. SimpleX is the design that refuses to construct the graph in the first place — not because the team is paranoid, but because they are solving the harder problem.
A note on skepticism
I want to be transparent about something. I came into this analysis skeptical of "no identifiers" claims — they are easy to make and hard to verify. What changed my mind during research was reading the protocol specification alongside the 2024 Trail of Bits cryptographic review. The pairwise-queue model is not a slogan. It is a different routing topology with different objects, and the audit specifically validated the property that the queues are pairwise — meaning no two queues share an address. When the third witness — the 2025 transparency disclosure, 12 requests and 0 records produced — lined up with the architecture and the audit, the claim became a position I was willing to defend, not a marketing line I was cataloging.
What the reader walks away believing
By the end of this series, I want you holding five concrete shifts:
1. Architecture substitutes for policy. The privacy guarantee does not come from a server's promise; it comes from the server having nothing to promise *about*. 2. Repudiation is a feature, not a bug. Cryptographic deniability — the ability of the recipient to forge messages, and therefore the inability of any third party to prove who said what — is the property that makes private speech private. 3. The 9-layer defense is not paranoia. It is the *cost* of operating in an adversarial network. Each layer addresses an attack the others don't. 4. No board seat is a structural choice. Both SimpleX pre-seed rounds (Village Global 2022, Dorsey/Asymmetric 2024) explicitly waived control provisions. The company is steering toward non-profit governance. That posture is rare and it is part of the architecture. 5. Privacy costs you something. Losing your phone with a SimpleX profile is more like losing a hardware wallet than forgetting a Facebook password. The series will not hide this.
How the chapters build
E01 traces one message — Alice to Bob — through the architecture. I want you to see why there is no central graph to subpoena, and why the same design choice that protects against dragnet surveillance also makes the system harder to use. E02 opens the cryptographic envelope and inventories nine defense layers, including post-quantum key rotation added in v5.6 (March 2024) and private message routing added in v5.8 (June 2024). E03 walks the audit trail — Trail of Bits' November 2022 implementation review, their July 2024 cryptographic protocol review — and the investor structure that waived control provisions in both rounds. E04 is the bill: what the architecture takes from you in convenience, what it returns in return, and a decision framework for when SimpleX is and is not the right tool.
A first comparison to fix the categories
Before I move into architecture, the diagram below fixes the comparative space. It is not a benchmark; it is a topology. The columns are *what the platform uses as a persistent identifier for you*. The rows are well-known messengers. SimpleX is the only row whose identifier column is blank.
| Platform | Persistent user identifier | Identifier visible to servers? | Centralized account? | |----------|----------------------------|-------------------------------|----------------------| | WhatsApp | Phone number | Yes | Yes (Meta) | | Signal | Phone number | Yes (server-side mapping exists) | Yes | | Telegram | Phone number + optional username | Yes | Yes | | Matrix | Account ID + homeserver | Yes | No (federated) | | Session | Random identity key (ed25519) | Pseudonymous | No (decentralized) | | Cwtch / Ricochet | Onion address | Pseudonymous | No | | Nostr | Public key | Pseudonymous | No (relays) | | SimpleX | None | N/A | No client/server identity boundary |
The third column is where SimpleX's distinction lives. Even the systems that hide your *real name* still keep a *pseudonym* — and pseudonyms accumulate graph data over time. SimpleX replaces the persistent pseudonym with a disposable, conversation-scoped address. Two contacts of yours can confirm *neither* that they talk to the same person *nor* that they don't. That is a stronger property than "encrypted messaging" — it is "unlinkable messaging."
What this series is not
It is not a Signal hit-piece. Signal is doing important work under hostile conditions and a phone-number binding is the cost of staying interoperable with the SMS-era phone system. The series is also not a privacy absolutist tract. SimpleX makes explicit trade-offs — UX friction, group fragility, no cross-device profile sync — that I will name honestly in E04. The series is an attempt to do one thing well: trace what happens when a small team takes one architectural claim — *no user identifiers* — and refuses to compromise it for the usual reasons. The codebase is the evidence; the audit reports are the second witness; the 2025 transparency disclosure is the third.
The rest of this series is the proof.
---
References:
- SimpleX Chat README — source of identity-elimination claim and platform overview.
docs/WHY.md— the manifesto quoted in the opening.docs/SIMPLEX.md— the comparison framing used in the matrix above.docs/TRANSPARENCY.md— source of the 12-request, 0-complied figure.docs/GLOSSARY.md— the cryptographic definitions used throughout the series.