Programming /

What_The_Architecture_Costs_You

# What the Architecture Costs You > Privacy by elimination is not free. The same design that hides you from dragnet surveillance also makes you responsible for things the cloud has always done for you. ## Key Takeaways - The no-identifier design forces **four user-visible trade-offs**: no cross-device profile sync, no server-side backup, group-owner key loss is permanent, and groups are experimental. - SimpleX is the right tool when your threat model includes **graph-level adversaries** — state surveillance, subpoenas that target contact networks, large-scale traffic correlation. - It is the wrong tool for users who want **frictionless multi-device sync, server-side history, or social discovery** — every convenience the cloud provides is, by design, gone. - The decision matrix at the end of this chapter is the framework I want you to leave with. The architecture is not a moral upgrade. It is a *fit* for specific threat models and a *misfit* for others. - The biggest mental shift: treat your SimpleX profile **like a hardware wallet key**, not like a social-media account. The analogy is the company's own, and it is the most accurate one. --- Imagine your phone falls into a river. Not stolen — gone. The case pops off on a rock, the screen dies, and the recovery is a four-hour drive to a data-recovery shop that tells you the NAND was submerged for forty minutes. The board is dead. The SIM is in another pocket and the contacts that mattered are not on the cloud — they were SimpleX contacts, exchanged one-by-one via QR codes, stored only on this device. Now you sit down at a new phone, install SimpleX, and ask the app: **recover my profile.** The app does not have a recovery option. There is no "forgot password" link to send your phone number to. There is no cloud backup to restore. The 100,000-strong Google Play install base does not include any "Sign in with Google" integration. The profile — the chats, the contact list, the group memberships, the connection keys — lived on the device that is now a brick. `docs/BUSINESS.md` makes this explicit: > "There is no data recovery if device/passphrase is lost (the price of privacy)." > "Same profile cannot be accessed from multiple devices without security compromises." > "Group owner role cannot be restored if the device is lost — recommend creating 'owner profiles on multiple devices' 'like keys to your cryptowallet.'" The cryptowallet analogy is the company's own, and it is the most accurate single sentence about user-facing trade-offs in the entire repository. ## The bill, itemized Five costs the architecture imposes, ranked by how often they bite the ordinary user: 1. **No cross-device profile sync.** Logging in on a new phone means establishing new connections. Your existing contacts do not auto-transfer. (You can run multiple profiles on one device, but you cannot run one profile on multiple devices without compromising the threat model — E02's nine layers assume a single trust root.) 2. **No server-side history.** When you delete a message, it is deleted from the local database; the relay already discarded it after delivery. There is no "undo" server-side. This is a feature for privacy and a footgun for users accustomed to the cloud-as-undo-button. 3. **Group-owner key loss is permanent.** In a SimpleX group, the owner role holds the cryptographic key that defines the group identity. Lose that device, lose the group. The workaround — running owner profiles on multiple devices "like keys to your cryptowallet" — is real but adds operational complexity most consumer messengers do not require. 4. **Connection is by exchange, not discovery.** You cannot "search for Alice" on SimpleX. You must be handed a link or QR code. No people-you-may-know. No contact-graph onboarding. This kills spam — and also kills the cold-start problem of getting your non-technical friends onto the platform. 5. **Groups are explicitly "highly experimental"** in the company's own customer-facing documentation. Possible message delivery delays. v6.x has been working on large-group scalability, but as of early 2026 the documentation still flags the category as in development. A sixth cost is structural rather than operational: **you cannot be found.** This is the property the architecture was built to produce. It is also the property that makes SimpleX a poor choice for any user whose goal is to be reachable by strangers (customer service, dating, public figures, sales). ## The honest comparison I want to fix the trade-off space against the alternatives a reader is likely choosing between. The table is opi

Chapter 5 of 5 8m Article Learning path

What the Architecture Costs You

Privacy by elimination is not free. The same design that hides you from dragnet surveillance also makes you responsible for things the cloud has always done for you.

Key Takeaways

The no-identifier design forces four user-visible trade-offs: no cross-device profile sync, no server-side backup, group-owner key loss is permanent, and groups are experimental.
SimpleX is the right tool when your threat model includes graph-level adversaries — state surveillance, subpoenas that target contact networks, large-scale traffic correlation.
It is the wrong tool for users who want frictionless multi-device sync, server-side history, or social discovery — every convenience the cloud provides is, by design, gone.
The decision matrix at the end of this chapter is the framework I want you to leave with. The architecture is not a moral upgrade. It is a *fit* for specific threat models and a *misfit* for others.
The biggest mental shift: treat your SimpleX profile like a hardware wallet key, not like a social-media account. The analogy is the company's own, and it is the most accurate one.

---

Imagine your phone falls into a river.

Not stolen — gone. The case pops off on a rock, the screen dies, and the recovery is a four-hour drive to a data-recovery shop that tells you the NAND was submerged for forty minutes. The board is dead. The SIM is in another pocket and the contacts that mattered are not on the cloud — they were SimpleX contacts, exchanged one-by-one via QR codes, stored only on this device.

Now you sit down at a new phone, install SimpleX, and ask the app: recover my profile.

The app does not have a recovery option. There is no "forgot password" link to send your phone number to. There is no cloud backup to restore. The 100,000-strong Google Play install base does not include any "Sign in with Google" integration. The profile — the chats, the contact list, the group memberships, the connection keys — lived on the device that is now a brick.

docs/BUSINESS.md makes this explicit:

"There is no data recovery if device/passphrase is lost (the price of privacy)."

"Same profile cannot be accessed from multiple devices without security compromises."

"Group owner role cannot be restored if the device is lost — recommend creating 'owner profiles on multiple devices' 'like keys to your cryptowallet.'"

The cryptowallet analogy is the company's own, and it is the most accurate single sentence about user-facing trade-offs in the entire repository.

The bill, itemized

Five costs the architecture imposes, ranked by how often they bite the ordinary user:

1. No cross-device profile sync. Logging in on a new phone means establishing new connections. Your existing contacts do not auto-transfer. (You can run multiple profiles on one device, but you cannot run one profile on multiple devices without compromising the threat model — E02's nine layers assume a single trust root.) 2. No server-side history. When you delete a message, it is deleted from the local database; the relay already discarded it after delivery. There is no "undo" server-side. This is a feature for privacy and a footgun for users accustomed to the cloud-as-undo-button. 3. Group-owner key loss is permanent. In a SimpleX group, the owner role holds the cryptographic key that defines the group identity. Lose that device, lose the group. The workaround — running owner profiles on multiple devices "like keys to your cryptowallet" — is real but adds operational complexity most consumer messengers do not require. 4. Connection is by exchange, not discovery. You cannot "search for Alice" on SimpleX. You must be handed a link or QR code. No people-you-may-know. No contact-graph onboarding. This kills spam — and also kills the cold-start problem of getting your non-technical friends onto the platform. 5. Groups are explicitly "highly experimental" in the company's own customer-facing documentation. Possible message delivery delays. v6.x has been working on large-group scalability, but as of early 2026 the documentation still flags the category as in development.

A sixth cost is structural rather than operational: you cannot be found. This is the property the architecture was built to produce. It is also the property that makes SimpleX a poor choice for any user whose goal is to be reachable by strangers (customer service, dating, public figures, sales).

The honest comparison

I want to fix the trade-off space against the alternatives a reader is likely choosing between. The table is opinionated and I will defend each cell:

| Use case | SimpleX | Signal | Matrix | Session | |----------|---------|--------|--------|---------| | Sensitive one-to-one conversation with a journalist | Strong fit | Strong fit | Strong fit | Acceptable | | Replacing a phone-number-bound chat app for daily use | Poor fit — discovery is missing | Strong fit | Strong fit | Acceptable | | Multi-device profile sync across laptop / tablet / phone | Poor fit — explicit design exclusion | Strong fit | Strong fit | Acceptable | | Group chat with friends who are not privacy specialists | Marginal — UX burden on the introducer | Strong fit | Strong fit | Acceptable | | Protecting a network of contacts from each other | Strong fit — pairwise queues defeat this | Weak — phone number mapping exists | Weak — homeserver has the graph | Weak — identity key is the graph | | Operate under subpoena without producing records | Strong fit — 2025 record 12/0 | Acceptable — small subset of records | Depends on homeserver operator | Weak | | Survive endpoint compromise (malware on device) | Equal — no messenger survives this | Equal | Equal | Equal |

The middle row is the cell that matters. SimpleX is a *better* privacy tool than Signal in scenarios where the adversary wants the connection graph. It is a *worse* consumer product than Signal for users whose threat model is "I want encrypted chats with my phone contacts on all my devices." Both statements are true. Picking the wrong one for your use case is the most common failure mode I see in privacy-tool advocacy.

When the architecture is the right answer

The architecture is correct when the threat model includes one or more of:

State-level adversaries with subpoena power and infrastructure visibility. The pairwise-queue design + the in-memory relay + the repudiation-by-default are tailored to this adversary. The 12-and-0 disclosure record is the proof.
Graph correlation as an attack vector. If the danger is not "they read my messages" but "they know who talks to whom," SimpleX is one of very few messengers (alongside Cwtch and Pond) that defeats graph reconstruction by design.
Long-term traffic-analysis adversaries ("record now, decrypt later"). The PQ-on-every-ratchet-step addition (v5.6, March 2024) is the direct defense. Most messengers have no PQ plan at all.
Spam resistance is a hard requirement. Because there is no address book, there is no addressable spam. The cost is that you cannot be discovered — but if you do not *want* to be discovered, the cost is free.

When the architecture is the wrong answer

It is the wrong answer when:

You want to be found by people who do not yet have your address. Customer service, dating, marketplace, social discovery — all require an address book or a public key. SimpleX has neither.
You switch devices frequently. The cross-device-sync exclusion is by design; it is also a daily friction for users with a phone + tablet + laptop.
Your network is non-technical. The QR-code handshake is a 30-second process. It is not hard. It is also not the "enter phone number, tap verify" experience most consumer apps offer. Multiplicative friction across a 50-person group is real.
You want server-side backups. The architecture precludes them. There is no cloud-side state to back up because the cloud is not the source of truth.
You are running a high-availability public channel. The Channels protocol (added 2025) is the company's answer here, but it is new, and the docs still flag the moderation/scale story as in development.

A decision framework to carry

If I had to leave the reader with one mental model, it would be this:

Choose SimpleX when your threat model punishes the connection graph. Choose Signal or Matrix when your threat model punishes message content but the graph is acceptable. Choose Session when you want pseudonymity without the introduction friction.

These are not three points on a quality spectrum. They are three points on a *threat-model* spectrum. The mistake to avoid is treating SimpleX as "more private than Signal" without asking *private from whom, against what attack, at what cost*. The series started with the claim that SimpleX is the only platform that cannot count its users. The closing position is that the property you cannot get back — the no-identifier design — is the property that justifies every other cost, and the costs are real and unhidden.

The architecture has not lied to you. It has told you the price upfront, in the BUSINESS.md doc, in plain language, in the cryptowallet analogy. Most consumer messengers do not even attempt the conversation.

Where the series leaves us

Five chapters. Five shifts.

1. The user count is empty by design (E00). 2. The message queue, not the user, is the architectural unit (E01). 3. Repudiation and padding are the cryptographically interesting properties, not the encryption (E02). 4. The organization constrains the code as much as the code constrains the organization — 12 requests, 0 records is the result of both (E03). 5. The architecture costs you things the cloud does for you, and the cost is the price of the property (E04).

The SimpleX Chat codebase, at ~370 MB cloned and 51 blog posts deep, is the most complete public demonstration I have read that *privacy by elimination* is implementable at production scale on mobile. The warrant-canary number is the proof of life. The BUSINESS.md warnings are the proof of honesty. The PQ integration is the proof of engineering depth. None of these alone would be enough. Together they are the reason I now treat SimpleX not as a privacy-messenger *competitor* to Signal but as a privacy-messenger *category* — a different thing, doing different work, for users who need what it does and can pay what it costs.

---

References:

docs/BUSINESS.md — the cryptowallet analogy and the data-recovery limitations quoted above.
docs/GLOSSARY.md — the cryptographic definitions referenced in the trade-off analysis.
docs/SIMPLEX.md — the comparison framing with P2P and federated networks used in the decision matrix.
blog/20240314-simplex-chat-v5-6-quantum-resistance-signal-double-ratchet-algorithm.md — the post-quantum defense against "record now, decrypt later" referenced in the threat-model discussion.
docs/TRANSPARENCY.md — the 2025 disclosure record (12 requests, 0 records produced) used throughout the series.