xmr.club
/tools · verified 2026-05-13

Cwtch

Tor-only multi-party chat. No accounts, no servers, every conversation an ephemeral .onion.

At a glance

Grade: A
KYC posture: anonymous signup
Fees: Free · Tor-only · multi-platform · ephemeral groups
Last verified: 2026-05-13
Operating since: 2018 · 8y (WHOIS redacted, likely .io or hidden TLD; operating_since estimated from archive.org first snapshot 2018)
Why grade A?

Best evidence tier. Signup tested end-to-end by xmr.club curator — deposit + withdrawal + edge cases. No-KYC posture verified at retail volume. Last_verified within 12 months.

Full rubric + 7-step verification walkthrough at /methodology.

Review

Cwtch is the Tor-only multi-party messenger where every user is a `.onion` address — a metadata-resistant chat application from the Open Privacy Research Society in which group conversations live on ephemeral onion services hosted by participants themselves, with no central registry, no phone numbers, no email. Listed at Grade A because Cwtch occupies a structurally unique position in the privacy-messenger landscape: it eliminates the operator-infrastructure surface that even SimpleX retains, by making each user's identity *literally* a Tor onion address rather than an account on someone's server.

Background. Cwtch (pronounced "kutch" — a Welsh word meaning "a safe place / a hug") was created by Sarah Jamie Lewis at the Open Privacy Research Society (Vancouver-based not-for-profit research org focused on privacy primitives). Lewis is also the author of "Queer Privacy" and has been a long-running voice in privacy research focused on threat models that involve coercion, intimate partner surveillance, and state-actor pressure on marginalised communities — threat models the mainstream privacy-tooling community has historically under-served. Cwtch has been in active development since 2018, with stable cross-platform releases since around 2021. Open source under the MIT license (with some BSD-licensed dependencies); codebase at https://git.openprivacy.ca/cwtch.im/cwtch. Cross-platform: macOS, Windows, Linux, Android (iOS not supported due to Apple's restrictions on background networking that Cwtch's architecture requires). Funded by Open Privacy donations + grants (Open Tech Fund and similar); no commercial entity behind the project.

What you trust.

  • You are your `.onion` address: when you create a Cwtch profile, you generate a Tor v3 onion service running locally on your device. Your contact information *is* the .onion address. Adding contacts means exchanging .onion addresses (via QR code in person, via a Signal/PGP side-channel, or via the in-app Introduction workflow).
  • Group chats are ephemeral onion services: when you start a group chat, one participant hosts a temporary onion service for it; messages route through Tor to that service; participants subscribe via Tor. When the host closes the chat, the service vanishes.
  • No central server: there is no Cwtch-operated infrastructure. Every conversation happens between participants' devices over Tor onion routing.
  • Metadata resistance: Cwtch's design specifically targets metadata leaks. There is no centralised database of who-talks-to-whom, no phone-number directory, and no account-to-identity mapping.
  • Open-source codebase: the source is auditable; releases are signed; reproducible-build documentation exists.
  • Profile-per-context: you can run multiple Cwtch profiles on the same device (each is a separate .onion identity), allowing per-context identity compartmentalisation.

What you don't trust.

  • Your device: Cwtch profiles persist locally; if your device is seized, the conversation history is at risk (mitigated by per-profile passphrases).

iOS support is absent: Apple's restrictions on Tor and background networking prevent a Cwtch iOS port.

Operational specs.

  • Platforms: macOS, Windows, Linux desktop apps; Android. No iOS, because Apple's policies make a port impractical.
  • Identity: per-profile Tor v3 onion service generated on device; the `.onion` address is your contact information.
  • Multiple profiles: yes. Separate profiles can run on the same device, each with its own .onion identity.
  • Profile encryption: optional passphrase per profile; the profile data is encrypted at rest.
  • Contact addition: in-person QR-code exchange (highest-trust workflow), .onion address shared via side-channel, or the in-app Introduction workflow (a mutual contact introduces you).
  • Group chats: ephemeral onion services hosted by participants; multi-party text + small attachments.
  • File transfers: small files supported within chats; larger transfers handled by sidecar tools (OnionShare is recommended for files too large for Cwtch to handle gracefully).
  • Server (advanced feature): optional persistent group-hosting server. A Cwtch user can run a "Cwtch server" (separate binary) to host long-running group chats that survive the original participant going offline. The server sees encrypted ciphertext but not message content, similar to the Matrix homeserver model.
  • Tor integration: Cwtch bundles its own Tor instance or can use a system Tor; the entire app's networking is Tor-routed.

Philosophy. Cwtch's editorial differentiator is the identity-as-onion-address model. SimpleX uses queue servers (operator infrastructure for message delivery); Signal uses a centralised server (operator infrastructure for everything); Briar uses peer-to-peer-over-Tor (no operator but no offline message delivery). Cwtch sits in a unique slot: peer-to-peer with onion services as identity primitives, optional persistent servers for groups that need always-on hosting, and an explicit research focus on coercion-resistant threat models (Open Privacy's research mandate). The Welsh-language name and the explicit framing for marginalised threat models signal the project's design philosophy: privacy isn't a one-size-fits-all engineering problem; it depends on whom you're protecting from.

Grade rationale. Grade A reflects:

  • open-source MIT license codebase;
  • Open Privacy Research Society organisational backing (not-for-profit research org, public mission);
  • 7+ years of operational continuity (since 2018);
  • cross-platform desktop + Android (macOS, Windows, Linux, Android);
  • no central server, no operator infrastructure to subpoena;
  • identity-as-onion-address model (the strongest decoupling of identity from any central registry);
  • ephemeral group chats as default (groups vanish when participants leave);
  • profile-per-context support for identity compartmentalisation;
  • named maintainer (Sarah Jamie Lewis) with public identity and research track record;
  • explicit design focus on coercion-resistant threat models often under-served by mainstream privacy tooling.

Last verified 2026-05-13.

Useful when.

  • You need a messenger where your identity isn't tied to a phone number, email, or username on someone's server; Cwtch's onion-address-as-identity is the canonical pick.
  • You're in a threat model where coercion is a credible risk; Cwtch's project mandate includes explicit consideration of these scenarios.
  • You want ephemeral group chats that disappear when the host closes them, which is Cwtch's default model.
  • You want to compartmentalise identities by running multiple Cwtch profiles on the same device (personal, activism, research) with no link between them.
  • You're building research or activist infrastructure and want a messenger that the Open Privacy Research Society explicitly designed for the threat models you care about.
  • You're on an Android or desktop stack and want a Tor-only messenger that pairs with Tor Browser, OnionShare, and Whonix in your privacy stack.

Caveats.

  • No iOS: desktop and Android only; iOS users need an alternative (SimpleX, Briar).
  • Tor latency: Cwtch's networking is entirely Tor-routed; expect Tor's typical latency (200ms-2s) on message send/receive. For real-time chat with low latency expectations, this is a source of friction.
  • Smaller ecosystem than SimpleX or Signal: fewer contacts are likely to already use Cwtch; you'll be onboarding people one at a time.
  • No message delivery to offline recipients: like Briar, pure-P2P Cwtch chats require both parties to be reachable (Tor-online) for messages to flow. The persistent-server feature (advanced) addresses this but adds operational complexity.
  • Persistent-server feature is a separate trust evaluation: if you run a Cwtch server for groups, that server is now operator infrastructure (encrypted ciphertext only, but still metadata-visible). Pure-P2P Cwtch has the strongest trust model; server-mediated Cwtch is a trade-off.
  • No native voice/video: Cwtch is text-and-small-files; for voice/video, use Signal or Element.
  • Profile loss is unrecoverable: your onion service is your identity; lose the device or the profile data, and that identity is gone (along with any conversation history attached). Plan for device replacement: export profile data to a secure backup, or accept identity loss when the device dies.
  • File transfers are limited: for files larger than a few MB, Cwtch's chat interface is awkward; use OnionShare for proper file-transfer workflows and Cwtch for the conversation around them.
  • Performance on Android can be uneven: Cwtch is resource-heavier than typical messengers because of the bundled Tor instance; on older Android devices, expect noticeable battery use.
  • The Welsh name is intentional but unfamiliar: "Cwtch" pronounced "kutch" can confuse contacts who don't know the project; the rest of the privacy stack uses English-named tools.

Links

Sourced from operator pages — verify identity via more than one channel before trusting time-sensitive instructions.

Audit trail — receipts for the editorial claim

  • UPSTREAM Up · HTTP 200 · 561ms · checked 2h ago
  • ONION No .onion mirror listed
  • MANUAL Last manual verification 2026-05-13 (<90d)
