Privacy
Ohiyo Privacy Threat Model
Effective June 27, 2026
Ohiyo is trying to be easier than SimpleX and more private than Discord. That means being clear about the line: Ohiyo protects private content with end-to-end encryption, but a Discord-like social app still creates metadata. This page says what we defend, what we do not defend yet, and what tradeoffs remain.
Assets we are protecting
- Message and call content: plaintext text, edits, private file names/types, private attachment bytes, and media frames in encrypted conversations/calls.
- Conversation safety: identity-key changes should be visible instead of silent, and removed group members should not read future messages.
- Behavioral privacy: typing, read status, presence, activity, and attachment metadata should be reduced when you opt into privacy features.
- Device-local secrets: desktop caches and key material should live behind the native encrypted vault on platforms where the desktop app can use it.
Threat actors we design against
The hosted Ohiyo server
The official server relays ciphertext and operates accounts, homes, invites, uploads, and calls. It should not receive plaintext for encrypted private content.
Network observers
TLS protects normal web traffic in transit. Custom homes and Tor Browser/.onion homes can limit which server learns your IP address, but traffic timing and volume can still leak to anyone watching the connection.
Curious or malicious members
Members can screenshot, copy, record, forward, or reveal content they can legitimately see. E2EE cannot stop a recipient from disclosing plaintext.
Stolen or compromised devices
Local encryption helps, but malware, an unlocked session, browser extensions, or a compromised OS can read what your client can read.
Current privacy protections
| Area | What Ohiyo does now | Remaining metadata |
|---|---|---|
| DMs and private groups | Signal-style end-to-end encryption for plaintext content, with identity-change warnings and group rekeying. | Participants, account IDs, home/server routing, message timestamps, ciphertext sizes, and delivery state still exist. |
| Privacy Mode | Suppresses typing indicators, online/idle/activity presence, watch presence, and peer-visible DM seen receipts. | Messages still route through the server; joining a voice room still reveals participation to that room. |
| Private DM links | One-time high-entropy links/QR codes; server stores scoped token digests, not raw tokens; creator can revoke. | After redemption, both accounts are connected by a normal DM relationship. |
| Message padding | Plaintext is padded into bounded length buckets before encryption, so small differences in message length are harder to infer from ciphertext size. | Large messages, send timing, recipient set, and total traffic patterns are not hidden. |
| Private attachments | In encrypted chats, dropped files are encrypted client-side; server sees generic encrypted blobs instead of real file names/types. | Uploader, destination, upload time, retention, and encrypted blob byte size are still visible to the relay. |
| Desktop cache | Sensitive desktop cache namespaces are routed through the Tauri encrypted vault allowlist. | The web app remains constrained by browser storage. A compromised unlocked device can still expose visible content. |
| Custom homes and Tor | You can add a self-hosted/custom Ohiyo home. Tor users can add an http://…onion home from Tor Browser. | The desktop app does not yet provide a built-in SOCKS/Tor proxy switch; OS or browser routing still matters. |
What the hosted service can still know
- Account metadata: username/display name, password hash, sessions, linked devices, preferences, roles, server membership, and moderation state.
- Routing metadata: which account/device/channel/home needs a message, the time a message is sent or fetched, and ciphertext/file sizes.
- Social graph metadata: server membership, channels, DMs after they are created, one-time link redemption results, and invite/role relationships.
- Voice metadata: voice rooms require the server to route signaling and media. Other room participants can know you joined, and relay infrastructure can see connection metadata even when the media itself is encrypted.
- Push metadata: content-free push for sleeping servers can reveal device endpoint/token, recipient id, platform, and delivery time to the relay/APNs/FCM/Web Push provider. Payloads should not contain message text, channel names, filenames, or keys.
- Operational metadata: IP-derived rate-limit keys, request logs, crash/error details, abuse-prevention signals, backups, and infrastructure metrics.
What Ohiyo does not currently promise
- No anonymity guarantee: Ohiyo accounts and communities are designed for convenience, not anonymous-by-default communication.
- No SimpleX-level metadata isolation: Ohiyo does not yet use pairwise per-contact queue IDs, separate relay queues for every relationship, or default Tor routing.
- No protection from endpoints: if your device, browser, OS, or recipient is compromised, encrypted content can be captured after decryption.
- No independent audit yet: the code is open source and tested, but this launch build has not completed a third-party cryptography/security audit.
- No invisibility in calls: calls work in Privacy Mode, but joining a voice room still reveals participation to that room.
Comparison: Discord-like ease vs. SimpleX-style privacy
SimpleX is stronger when your top priority is metadata minimization: no stable global user ID, pairwise queues, private routing, padding, proxy/Tor support, and local-only profiles. Ohiyo intentionally keeps Discord-like affordances — servers, channels, searchability inside your community, multi-device convenience, browser access, voice/video/screen-share, and one-tap onboarding. Those features create metadata. Ohiyo's approach is to keep the easy product while adding opt-in privacy layers that reduce the loudest leaks.
Roadmap
- Paranoid/private DM mode with stronger contact isolation and shorter server retention.
- More uniform traffic padding and batching where it does not make chat feel broken.
- Built-in desktop proxy/Tor configuration instead of relying only on browser/OS routing.
- More local-first encrypted storage and clearer data export/deletion controls.
- Reproducible build notes, external audit prep, and a living protocol/security whitepaper.
How to choose the right mode
- Everyday privacy: use the hosted web app or desktop app, enable Privacy Mode when you do not want presence/typing/read signals, and verify safety numbers for sensitive contacts.
- Community ownership: self-host or choose a trusted custom home so your group controls the server and data-retention policy.
- Network privacy: use Tor Browser with an onion Ohiyo home when hiding your IP from the home matters. Do not assume the desktop app is Tor-routed unless your OS/network is configured for it.
- High-risk anonymity: use a tool designed around metadata minimization from the ground up, such as SimpleX, until Ohiyo's paranoid mode exists.
This threat model is a living document. If code and this page disagree, the code wins and this page should be fixed.