Type: Decentralized metadata-private messenger — Tor-native
Access: Windows, Mac, Linux, Android
Account required: No personal info — random identifier
Phone number required: No
Central server: None
Tor routing: Default — all connections through Tor
Metadata collected: None
Open source: Yes — fully auditable
Developer: Open Privacy Research Society — Canada
Last verified: March 2026
What Is Cwtch?
Cwtch — pronounced “cutch,” a Welsh word for a small safe hiding place — is a decentralized, metadata-resistant group messaging application developed by the Open Privacy Research Society in Canada. It is designed around a single core principle: no metadata should exist about who communicates with whom, when or how often.
Every connection in Cwtch runs through Tor hidden services. When you send a message, it travels from your device’s Tor hidden service to the recipient’s Tor hidden service — neither party knows the other’s real IP address, and no intermediary server exists to record that the communication happened at all. This architecture places Cwtch among the strongest available tools for metadata-private communication alongside Briar — and ahead of Signal, Session and every other mainstream privacy messenger in terms of metadata protection.
How to Install Cwtch
- Download Cwtch from cwtch.im — available for Windows, Mac, Linux and Android
- Linux users can install through Flatpak:
flatpak install flathub im.cwtch.cwtch - Android users can install via F-Droid — add the Open Privacy repository
- Open Cwtch — no registration, no form, no fields
- Create a profile — enter a display name only. Use a pseudonym
- Cwtch generates a Tor hidden service address as your unique identifier
- Wait for Tor to connect — indicated by a status change in the interface
First connection time: Like Briar, Cwtch’s initial Tor connection takes several minutes. Subsequent launches are faster. Desktop users can keep Cwtch running in the background for faster availability.
Cwtch’s Metadata Protection — What Makes It Different
Most encrypted messengers protect message content through end-to-end encryption but leave metadata exposed — who you talk to, when, how often and for how long. This metadata is often more revealing than content. Intelligence agencies have stated that metadata alone is sufficient to build detailed pictures of a person’s relationships, activities and intentions.
Cwtch addresses metadata at the architectural level — not through policy promises but through design choices that make metadata collection technically impossible:
| Metadata Type | Cwtch | Signal | Session |
|---|---|---|---|
| Who you talk to | ✅ Not knowable | ⚠️ Signal sees contact graph | ⚠️ Nodes see partial data |
| When you communicate | ✅ Not recorded | ⚠️ Logged on servers | ⚠️ Node-visible |
| Your IP address | ✅ Hidden — Tor | ✅ Hidden if using Signal’s proxy | ⚠️ Visible to nodes |
| Message frequency | ✅ Not observable | ⚠️ Potentially observable | ⚠️ Partially observable |
| Group membership | ✅ Private | ⚠️ Known to Signal | ⚠️ Partially known |
How Cwtch Groups Work
Cwtch’s group messaging architecture is technically novel — it solves the problem of group communication without creating a server that knows all group members.
Groups in Cwtch use a server component — but the server is a simple message relay that knows nothing about the messages it handles. Messages are encrypted before they reach the server, the server cannot read them and it does not know which Cwtch identities are members of the group. The server sees only encrypted blobs arriving and departing — no participant identities, no message content, no communication patterns.
Server operators can be anyone — the Open Privacy team runs public servers, and users can self-host a Cwtch server for maximum control. Running your own Cwtch server for your group eliminates the need to trust any third-party server operator.
Cwtch vs. Briar — The Two Strongest Options
Cwtch and Briar are the two messengers that provide the strongest metadata protection currently available. Both are Tor-native, both have no central server and both are open source. The choice between them depends on specific use case requirements:
| Feature | Cwtch | Briar |
|---|---|---|
| Desktop support | ✅ Windows, Mac, Linux | ⚠️ In development |
| Async messaging | ✅ Yes — via server relay | ❌ Both online needed |
| Offline messaging | ❌ No | ✅ Bluetooth + WiFi |
| Group metadata privacy | ✅ Strongest | ✅ Strong |
| Self-hostable server | ✅ Yes | ❌ No server model |
| iOS support | ❌ No | ❌ No |
| Best for | Desktop + async group communication | Android + offline scenarios |
Self-Hosting a Cwtch Server
Running your own Cwtch server for your group provides the strongest available configuration — no third-party server operator has any access to group communication metadata, however limited that access already is on public servers.
Requirements: A Linux server or VPS with Tor installed, Docker or direct installation of the Cwtch server binary and a stable internet connection.
What self-hosting provides:
- No third-party involvement in group message relay
- Full control over server retention policies
- Independence from public server availability and policies
- The server’s .onion address is known only to group members
What it doesn’t change: Message content is already encrypted before reaching any server — self-hosting does not improve content security. It improves operational security by eliminating a third-party relay operator from the trust chain.
Cwtch’s documentation at cwtch.im covers the server installation process in detail. The server binary is open source and available in the same repository as the client.
Practical Limitations
No iOS support. Like Briar, Cwtch has no iOS app. The combination of Tor hidden service requirements and Apple’s background process restrictions has prevented a production iOS implementation. iOS users must use Session or Signal for privacy messaging.
Smaller user base. Cwtch’s stronger privacy requirements create more friction than mainstream messengers — the result is a smaller user base. Convincing contacts to adopt Cwtch is harder than convincing them to adopt Signal, which is a mainstream recommendation. The tool is most useful in contexts where all participants have a genuine privacy requirement that motivates adoption.
Performance over Tor. All connections run through Tor — this adds latency compared to direct connections or even Session’s node network. Message delivery is slower than Signal or WhatsApp. For real-time chat where speed matters, this is a meaningful limitation.
Active development. Cwtch is actively developed but less mature than Signal or Session. Expect occasional bugs and interface rough edges. Report issues through the Open Privacy project’s channels — it is an actively maintained open source project.
Cwtch for Organizations and Activist Groups
Cwtch’s strongest use case is organized groups — activist collectives, journalist teams, legal support networks and organizations operating in adversarial environments where both content and relationship metadata must be protected.
The group architecture specifically addresses organizational needs:
- Group membership is not exposed to the server — an adversary who seizes a Cwtch server learns nothing about who is in which group
- Self-hosted servers eliminate third-party operators entirely from the trust chain
- Desktop support allows use on organizational computers rather than requiring personal phones
- No phone number requirement means members can participate without tying their organizational role to their personal phone identity
Canadian Jurisdiction
Cwtch is developed by the Open Privacy Research Society in Canada. Canada is a Five Eyes member — the same intelligence-sharing concern that applies to Session’s Australian jurisdiction. The practical mitigation is similar: Cwtch’s architecture means the Open Privacy team has no access to communications or metadata to hand over under compulsion. There are no message logs, no contact graphs and no IP addresses stored anywhere in the system.
A Canadian legal order against the Open Privacy Research Society yields no useful surveillance data because the data does not exist in a form that can be compelled.
Frequently Asked Questions
What does “Cwtch” mean?
Cwtch is a Welsh word — it means a small storage space, a cubbyhole or a safe hiding place. In South Wales English it also means a cuddle or hug. The name was chosen to reflect the application’s design purpose: a safe, private space for communication. The pronunciation is roughly “cutch” — rhymes with “hutch.”
How does Cwtch compare to Signal for everyday use?
Signal is significantly easier to use, has a larger user base and supports iOS. For everyday communication where your primary concern is message content privacy, Signal is the more practical choice. Cwtch is the stronger tool when metadata privacy — hiding who you communicate with and when — is as important as content privacy. The two tools serve overlapping but distinct use cases. Many privacy-conscious users maintain both: Signal for everyday communication, Cwtch for communication where relationship metadata must be protected.
Can I use Cwtch to communicate with Signal users?
No — Cwtch and Signal use incompatible protocols. There is no bridge between them. Both parties must use Cwtch for Cwtch communication. For cross-platform secure messaging, PGP-encrypted email provides a common format that works between any email clients.
Is Cwtch suitable for large groups?
Cwtch is designed for small to medium groups — a dozen to a few dozen members. Very large groups create performance challenges because Cwtch’s architecture requires more coordination overhead than centralized messaging systems. For large-scale community communication, platforms like Session’s open groups or Briar’s forums provide better scalability at some cost to metadata privacy.
How do I add contacts in Cwtch?
Cwtch generates a unique identifier for your profile — a long Tor hidden service address. Share this identifier with contacts through a secure channel. They add it to their Cwtch client and a connection request goes through Tor. You confirm the request and the contact is added. As with Briar, there is no central directory to search — contacts must be added through direct identifier exchange, which provides an additional layer of protection against unwanted contact from unknown parties.