Anonymity Lifecycle
Connect's privacy design is organized around four layers: identity (keypair-only, no PII), network (no IP traffic in offline mode), social (no global namespace; contacts know you only by a name you choose to share), and temporal (forward secrecy and optional message expiry). These layers do not hold equally at every phase of a relationship, and they mean different things depending on who the adversary is.
A distinction that runs throughout: Connect provides strong anonymity from strangers at every phase. Anonymity from contacts is not a design goal — contacts know you because you deliberately chose to meet them. The NFC tap is a voluntary de-anonymisation event between two people. Everyone else retains zero information.
This page traces each layer from the first NFC tap through BLE discovery, feed replication, the optional Tor relay, and key revocation, identifying where anonymity is structural (architecturally guaranteed), where it degrades (residual risk), and where it disappears by design.
Layer 1 — Identity Anonymity
A user's cryptographic identity is an Ed25519 keypair. No name, phone number, email, or other PII is required or stored by the protocol. The feed_id is SHA-256(identity_key.pub) — a stable pseudonym meaningful only to contacts who have already exchanged keys in person.
| Phase | Anonymity to strangers | Anonymity to contacts | Notes |
|---|---|---|---|
| Before first tap | Full — device broadcasts only a rotating unlinkable beacon | N/A | No identity revealed at any point |
| NFC / QR tap | Revealed to the specific contact being added | Revealed by design | Ed25519 pubkey exchanged; display name optional and user-chosen |
| BLE sync (post-tap) | Full — mutual auth gated by shared key; strangers see no identity | Contacts know the keypair | Shared key is never broadcast |
| Feed replication | Full — relays see only ciphertext | Contacts can verify authorship | feed_id is stable but only known to contacts |
| Online / Tor relay | Full from relay operator | Contacts unchanged | Tor .onion address shared only with contacts, encrypted |
| Key revocation | Full from non-contacts — bloom filter avoids revealing who the revoker knows | Contacts learn of the rotation | old_key_id propagates only to contacts who hold the old key |
Residual risk: feed_id is a stable pseudonymous identifier across all messages. Any contact who obtains the feed can link all posts to that identity — this is by design. Structural mitigation: feeds are shared only with direct contacts; friends-of-friends replication is explicitly disabled.
Layer 2 — Network Anonymity
No network observer — ISP, backbone, relay operator — can determine who is communicating, when, or how often.
| Phase | Offline mode | Tor online mode |
|---|---|---|
| NFC tap | No network traffic | No network traffic |
| BLE discovery | No IP packets; observer bounded to physical proximity | No network traffic |
| BLE / WiFi Direct sync | No internet-routable packets; content E2E encrypted over the air | No network traffic |
| Tor relay (opt-in) | N/A | .onion service — operator sees opaque ciphertext; guard node sees user IP + timing |
| Feed replication | No network traffic | Relay sees the circuit, not content or identity |
Structural guarantee in offline mode: there is literally no network traffic to intercept. A backbone-level adversary observing all IP traffic sees nothing. This is the core "never-online" design advantage — see Vision & Principles.
Tor mode degradation: the guard node learns the user's IP and that they run a Tor hidden service. Traffic correlation attacks (adversary controlling both the guard node and the destination) are probabilistic. Cover traffic reduces but does not eliminate this risk.
What breaks network anonymity entirely: routing traffic via a non-Tor internet path. Connect must not offer a direct relay fallback as a default.
Layer 3 — Social Anonymity
No global username namespace exists. Contacts know a user by a name they choose to share, or a name contacts assign locally. No directory, no search, no "people you may know".
| Phase | Who knows what |
|---|---|
| Before tap | No one. Device is a rotating beacon. |
| At tap | The single contact learns: your Ed25519 pubkey, optional display name, timestamp. Nothing else. |
| BLE discovery (post-tap) | Mutual auth uses the shared key. Bystanders see no identity. |
| Feed replication | Only direct contacts receive feed entries. Friends-of-friends gossip is disabled. |
| Group (MLS) | Group members know each other's keypairs within the group boundary. |
| Online relay | Tor .onion address shared only with contacts. Relay cannot reconstruct the social graph. |
| Key revocation | Gossip reaches only contacts who demonstrably hold the old key (bloom filter). |
Structural guarantee: because there is no central directory and no friends-of-friends replication, extracting the social graph requires compromising individual devices. Each device holds only its own local subgraph.
Residual risk — group membership: MLS groups are structurally visible to all group members. A member can enumerate other members, and group membership should be treated as sensitive data within the group boundary. Zero-knowledge group membership proofs for MLS are an open research problem.
Residual risk — contact introductions: the contact_introduction content type pre-stages cryptographic keys for a future physical meeting between two people. This does not bypass physical-first trust (the in-person exchange is still required), but it means a contact can learn that you know someone before the introduction completes — a partial social graph leak.
Layer 4 — Temporal Anonymity
An adversary who obtains a device or captures network traffic at time T cannot reconstruct communication history before T (forward secrecy) or reliably read messages after T (post-compromise security, restored on the next ratchet step).
| Mechanism | What it protects | Scope |
|---|---|---|
| Double Ratchet chain-key deletion | Past messages encrypted under deleted keys | Permanent once deleted |
| DH ratchet step | Post-compromise recovery | One round-trip exchange |
| MLS epoch progression | Group post-compromise security after member removal | Next commit after removal |
| BLE MAC + advertisement rotation | Unlinkability of BLE presence over time | Per rotation interval |
| Message expiry / tombstone | Feed entries marked for soft-delete | Chain stub retained; content dropped |
Forward secrecy in practice: if a device is seized and the OS is not compromised, all messages whose chain keys have been deleted are unrecoverable — even to the device owner. This protection is unconditional for deleted keys.
What breaks temporal anonymity:
- Device seized before chain keys are deleted — the pending receive queue is vulnerable. Post-compromise security restores protection only after the next DH ratchet exchange with the other party.
- Unlocked device seized — the entire local database is readable. App-level SQLCipher encryption (keyed from a separate user PIN) is the defence-in-depth layer here.
- Tombstones preserve chain integrity — the original envelope row is retained; only
content_jsonis dropped locally. A seized device will show a placeholder entry. This is the correct trade-off between chain integrity and content privacy. - BLE chipset fingerprinting — clock drift and RSSI signatures are stable across MAC rotation intervals. A physically co-located passive observer with suitable SDR hardware can correlate a device's presence across rotation events. This is not patchable at the application layer; it is an accepted residual risk.
The Revocation Window
Key revocation is where all four anonymity layers are simultaneously stressed. When a device is stolen, the attacker holds the live keypair and can act as the user until every contact receives a revocation notice.
Device stolen → Attacker holds old keypair
│
├─ Identity: attacker can impersonate until revocation reaches each contact
├─ Network: unaffected (revocation gossip is offline; no IP exposure)
├─ Social: attacker can read feed entries encrypted to old key
└─ Temporal: forward secrecy protects deleted chain keys; pending queue readable
Revocation propagates via BLE gossip:
Alice (new phone) → Bob → Carol (carries notice) → Dave
Speed: bounded by human movement; sparse graphs have no delivery deadline
The race condition: the attacker can continue to publish feed entries and exchange messages with any contact who has not yet received the revocation notice. For groups, any member holding a valid revocation notice can unilaterally commit a Remove — but the attacker may submit harmful proposals before this happens. Speed of propagation matters.
What survives revocation:
- Forward secrecy on deleted keys: past messages remain protected even if the attacker holds the old private key.
- PQXDH protects against retroactive quantum decryption of ciphertext captured before revocation.
- New contacts made by the attacker via impersonation cannot be revoked retroactively — physical re-meeting is the only ground truth.
For the three-tier recovery model (BIP39 mnemonic, Shamir 2-of-3, guardian threshold), see Key Revocation & Recovery.
Properties Summary
| Property | Offline mode | Tor online mode | Locked device seized | Unlocked device seized |
|---|---|---|---|---|
| Identity from strangers | Full | Full | N/A | N/A |
| Identity from contacts | Revealed by design | Revealed by design | N/A | N/A |
| Network from backbone | Full — no traffic | Partial — guard sees IP | N/A | N/A |
| Social graph from non-contacts | Full | Full | N/A | N/A |
| Social graph from contacts | Partial — contacts see their subgraph | Partial | N/A | N/A |
| Temporal / past messages | Full (deleted keys) | Full (deleted keys) | Full (deleted keys) | Partial (pending queue readable) |
| BLE tracking resistance | Partial — MAC rotation helps; chipset fingerprint is residual | N/A | N/A | N/A |
Open Questions
- Is there a practical way to reduce the revocation propagation window below "as fast as human movement" — for example, by issuing each contact a signed delegation certificate that auto-expires and forces re-verification within a bounded period?
- Can contact-introduction messages be redesigned so the introducer does not reveal that they know both parties, while still pre-staging the cryptographic material for a future physical meeting?
- At what BLE rotation interval does the chipset fingerprinting attack (Becker et al., Tracking Anonymized Bluetooth Devices, PoPETS 2019) become impractical given realistic SDR hardware available to a non-state adversary?
- Is the "attacker active in group before Remove" race condition addressable by requiring a minimum quorum of members to acknowledge a revocation before a harmful MLS proposal can be committed?
- How should the app communicate the four anonymity layers to users in plain language — especially the difference between "anonymous from strangers" and "known to contacts"?