Blog

Engineering, privacy, and design notes from the BlindPost team.

Privacy by architecture vs privacy by promise

Every messenger says it cares about your privacy. The real question is whether it architecturally CAN see what it promises not to look at. Promises break under subpoena, acquisition, breach, leadership change. Architecture doesn't.

What it actually means that BlindPost has no phone number

Most messengers ask for a phone number at signup; that number IS the identity. We don't ask. There's no column for it. No SIM-swap takeover, no carrier-record linkage, no subpoena thread back to your real-world name. Recovery: a 12-word mnemonic.

How your account moves between phones without going through our server

WhatsApp / Telegram migrate via cloud — your encrypted blob sits on their servers between phones. BlindPost: old phone and new phone connect over local Wi-Fi, transfer keys + history directly, sealed point-to-point. We see nothing happen.

How your client knows who's allowed to do what in a group

A group's moderation signal carries its own cryptographic proof. The server holds no role table; your client doesn't query any membership state to verify. Owner, admin, member — three layers of authority, all established by signatures.

Why even you can't decrypt the message you just sent

Ephemeral keys, Diffie–Hellman, and the one-way math that makes past sends unreadable to anyone but the recipient — even to the sender after the fact, even if the phone is stolen and the server is breached.

Why BlindPost can host 100,000-member groups

WhatsApp caps at 1,024. Signal at 1,000. We support 100,000 — because our server doesn't fan out, doesn't track membership, and doesn't even know how many people are in any given group.

How long would it take to brute-force a BlindPost mnemonic?

12 words on a piece of paper. 128 bits of entropy. Cracking one would take longer than the universe has existed — by a factor of 780 million.