Privacy & Security
Privacy isn’t optional—it’s foundational.

Whisper is built as a private coordination protocol for Web3, where wallets are identities and chat is the execution layer. Privacy is not a setting, a policy, or a promise. It is enforced by protocol design.
Most communication systems leak structure, metadata, and intent. Whisper is designed for adversarial environments, where coordination, value transfer, and authorization must remain private even when networks are observed.
This section explains how Whisper protects communication, the security assumptions it makes, the threat model it addresses, and the controls users retain.
1. Core Privacy Principles
Whisper is built around four core privacy principles.
End to End Encryption by Default: Messages are encrypted at the client and can only be decrypted by the intended recipient. No intermediary can access message content.
Zero Trust by Design: All infrastructure is treated as untrusted. Privacy does not depend on honest servers, compliant operators, or policy enforcement.
Wallet Bound Identity: Identity is derived directly from wallet ownership. There are no usernames, emails, phone numbers, or centralized identity providers.
Minimal Metadata Exposure: Whisper avoids presence signals and persistent identifiers. There is no last seen, typing indicator, read receipt, or public social graph.
2. How Whisper Protects Messages
Client Side Encryption: Messages are encrypted before leaving the sender’s device and decrypted only by the recipient.
Asymmetric Cryptography: Each user relies on cryptographic keys derived from their wallet. Messages are encrypted using the recipient’s public key and verified on receipt.
XMTP Transport Layer: Messages are transmitted off chain using XMTP. Relayers forward encrypted payloads without access to content or intent.
No Key Escrow: Private keys never leave the user’s wallet environment. There is no centralized key storage or recovery mechanism.
Ephemeral Conversations: Chats do not rely on global sessions. Each conversation operates independently.
3. Identity and Authentication
Wallet Based Authentication: Users authenticate by signing messages with their wallet. There are no passwords to reset and no accounts to recover.
Direct Identity Binding: Each message is cryptographically tied to a wallet address. ENS names may be used for readability, but they do not create profiles or public identities.
Communication proves control, not reputation.
4. Zero Trust Execution Model
Whisper assumes that networks, relayers, and infrastructure may be monitored or compromised.
Messages remain encrypted at every hop
Actions require explicit wallet signatures
No backend can initiate, alter, or approve actions
Execution only occurs with direct user consent.
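The rules in this section (actions need a wallet signature; no backend can initiate or alter them) can be enforced by a client-side acceptance check like the following added example, which is not Whisper's or XMTP's code. The envelope fields, nonce scheme, and function names are hypothetical, and a freshly generated secp256k1 key with ECDSA over SHA-256 stands in for a real wallet's signing scheme.

```javascript
// Added illustration: hypothetical envelope, not Whisper's or XMTP's wire format.
const nodeCrypto = require('node:crypto');

// Canonical bytes the wallet signs. Field order is fixed so signer and
// verifier hash exactly the same string.
function signingPayload(a) {
  return Buffer.from(JSON.stringify([a.conversation, a.nonce, a.type, a.to, a.amount]));
}

function signAction(action, privateKey) {
  const sig = nodeCrypto.sign('sha256', signingPayload(action), privateKey);
  return { ...action, sig: sig.toString('base64') };
}

// Acceptance rule run by the receiving client, never by a relayer.
function acceptAction(env, senderPublicKey, seenNonces, conversation) {
  if (env.conversation !== conversation) return 'reject: wrong conversation';
  if (seenNonces.has(env.nonce)) return 'reject: replayed nonce';
  const sig = Buffer.from(String(env.sig || ''), 'base64');
  if (!nodeCrypto.verify('sha256', signingPayload(env), senderPublicKey, sig)) {
    return 'reject: bad signature';
  }
  seenNonces.add(env.nonce); // consume the nonce only after a valid signature
  return 'accept';
}

function demo() {
  const newKey = () => nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
  const wallet = newKey();   // stands in for the sender's wallet key (constructed)
  const relayer = newKey();  // untrusted infrastructure holding its own key
  const seen = new Set();
  const base = { conversation: 'conv-1', type: 'transfer', to: '0xPLACEHOLDER', amount: '5' };
  const signed = signAction({ ...base, nonce: 'n-001' }, wallet.privateKey);
  const check = (env) => acceptAction(env, wallet.publicKey, seen, 'conv-1');
  return {
    tampered: check({ ...signed, amount: '500' }), // field altered in transit
    forged: check(signAction({ ...base, nonce: 'n-002' }, relayer.privateKey)), // backend-initiated
    first: check(signed),
    replay: check(signed),
    wrongConversation: check(
      signAction({ ...base, conversation: 'conv-2', nonce: 'n-003' }, wallet.privateKey)),
  };
}

console.log(demo());
```

Because the nonce is recorded only after the signature verifies, an altered or forged envelope cannot burn a nonce and block the genuine action that follows it.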
5. Metadata and Privacy Preservation
Whisper is designed to reduce metadata leakage.
No presence indicators
No public follower graph
No behavioral analytics
No message indexing by identity
Relayers handle encrypted data without visibility into relationships, timing patterns, or intent.
6. Group Communication and Access Control
Whisper supports private coordination among defined counterparties.
Access can be restricted using wallet ownership or cryptographic conditions. Enforcement happens through signatures and message acceptance rules, not centralized moderation systems.
There are no global groups and no discoverable rooms.
7. User Controls and Security Hygiene
Users retain full control over communication and execution.
Messages require explicit acceptance
Transfers and swaps require wallet approval
Conversations can be ephemeral by default
Identity access follows wallet control
Loss of wallet access means loss of communication access. There are no recovery backdoors.
8. Threat Model and Mitigations
Whisper is designed for hostile environments. The table below outlines the main threat vectors and how the protocol mitigates them.
| Threat vector | Description | Mitigation |
| --- | --- | --- |
| Network Surveillance | Traffic is observed to infer communication patterns | End to end encryption and off chain relayed delivery |
| Infrastructure Compromise | Relayers or nodes are breached | Relayers handle encrypted payloads only |
| Metadata Correlation | Timing or presence signals reveal relationships | No presence indicators or public social graph |
| Identity Seizure | Accounts are taken over or censored | No accounts exist, identity is wallet based |
| Message Tampering | Messages altered in transit | Cryptographic authentication and verification |
| Unauthorized Execution | Actions triggered without consent | All actions require wallet signatures |
| Onchain Linkability | Payments reveal wallet history | Stealth addresses and relayed settlement |
| Censorship | Messages blocked by a central operator | No central server or authority |
Whisper’s security properties hold even if infrastructure behaves maliciously.
9. Limitations and User Responsibility
Whisper protects communication at the protocol level, but some risks remain.
Once decrypted, messages exist on the user’s device
Physical access to a device can expose messages
Wallet compromise exposes identity and actions
Users are responsible for securing wallets and devices.
10. Transparency and Governance
Whisper commits to transparency at the protocol level.
Publicly auditable code
External security reviews as the protocol matures
Governance driven upgrades and treasury decisions
Trust is earned through verification.
11. Future Privacy Enhancements
Planned improvements include:
Stronger metadata obfuscation
Selective disclosure using cryptographic proofs
Privacy preserving local tooling
All additions will preserve existing guarantees.
Summary
Whisper replaces fragile communication systems with a private coordination layer built around wallets, signatures, and encrypted execution.
There are no accounts to seize, no servers to trust, and no social graphs to expose.
Communication becomes something you control, authorize, and execute directly.