Plain-English Threat Model

This page explains what Atopos is designed to protect, what it cannot protect, and the trade-offs involved. It is not a guarantee of anonymity. It is not a claim of perfection. It is an explanation of reality.

What Atopos protects very well

Message contents

  • Messages are encrypted on your device.
  • The server never sees message contents.
  • Messages are end-to-end encrypted; we do not have keys to decrypt them.

If someone intercepts traffic, they see encrypted data — not conversations.

Encryption keys

  • Keys are generated on your device.
  • Keys are split into shards.
  • Shards are never reconstructed on the server.

Even a full server compromise does not reveal keys.

Message history

  • Messages are never stored on our servers.
  • When a room ends, the service forgets it.

There is no server-side archive to extract or subpoena later.

Provability

  • Rooms are not tied to identities.
  • Participation cannot be reliably proven after the fact.

Atopos is designed for deniability, not record-keeping.

What Atopos limits (but cannot eliminate)

Network metadata

Depending on how you connect, an observer may see:

  • That your device is sending encrypted traffic
  • When traffic is sent
  • Approximate traffic volume

What they cannot see:

  • Message contents
  • Room names
  • Participants
  • Keys

Using Tor Browser and Mixnet significantly reduces metadata exposure.

Timing analysis

A very advanced observer might attempt to correlate:

  • When messages are sent
  • When encrypted packets move through the network

Mitigations:

  • Mixnet introduces batching and delays
  • Ephemeral rooms limit long-term correlation

This makes correlation difficult — not impossible.
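
To make "difficult, not impossible" concrete, the following is an added example, not Atopos code and not a model of its actual Mixnet: a toy simulation that scores how well an observer's packet counts on the sending side line up with counts on the receiving side, with and without batching. The 30-second flush interval, 10-second random delay, traffic shape and all function names are assumptions chosen for illustration.

```python
import random

def bursty_sends(rng, bursts=12, per_burst=20, duration=3600.0):
    """Constructed sample: send times (s) for a chat-like, bursty sender."""
    times = []
    for _ in range(bursts):
        start = rng.uniform(0, duration - 100)
        times += [start + rng.uniform(0, 60) for _ in range(per_burst)]
    return sorted(times)

def direct_relay(sends, latency=0.05):
    """No mixing: each packet leaves a fixed latency after it was sent."""
    return [t + latency for t in sends]

def batching_mix(sends, rng, interval=30.0, max_delay=10.0):
    """Toy mix (assumed parameters): random delay, then release at next flush."""
    out = []
    for t in sends:
        held = t + rng.uniform(0, max_delay)
        out.append((int(held // interval) + 1) * interval)
    return sorted(out)

def bin_counts(times, window, duration=3600.0):
    """Packets per time window, which is all a passive observer can count."""
    n = int(duration // window) + 1  # +1 so late arrivals still land in a bin
    counts = [0] * n
    for t in times:
        counts[min(int(t // window), n - 1)] += 1
    return counts

def pearson(a, b):
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / (va * vb) ** 0.5 if va and vb else 0.0

def linkage(sends, arrivals, window):
    """Correlation between what left the sender and what arrived elsewhere."""
    return pearson(bin_counts(sends, window), bin_counts(arrivals, window))

def demo(seed=7):
    rng = random.Random(seed)
    sends = bursty_sends(rng)
    mixed = batching_mix(sends, rng)
    return {"direct_1s": linkage(sends, direct_relay(sends), 1.0),
            "mixed_1s": linkage(sends, mixed, 1.0),
            "mixed_300s": linkage(sends, mixed, 300.0)}

if __name__ == "__main__":
    for name, score in demo().items():
        print(f"{name}: {score:.2f}")
```

Batching removes the second-by-second match, but an hour of bursty traffic still correlates when counted in five-minute windows, which is why shorter-lived rooms give an observer less to work with.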

What Atopos cannot protect against

Compromised devices

  • Malware can read your screen.
  • Keystrokes can be captured.
  • Messages can be seen while you are typing.

No encryption system can protect a compromised endpoint.

Physical observation

If someone can see your screen, hear your conversation, or watch you type, they may learn information outside the system. Atopos protects data — not physical surroundings.

User behavior

Atopos cannot stop users from sharing identifying details, reusing recognizable names, or discussing personal information. Privacy depends partly on how the system is used.

How to reduce your risk further

You don't need all of these — but each adds protection:

  • Use a new browser profile or private window
  • Avoid being logged into personal accounts
  • Use Tor Browser to hide your IP address
  • Use Mixnet when available to reduce traffic analysis
  • Enable Extra Lock for rooms that require stronger local protection
  • Delete local keys when leaving a room

Security is layered. You choose how far to go.

What we deliberately do not claim

We do not claim:

  • Perfect anonymity
  • 'Untraceable' communication
  • Immunity from all attackers
  • Military or government certification

We believe honest limits build more trust than exaggerated claims.

In one sentence

Atopos is designed so that even powerful attackers cannot reliably read messages, identify participants, or prove conversations occurred — but no system can protect against compromised devices or careless use.