The Messenger Privacy Scorecard: LINDDUN or Die
Most messenger comparisons are lazy altar rituals.
They ask one soft question: “Does it have end-to-end encryption?”
That is not a privacy analysis. That is a checkbox for normies, procurement departments, and people who think a locked diary inside a glass house is operational security.
A messenger can encrypt your message content while still leaking who you are, who you talk to, when you talk, where you connect from, how often you use the app, and whether you exist on the network at all.
In other words: it can hide the letter while publishing the envelope, the route, the sender, the recipient, and the smell of fear.
So we need a sharper instrument.
That instrument is LINDDUN.
LINDDUN is a privacy threat model built around seven threat categories:
| Letter | Threat | Question |
|---|---|---|
| L | Linkability | Can your actions be linked together over time? |
| I | Identifiability | Can your account or behavior be tied to your real identity? |
| N | Non-repudiation | Can someone prove you used the system or sent something? |
| D | Detectability | Can an adversary detect that you are using the app at all? |
| D | Data disclosure | Can messages, metadata, or stored data leak? |
| U | Unawareness | Are users misled about what the app actually does? |
| N | Non-compliance | Does the service respect privacy obligations, minimization, and resistance to abuse? |
For each category, I split the threat across three attack surfaces:
| Vector | Meaning |
|---|---|
| Account | Login credentials, phone numbers, emails, payment data, identifiers |
| Usage | Metadata, traffic patterns, social graph, timing, device and network exposure |
| Service | What the provider stores, correlates, sells, shares, or can be forced to reveal |
Each LINDDUN category can score from +3 to -3.
Maximum privacy score: +21.
Maximum privacy corpse-fire: -21.
This is not perfect. No model is. But it is vastly better than “my favorite app has encryption, therefore it is private.” That sentence has buried more privacy than most surveillance laws.
The LINDDUN Messenger Scorecard
Legend:
- +3 = excellent mitigation
- +2 = strong mitigation
- +1 = partial mitigation
- -1 = weak or exposed
- -2 = bad
- -3 = actively hostile to privacy
- N/A = not meaningfully comparable as a private messenger
| Rank | Messenger | L | I | N-R | Detect | Data | Aware | Comply | Total | Chapter ZERO Reading |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Briar | +3 | +3 | +3 | +3 | +3 | +3 | +3 | 21 | The clandestine monarch. P2P, Tor, minimal metadata, no central throat to squeeze. |
| 1 | Cwtch | +3 | +3 | +3 | +3 | +3 | +3 | +3 | 21 | Same royal bloodline as Briar. Built for adversarial reality, not app-store comfort. |
| 3 | SimpleX | +2 | +2 | +2 | -1 | +3 | +2 | +2 | 12 | Best serious daily-driver candidate for sovereign messaging. Metadata posture is strong, but usage can still be detectable. |
| 4 | Session | +2 | +2 | +2 | -1 | +1 | +2 | +2 | 10 | Strong anonymity posture, no phone number, useful decentralization. Still not Tor-grade against serious correlation. |
| 5 | Threema | +1 | +2 | +2 | -1 | +1 | +2 | +2 | 9 | Good privacy discipline, paid model, more anonymous than Signal when used correctly. Less universal. |
| 6 | Wire | +1 | +1 | +2 | -1 | +1 | +2 | +2 | 8 | Technically respectable, but enterprise-shaped. Better for organizations than clandestine private life. |
| 7 | Signal | +1 | +1 | -1 | -1 | +2 | +2 | +2 | 6 | Excellent encryption, huge adoption, but phone-number gravity poisons the privacy well. Best bridge to normal humans. |
| 8 | Matrix | +1 | +1 | +1 | -1 | +1 | +1 | +1 | 5 | Great for communities and federation. Not the best private chat tool. Useful infrastructure, not a stealth blade. |
| 9 | Telegram | -1 | +1 | -1 | -1 | -2 | -2 | -1 | -7 | Convenience masquerading as privacy. Better than SMS, which is like saying ash is better than sewage. |
| 10 | Viber | -2 | -2 | -3 | -3 | +1 | -1 | -1 | -11 | Some encryption does not redeem the metadata furnace. |
| 10 | Discord | -2 | -2 | -2 | -2 | -1 | -1 | -1 | -11 | Community tool, gamer palace, surveillance sponge. Never private. |
| 12 | iMessage | -2 | -2 | -3 | -3 | -1 | -1 | -1 | -13 | Better than SMS only because SMS is a fossilized privacy crime. Defaults matter. |
| — | Slack | -3 | -3 | -3 | -3 | +1 | — | — | N/A | Workplace surveillance wearing a chat costume. Do not treat it as private. Ever. |
| 13 | WhatsApp | -3 | -3 | -3 | -3 | +1 | -3 | -3 | -17 | E2EE content, metadata empire. Meta does not become a monastery because one room has a lock. |
| 13 | Facebook Messenger | -3 | -3 | -3 | -3 | +1 | -3 | -3 | -17 | Same empire, same incentives, same corpse perfume. |
| 13 | RCS | -3 | -3 | -3 | -3 | +1 | -3 | -3 | -17 | SMS with a new jacket and one useful encryption patch. Still structurally awful. |
| 16 | Snapchat | -3 | -3 | -3 | -3 | -3 | -3 | -3 | -21 | Privacy-negative by design. The van has candy and push notifications. |
| 16 | SMS | -3 | -3 | -3 | -3 | -3 | -3 | -3 | -21 | The bottom. Plain old telecom betrayal. Use only when failure is acceptable. |
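
The scoring rules above (seven categories, each from +3 to -3, summed into a total, ties sharing a rank) can be checked mechanically. This added example, not the author's code, recomputes totals and ranks from rows in the table's format and flags rows whose columns have shifted; the function names and the last sample row are constructed here.

```python
import re

CATEGORIES = ["L", "I", "N-R", "Detect", "Data", "Aware", "Comply"]

# Scorecard rows (reading column shortened); the last row is constructed.
SAMPLE = """\
| 1 | Briar | +3 | +3 | +3 | +3 | +3 | +3 | +3 | 21 | ... |
| 1 | Cwtch | +3 | +3 | +3 | +3 | +3 | +3 | +3 | 21 | ... |
| 3 | SimpleX | +2 | +2 | +2 | -1 | +3 | +2 | +2 | 12 | ... |
| 7 | Signal | +1 | +1 | -1 | -1 | +2 | +2 | +2 | 6 | ... |
| — | Slack | -3 | -3 | -3 | -3 | +1 | — | — | N/A | ... |
| ? | Example (constructed) | +1 | -1 | -2 | -1 | +1 | -1 | -2 | -4 | ... |
"""

def num(cell):
    """Parse a signed integer cell; N/A and dash cells give None."""
    return int(cell) if re.fullmatch(r"[+-]?\d+", cell) else None

def parse_row(line):
    """Return (name, seven scores, stated total) for one table row."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    # A numeric "name" means a cell was lost and the columns shifted left.
    if len(cells) != 11 or not cells[1] or num(cells[1]) is not None:
        raise ValueError(f"malformed row: {line!r}")
    return cells[1], [num(c) for c in cells[2:9]], num(cells[9])

def audit(table):
    """Recompute totals and ranks; return (ranking, problems)."""
    scored, problems = [], []
    for line in table.splitlines():
        name, scores, stated = parse_row(line)
        if None in scores:  # not comparable (N/A row): leave unranked
            continue
        bad = [c for c, s in zip(CATEGORIES, scores) if not -3 <= s <= 3]
        if bad:
            problems.append(f"{name}: score outside -3..+3 in {bad}")
        total = sum(scores)
        if stated != total:
            problems.append(f"{name}: stated total {stated}, computed {total}")
        scored.append((name, total))
    scored.sort(key=lambda row: -row[1])  # stable: ties keep table order
    ranking = []
    for i, (name, total) in enumerate(scored):
        # Tied totals share the rank of the first tied row (1, 1, 3, ...).
        tied = i > 0 and scored[i - 1][1] == total
        ranking.append((ranking[-1][0] if tied else i + 1, name, total))
    return ranking, problems

RANKING, PROBLEMS = audit(SAMPLE)
```

`RANKING` holds `(rank, name, total)` tuples for the comparable rows, and `PROBLEMS` lists every row whose stated total or score range does not hold.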
What the Ranking Actually Says
The winners are not merely “apps.”
They are architectures.
Briar and Cwtch win because they attack the real enemy: metadata. They reduce or remove central infrastructure. They do not depend on a benevolent company promising to behave. They do not ask a corporate priesthood to please protect the peasants from the empire.
That matters.
A centralized messenger can be excellent today and compromised tomorrow. It can be subpoenaed. It can be acquired. It can be pressured. It can be slowly boiled in compliance language until all that remains is a branded corpse with encryption stickers.
A decentralized, metadata-hostile messenger changes the battlefield.
There is less to steal.
Less to correlate.
Less to subpoena.
Less to betray.
That is the privacy doctrine Libertaria should care about.
Signal: The Useful Compromise
Signal deserves respect.
It normalized end-to-end encryption for ordinary people. That is not nothing. That is a major civilizational contribution.
But Signal is still chained to the phone-number model. The phone number is not just a login credential. It is a state-adjacent identity handle, a telecom leash, a social graph magnet, and a stalker’s search field.
Signal is the messenger I would give to normal people.
Briar, Cwtch, and SimpleX are what I would give to people who understand that privacy is not a setting. It is a threat posture.
SimpleX: The Serious Daily Driver
SimpleX deserves special attention.
It does not merely say, “Trust us, bro, we encrypt.” It takes aim at identifiers and social graph leakage. It is probably the best candidate for people who want strong privacy without jumping immediately into the deep catacombs of Briar and Cwtch.
Its weakness is not message content. Its weakness is detectability. If your traffic still looks like you are using SimpleX, a serious adversary may not know what you said, but they may know you entered the temple.
That still matters.
The content is not the whole war. Metadata is the artillery map.
Telegram: The Great Privacy Impostor
Telegram is where privacy discourse goes to be embalmed.
It has brand power, groups, channels, convenience, and cultural adoption. But convenience is not privacy. Popularity is not privacy. “Secure enough” is not privacy.
Telegram is useful as a broadcast and community tool. Fine. Use it like a noisy public square.
But do not confuse the public square with a bunker.
For sensitive communication, Telegram is not a private messenger. It is a convenience machine with privacy aesthetics.
WhatsApp, Facebook, RCS, iMessage: The Default Trap
The mass-market messengers fail because their incentives fail.
They are built by companies and ecosystems that benefit from identity, analytics, lock-in, behavioral data, contact discovery, platform control, and compliance-friendly infrastructure.
Yes, some of them have encryption.
Good.
A locked diary inside a glass house is still inside a glass house.
This is the core lesson: end-to-end encryption protects message content; it does not automatically protect identity, metadata, detectability, or social graph exposure.
That is why LINDDUN is useful. It stops the discussion from collapsing into one checkbox.
Matrix: Federation Is Not Automatically Privacy
Matrix is interesting because it scratches the decentralization itch.
Federation matters. Open protocols matter. Community-owned infrastructure matters. Libertaria should pay attention to all of that.
But federation is not invisibility. A federated community tool is not automatically a private messenger. Server logs, room metadata, identity practices, bridges, and operational hygiene all matter.
Matrix is valuable infrastructure.
But for clandestine one-to-one privacy, it is not the blade I would reach for first.
Chapter ZERO Position
From Chapter ZERO, my position is simple:
Privacy is not a product category. It is an adversarial design discipline.
A private messenger should minimize trust.
Minimize stored data.
Minimize identifiers.
Minimize metadata.
Minimize corporate discretion.
Minimize the number of throats an empire can choke.
The correct stack is not one messenger for everything.
It is a layered doctrine:
| Use Case | Recommended Tooling |
|---|---|
| Normal humans / adoption bridge | Signal |
| Serious private daily communication | SimpleX |
| Hardcore sovereign circles | Briar / Cwtch |
| Resilient activist or dissident communication | Briar first, Cwtch also worth testing |
| Communities and federated rooms | Matrix |
| Public broadcast / noisy network effects | Telegram, but never treat it as private |
| Corporate coordination | Wire or Slack, but only with workplace assumptions |
| Anything sensitive | Never SMS, never RCS, never Facebook Messenger, never Snapchat |
The privacy war will not be won by asking corporations to behave better.
That is toddler politics.
The privacy war is won by removing their ability to betray us.
No central server where possible.
No phone number where possible.
No metadata where possible.
No advertising business model.
No magical trust in compliance departments.
No worship of convenience.
Briar and Cwtch are not winning because they are shiny. They are winning because their architecture says the forbidden sentence out loud:
The safest data is the data that never existed.
That is the doctrine.
Everything else is negotiation with the panopticon.