Welcome to the Invisible.im project website

Invisible.im is a coalition of security experts, developers, and a tech journalist that was established to develop an instant messenger and file transfer tool that leaves virtually no evidence of conversations or transfers having occurred. Invisible.im's goal is to create a messenger platform that generates no meaningful, third-party metadata.

We believe this type of project is most of value to people living under heavily surveilled, oppressive regimes. However, even those in the most free societies may also like to use it if they're uncomfortable with a third party (like a messaging server) keeping a record of all of their conversations.

Today, invisible.im's main focus is supporting the development of Ricochet Messenger.

For more information, please see our FAQ, or subscribe to our development or announcement mailing lists. Or you can contact us at info@invisible.im (KeyID: 0xA355114439F4EF08)

2014-09-17: Update from the Invisible.im Team

Well what a crazy couple of months it's been! Invisible.im started out with nothing more than some ambitious objectives and a simple roadmap for achieving them: Encrypted, metadata-free instant messaging that just works, cobbled together from existing anonymity and messaging software. We knocked together a proof-of-concept that (just) worked and announced our intention to move towards some sort of stable release.

None of us were prepared for the reaction to our announcement. The volume and quality of feedback has been overwhelming. Despite announcing nothing more than the early stages of an idea, invisible.im wound up in the press everywhere from the US to Italy, Germany, Netherlands and Peru. We've had dozens of quality offers of help from developers, designers and benefactors. We didn't have time to reply to everyone, we're sorry, but we've set up some mailing lists for those who want to get involved. (See below).

But of all the contact we received, it was an e-mail from John Brooks, a 22-year-old developer from the United States that proved to be the most valuable. For years, John has been working on a project that solves a lot of the problems invisible.im is seeking to address.

He calls it Ricochet. It's a serverless messenger platform, built from the ground up, that uses Tor hidden services to accomplish most of what we've set out to do. You can find information on Ricochet at its Github page. You can even download a binary and play with it, although we warn you now: It is unaudited code, and we're about to reimplement the protocol and make whatever you install today incompatible with what we release in November.

After some discussion and with John's blessing, invisible.im is backing Ricochet as its reference implementation. The focus has shifted from releasing a series of glued-together open source projects (Prosody, Pidgin and Tor) into supporting one project that has been designed for purpose from the ground up. Backing Ricochet is the fastest way for invisible.im to realise its vision of privacy-by-default messaging for at-risk users.

We are happy to announce the following:

Currently underway:

Coming Soon:

Getting involved:

We've also started two mailing lists. There's the development list and announcement list.

And, if you'd like, you can now donate to the project via bitcoin or PayPal. The addresses are:

All the best,

The Invisible.im Team.

Invisible.im is a project by:

We need your help

Here at Invisible.im we're keen for all the help we can get to make Ricochet a fantastic messaging package.

So feel free to head over to Ricochet's GitHub and pour through the source, criticise our implementation, propose features, add features, terrorise the developers on the mailing list or participate in any way you know how.

But what we need most at the moment is funding to accelerate development. We want to secure enough funding for:

As we move towards a non-alpha/beta release we'd also like to fund a bug bounty. The kind folks at BugCrowd have offered to host it for us and will even chip USD$1,000 into the bug pool to help us get it going.

But we still need help in the form of donations, sponsorships or assistance in obtaining grants.

...or if you are a benevolent philanthropist (or evil genius billionaire) you can also donate directly via bitcoin to 138Zt94BNuJTZWZqHVBUywVkCaazQnTfWQ or via PayPal to donate@invisible.im

All money raised will be spent on development and direct costs associated with development. No junkets to Bora Bora. Promise.

Get in touch via info@invisible.im


Q: What is the Invisible.im project?

A: The Invisible.im project is seeking to develop and release a secure, anonymous internet messaging platform for users of Windows, Mac OS X and Linux. It is designed to allow people in heavily surveilled environments to communicate safely. Invisible.im has selected Ricochet Messenger as the base software for achieving this goal.

Q: What's the problem we're trying to solve?

A: For many, the number of communications they have via electronic means is far greater than the number of conversations they have in the "real world". Every time one of these electronic communications takes place, a record of it having occurred is generated and stored somewhere. That could mean email server logs, telecommunications company logs or messaging server logs.

In many countries, that can spell danger. Pro democracy activists in oppressive regimes can face incarceration and even torture for the "crime" of communicating with each other. Invisible.im's goal is to protect at-risk individuals in oppressive regimes.

Q: Why Ricochet?

A: There have been many attempts to create an anonymous messaging platform, but some are definitely better than others. We believe Ricochet is by far the best-designed and implemented attempt.

The Tor project has launched an instant messenger project that uses the anonymity network to make instant messenger chats a lot safer. It's an excellent start, but doesn't solve the key problem we're setting out to solve -- incriminating metadata trails.

The Tor IM bundle will still rely on third-party messaging servers to relay messages. This means there will be a record of conversations having occurred on a third-party server. While it would theoretically be possible to use this technology to establish a secure and anonymous session, both parties to any chat using this tech would have to be using ephemeral identities to stay completely safe. We don't think that's practical, so we've taken a different approach.

Under the Tor project's model:

  • Every user will still need a registered IM account with an IM provider like AOL, Yahoo, MSN, GChat, Jabber etc.
  • User activity (metadata) still logged by IM service operators.
  • Oppressive regimes can use an IM username as a selector, not just an IP address.
  • If a user is tied to their IM pseudonym there's still a metadata trail a mile long.

TorChat uses a similar design, but has significant flaws in concept and implementation. It's also unmaintained, unaudited, and doesn't receive security fixes.

i2pMessenger is similar to TorChat but uses the i2p anonymisation network instead of Tor. Invisible.im will seek to enable conversations over i2p as well, but it's pretty far down on the list of immediate priorities.

Onionshare was written by Micah Lee, a tech staffer for online media startup The Intercept. A simple file transfer package, it allows a user to share files anonymously through an ephemeral Tor hidden service.

Ricochet is a Qt-based chat client that uses a custom binary protocol to send and receive messages via Tor hidden services. It was created by John Brooks. Of all the packages we've looked at it is by far the best designed and most secure.

Q: How will people use Ricochet?

A: People will use Ricochet just as they use existing instant messenger products like GCHat, MSN, AOL, Yahoo instant messenger. The difference is their chats will leave no recoverable metadata trail.

We believe there is a need for a simple tool anyone can download and use that enables safe chats. That's what Ricochet is designed to be.

It will also be possible to communicate via Ricochet without revealing your identity or registering a hidden service. This "anonymous mode" isn't yet incorporated into Ricochet, but it's on the roadmap.

In this mode it will possible for an individual -- without establishing their own hidden service -- to communicate with another party who has registered a hidden service address/Ricochet ID. This means the anonymous party can verify the remote party, but the remote party can't verify the anonymous party contacting them.

Of course Ricochet encrypts all messages, and no passive adversary can obtain users' "buddy lists", or determine who has spoken to who, let alone when.

Stated simply, oppressive regimes will not be able to infer relationships between users of Ricochet by passively observing Internet traffic.

Ricochet also makes mass/bulk surveillance difficult. For that reason we suspect privacy conscious people everywhere will be interested in running Ricochet as a replacement to their regular IM client.

Q: So specifically, what problems does Ricochet solve?

A. Ricochet makes it possible for its users to communicate without leaving a retrospectively recoverable forensic trail behind on third-party servers. It also protects users from passive snooping by oppressive governments.

In the case of a traditional instant messenger conversation, the service provider (Yahoo, Microsoft, Google, AOL etc) will have records of which user accounts have communicated with each other and when.

Ricochet leaves behind no such trail. It also doesn't log messages on either end, and when used in anonymous/unauthenticated mode the software will leave behind very little (and eventually, we hope, no) forensic evidence linking a user to a conversation.

Q: What problems does Ricochet not solve?

A: If a user is already the subject of targeted surveillance, Ricochet cannot facilitate secure, anonymous chats. This is not the problem it is seeking to solve. If the user is the subject of a targeted investigation by state security services, the investigating agency might do something as simple as take a time-stamped video recording of both ends of a conversation to prove that it happened.

There is no technological solution to that challenge. Ricochet is designed to eliminate "after the fact" metadata trails, not defeat real-time surveillance.

Further, Ricochet cannot leave absolutely no trail. It may be possible for investigative agencies to retrospectively determine whether the Tor network has been accessed from a nominated connection. It is a single data point, but a meaningful one. Our hope is that as Tor usage grows, connections to the anonymity network won't "stick out" or become incriminating on their own.

Q: What are some immediately identifiable security risks to Ricochet?
  • Private key jacking: The theft of a user's private key will result in the attacker being able to impersonate that user, but their past communications remain secure.
  • SPAM/phishing/malware: The spam challenge will be significant if the uptake of this service is successful. It is, after all, designed to allow anonymous parties to contact users. Further, Ricochet cannot protect users' communications from malware if their system is compromised. A proof-of-work-based anti-spam feature is on the development roadmap.
  • Security vulnerabilities: A vulnerability that allows an attacker to take control of a user's Ricochet software would be catastrophic. Regular code audits and a rolling bug bounty program are vital to the success of the project.
Q: What's the "big picture" vision for Invisible.im?

A: We hope Ricochet can demonstrate to the technology industry that serverless, private messaging is technically viable and necessary to protect at-risk communities and activists in oppressive regimes.

Eventually we hope other solutions built around a similar philosophy will emerge.