We built Ghost Protocol because "trust us" is not a security model. The only honest answer to privacy is architecture that makes betrayal technically impossible — not a policy you have to believe in.
"The best way to protect your privacy is to build a system where even we cannot violate it — not by choice, not under pressure, not because a court orders it. If we can't see your data, we can't be forced to hand it over."
Most messaging apps ask you to trust a company. They encrypt your messages — but they hold the keys, run the servers, and log the metadata. When a government subpoena arrives, they comply. When they get acquired, the new owners have different values. When a developer makes a mistake, your identity leaks.
Even Signal, the gold standard, can observe who you talk to, when, and roughly how often, because its servers route your messages: sealed sender hides the sender on the envelope, but the recipient and the address the message was delivered from remain visible to the server at delivery time, whether or not Signal chooses to retain them. Signal also has your phone number. Connection metadata alone is enough to reconstruct your social graph without ever reading a single message.
We asked: what if the architecture itself refused to learn any of that? Not by policy. Not by promise. By design.
Ghost Protocol is built on six principles that go beyond what any other mainstream messenger does today.
The relay server never receives your phone number, your contact list, or the plaintext of any message. It cannot: the protocol has no field for them. Your network address is hidden from the relay when the Tor or I2P transport is enabled; over a direct connection the relay, like any server, sees the address you connect from. If we are compelled to hand over data, the realistic answer is: there is almost nothing to hand over.
Tor and I2P are built directly into the app; no third-party app is required. When enabled, the relay cannot see where you are connecting from, and your internet provider sees only a connection to the Tor or I2P network rather than to Ghost Protocol. Where Tor itself is blocked or conspicuous, bridges with pluggable transports disguise that connection as well. You choose the transport; the option is always there.
Session keys are agreed with X3DH combined with Kyber-768 (the lattice KEM on which the standardised ML-KEM-768 is based), so every conversation is protected by both the established Signal key agreement and post-quantum lattice cryptography: an attacker has to break both. Traffic captured today is therefore designed to stay confidential against an adversary who obtains a quantum computer later, which defeats "harvest now, decrypt later" collection for as long as the lattice component holds.
Every line of code is public under AGPL-3.0. Not just the app: the relay, the cryptographic core, the build pipeline, the CI scripts. Anyone can read it, reproduce it, and fork it. Our builds are reproducible: the APK you download matches one built from the tagged source byte for byte apart from the release signature, which only our signing key can produce and which you can strip or skip when comparing.
Ghost Signals sends cover traffic at a constant average rate, with send times drawn from a Poisson process that runs whether or not you have anything to say; real messages take slots in that same schedule, and every frame on the wire is padded to the same size. An adversary watching the network cannot tell whether you are actively chatting or idle. The shape of your traffic reveals nothing about the shape of your conversations.
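To make the scheduling concrete, here is an added simulation of a sender that follows the scheme just described. It is example code written for this page, not Ghost Protocol's implementation; the frame size, the cover rate and the in-order message queue are assumptions. The same seed is used for an idle sender and a busy one so that the two wire views can be compared directly.

```python
import random
from collections import deque

FRAME_BYTES = 512    # every frame is padded to this size (assumed constant)
RATE_PER_SEC = 2.0   # mean cover rate (Poisson process => exponential gaps)


def poisson_schedule(rate_per_sec, duration_sec, seed):
    """Send times of a Poisson process: gaps ~ Exponential(rate), chosen
    before looking at any payload, so the schedule is payload-independent."""
    rng = random.Random(seed)
    t, times = 0.0, []
    while True:
        t += rng.expovariate(rate_per_sec)
        if t > duration_sec:
            return times
        times.append(round(t, 6))


def pad(payload: bytes) -> bytes:
    """Fixed-size framing: 2-byte length prefix, payload, zero padding."""
    if len(payload) > FRAME_BYTES - 2:
        raise ValueError("payload exceeds frame size; fragment it first")
    return len(payload).to_bytes(2, "big") + payload + b"\x00" * (FRAME_BYTES - 2 - len(payload))


def unpad(frame: bytes) -> bytes:
    n = int.from_bytes(frame[:2], "big")
    return frame[2:2 + n]


def run_link(real_messages, duration_sec, seed):
    """Simulate the sender. real_messages: list of (ready_time, payload).
    Each scheduled slot carries the oldest ready real message, or a dummy.
    Returns a list of (send_time, frame, is_cover)."""
    schedule = poisson_schedule(RATE_PER_SEC, duration_sec, seed)
    pending = deque(sorted(real_messages))
    out = []
    for t in schedule:
        if pending and pending[0][0] <= t:
            _, payload = pending.popleft()
            out.append((t, pad(payload), False))
        else:
            # Dummy frame: same size as a real one. In a real system both are
            # encrypted, so the bytes are indistinguishable as well as the size.
            out.append((t, pad(b""), True))
    return out


def wire_view(out):
    """What a passive network observer gets: timestamps and sizes only."""
    return [(t, len(frame)) for t, frame, _ in out]


if __name__ == "__main__":
    idle = run_link([], 10.0, seed=7)
    busy = run_link([(0.5, b"hello"), (1.0, b"meet at 9")], 10.0, seed=7)
    print("observer sees the same thing:", wire_view(idle) == wire_view(busy))
```

The cost of the scheme is visible in the simulation: a real message waits for the next scheduled slot, so latency is bounded by the cover rate, and a burst of messages longer than the rate allows queues up rather than changing the schedule. Raising the rate lowers latency at the price of bandwidth and battery; what must never happen is a send outside the schedule.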
The duress PIN and decoy identity protect you when the adversary is physically present. Entering the second PIN under coercion wipes the real account's key material and opens a clean decoy account. Because the data-at-rest keys live in StrongBox hardware and never leave it, deleting them is a cryptographic erase: whatever encrypted data remains on flash is unreadable to anyone, including you, so the wipe cannot be undone by forensic recovery.
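The following is an added illustration of why deleting a hardware-held key is enough to make a wipe irreversible. It is example code for this page, not Ghost Protocol's code: the key hierarchy (a per-profile data key wrapped by a key that exists only inside the keystore), the profile names and the PIN handling are assumptions, and a keyed-hash stream cipher stands in for the AEAD a real implementation would use.

```python
import hashlib
import hmac
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode). A stand-in for AES-GCM;
    it only needs to show that without the key the ciphertext is useless."""
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i * 32:(i + 1) * 32], block))
    return bytes(out)


class StrongBoxSim:
    """Stand-in for the hardware keystore: raw key bytes never leave it,
    it only wraps/unwraps, and delete() is final."""
    def __init__(self):
        self._keys = {}

    def generate(self, alias):
        self._keys[alias] = secrets.token_bytes(32)

    def delete(self, alias):
        self._keys.pop(alias, None)

    def wrap(self, alias, dek):
        k = self._keys[alias]
        ct = keystream_xor(k, b"wrap", dek)
        return ct + hmac.new(k, ct, hashlib.sha256).digest()

    def unwrap(self, alias, blob):
        k = self._keys[alias]  # KeyError once the key is wiped: the DEK is gone for good
        ct, tag = blob[:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(k, ct, hashlib.sha256).digest()):
            raise ValueError("wrapped key corrupted")
        return keystream_xor(k, b"wrap", ct)


class Profile:
    """One identity. Its data key (DEK) exists at rest only in wrapped form."""
    def __init__(self, box, alias):
        self.box, self.alias = box, alias
        box.generate(alias)
        self.wrapped_dek = box.wrap(alias, secrets.token_bytes(32))
        self.records = []  # (nonce, ciphertext) pairs, as they would sit on flash

    def store(self, plaintext: bytes):
        dek = self.box.unwrap(self.alias, self.wrapped_dek)
        nonce = secrets.token_bytes(16)
        self.records.append((nonce, keystream_xor(dek, nonce, plaintext)))

    def read_all(self):
        dek = self.box.unwrap(self.alias, self.wrapped_dek)
        return [keystream_xor(dek, n, c) for n, c in self.records]


def pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class Device:
    def __init__(self, real_pin, duress_pin):
        self.box = StrongBoxSim()
        self.salt = secrets.token_bytes(16)
        self._real_hash = pin_hash(real_pin, self.salt)
        self._duress_hash = pin_hash(duress_pin, self.salt)
        self.real = Profile(self.box, "real-dek")
        self.decoy = Profile(self.box, "decoy-dek")

    def unlock(self, pin):
        h = pin_hash(pin, self.salt)  # same work for every branch
        if hmac.compare_digest(h, self._duress_hash):
            # Crypto-erase: only the wrapping key is deleted. The ciphertext is
            # deliberately left in place here to show that it is now unrecoverable.
            self.box.delete(self.real.alias)
            return self.decoy
        if hmac.compare_digest(h, self._real_hash):
            return self.real
        raise PermissionError("wrong PIN")


def recoverable(profile) -> bool:
    try:
        profile.read_all()
        return True
    except KeyError:
        return False
```

Two properties matter and both are checked by construction: after the duress PIN, the real PIN still authenticates but unwrapping the data key fails, and the decoy profile keeps working because its own wrapping key was never touched.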
Ghost Protocol has not yet completed an external security audit. It implements modern cryptography correctly to the best of our ability, but no software is perfect without independent review. We are actively seeking an audit from a specialist firm (Cure53, Trail of Bits, or Quarkslab) and will publish the full findings — including any vulnerabilities found — when it is complete.
Until the audit is done: Ghost Protocol is designed to offer significantly stronger privacy than any mainstream messenger, but treat it as serious-but-experimental software. If you need a messenger with a completed audit today, Signal is the right choice. We are building toward being a better answer than Signal, and the audit is the last step before we can claim that fully.
Mohamad built Ghost Protocol out of a conviction that privacy is not a feature — it is a right that the architecture of most technology systematically violates. Ghost Protocol is the result of asking "what would a messenger look like if we started from the threat model of a dissident in a hostile country instead of from the business model of an ad network?"
The answer took 33 specification sections, 18 build phases, a custom Rust cryptographic core, an embedded Tor engine, post-quantum key exchange, cover traffic, and a reproducible build pipeline — among other things. The work is not done, but the architecture is right.
Also co-founder of Email2Chat (privacy-first email-to-messaging bridge) and CSB Academy (licensed IT training institute) — all under CSB Group SARL.
Privacy is not a privilege for experts or a tool only for people in danger. It is a basic human right — and Ghost Protocol is built to give it to everyone, without asking them to understand cryptography to use it safely.
You don't send anything illegal. You just don't want your private conversations read by a corporation, mined for ads, or handed to a government that asked nicely. That is a completely reasonable expectation. Ghost Protocol makes it technically enforceable, not just a policy promise.
Medical decisions, financial discussions, relationship conversations — the most personal things in life should stay between the people they involve. No server reads them. No algorithm categorises them. No data breach exposes them years later.
Lawyers, doctors, therapists, accountants: professions built on confidentiality. Client conversations belong to the relationship, not to the platform. Ghost Protocol gives you end-to-end encryption that holds even when the relay is legally compelled to hand over everything it has.
Source protection is not optional; it can be life-or-death. Sealed sender means the relay cannot record who sent a message, only which mailbox it was addressed to, and with Tor routing it cannot tie that delivery to a network address either. Tor routing also means your network provider cannot see you using Ghost Protocol at all. The architecture treats source protection as a first-class requirement.
In countries where organizing is criminalized, metadata is the evidence. Ghost Protocol's cover traffic makes your communication pattern indistinguishable from silence. The duress PIN lets you hand over a phone under coercion without revealing your real identity or contacts.
Privacy should not depend on where you live, what government you are under, or how technically sophisticated you are. Ghost Protocol works in censored countries using Tor bridges. It requires no phone number, no email, no real identity of any kind to get started.
Ghost Protocol is open source under AGPL-3.0. That is not a marketing claim — it is a legal structure that makes our privacy commitments enforceable by anyone. You do not have to take our word for anything. You can read the code, reproduce the build, and verify that the APK you downloaded matches what is on GitHub. If the code ever contradicted our promises, anyone could see it.
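The verification step described here, and the reproducible-build claim in the principles above, can be checked with a small script like the following. It is an added example written for this page, not part of Ghost Protocol's build pipeline: it compares a downloaded APK with one rebuilt from source entry by entry, ignoring only the v1 signature files that the unsigned rebuild cannot contain (v2/v3 signatures live in the APK Signing Block outside the zip entries, so they never appear in the comparison). The sample APKs are constructed in memory for the demonstration.

```python
import hashlib
import io
import zipfile

# JAR (v1) signature files; the rebuild is unsigned, so these are excluded.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")


def is_signature_entry(name: str) -> bool:
    return name.startswith("META-INF/") and (
        name.endswith(SIGNATURE_SUFFIXES) or name == "META-INF/MANIFEST.MF")


def entry_digests(apk_bytes: bytes) -> dict:
    """SHA-256 of every file entry except v1 signature files."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return {info.filename: hashlib.sha256(z.read(info)).hexdigest()
                for info in z.infolist()
                if not info.is_dir() and not is_signature_entry(info.filename)}


def compare_apks(downloaded: bytes, rebuilt: bytes) -> dict:
    """Report which entries exist on only one side or differ in content."""
    a, b = entry_digests(downloaded), entry_digests(rebuilt)
    return {
        "only_in_downloaded": sorted(set(a) - set(b)),
        "only_in_rebuilt": sorted(set(b) - set(a)),
        "differing": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }


def reproducible(downloaded: bytes, rebuilt: bytes) -> bool:
    return not any(compare_apks(downloaded, rebuilt).values())


def make_apk(entries: dict) -> bytes:
    """Constructed stand-in for an APK: a zip with fixed timestamps (demo only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0)), data)
    return buf.getvalue()


if __name__ == "__main__":
    base = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035" + b"\x00" * 16}
    signed = make_apk({**base, "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                       "META-INF/CERT.SF": b"sf", "META-INF/CERT.RSA": b"\x30\x82"})
    print(compare_apks(signed, make_apk(base)))
```

On real files, read both APKs with `open(path, "rb").read()` and run `compare_apks`; any entry listed under `differing` is where the published binary departs from the source, and `classes.dex` is the one to look at first. A whole-file hash check only works against an unsigned artifact published alongside the signed one.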
The AGPL-3.0 license also prevents the software from being forked into a closed product. If someone operates a modified relay that users interact with over the network, the license requires them to offer those users the modified source. Privacy tooling must stay open: a private fork of Ghost Protocol would be Ghost Protocol without the accountability, which is exactly the problem we set out to solve.
Whether you are an individual looking for better privacy, an organisation that wants to deploy Ghost Protocol for your team, a security researcher, or a journalist writing about surveillance technology — we want to hear from you.
GitHub Issues · Security reports: security.txt