We Changed Our Mind on Encryption
7 min read · Viktor Stojanov

Four of my closest friends from work have been in the Colloquies beta for the better part of a year. All of them are engineers I’d trust to explain hybrid encryption back to me. They use the app. They like it. And over the past few months, in conversations I kept replaying afterward, every one of them asked some version of the same question.

“Wait, if I lose my phone, do I get my history back?”

“If I sign in with Google on a new laptop, is that a different key?”

“What happens if I forget my password?”

I had answers for every one of them. The answers were good. They involved password-wrapped cloud backups, an opt-in device-pairing flow over QR, a recovery sheet that walked the user through three paths. I had spent months making sure the answers were good. And the friends were still asking. Not because the answers were wrong, but because the questions kept arriving in the first place.

If senior engineers can’t intuit the model, no docs fix is going to save it. The friction was structural, not editorial.

The seam the cryptography has

End-to-end encryption is a beautiful guarantee. The server cannot read your messages, not because we promise we won’t, but because we mathematically can’t. The key lives on your device. Only the people you’ve explicitly added to a conversation can decrypt anything. It is the strongest privacy contract a messaging app can offer, and every word of it is true.

It also has a seam, and the seam runs exactly through the points casual users actually hit. A new phone. A forgotten password. A “Continue with Google” tap on a fresh install, on an account they set up four years ago and have no real custody over. The cryptographic guarantee holds at those moments. The friction is what gets paid for it, and it runs in the precise opposite direction from the promise the app makes everywhere else, which is that the conversation is easy to come back to.

This isn’t a Colloquies-specific problem. It’s the structural cost of moving the trust boundary onto the device. Signal has written carefully about it, and the path they chose, PIN-protected Secure Value Recovery in an SGX enclave, is one of the more elegant compromises in the industry. Apple ran into the same wall and chose a different shape. iMessage in iCloud and Advanced Data Protection both ask the user to accept some version of “your history is portable if you set this up correctly, and gone if you don’t.” Every encrypted messaging product has to make this trade. Most of them either pretend it doesn’t exist or wrap it in language users don’t parse until they hit it.

What I tried before changing the default

The honest sequence here matters. The first instinct, when the friends started asking, wasn’t to weaken the encryption. The first instinct was to make the recovery story so good it would stop being a question.

So I built it. There’s a password-wrapped backup of the private key, recoverable on any new device by signing in and entering the same password. There’s a device-pairing flow that lets a user with two phones in their hands migrate in under a minute. There’s a status card on the profile screen that gently nudges anyone whose recovery surface is incomplete.

The friends, who saw all of this, kept asking the questions anyway. Better cryptography only makes the cryptography more elegant. The model underneath is still the model underneath, and a person who opens the app on a Sunday night to answer a prompt with their college roommates is not going to develop an intuition for it on a deadline.

The paradox I couldn’t engineer away

The people most likely to need Colloquies are the people least likely to be set up to defend a key.

That sentence took me longer to write than this paragraph would suggest. The same reflection from the streaks post applies here. Friends who already keep up with each other, who have the technical fluency to manage their own recovery, who would patiently sit through a key-restore flow because they understand what’s at stake, those friends don’t actually need this app. They’ve already built the rituals it tries to support. They’re a tiny share of who downloads it.

The actual users are people who keep meaning to call the friend they used to live with. People who haven’t moved a key in their life and would rather not start. People who signed in with Google on every service they own and have a fuzzy sense of what would happen if Google ever locked them out. Those are the people the app is for, and the default of “your messages live on this device and one wrong move costs you the history” was always going to be the wrong default for them.

I built the recovery surface carefully because I thought that was the answer. It turned out the answer was the default.

The objection I have to take seriously

There’s a real one, and it deserves plain English, because it would be easy to wave away.

The objection: you spent two years telling everyone Colloquies was end-to-end encrypted. People joined because of that. Reducing what gets encrypted by default, even with the option still available, is the moment a privacy product quietly becomes a normal product. Every privacy app starts this way. Every one of them has a memo that explains why their compromise was the principled compromise.

That memo exists, and most of those memos were wrong. WhatsApp folded into Meta. iMessage had an iCloud backup that was effectively a backdoor for a long stretch before Apple offered Advanced Data Protection as an opt-in. Telegram never had end-to-end as a default and pretends otherwise in its marketing. The road from privacy by default to privacy by tickbox is short, and the person walking it is almost always sure they’re being more careful than the last app.

The honest answer is that the option didn’t move. Private mode still exists, with the same cryptography it always had and the same guarantee that not even I can read the content. It is one tap at circle creation, no menu spelunking. Every circle that was Private before this change stays Private, and the change is forward-only. What moved is what happens when someone creates a new circle and doesn’t have a strong opinion about it. The default went from a promise most users couldn’t actually keep across a device change to one that matches what they actually need, which is messages that are there when they sign in again, held by a company with no advertising business, no recommendation algorithm, and no AI training pipeline that would benefit from reading them.

That’s not the same compromise the WhatsApp memo made. I can’t promise from here that the line will always hold. I can promise that the moment we start using Standard-circle content for anything other than running the service, it’ll be a different company than the one writing this.

The line that’s left

Privacy isn’t one thing. The cleaner story, everything encrypted, always, is the one I’ve been telling for years, and it’s the one I’d still rather tell. It just turned out to cost people their conversations more often than I wanted to admit, in a corner of the product that doesn’t show up in the marketing copy.

The right answer in the end is the unglamorous one. Two modes, with the everyday case as the default and the strong case one tap away when it matters. The trade is written into the privacy policy in more detail than most people will read, and into a post like this for the few who do.

I’ll know in a year whether this was the right call. The shape of the wrong call is probably visible already: a slow drift in what “private by design” comes to mean, a softening at every quarterly review. If that drift starts, I hope someone in the inbox will tell me, the way the four friends did, with a question I didn’t have a good answer for.

Hero image by Kelly Moon on Unsplash.
