SimpleX Chat doesn’t take any action to protect your IP from prying eyes. Take a look for yourself:
“SimpleX Messaging Protocol Server can: … learn a recipient’s IP address, track them through other IP addresses they use to access the same queue, and infer information (e.g. employer) based on the IP addresses, as long as Tor is not used.”
More Cases of IP Exposure
This isn’t the only case of SimpleX leaking user IPs when sending a link:
Thankfully, SimpleX’s founder, Evgeny Poberezkin, addressed the issue. However, instead of acknowledging it as a privacy flaw, he labeled it a feature, not a bug:
“Given that it is a documented behaviour, it is certainly not a bug, and it is also incorrect to call it a leak - every server you connect to, be it your ISP, VPN provider or Tor relay, can see your IP address, as this is how the Internet works.”
Instead of resolving the issue, SimpleX suggests users take extra steps to mitigate the risk themselves, such as:
- Using a VPN.
- Disabling link previews manually in settings.
But as one commenter pointed out:
“It is important to state that no other messaging app that we know of considers this a non-issue. Not even Discord or Matrix - both ask a fully (Discord) or semi (Matrix)-trusted server to do the network request on behalf of the client.”
Strange Justifications for Avoiding Tor Integration
SimpleX further avoids integrating Tor, claiming:
“The last, but not the least, it would create an unfair competitive advantage to Tor. We believe in competition, and we want our users to be able to choose which transport overlay network to use, based on what network threat model works best for them.”
Rather than embedding Tor, they expect users to set up Orbot manually, arguing that if users can’t manage this, they shouldn’t be using Tor at all.
At this point, users might be better off using Facebook Messenger with PGP keys.
Dismissive Responses to Security Concerns
When users raise concerns, responses often feel dismissive:
https://www.reddit.com/r/SimpleXChat/comments/19efalx/can_i_really_pull_other_peoples_ip_addresses
More comprehensive criticism of SimpleX’s privacy weaknesses:
Examples of user concerns being brushed aside:
Additional Concerns
- The company is based in London.
- The project has received funding from Jack Dorsey.
Another discussion highlighting these and other issues:
https://kiwifarms.st/threads/simplex-chat-discussion.203000/
Conclusion
I don’t trust SimpleX to protect my IP address. Their dismissive attitude toward privacy concerns raises suspicion.