Is there anything private on Nostr? It's not fun to use non-anonymously if everything I do and how I use Nostr is public.
Discussion
Nostr focuses on censorship resistance with privacy as an afterthought, while tools like SimpleX focus on anonymity and privacy. Do not confuse the two.
Not every Nostr client or relay implements the same NIPs. NIPs are optional by design—relays choose which ones to support, and client implementations vary. You could set up a private mute list on Amethyst only to find it doesn't carry over when you switch to another client that implements it differently or not at all.
As for messaging: NIP-17's "optional forward secrecy" refers to disappearing messages via expiration tags—not cryptographic forward secrecy. NIP-17 doesn't solve forward secrecy or post-compromise security.
If your Nostr private key is compromised, all your DMs (past and future) can be decrypted because the same key is used throughout. SimpleX doesn't have this vulnerability because it uses no persistent user identifiers. In serious privacy circles, SimpleX is consistently the recommendation.
I know SimpleX recently became controversial with the Bitcoin maxis on Nostr with their Community Vouchers launch, but the underlying protocol and privacy architecture remain technically sound.
There's nothing wrong with using Nostr non-anonymously—but understand what you're using it for. This isn't Reddit.
I firmly believe in and teach privacy and security through isolation and compartmentalization. Use the right tool for the right job. If you want censorship-resistant public discourse, use Nostr. If you need anonymous private communication, use SimpleX.
Treating Nostr like an anonymous platform when censorship resistance is its focus with privacy as an afterthought is a fundamental misunderstanding of the core purpose of the protocol.
💯
and if you're looking at SimpleX check out Cwtch.
I tried to use it a couple of years ago and found it to be highly unstable and barely usable.
I will revisit Cwtch one day, but not with anything mission critical yet. Interestingly the developers announced on SimpleX, not Cwtch, that they planned to undergo a security audit by Trail of Bits in early 2025.
2025 is nearly over and there has been no public report of a completed third-party security audit.
Due to the experimental nature of the app and the fact that they still haven't had—much less passed—a formal third-party security audit, so...

Sure, all this stuff is hard. I'd agree that Cwtch is not ux focussed! As for these apps and mission critical..... Let me think about that a while. ;)
private, authed relays, in foreign, nonaligned jurisdictions, on tor hidden services, the attack surface is social, not technical.
and something you don't mention, is that simplex is able to capture your connection metadata (timing) which is not a trivial value in intelligence, it's much more important to hide that, than to encrypt your messages.
i find the endless wrong-headed game theory analysis of surveillance threats with regard to nostr, to be sad.
the nostr you are talking about, is relay.damus.io and nostr.band and nos.lol and nostr.mom and primal, all full of spam and feds.
the nostr i'm talking about, is my relay, and there are at least dozens of us in the small circle i am in on this network, who also run relays. my relay respects deletes. my relay doesn't send DMs to interlopers. my relay is in spain, but meh. and it's not on tor. double meh.
but it's still not a domestic jurisdiction.
imo, privacy advocacy as it is on the internet at the moment is heavily influenced by spooks, the smell of palantir and the CIA, NSA, MI6, and all the rest are patent to my nose. why is it that mozilla "cares" so much about your privacy anyway? how old are you? does the word "netscape" mean anything to you?
if you are so wise in the ways of cybersecurity, why aren't you discussing the attack surface properly?
You can have good privacy with nostr:npub1h0uj825jgcr9lzxyp37ehasuenq070707pj63je07n8mkcsg3u0qnsrwx8
Apart from a detail that many people ignore, once you upload your face to a page that gives you anonymity, just doing that already exposes you.
Resistant to censorship, it gives you more control over your data without others deciding whether what you say or show is acceptable.
- Privacy: ensure that no one is observing you or collecting any of your information.
- Anonymity: do not provide any information that could identify you.
- Resistant to censorship: you have more control over what you say and do without waiting for others to approve your actions.
I use Nostr because I have a deep frustration with the censorship of status quo social media
I’d like a place for people to actually exercise their free speech
If you went into a town square to say what you want, it’s not private, so I don’t need Nostr to be either
If I want privacy, I’d speak offline, or use an app like Signal
Not sure comparing censorship-resistance and privacy is all that helpful in this sense
Horses for courses as they say
If you don’t post anything that can show who you are and don’t use your own name, your account is private. If you use your real name and give details of your life, then your account is not private. Or am I not getting this?
Are you hiding your IP from the relay runners or using a client that forces Tor? If not, you might feel “private,” but you are definitely not anonymous. Without Tor or a VPN, every relay you connect to can see where you're coming from.
Nostr is at its core a public system, but because it uses encryption, you can absolutely store and send information privately over its relays. The confusing aspect about mute lists is that there are both public and private lists, but they are not supported in the same way by all clients, and, as it turns out, some clients even overwrite private lists without warning you.
If backing up your public and private mute and follow lists to keep them from being unintentionally deleted is a priority for you, you should use #Mutable. I built it to do just this, because it had happened to me one too many times.
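The overwrite problem described in this post, as an added example (not Mutable's code and not from anyone in the thread): a check that compares a candidate mute-list event with the one it would replace and reports anything that would be lost. It assumes the NIP-51 layout (kind 10000, public entries in `tags`, private entries encrypted in `content`); the function names and both sample events are constructed for illustration.

```python
import json

MUTE_LIST_KIND = 10000  # NIP-51 mute list, a replaceable event kind (NIP-01)

def public_entries(event):
    """Return the publicly visible (tag, value) pairs of a list event."""
    return {(t[0], t[1]) for t in event["tags"] if len(t) >= 2}

def check_replacement(current, candidate):
    """List what would be lost if `candidate` replaced `current`.

    An empty list means the update keeps everything the current event holds.
    """
    if (current["kind"], current["pubkey"]) != (candidate["kind"], candidate["pubkey"]):
        return ["not a replacement: kind or pubkey differs"]
    problems = []
    if candidate["created_at"] <= current["created_at"]:
        problems.append("candidate is not newer than the event it should replace")
    # Private entries are an encrypted blob in `content`. Without the key the
    # blob is opaque, so the check is whether it would disappear entirely.
    if current["content"] and not candidate["content"]:
        problems.append("private (encrypted) section would be wiped")
    for tag, value in sorted(public_entries(current) - public_entries(candidate)):
        problems.append(f"public entry dropped: {tag} {value}")
    return problems

def backup(event):
    """Serialize the whole event so it can be restored or re-published later."""
    return json.dumps(event, sort_keys=True)

# Constructed sample data: placeholder keys, id, signature and ciphertext.
CURRENT = {
    "id": "00" * 32, "sig": "00" * 64, "pubkey": "aa" * 32,
    "kind": MUTE_LIST_KIND, "created_at": 1700000000,
    "tags": [["p", "bb" * 32], ["t", "spam"]],
    "content": "constructed-ciphertext-placeholder",
}
# What a client that ignores the private section might publish (constructed).
CANDIDATE = {
    "id": "11" * 32, "sig": "11" * 64, "pubkey": "aa" * 32,
    "kind": MUTE_LIST_KIND, "created_at": 1700000600,
    "tags": [["p", "bb" * 32]],
    "content": "",
}

if __name__ == "__main__":
    for problem in check_replacement(CURRENT, CANDIDATE):
        print("WARNING:", problem)
```

A deliberate unmute also shows up as a dropped public entry, so the output is a prompt for confirmation rather than proof of a faulty client.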

Very cool!
#Amethyst uses private (encrypted) mute lists...

