Why YGOOW won't pick your security for you
Open any messenger and you are already inside someone else’s decision. A default encryption mode, a default for disappearing messages, a default for whether your number is visible — all chosen for you, by people who will not be in the room when it goes wrong. Defaults are convenient precisely because they let you not think. That is also exactly what makes them dangerous.
YGOOW does something most products are afraid to do: it refuses to choose for you. When you start a conversation, you pick how it is protected — and there is no fallback “normal” setting waiting to catch you. If you choose nothing, you cannot chat. Instead you get one blunt sentence:
You don’t need anything here protecting your metadata and your words? Send an SMS.
People read that and assume it’s a joke, or an insult. It is neither. It is the most honest thing we can say.
A default is a lie of omission
When an app turns a protection on by default, it earns credit for a choice you never understood. “It’s end-to-end encrypted” becomes a feeling, not a fact you can act on. And when some other setting quietly isn’t on — your profile photo, your last-seen, a backup sitting in someone else’s cloud — the same comfort that made you trust the green checkmark is what stops you from looking. Security you didn’t choose is security you can’t reason about. The first time it matters, “I thought it was on” is not a defense.
Bluntness is a teaching tool
There is a fashionable idea that good design means never letting the user feel friction. For most apps, fine. For a tool whose entire job is to protect you from consequences, frictionlessness is malpractice. If we let you slide into a conversation without a single decision, we would have taught you nothing — and the next time you needed to understand your protection, you would have no model for it at all.
So we put the decision in front of you, once, in plain words. Not a wall of cryptography — a choice with honest consequences attached: this is what a stolen phone would reveal at each level. You make it in a tap. But you make it, consciously, the way you would choose a lock for a door you actually care about.
This runs through the whole app. Turn Tor off and you don’t get a silent toggle; you get a confirmation that says, in effect, leaving Tor is like mailing your home address — are you sure? Pick a weak key and the app tells you it’s weak, to your face, instead of pretending a public photo is a secret. None of this is decoration. These moments are among the most important things the app does — second only to the cryptography itself, and arguably part of it.
Not for everyone, on purpose
The honest cost of this stance is that YGOOW is not for everyone, and we don’t want it to be. If your conversation genuinely doesn’t need to hide its metadata or its content, you have a phone full of tools that already do that job with less ceremony. Use them. We would rather lose the user who doesn’t need us than flatter them into a false sense of safety.
The people YGOOW is for — the ones who reach for it because the stakes are real — deserve a tool that treats them like adults making a decision, not children to be soothed by a default. Refusing to choose for you is how we show that respect.
Your key, your rules — everything else is redacted.