Trust trade-offs

Publishing through this site is a convenience. It costs you specific Tor properties. We'd rather you understand exactly what's gone than have you find out from a journalist or a subpoena.

What we know when you use the convenience button

Your wallet → your IP correlation

When you click "Sign & publish," your browser talks to our server. Our server sees: the IP you're using, the wallet pubkey, the content, and the signature. Even if we don't keep logs, the network path exists.

Content metadata, in clear

Your content goes through publish.ouija.social over HTTPS — encrypted in transit but readable to us. We can read it; if compelled, we'd have to hand it over.

No real Tor hidden service runs at your .onion

The site you publish exists on our clearnet host. The .onion address shown is cryptographically yours, but no Tor service is listening at it unless you set one up yourself.

We can take your content down

We're a single party. Any party that can apply enough pressure to us — a court order, a hosting-provider abuse complaint, a DDoS — can knock your content offline. The Tor network has no such single party.

What we do NOT know / cannot do

We do not have your mnemonic or secret key.

Convenience publishing only needs your wallet to sign a publish challenge. The wallet's key never leaves your browser. We cannot sign as you on Solana. We cannot move your funds.

We do not run a Tor service for you.

To run a real Tor v3 HS at your .onion, an operator would need the expanded ed25519 secret derived from your mnemonic. We never see it.

We don't run analytics or third-party scripts.

The page you publish has zero outbound trackers. The publish.ouija.social frontend itself has none either. The only network call from a published page is to its own asset host.

"Real Tor" tier (future)

A future version of ouija publish will offer an opt-in tier where you upload the Tor secret-key file (which we'd then host as a real hidden service at your .onion). This is strictly worse for you trust-wise — we'd hold the same key that controls your Solana wallet — and we'll plaster the trade-offs in every UI surface that touches that flow.

The right answer for almost everyone is self-host. The 4-command recipe takes about 5 minutes on a laptop you already own.

If we get a subpoena

We will comply with valid legal process. We do not retain access logs beyond what's needed to run the service, but we'd have to hand over whatever exists at the time the request lands. We will publish a warrant canary as the service grows.

Take me to the self-host guide →