The Tor Project will be closing down its privacy-focused Tor Messenger project after undergoing no fewer than 11 beta iterations since 2015. That’s according to a new announcement on The Tor Project’s official blog, which sites three primary reasons for dropping the messenger. Interestingly enough, the decision seems to stem from a single challenge that developers on the project were facing – also given as the first reason. Namely, the software product underpinning the messenger, Instantbird, is no longer in development or maintained. That program is being ported over to Thunderbird, which gave the developers an opportunity to step back and reexamine their efforts with Tor Messenger.
A thorough assessment, in addition to highlighting the relatively low adoption rate for the messenger itself, seems to have immediately thrust two other issues into the spotlight. The first of those is a meta-data problem that needs to be overcome to create a truly secure messaging platform. As things currently stood, even Tor Messenger has issues with metadata collection and leaks due to the dependence on server-client relationships and goals pertaining to cross-platform compatibility. Moreover, because the goal was also to create a messenger to be used across various social platforms – such as Facebook Messenger – participants in the beta were still revealing patterns of use. Although more difficult, those could ultimately still be used to identify users. That’s in spite of the use of Tor to prevent the tracking of what route, exactly, the data had been pushed over and the implementation of Off-the-Record messaging. So Tor Messenger simply couldn’t be what the developers had intended from the start.
Linking back to that is the final issue of resources. Tor Messenger, as mentioned above, was never able to leave beta and a lack of resources was preventing responses to bug reports, let along feature requests. That also means that no Android variant was ever able to be completed. Furthermore, the developers were never able to conduct audits, aside from a couple of internal audits performed by the developers themselves. A lack of resources likely also fed back into the other issues listed. As a result, the development is closing down and it’s recommended that users are going to need to look elsewhere if they want secure messaging. The software will still work for those who already have it. However, since it isn’t being maintained or updated, it can really no longer be considered secure.