someone

Frequently Asked Questions

Frequently Asked Questions

General Usage

Someone is an ephemeral messaging service that allows you to send messages that automatically delete themselves 30 seconds after being read. Simply write your message, share the generated link, and the message will disappear forever after the first person opens it.

Key advantages of Someone:

  • No app installation required - Works in any web browser
  • No account creation - Completely anonymous, no phone numbers or emails
  • One-time read - Message is destroyed immediately after first read, not after a timer
  • No message history - Messages never exist in a chat history or cache
  • Cross-platform - Works on any device with a browser
  • No metadata tracking - We don't store who sent what to whom
  • Perfect for one-off communications - Share passwords, sensitive info, or private thoughts

While Telegram and Signal are great for ongoing conversations, Someone is designed for truly ephemeral, one-time communications where you want zero digital footprint.

Yes, messages are limited to 5,000 characters to ensure optimal performance and prevent abuse. This is typically enough for several paragraphs of text.

No, each message can only be read once. If you need to share the same information with multiple people, you'll need to create separate messages for each recipient. This is by design to ensure true ephemeral messaging.

Security & Privacy

🔐 End-to-End Encryption (v4.0.10 Mandatory):

All messages are now protected with true End-to-End Encryption (E2EE) using AES-256-GCM:

  • Military-grade encryption - AES-256-GCM is the same standard used by governments and security agencies
  • Client-side encryption - Messages are encrypted in your browser BEFORE sending to server
  • Zero-knowledge server - Admin and server CANNOT decrypt or read your messages
  • Unique per-message key - Each message uses a random 256-bit encryption key
  • Key in URL fragment - Decryption key is in link (#key=...) and NEVER sent to server
  • Encrypted in transit - HTTPS protects data transmission
  • Automatic deletion - Encrypted files are permanently deleted after reading
  • Security by default - E2EE is always on, no user choice to weaken security

What does "Admin cannot read" mean? Even if the website admin or server is compromised, your message content remains completely unreadable. The only way to decrypt a message is with the unique encryption key stored in the URL link shared with the recipient.

End-to-End Encryption (E2EE) means your message is encrypted on your device BEFORE it reaches our servers. It stays encrypted until the recipient opens the link and decrypts it in their browser.

How Someone's E2EE Works (v4.0.10):

  1. You write: Message stays in your browser as plaintext
  2. Browser encrypts: Your browser generates a random 256-bit key and encrypts the message with AES-256-GCM
  3. You send: Only the encrypted blob is sent to the server (the server can't read it)
  4. Share link: Link includes decryption key in URL fragment: https://someone.app/read/abc123#key=xyz789
  5. Recipient opens: Their browser extracts the key from URL and decrypts locally
  6. Message displayed: Only the recipient sees the plaintext
  7. Server never sees key: URL fragments are NOT sent to servers in HTTP requests

🔒 Security guarantee: Without the URL key, the encrypted message is mathematically impossible to decrypt. Even Someone's admin cannot decrypt your messages.

Starting with v4.0.10, E2EE is mandatory and cannot be disabled. Here's why:

Security by Default:

  • No user error: Users can't accidentally send unencrypted sensitive information
  • Maximum protection: Everyone gets the same high level of security
  • Zero admin access: Complete message confidentiality guaranteed
  • Simpler UI: No confusing encryption options or checkboxes

Previous versions (v4.0.9 and earlier): Offered E2EE as optional with a checkbox. While this gave users choice, it also meant users could create less secure messages by mistake.

Recommendation: We believe mandatory E2EE is the right design choice for maximum user privacy.

Absolutely not. This is guaranteed by the E2EE architecture.

Why admin cannot read:

  • Client-side encryption: Messages are encrypted in YOUR browser before reaching our servers
  • No server key storage: The encryption key is in the URL link, never stored on our servers
  • Encrypted storage: Server only stores encrypted blobs (unreadable without key)
  • No decryption capability: Admin has no way to decrypt messages even if compromised

Evidence of security: You can inspect the network traffic using your browser's Developer Tools and confirm that messages leave your device in encrypted form. The encrypted blob looks like random garbage to anyone trying to read it.

This is true End-to-End Encryption. Not "encrypted on server" (where admin could decrypt) but "encrypted on client before transmission."

Message Content: We never log or store your actual message content. Messages are encrypted and automatically deleted after reading.

Usage Analytics: We collect minimal, non-personal usage statistics to improve the service:

  • Number of messages created and read (no content)
  • Message sizes (for performance optimization)
  • Anonymous sender type (named vs anonymous)
  • Anonymized IP hashes (SHA-256, cannot be reversed)
  • Browser type (for compatibility)

What we DON'T track:

  • Message content or recipients
  • Real IP addresses or personal information
  • User accounts or identification
  • Cross-message relationships

All analytics data is automatically purged after 90 days and used solely for service improvement.

No, absolutely not. Once a message is read and the 30-second timer expires, the encrypted file is permanently deleted from our servers. There are no backups, no recovery options, and no way to restore the message. This is intentional and core to our privacy promise.

Yes, unread messages automatically expire and are deleted after 24 hours to prevent indefinite storage. This ensures that sensitive information doesn't remain on our servers unnecessarily, even if the recipient never opens the link.

Technical Details

Someone works in all modern web browsers including Chrome, Firefox, Safari, Edge, and mobile browsers. No plugins or extensions required.

Currently, Someone is in early development stage and not yet open source. However, we welcome security experts to audit our system for vulnerabilities and security improvements.

For security audits or inquiries, please contact us at: wansazlinasaruddin.com

Currently, self-hosting is not available. Someone is exclusively hosted on our secure VPS infrastructure to ensure optimal security, performance, and data protection.

This centralized approach allows us to:

  • Maintain strict security controls and encryption standards
  • Ensure reliable message deletion and privacy policies
  • Provide consistent performance and uptime
  • Implement proper security monitoring and incident response

For enterprise or special hosting requirements, please contact us to discuss custom solutions.

Use Cases

Someone is perfect for:

  • Password sharing - Share temporary passwords or access codes
  • Sensitive information - Share personal data, SSNs, or confidential details
  • Private confessions - Share thoughts that shouldn't leave a trace
  • Whistleblowing - Anonymous reporting of issues
  • Temporary instructions - One-time directions or information
  • API keys/tokens - Share development credentials securely
  • Personal notes - Send yourself reminders that auto-delete

Yes, many businesses use Someone for:

  • Sharing temporary access credentials with contractors
  • Sending sensitive client information
  • Confidential internal communications
  • Secure API key distribution
  • Compliance with data retention policies

For enterprise needs, consider self-hosting for complete control over your data.

Troubleshooting

This usually means someone else opened the link before you did, or you may have accidentally opened it yourself (perhaps in a link preview). Remember, messages can only be read once - that's the core security feature of Someone.

Good news! As of v4.0.6, Someone includes advanced bot detection that prevents link previews and crawlers from consuming your messages. The system can detect 25+ different types of bots including:

  • Social media preview bots (Telegram, WhatsApp, Facebook, Twitter)
  • Messaging platform crawlers (Slack, Discord, Teams)
  • Search engine bots (Google, Bing, DuckDuckGo)
  • AI scrapers and monitoring tools

When a bot tries to access your message, it sees only a secure preview page with no actual content. Your message remains safe for the intended human recipient!

Privacy Protection: External apps can no longer see your message content through their preview systems - they only see generic security information.

Check that:

  • Your message isn't empty
  • You haven't exceeded the 5,000 character limit
  • Your internet connection is stable
  • JavaScript is enabled in your browser

If problems persist, try refreshing the page or using a different browser.