Get the App
Secure Drop
Anonymous · Encrypted · No login required
Your message is sealed and anonymous. We cannot identify you. No account or login is needed.
Your message
Max 3 files, 10 MB each
Secure Channel
Anonymous · Bidirectional · Encrypted
Start an anonymous conversation. You'll receive a thread code to check for replies later.
Your message
Max 3 files, 10 MB each
Thread Code
Enter your thread code above to check for replies.
EchoDrop

Speak the Passphrase.
Retrieve the Message. PREMIUM

Create encrypted messages retrieved by speaking a secret passphrase. Voice processing occurs locally on your device — only a hash of the resulting text is sent for verification. PBKDF2 key derivation with 600,000+ iterations. Then it burns.

See EchoDrop in Action

Watch the EchoDrop demo: how a spoken passphrase protects an encrypted message from creation through retrieval — with speech recognition that never leaves your device.

  • Record a secret voice passphrase for your message
  • AES-256 encryption derived from your spoken words
  • Share the retrieval code — recipient speaks to decrypt
  • Message self-destructs after successful retrieval
City of Hats EchoDrop

Speak to unlock your messages.

EchoDrop is voice-passphrase message retrieval. Record a secret phrase when you send. The recipient must speak it back to decrypt. All voice recognition happens entirely on-device.

  • Voice-passphrase triggered decryption — no passwords to type
  • On-device voice recognition — nothing leaves the phone
  • End-to-end encrypted at rest and in transit
  • Set expiration timers and maximum retrieval attempts
  • No transcript, no recording stored — zero-knowledge by design

Voice-Triggered. Zero-Knowledge. Ephemeral.

EchoDrop turns a spoken passphrase into a decryption key — with voice processing designed to stay on your device. Proven cryptographic standards meet on-device speech recognition.

Voice-Passphrase Retrieval

Speak a secret phrase — or type it — to retrieve and decrypt your message. The system converts speech to text entirely on your device using the Web Speech API.

VOICE-TRIGGERED

On-Device Speech Recognition

Voice processing occurs locally on your device using the Web Speech API. No audio recordings, voice data, or speech patterns are transmitted to City of Hats servers — only a text hash is sent for verification.

ZERO-KNOWLEDGE

PBKDF2 Key Derivation

Your passphrase is stretched through PBKDF2 with a high iteration count (600,000+) to derive the AES-256-GCM encryption key. Only a SHA-256 hash is stored server-side for matching.

PBKDF2 · 600K+

Full Dead Drop Lifecycle

Set EchoDrops to burn after first read, limit retrieval count, add time-lock delays, or auto-destroy after a countdown. Once burned, the encrypted payload is permanently deleted.

EPHEMERAL

Four Steps to Voice-Triggered Retrieval

From compose to speak — the passphrase is never stored. Only the hash touches the server.

1

Compose Message

Write your secret message. Set lifecycle rules — burn-after-read, time-lock, retrieval limit, auto-destroy.

2

Set Passphrase

Choose a system-generated passphrase or create your own. PBKDF2 derives the encryption key. Only the SHA-256 hash is stored.

3

Share the Passphrase

Tell your recipient the passphrase — in person, by phone, or through a separate channel. No digital link needed.

4

Speak & Retrieve

The recipient speaks the passphrase into City of Hats. On-device STT converts it to text, the hash matches, and the message decrypts. Then it burns.

Speak Passphrase

On-device speech-to-text. Only a text hash is sent.

SHA-256

Hash Matching

SHA-256 hash compared server-side. No plaintext passphrase stored.

PBKDF2

Decrypt & Burn

AES-256-GCM decryption. Payload destroyed after read.

Compose
Write & encrypt message
Passphrase
Set secret phrase
Share
Tell recipient the phrase
Speak
Voice or type passphrase
Burn
Message destroyed

Who Uses EchoDrop?

When the retrieval method itself needs to be untraceable — no links, no files, no digital trail.

Journalists & Whistleblowers

Share a spoken passphrase in person. The source speaks it later to retrieve your encrypted instructions. No digital link to intercept or subpoena.

High-Risk Environments

Share sensitive directives retrieved by voice. No links in browser history, no files on disk, no messages in chat logs. The passphrase exists only in memory.

Financial Compliance

Share sensitive compliance decisions or trade instructions via voice-triggered retrieval. Full audit trail of lifecycle events without exposing content.

Legal Privilege

Deliver privileged legal communications that can only be retrieved by speaking the passphrase. No forwarding, no screenshots of links — just a burned message.

Incident Response

Coordinate breach response through voice-triggered instructions. Share the passphrase on a secure call. The response team speaks it to get the playbook. Then it's gone.

Healthcare

Share HIPAA-sensitive patient data between practitioners using a spoken passphrase. No digital trail — the message self-destructs after retrieval.

What EchoDrop Guarantees

Every architectural decision is designed to eliminate digital traces of both the message and the retrieval method.

Enforced by Architecture

  • On-device speech-to-text (Web Speech API)
  • PBKDF2 key derivation with high iteration count (600,000+)
  • AES-256-GCM client-side encryption
  • SHA-256 hash-only server storage
  • Burn-after-read with server-side deletion
  • Text-to-speech read aloud option
  • Voice processing designed to stay on-device

Never Happens

  • No voice recordings stored anywhere
  • No plaintext passphrase stored on server
  • No encryption keys stored server-side
  • No sender-recipient metadata linking
  • No server-side backups of burned payloads
  • No recovery after burn

Enterprise-Ready Architecture

EchoDrop is built to align with privacy regulations and enterprise security policies — without compromising on cryptographic strength.

On-Device Processing

Voice-to-text conversion is designed to stay local. No audio data is collected, stored, or transmitted by City of Hats.

Zero Plaintext Storage

Neither the passphrase nor the message content is ever stored in plaintext on our servers. Only hashes and encrypted blobs.

Lifecycle Deletion

Burn-after-read, retrieval limits, and auto-destroy timers ensure data minimization by design — aligned with GDPR and PIPEDA.

Audit-Ready Architecture

Lifecycle events (creation, retrieval, deletion) are logged without exposing content — providing compliance evidence without privacy compromise.