🤖 AI Summary
This study investigates users’ cognitive biases and privacy expectations regarding “untraceability”—the property of preventing third parties from identifying communication endpoints—in messaging platforms. Method: We conducted an empirical study with 189 participants using scenario-based surveys grounded in fictional platforms (Texty and Chatty), complemented by qualitative coding, threat model mapping, and mental model analysis. Contribution/Results: We present the first systematic evidence that users conflate untraceability with bidirectional sender–recipient anonymity—i.e., mutual identity concealment—rather than its cryptographic definition: resistance to external tracking. This fundamental misalignment between user mental models and formal threat models leads to misconceptions about critical protocol design elements, including anonymity set size and metadata protection. Our findings provide essential human-centered evidence and actionable design guidelines for developing usable, privacy-preserving untraceable communication protocols and features.
📝 Abstract
Mainstream messaging platforms offer a variety of features designed to enhance user privacy, such as disappearing messages, password-protected chats, and end-to-end encryption (E2EE), which primarily protect message contents. Beyond contents, the transmission of messages generates metadata that can reveal who communicates with whom, when and how often. In this paper, we study user perceptions of "untraceability", i.e., preventing third parties from tracing who communicates with whom, with the goal of informing the design of privacy-enhancing features in messaging platforms and untraceable communication protocols that depend on large anonymity sets and widespread user adoption. We explore this from a broad conceptual standpoint: rather than studying mental models of a particular solution, we analyze how users reason about what features should be incorporated by two fictitious platforms, Texty and Chatty, to prevent third parties from knowing who communicates with whom. Through a vignette-based survey with 189 participants, we found that users associate the concept of untraceability with a wide range of privacy-enhancing technologies, implying a diverse set of threat models. Overall, the features suggested by participants show awareness of privacy threats stemming from forms of surveillance and unauthorized access to message contents. Many participants also associated untraceability with the notion of anonymity, but interpreted it as senders and receivers concealing their identity from each other rather than only from third parties. We discuss the gap between users' perceptions of untraceability and the threat models addressed by untraceable communication protocols, as well as how different privacy attitudes point to challenges and opportunities for the adoption of untraceable communication tools in messaging platforms.