- cross-posted to:
- privacy@programming.dev
- cross-posted to:
- privacy@programming.dev
I currently use Telegram for my friends and family, but have reluctantly come to the conclusion that the UK Government is either reaching agreement for backdoors with messaging services, or is trying its hardest to.
I’m also on Element/Matrix. Before I try to get my contacts to join me on there, should I be aware of any privacy issues or is that a good place to head?
Telegram is probably the worst thing you could use, it doesn’t encrypt messages by default and they are stored on Telegram’s servers, so they can read them at any time.
Yes, Matrix leaks a bunch of metadata and doesn’t have post-quantum encryption.
The best option is to use Signal. It uses end-to-end encryption by default for everything: Normal chats, group chats, voice and video calls and even stories. Messages are only stored on their servers (in encrypted format, so they can’t access them) until you receive them, after which they are promptly deleted and only stored on your device. And Signal has much better metadata protection than Matrix. The UX is also much better and less confusing, making onboarding new users much easier.
But you should also be aware that Signal does not federate, so the company can be bought. They have control over all accounts and the servers, without easy way to migrate away again. So it might just be another trap.
Try to use federated services (like matrix), they are more robust against hostile take overs.
At least (to my knowledge) the Signal messages are decrypted on the client end, so buying the company doesn’t give them automatic access to messages.
Having said that, I’m sure a hostile new owner could update the app to decrypt and then send the messages as plaintext to the servers if they wanted…
Well, you can still insert client side decryption into the app.
But it isn’t really about the messages, it is about the control of the servers and the accounts. You cannot easily move away from their servers, because you will lose your contacts. This gives the people controlling the servers power over you. A sort of vendor lockin.
That’s why all clients are fully open-source. You can also use a fork like Molly.
AFAIK, Signal does not want anyone to use alternative clients, has that changed?
As far as I know moxie, signals lead dev, considers only the use of the officially build and distributed client authorized to use their servers.
So if they ever manage to detect someone using their services with an alternative client, they might delete your account.
https://techcrunch.com/2016/11/07/signal-app-maker-rebuts-criticism-of-dev-direction-by-calling-for-more-community-help/
The company (Signal Messenger LLC) is fully owned by Signal Foundation, a 501©3 non profit organization.
I generally like this idea, and I also use federated services for things like social media, that’s why we’re having a discussion here on Lemmy. But it introduces some issues with private messaging, like lack of reliability, which sucks if you want to use Matrix as your primary messenger, as well as metadata leaks. Federation is not always the answer, and in my opinion definitely not when it comes private and secure messaging.
Probably around 80-90% of Matrix users are on the matrix.org homeserver, so it’s absolutely not as decentralized and resilient as you think it is.
OpenAI is also non-profit. Not really an argument.
Well, the goal is that moving to your own server, will not mean that you will loose access to all your contacts. Which makes moving instances much simpler. If Matrix gets a hostile take-over, your don’t really need to reach a critical mass for an alternative server.