Is matrix.org snooping?
- Login o registrati per inviare commenti
Someone on some mailing list I subscribed recently sent a link to some article criticizing Matrix on the grounds of privacy[1]. There is also some more writing linked, including a pdf with some analyzis of some behaviors of Matrix/Riot and comments defending Matrix[2].
I wanted to ask what you all think about this
[1] https://www.hackea.org/notas/matrix.html
[2] https://matrix.org/~matthew/Response_to_-_Notes_on_privacy_and_data_collection_of_Matrix.pdf
My knowledge on this subject is very limited.
Things that I noticed:
- Matrix works easily with synapse on Freedombox for communication between users with account on the same Freedombox
- joining a group hosted by matrix.org takes several minutes (joining any XMPP group is instantaneous)
- the only desktop client from FSDG distros are quaternion and nheko, I haven't managed to connect with nheko, quaternion looks ok
- for Android, most clients are based on Element and seem focused on being good looking rather than privacy, except for Syphon (but it warns that it is alpha)
- on iOS devices, Element (and I think all matrix clients I found) indicate collecting data, while ChatSecure, Monal and Siskin IM, for XMPP, indicate collecting none
At the moment, I am focusing on XMPP, in my efforts to have my contacts adopt some free software communication system (too many functional issues with Jami).
Thanks, Avron! I find the experience you shared very helpful in making my own decisions.
My own experience with Matrix is the following:
* I installed the reference Matrix server (Synapse) using apt.
* I could connect to it using Quaternion that I also installed with apt.
* My instance seemed to have been integrating properly with gitter.im.
* I could not integrate with other Matrix instances. The suspected reason is due to version difference between Synapse I installed with apt and Synapse everybody else was using (today this could no longer be a problem depending on what version the current stable of Debian and Devuan have).
* I wanted to set up a web client to make it effortless for others to join but none was packaged for Debian&friends. All available ones relied on npm repository which does not meet my security and freedom standards.
* Having an instance running generated way too much unnecessary traffic on my VPS (federation...) which led to lags. This (together with limited usefulness) was the reason I ultimately uninstalled Synapse.
At some point I'm also going to set up an XMPP server
> At some point I'm also going to set up an XMPP server
On Freedombox file upload is not activated for ejabberd, so I use it only for MAXS on my phone with Replicant, to send/receive SMS. I use a third party XMPP server for communications with human contacts, but many of them use iOS devices on which XMPP clients are either not fully functional or difficult to use.
I want to try running a Snikket instance, hoping that the iOS client is better so I could more easily convince these contacts to use XMPP. Snikket seems to only provide support for installing an instance with docker (it apparently includes prosody and coturn with configuration), which I never used so far. I am not happy that the container is to be downloaded from some place that I am not confident holds only free software but I do hope that the Snikket people are ensuring that the Snikket container is made in a way that ensures that no non-free software or dependency is used.
For those who need to connect to Matrix chats - disroot.org has a page[1] that explains how to use a public bridge at matrix.org to connect from XMPP. And if I understand correctly, this is not at all specific to disroot and should work with any XMPP server
Yes, and normaly martix force the user to run nonfree javascript and google analitycs, for that reason and others i recommend always XMPP and P2P, like GNU Jami and Tox. Here you can find more replacement to the nonfree software and maybe a new software for make your computing with computer user freedom: https://libreplanet.org/wiki/Remote_Communication and if you go to move to the XMPP, i recommend two clients, the first one is Gajim, and if the user run a "smart"phone i recommend dont use it more, but if they dont have other option they can install blabber, here the web site: https://blabber.im/en.html
How about an XMPP "web" client? I admit it is better to use a standalone program. That's out of question. I am thinking about all those people whom I want to introduce to free software and who might be uneager to install things just because I tell them to.
Do you happen to know of any "good" web front-end for XMPP that I could self-host? I don't think I'll be able to find something that has everything I want but perhaps there'll be something with at least a subset of those qualities:
- available under a free software license (that's a pretty obvious requirement...)
- packaged for Debian or Guix
- works without JS
- all the optional JS in use should be served in a LibreJS-compliant way
- can be configured to allow users to join rooms as guests (i.e. without registration)
- supports OMEMO for registered users (only possible when JS is enabled, I guess)
- supports displaying older messages if archive is enabled[1]
- supports sending files (using this[2] extension perhaps?)
- supports voice chat when JS is enabled
Obviously, some of these might require using specific server extensions or even one particular server implementation. That's OK as long as the required server software also has the expected qualities
[1] https://xmpp.org/extensions/xep-0313.html
[2] https://xmpp.org/extensions/xep-0363.html
> I am thinking about all those people [...] who might be uneager to install things just because I tell them to.
Everyone I know using a mobile phone is willing to install anything gratis without thinking. This is bad but it is so. The biggest difficulty for me is to recommend a decent client for people using iThings, so that they don't get pissed off.
> Do you happen to know of any "good" web front-end for XMPP that I could self-host?
I never used any web front-end for XMPP but I just noticed I can install JSXC on the Freedombox, so I'll try and report. https://xmpp.org/software/clients/ is listing a few others.
> - works without JS
> - - all the optional JS in use should be served in a LibreJS-compliant way
I doubt that exists.
> - supports displaying older messages if archive is enabled[1]
> - supports sending files (using this[2] extension perhaps?)
Yes, you got the correct extensions. My guess is that the support is mostly on the server, but I'll try JSXC.
Matrix seemed too bloated when I used it. In fact it was slowing my laptop so much, it became unusable after some time and I needed to restart. nheko and other clients had similar problem or/and lacking features.
So based on some articles I found credible at the time (which unfortunately I cannot retrieve to provide them as references), my understanding is that matrix is poorly written, had (has?) ties with the secret services of the state of Israel and keeps too much metadata. Xmpp on the other hand is more conservative in gaining new features, but this is because it supports standardization and trying to implement good code.
Both can be self hosted using a freedombox server. In fact koszkonutek, freedomobx, apart from ejabberd server, comes with jsxc web chat client. I suggest to have a look as I thing it ticks some of the boxes you asked for.
Another option is tox (and qtox as client).
Thank you both for the JSXC and qtox suggestions. I'll look into them. I hope one day I will be able to dedicate time to make one of them tick the missing boxes
EDIT: Btw, here[1] you can find the FSFE mailing list archives with ongoing discussion regarding Matrix and XMPP
[1] https://lists.fsfe.org/pipermail/discussion/2022-March/thread.html
The privacy problems with Matrix are huge. Just read this if you want to get a taste of it:
https://matrix.org/legal/identity-server-privacy-notice-1#37-who-can-see-my-matrix-idthird-party-identifier-associations
https://matrix.org/legal/identity-server-privacy-notice-1#310-what-happens-if-new-vector-is-sold
If you have more time you can start with any of these issues from 2019:
https://github.com/privacytools/services/issues/17
https://gitlab.com/prism-break/prism-break/-/issues/2176
https://github.com/libremonde-org/paper-research-privacy-matrix.org
The main problem is that it is so complex that most users are not even aware of what services they are using, because these have to be configured by default. So even if the protocol is supposed to be federated, everybody is using just one instance, which obviously gives its owners far too much power anyway. This what the lead dev and "Guardian of the Matrix" had to say about Riot being delisted from PRISM-break:
"Personally I think the autonomy to pick/run your own server and the E2EE is more valuable for privacy than the fact that metadata gathers on servers." Given that almost everyone is in fact using the same server, the metadata gathering combined with the CloudFlaring sounds even more problematic.
EDIT: This is how these issues got addressed. One year later, not much had changed, as per this, although privacytools seems to have relisted Riot/Element.
- Login o registrati per inviare commenti