still hella confused as to why self-proclaimed privacy advocates—even teams like @privacyguides—are pushing @element so hard despite the data collection & sharing practices, the loosey-goosey metadata usage, and the fact that they host on AWS.
matrix is VC funded and therefore has a big marketing budget. the XMPP foundation is community maintained and XMPP itself is a public domain standard, so there are not such interests nor capitals investing in it to make promotion.
i agree with the analysis about the ledger being copied across servers. it seems wildly inefficient and like a major security concern. i actually deleted an account on a FRIEND’s server because i joined some pretty-active public channels on onther servers and they found that i was using some not-insignificant portion of their server resources just to log channels i would pop into on occasion.
sure, but if the messages are stored on servers you don’t fully trust or control?
>Fork it if you want, remove what troubles you.
can’t argue with this, except that becomes it’s own point of vuln if you’re not adept in development or have sec experts vetting your setup, which make this easy to say and impractical to implement
(lol sorry for the spamming there… can’t figure out blockquotes)
sure, but if the messages are stored on servers you don’t fully trust or control?
Encrypted messages.
Also, you can limit which servers can participate in your room’s federation (in simple terms: which one has access to room data). There’s an option on the Element UI to disallow federating the room, and I think it’s also possible to have fine grained control over it (with so called server ACLs)
data collection & sharing practices
Isn’t it opt-in on all the released Element clients?
Of course, as soon as two people take this advice and then attempt to communicate, we have reached the standoff, where One of the two people must swear off their data sovereignty.
What is your idea to solve this?
With centralized messaging services, both of them must swear off their data sovereignty.
While with true peer to peer systems none of them must do that, that model is not really compatible with mobile devices as both the sender and the receiver has to be online at the same time for the message to go through, and generally any device that is not online 24/7, which mostly includes all desktop PCs.
For this reason, I think that for the average user (who does not have a 24/7 online server-role machine, or maybe even a desktop computer) the best solution is to choose a server operator who they trust with their data. Or, they may try to run a lightweight homeserver on their mobile device (laptop or even smartphone), and live with it’s shortcomings. Not like it’s not possible, and this way everyone can register where they want, including their own part-time server if they are more comfortable that way.
However I think I did not totally understand what is your exact concern.
Do you think it to be a problem that even if you run your own server, messages you sent to your friend on another one will be stored on that homeserver too?
If so, I don’t think it’s possible to solve that problem. They (your friend) have chosen to take a compromise between security and ease of use by trusting someone else with storage. You can’t tell them - only suggest - where should they store their data, otherwise they would lose their sovereignty over it.
Fortunately confidentiality can be kept with encryption, and if you are concerned with the other server having access to metadata, you could patch your server to try to generalize the message metadata to some extent, like with delaying sending messages to they 10th minute and such measures.
a federated service has all the downsides of a centralized service
No it doesn’t? A single party cannot block you from participating in the network, as you can just find a different provider, and you can have control over what servers may store your data, both as a server operator and as a room admin.
Element isn’t perfect, but what’s a better alternative? A giant Signal group would be a horrible idea, since everyone’s phone numbers would be exposed to the other members (plus there’s a 150 group member limit), and Discord is obviously much worse than Element (from a privacy perspective).
@sp6 oh i’m not suggesting Signal, though i trust it and use a FOSS client version of it. i agree with you there and would never pitch Discord either, but Element seems much more open to data leakage (bc of the bridges feature) than any other platform and lacks true decentralization (since everyone just uses the main homeserver) and ephemeral messaging, which makes it a non-starter for me.
i think Briar, Cwtch, Session, Simplex, and Tox are where we should be looking, no? or even @syphon over Element if Matrix is what we’re set on using (based on privacy policy).
-SimpleX doesn’t have a desktop GUI has issues with big groups (see comment below)
-Session has a 100-person group chat limit
-Syphon’s own github states they are “still in alpha and we do not recommend using it where proven and independently verified security is required.” Plus, they haven’t had a release in over a year, so I’m not sure it’s still maintained.
Element (or most Matrix clients) don’t have any of those issues. Like I said, it’s not perfect, but I see why it’s recommended. All decent alternatives have significant downsides
“Every message and file gets sent separately to every member in the group”
That seems fine for small groups, but for the typical Element crowd of large groups, I don’t think that would go over well. If you send a 10MB file in a 2000-person chat, you’d be uploading 20GB of data…
I looked at SimpleX a little while ago… and it was looking fine… until I read that they list ‘groups’ in some kind of directory… like chat rooms I imagine. Deal breaker for me.
And at that point it was just working like Signal does. Right?
New users should be told that they won’t have access to their old messages, just like with signal, unless they do a one-time additional setup.
This really should be exclaimed at the beginning on every chat history in every major client, because it is not obvious, and as you said users only realize when the damage was already done, or not even then.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !privacyguides@lemmy.one
In the digital age, protecting your personal information might seem like an impossible task. We’re here to help.
This is a community for sharing news about privacy, posting information about cool privacy tools and services, and getting advice about your privacy journey.
You can subscribe to this community from any Kbin or Lemmy instance:
Check out our website at privacyguides.org before asking your questions here. We’ve tried answering the common questions and recommendations there!
Want to get involved? The website is open-source on GitHub, and your help would be appreciated!
This community is the “official” Privacy Guides community on Lemmy, which can be verified here. Other “Privacy Guides” communities on other Lemmy servers are not moderated by this team or associated with the website.
Moderation Rules:
We prefer posting about open-source software whenever possible.
No soliciting engagement: Don’t ask for upvotes, follows, etc.
Surveys, Fundraising, and Petitions must be pre-approved by the mod team.
Be civil, no violence, hate speech. Assume people here are posting in good faith.
Don’t repost topics which have already been covered here.
News posts must be related to privacy and security, and your post title must match the article headline exactly. Do not editorialize titles, you can post your opinions in the post body or a comment.
Memes/images/video posts that could be summarized as text explanations should not be posted. Infographics and conference talks from reputable sources are acceptable.
No help vampires: This is not a tech support subreddit, don’t abuse our community’s willingness to help. Questions related to privacy, security or privacy/security related software and their configurations are acceptable.
No misinformation: Extraordinary claims must be matched with evidence.
Do not post about VPNs or cryptocurrencies which are not listed on privacyguides.org. See Rule 2 for info on adding new recommendations to the website.
General guides or software lists are not permitted. Original sources and research about specific topics are allowed as long as they are high quality and factual. We are not providing a platform for poorly-vetted, out-of-date or conflicting recommendations.
What about IRC or darkirc?
XMPP+OMEMO
deleted by creator
xmpp with omemo hasn’t been mentioned but I would be perfectly happy if we all switched to that
@commie ya same. i didn’t mention it bc it seems like there was an exodus from XMPP to Matrix for some reason
matrix is VC funded and therefore has a big marketing budget. the XMPP foundation is community maintained and XMPP itself is a public domain standard, so there are not such interests nor capitals investing in it to make promotion.
There hasn’t, it’s just that matrix gets a lot of publicity and every other day someone falsely claims the death of XMPP or that Google killed it.
i agree with the analysis about the ledger being copied across servers. it seems wildly inefficient and like a major security concern. i actually deleted an account on a FRIEND’s server because i joined some pretty-active public channels on onther servers and they found that i was using some not-insignificant portion of their server resources just to log channels i would pop into on occasion.
You’re supposed to host on whatever you want.
Fork it if you want, remove what troubles you.
@mrmojo
>You’re supposed to host on whatever you want.
sure, but if the messages are stored on servers you don’t fully trust or control?
>Fork it if you want, remove what troubles you.
can’t argue with this, except that becomes it’s own point of vuln if you’re not adept in development or have sec experts vetting your setup, which make this easy to say and impractical to implement
(lol sorry for the spamming there… can’t figure out blockquotes)
Encrypted messages.
Also, you can limit which servers can participate in your room’s federation (in simple terms: which one has access to room data). There’s an option on the Element UI to disallow federating the room, and I think it’s also possible to have fine grained control over it (with so called server ACLs)
Isn’t it opt-in on all the released Element clients?
deleted by creator
whitelists: exist
deleted by creator
deleted by creator
What is your idea to solve this?
With centralized messaging services, both of them must swear off their data sovereignty.
While with true peer to peer systems none of them must do that, that model is not really compatible with mobile devices as both the sender and the receiver has to be online at the same time for the message to go through, and generally any device that is not online 24/7, which mostly includes all desktop PCs.
For this reason, I think that for the average user (who does not have a 24/7 online server-role machine, or maybe even a desktop computer) the best solution is to choose a server operator who they trust with their data. Or, they may try to run a lightweight homeserver on their mobile device (laptop or even smartphone), and live with it’s shortcomings. Not like it’s not possible, and this way everyone can register where they want, including their own part-time server if they are more comfortable that way.
However I think I did not totally understand what is your exact concern.
Do you think it to be a problem that even if you run your own server, messages you sent to your friend on another one will be stored on that homeserver too?
If so, I don’t think it’s possible to solve that problem. They (your friend) have chosen to take a compromise between security and ease of use by trusting someone else with storage. You can’t tell them - only suggest - where should they store their data, otherwise they would lose their sovereignty over it.
Fortunately confidentiality can be kept with encryption, and if you are concerned with the other server having access to metadata, you could patch your server to try to generalize the message metadata to some extent, like with delaying sending messages to they 10th minute and such measures.
deleted by creator
No it doesn’t? A single party cannot block you from participating in the network, as you can just find a different provider, and you can have control over what servers may store your data, both as a server operator and as a room admin.
Element isn’t perfect, but what’s a better alternative? A giant Signal group would be a horrible idea, since everyone’s phone numbers would be exposed to the other members (plus there’s a 150 group member limit), and Discord is obviously much worse than Element (from a privacy perspective).
@sp6 oh i’m not suggesting Signal, though i trust it and use a FOSS client version of it. i agree with you there and would never pitch Discord either, but Element seems much more open to data leakage (bc of the bridges feature) than any other platform and lacks true decentralization (since everyone just uses the main homeserver) and ephemeral messaging, which makes it a non-starter for me.
i think Briar, Cwtch, Session, Simplex, and Tox are where we should be looking, no? or even @syphon over Element if Matrix is what we’re set on using (based on privacy policy).
Everyone doesn’t use the main HS sure it is alot of people but alot also don’t use it
Bridges only work in rooms that aren’t encrypted, I think.
Some bridges support encryption and even if they don’t there’s a tool to make it so they do pantalaimon
Just a quick glance at all of those:
-Briar, Tox, and Cwtch don’t have iOS clients
-SimpleX
doesn’t have a desktop GUIhas issues with big groups (see comment below)-Session has a 100-person group chat limit
-Syphon’s own github states they are “still in alpha and we do not recommend using it where proven and independently verified security is required.” Plus, they haven’t had a release in over a year, so I’m not sure it’s still maintained.
Element (or most Matrix clients) don’t have any of those issues. Like I said, it’s not perfect, but I see why it’s recommended. All decent alternatives have significant downsides
deleted by creator
Oh nice! Although, one issue from their website:
“Every message and file gets sent separately to every member in the group”
That seems fine for small groups, but for the typical Element crowd of large groups, I don’t think that would go over well. If you send a 10MB file in a 2000-person chat, you’d be uploading 20GB of data…
deleted by creator
Revolt is certainly better than Discord’s privacy, but since it doesn’t yet have E2EE, it doesn’t seem like very privacy-focused software
deleted by creator
@whale @sp6
I looked at SimpleX a little while ago… and it was looking fine… until I read that they list ‘groups’ in some kind of directory… like chat rooms I imagine. Deal breaker for me.
deleted by creator
The only thing a regular person will do on element is lose their key and cry softly into a pillow.
And at that point it was just working like Signal does. Right?
New users should be told that they won’t have access to their old messages, just like with signal, unless they do a one-time additional setup.
This really should be exclaimed at the beginning on every chat history in every major client, because it is not obvious, and as you said users only realize when the damage was already done, or not even then.
Element doesn’t do shit.