Chat Apps, Government Ties, and Transparency
threema.ch
external-link
Over the past days, two popular chat services have accused each other of having undisclosed government ties. According to Signal president Meredith Whittaker, Telegram is not only “notoriously insecure” but also “routinely cooperates with governments behind the scenes.” Telegram founder Pavel Durov, on the other hand, claims that “the US government spent $3M to build Signal’s encryption” and Signal’s current leaders are “activists used by the US state department for regime change abroad.”

how has no one discussed matrix here

The Doctor
link
fedilink
337M

Unable to decrypt message

Unable to decrypt message

Unable to decrypt message

Unable to decrypt message

Unable to decrypt message

Unable to decrypt message

@Tenkard@lemmy.ml
link
fedilink
14
edit-2
7M

That must mean it’s working! :D

Dessalines
link
fedilink
167M

I don’t get it at all. There are plenty of platforms like matrix, xmpp, simplex that don’t require phone numbers tied to your identity. Signal has somehow managed to convince people that it’s a private platform, despite it being a US hosted service that requires phone numbers.

deleted by creator

Say the US government, in a worst-case scenario in which it constantly monitors all traffic that goes through Signal’s data centers, can ‘only’ see phone numbers, IP addresses and timestamps, right? Or am I forgetting something here?

Dessalines
link
fedilink
7
edit-2
7M

Metadata and social graphs are more important than message content, esp since not many people have the time to read through individual messages to build meaning.

Signal stores phone numbers (meaning your identity, and home address), and message timestamps: who texted who and when, and who’s in chats with who else. More than enough to build social graphs and connections, and also figure out where people are through their IP addresses.

Do you happen to know what metadata matrix stores? I assume matrix.org specifically stores email and username, right

Dessalines
link
fedilink
17M

Yes, but I don’t think user metadata outside of your apub url, name, icon, display name, leaves your homeserver. Email or passwords don’t leave iirc.

Brayd
link
fedilink
17M

Signal can’t see who is texting who. They can’t see which groups you are part of. Those information are end to end encrypted, same as your chats itself, your profile picture, your stories, etc.

Signal doesn’t store message timestamps either.

What Signal itself knows of you is your phone number, the timestamp of your registration, the timestamp of your last connection to the server. That’s it.

Yes metadata is critical but Signal handles metadata very well. Indeed, even though I’m a fan of Matrix, better than Matrix. Matrix is a metadata nightmare due to it’s centralized structure and the way the protocol works.

Dessalines
link
fedilink
47M

Signal can’t see who is texting who. They can’t see which groups you are part of. Those information are end to end encrypted, same as your chats itself, your profile picture, your stories, etc.

This is completely false. They can absolutely see who is texting who, in fact they need it to be able to route messages. They have message timestamps, and phone numbers stored in their database.

Question, why do you “trust” signal? You can’t see what code their centralized server is running, unlike matrix which you can self-host and build from source. You don’t have to “trust” matrix, you can verify it for yourself.

Brayd
link
fedilink
07M

Signals server is open source. You can run a server. You just can’t connect to the main net because each server is it’s own thing so it doesn’t make sense besides for development purposes.

Please don’t spread misinformation.

Dessalines
link
fedilink
07M

They went over a year without publishing their server updates. And how do you know signal is running the code they say they are? Do you trust them?

Brayd
link
fedilink
07M

The good thing here is that you don’t need to trust the server in order to have a secure communication since your clients decrypt and encrypt and not the server.

Yes they can optimize with things like this but that doesn’t make it insecure. It’s still the most secure solution that the average person can use.

Threema doesn’t even have the server open sourced at all, are for profit and their encryption has been compromised.

Session is shady.

Matrix is a metadata nightmare due to it’s federated aspects.

SimpleX is the only thing that is secure, anonymous and good in this regards but it has some small details left that prevents people from switching. I.e. simple things like the fact that you can’t see an overview of your images and videos sent in a chat without scrolling up all those messages. It seems trivial but for the average user stuff like that is important since they know it and use it every day in other messengers.

Right. So arguably better than WhatsApp, where each users’ contact books, profile photos, bios, and each group chat name, picture and description is not E2E. But to call it ‘private’ is not logical, looking at the alternatives, of which some are much more private.

Who have they convinced that it is private? I think it has more to do with the overall purpose of the platform. Signal is not made for large group chatting with strangers like Matrix.

I use Matrix for my personal 1 on 1 chats with family and friends, so dunno

The Doctor
link
fedilink
87M

It’s a Google hosted service, which is arguably worse because they may as well be a nation-state unto themselves.

And the largest homeserver, matrix.org, is MITM’d by Crimeflare.

Fuck matrix.org, just selfhost.

The Doctor
link
fedilink
27M

Doable, but a huge pain in the ass because of conflicts in the protocol. I spent about a year trying to suss them out and come up with a fix but never figured it out.

Any homeserver that federates (even indirectly) with matrix.org will still have practically all the same data shared with it, just not your password.

What passwords where?

The password used to login to the homeserver

Wasn’t Amazon involved here as well? It is another “nation-state”.

The Doctor
link
fedilink
37M

I do not think so, no. However, Amazon is certainly big enough to be un-humorously compared to nation-states as well.

I remembered it as being AWS. Checked their blog, and the article about their spending mentions renting space in AWS and Azure too, indeed.

Create a post

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

  • Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
  • Don’t promote proprietary software
  • Try to keep things on topic
  • If you have a question, please try searching for previous discussions, maybe it has already been answered
  • Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
  • Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

  • 0 users online
  • 57 users / day
  • 383 users / week
  • 1.5K users / month
  • 5.7K users / 6 months
  • 1 subscriber
  • 3.13K Posts
  • 78.3K Comments
  • Modlog