We are in contact with the Matrix/Riot team.
What did you find ‘creepy’?
Using Riot on Android, I am unable to find users who have accounts - using their handle - without giving access to my contacts. They, in turn, have a hard time finding me.
I was looking to do more research on this to understand exactly what’s going on or if I’m doing something wrong, but if we want privacy and security, we should be able to allow limited permissions to such an app and simply use handles to locate and communicate. This has turned me off from using the app. No need to know all my contacts so that I can communicate with one person who I can exactly identify.
A lot of that info should not be collected by a privacy-wise service.
I’m not a technical guy, but I think a privacy app should just need:
- mail/password for login (well protected with hashing)
- used room (encrypted)
- chat content (encrypted)
Of course any server will see (not collect; why collect?) the IP, user agent and stuff like that, but in the link you can read a lot of stuff I think they should not even have. Again, why COLLECT?
Then I hope the app (like others on the Librem 5) will run as a kind of Flatpak, where no app can “steal” data from another app, and when they need it a pop-up must be shown, and of course a kind of privacy panel with permissions where we can see and modify the preferences (like Privacy Guard in LineageOS).
I would like to know: are you looking into this with the Matrix guys?
I share some of these concerns. While on the Matrix website and in presentations the words “End-to-End” and “Encrypted” are used frequently, the statistics draw a different picture (source):
Also, I currently get the impression from the Matrix blog that fancy features, UX improvements and bridging between different messaging silos (WhatsApp, Telegram, etc.) have higher priority at the moment than laying the foundations for truly decentralised identity management (also see the “needs” here from less than a week ago).
Another interesting fact is the set of permissions the Riot.im Android app currently requires:
- android.permission.INTERNET
- android.permission.VIBRATE
- android.permission.READ_EXTERNAL_STORAGE
- android.permission.READ_CONTACTS
- android.permission.WRITE_EXTERNAL_STORAGE
- android.permission.ACCESS_NETWORK_STATE
- android.permission.READ_LOGS
- android.permission.REORDER_TASKS
- android.permission.GET_TASKS
- android.permission.CAMERA
- android.permission.RECORD_AUDIO
- android.permission.MODIFY_AUDIO_SETTINGS
- android.permission.MANAGE_DOCUMENTS
- android.permission.WAKE_LOCK
- android.permission.RECEIVE_BOOT_COMPLETED
- com.sec.android.provider.badge.permission.READ
- com.sec.android.provider.badge.permission.WRITE
- com.htc.launcher.permission.READ_SETTINGS
- com.htc.launcher.permission.UPDATE_SHORTCUT
- com.sonyericsson.home.permission.BROADCAST_BADGE
- com.anddoes.launcher.permission.UPDATE_COUNT
- com.majeur.launcher.permission.UPDATE_BADGE
- android.permission.BLUETOOTH
I understand it is still very early days for the Matrix project, so I hope that these things will improve significantly until the completion of the Librem 5. I also think we need to keep watching this space and keep asking for privacy if the situation doesn’t improve by itself.
As for the term “collect” Riot.im is using in its privacy statement, I think this just means that they get access to the respective data and may store it. Considering that they have the ability to bridge between messaging protocols, that’ll probably also mean they have (need) access to a user’s other instant messaging accounts… so users intending to use this feature may care even less about their privacy/security; something I do not understand at all.
What I just said about “early days” seems to be confirmed by Riot’s security page:
As of May 2017 Riot’s end-to-end encryption is technically in beta, but this is due to some residual stability bugs and missing usability features. Once these are resolved we plan to get the full implementation security assessed and out of beta. End-to-end encryption will then be turned on by default for private conversations.
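A manifest permission list like the one above says little on its own: on Android 6.0 and later only the “dangerous” permissions are decided by the user at runtime, a couple of the declared ones are signature/system-only and are never granted to a third-party app at all, and the rest are either install-time “normal” permissions or OEM launcher-badge permissions. The following is an added example, not code from the thread or from the Riot project: it parses `<uses-permission>` entries out of an AndroidManifest.xml and buckets them by protection level. The manifest is constructed from the list quoted above; the dangerous and privileged sets are the platform’s documented protection levels for those names, and the hostname and package name are placeholders.

```python
"""Bucket the <uses-permission> entries of an AndroidManifest.xml by protection level.

Added example for auditing an app's declared permissions. The sample manifest is
constructed from the permission list quoted in the thread; package name is made up.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Runtime ("dangerous") permissions: on Android 6.0+ the user is prompted for these
# when the feature is first used; before 6.0 they were all granted at install time.
DANGEROUS = {
    "android.permission.READ_CONTACTS",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Signature/privileged permissions: declaring them is a no-op for an ordinary app.
# READ_LOGS has not been grantable to third-party apps since Android 4.1;
# MANAGE_DOCUMENTS is reserved for the system documents provider.
PRIVILEGED = {
    "android.permission.READ_LOGS",
    "android.permission.MANAGE_DOCUMENTS",
}

# Constructed sample manifest (entries taken from the list quoted in the thread).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="im.example.chat">
""" + "\n".join(
    '  <uses-permission android:name="%s"/>' % p for p in [
        "android.permission.INTERNET", "android.permission.VIBRATE",
        "android.permission.READ_EXTERNAL_STORAGE", "android.permission.READ_CONTACTS",
        "android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.ACCESS_NETWORK_STATE",
        "android.permission.READ_LOGS", "android.permission.REORDER_TASKS",
        "android.permission.GET_TASKS", "android.permission.CAMERA",
        "android.permission.RECORD_AUDIO", "android.permission.MODIFY_AUDIO_SETTINGS",
        "android.permission.MANAGE_DOCUMENTS", "android.permission.WAKE_LOCK",
        "android.permission.RECEIVE_BOOT_COMPLETED",
        "com.sec.android.provider.badge.permission.READ",
        "com.sec.android.provider.badge.permission.WRITE",
        "com.htc.launcher.permission.READ_SETTINGS",
        "com.htc.launcher.permission.UPDATE_SHORTCUT",
        "com.sonyericsson.home.permission.BROADCAST_BADGE",
        "com.anddoes.launcher.permission.UPDATE_COUNT",
        "com.majeur.launcher.permission.UPDATE_BADGE",
        "android.permission.BLUETOOTH",
    ]
) + "\n</manifest>\n"


def parse_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def classify(permissions):
    """Group permission names into dangerous / privileged / normal / vendor buckets."""
    report = {"dangerous": [], "privileged": [], "normal": [], "vendor": []}
    for perm in permissions:
        if perm in DANGEROUS:
            report["dangerous"].append(perm)
        elif perm in PRIVILEGED:
            report["privileged"].append(perm)
        elif perm.startswith("android.permission."):
            report["normal"].append(perm)       # install-time, no user prompt
        else:
            report["vendor"].append(perm)       # OEM launcher badge/shortcut permissions
    return report


def audit(manifest_xml=SAMPLE_MANIFEST):
    """Parse and classify a manifest; the 'dangerous' bucket is what a user on 6.0+ actually decides on."""
    return classify(parse_permissions(manifest_xml))


if __name__ == "__main__":
    for bucket, names in audit().items():
        print("%-10s %s" % (bucket, ", ".join(names) or "-"))
```

Of the 23 declared permissions, five are runtime-prompted (contacts, camera, microphone, read/write storage), two cannot be obtained by a third-party app at all, and seven are vendor badge permissions that only matter on those OEMs’ launchers. Whether the app asks for the dangerous ones lazily or on first launch is a code question the manifest cannot answer; a quick way to check is to install it on Android 6.0+ and watch when the prompts appear.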
The second one is app permissions, but let’s see how the Librem 5 handles it.
I’d like to have an official reply from Purism about it, because I feel it is a privacy problem.
I just hope this Matrix stuff will be optional and removable, not integrated into the core messaging system of the phone, so that I could just wipe it clean and install my preferred messaging app.
I do understand about vanilla OS and blah, but I hate to remove some core components. I.e. removing the Telepathy stack with libcomhistoryd on Jolla is possible but insane (Telepathy is pluggable though, hence not bound to any specific protocol).
Hi folks - I’m the project lead for Matrix.org; only just found this, so sorry for the delay. Quick answers on my side:
- Agreed that the policy is too large and scary, although in practice all it does is to spell out (in gratuitous detail) the data which you share by using Matrix at all; forbid illegality and abuse; and give the right to optionally use analytics in the apps to help us see what features people are using and how much.
- The reason the policy is so large and doesn’t have a TL;DR is that it was provided by the corporate overlords who used to fund Matrix and Riot. As of July we no longer work for them, and the policy has yet to be updated to reflect the new setup (which is now an independent startup). When we do this in the near future we intend to make it much clearer and less scary, as well as make it clearer that, again, it only applies to people using the default matrix.org homeserver.
- With this all in mind, I’m not sure I agree that Matrix is “a privacy problem”.
- @shagreen: Riot/Android should let you find users fine without giving access to your contacts; since July it implements the ‘user search’ API which lets you query your server for all the users you have rooms in common with or who are in publicly visible rooms. Now, if you still can’t find the user, then you either enter their email address or phone number. Finally, you also have the option of searching your contacts, but only if you give permission. So we’re hardly mandating it.
- cgelinek: It should be a no-brainer that improving the app’s UX (to avoid confusion like @shagreen’s above) is as important as, if not more so than, working on deeper infrastructure work like decentralised identity/reputation. You’re right that E2E is still being polished, but we’re working on this as fast as we can and the support of the Librem 5 project helps substantially with this. In terms of it being “early days”: it may still be beta right now but it’s still the most advanced decentralised end-to-end encryption solution out there, plus the first to have a public audit of its core crypto. In terms of permissions: I believe that all of the perms you’ve quoted for the Android app are these days prompted incrementally (in Android M and later) as you use the features which require them; we spent ages getting this right.
- ruff I’m sure you’ll be able to delete the default dialler/messaging app if you so desire.
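The ‘user search’ route mentioned in the reply above is the Client-Server API’s user directory endpoint: an authenticated `POST /_matrix/client/r0/user_directory/search` with a `search_term`, which the homeserver answers from the users you share rooms with or who are in public rooms, so nothing from the phone’s address book is involved. The following is an added example, not code from the thread or from the Matrix/Riot projects: it builds that request and parses the response, with the HTTP transport injected so it runs offline against a constructed fake homeserver. The homeserver URL, access token and directory contents are all made up; the request/response shapes follow the published endpoint.

```python
"""Look up a Matrix user by handle through the user directory, not the address book.

Added example; not the Riot client's code. `post` is injected so the demo runs
offline against a constructed fake server; replace it with a real HTTP call to use it.
"""
import json

USER_DIRECTORY_PATH = "/_matrix/client/r0/user_directory/search"


def build_search_request(homeserver, access_token, search_term, limit=10):
    """Return (url, headers, body) for a user-directory query."""
    url = homeserver.rstrip("/") + USER_DIRECTORY_PATH
    headers = {
        "Authorization": "Bearer " + access_token,   # the user's own access token
        "Content-Type": "application/json",
    }
    body = json.dumps({"search_term": search_term, "limit": limit})
    return url, headers, body


def search_users(post, homeserver, access_token, search_term, limit=10):
    """post(url, headers, body) -> (status, text). Returns ([(user_id, display_name)], limited)."""
    url, headers, body = build_search_request(homeserver, access_token, search_term, limit)
    status, text = post(url, headers, body)
    if status != 200:
        raise RuntimeError("user directory search failed: HTTP %d: %s" % (status, text))
    payload = json.loads(text)
    results = [(r["user_id"], r.get("display_name")) for r in payload.get("results", [])]
    # 'limited' tells the client the server truncated the result set at `limit`.
    return results, bool(payload.get("limited", False))


# ---- constructed fake homeserver for the offline demo (made-up users and token) ----
FAKE_TOKEN = "example-access-token"
FAKE_DIRECTORY = [
    {"user_id": "@alice:example.org", "display_name": "Alice"},
    {"user_id": "@alicia:example.org", "display_name": "Alicia"},
    {"user_id": "@bob:example.org", "display_name": "Bob"},
]


def fake_post(url, headers, body):
    """Minimal stand-in for a homeserver: auth check, substring match on id/display name."""
    if not url.endswith(USER_DIRECTORY_PATH):
        return 404, json.dumps({"errcode": "M_UNRECOGNIZED"})
    if headers.get("Authorization") != "Bearer " + FAKE_TOKEN:
        return 401, json.dumps({"errcode": "M_MISSING_TOKEN"})
    req = json.loads(body)
    term = req["search_term"].lower()
    hits = [u for u in FAKE_DIRECTORY
            if term in u["user_id"].lower() or term in u["display_name"].lower()]
    limit = req.get("limit", 10)
    return 200, json.dumps({"results": hits[:limit], "limited": len(hits) > limit})


def demo(term="ali", limit=10):
    return search_users(fake_post, "https://matrix.example.org", FAKE_TOKEN, term, limit)


if __name__ == "__main__":
    users, limited = demo()
    for user_id, name in users:
        print(user_id, name)
    print("truncated:", limited)
```

The search term is the only thing that leaves the device, and it goes to your own homeserver. That is the privacy-relevant difference from the e-mail/phone fallback, which asks an identity server about a third party’s address, and from contact sync, which uploads the whole address book; the directory search should be tried first.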
Thank you @matthew for your reply, it’s very appreciated.
It is awesome to have the option to make your own server; the problem is for normal users who are not able to do it, so we have to trust the server admin/owner.
Same for the client: I’m scared of Android app permissions, and I really hope Purism will make this issue a priority, giving the user the full power to manage it with a good user interface and pop-ups when needed, and of course I hope the Matrix client will just require the permissions it really needs and will access the data when WE choose to use it.
I know I’m paranoid, but as I wrote we live in a big-data surveillance/economy era, and freedom is really important to me. I think companies like Matrix and Purism have this user target, because normal users will just spend $100 on an Android phone with WhatsApp, used by almost everyone: less money needed and fewer problems. I have to convince people to use Matrix to communicate with me, and every time I’ll be watched like an alien (“why are you not using WhatsApp?” and so on); then I will explain why I really think differently. That’s why your policies and how the service/data storage work need to be made for paranoids like me. Thanks to Snowden and other heroes, we know we cannot really trust people or companies; that’s why technology architecture is more important than a manifesto.
Opt-in is also awesome: as I understand you need analytics to improve your product, and with opt-in you will respect the user’s privacy and will
About Android permissions, I just don’t like how Android works, but this is because usually apps will abuse these permissions.
Keep us updated on this if you still have time to communicate with us. Thanks again for your time and your work; it is important to have a privacy-wise communication system to be used for freedom and free speech.
Yes, I found that wondrous when I touched Matrix the first time. For Purism, which states it will use Telepathy (which I consider the way to go, while not really usable currently), I wonder if there would be a native “connection manager” for Matrix (a libpurple one seems to exist and there is a bridge from Telepathy).
@purism: will there be a Telepathy connection manager for SMS/MMS?
Where are you seeing that Purism is going to use Telepathy?
I’ve read it somewhere but don’t remember where and can’t find it with their search. It may well be that it was mentioned as part of PureOS, and they say PureOS will be installed on the Librem 5…
I like the Telepathy idea as (in theory) you can freely choose the protocol and the GUI. But I found a mail thread now about the topic which even mentions Matrix and the Librem 5 (and contains a post from a Matthew Hodgson; is that you?) which tells a lot about architectural problems of Telepathy… so what’s your opinion?
Yup, that mail-thread was me too. As you saw, there was debate on whether telepathy should be left to die, or whether Matrix could replace it (albeit with quite a different architecture, given the multi-headed approach would be done serverside rather than clientside), or whether there’s a “telepathy but done right” model which could work better, providing a local OS abstraction which could be backed by Matrix (or other connectors if preferred). To my knowledge there hasn’t been a conclusion yet, although on the Matrix side we’re syncing with Purism about it this week.
I’m quite new to Matrix (old user of IRC and Jabber) but amazed. But from my view Matrix can’t be a replacement for Telepathy (I wondered about the subject already) as it’s below: as you say, a huge change in architecture.
The Telepathy design fits so well because you are forced to stay on the device with a mobile if you want to support SMS/MMS; a proxy is mentioned there but that sounds ugly.
I’m not that deep into the messaging topic (I’ve only seen that Empathy is unusable). Can you enlighten me about the major problems of the Telepathy architecture? Is it fixable with affordable effort?
Rob McQueen (who I think ran the telepathy project) wrote a huge rant on its problems here: https://mail.gnome.org/archives/desktop-devel-list/2017-September/msg00047.html. Meanwhile, some of the stuff that telepathy doesn’t implement (and can’t, without big reengineering effort) include:
- Infinite scrollback serverside history
- Synced history across multiple devices
- Server side search
- Server side notification settings
- Read receipts
- Read-up-to markers
- Multiway voip
- Promoting 1:1s to group chats and vice versa
- Native end-to-end encryption (verifying keys, devices, sharing keys, etc)
- Encrypted file transfers
- Redacted msgs
- Reactions / upvotes / downvotes
- Editable msgs
- Pinned messages
You’re right that Matrix isn’t a direct replacement, as architecturally it differs. However, one approach being considered is to expose a Matrix-like API in the OS which maps easily to the Matrix client/server protocol, and is handled by a daemon process of some kind which handles some of the heavy lifting (e.g. E2E crypto; local chat history). This daemon could also implement other backends direct to IRC, XMPP, Slack or whatever if people wanted to take Matrix out of the loop entirely, at which point it starts feeling a bit like a modern version of telepathy (although in practice the only ‘connector’ which we’d be focusing on the Matrix side would be the Matrix-backed one).
So you see the Matrix protocol as a blueprint for an API which can be used for other protocols or even local stuff like SMS or voice calls; did I get that right?
Still, a background daemon handles the local stuff (I already thought of history; I’m often in areas without internet access and hate not being able to use my phone). I like that idea…
What’s your opinion about D-Bus? The mail thread states it’s the cause of the bad performance.