About matrix and riot

Does not sound like they disable the call-home address book upload anti-feature by default, and would only do opt-in for specific queries, instead of bulk data uploads.

Is this their “solution”?: Continuing to let all installed clients contact their servers, but now enforcing personal authentication for their central vector services, requiring acceptance of their “privacy policies”?

Could the PR material not sound like PR material, if the goal would be to develop a protocol that would not require to accept any external privacy breaching policy?

Could another protocol, instead, promote a default no-data-collection policy for clients and homeservers?
Maybe requiring something like some form of “tainted” flag if a home server or client wants to do data-collection that requires to be accepted to comply with the GDPR?

Maybe a way to implement this might be some form of a GPL+data-sufficiency copyright?

EDIT: Or is the GDPR already sufficient?

Any comments on the quote below, like in the pdf response from matrix? To avoid it from falling under marketing gibberish for promoting a larger privacy impact vector.

It is (is it?) right that not-allowing something does not-necessarily mean not doing so, but still keeps the option for rating freedom and privacy equally high (as – any low to negative number)?

Reading this now, could be revealing a different kind of accuracy depth, possibly including but not limiting the spreading of some FUD regarding own homeservers and other apps?

and as mentioned in #matrix:matrix.org:

“basically, there’s some stuff we could do better; we’ve almost finished a project to do so as per that post. much of the other stuff in the original gist is alarmist BS - mixing together innocuous stuff with a few legit issues in order to scare people and promote a hostile fork.”

1 Like

Let’s see, clients and servers that contact central servers and require the acceptance of privacy policies will speak for themselves.

Just to clarify: The blog post says, enforced agreement to the policy was a means to make everybody AWARE of the defaults, not to hinder anybody to change them. It also says that it’s unfortunate that those on other instances are NOT necessarily aware of said defaults (as they don’t see that policy).

This is also not a protocol thing. It’s the defaults of clients and servers. All of those things can be changed and improved. For example, I’d expect Purism to use different defaults.

However, I also understand the point that for adoption beyond the geek circle this kind of convenience can be viewed as important. I just don’t assume they do it with bad intentions.

1 Like

But who is assuming something? It just became obvious that there is no intention at Vector inc. to change the global out of the box default, to stop shipping a central data collection system, in favor of a decentral network that might still allow for some hosts catering to the “I publish the private contact data of my friends” type of people.

The question is if “Jami encrypted message chat and video call”’s current implementation of an optional name server service is already better or can still be improved.


Does the sentence have a spin conveying something that is not said?

Truth is, only they can change the default, so pure privacy respecting companies will have to support a fork that does not require accepting server “privacy” policies, and to use the fixed system instead.

It’s time to ask the question “how does Vector make money, what is its business model?”.
This topic seems to show that they are not trying to delete tracers (in order to clearly remove the suspicions), but to change a privacy policy that the end user must accept.

I reached a point where I was sure of Purism’s good intentions. But between this problem (concerning Vector), but also the Librem Chat which depends on this protocol, I’m starting to wonder if Librem 5 will really respect privacy by default or if it should be diverted (ex: Firefox instead of Pure Browser, a private instant messaging instead of Librem Chat, Silence instead of SMS by default, etc.).

I’m not accusing anything, but I’m not a fanboy either: I’m wondering.

1 Like

This is what they offer if you pay


I think that’s their business model, a legit one.

Imo the weak points are just because they are young and have a lot of work to do, so it is not ideal yet, but I think the community should keep an eye on them, as with every project, to be sure they improve the privacy in their systems. They changed the riot/matrix privacy policy because of a request I made in this topic, so I think they will improve the other part too. I’ve chatted with Matthew and someone else who works on the project in their official room, and my impression is they made some improvements on the privacy side and they know there is a lot more to do, but now they must focus on the protocols and the riotx client, to offer a working service.
I have some issues with riot and I’ve opened some tickets about it, so I agree they must focus on making the system usable.
After they reach this goal I think you should keep asking for a fix for this privacy issue.

We have erased all of the data where there is any chance that the data subject didn’t understand how, why or with whom their data was being shared.
We’ve made a change to Sydent so that it no longer persists new associations relating to users on homeservers not run by New Vector.


A question to everybody, is this a hard problem?

What does really matter

in conjunction with free software?

Fully usable without requiring to opt-in, or Consent to share your secrets???

Thanks, but no thanks.
That’s not a credible behaviour for a company to sell your privacy. A lot of time has passed since the GDPR was introduced, and required changes.

Make sure you’re not buying into a critical mass adoption strategy.

Don’t just think they may be not interested in private things, only to store them on their own servers?

Their new android app called RiotX doesn’t have any trackers (for now) @Caliga XD https://reports.exodus-privacy.eu.org/en/reports/85212/

You read that wrong.

Nobody wrote or demonstrated they are selling data; the issue is about some info the server has that could be improved.

I’m the guy who opened this topic, so I’m always asking and pushing for more privacy, but they need to make money too, as everyone else does, to pay the bills, so it’s understandable if now they are prioritizing functionality and stability, so they can start to sell their product; otherwise, if they close the project, there is nothing to talk about.
This doesn’t mean we should be quiet, but probably ask for a kind of roadmap to understand if after stability the next priority will really be privacy; then we can check if they care about it.

Is it obvious, if one is not wary after repetitive proof – that sweet talking privacy does not correspond to doing privacy-conscious work?

Weighing to the contrary?

1 Like

Can we know they are not selling data from their “privacy” statement?
However, we do know they sold and may anytime sell the company, or any share of it, to investors interested in accessing the collected data.

I agree, that’s why we need to keep an eye on this as a community, but we should also understand this can’t always be a top priority. I mean, since I opened the topic they have fixed a lot of stuff: if you read what I wrote about the privacy policy and their actual one, it seems they copied it, and I really appreciate it. RiotX, the next Android client, which will substitute Riot, has no trackers at all, and that’s another improvement.
Now, from the project lead’s words, I felt they have done a lot of work for privacy and they know there is a lot more to do, but now they need to focus on other things. What I suggest is to give them time; I mean, let’s see what they do, and let’s ask them to fix this issue again, maybe in May 2020, and let’s see what they say.

As users we have different options: XMPP seems good too, and Purism will offer this service afaik (correct me if I’m wrong). Average users will use WhatsApp; we know the other guys like us are looking for alternatives, so it will be in their interest too to be good. I mean, if their service sucks I switch to something else, and I will not be the only one, I think.

1 Like

But making the user’s privacy a priority, and consequently producing and shipping software that does not require to accept some data collection statement, is based on executive decisions.

Obviously, the vector decision was to go for data collection and “privacy” statement “marketing”. And possibly for community managing?

What to wait for at this time, other than correcting a wrong decision about promoting a company’s market share? A protocol migration path for librem one chat?

I think matrix-riot-vector may have repeatedly shown that it is not compatible with the executive decision laid down at https://puri.sm/about/social-purpose/ , especially the consent-to-collect requirements and the corresponding quick-actions taken to go forward?

Good that there are alternatives, but should that be a successor product out of the same hands that integrates an own blockchain id protocol?

Well, you’re right maybe using XMPP (+ jitsi-meet-mobile-sdk) could be an option.

Actually, Email-Chat might be an option, too. It has by far the broadest reach, anyway. And the plug-in is ready to get packaged for Librem 5’s “Chatty” app: https://source.puri.sm/Librem5/chatty/issues/96.

With jitsi-meet-sdk voice and video chat support in chatty, the peers could even use a web-link for talking, in case the peer’s client doesn’t have integrated jitsi webrtc support.


Wow, that’s an interesting project!
I tried a while ago delta on my an-bloody-droid, but eventually I came back to Telegram. But with the Librem 5 (or Pinephone) I would love to give it a go again, especially if I can call/video call through a Web link (in an easy way). I wonder if there is something similar for plasma mobile