signal is not perfect, could be better in my opinion but riot privacy policy is really awfull, they COLLECT alot of data, and it is not needed for the app funtionality, their base is in UK, i simply cannot trust them i see no much difference between them and whatsapp
open source =! privacy ofcourse have opensource applications is a must for privacy, but if an open system collect all this kind of data, is just a joke in a privacy area
in a privacy messagging app i could expect a privacy policy like that
we store:
mail and password for login (well protected with hashing) till you delete your account
used room (encrypted) till you delete your account
chat content (encrypted) till you delete the chat
ip address (encrypted) due to avoid abuse allowing one access per time, this will be automatically deleted when logout
we share no data with other companies and we all we can give to autority according to law is encrypted data
stop, all the other thigs are just rubbish i do not wanna see in online services
i’ve already asked in this forum about it and i got one reply from purism, where i’ve replied with the privacy policy link, then i got no more reply, i understand is not a purism issue but riot, that’s why i hope to have a choice for a messagging app with librem5
Government’s regulations usually impose much longer retention of data then “till you delete account/chat”. Therefore not collecting it in the first place is very important. userd room and chat content should be managed client side, not reside on servers.
I’ve skimmed over Riot’s and Singal’s privacy policy and I get the impression that Riot is like they are going to use the user data for making profit, whereas Signal is not.
thanks @eagle for an informative answer!
I also remebres Signal came as the relative best from my IMs research a few years back. What i dislike about it now is:
requires too much (almost all) permissions on android
bound to phone number
open-source but not free(community) - the development is under very heavy reigns of the company, sometimes going against community PRs,wishes…
So let’s see how Matrix shapes
I’m the project lead for Matrix (and Riot) and can categorically state we are not using user data for profit on Riot, and never will. The Riot privacy policy is indeed too heavy and scary atm but it boils down to “we collect information required to actually power communication; we don’t allow illegality or abuse; we keep the option to use analytics to see what features of Riot people use and so how to focus our dev effort”, which seems pretty reasonable to me. It also applies only to the default matrix dot org homeserver; if you use a different one (eg a hypothetical Purism one) then it can have whatever privacy policy it likes. More info over at About matrix and riot.
Personally, I rate the freedom to select and trust your preferred service provider as high as the need for privacy, which is why Matrix exists (rather than just using Signal). But OWS release a Signal app for the Librem5 you are of course welcome to use it. (Whereas with Matrix you are not beholden to OWS choosing to release an app for the platform).
I do not think this is enough. I am using Signal as a Chromium-plugin. It has to be associated via a QR-code with a phone using the Android or iOS app to be used. I assume the same is true for the Desktop App, so some further hacking is needed for a comfortable solution (you might install Signal for Android on Anbox on a GNU/Linux system, but this would be quite some effort just to use Signal on your phone).
I’d also really like to see Signal on the Librem 5. Signal may have its flaws (as in “it is not perfect”), but its the most privacy aware and secure messenger that you can even make your parents/less computer literate friends install and communicate with them. I do not see this level of security, privacy and ease of use with other applications so far. And in the end you also want to use your phone for communication.
While I appreciate the effort put in the matrix/riot project, at the moment, I see it as quite a different application. It’s fairly easy to set up on your own server, however encryption in Riot is still in a testing phase (imho it shouldn’t even allow for unencrypted anything in the first place) and it relies heavily on storing data/messages on the/a server. Signal, on the other hand, tries to store as little as possible on the server. The downside of course is a non universally accessible history.
All in all I see matrix/riot as a nice replacement for discord/irc and anything targeting multi-user chats, but less as an one-on-one instant messenger/sms replacement.
I think you already noticed it but I posted some information regarding the possibility to write a Signal client for the Librem 5.
I I might find some time to spend into it soon, although it would not go as initially planned. A first version could be written in Java, using as much code as possible provided by Open Whisper Systems and/or the Signal Foundation. A better version could come later in C or C++.
Purism has also already set-up a developer portal for the Librem 5. It is also up to us to enrich the platform with Free Libre Open Source Software
Yes I noticed your post, but somehow after writing here.
I appreciate the incentive, but I think should be backed by OWS somehow. At least having their okay would be nice, as they were not really endorsing any third party applications in the past.
Technically it’d only require an extended desktop client, allowing for activation of phone numbers.
I definitely agree with you. I tried to reach them on Twitter and on their (unofficial) community forums. Several people tried to reach Moxie through Github issues. Moxie has a lot to skim through, and quickly closed the issue as he thought PureOS was yet another Android ROM.
I believe the best to do in the meantime is:
Use as much Signal code as possible and as little extra code as possible to stay as close as we can to the client they intended to write
Explicitly mention that this client is not supported in any way by Signal
This should be enough to start peaceful discussions regarding how we someone/me can work together without causing them issues
Be assured that if I could have stood out of all the noise around them before having them noticing an existing client, I would have!
EDIT: clarified that this is a project of my own and does not involve Purism responsibility
Conversations is FLOSS, but based on the Android framework. So as soon as the device will be Anbox-enabled, Conversations will also work. However, it might be easier to adapt Gajim (which supports OMEMO) to be usable on the Librem 5.
I mean if you’re really paranoid about privacy there’s other Linux messengers out there that are totally zero-access encrypted and decentralized. Check out some at Prism Break. I just don’t use them because:
A: Decentralization is good for privacy, bad for convenience/usability (no offline messaging, etc… you’re essentially going back to the days of simple IRC).
But Wire is basically the good of encryption and all, without decentralization, so I favored that a bit.
B: Nobody else I know uses them.
B is really the main issue. Nobody uses them, and what’s the sense in having it if nobody uses them? If I have a buddy I’m trying to keep top-secret shit with, it’s great since we’ll both use it and know what we’re doing. But since I don’t have any such thing going on… yeah, these things ain’t the most useful.
And this is why even though I’m a security/privacy nut, I still have a Windows computer and still have Skype & Discord… sigh… someitmes it seems to keep secure and private, you have to just not have any social life. And trust me, I’m damn close, but I ain’t totally ground-zero with it at least.
I think the next big step for these applications is to get enough people using them that using them starts to make sense. I know it’s kind-of a self-dependent problem though, that first big influx of users is needed.
I already investigate porting a Signal app for the Librem 5 using their guidelines
Basically that would be a client based on AsmaK’s signal-cli, using D-Bus signals and methods to be fully integrated into PureOS mobile Features. That would most probably be shipped in a Flatpack.
There only are a few methods to write to complete the D-Bus support, plus probably a bit of rewiring when the Features specifications are done
Not much actually, you can alreay send and receive messages and group messages using the daemon and D-Bus.
A few methods are left to add in this interface and in this class. I conctacted AsamK who’s okay with his project being used as a base for the Librem 5 Signal client. Moxie is aware of signal-cli and seems not to have done anything to stop it.
The whole shipping issue is different though. It is not technically complicated, but Moxie is against a packaging of signal-cli’s dependencies as .deb packages.