Regular reminder Matrix/Element work closely with law-enforcement to provide encrypted comms for them. It's a sector Matrix/Element actively markets to and deals with. My personal view is I'm not using a chat platform designed/developed by an organization so eager to partner with governments and law enforcement agencies.
Dunno about anyone else but my trust in them is just gone. I'm not saying you have to care (and I don't care if you do). I'm sharing this for the people who do care, and don't want to use "secure messaging" made by people who actively market to and collaborate closely with law enforcement and governments.
I don't really see the problem here, I would prefer my local government use open standards that are secure. If they are weakening the crypto to help the police and government come after me then I would have a problem.
Fair enough to share the information but I take the opposite tack: if it's good enough for LEOs, good enough for me.
I would also be excited to find paying customers when trying to build free software.
In any case I get the feeling if I were to avoid technology built by companies with government contracts I would be left with my retro 8-bit machines. Let's be pragmatic.
How do you know the matrix.org server or the element.io web client is running the same code as the source posted publicly? How exactly do you, personally, audit a hosted service? The answer to both questions is: you don't.
Ok, I'll bite, what even could be the alternative here then? You want something without big funders, totally OSS, and extremely friendly for grandmas? Feels like one of those "you can only pick two" type things to me, but would love to learn that's not the case.
>How do you know the matrix.org server or the element.io web client is running the same code as the source posted publicly? How exactly do you, personally, audit a hosted service? The answer to both questions is: you don't.
And I don't use them. I grab the posted sources and use them on hardware I physically control. If (I'm not, but I do care about my privacy) I was someone that was being pursued by one or more governments/well-funded private actors, I wouldn't use any communication platforms hosted by others.
As the old saw goes: "Three can keep a secret. If two are dead."
I find no issue that the company is working with law-enforcement to provide secure communications. In fact this makes me feel better about the security of those communications as they are trusted by these governments (not that this is a huge mark of quality, but I would consider it positive).
Is your distrust of law-enforcement so strong that any company that they purchase from must be untrustworthy? Or is there another reason that this bothers you?
My concern is in the opposite direction of what everyone appears to be interpreting, despite what I thought was clear wording in my initial post.
It's not that govt/LE uses Matrix. It's that Matrix/Element actively seeks out partnership with govt/LE (to the extent of presenting on stage at a police conference), suggesting they are particularly interested in a relationship with authorities and personally sympathetic to these authorities, at the management/director level.
This is not a position I expect from an organization that is determined to build secure communications potentially used by activists, people living in oppressive/authoritarian regimes, etc... If I was a member of such a high-risk group, I don't think I would be putting my faith in this org to produce something I can actually consider truly secure.
I would guess the reason for that would be that those platforms are willing to pony up real cash and the actual communication protocol itself is no less secure when they use it. See also: Tor, famously developed/funded by the government.
>If I was a member of such a high-risk group, I don't think I would be putting my faith in this org to produce something I can actually consider truly secure.
If I were in such a high-risk group, I wouldn't be putting my "faith" in anyone. Rather, I'd personally make damn sure my sensitive communications couldn't be spied upon.
I'd also point out that repressive/authoritarian regimes don't care about the rule of law and/or personal privacy, so they can just come to your house and take you away without any proof that you're working against the state.
What's more, they can also confiscate any systems/devices you (or others) may have in an attempt to discover the identities of your "co-conspirators." And they can torture you to give up those names, even if the names you give up aren't actually involved at all.
You seem to believe that there's some sort of magical software that can keep someone safe if a government or well-funded private actor wants to get you. News flash: there is no such animal.
From a personal perspective, I do share some of your misgivings about the appearance of sympathies with LE / authorities. It doesn't -feel- all that great to see. But at the end of the day to me it boils down to what another commenter said. If it's good enough for them, it is probably good enough for me. Someone has to pay the bills so the show can go on.
If the problem is that we're not trusting $LE_GOV_AGENCY to use the technology because it may hide abuses of authority, the root problem is that we can't trust $LE_GOV_AGENCY for reasons external to their choice of communication tooling. And that's not a problem I think we can solve with technology alone.
Plus, 'We can't allow X/Y/Z to use encrypted chat because they could do awful things' is a bit of a double-edged sword I personally don't feel comfortable wielding lest it be wielded against my own 'high-risk group'.
Disclaimer: SRE at Element, but I've been running a Matrix homeserver of my own since before I joined the company
The reason we "actively seek out partnership with govt/LE" is simply because they are by far the primary customer segment who actually have a clear need for self-hosted interoperable end-to-end encrypted communication and are willing to pay for it. If we don't find organisations who are willing to pay Element for services, then quite simply we can't pay people to work on Matrix and Element as their day job, and the whole thing would switch into best-effort volunteer-run activity (although I'd presume most of the team would feel pretty burnt if that happened and go spend their free time on something else). About 80% of Element's revenue comes from public sector, and without it the project simply wouldn't exist.
Hopefully, eventually, the rest of the world will wake up to the fact that sleepwalking into using Teams and Slack (or WhatsApp) is a catastrophe in the making. It's only a matter of time before someone publishes a torrent of every line of Teams scrollback or Slack scrollback for some high-profile organisation; the breach has probably already happened; the breacher is just waiting for the best strategic moment to drop the information bomb.
But until then, Element makes payroll by selling to folks like the French and German Governments, the United Nations, etc. They pick Element because it is high trust, and they can audit it and run it themselves. And there is categorically no way that I or other senior management at Element would destroy the company (let alone Matrix) by breaking that trust by letting someone undermine its privacy.
Separately: I'm literally years overdue in publishing Element's internal ethics guidelines publicly, which spell out precisely who we do and don't do business with. For what it's worth, the high level summary is:
* We don't sell to criminals (under UK/US/EU law)
* We don't sell to sanctioned (by UK/US/EU) or abusive govts or organisations
* We don't sell to orgs who explicitly encourage use which goes against our terms of service.
Our definition of abusive governments/orgs is those who commit human rights abuses, or who commit international atrocities (as defined by the UN), or contracts which primarily support the above.
Most western governments (including their police forces) do not fall into this bracket.
>Regular reminder Matrix/Element work closely with law-enforcement to provide encrypted comms for them.
Thank you for the reminder. Based on that, are you claiming that Matrix servers/clients are insecure or have government back doors?
If so, what evidence do you have that supports such a claim?
If not, why should I care? I'm not a fan of many organizations/individuals. Should I survey them all to create a database of software those folks use and refuse to use any software they use? What value would I derive from such actions?
Unless you're claiming the former (evidence please), what difference does it make? I use Matrix servers/clients only on hardware that's under my physical control. And I use free (libre and beer) versions of Matrix implementations, so I'm not even giving the developers any money.
Or are you making the argument that LEOs shouldn't have access to secure communications protocols?
I guess I'm confused because I don't understand what the issue might be. If you'd elucidate, I'd much appreciate it!
I didn't claim/assert anything other than what I linked to already in my original post.
You don't have to care, and like I said, I don't care if you care or not. I'm just making people aware, because some people _do_ care.
It's nice that you personally use matrix on hardware under your physical control. That's rare. The vast vast majority of matrix users have their account on matrix.org and are using Element. I'm glad to hear you are using alternative server and client software.
Since you didn't actually answer the question "why should I care?", perhaps you might deign to answer these instead:
>>I'm not a fan of many organizations/individuals. Should I survey them all to create a database of software those folks use and refuse to use any software they use? What value would I derive from such actions?
Why are those useful questions? Pick some software -- any software in wide use -- and you'll find that someone you find objectionable is using such software.
That includes OS's, browsers, databases, web/application servers, BIOS firmware, chat clients/servers, etc., etc., etc.
If using software that's also used by someone whose actions and/or rhetoric are objectionable to you is "capitulation" to those with whom you oppose/disagree, then you should power off all your electronic devices, smash them into little pieces and never look back.
But (IMHO, at least) taking such a position takes "guilt by association" to ridiculous extremes, especially when talking about open source software that can be audited and modified to suit your purposes.
Don't want your sensitive information shared? Don't share it on platforms not under your control. Full stop.
I'll say it again[0], "three can keep a secret. If two are dead." Food for thought, no?
When someone asks "why should I care," the implication is that they want to know why you care. Dodging the question here is an interesting way to respond.
"Taking money" is a very poor description of a trade, which both parties chose to enter into because they both expect to derive benefit from it. What the parent objects to is presumably the "government/police/military expects to derive benefit" part, not the "taking money" part per se.
There's Element's Chief Product Officer & Managing Director presenting at the European Police Congress[0]: https://mastodon.matrix.org/@element/110310853505977058
And a quick post about their excitement at participating in this conference: https://mastodon.matrix.org/@element/110304013472307767
I mean, whatever, it's just doing business, right? When someone criticized this, they gave a snarky, surprisingly unprofessional response: https://mastodon.matrix.org/@matrix/110334695988903649
[0] https://www.european-police.eu/