still hella confused as to why self-proclaimed privacy advocates—even teams like @privacyguides—are pushing @element so hard despite the data collection & sharing practices, the loosey-goosey metadata usage, and the fact that they host on AWS.

  • sp6@lemmy.world
    link
    fedilink
    English
    arrow-up
    28
    ·
    1 year ago

    Element isn’t perfect, but what’s a better alternative? A giant Signal group would be a horrible idea, since everyone’s phone numbers would be exposed to the other members (plus there’s a 150 group member limit), and Discord is obviously much worse than Element (from a privacy perspective).

    • @sp6 oh i’m not suggesting Signal, though i trust it and use a FOSS client version of it. i agree with you there and would never pitch Discord either, but Element seems much more open to data leakage (bc of the bridges feature) than any other platform and lacks true decentralization (since everyone just uses the main homeserver) and ephemeral messaging, which makes it a non-starter for me.

      i think Briar, Cwtch, Session, Simplex, and Tox are where we should be looking, no? or even @syphon over Element if Matrix is what we’re set on using (based on privacy policy).

      • sp6@lemmy.world
        link
        fedilink
        English
        arrow-up
        18
        ·
        edit-2
        1 year ago

        Just a quick glance at all of those:

        -Briar, Tox, and Cwtch don’t have iOS clients

        -SimpleX doesn’t have a desktop GUI has issues with big groups (see comment below)

        -Session has a 100-person group chat limit

        -Syphon’s own github states they are “still in alpha and we do not recommend using it where proven and independently verified security is required.” Plus, they haven’t had a release in over a year, so I’m not sure it’s still maintained.

        Element (or most Matrix clients) don’t have any of those issues. Like I said, it’s not perfect, but I see why it’s recommended. All decent alternatives have significant downsides

          • sp6@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            ·
            1 year ago

            Oh nice! Although, one issue from their website:

            “Every message and file gets sent separately to every member in the group”

            That seems fine for small groups, but for the typical Element crowd of large groups, I don’t think that would go over well. If you send a 10MB file in a 2000-person chat, you’d be uploading 20GB of data…

        • ninchuka@lemmy.oneM
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          Some bridges support encryption and even if they don’t there’s a tool to make it so they do pantalaimon

      • ninchuka@lemmy.oneM
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        Everyone doesn’t use the main HS sure it is alot of people but alot also don’t use it

  • mrmojo@beehaw.org
    link
    fedilink
    English
    arrow-up
    15
    ·
    1 year ago

    they host on AWS

    You’re supposed to host on whatever you want.

    data collection & sharing practices

    Fork it if you want, remove what troubles you.

    • @mrmojo

      >You’re supposed to host on whatever you want.

      sure, but if the messages are stored on servers you don’t fully trust or control?

      >Fork it if you want, remove what troubles you.

      can’t argue with this, except that becomes it’s own point of vuln if you’re not adept in development or have sec experts vetting your setup, which make this easy to say and impractical to implement

      (lol sorry for the spamming there… can’t figure out blockquotes)

      • ReversalHatchery@beehaw.org
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        sure, but if the messages are stored on servers you don’t fully trust or control?

        Encrypted messages.
        Also, you can limit which servers can participate in your room’s federation (in simple terms: which one has access to room data). There’s an option on the Element UI to disallow federating the room, and I think it’s also possible to have fine grained control over it (with so called server ACLs)

        data collection & sharing practices

        Isn’t it opt-in on all the released Element clients?

      • ReversalHatchery@beehaw.org
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        Of course, as soon as two people take this advice and then attempt to communicate, we have reached the standoff, where One of the two people must swear off their data sovereignty.

        What is your idea to solve this?

        With centralized messaging services, both of them must swear off their data sovereignty.
        While with true peer to peer systems none of them must do that, that model is not really compatible with mobile devices as both the sender and the receiver has to be online at the same time for the message to go through, and generally any device that is not online 24/7, which mostly includes all desktop PCs.

        For this reason, I think that for the average user (who does not have a 24/7 online server-role machine, or maybe even a desktop computer) the best solution is to choose a server operator who they trust with their data. Or, they may try to run a lightweight homeserver on their mobile device (laptop or even smartphone), and live with it’s shortcomings. Not like it’s not possible, and this way everyone can register where they want, including their own part-time server if they are more comfortable that way.

        However I think I did not totally understand what is your exact concern.
        Do you think it to be a problem that even if you run your own server, messages you sent to your friend on another one will be stored on that homeserver too?
        If so, I don’t think it’s possible to solve that problem. They (your friend) have chosen to take a compromise between security and ease of use by trusting someone else with storage. You can’t tell them - only suggest - where should they store their data, otherwise they would lose their sovereignty over it.
        Fortunately confidentiality can be kept with encryption, and if you are concerned with the other server having access to metadata, you could patch your server to try to generalize the message metadata to some extent, like with delaying sending messages to they 10th minute and such measures.

          • ReversalHatchery@beehaw.org
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            1 year ago

            a federated service has all the downsides of a centralized service

            No it doesn’t? A single party cannot block you from participating in the network, as you can just find a different provider, and you can have control over what servers may store your data, both as a server operator and as a room admin.

      • sir_reginald@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        matrix is VC funded and therefore has a big marketing budget. the XMPP foundation is community maintained and XMPP itself is a public domain standard, so there are not such interests nor capitals investing in it to make promotion.

      • commie@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        i agree with the analysis about the ledger being copied across servers. it seems wildly inefficient and like a major security concern. i actually deleted an account on a FRIEND’s server because i joined some pretty-active public channels on onther servers and they found that i was using some not-insignificant portion of their server resources just to log channels i would pop into on occasion.

      • 0x0@programming.dev
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        There hasn’t, it’s just that matrix gets a lot of publicity and every other day someone falsely claims the death of XMPP or that Google killed it.

  • vzq@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    6
    ·
    1 year ago

    The only thing a regular person will do on element is lose their key and cry softly into a pillow.

    • ReversalHatchery@beehaw.org
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      And at that point it was just working like Signal does. Right?

      New users should be told that they won’t have access to their old messages, just like with signal, unless they do a one-time additional setup.
      This really should be exclaimed at the beginning on every chat history in every major client, because it is not obvious, and as you said users only realize when the damage was already done, or not even then.