
Tightening up Privacy in Matrix - blendergeek
https://matrix.org/blog/2019/06/30/tightening-up-privacy-in-matrix
======
WhatIsDukkha
The addressbook, contact matching and public email are pretty low value from
my perspective.

I'd much rather personally validate and match my contacts on my own and I
really think this should be the default with huge WARNING to people that want
to share their email globally and addressbook with the server etc.

"Users don't care" is largely because developers submarine the issues with "UX
flow" reasoning.

Excusing this toxic data exfiltration with "UX" really doesn't hold water.

Edit -

Specifically looking at

[https://github.com/vector-im/riot-web/issues/10167](https://github.com/vector-im/riot-web/issues/10167)

This looks like industry standard bury the issue in unreadable TOS
boilerplate.

How about "Hey YOU PROBABLY DON'T NEED to share your email globally unless you
expect to meet your long lost cousin via the matrix.org social graph"

This is a place where ADDING friction makes the world better.

~~~
Arathorn
(Matrix lead here) The core problem is: empirically most users want an app
which works like Signal, WhatsApp, Telegram etc and tells you which other
users are contactable. If you’re some random installing a comms app, you want
to know if any of your contacts are on it already. It’s nothing to do with
whether your long lost cousin is on it.

However, there are then folks hyperfocused on privacy who declare this ‘toxic
data exfiltration’ and vociferously object.

We’re trying to get the balance right, and it’s worth noting that the bug you
linked is still up in the air. We don’t have the final UX yet, but the idea is
to even more explicitly warn the user that their contacts are being uploaded
to an identity lookup service if they want to discover people on the network.
An alternative/complementary approach is [https://github.com/vector-im/riot-web/issues/10093](https://github.com/vector-im/riot-web/issues/10093).

(edited due to accidentally hitting submit...)

~~~
jeltz
> you want to know if any of your contacts are on it already.

For me that is an anti-feature and something which I have so far never wanted
to do. I hate when apps ask me to add users based on my other contact lists. I
want to curate my contact list and only add the people I communicate with over
this platform. I do not want to add a bunch of old contacts which I have
forgotten who they are when moving to a new messenger and I do not want to add
people's accounts which they may have only used once years ago.

And this is entirely ignoring the privacy aspect of it which I do not care
that much about.

~~~
Arathorn
Yup, while many people do like this feature (the billions of people who use
WhatsApp and breathe a sigh of relief that they can find their friends &
family on the app without having to manually create a whole new contact list),
obviously there are others who do not (irrespective of privacy concerns).
The point of the blog post is to show we're trying to cater for both, rather
than assuming that everyone falls into the WhatsApp bracket.

~~~
techntoke
If you are trying to cater to people that will use your app like the other
services, then why would they just not choose Discord or Telegram in the first
place?

~~~
cyphar
The goal is to make it easier for those people to use Matrix too. Otherwise
you won't ever expand past a fraction of the tech community and won't overcome
the network effect of larger messaging systems.

This is the same reason why (for instance) E2E isn't the default right now --
there were massive usability issues that most normal users would have trouble
with (until very recently you could lose all your historical session keys
unless you were very careful and backed them up religiously). Speaking
anecdotally, several people I've switched to Matrix really wanted to switch
away because they lost all of our old chat messages when they logged out of
their account.

I hope you agree that people without very strong privacy concerns should be
able to use Matrix as well.

------
rendx
The feature I miss most is expiring messages. Yes, it totally depends on
correct end-user client implementations and honest participants, but it is
crucial for many scenarios where a client is compromised after the fact (or,
let's say, an over-ambitious border control...). [https://github.com/vector-im/riot-web/issues/2497](https://github.com/vector-im/riot-web/issues/2497)

~~~
Arathorn
Hopefully this will be coming relatively soon once [https://github.com/matrix-org/matrix-doc/pull/1763](https://github.com/matrix-org/matrix-doc/pull/1763)
is implemented. It’s mainly been waiting for someone interested in sponsoring
the feature (which hasn’t happened yet).

------
0xNippon
I host my own Synapse instance and for the most part it's very reliable. I
don't bridge to anything. So far it's been like pulling teeth to get my
friends to sign up but once they do it's been super reliable. I'm traveling
through Japan right now and the server hosted in NYC has been fine.

There are a few problems. First the UI for approving new client connections in
encrypted chat rooms is complete crap. It needs to be clear and concise what
is happening and currently it starts a super complicated verification process
which is frankly confusing.

It simply needs to say "$user has signed in on a new device $deviceName. Is it
okay to send messages to this device? Yes/No"

That's it.

Also there needs to be a better way to integrate third party plugins. One
thing I miss from Facebook messenger is being able to paste a Spotify link and
have the song come up as an embed.

Finally the bot API could use work. I spent some time professionally
maintaining a Slack bot for a major American cable company and currently it's
much harder to make a Matrix bot and documentation is lacking.

~~~
cyphar
> There are a few problems. First the UI for approving new client connections
> in encrypted chat rooms is complete crap. It needs to be clear and concise
> what is happening and currently it starts a super complicated verification
> process which is frankly confusing.

Device cross-signing has nearly landed and will solve this problem by creating
a pseudo-WoT between users meaning that you need to do verifications very
infrequently (ideally, only once when you first start talking to the user).

> It simply needs to say "$user has signed in on a new device $deviceName. Is
> it okay to send messages to this device? Yes/No"

Doing it this way would open the door to a malicious homeserver (or a user's
account being hacked into) being able to eavesdrop on you. Device names aren't
cryptographically relevant. Device cross-signing (where a user's devices sign
each other) solves the problem in a much safer way.

> Finally the bot API could use work. I spent some time professionally
> maintaining a Slack bot for a major American cable company and currently
> it's much harder to make a Matrix bot and documentation is lacking.

This boils down to the fact that bots are basically just normal Matrix clients
(with a few extra features if you've set them up as an application service).
You might be better served by using a library (like matrix-nio or the Matrix
SDKs).
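The contrast cyphar draws, a device name versus a signature from a key the user has already verified, is easy to see in code. The Go program below is an added illustration, not code from this thread, from Riot or from any Matrix SDK. It uses Go's standard-library ed25519 and collapses the real Matrix cross-signing hierarchy (master, self-signing and user-signing keys) to a single master key that signs device keys; the user ID `@alice:example.org` and the device names are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Device is what a client learns when a contact "signs in on a new device":
// a display name chosen by whoever created the device record, the device's
// public key, and (if the owner cross-signed it) a signature over that key
// made by the owner's master key. Only the last two fields carry any trust.
type Device struct {
	Name      string
	PublicKey ed25519.PublicKey
	MasterSig []byte
}

// User holds the keys a user controls. Real Matrix cross-signing uses a
// master key, a self-signing key and a user-signing key; this example
// collapses the chain to master key -> device key (a simplifying assumption).
type User struct {
	MasterPub  ed25519.PublicKey
	masterPriv ed25519.PrivateKey
}

func NewUser() (*User, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &User{MasterPub: pub, masterPriv: priv}, nil
}

// AddDevice generates a new device key and cross-signs it with the master key,
// which is what happens when the owner verifies their own new device.
func (u *User) AddDevice(name string) (Device, error) {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Device{}, err
	}
	return Device{Name: name, PublicKey: pub, MasterSig: ed25519.Sign(u.masterPriv, pub)}, nil
}

// ForgeDevice models a malicious homeserver or hijacked account announcing a
// device with a convincing name but a key the real owner never signed. The
// forger signs with a key of its own, since it does not hold the master key.
func ForgeDevice(name string) (Device, error) {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Device{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Device{}, err
	}
	return Device{Name: name, PublicKey: pub, MasterSig: ed25519.Sign(attackerPriv, pub)}, nil
}

// TrustStore maps a user ID to the master key the local client verified once,
// out of band (the single verification cyphar mentions).
type TrustStore map[string]ed25519.PublicKey

// TrustByName is the "Is it okay to send to $deviceName? Yes/No" model from the
// parent comment: it accepts any device whose name the user recognises.
func TrustByName(known map[string]bool, d Device) bool {
	return known[d.Name]
}

// TrustBySignature accepts a device only if its key carries a valid signature
// from the master key on record for that user. The name plays no part.
func (ts TrustStore) TrustBySignature(userID string, d Device) bool {
	master, ok := ts[userID]
	if !ok {
		return false // never verified this user: refuse rather than guess
	}
	return ed25519.Verify(master, d.PublicKey, d.MasterSig)
}

func main() {
	alice, _ := NewUser()
	phone, _ := alice.AddDevice("Alice's phone")
	forged, _ := ForgeDevice("Alice's phone") // same name, unsigned by Alice

	store := TrustStore{"@alice:example.org": alice.MasterPub} // constructed sample
	known := map[string]bool{"Alice's phone": true}

	for _, d := range []Device{phone, forged} {
		fmt.Printf("%-14s key=%s name-trust=%v sig-trust=%v\n",
			d.Name, base64.StdEncoding.EncodeToString(d.PublicKey)[:8],
			TrustByName(known, d), store.TrustBySignature("@alice:example.org", d))
	}
}
```

Both devices pass the name check, because the name is free text under the announcer's control; only the genuine device passes the signature check, and a user the client has never verified is rejected outright instead of being waved through.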

------
meruru
I'll take the chance to plug miniVector again. It doesn't solve the problems
discussed in this thread, but it's a stripped-down Riot fork that requires
fewer permissions than the full program: [https://github.com/LiMium/mini-vector-android](https://github.com/LiMium/mini-vector-android)

I have no affiliation with the project.

~~~
larkeith
Also RiotX (full rewrite of Riot Android) is hopefully landing soon, so that
should improve the mobile experience a lot for people who want a full client.

------
maxidorius
Interesting that you tighten up privacy by adding more tracking to your main
website with a cookie spanning sub-domains as well:
[https://github.com/matrix-org/matrix.org/commit/48545495afe1...](https://github.com/matrix-org/matrix.org/commit/48545495afe19a40152a166baee521bca1562d07) and JS code
from twitter directly: [https://github.com/matrix-org/matrix.org/commit/30ece47f8930...](https://github.com/matrix-org/matrix.org/commit/30ece47f893075869ddba7a7906bcac79f1ca50a)

------
Havoc
Seems like a well thought out response

------
maxidorius
(One of the authors of the research doc that triggered this blog entry here)

It's good to finally see a reply, and it's good to see you are addressing some
of the issues we have highlighted. It's a shame it took a whole research
document posted on Hacker News and other websites to start getting your
attention. I am personally surprised about this blog entry (and reply to some
extent), given that the research doc was labeled as "FUD" by the lead dev.

Now that we have it, and that you answered in a blog post, there is one
question we asked several times and that you still did not answer, even in our
GDPR data request: Given that the research document clearly highlights that
users are totally unaware of how their personal data was collected, how it's
going to be used, and that they did not give consent (e.g. storing their
email addresses for a lookup query mechanism) under EU GDPR:

1. Under which lawful basis do you collect, process and allow others to use
such data?

2. Are you going to keep storing/using all the data you have collected using
all the methods highlighted in the research doc, or will you purge all that
was collected without clear knowledge and consent of the users?

