Pretty much all of our school and local community communication happens via WhatsApp. I'd change to Signal or Telegram in a heartbeat, but the inertia is so great it's not possible.
It pains me to say, but we're getting to the point where companies like Twitter, Facebook and Google need to be treated like utilities or something so that such moves as these can be scrutinised and controlled more effectively as Facebook could pretty much (within current law) introduce whatever policy they like and users would be faced with the option of accepting or being cut off from their local community.
Given the pandemic and the UK lockdown, this is not tolerable.
I want to add that when I left WhatsApp (~2y ago) I deleted my account. WhatsApp kept accepting messages on my behalf. People didn't know I wasn't getting their messages. I'm surprised I don't see this mentioned to the point I wonder if I did something wrong at the time.
In the end, I reopened a WhatsApp account recently because everyone is using WhatsApp in France and I couldn't stand breaking everyone's efforts to bring us together during lockdown.
They saw 2 ticks, meaning delivered to your device? Or did they see one tick, meaning only delivered to the server?
If it's the latter, that's a reasonable choice for the server to make. The server has acknowledged receipt of the message, and failed to send it to your device.
If you wanted WhatsApp to advertise to your contacts that your account was inactive, you could have maybe sent them a message yourself?
Doing this without explicitly telling the other party is a dark pattern.
@heipei: the curse of knowledge, I learned yesterday, via https://news.ycombinator.com/item?id=25658216
What’s more, if you tap on “info” after long pressing any message, the app explains it to you.
Even the ones who do understand a little about the checks probably don't bother thinking about the difference between "sent" and "delivered". They'd understand it if it was pointed out to them, they aren't stupid. But they don't care enough to realize it because they shouldn't _need_ to understand it most of the time.
And even so, the checkmarks are very subtle and easy to not notice if you don't expect to need to look at them. A user is more likely to say "well it didn't give me an error so it must have sent, I wonder why nindalf is ghosting me" rather than "huh, I wonder if WhatsApp actually _delivered_ the message to nindalf, let me check"
I use it somewhat reluctantly which might reduce the degree to which I actively seek out understanding. I wish we'd all go back to vendor neutral channels of communication but I also appreciate the fact that it is less sucky than SMS.
No it’s not a dark pattern. They’re being as transparent as possible. If you long press the message and click “info” they even explain what each tick means and when each event took place. It’s literally not possible to be more transparent than that.
And before the privacy brigade who’ve not used the app show up, this is configurable. You can opt out of sending and receiving read receipts. And since it’s a closed app with no other implementation, you can’t circumvent that either.
Anyway, my point is that WhatsApp shouldn't silently accept messages for a non existent user no matter what weak signals you get. When you send a text message to a non existent number, you get an error. Same for an e-mail.
I can't help but think it's a way to deter users from leaving WhatsApp.
As an FYI to you and anyone reading this, you can convert your account to a business account using WhatsApp for Business. It has an auto-reply feature that you can enable with a custom message, to inform people you've moved to whatever platform you've decided to move to.
You have a choice but it's a bit like voluntary solitary confinement. Especially during a lockdown.
But social media? What do I switch to?
> This is precisely the dilemma in a nutshell.
Exactly my problem too (car mechanic, plumber, school parent committee, loads of my friends …) – I need my car fixed, I need my plumbing fixed, I need to communicate with other parents. I hate that I have no choice but to use a Facebook product when I am not even on Facebook!
I can also not give up the WhatsApp account due to the social pressure. What if I would use a second phone, a cheap one, used only for the whatsapp (and some other essential but privacy invasive apps). I would not have that second phone always with me, but it would provide me access to the social network I need without feeling tracked or providing more data than needed.
I do understand that this doesn't fix exactly the issue presented here, but I already assumed that WhatsApp data was already in Facebook's hands one way or another. But I would limit the amount of information that WhatsApp can track about me by having this application on a phone which does not really represent my full actions as I don't have it with me.
Edit: Corrected some typos.
If they can't be bothered to email or send an SMS to me or use Signal or video call via the multitude of alternative messaging services (Duo, FaceTime, Skype, Signal etc. etc.) I don't think they're that bothered about being my friend are they?
If their friendship hinges on me using a specific mobile app, that's a shallow friendship.
Particularly, this social capital is at its minimum when you're trying to develop new friendships. Good luck starting any when you refuse to use the app that everyone else in the area uses to communicate.
In this instance, if developing friendships relies on me sending my data to some unknown person the other side of the world so that they can build graphs on my activity and follow me around just because everyone else has decided that's what they want to do, then I would choose another path.
Wouldn't you? If not, please send me all your data and details of your activities, all the time. If you can trust that data to some guy you've never met in a datacenter, then why not send it to me. You've got my username - that's more than you'll ever know about the people looking at your data at Facebook.
No, what they said is equivalent to "everybody is smoking but I'll annoy the hell out of them so they stop, and I'll refuse to meet them in person before they quit"
I would not "choose another path" because those things are more important to me. To be blunt, I'm not sending such data to any individual HN reader because that would have no relation at all to my practical ability to maintain friendships with people in real life.
Other people are saying that in their countries, Health Services and bank transactions are coordinated via WhatsApp.
It's not just about messaging your friends, and for many people, "opting out" of WhatsApp is not a viable path.
When you sign up to any service, they ask for an email address. They don't ask for a mobile number necessarily, and there is never a "my mobile number is on WhatsApp" checkbox. Why is the assumption of the organiser that you're on WhatsApp your concern? They have assumed you're on a certain platform, and it's their mistake.
It reminds me of the tidal wave of people suddenly abandoning their own websites and instead using "Find Us On Facebook". They might as well put "Use this keyword on AOL".
Facebook is not the internet, and WhatsApp is not the only communication method.
- Use WA and participate
- Don't use WA, don't participate
- Go stand in front of the home of whoever organizes the activity and have a little one-person picket parade with angrily-worded signs -- this is the same as #2 but might make you feel better
My mind is blown.
Looking on Amazon.com, a Huawei P Smart 2019 (32GB, 3GB) 6.21" FHD+ Display, Dual Camera, 3400 mAh Battery, 4G LTE GSM Dual SIM is $209.99.
I think some have assumed that he went out and bought an iPhone 12 Pro Max as a second phone, and we don't know that.
Hopefully this misuse is just a fad and we can go back to a more sensible use.
But I agree privilege is vastly overused.
The biggest annoyance is that Android only allows having exactly one of those "Work Profiles".
This is what I'm doing currently: an old phone used exclusively for whatsapp (with an empty contact list); it always stays at home.
I only use it to coordinate kid's stuff (school, social activities, etc), so there is no problem with me not having it with me the whole time.
So, these things should be regulated and operated like utilities. Phone companies don't have the right to mine my contact list, and neither should Facebook.
Why not? I would.
You would also have to explain to them that Facebook cannot read your messages, but they can see the meta data. And then you have to explain to them what meta data is.
I think your kid is not going to appreciate your efforts.
'other companies have the same product (talking about chat) and don't contribute to the formation of monopolies'
'you're way out of line'
'i just don't trust them and i use a different service'
'ah? tell me more.'
It's a lesson in civics. To do nothing and say nothing while expecting someone else to fight the good fight is poor citizenship, but it is very good consumerism.
If some company could set themselves up as a utility, and the mobile network operators were to pay that company to run the messaging app + infra, then it could be made to operate like a utility and nobody's data would have to be sold.
I think that model could've worked.
'your device owns you and is siphoning cash from you'
I've also withdrawn from social media.
The exception for now is HN, because it's more of a forum, even when bad information sometimes instates itself as reality for a large conversation, like a big gathering of fans talking about their team that will inevitably fail to win or perhaps a bad STD.
I learn what others are doing through direct and intentional communication, even if technology is used or if the information is second-hand. I don't text back or call back immediately, which my friends and family forgive, but it sometimes seems to hurt my relationships.
I still worry about dependence on large companies, big data companies gathering more information about me than I know myself, and the potential of out-of-control AIs. However, I attribute these in part to my own paranoid thinking that uses my memories of large company layoffs, privacy concerns raised in the tech community, and mostly fiction.
While I've come to the realization that the act of trying to be happy and successful is the very thing that makes me unhappy, and I just need to exist, maybe becoming better at whatever I'm naturally good at, while being here and now with those I'm with, giving my service to them... I still keep wasting time replying about things that don't matter.
Without kids I could see myself getting away with not using WA, but with kids you are really setting yourself up for a very hard time (and prepare to be judged by other (annoyed) parents and your kid will feel the consequences at some point, the kids will miss out on critical and fun information).
WA has almost become what email used to be. Except that it's a controlled platform and we are locked into a single provider, a provider that once promised a focus on privacy and an app free of commercials, forever...
And it's better than SMS at Unicode.
I'm not sure what the problem was, but WhatsApp solved it.
Our generation is reinventing the wheel here, our ancestors had exactly the same problems with the power, water, gas, telephone and rail networks (at some point in time, all those were unregulated and privately owned) and did exactly that. Critical infrastructure needs to be heavily regulated, if not outright publicly owned.
I like the analogy with utilities, but the issue is that we pay for electricity, but we don't pay for our usage of social media. As long as that's true we can hardly do what I'm suggesting above.
Consolidation is a debt. You gain market cap at the cost of introducing systemic weakness and reducing broader market innovation. Once a company becomes a fundamental service they need to be regulated like a utility.
(I will illustrate with Facebook)
Facebook can get the license to operate it but they also need to open up their API’s so others can build on top. These should become web standards governed by w3c.
Facebook is an interesting case as this system would remove all the perverse incentives driving their business model (no more ads). It would also crash their stock. That value hasn’t disappeared though, it has been pushed out to the edge nodes of their network (specifically the companies building on top of their API’s). My thesis is that this model will increase the overall pot while reducing the share the largest players have.
The knock-on effect of this is that investors will see this as the final outcome and be less incentivised to invest. That may be a problem as we don’t want to stop the emergence of billion scale companies altogether. Therefore a mechanism for the people to buy out the company at a fair legally agreed market value should be in place. This will stop crazy upsides and protect the undesirable downsides. The asset then becomes publicly owned but privately operated according to regulations.
AI would fall under the same model. With open API’s and standards anyone can get the data they need to build new AI companies. Especially feasible if we move towards self-sovereign identities and crypto methods of exchange.
To facilitate more small tech innovation we need to introduce a UBI. It will allow more people take risks with their time leading to more cottage innovation. In 100 years it will be a fundamental aspect of fiscal policy.
Additionally education needs to be refocused on making things. People are not equipped with the skills to build things. There is no better way to learn, grow and generate value. If we want a diversified small tech eco-system economy we need to focus on helping people develop the skills that make it possible.
I believe that we need a fully decentralized system, much like e-mail, but realtime and E2EE. Sadly, it seems to me that we're taking the opposite direction. Just a few widely used messengers, all of them are centralized, some of them have E2EE, but who knows for how long - EU commission seems to like the idea of breaking in. No matter what their intentions are, I didn't sign up for that.
Furthermore; I'd much rather have the government spying in my stuff than Facebook selling my data to the highest bidder; at least if that were my only two choices.
Are you seriously comparing letters and private IM conversations? I don't know about you, but I received/sent maybe 5 letters in last 10 years, none of which were from/to another private entity.
> I'd much rather have the government spying
I consider this very short-sighted and dangerous, but that's your choice.
> at least if that were my only two choices
Those are not your only two choices, that's kinda my point. We actually don't have to choose between a greedy company or a state. The only decision people need to make is centralized or decentralized system.
> The only decision people need to make is centralized or decentralized system.
They already have this choice; Matrix and others exist for quite some time already. Yet it is evidently clear that your average citizen will flock to whatever messenger is the easiest to use and is already used by their friends/family. Security/privacy are second thoughts at best, if at all; and even if it were important, grasping the different implications of all the available options isn't exactly easy either.
And since we can probably agree that the vast majority of folks already "fail" to make the right choice in this regard, I'd much rather have a regulated, government-controlled messenger than some company like Facebook. The former is accountable to its citizens, the latter to its shareholders - if I have to pick my poison, the choice is clear.
...because email and IM exist. they used to not exist and people sent paper letters to each other all. the. time.
now there are places and people I need a particular digital post office company to communicate with - and the worst part is, it's because they don't really care and thus force me to risk giving up my data if i want or need (read - am forced to due to life circumstances) to talk with them.
For what it's worth, I too would trust the government a whole lot more than Facebook.
It would seem to me that Americans have had more experiences with bad companies, and Europeans more experiences with bad governments over the past 300 years...
Not to forget the things that were in co-operative ownership, either.
Privatizing them will just let someone else come along and Embrace, extend, extinguish them.
Nobody has a chance, but different reasons in each company:
* What we have seen with Google - For a search engine, the more traffic you get the better results you can give (you can A-B test different algorithms for different queries, and optimise results). For new entrants they need to be popular before they can be better, which is a catch-22. Additionally Google has significant revenue which is very profitable because of its monopoly position, and it can use this to reinvest in search technology to further widen the gap. It's going to take more than 2 people in a garage to beat modern Google at search!
* For a social network, Facebook buy out any potential competition when it's gaining traction to further solidify their monopoly. See WhatsApp, Instagram, Friend.ly etc.
Lately I have been noticing the opposite trend. Google search relevance is going downhill for me. I'm not sure when that started but I noticed it in 2019-ish last two years. Youtube search is so bad (note: I have history disabled), I rely on Google to search YouTube.
Playing cat and mouse with SEO seems to have taken its toll. I find myself going to DDG and Bing a few times a week. Before it was only Google.
> For a social network, Facebook buy out any potential competition when it's gaining traction to further solidify their monopoly.
Maybe, but each of those competitors is essentially a fad, and Facebook forcing WhatsApp users to login via Facebook, to me seems more like a desperate move, than anything else.
I agree those acquisitions are IMO problematic, but I am not sure if they are strengthening Facebook, or killing it with a thousand cuts.
MSFT is nowhere near the behemoth it was, with Windows 10 being a minority compared to Android.
Or Blame MSN, the Instant Messenger, when Microsoft refused to admit defeat to the Smartphone platform.
So WhatsApp took over in EU ( I believe iMessages or SMS is still popular in France ), UK, SEA, Brazil, Hong Kong. Line in Japan and Taiwan, KakaoTalk in South Korea. Unsure about Australia and Canada. ( They use WhatsApp but not to the extent of countries listed above. )
And it is iMessages in US. I have no idea why that thing even took off. I have tried it a dozen times over the years and every few months it has problems with message delivery, people in group not receiving any messages. Poor Searching capabilities etc....
Telegram has gained usage but for different kind of reason. And I don't see it ever being used in the same manner as WhatsApp.
So most of my friends just clicked yes and shared their Data. It is important to note despite the increasing hostility against FB on HN, and in Tech Circle, most people in the world seem to have no problem with it. I don't see WhatsApp going away any time soon.
Edit: How does this data sharing fit in with GDPR in EU?
It actually doesn't fit at all. As long as "payment" for usage is based on agreement to share personal data it is illegally obtained consent. Either they are ignoring their lawyers or they should fire them.
EDPS Opinion 4/2017 on the Proposal for a Directive on certain aspects concerning contracts for the supply of digital content, 14 March 2017, p. 7.
"There might well be a market for personal data, just like there is, tragically, a market for live human organs, but that does not mean that we can or should give the market the blessing of legislation. One cannot monetize and subject a fundamental right to a simple commercial transaction, even if it is the individual concerned by the data who is a party to the transaction."
Where iMessage fails is when the device in the other end isn't an Apple device, or perhaps the contact previously used an iPhone, then fallback to SMS is troublesome.
Most of my family members will send an "SMS"... except it's via iMessage, but nobody knows or cares.
That'll explain why my mum can never ever get in touch with me.
My point being that I don't think many carriers care about text messaging, or phone calls. They sell you a fixed cost plan for those. The only thing that can really affect your price is data usage. If Google wants to deal with the hassle of managing a messaging platform, great, that's money saved on running a service that isn't making money anyway.
I'm getting strange looks every day when people hear I don't use the platform. It's horrendous.
I also really fear for the moment where I've to tell a nice girl I met that I don't use the platform, and that we should use X other platform instead. I can imagine that to be a letdown or to be weird. That's insane to me.
If their friendship relies on you installing an app on your phone, that's a very shallow friendship isn't it?
This argument doesn't make sense. You can't just ignore practical aspects entirely and justify it with a cheeky "if they're truly your friends they'll accommodate ahah".
Sure if I want to send a private message to a friend I don't care whether its via SMS or whatsapp, but if I'm in a group chat with 5 of my friends I won't send a transcript of the conversation to the one person who doesn't participate.
Or would you not want your friend to attend?
The choice is: do I want my friend to be included in my activities?
The choice is not: do I want my friend to be included and also send all of his data to some people I've never met?
Maybe it works for you, but not for most people.
I ring them up or SMS people.
I think your fear depends strongly on how open-minded/techie the girl is, though: I've used Signal to communicate with all of my Tinder contacts, but I will admit people remark on how it feels like a 'drug deal'.
It is possible, but difficult. You may lose access to some groups, but you can't have everything you want without some sacrifice.
Personally, I'm leaving WhatsApp. Yes, my family and friends will be a bit annoyed about the hassle of contacting me separately, but so be it.
And in a lot of countries you wouldn't lose access to "some groups" but you would lose access to ALL of them, from social, to every other group.
For me, ditching WhatsApp is altruistic, helping make it easier for others to socialise without giving up their privacy and security.
Would they really find that too difficult? The mind boggles.
It seems quite one-sided.
Hope some lawyers can stop this in its tracks. Otherwise Signal or some other service will get our business.
Obviously that doesn't stop (many, many...) just using it anyway. But Facebook will happily turn a blind eye to this unless their hand is forced.
When I try to tell parents how much Facebook learns about their kids (their friends, networks, and by merging data from different sources: habits, school, frequented locations, etc), they just roll their eyes. The response is "well everybody is tracking us, who cares".
All this even though there is Signal, which works JUST FINE.
I don't think politicians are going to solve the problem for us entirely, but a bunch of us have been working on technical solutions for decades and they aren't the entire answer either.
A little regulation combined with the right alternatives may go some way. I'm optimistic, though we have a very long road ahead.
What is really problematic is Facebook's monopoly for organizing any social activities or events. There are simply no alternatives especially among 30-50 year olds. Like the saying, “What parents were afraid video game would do to children, Facebook did to parents.”
There is no way to cut WhatsApp from casual/family use in Europe.
Schools, kindergartens, mechanics, contractors, plumbers everyone uses it.
The problem is that WhatsApp is the easiest method to share photos on mobile.
If you do not have WhatsApp your plumber can not send you a picture of pipes they fixed. How do you work around that?
Other parents are using WhatsApp for organizing out of school activities. Again, there is no way to go full Stallman here...
Beyond that, I will not entertain personal messages on whatsapp, only work related. Each new person will be greeted with "Do you mind awfully if we use Signal?" Does this come off as self-important? Sure. But it helps that I don't care too much if it does. I had the same attitude quitting FB and Twitter too, I just don't need people that much. I don't have a 100 friends anyway. I have like 15 that I really want to keep in touch with. Those 15 will understand.
Here in the UK I am literally required to be on WhatsApp to live in the building I currently live in. I have no choice in this matter. It's just the default messaging service for everyone.
If you join any kind of club? WhatsApp group. If you want to talk to someone about renting a room or apartment? WhatsApp chat. Live with housemates? WhatsApp group.
Plus the whole fact that if I deleted facebook, I would cut off contact with my friends and family (I can't expect like 25 people all to switch messaging services just for me). I would lose access to my thousand-dollar Oculus VR headset (I hate them so much for buying and linking facebook and Oculus, and hope a better competing standalone headset comes out).
And don't forget, you can't use an Oculus Quest with a blank facebook account you made just for that - they actually check that you're really using the account and force you to verify with photos and ID.
They are the absolute epitome of evil. Facebook, in many ways, but particularly in regard to Oculus, is a moustache-twirlingly, cartoonishly evil organization.
Could I just never buy an Oculus? Hopefully one day. But when not just your hobbies, but also your study and skillset and career prospects are right in that industry, you swallow your pride and make a damn facebook account.
I was also required to be in facebook groups for university classes back when I was a student. I HAD to be on facebook to get a degree. And for an amateur theatre group I joined.
Not to mention everything going on with misinformation about elections, vaccines, etcetera etcetera.
Some of this stuff is now moving to Discord, which is probably better than anything owned by facebook, but being better than facebook is a damn low bar, and Discord is still ultimately a for-profit corporation that would sell your soul if it made them a dollar.
This "just stop using it" attitude you always get on Hacker News and reddit about facebook and their various messaging platforms baffles me. Do you people not have lives? Jobs? Friends? Family? If you (in or out of a pandemic lockdown) want to do just about anything outside your house, or a whole bunch of things inside it, you need to use Facebook services.
It sucks and I'd love to stop supporting them but it's not like most of us have a realistic choice.
Unfortunately, seems that for many people on HN, HN is almost all their online social interaction, + tech people on signal/mastodon. Some don't seem to understand the concept of having family and friends who are not tech-savvy (or even hate tech). Or understand the concept of social capital.
It’s not “switching”, they can start using another app and continue using whatsapp. I’ve done it with my family at least twice during the last 12 years, it was not that difficult.
I'm so anti-Facebook now that it's a part of the way I identify myself, and for all that I can't delete it.
I maintain contact with a friend in Germany via Whatsapp or Facebook messenger, and in this case it would be possible to use email (which is not nearly as casual as firing off a message in your spare moments) or some other service but it doesn't solve the problem about friend groups.
I have friend groups around the world that my only way to participate in is Facebook. I believe moving abroad is in my future again, and Messenger is detestably the only real way to keep up with my friends back home. Leaving Facebook and Messenger is like leaving a bar I hate; I'm only here for the people and I wish we could go somewhere else.
(I don't know what to replace it with -- I mostly use Hangouts but it really feels like it's falling apart.)
I would suggest to check if they use Telegram/Line/Kakao/Hangouts, or suggest it to them. They are all closed source, but at least is the lesser evil?
People have the choice and use it. Not sure what is holding other circles back?
I haven't had WhatsApp in 4+ years and only rarely have to fall back to SMS.
And it is, and I sympathize, but you and your family will not die or starve. It's possible.
I'm fed up and will remove fb and wa from my phone, at least. It will be painful.
You will find WhatsApp contacts for any kind of communication, ordering a taxi, food, whatever.
Move out of WhatsApp, and it is going to be quite boring out in the Savannah.
WhatsApp is popular but not a monopoly. Not really something to celebrate since its main "competitor" and #1 instant messenger app is Facebook Messenger. Skype and Discord are also significant, and I expect iMessage to be important too.
It seems to me that the inability to easily message a group would be a bonus and not a loss!
Net neutrality not existing helps WhatsApp and other services here, one cell provider for example offers 1 year unlimited WhatsApp+Facebook including voice and video calls for a total (not monthly!) cost of 3USD on a prepaid chip. So you can't call, you can't write SMS, you can't use the internet but you can use WhatsApp for almost no cost. If you are on a budget this is a no brainer, for comparison - 5GB full internet access on the same chip is around 5$.
How are you going to break such a monopoly supported by providers? At this point it is something all providers do so if one starts offering it all other providers have a competitive advantage because everybody is already using WhatsApp. I am not sure if Facebook pays these providers, my guess is not - they are pushed into this by their competitors.
Net neutrality is very important to not let this happen. Similar deals exist for other popular services: Instagram, Youtube, TikTok, Spotify, Snapchat, Twitter, Netflix to name a few
Everything you said applies to the Indian subcontinent, SE Asia and South America which form the bulk of the WhatsApp user base as well but with lesser or no scrutiny whatsoever when compared to EU/UK.
It has to start somewhere. It is possible, but it takes will, and the acceptance that you will lose some contacts.
Personally I'm not really sure who's using WhatsApp, I know two or three WhatsApp users. They all use it because they have friends in other countries, mostly the Middle East.
If RCS actually becomes a thing, then I don't see much of a future for apps like WhatsApp.
I have no reason to believe it will ever take off: It's been dead in the water since 2012 or even earlier. It doesn't support end-to-end encryption. Carriers would like to charge for it.
This takes chat away from any single service.
- Contact Discovery
- Group chats
- History / Log
- Shared message order
- Communication beyond text (emojis / reactions / inline images)
- Ability to receive messages while offline
- No need for technical skills
I prefer something you can generate yourself, like encryption keys. That's the approach taken by yggdrasil (and cjdns before): generate an encryption key, map the public part to an IP address (there's almost enough bits in v6). Plus, it can easily be end-to-end encrypted.
Another plus is that you can generate as many as desired.
As for the protocol, Matrix is experimenting a bit with going p2p.
I have Telegram and Signal installed and was chatting with friends about moving over (finally) but it's painful especially right now.
With the right amount of incentive, force and numbers - tipping point could be reached but I can't see it happening in the current situation.
With my cynical hat on I imagine FB know this and timed this policy change accordingly.
If I need anything to be delivered to the house I need to use Whatsapp (gas, water, food, etc).
It’s a deal!
What could be considered instead, is building public utilities as a community.
So, while they are not yet public utilities, they should be turned into such.
I could close the window. But there is a hard deadline apparently: Feb 8th.
F* you Facebook. I'd rather stop using Whatsapp altogether.
Will start using Signal app, and for the transition period I'll keep an old smartphone with a throwaway Sim card and WhatsApp installed on it to keep updates from absolutely necessary groups I need to be part of.
In addition, I vaguely remember something about the acquisition of WhatsApp by Facebook to be only approved under condition that exactly this kind of data sharing would not happen.
Although I have my doubts about it happening soon, because the immediate impact it would have on real everyday life could be rather disastrous initially (something Facebook no doubt is aware of), the EU should probably declare/certify Facebook as a rogue/criminal organization. I just can't see it any other way, with Facebook's blatant disregard for anything but its own greedy interests.
If Facebook keeps pushing their "luck" like this, it should simply have all its assets on EU soil frozen. If eventually ruled a criminal organization, confiscated too. It would be very sad and unfortunate for any EU citizens working for the company, who no doubt have no say in Facebook's criminal enterprise. But the current status quo is becoming completely unacceptable.
History has plenty of lessons, about criminal organizations rising to (hard to defeat levels of) power. In many cases more than anything because both societies and governments/authorities failed to respond appropriately in time, when they still had a fair chance containing those (with far less effort).
All that is even without opening the can of worms that is the access US government agencies have to all of Facebook's data.
That is to say, both options are bad. Of course it is conceptually better to spread your information over many separate information silos so that your data is harder to correlate. That should not be the bar we aspire to though.
Of course, that requirement is exactly how they implement the user lock-in, so it's not going anywhere until legislation forces them to open up.
Services now just want some person info they can link to you and that actually scares me a little.
As both the client _and the server_ is open source though it's entirely possible to do things like Signal<->Matrix bridges.
If so, do you have other notable examples or is it insider information? ;-)
I know you’re not engaging in good faith but I’m adding this more for the benefit of onlookers
That was uncalled for. Please adjust your troll-detector and I'll adjust my wittiness dispenser ;-)
I am serious even when I'm joking, but I have never heard anyone saying that in full seriousness and also it feels like we should have known something: even the Russian secret service isn't perfect, in fact they've done some really big mistakes the last few years (in addition to their deliberate "mistakes" that they seemingly do to show off.)
Do you have a source for that? Telegram is built by the VKontakte guys who Putin famously fucked over.
99% of people outside of the HN bubble will just look at the dialog, click OK and carry on as normal.
I've used the Signal app and it's a bug fest. Telegram is not even encrypted by default and there is no option for encrypted groups.
This isn't necessarily true - that's basically the problem with monopolies and the point of anti-trust. The network effect really can entrench an inferior product.
MMS messages are hot garbage but they're still better than a lot of alternatives because everyone with a phone can receive them.
They could just run it as a paid service again? They had a minimal annual charge before the Facebook acquisition and probably could have raised that, instead Facebook made it "free" which should have been a warning sign of things to come.
Friendly reminder that encryption is more than E2E-encryption despite what certain people on HN think.
Telegram is encrypted point-to-point by default. Same as banks, modern mail etc.
Can we stop spreading technical misinformation now, please? There's plenty of other issues with Telegram and if we stop crying wolf over the neighbor's grand danois people might actually believe us when there is an actual wolf.
Only if you trust Facebook with their proprietary software.
Same for the Apple (and others') taxes in Ireland: While the Irish have been told by courts and the rest of Europe to collect the taxes they are owed, they just refuse to do so.
Also your understanding of the Apple case is a little out of whack too. There's a lot of subtlety to it, but basically the court ruled in Apple's favour on a technicality and there is a revised appeal pending.
The US sees FAANG as its babies and will protect them at all costs. It's up to the rest of the world to rein them in.
I suggest something that lets you use any client/platform you want, uses the same crypto primitives, and lets you choose what server/country your data is hosted in and change your mind any time, e.g. Matrix.
How many times do centralized services like VK, WhatsApp, Instagram, Apple, etc need to get co-opted into enforcing the will of private entities or governments before we learn our lesson?
The only network services this won't become true of at some point in the future are those with decentralized clients and servers obeying a common documented protocol.
The most mature app is Signal. It has the best usability to privacy trade-off.
Threema is the better choice if you don't mind not having a usable desktop client. For me that's a total deal breaker. It costs a one-time 5 bucks and it's totally worth that, if only it had so much as a usable web client (you need to open your phone and navigate two menus to enable the web client every time your phone changes WiFi or anything).
Wire is the better choice if you can sacrifice a tiny bit of usability for better privacy. It's sluggish is all, and (like Signal and most other services) uses AWS. Full disclosure: I was involved in a paid audit of Wire so I know more about the encryption protocol than I do about the other clients'.
Element/Matrix is the better choice if you'd rather make a trade-off towards privacy. Presumably the clients will mature, and between two years ago and one year ago they've made good progress. It's going less fast today but I still see things getting slowly better, and the decentralization works very well and is fairly easy to set up.
Briar and Jami have limitations that make them unusable for general-purpose use with your mom. Facebook and Google's messengers I didn't look at for obvious reasons. Keybase was never end to end encrypted to begin with and now Zoom bought them so they'll probably shut down soon (also, bugs).
Rocket.chat seems only aimed at business users.
You can also do OTR over any platform you like, and I still have to try this overlay encryption system on Android (I forgot its name).
Pick your poison...
Seeing as you mentioned Threema in the same post, I think I ought to step in here.
The encryption protocol for Threema is open source, using standard algorithms, not something they invented.
You, like I did for $my_org, can write your own software to send messages to devices running Threema using the Threema API.
Message contents are, of course, encrypted before submission to the API. Threema provide a number of SDKs to help you, but you are under no obligation to use them, you can write your own API submission client from scratch.
P.S. Not saying Wire is bad here. Wire is good. I use it alongside Threema myself for $other_uses. But I'm saying don't write off Threema under a false understanding that their encryption protocols are closed source.
Afaik Signal doesn't have an API or SDK, there only seem to be third party implementations for bots.
China can move fast for this reason too.
You have to decide if the long term consequences of a fast moving dictatorship are worth giving up the freedom of a sometimes messy democracy.
The internet is too important to herd all our services into control of dictators, no matter how benevolent.
We survived the dialup days for all the UX hell of many providers without giving AOL exclusive control in spite of them having the best UX.
I hope we can do the same with something as critically important as worldwide internet communications, but the marketing of dictators and their ability to move quickly is sometimes too hard to resist until it all backfires spectacularly.
I'm not buying it. Look at Matrix and tell me it's holding them back.
What's holding them back, perhaps, is not having a shitton of money in the bank like Signal, and they're actively supportive of decentralization which costs developer resources. Signal (or Matrix, for that matter) could not spend dev time on decentralization and just let the open source community do its thing. But that's not what Signal is doing, they're instead actively hostile towards it.
Or look at Telegram, they have an open network and third party clients. There also are unofficial clients that some people use. But what does the 99% use? The official clients. Signal's argument is that people might use insecure, unofficial clients. In practice, that's not what your average mom will do. (And it's not as if the official Signal app was audited either.)
I'm also not buying the "China can move faster" thing. They can be more oppressive without consequences, but is that really better? Does that "centralized dictatorship" allow them to be "more stable"? It's easy to say, and easy to see how indeed an oppressive government's decree can change things from one day to the next, but on that scale I think you need to consider more things than I am qualified to do before you can really say whether that is a superior system in a given situation.
I guess we conclude the same thing in the end, though, as you say "The internet is too important to herd all our services into control of dictators, no matter how benevolent."
The main argument against federated protocols playing well with security is that they have a harder time evolving. The example always given is email. Once Matrix has reached 500M users and several server implementations with less than 20% market share each, how can you be sure that it will keep improving contrary to email protocols? WhatsApp switched to E2EE in a matter of months, but most of our emails are still plaintext on the servers.
I like and use Matrix as a replacement for IRC, but I don't think they will catch up in terms of security with Signal in most practical situations (meaning, I want to send a message to a non-technical person). Both because of the fossilization associated with federated protocols (see above), and simply because developing a federated protocol is way harder and less forgiving than a centralized one.
Your argument about the "99% use" means first that you don't need centralization if it's already centralized in practice, and second that it brings very little benefit (benefits only 1% of users). At that point, the (possibly low) costs of decentralization are not worth it.
Do you mean better privacy than Signal? I was under the impression that Signal was significantly ahead of Wire in this regard with features like private groups and private contact discovery.
They pinky swear they always patch and never dump keys when they have the chance though.
It's more of a trust thing than something you can technically solve while still having features like real-time calling. Hence Facebook being objectionable despite having encryption.
Usability is slightly different, yes, and you might also trust Signal more because they do better PR (they say outright that they're from the USA and get money from Facebook, while Wire has devs in Berlin and claims to be a German company, while taking money from USA investors... which imo comes down to the same thing), or you might trust Wire more because they were actually audited at all.
I do use Signal and Telegram with some friends, I really find the difference between WA and Signal to be small. Telegram though is a lot nicer as a platform, it has some channels I'm part of and the desktop client is much better. But this comes with privacy/security trade-offs as mentioned in this thread.
I also use Element.io for some channels and groups. I find it surprisingly nice. I may set up a server myself soon.
Honestly, Signal is just super high quality when you take into account how privacy focused it is, I could easily replace WA with Signal, apart from "the network effect".
Indeed, if it has to go through my phone it's nigh unusable in my opinion. Wire and Element/Matrix handle this properly since they don't depend on a phone number in the first place (so no need to tie it to your phone), only Signal and Threema are somewhat of a pain in this regard since you need to link it, and only Threema absolutely requires your phone to be online all the time.
I ended up adding a paragraph about it anyhow but that's why, when starting to write the post, I didn't add Telegram to the list. There is also rocket.chat further down that I didn't mention on top, fwiw.
+ It usually just works
+ Reasonable desktop experience (needs to re-link once a month or so, but otherwise independent and not terrible UX), good mobile experience
- Metadata handled by Amazon
- Phone number is a hard requirement, and changing your phone number means re-connecting to everyone
- Funding comes from Facebook from what I recall, and even with large amounts of their $100M invested, their expenses are 8 times larger than their income.
+ At least it's a foundation and their finances are not a black box!
~ With a build from an untrusted third party, you can make it work on Androids where Google Play Services are intentionally firewalled off.
~ No audit of the clients. The protocol, sure, but most bugs aren't introduced on a protocol level.
These are only things they could solve, i.e. that others do better. That their contact discovery solution (where you upload your phone book) is broken isn't a downside because nobody else has that figured out either.
That's rather broad, which metadata are you thinking about? Especially given the sealed sender feature. Assuming you have access to everything at Amazon, what can you deduce about Signal users?
I can think of:
- IP address (you can tell that this IP address sent some Signal message)
- size of messages
- timestamps of messages (when they were received by an Amazon server)
IP address leaks a lot of information but there are still workarounds, and it seems reasonable if you're in a no-trust model (meaning Signal's servers wouldn't be any better than Amazon's). In any case, that's way less information than other mainstream messengers.
On the other hand, one distinguishing feature regarding metadata is groups: group membership is not known by anyone outside of the group if I understand correctly, contrary to WhatsApp (and others).
Not really. Original funding came from NGO sources such as the Open Tech Fund.
I know in theory that sounds "bad" but it's their service I guess? In the real world, centralised services seem to be the norm, eg. the postal service. They don't let random third parties take the mail and also mandate that you use their postage stamps to use their network, and only accept mail at their post boxes and mail offices. They don't let people inject mail into the vans along their postal routes, and don't forward mail that is from another delivery company, eg. DPD, DHL, FedEx.
I am not sure how else it'd work?? Surely it'd be like expecting the postal system to deliver FedEx's parcels, whilst not paying the postal system anything at all. That's unfeasible and unsustainable.
36C3 - The ecosystem is moving | https://www.youtube.com/watch?v=Nj3YFprqAr8
Once users are in an ecosystem it takes years to convince them to change and only after they hit a high discomfort tipping point.
If Signal ran short on funding and got bought by Google or Facebook all the tracking would kick in and most users would stay.
We must stop herding people into walled gardens. It is unethical and always backfires.
It is one BGP attack or compromised CDN admin away from compromising the masses.
This is one of the few points I agree with moxie on.
The only safe way to install software on an Android device requires you bootstrap trust via a system supplied package manager that enforces signature verification.
Lineage grabs unsigned binary blobs from a separate account with little accountability ( https://GitHub.com/themuppets ) to limit the blast radius of illegally distributing them and does not ship a package manager at all.
They expect degoogled users to disable system signature verification to use an alternative app store like F-droid. Lineage is great if you want to turn an old device into a game system or something, but it should not be used on a device you need to be able to trust.
The only Google-free option to have a signed system-verified app supply chain on Android is to use a ROM that bundles F-droid as a system trusted app manager like CalyxOS, RattlesnakeOS, or my projects, aosp-build, and #!os.
While F-Droid is far from perfect it is the only alternative path and Moxie refuses to allow apps to be distributed there because he openly admits he wants the usage metrics that come from Google/Apple distribution.
In effect, you either use Apple/Google ecosystems to run verified binaries, or compile yourself every week or two.
That's nice, but why should Moxie decide whether the Google Play Store is a trusted source for me?
If neither of these work for you, you are not wanted on the Signal network.
APKs do not bypass signature verification. Android still requires all apks to be signed, and only installs updates to apks that were signed by the same original key.
As for BGP attacks, the apk is distributed using TLS, so it needs more than that. That being said, CDN hacks are definitely an issue. But so is someone hacking their play store account or Google play itself.
You have to turn on untrusted sources to sideload an APK. It will verify a signature. The problem is the OS has no anchor to know if that signature is by the key of the party you expect, or that of a malicious adversary. Once you pin the wrong key it is like getting a bad HTTPS cert on first connection. All bets are off moving forward.
If you have downloaded the apk using http, you can still verify the signature before installing through other means, e.g. by comparing it to your friend's installed APK, using multiple ways to download the apk, etc. Can you do this with Google play?
You also can directly download APKs from Google Play using Aurora Store and compare them to the standalone APK in theory, though both points of verification are against the same entity so it only rules out MITM on a CDN etc.
Problem is, who has time to do this for every single update? How many would even do it for the initial install? Most technical sysadmins don't even verify ssh host fingerprints unless automated CA infra does it for them.
Even if someone does do this religiously, in practice I suspect they will put off valuable security patches until they can manually verify every new binary corresponds with the published source code to rule out supply chain attacks etc.
If two totally independent entities compiled and published signed binaries and their hashes matched (when signatures are stripped) then there is some automated consensus there are currently no obvious supply chain attacks in play to protect users at large who don't have the time or experience to compile and verify against the published apk by hand or manually compare fingerprints. F-droid could keep the Signal Foundation honest if they let them but instead they say "trust us, or compile your own binaries" as if no middle ground exists.
Meanwhile I can hand my wife a phone with F-Droid and Matrix and know she can update reasonably safely without any manual key verification steps by me or her. Even when the signing key of matrix.org on Google Play gets compromised the blast radius does not extend to F-droid.
The more reputable independent package managers building, signing, and distributing protocol compatible binaries the better. Makes it impractical for even a sophisticated adversary to gain control. Also lets users have the freedom to choose an easy automated install/update path for apps that respects their privacy by not requiring proprietary Google services.
Again, you only have to do this for the first install. After that, the local OS takes over and rejects any apk signed with a different key. It's a TOFU system.
Systems that expect humans to be key pinning anchors are always a bad plan.
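The trust-on-first-use behaviour and the independent-build comparison discussed in the comments above, modelled as an added example that is not from the thread or from any project it mentions. The APK-like zips are constructed; the `signer_cert` byte strings, `PinStore` and the package name are hypothetical stand-ins, and only v1-style signature files under `META-INF/` are modelled.

```python
import hashlib
import io
import zipfile

SIG_DIR = "META-INF/"  # v1 (JAR) signature files live under this prefix


def make_apk(files, signer_cert):
    """Build a constructed APK-like zip. signer_cert is a stand-in byte
    string for the signer's certificate, not a real X.509 structure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
        z.writestr(SIG_DIR + "CERT.RSA", signer_cert)
    return buf.getvalue()


def signer_fingerprint(apk):
    """SHA-256 of the (stand-in) signer certificate."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return hashlib.sha256(z.read(SIG_DIR + "CERT.RSA")).hexdigest()


def content_digest(apk):
    """Digest of every entry except the signature files, independent of
    entry order and zip timestamps, so two signers' builds can be compared."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        names = sorted(n for n in z.namelist() if not n.startswith(SIG_DIR))
        for name in names:
            h.update(name.encode() + b"\0")
            h.update(hashlib.sha256(z.read(name)).digest())
    return h.hexdigest()


def builds_agree(apks):
    """True when all builds match once signatures are stripped."""
    return len({content_digest(a) for a in apks}) == 1


class PinStore:
    """Trust on first use: the first signer seen for a package is pinned,
    and later installs must carry the same signer."""

    def __init__(self):
        self.pins = {}

    def install(self, package, apk, expected_fp=None):
        fp = signer_fingerprint(apk)
        pinned = self.pins.get(package)
        if pinned is None:
            # Without expected_fp there is no anchor: any signer is accepted.
            if expected_fp is not None and fp != expected_fp:
                return "rejected: first-install fingerprint mismatch"
            self.pins[package] = fp
            return "pinned"
        return "updated" if fp == pinned else "rejected: signer changed"


# Constructed sample builds of a hypothetical package.
PKG = "org.example.chat"
FILES = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex-v1"}
UPSTREAM = make_apk(FILES, b"upstream-cert")
# Same sources, different entry order, signed by a second party.
REBUILD = make_apk(dict(reversed(list(FILES.items()))), b"independent-store-cert")
# Different code, signed by a key nobody has vouched for.
LOOKALIKE = make_apk({**FILES, "classes.dex": b"dex-modified"}, b"unknown-cert")

if __name__ == "__main__":
    store = PinStore()
    print(store.install(PKG, LOOKALIKE))   # first install, no anchor
    print(store.install(PKG, UPSTREAM))    # genuine build now fails the pin
    print(builds_agree([UPSTREAM, REBUILD]), builds_agree([UPSTREAM, LOOKALIKE]))
```

Passing `expected_fp` stands for a fingerprint obtained through a second channel, or from a second builder whose stripped build agrees, which is the only point at which the first-install gap can be closed.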
So he admits he cares about usage metrics more than privacy, which makes trusting Signal a bit hard.
Is it technically prevented or just frowned upon? The former would be strange, because fixing a bug in your own private fork would also exclude you from the network.
With that thinking we would all be using AOL.
Making a robust flexible protocol that can support a bunch of different client and service implementations is hard, but that is how we ended up avoiding email and web browsing being controlled by a single entity.
Matrix is solving the hard problem of providing the core functionality of tools like Slack and Whatsapp without sacrificing user freedom or asking you to trust any one entity.
This is what ethical engineering looks like, and I don't mind tolerating occasional growing pains in exchange for freedom.
The argument makes no sense. I can't decide if Moxie is a double agent with street cred or honestly trying to do good here.
He is charismatic, highly intelligent, and lives by his own moral compass, rejecting FOSS ethos and silicon valley capitalist ethos alike.
This makes him especially dangerous.
Who's paying for my email@example.com and for the data (avatar pictures, transferred files, chat logs) associated with it ?
Will the Matrix foundation let me use their services forever and for free ?
Will there be discussion on HN in ten years about getting your own custom domain and own federated server ? For one account only ? Like we have for mail regularly ?
Maybe you started on AOL and later realized AOL is terrible. You could export your address book and move to a client/server you trust more and notify all your contacts from the new location.
This is the same story on Matrix and what I mean when I say it is a freedom respecting decentralized service.
You are also free to run your own DNS to a dedicated EMS instance then later point to your own self hosted server later much like the freedom you have using your own domain and MX records on Google Apps allowing you to later move to a new email provider without having to update your social graph to change your address.
On Signal, there is no such option. You use their clients and servers forever, or GTFO.
The whole point is in avoiding starting with an AOL like service. So far only big matrix providers are reliable and performant enough to be usable. This is @gmail.com all over again but with @matrix.org tld.
Except you won't be able to carry your messages from a tld to another when you decide to rely on another domain name (your own or someone else's).
How long before Matrix foundation sends messages telling users they are going to delete their rooms and messages if they don't log in once a year ? Or that they are now restricting your account to matrix.org rooms to "save operating costs" ?
The whole tech stack is free but operating costs are not.
I've been running a Matrix homeserver on a 1/1 VM for years without any issues. There is no downside to choosing a small server, you can still federate with everyone else. That's the entire point.
Start on a server, but your real identity is attached to a cryptographic key, not an e-mail-like identifier. That would allow you to move around, and maybe one day get rid of domain names altogether (using something like yggdrasil or tor to host and connect servers, for instance).
Signal offers no such choice.
Even if you don't do this, you can still reach contacts on the old server and muddle through.
If you switch from walled garden to walled garden like WhatsApp to signal there is no migration path at all.
You mean like SMS?
A better example would be HTTP/HTML/JS. Sure it is not perfect and protocol updates are hard and slow due to endless implementations but we got a working decentralized internet out of the deal that is very hard for any single party to take over now, so I call that worth it over a single party enforcing proprietary protocols like AOL having a total monopoly.
I lost about half of my contacts when migrating to Signal, do you really think I can make them install some random app that may or may not work?
They already complain that Signal isn't as polished as Whatsapp.
I lost many of my contacts moving to Matrix but earned a lot of new high value ones that share my worldview to continue building a decentralized censorship resistant internet.
This is kind of an unreasonable, one-sided stance. You expect everyone to simply follow you and your preferences with no regard for their preferences. Maybe you not respecting them and their worldview makes you the bad friend, not the other way around.
> I lost many of my contacts moving to Matrix but earned a lot of new high value ones that share my worldview
I don’t know if isolating yourself from anyone that doesn’t think and act the exact same way is a good thing.
I for one avoid Google products for personal communications. A lot of long term friends decided they only want to socialize online with Google products fully knowing it excludes me, in spite of easily accessible alternatives like Matrix and Jitsi.
They are not using Google products because it makes the world better, they are using it because they don't like change, and changing to maintain a friendship with me was not worth trying to use less privacy hostile communication mediums.
I for one would not exclusively socialize at a Brazilian steakhouse if I had a vegan friend in a given social circle.
I will go to great lengths to accommodate people that are acting on authentic ethical convictions but if someone is only doing something that conflicts with my ethical convictions because they can't be bothered to try something new, then they obviously don't value me, and I'll invest more time with people who do.
You should live your convictions and find people that either share them, or at least respect you enough to accommodate them.
I don't expect others to think or act like me, but I would expect my legitimate desire to maintain privacy in personal communication to be respected by anyone worth my time.
Plenty of friends that don't share my views put up with using some open tools to keep in touch with me. I likewise accommodate some of their preferences that don't make any sense to me. Everyone has a mix of deal breakers and things they can be flexible on in any type of human relationship.
Not worth the trouble for me and I don't even want to have accounts in these platforms or let them collect my conversations, but the path at least exists.
Yeah right. I am not RMS, with lock-downs, curfews, social distancing etc I'm already isolated enough so I'm not losing my remaining contacts for some moral high-ground.
Ideally we'd have a polished, decentralized app. Signal is a compromise. I don't think the drawbacks are identical:
Facebook's business model depends on violating the privacy of the users. The Signal Foundation has no such need.
The client is open source. I see no reason to call Signal "privacy hostile".
* You can't use signal on minority market share platforms even if they offer higher assurances of freedom, privacy, and security (RISC-V, OpenPOWER, etc.)
* Getting a phone number requires KYC in over 200 countries and carriers will happily sell you out as extensively documented and demonstrated by journalists buying owner info and GPS coordinates for any given phone numbers. Any service that hard requires a phone number is not prioritizing privacy.
* All metadata and TCP/IP metadata flows to a SPOF where signal employees, the ISP, or another entity inline could use network heuristics to deanonymize users, or dump the weak keys in SGX and get actual contact lists directly.
* If you want to use a privacy respecting signature verifying app store solution like F-Droid you are SOL. Moxie threatened to fight F-Droid or any other parties compiling/signing binaries from source code or doing forks or alternative implementations. He wishes to have complete control and the ability to rapidly push updates to all users quickly, be they benign or malicious. If someone coerces the signing key out of them, all signal conversations globally could be decrypted likely before anyone noticed.
I call all of this behaviour very privacy hostile. Published source code is moot if you are not allowed to use it or empower third parties like f-droid to hold it accountable.
Signal works on platforms such as GrapheneOS without the Google ecosystem.
You're right regarding the phone number. I consider it a necessary compromise. Look at the spam problem that email has.
Supporting tablets would allow us to chat and send files across devices, without resorting to apps like Messenger.
(Yes, I think this is correct: For anyone who is currently on WhatsApp or anything Facebook for that matter even Telegram is a huge improvement in most ways.)
This is also true with Whatsapp, but against their terms of service, so you risk getting banned, and built on reverse-engineering, plus you need an android VM of some sort.
I've been personally moving my family to Signal, since that provides the best UX and easier transition from Whatsapp. Once I'm comfortable enough with it, we'll likely transition to matrix.
What Matrix is missing is in my view:
- Client with simple UI, polished UX, and not just a smoking pot of features: FluffyChat is mostly there.
- Server of which I can guarantee the uptime. Dendrite should lower the resource usage for a ~5-100 accounts server, and decentralised identities would allow falling back to another server (such as a friend's).
We're mostly there, so I'm starting to prepare the switch, starting with my more technical friends, by setting a bridge up. Hopefully we can finally break that dependency on phone numbers (ideally, domain names as well with ) and move on to key-based IDs.
 Older bridge, unmaintained: https://github.com/matrix-hacks/matrix-puppet-signal
then there is the problem with push-notifications passing through either google or apple as well as device-backups which both hand over your metadata and probably message content.
imo telegram is in a better spot simply because it is not affiliated with the facebook/google ecosystem but in the end it does not make much of a difference due to aforementioned systematic deficiencies.
imo good reasons to cash in on the platform compatibility and convenience of telegram's cloud-messaging architecture.
> I thought basically no one used android tablets anyway
Tens of millions of Android tablets are sold every quarter.
I am mostly using Signal and will let my WhatsApp expire.
I also think matrix is great and would recommend setting up an account by installing element. I think growth in matrix will more fully undermine FB's position as well as Slack/etc.
I wonder how Out of curiosity:
Does anyone know how the new Whatsapp TOS differ from the Gmail TOS in regard to user data and privacy? How does the Facebook group use data differently than, say, Facebook or Microsoft?
Nah it wasn’t, I paid for WhatsApp originally and then there was a subscription model for a while.
I much prefer both those models, Facebook is just greedy.
Signal is another private entity with complete control of the servers and end client binaries. The fact they happen to open source the code is kind of moot since no services are allowed to write alternative implementations, no one can run their own servers or prove what code is running on Signals servers, nor can anyone even distribute reproducibly built binaries from said source code for accountability (e.g. f-droid).
There are so many better options. I suggest Element/Matrix which can even bridge to WhatsApp and Signal as needed thanks to community contributed bridges.
I thought Signal was open source, and the distributed binaries matched the source, and that it was allowed to run your own servers. Are the servers even open source?
Is there literature regarding the technical/conceptional bits of Element/Matrix? What is the tradeoff there?
This is sort of true. The source is published and you can build your own binary. But given that you can't distribute Signal outside of official stores and can't pin the version in those official stores (unless you turn off updates on your phone entirely), it's not actually practical to run an audited version, let alone to make your own changes to the code.
> and that it was allowed to run your own servers. Are the servers even open source?
EDIT: apparently there is now (purported) server source available, not that that means much when there's no way to even know which code a given server is running, let alone run a server with different code. They claim that their E2E encryption means control of their servers doesn't matter, but their protocol analyses don't actually think about what an attacker might be able to do at the server level, IME.
> Is there literature regarding the technical/conceptional bits of Element/Matrix? What is the tradeoff there?
It uses either the same ratchet protocol as Signal or a very similar one. E2E for group chats is more complicated but I don't think you're giving up anything.
The signal server source code is open source now in theory, you are just not permitted to run your own server and have it join the Signal network. We have to take their word for it that they are running the code they publish.
They are open source. Please see github.
We also only assume the published Signal binaries match the published source code. Moxie and team have exclusive control of the signing keys and Moxie said he will fight any third parties like F-droid doing from-source signed binaries outside the Google/apple ecosystems in spite of the accountability and removed SPOF it would offer.
If you choose to use a non Google/Apple platform or a freedom-respecting architecture like RISC-V or OpenPOWER you don't get to be on the Signal network.
This eliminates me from being able to use Signal. Talked to moxie at length about this but in the end he repeatedly admits he has no problem cutting off the few to enforce his vision for the many. He also frequently implies he sees himself as the only entity worthy of running the world's communications systems.
He is a smart guy and means well, but he is naive. Benevolent dictators are always replaced by less benevolent ones eventually. There is nothing stopping what happened to WhatsApp happening to Signal. You also have to trust the pinky swear offered by the Signal Foundation that they won't dump the keys from their SGX enclaves using any of a myriad of design flaws, and that they, their ISP, datacenters, and any three letter orgs tapping them will all throw away all the TCP/IP level metadata that centrally flows to their systems.
With Matrix OTOH, if those that host a given set of binaries/servers go evil or we simply want control of our metadata for sensitive channels, we can just use one of the alternative independent clients or a fork, switch to our own server or one run in a country or by an entity we trust more. We also still will be able to reach our social graph, just like switching an email provider.
Democratic control is messy, but I will take it over a benevolent dictator any day.
As for documentation, matrix.org documents the API and design choices of Matrix extensively and they welcome people making alternative clients and bridges to other networks because they believe the only safe and sustainable network services are open ones.
Signal is simply best because it works as SMS client AND encrypted messages client. Best UI/UX, one app to rule them all, consistent behaviour, not owned by FAAMG.
I think that's quite a misstatement, but it is indeed a centralized service.
The founder of VK had good intentions and was willing to protect his users too. The Russian government replaced him with someone more ethically flexible.
The founders of WhatsApp clearly never intended it to go in the direction it did post acquisition, but it was not their call.
Gathering all users to a single choke point on a single client on a single server infra is irresponsible and unsustainable. We have been here before.
It's an email client (with clever, seamless encryption based on gpg) with a WhatsApp style interface. There's a desktop client too.
I've only ever managed to get one person to use it, but goodness it'd be nice to get rid of WhatsApp.
Of course, email goes between servers and then you definitely want to ensure the encryption is solid (it often isn't, so PGP is definitely good). I'm just saying that Wire/Signal/Threema/etc. having better encryption is in my opinion only important when you use Wire's/Signal's/Threema's servers. If you can and do host your own, especially if you host it at home, then in practice there is no difference.
Since most people don't do that, Signal/Wire/Threema/Matrix are of course the better options than PGP+email, but PGP+email is still an improvement over the status quo.
The trade-off is that you then don't have perfect forward secrecy.
The other feature is deniability: having an encrypted message and its decryption doesn’t give you any more information than a screenshot of the message in Signal. There isn’t a way for the encrypted message to prove that it was legitimate as the previous keys are revealed in a way that means anyone sniffing the traffic could make a message encrypted with that key.
By the way, do you know if the one receiving the messages can force messages that are marked as "disappearing" to be kept?
See also, this article about doing the same for email: https://blog.cryptographyengineering.com/2020/11/16/ok-googl...
Via the use of MACs, yes. I never said otherwise. What I said before still holds, as the recipient you can't prove to others that you indeed received a message by a certain someone rather than forged it yourself to incriminate them.
> See also, this article about doing the same for email: https://blog.cryptographyengineering.com/2020/11/16/ok-googl...
The "Marisa" person in the comments is a friend of mine from IRC and I agree 100% with what she said.
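The deniability argument made in the comments above (a MAC computed with a key both parties hold convinces the recipient but proves nothing to a third party), shown as an added example that is not part of any commenter's post. The derivation label, party names and messages are constructed for the demo, and a random value stands in for the output of the key agreement.

```python
import hashlib
import hmac
import os


def derive_mac_key(shared_secret: bytes) -> bytes:
    """Both parties derive the same MAC key from the session's shared secret."""
    # The label below is a constructed value for this demo.
    return hmac.new(shared_secret, b"constructed-demo-mac-key", hashlib.sha256).digest()


def authenticate(mac_key: bytes, sender: str, body: str) -> bytes:
    """Tag a message as coming from `sender`; only the shared key is needed."""
    data = sender.encode() + b"\x00" + body.encode()
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def verify(mac_key: bytes, sender: str, body: str, tag: bytes) -> bool:
    """Constant-time check that `tag` matches the claimed sender and body."""
    return hmac.compare_digest(authenticate(mac_key, sender, body), tag)


def demo() -> dict:
    shared_secret = os.urandom(32)  # assumption: stands in for key agreement output
    alice_key = derive_mac_key(shared_secret)
    bob_key = derive_mac_key(shared_secret)  # Bob holds an identical key

    # A message Alice really sent (constructed sample text).
    real_body = "See you at 8"
    real_tag = authenticate(alice_key, "alice", real_body)

    # A message Bob fabricates himself and attributes to Alice.
    forged_body = "I never sent this"
    forged_tag = authenticate(bob_key, "alice", forged_body)

    # Someone without the session key cannot produce an acceptable tag.
    outsider_tag = authenticate(derive_mac_key(os.urandom(32)), "alice", real_body)

    return {
        "bob_accepts_real": verify(bob_key, "alice", real_body, real_tag),
        "tampering_rejected": not verify(bob_key, "alice", real_body + "!", real_tag),
        "outsider_rejected": not verify(bob_key, "alice", real_body, outsider_tag),
        # The fabricated message passes the same check as the real one, so a
        # valid tag shown to a third party does not identify who wrote it.
        "recipient_forgery_verifies": verify(bob_key, "alice", forged_body, forged_tag),
    }


if __name__ == "__main__":
    print(demo())
```

All four results are true: the recipient gets integrity and authenticity in transit, while a transcript plus its tags cannot distinguish the sender's messages from ones the recipient made up.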
As far as I understand, because of GDPR, the sharing of data between Facebook companies is limited. This is different from the US terms.
UK/IE/RO/MD/UA/RU/etc - cheap and fast delivery :D
I can't do this because everyone else I know uses Whatsapp.
Whatsapp helpfully gives you a transition period during which you can try out both ;)