Don't allow multiple people in DMs

[opusforlife2]

Description

I just discovered the horrifying fact that you can invite people to a 1:1 chat. I tested this just now and the 3rd user was indeed able to join after an invite. Why the hell is this allowed by the client/server/spec?

I have never seen this behaviour in any messaging service. This completely ruins the sanctity of personal chats between people, because a 1:1 chat can be converted to a group chat at any point, exposing the chat history.

This means that one can have no expectation of privacy on Matrix, and will always have to be guarded in conversations, because there is the (major or minor, depending on the persons involved) chance that the other user can invite a 3rd party to the chat and let them see the entire chat history between the first 2 users.

There is also the chance that a non-tech-savvy user mistakenly invites a 3rd user to the chat, resulting in the same problem.

Steps to reproduce

• Start a chat with a single user
• Create a long chat history over a long time period, including several private/personal messages.
• Invite a 3rd user and watch them join, exposing the entire chat history in the process irrevocably.

Describe how what happens differs from what you expected.

Neither user in a 1:1 chat should be able to invite another user. This functionality should be disabled for all 1:1 chats.

If a user creates a group chat by inviting at least 2 people, then the invite function could stay enabled.

Version information

• Platform: web

For the web app:

• URL: app.element.io (Synapse 1.33.2)

[opusforlife2]

This is allowed on Element Android as well.

[t3chguy]

This is intentional, for bots, personal assistants, etc.
It is a social issue, not a technical one.
You are both admins of the 1:1 room, you can do whatever you please.

Element uses the trusted_private_chat preset from the spec https://matrix.org/docs/spec/client_server/r0.6.1#post-matrix-client-r0-createroom

Neither user in a 1:1 chat should be able to invite another user. This functionality should be disabled for all 1:1 chats.

This can be done if both peers agree to it, by setting the invite permission to Admin and then the peers changing their power level to below Admin.

[t3chguy]

This is allowed on Element Android as well.

Yup, an individual client forbidding it would be brittle given that a user could use a malicious client/API call to do it anyway.

[opusforlife2]

This can be done if both peers agree to it, by setting the invite permission to Admin and then the peers changing their power level to below Admin.

Imagine me trying to get everyone in my social circle (consisting of mostly non-tech-savvy Whatsapp users) to follow these instructions, and them having to do this for their social circles as well. 😓

The point is, Matrix aspires to be the default messaging solution for everyone, doesn't it? This is a glaring UX issue for most people. I have to admit it is so for me as well.

Possible solution: A user should be able to create a "non-inviteable" room with another user (and it should be the default option, too) where such functionality is disabled.

If a couple of tech-savvy users want to add bots to their chat, then there should be an advanced chat creation option just for them.

[t3chguy]

Possible solution: A user should be able to create a "non-inviteable" room with another user (and it should be the default option, too) where such functionality is disabled.

This is already possible.

1. Create a room
2. Change permission to invite to Admin
3. Invite your friend
4. Drop yourself from Admin

[t3chguy]

If a couple of tech-savvy users want to add bots to their chat, then there should be an advanced chat creation option just for them.

What if you realise you want to have a bot after a few months of a DM existing? then you're stuck and have to throw your history away?

[opusforlife2]

This is already possible.

I see. I think the opposite of the steps you've listed (where you promote yourself to admin, invite your friend and then make them an admin) could be the workflow for a tech-savvy user to create a bot-friendly room. But the default should still be that both users aren't admins and hence cannot invite anyone.

What if you realise you want to have a bot after a few months of a DM existing? then you're stuck and have to throw your history away?

This bot functionality seems to be a sticking point. Does the Matrix protocol differentiate between users and bots?

If so, one solution is that only bots could be invite-able.

If not, another idea is that it should take the consent of both users in a 1:1 chat before an invite is sent to a 3rd user/bot/whatever. So even if one participant does this out of ignorance or malice, the other user has the power to prevent it. How's that?

[t3chguy]

where you promote yourself to admin

You can't promote yourself to admin, only an admin can do that, if there are no admins in the room then it is simply not possible.

Does the Matrix protocol differentiate between users and bots?

Nope, and it doesn't have to be just bots, personal assistants are also a like usecase.

If so, one solution is that only bots could be invite-able.

Bots would still be exploitable to destroy your idea of privacy though

If not, another idea is that it should take the consent of both users in a 1:1 chat before an invite is sent to a 3rd user/bot/whatever. So even if one participant does this out of ignorance or malice, the other user has the power to prevent it. How's that?

That would be a suggestion for https://github.com/matrix-org/matrix-doc/ - not an individual Matrix client implementation

[opusforlife2]

You can't promote yourself to admin, only an admin can do that, if there are no admins in the room then it is simply not possible.

The direct chat creation UI could show you an option to choose between staying an Admin (advanced option) and becoming a whatever-is-below-Admin (default selected option), with the consequences that entails.

Nope, and it doesn't have to be just bots, personal assistants are also a like usecase.

Okay, that's a dead end, then. Thanks for clarifying.

Bots would still be exploitable to destroy your idea of privacy though

Yeah, now that I think about it, not every user will make themselves completely aware of the consequences of every bot they invite.

That would be a suggestion for https://github.com/matrix-org/matrix-doc/ - not an individual Matrix client implementation

Sure, I'll open an issue there. But I hope you'll consider changing this at the app level as well, because MSCs seem to take ages to be merged, and it's not like Element has always been strict about including only spec-included functionality...

[t3chguy]

Changing it app-level would be exploitable, it'd prevent people being invited from Element but other clients/older versions would still be able to invite, which would give a false sense of security, also its basically unchangeable for existing 1:1s given that both Admins would have to perform actions.

Have left it in X-Needs-Product for the product team to review it

[opusforlife2]

Oh. Okay. What about server-level?