chat.privacytools.io / Riot tracking issue

[Mikaela]

chat.privacytools.io/selfhosted instance issues

Check boxes as they are fixed on PTIO

• Host Dimension instead of relying on vector.im
  • upstream issue letting clients know about it: integrations suggested by homeserver element-hq/element-web#6430
    • upstream spec and sdk change allowing this has been merged MSC1957: Integration manager discovery matrix-org/matrix-spec-proposals#1957 & Support homeserver-configured integration managers matrix-org/matrix-react-sdk#3340
• Host identity server OR set it to chat.privacytools.io (same as homeserver) so it won't work.
  • https://github.com/matrix-org/matrix-doc/blob/6e8739c989172c351a6ead66f073b413f6340326/api/client-server/login.yaml#L147-L148 ?
  • Update 10/7: I don't know if our fix actually works currently so I'm unchecking this box, see: https://github.com/privacytoolsIO/privacytools.io/issues/1049#issuecomment-539269846
• Host Jitsi Meet
  • upstream: Jitsi concerns element-hq/element-web#7711 WONTFIX Wishlist: self-hosted jitsi server element-hq/element-web#6930

Upstream privacy issues

• Upstream Privacy Tracker which seems to have different priorities and miss some issues below, notably Tor and actually removing removed messages from the database.

major

Privacy issues that I think prevent PTIO listing:

• matrix-org/matrix-doc#447 - history is stored forever, there is no way to limit how much or how long
  • Signal & Wire: messages aren't stored on server, clients have option how many old messages to keep + both also support disappearing/timed/exploding messages.
• When we redact events, any mxc content they refer to should be redacted too (SYN-216) matrix-org/synapse#1263 - uploaded media/files aren't removed when they are removed in Riot
• We need to actually censor redactions from the DB (SYN-284) matrix-org/synapse#1287 - actually removing removed messages from the database fixed
• Feature: Private Contact Discovery (discovery without servers learning your contacts list) element-hq/element-web#7649 / MSC2134: Identity Hash Lookups matrix-org/matrix-spec-proposals#2134 - private contact discovery
  I am not sure which topic to put this under, but Signal & Wire both have this.
• Please don't use CloudFlare. matrix-org/matrix.org#342 - Matrix.org uses Cloudflare (issue closed without disabling Cloudflare)
  • See also https://github.com/privacytoolsIO/privacytools.io/issues/374. I understand this to mean that Cloudflare can one way or another read all traffic going through Matrix.org including IRC users who have never even heard of Matrix if someone happens to use Matrix on the same IRC channel? Matrix.org is quite big compared to an individual Cloudflaring their IRC client, I have heard a number 1500 connections associated with a I-line request from third party bridge admin.
  • Wire and Signal [citation needed] apparently have support pages behind Cloudflare Please stop using CloudFlare wireapp/wire-webapp#5716.

major privacy issues also with selfhosting

I consider these as major due to Cloudflare as the traffic to integration manager and identity server would go through it and so would all messages assuming the user federated with Matrix.org. These may be irrelevant to user who is on Matrix.org.

• Store Integration Manager preferences in account data and allow user to change them somewhere sensible element-hq/element-web#10161 - Store Integration Manager preferences in account data and allow user to change them somewhere sensible
• Present an aggregated terms of service dialogue at registration if possible element-hq/element-web#10167 - Present an aggregated terms of service dialogue at registration if possible
• Prompt to accept integration manager policies on registration element-hq/element-web#10087 - Prompt to accept integration manager policies on registration
• Store identity server in Account Data and support choosing identity server integration in User Settings element-hq/element-web#10094 - Store identity server in Account Data and support choosing identity server integration in User Settings
• Login/register: allow to set home server and identity server urls element-hq/element-android#20 - Identity server is hardcoded in RiotX (Android client rewrite), the issue is closed and no one has commented on identity server since it was pointed out on 2019-07-09.

medium

I need a better word here, but these would be issues that also affect other recommended instant messengers and may not be a blocker.

• redacted matrix-org/synapse#4565 - metadata resistance
  • to-read for me, is this similar like Wire server knows connections between users, or is this a more serious one?*

nice to have

• Options to strip EXIF metadata from media uploads. element-hq/element-web#4426 - riot does not scrub exif data from upload
  • Discord apparently does, Signal and Wire do.
• Proxy support element-hq/riot-meta#287 - Proxy/Tor support meta issue
  • I cannot find option to enable Tor use either in Signal or Wire, Conversations would have it
  • https://github.com/vector-im/riot-web/issues/3320 - desktop
  • Support connecting via SOCKS proxy (Tor) element-hq/riot-android#1234 - Android
  • TOR needs to be integrated in IOS version because TOR is BROKEN with IOS element-hq/element-ios#1085 - iOS

unsorted / note

• [Request] Allow account deletion matrix-org/synapse#1941 - allow account deletion, not just deactivation
  • I am not sure where exactly to put this either.
• https://github.com/vector-im/riot-web/issues/7757 - Open source the integrations server WONTFIX
• https://github.com/vector-im/riot-web/issues/6739 - stickers aren't encrypted
• Less technical users may register on matrix.org unknowingly by default
  • Show users that they're logging into matrix.org on the default login screen element-hq/element-ios#2614
  • Show users that they're logging into matrix.org on the default login screen element-hq/element-android#450
  • Show users that they're logging into matrix.org on the default login screen element-hq/riot-android#3238

Research papers

• Notes on privacy and data collection of Matrix.org
• Notes on privacy and data collection of Matrix.org, Part 2

---

These issues are mostly took from privacytoolsIO/privacytools.io#840, if you are aware of reported issues that aren't listed here, please do comment them and someone from the team will edit this issue and add them.

I was personally missing a list of things that can be done today to avoid the privacy issues that Matrix/Riot currently has and this may be helpful while considering the delisting (#1047).

[Mikaela]

@lampholder Could you also comment on these issues?

(Good night, it's 02 AM for me)

[lampholder]

Sorry I missed this earlier - I will take a look and come back with responses as soon as I can.

[lampholder]

Hi @Mikaela,

Sorry I'm only just getting to this now. Can I check what this list of issues represents to you?

In the interests of providing some hopefully useful feedback now, I'm going to assume that this list represents the set of issues you would like to see addressed in Riot/Matrix for you to be wholly comfortable with its inclusion in privacytools' set of recommended services. I'll assume that they aren't all equally weighted, but I won't worry about relative priorities for now.

First up - the ones I can handle off the top of my head. These issues are part of the current privacy work:

• Store Integration Manager preferences in account data and allow user to change them somewhere sensible element-hq/element-web#10161 - Store Integration Manager preferences in account data and allow user to change them somewhere sensible
• Present an aggregated terms of service dialogue at registration if possible element-hq/element-web#10167 - Present an aggregated terms of service dialogue at registration if possible
• Prompt to accept integration manager policies on registration element-hq/element-web#10087 - Prompt to accept integration manager policies on registration
• Store identity server in Account Data and support choosing identity server integration in User Settings element-hq/element-web#10094 - Store identity server in Account Data and support choosing identity server integration in User Settings

As for open sourcing the scalar integration manager (vector-im/riot-web#7757 - Open source the integrations server WONTFIX) we have no plan to do this today, but we are making it clearer and easier for users to control which Integrations Manager they use, and there's also Dimension which can be used as an open source alternative. Hopefully this mitigates our not having a plan to open source Scalar?

Some of the others weren't high on my agenda - I wouldn't want to consider exif stripping, private contact discovery and sticker encryption until we've got cross-signing working in Riot so that E2E encryption is finally as user friendly as it needs to be. If they're blockers to your recommending or service, though, I can make sure that is at least kept in mind as we schedule future work.

The remaining items I'll have to check the status on tomorrow (it's gotten a little later than I planned). I'll be in touch ASAP with an update.

[Mikaela]

In the interests of providing some hopefully useful feedback now, I'm going to assume that this list represents the set of issues you would like to see addressed in Riot/Matrix for you to be wholly comfortable with its inclusion in privacytools' set of recommended services. I'll assume that they aren't all equally weighted, but I won't worry about relative priorities for now.

You are correct, however I wouldn't consider some issues like the exif metadata scrubbing essential for listing Riot as as far as I am aware nothing else is doing that either. The ordering could be considered random as it's based on what I picked from other issues and then tried to search for issues based on other discussions, so towards the end it's in order of newest reported on your issue tracker.

we are making it clearer and easier for users to control which Integrations Manager they use, and there's also Dimension which can be used as an open source alternative. Hopefully this mitigates our not having a plan to open source Scalar?

I find it acceptable, especially with open source alternative existing, as opposed to the current situation where an average user doesn't even know they are using Scalar. my previous comment at prism-break

Some of the others weren't high on my agenda

In my opinion the most important issue from those I listed would be actually removing removals (matrix-org/synapse#1287) and allowing data to expire (https://github.com/matrix-org/matrix-doc/issues/447). (As you can see I started replying without reading your comment entirely at first)

There are also the issues raised by muppeth, do you have an issue number for them?

The remaining items I'll have to check the status on tomorrow (it's gotten a little later than I planned). I'll be in touch ASAP with an update.

Thank you in advance and good night. I will try to sort the list better tomorrow.

[ggg27]

This is very interesting ( +1 )

Just to be clear, Synapse isn't the only way to implement Matrix.
There are also homeserver's like Ruma.

Matrix is just a protocol, lots of ways to use it!

---

Plus, you can always change your homeserver for most clients.
Therefore it may not be necessary for privacytools.io to host a full client like Riot-Web.
- not to say it wouldn't be convenient tho.

[Mikaela]

I think I got the list in a more clear order now.

---

Just to be clear, Synapse isn't the only way to implement Matrix.
There are also homeserver's like Ruma.

Has Ruma had stable releases yet? While it could fix some issues with Synapse, I don't think it helps very much with some issues like matrix-org/synapse#1287 while the federation includes Synapses that are doing that.

Plus, you can always change your homeserver for most clients.

Yes, however identity server is currently not changeable after logging in (and yesterday I missed it entirely in login, if it even was there in RiotX) and currently integration server existing is not even told to the user being an option only a selfhoster can change.

[afonari]

ISs can and should be blocked if privacy is desired. IS is not needed for matrix chat client to function correctly (I think). See also: LiMium/mini-vector-android#26.

[afonari]

Yes, however identity server is currently not changeable after logging in (and yesterday I missed it entirely in login, if it even was there in RiotX)

element-hq/element-android#20

they don't want people to change it.

[Mikaela]

Thanks, there we have another issue to add to this tracking.

[ghbjklhv1]

I'm a Fractal and Weechat fan. Although, I do use Riot.im for my aliases.

Although, I cannot confirm. But it seems like they allow you to change identity servers.

Edit: Also, what is IS?

[ghbjklhv1]

Plus, you can always change your homeserver for most clients.

I know, many users dislike them; However, even Purism seems to have acknowledged web based apps are no longer a first priority: https://shop.puri.sm/librem-one-thanks/

[lampholder]

they don't want people to change it.

Hey - I just wanted to highlight that the ability to change Identity Servers after having logged in is on the roadmap for the current privacy sprint, across all clients. If you would like to see the plan and track its progress you can follow along here: https://vector-im.github.io/feature-dashboard/#/plan?label=privacy-sprint&repo=vector-im%2Friot-web&repo=vector-im%2Friot-ios&repo=vector-im%2Friot-android&repo=vector-im%2FriotX-android&repo=matrix-org%2Fmatrix-doc&repo=matrix-org%2Fsydent

(this tool just pulls issues with the same labels from across they myriad repos this work spans; you can find all the same stuff by searching each github repo manually).

[afonari]

Edit: Also, what is IS?

identity server. Sorry shouldn't have written short right away.

to change Identity Servers after having logged

Why not at login? As it is now possible in the riot android (not riotx)?

[lampholder]

Why not at login? As it is now possible in the riot android (not riotx)?

I'm hoping we can get rid of references to identity servers at login entirely, and just have them configured by the user in user settings after they've logged in (so identity server is a configurable property of the account, rather than the session).

Once the current work has landed, no data will be processed by any identity server until the user has explicitly accepted the terms and conditions, so from a data processing standing I think it's fine to drop it from registration/login. I think it feels a lot more natural from an average user's perspective, too.

This does present a slightly tricky UX problem of how we handle the idea of a 'default' identity server, though I think that's fine, too - default identity servers can be set at the client level or in the .well-known, and all that will mean is that the default identity server is the one that your client will prompt you to accept the terms and conditions of if and when you try and do something identity-servery (e.g. invite by email or publicly link your mxid with your email).

We might want to maintain separate identity server choice states for this - i.e. "don't use an identity server" as distinct from "this is the identity server I would use, but I won't send it any data because I haven't accepted its terms and conditions". Even though they're materially the same (from a data processing perspective), it would be nice for people to feel like they're not at risk of accidentally accepting the terms and conditions of an identity server they don't want to use.