PS. With all the Discord stuff, in case you wonder why you never see me promoting Matrix, it’s not because it’s a usability nightmare (which it is) but because it’s made by the kind of people who’d be happy to call ICE a customer.

@freediverx @sotolf @aral @element @LukefromDC

AIUI, Signal rely on third-party hosting (AWS I think), so they don't control where their servers are located.

@freediverx @sotolf @aral @element @LukefromDC

To some extent, as long as the encryption works, that doesn't matter. I don't want to write them an instruction manual, but if a hostile US government really wanted to break the privacy of Signal Chats, its easier approach would be to use the fact that the Google Play Store and the Apple Store are hosted on US territory to sneak a backdoor into the client apps...

@freediverx @sotolf @aral @element @LukefromDC

... It'd probably only last a few hours before someone compiling from source themselves noticed that the builds on the Play Store and the Apple Store were not reproducible, but those few hours would be enough to harvest a *lot* of data.

@freediverx @sotolf @aral @element @LukefromDC

They have, but will they faithfully promise a customer to host stuff only on those servers, and will they be 100% reliable in sticking to that promise?

@zzt @Tamtam @aral There are some people working on adding E2EE to Mastodon, but, as far as I read about it, it will be like having Signal but decentralised and with better UX but lacking voice/video calls (so, Mastodon but your instance owner can't read your private messages and you don't need to verify codes or qr codes like Signal).

They are taking their time because once deployed it will be hard to fix things. I know that from experience developing megajs!!! I wish they didn't use RSA — non-standard RSA even, is a pain in the ass to work with — for authentication. Why not Ed25519 which has smaller keys or a post-quantum scheme?! I wish Matrix development was done like Mastodon's E2EE.

@sotolf @only_ohm @aral @Element @LukefromDC
It's alarming how much data infrastructure is controlled by Bezos. Europeans should be looking to create their own competing infrastructures instead of wasting money on the AI boondoggle.

@kravietz you've gone a little far in not understanding the point, mate

@aral @element

@mpsi@toot.lv @aral@mastodon.ar.al I am not an "abolish the police guy", but neither a "let's share everything with the police guy". Least of all an "I've got nothing to hide" guy.

Would you be comfortable with a camera in your home always connected to the local police station? No? Why? Aren't you supposed to collaborate with the police?

That's where I draw the line.

Matrix is my main mean of communication with the world, through my self-hosted server and a bunch of bridges.

Knowing that Element sells my data to whoever they like doesn't make me comfortable. It's exactly the same as "the always-connnected camera in my home". Which sounds as Orwellian as it gets btw. And that's why I don't use Element as a client, and that's why I self-host my own server. Hoping that there are no jerks in my supply chain. But, again, my security is only as strong as the weakest link. So if any of my contacts uses Element with an account on matrix.org it doesn't really help much.

(This is also something worth noting btw: I don't trust the folks at Element a little bit, but Matrix is still an open protocol, so you can still use it if you trust your server, your client and the whole supply chain of dependencies).

About "democratic control": Element's ethics statement is as generic and dangerous as it gets.

• We don’t sell to governments who are under economic sanctions by the UK/EU/US governments: does it include Israel? Because given our legitimate humanitarian initiatives I wouldn't feel comfortable if any of my communications are sold to the Israeli government. Do I even have an "opt out" option?

• _ We don’t sell to organisations who are committing human rights abuses (i.e. abusive organisations within a government, even if the wider government itself isn’t in scope)_: what's their position on ICE then? And, if they want to stop selling data to them now, what about all the data they've already sold?

You see the slippery slope of creating blacklists of "people I don't sell data to"? You have no guarantee of the good intentions of anyone not on that list. You have no guarantee that everyone within those "business partners" have good intentions. You have no guarantee that they will always have good intentions. You have no guarantee of the usage they'll make of the data you already sold to them once they turn rogue. You have no guarantee of how your data gets used, and what data is used for what. And, once your data is out there, you have no guarantee that ICE or someone else won't go rogue and resell it.

Btw @element@mastodon.matrix.org could you elaborate a bit more on the value of the "encrypted data" that you sell to governments and police forces? Vodozemac is supposed to be a quite secure E2EE implementation - by your own admission, and by admission of several independent auditors. So I see three possible scenarios:

1. There's a market for bulk buyers of encrypted data for "store now, decrypt later" attacks
2. You also sniff and share keys for decryption
3. You store and share unencrypted content before it gets through Vodozemac

Needless to say, hypotheses 2 and 3 would be huge stains on your reputation - enough to jeopardize any claims of being a "secure and private client".

@outfrost@mastodon.social

Fediverse is a global network, you have to account for cultural differences. So you have to explain your point in a way that is globally understandable rather than expect everyone will be duly researching your prejudices.

A few years ago some fanatic was compulsively throwing "ACAB" into my face as if it explained everything and was very surprised why I don't respond the way they expected. I simply did not understand what that means. I had to look it up but still, it made little sense. Came out they were from the US and it had some special meaning there due to widespread police violence there - I kind of feel sorry, but again, not my problem.

@aral@mastodon.ar.al @element@mastodon.matrix.org

@fabio @aral @mpsi We don’t sell data or metadata to anyone and never have. We sell encrypted messaging services - element.io/server-suite etc.

@kravietz no, it's a lack of education on your part. you're in luck - that's fixable, and unprecedentedly accessible with today's technology! from the comfort of your home, you can learn why police is, globally, overwhelmingly a fascist institution designed to protect the interests of the wealthy and powerful (that sometimes begrudgingly investigates crimes of violence against the poor), why your posts earlier in this thread are race essentialist and incredibly naïve, if not bigoted, and more!

@kravietz i don't have the spoons to school someone this arrogant on basic sociopolitics, but just know that it's incredibly privileged to be able to say "not my problem" and pretend that the issues mentioned only occur in the distant US of A

@kravietz

>"mastodon is funded by the eu"
not
"mastodon is funded by europol, frontex, etc"

some ppl here take pretty maximalist stances in their criticisms, but most (all?) ppl who have a problem with matrix/element customers are bothered specifically by the cops-and-military part

mastodon's primary source of funding is not any "violent enforcement" entity within the eu, afaik

im also not necessarily agreeing with all of the criticisms, its hard to squeeze nuanced takes into 500chars

@prma @MisuseCase @aral @precariousmind @element so to be clear, you're saying Matrix are just the other ten guys at the table

@element @aral

Matrix came out of Israel, and on your 'who you sell to' section:

"Public sector defence work - e.g. NATO, US Department of Defense, German Bundeswehr, UK Ministry of Defence, Ukraine MOD"

A cursory look at the UK MOD's postwar 'interventions':

Indonesia (1945), Oman (1957), Nyasaland (now Malawi, 1959), Brunei (1962), East Africa - Kenya, Uganda and Tanzani (1964), Anguilla (1969) and Jordan (1970)....

Not to mention their covert operations.

I'm out of chars (char limit)

@element@mastodon.matrix.org @aral@mastodon.ar.al @mpsi@toot.lv thanks for clarifying this. Your original message ("we sell encrypted messaging services") was actually quite ambiguous and didn't specify what kind of "encrypted messaging" you were selling.

Would you also be so kind to clarify if this point:

We don’t sell to organisations who are committing human rights abuses (i.e. abusive organisations within a government, even if the wider government itself isn’t in scope)

Means that ICE is a customer (or potential customer) for you?

And this:

We don’t sell to governments who are under economic sanctions by the UK/EU/US governments.

Does it mean that e.g. Israel may be a customer for you?

I ask not because I am against FOSS products collaborating with governments or law enforcement. But because I acknowledge that once that door is open there are many slippery slopes and a bit more clarify about your "customers" may be due.