Riot's privacy policy sounds very scary #132
Comments
Thanks @mvgorcum for summarizing this. I'd like to add a few additional points that came up during the discussion:
From the discussion in the riot room, reply by @ara4n: As others have said, it boils down to:
It categorically only applies to the matrix.org server (and a hypothetical vector.im and riot.im server if it actually existed). Totally agreed that the document is scarier than it should be: it was written by lawyers organised by the guys who originally funded Matrix.org (Amdocs), and they were optimising for comprehensiveness rather than something that was user-friendly to read. As of July we are entirely free from Amdocs, but rewriting the privacy policy has not yet got to the top of the list, especially as it costs money to ensure it's remotely legally accurate (of which we have very little right now) - and especially as anyone who actually digs into the current document can see that whilst superficially scary the actual underlying content is sane. Just to ensure the details are right:
So, TL;DR: Matrix is a protocol and a non-profit project. Vector is a for-profit company which happens to hire the Matrix core team and also releases Riot & Scalar. Finally: the only bit of Matrix which isn't decentralised right now is the identity service (used to look up email addresses and phone numbers and map them to matrix IDs when inviting people), which is hosted on matrix.org & vector.im. We want to fully decentralise this asap (although it's quite far down the todo list) to ensure the protocol and ecosystem is completely autonomous and decentralised. [1] correction by mvgorcum: The analytics is currently opt-out, not opt-in.
thanks for relaying my wall of text into here. in terms of the comparison with the TG privacy policy... if we had Russian billionaires bankrolling us, perhaps we'd be able to afford lawyers to write a better policy ;p In short: a comprehensive waffling privacy policy is a lot cheaper than a comprehensive succinct one. in terms of opt-in v opt-out analytics: it depends per platform. Atm iOS and Android are opt-in and web is opt-out. In practice the analytics don't really report anything that we don't already see in our http logs though, so it's all a bit moot.
See also element-hq/riot-android#1185
see also matrix-org/matrix-spec-proposals#760
ftr we're currently working on rewriting our privacy policy and fixing the mess that we inherited there, thanks to the impulse provided by GDPR deadlines. |
I see all the communication, chat history is stored on the server (I logged in from a new device while all others were offline and saw all my chats and messages). So where is the privacy then?! How does it differ from Skype, which stores all the history on their servers as well since MS bought it?! Or do I only need to start up my own server for privacy?!
@akontsevich That the chat history is only stored with servers you've authorized. By starting a conversation with me, you've authorized that the conversation only is shared with your server and half-shot.uk. By using matrix.org, you are authorizing them to hold your conversations. The difference between Skype/Silos and Matrix is:
So, flatly - Yes. If you want the absolute security of your data then you need to run your own server but I think that's fairly common sense that by using another server...you are using them? But E2E offers an extremely strong guarantee that your data is safe anyway.
No, you can't, you do not have access to the matrix.org server to see what and how. And when it comes to things you can access, closed source doesn't stop you from checking what and how if you really want to. Free software stands for freedom, it's about a license. Open source stands for transparency and openness of the process of creation. The fact that often private apps are also free and open is unrelated, just a nice thing.
Only the message content is protected by E2E and only until a bug is found in the E2E implementation, a flaw in the algorithm, 20 years pass (i.e. when today's crypto will be breakable by consumer computers according to predictions), quantum computers are usable, or a bug in the app, server, operating system, or user/dev stupidity is found. When one of these comes, I'd advise considering it plaintext, since Matrix stores everything forever; you don't even need a Bullrun-like program, it does it for you/them. That is not to say Bullrun isn't real and perhaps even has a copy of everything even if Matrix deletes it.
For me it is the past, most probably will leave Riot and matrix:
It was strange to me that it is developing so rapidly and had many useful features right after the start; now I understand this dirty trick - just another tool to spy on users, gather statistics to manipulate societies. I think the only thing a server should do is simplify users' connections and keep rooms (groups) permanent - that is all. So I like qTox more now; the bad thing is that it doesn't have as many features as Riot currently does.
One more question about privacy which was not answered in the Riot room: are p2p calls or conference calls also e2e encrypted? Or do they also go through a server, so it is theoretically possible to intercept communication?
This is not really the right place to ask this question, but I'll try to answer to the best of my knowledge. Conference calls recently changed their default (IIRC) from the legacy system to jitsi. Jitsi uses a server to set up and relay the call, and it is not end to end encrypted. The whole code is FOSS though, and you can host your own instance of jitsi if you so desire.
for the sake of completeness:
This issue is opened based on a discussion in the Riot room starting here.
Reading through the policy it shows that basically all data and metadata is saved (with a note that this can be limited by the users) and it's allowed to use this personal data for a bunch of vague sounding things like 'data analysis', 'research', 'statistical and survey purposes'.
There is a clause allowing riot to give data to third parties, though it does mention that the third party is 'under obligations of confidentiality in respect of the personal data they receive.' (I'm guessing this means something specific in legalese, but it still doesn't really sound great to me).
Of course the selling of riot to a new party would give all the information to them. (on a personal note: this is particularly scary to me if facebook would buy riot).
As far as I understand large parts of the reasons for collecting and saving this data are technically required for riot/matrix to work well as a federated system, which is probably one of matrix' biggest strengths, especially from a privacy perspective. We may need to find a good way of explaining this and there may be some technical things to do as well.
As a bit of a privacy-nut I'd argue that if it is at all possible to not save/have any data, this is always the best way out (though some data saving is obviously required).
Seeing as matrix is very actively developed by a team that is transparent and trustworthy (at least to me) I feel comfortable using the ecosystem, and this rapid development is probably at least partially possible because the team has access to a lot of data.
Going forward, though, I think this needs to be addressed and explained in a less scary sounding way.
I'll end with a quote from Marcus (@Bubu) describing why this is an issue: