This repository has been archived by the owner on May 6, 2020. It is now read-only.

Riot's privacy policy sounds very scary #132

Closed
mvgorcum opened this issue Dec 23, 2017 · 14 comments

Comments

@mvgorcum
mvgorcum commented Dec 23, 2017

This issue is opened based on a discussion in the Riot room starting here.

Reading through the policy it shows that basically all data and metadata is saved (with a note that this can be limited by the users) and it's allowed to use this personal data for a bunch of vague sounding things like 'data analysis', 'research', 'statistical and survey purposes'.

There is a clause allowing riot to give data to third parties, though it does mention that the third party is 'under obligations of confidentiality in respect of the personal data they receive.' (I'm guessing this means something specific in legalese, but it still doesn't really sound great to me).

Of course the selling of riot to a new party would give all the information to them. (on a personal note: this is particularly scary to me if facebook would buy riot).

As far as I understand large parts of the reasons for collecting and saving this data are technically required for riot/matrix to work well as a federated system, which is probably one of matrix' biggest strengths, especially from a privacy perspective. We may need to find a good way of explaining this and there may be some technical things to do as well.

As a bit of a privacy-nut I'd argue that if it is at all possible to not save/have any data, this is always the best way out (though some data saving is obviously required).

Seeing as matrix is very actively developed by a team that is transparent and trustworthy (at least to me) I feel comfortable using the ecosystem, and this rapid development is probably at least partially possible because the team has access to a lot of data.

Going forward, though, I think this needs to be addressed and explained in a less scary sounding way.

I'll end with a quote from Marcus (@Bubu) describing why this is an issue:

But it's kind of hard to really get behind a project when you get reactions like this when recommending riot as an IRC client: "BubuIIC: Dear God, I just took a look at their privacy policy, that thing is a nasty Botnet :S"

@Bubu
Bubu commented Dec 23, 2017

Thanks @mvgorcum for summarizing this. I'd like to add a few additional points that came up during the discussion:

  • The privacy policy should be a lot clearer about what data collection pertains to the Riot client, i.e. when using the web, Android or desktop client, and what data is collected when using the matrix.org homeserver. I think it tries to make that distinction but it's absolutely not clear to me.
    Basically I asked myself what part of the data collection can I avoid by not using matrix.org home server and what part can I avoid by not using the riot client(s).

  • As a comparison I brought up the Telegram Privacy Policy. It's a lot nicer to read, not in legalese but provides clearly structured information for users.
    It also makes pretty strong promises about privacy both on a organizational level (we don't share anything, ever.) and on a technical level (messages are deleted on the server when you do x.).
    Now I understand that matrix has a different architecture and may need to store more information. But what I'd like to aim for is the same clarity for users on how the policy for storing data x connects to the necessity for operating the server/network.
    (Also I understand that "We share nothing. Ever." is not a realistic promise matrix/riot can make.)

@mvgorcum
Author

mvgorcum commented Dec 23, 2017

From the discussion in the riot room, reply by @ara4n:

As others have said, it boils down to:

  1. if you send messages through our server, we necessarily see their metadata.
  2. don't do illegal stuff (as defined in the EU), and don't abuse the service or each other
  3. we have opt-in opt-out [1] anonymous analytics in the Riot clients to give us some idea of how people use the app so we can try to make it suck less. The analytics go through to our own Piwik (these days, although originally when that was written they piped to Google Analytics)
  4. we don't yet do log minimisation given the service is still beta and we'd not have a hope in hell of debugging it if we deleted logs all the time.

It categorically only applies to the matrix.org server (and a hypothetical vector.im and riot.im server if it actually existed).

Totally agreed that the document is scarier than it should be: it was written by lawyers organised by the guys who originally funded Matrix.org (Amdocs), and they were optimising for comprehensiveness rather than something that was user-friendly to read.

As of July we are entirely free from Amdocs, but rewriting the privacy policy has not yet got to the top of the list, especially as it costs money to ensure it's remotely legally accurate (of which we have very little right now) - and especially as anyone who actually digs into the current document can see that whilst superficially scary the actual underlying content is sane.

Just to ensure the details are right:

  • Matrix is a non-profit opensource project, started in 2014 by a team which at the time was employed at Amdocs. (Historically we'd worked at OpenMarket, a subsidiary of Amdocs, who acquired my last company in 2010, and legally speaking most of the team was employed by OpenMarket, hence the (c) statements everywhere).
  • Riot is an opensource collaboration app built on top of the Matrix protocol, intended to help spearhead uptake of the protocol. Most of Riot is written by the same team.
  • In Feb 2017 we created a dedicated company (Vector Creations Ltd) to hire the core Matrix team, as well as build Riot and Scalar (a for-profit proprietary appstore for Matrix). Vector Creations was set up as an independent subsidiary of Amdocs.
  • In July 2017 Amdocs decided that they didn't want to put more money into Matrix (or Riot/Scalar), as the project seemed successful enough to be self-supporting, and meanwhile Riot/Scalar is still a way off from making them any revenue. So they terminated our funding and the team left.
  • In response, we set up a new company, called New Vector, which rehired almost all of the existing team, and we've spent the last 5 months getting money together to actually pay our salaries and keep the project going - both through donations, consulting gigs, and more recently getting external investment in place (hopefully). Luckily we were able to transfer all the IP of the project from Amdocs to New Vector (which is why you're talking via matrix.org right now rather than openmatrix.org or something ;P)
  • Once New Vector is funded and stable we'll a) fix the privacy policies, b) set up an independent non-profit Matrix.org Foundation to look after Matrix itself (and protect it from New Vector, or any other for-profit company building on top of the protocol)

So, TL;DR: Matrix is a protocol and a non-profit project. Vector is a for-profit company which happens to hire the Matrix core team and also releases Riot & Scalar.

Finally: the only bit of Matrix which isn't decentralised right now is the identity service (used to look up email addresses and phone numbers and map them to matrix IDs when inviting people), which is hosted on matrix.org & vector.im. We want to fully decentralise this asap (although it's quite far down the todo list) to ensure the protocol and ecosystem is completely autonomous and decentralised.

[1]correction by mvgorcum: The analytics is currently opt-out, not opt-in.

@ara4n
Member

ara4n commented Dec 23, 2017

thanks for relaying my wall of text into here. in terms of the comparison with the TG privacy policy... if we had Russian billionaires bankrolling us, perhaps we'd be able to afford lawyers to write a better policy ;p In short: a comprehensive waffling privacy policy is a lot more expensive than a comprehensive succinct one.

in terms of opt-in v opt-out analytics: it depends per platform. Atm iOS and Android are opt-in and web is opt-out. In practice the analytics don't really report anything that we don't already see in our http logs though, so it's all a bit moot.

@ara4n
Member

ara4n commented Dec 24, 2017

See also element-hq/riot-android#1185

@ara4n
Member

ara4n commented Jan 9, 2018

see also matrix-org/matrix-spec-proposals#760

@ara4n
Member

ara4n commented Apr 24, 2018

ftr we're currently working on rewriting our privacy policy and fixing the mess that we inherited there, thanks to the impulse provided by GDPR deadlines.

@akontsevich

I see all the communication and chat history is stored on the server (I logged in from a new device while all others were offline and saw all my chats and messages). So where is the privacy then?! How does it differ from Skype, which also stores all the history on their servers since MS bought it?! Or do I need to start up my own server for privacy?!

@Half-Shot
Member

@akontsevich The chat history is only stored on servers you've authorized. By starting a conversation with me, you've authorized that the conversation is only shared with your server and half-shot.uk. By using matrix.org, you are authorizing them to hold your conversations. The difference between Skype/silos and Matrix is:

  • The code is free software, you can see what and how it is being stored.
  • You know that your conversations are being stored on N servers that you can see in the members panel.
  • Matrix fully supports E2E encryption which means conversations stored on a server are unreadable by anyone other than you and the other people in the conversations. Even if you don't trust any of the above or the server you are on, encrypted rooms cannot be read by anyone else.

So, flatly - Yes. If you want the absolute security of your data then you need to run your own server but I think that's fairly common sense that by using another server...you are using them?

But E2E offers an extremely strong guarantee that your data is safe anyway.

@ghost

ghost commented May 10, 2018

The code is free software, you can see what and how it is being stored.

No, you can't, you do not have access to matrix.org server so see what and how. And when it comes to things you can access, closed source doesn't stop you from checking what and how if you really want to. Free software stands for freedom, it's about a license. Open source stands for transparency and openness of the process of creation. The fact that often private apps are also free and open is unrelated, just a nice thing.

But E2E offers an extremely strong guarantee that your data is safe anyway.

Only the message content is protected by E2E, and only until a bug is found in the E2E implementation, a flaw in the algorithm, 20 years pass (i.e. when today's crypto will be breakable by consumer computers according to predictions), quantum computers are usable, or a bug in the app, server, operating system, or user/dev stupidity is found. When one of these comes, I'd advise considering it plaintext; since Matrix stores everything forever, you don't even need a Bullrun-like program, it does it for you/them. That is not to say Bullrun isn't real and perhaps even has a copy of everything even if Matrix deletes it.
The other part of the story - load of metadata and account info in plaintext just sitting there. This is an enormous amount of information about you. Right now it's not deletable.

@akontsevich

For me it is the past, most probably will leave Riot and matrix:

  • the privacy policy means it gathers user statistics and sends them to 3rd parties (so it spies like Skype does now)
  • not p2p
  • totally unusable now with the e2e bug
  • electron 2.0 has many bugs which they seem to have no plans to fix

It was strange to me that it is developing so rapidly and has so many useful features right after the start; now I understand this dirty trick: just another tool to spy on users and gather statistics to manipulate societies.

I think the only thing a server should do is simplify users' connections and keep rooms (groups) permanent, that is all. So I like qTox more now; the bad thing is it doesn't have as many features as Riot does currently.

@ara4n
Member

ara4n commented May 25, 2018

As promised we've entirely rewritten and released the privacy policies, terms & conditions, copyright policy, cookie policy and right-to-erasure policy for the matrix.org homeserver and for the copy of Riot hosted by us at riot.im/app. Hopefully they mitigate the majority of the concerns on this thread. They now all live on github and PRs and feedback are very welcome against the https://github.com/matrix-org/matrix.org repository.

Matrix.org homeserver policy docs (only for the matrix.org homeserver, as should be obvious - other servers can do whatever they want):

Riot.im policy docs (only for the instances hosted at https://riot.im; other deployments can do whatever they want):

I'm hoping folks will agree that the policies are a massive improvement and a lot less scary, so I'm considering this bug fixed. Please open any further feedback against https://github.com/matrix-org/matrix.org.

@ara4n ara4n closed this as completed May 25, 2018
@akontsevich

One more question about privacy which was not answered in the Riot room: are p2p calls or conference calls also e2e encrypted? Or do they also go through a server, so that it is theoretically possible to intercept the communication?

@mvgorcum
Author

mvgorcum commented May 25, 2018

One more question about privacy which was not answered in the Riot room: are p2p calls or conference calls also e2e encrypted? Or do they also go through a server, so that it is theoretically possible to intercept the communication?

This is not really the right place to ask this question, but I'll try to answer to the best of my knowledge.
1:1 calls use WebRTC, which will first try to set up a peer-to-peer connection, but if that fails it will fall back on a server relay. The data itself (after the connection is made) is end-to-end encrypted though, which means it can't be intercepted (both in peer-to-peer and in relay mode).

Conference calls recently changed their default (IIRC) from the legacy system to Jitsi. Jitsi uses a server to set up and relay the call, and it is not end-to-end encrypted. The whole code is FOSS though, and you can host your own instance of Jitsi if you so desire.
Of course the jitsi conference call itself is encrypted in transit, so unless you have access to the jitsi server you can't intercept communication.

@ara4n
Member

ara4n commented May 25, 2018

for the sake of completeness:

  • 1:1 WebRTC calls are only fully end-to-end secure if they are initiated in an e2e encrypted room (otherwise the signalling that sets up the call can be intercepted, letting the media then be decrypted).
  • Neither FreeSWITCH nor Jitsi are end-to-end secure for conferencing yet; the conferencing server has to decrypt the calls to mix them together. It's a hard problem and they're working on it, and when they sort it out we'll of course hook it up to Matrix.
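The first bullet above is worth seeing concretely. WebRTC media is protected by DTLS-SRTP, and each side authenticates the other's DTLS certificate against the fingerprint carried in the SDP (the a=fingerprint line); in Matrix that SDP is the body of the m.call.invite / m.call.answer events. Whoever can read and rewrite those events in transit or at rest can substitute their own fingerprint and terminate DTLS on both legs, while in an e2e room the same events are wrapped in m.room.encrypted and the SDP is unreadable to the server. The following is an added example written for this page, not code from the thread, from Riot or from any Matrix library: the event shapes follow the Matrix spec's m.call.invite and m.room.encrypted events, but the call ID, SDP, ciphertext and fingerprint values are constructed, and the "attacker" is a hypothetical relay that can edit plaintext events.

```python
"""
Added example (not from the thread, Riot or Matrix): why 1:1 WebRTC calls
are only end-to-end protected when the call signalling is also protected.

WebRTC media keys come from DTLS-SRTP. Each peer accepts the other's DTLS
certificate only if its fingerprint matches the a=fingerprint line in the
SDP it received through signalling. If signalling is readable and writable
by a server, that server can swap in its own fingerprint and sit in the
middle of the DTLS session; if signalling is Megolm ciphertext, it cannot.
"""
import json
import re

# a=fingerprint:<hash-func> <hex:hex:...>   (SDP attribute from RFC 8122)
FINGERPRINT_RE = re.compile(r"^a=fingerprint:(\S+) ([0-9A-Fa-f:]+)", re.M)

# Constructed 32-byte SHA-256 fingerprints for the caller and a hypothetical MITM.
CALLER_FP = "AB:CD:EF:01:23:45:67:89:" * 3 + "AB:CD:EF:01:23:45:67:89"
ATTACKER_FP = "FE:DC:BA:98:76:54:32:10:" * 3 + "FE:DC:BA:98:76:54:32:10"

# Constructed, trimmed SDP offer of the kind a client puts in m.call.invite.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=- 4611731400430051336 2 IN IP4 127.0.0.1\r\n"
    "s=-\r\n"
    "t=0 0\r\n"
    "m=audio 9 UDP/TLS/RTP/SAVPF 111\r\n"
    "c=IN IP4 0.0.0.0\r\n"
    "a=ice-ufrag:4ZcD\r\n"
    "a=ice-pwd:2/1muCWoOi3uLifh0NuRHlB3\r\n"
    f"a=fingerprint:sha-256 {CALLER_FP}\r\n"
    "a=setup:actpass\r\n"
)

# Invite sent in an unencrypted room: the homeserver stores and relays this verbatim.
PLAINTEXT_INVITE = {
    "type": "m.call.invite",
    "sender": "@alice:example.org",
    "content": {
        "call_id": "c0ffee1234",
        "version": 0,
        "lifetime": 60000,
        "offer": {"type": "offer", "sdp": SAMPLE_SDP},
    },
}

# The same invite sent in an e2e room: the server only sees Megolm ciphertext
# (all values below are constructed placeholders, not real key material).
ENCRYPTED_INVITE = {
    "type": "m.room.encrypted",
    "sender": "@alice:example.org",
    "content": {
        "algorithm": "m.megolm.v1.aes-sha2",
        "sender_key": "constructed-curve25519-key",
        "session_id": "constructed-session-id",
        "device_id": "ALICEDEV",
        "ciphertext": "AwgAEnACgAkLmt6qF84IKconstructed",
    },
}


def extract_fingerprints(sdp):
    """Return [(hash_func, fingerprint), ...] for every a=fingerprint line."""
    return FINGERPRINT_RE.findall(sdp)


def server_view(event):
    """What a homeserver that stores or relays this event can learn from it."""
    if event["type"] == "m.room.encrypted":
        return {"sdp_readable": False, "fingerprints": []}
    if event["type"] in ("m.call.invite", "m.call.answer"):
        desc = event["content"].get("offer") or event["content"].get("answer")
        if desc:
            return {"sdp_readable": True, "fingerprints": extract_fingerprints(desc["sdp"])}
    return {"sdp_readable": False, "fingerprints": []}


def rewrite_fingerprints(event, attacker_fp):
    """Simulate a signalling MITM substituting its own DTLS fingerprint.

    Returns the rewritten event, or None when the SDP is not readable: without
    the room key the attacker can neither read nor forge a valid payload.
    """
    if not server_view(event)["sdp_readable"]:
        return None
    rewritten = json.loads(json.dumps(event))  # deep copy; the input stays untouched
    content = rewritten["content"]
    key = "offer" if "offer" in content else "answer"
    content[key]["sdp"] = FINGERPRINT_RE.sub(
        lambda m: f"a=fingerprint:{m.group(1)} {attacker_fp}", content[key]["sdp"]
    )
    return rewritten


def dtls_peer_accepted(signalled_event, observed_cert_fp):
    """Callee-side check on a plaintext invite: the DTLS peer is trusted iff its
    certificate fingerprint matches one signalled in the SDP that arrived."""
    signalled = [fp for _, fp in server_view(signalled_event)["fingerprints"]]
    return observed_cert_fp in signalled


if __name__ == "__main__":
    mitm = rewrite_fingerprints(PLAINTEXT_INVITE, ATTACKER_FP)
    print("unencrypted room, attacker cert accepted:", dtls_peer_accepted(mitm, ATTACKER_FP))
    print("e2e room, rewrite possible:", rewrite_fingerprints(ENCRYPTED_INVITE, ATTACKER_FP) is not None)
```

The ICE candidates and relay (TURN) path do not change this picture: the relay only forwards DTLS-SRTP packets it cannot decrypt, so the attack surface is the signalling that binds the two certificates, which is exactly what encrypting the room closes off.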
