💬 Discussion | Why is PrivacyTools recommending Riot over Wire when it's less private without a warning on unencrypted metadata?

[rawlife56]

Ok! I get it, Riot is federated and their app is a step in the right direction coupled with Matrix protocol but it doesn't come without compromise due to its early beta stage.

privacytools.io mentions 'Wire' stores contact data unencrypted on their servers as their only reason removing it from the top recommendations. Doesn't Riot do the same ? AFAIK, Riot only encrypts the message content as of now if we enable it. Everything from the time stamps to people we have contacted, stickers sent, few attachments, Call duration-recipients and much more except the message content stays unencrypted somewhere in the matrix server. Isn't this situation much worse than Wire ? Yes, we can host our own server unlike any other client but I really doubt that will be more than a small minority of people. Hiding metadata like Signal does isn't their priority either right now looking at their road map.

So the question arises, Shouldn't we mention the large amount of metadata leaks in Riot on the website warning the users beforehand. I'm really in love with Riot for its stability in such an early stage as a user who used wire since a year as my main IM but people should be aware of caveats because they expect the website to mention it because the same website did warn about unencrypted contacts metadata for another chat application. I wouldn't use Riot over Wire or Signal for anything remotely sensitive in its current state.

I may miss something obvious because I'm still an amateur in this stuff. Would love to know if I'm missing anything.

@muppeth summed it up well here. I'm quoting one of his sentence which holds true and explains my concerns in a much easier way 'At this moment I don't see how this(Riot) could be advice as privacy aware service alternative. It's quite possible synapse stores more metadata then whatsapp at this point.'

[five-c-d]

Wireapp does do the same, with the difference that if you WANT to secure your metadata and use RiotIM, you actually can: by running your own Synapse homeserver, or by picking somebody YOU trust that is running one. Ability to pick the riotIM server you connect with, also gives you ability to pick what jurisdiction that server is hosted in, unlikely with wireapp.

If you look at the VoIP recommendations, wireapp is recommended in the top3 with signalapp, because cryptocalling on RiotIM (via jitsi codebase under the hood I believe) is only kinda-sorta working on MatrixOrg right now. Most people cryptocall more rarely than they cryptotext, so signalapp is listed on both categories, but where signalapp is limited wireapp is solid (only 1-on-1 confcalls in signalapp and wireapp permits up to 10-way-confcalls) and the metadata-risk might be worth the server-side metadata for that use-case.

But over in the IM listings, wireapp is marked as experimental and the recommendations are Signalapp or RiotIM ... and ideally, that should be RiotIM+SynapseHomeserver since otherwise metadata privacy is at risk. (Ricochet is also recommended at the moment, though I suspect it will be removed soon as unmaintained-and-unlikely-to-regain-momentum.) There is a discussion about whether wireapp and/or Jami ought to be promoted in the IM category ... along with a bunch of other things, it is a long thread ... over in element-hq/element-web#779

Shouldn't we mention the large amount of metadata leaks in Riot... warning the users

Yes absolutely. "Make sure you trust the person running the server your RiotIM will connect to, and if necessary, run and secure your own Synapse homeserver (or have someone you trust setup such a thing for you)." With wireapp, the yellow-warning-flag notes that the metadata is stored unencrypted ... not sure how Synapse and other MatrixOrg servers handle such things, do they use at-rest crypto for their homeservers on the primary public nodes? If so that would be worth noting... with a Synapse homeserver you can always use it in combination with VeraCrypt or similar, https://www.privacytools.io/software/encryption-tools/ , to achieve some measure of crypto-at-rest.

[Mikaela]

Some issues that I didn't see linked above and I think are related to this discussion:

• https://github.com/matrix-org/matrix-doc/issues/447 - history is stored forever, there is no way to limit how much or how long
• When we redact events, any mxc content they refer to should be redacted too (SYN-216) matrix-org/synapse#1263 - uploaded media/files aren't removed when they are removed in Riot
• We need to actually censor redactions from the DB (SYN-284) matrix-org/synapse#1287 - actually removing removed messages from the database
• [Request] Allow account deletion matrix-org/synapse#1941 - allow account deletion, not just deactivation

[ghost]

• Options to strip EXIF metadata from media uploads. element-hq/element-web#4426 - riot does not scrub exif data from upload

[five-c-d]

there is no way

If you are running your own homeserver, you can of course implement your own DIY limits on history-storage, implement your own database-vaccuum (e.g. SQLCipher and pragma secure_delete), et cetera. But out of the box, there is a lot of metadata and it is stored forever, so unless you are doing a lot of extra legwork at the sysadmin-and-database-admin level on your homeserver, RiotIM is pretty leaky.

Plus of course, you need strong infosec on your homeserver nodes -- because there is such a large amount of metadata on them, they are a juicy target for pwn'age threat-vectors. Cf the recent security breach of the central matrixOrg server-cluster, including the code-signing keys of certain flavours of synapse/riot/etc. Running your own homeserver is not hard in the monetary sense, but securing internet-facing chatservers is not a walk in the park either, whether that means ejabberd or synapse or self-hosted wireapp/signalapp even. Getting the self-hosted thing operational is only the first step, infosec maintenance and opsec maintenance are never-ending projects in most respects.

And the point here is not so much to complain about server-side metadata... even things like signalapp where the server-side metadata is strictly limited are vulnerable to weak opsec, just, the target has moved. Eve would still be able to get groupchat metadata from a 99-member signalapp groupchat, but instead of her target being a server-node, she would need to target a router with network-layer visibility of traffic going to and from that node (to perform timing analysis), or target any of the 99+ endpoint devices including signal4desktop link-n-sync slave-devices. There are still lots of ways for Eve to get the metadata, in other words.

If the 99-member groupchat was on RiotIM sans homeserver, Eve would need to pwn the central MatrixOrg cluster, or a nearby router with visibility onto that cluster, or any member-device (including browser-clients). Better to run a homeserver, if you can secure it against Eve better than the central cluster is secured... or maybe just Not Stand Out as much and therefore not become a target? But this is risky, since obviously, running your own self-hosted synapse server with mandatory MegOlm crypto does definitely make you Stand Out.

Complicate topic, with no easy silver-bullet answers, unfortunately

[Mikaela]

Notes on privacy and data collection of Matrix.org via maxidorius on our forum.

[Mikaela]

I commented upon PRISM Break's equivalent issue with the quotes from @muppeth.

I seem to be the only PTIO Member commenting on this issue, and I would guess there is no interest in delisting Riot because of https://riot.privacytools.io/ and it would be the decision of @BurungHantu1605 or @jonaharagon who are running it and I think considered reliable by PTIO for the issues to not matter (but what if the servers get seized or compromised?).

CC: @privacytoolsIO/editorial @privacytoolsIO/services

[Mikaela]

PRISM Break has delisted Riot. I am going by assumption that PTIO is not going to delist it due to hosting an instance, but I am opening a pull request to add a warning about the notes.

Ping @blacklight447-ptio, judging by #general:privacytools.io I am surprised to not have seen you here.

[Mikaela]

What would you think about closing this issue in favour of a new Riot tracking issue which clearly listed the privacy issues with Riot?

• like this
• actually open the new issue?

I am not very optimistic on this issue receiving answers in it's current form and I think a new issue could be more clear.

Also can I get your attention on element-hq/element-web#1024 and opinion on if it should link to the new issue?

[Mikaela]

Notes on privacy and data collection of Matrix.org via maxidorius on our forum.

Part 2 via forum.

PR to delist Riot: element-hq/element-web#1047.