this post was submitted on 18 Mar 2024
16 points (100.0% liked)

Matrix

3263 readers
2 users here now

An open network for secure, decentralized communication

founded 4 years ago
MODERATORS
 

I am interested in trying out matrix, but my first impression seems to reveal that by default, there may be some privacy or anonymity pitfalls if I use matrix.

Examples:

  • using an instance I don't host means the host is trusted with my data
  • self hosting might reveal a lot of information about me. Most likely, it is registered to a domain that has my info and could potentially be traced back to me.
  • When self-hosting, being one of few users, basic analysis of my activity could reveal a lot about me, since all that activity could be easily identified as belonging to a single person

Now I understand not all threats could be mitigated, but my worry is that both self hosting or not have significant gaps. What's the most privacy and anonymity conscious way to use Matrix?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 1 points 7 months ago (1 children)

Matrix is not the right protocol for staying anonymous. There's way too much unprotected metadata.

You might be able to mitigate that somewhat by using an instance that is accessible via TOR and being careful who you communicate with, depending on threat models and so on.

But if you want to communicate anonymously and not leak meta data... Probably not what you are looking for.

[–] [email protected] 1 points 7 months ago (1 children)

Thanks, that's what I was thinking. Are there better alternatives?

I'm skeptical of Signal's centralized model and its couple with Google services, among other things.

[–] [email protected] 1 points 7 months ago

I don't know what would fit your needs, but Signal does not require Play Services. And even if those are present, it does not leak data to Google. Other than "Signal is installed" and "You get a push message", Signal does not put your messages into the notifications. Instead Signal connects to the Signal servers and then gets the encrypted messages from there and only then decrypts.

Even if you have Play Services installed, you can force it to use a background connection inatead, if you disable Play Services before installing Signal, it wall automatically fall back to it.

If you want a version without Play Services libraries, you could use Molly, a hardened version of Signal, which is available in a version without those libraries.

Molly even allows linking phones as secondary devices, not just desktops.