this post was submitted on 18 Mar 2024
16 points (100.0% liked)

Matrix

3195 readers
6 users here now

An open network for secure, decentralized communication

founded 4 years ago
MODERATORS
 

I am interested in trying out matrix, but my first impression seems to reveal that by default, there may be some privacy or anonymity pitfalls if I use matrix.

Examples:

  • using an instance I don't host means the host is trusted with my data
  • self hosting might reveal a lot of information about me. Most likely, it is registered to a domain that has my info and could potentially be traced back to me.
  • When self-hosting, being one of few users, basic analysis of my activity could reveal a lot about me, since all that activity could be easily identified as belonging to a single person

Now I understand not all threats could be mitigated, but my worry is that both self hosting or not have significant gaps. What's the most privacy and anonymity conscious way to use Matrix?

top 9 comments
sorted by: hot top controversial new old
[–] [email protected] 4 points 5 months ago* (last edited 5 months ago) (1 children)

Trusting a third party with your data that is encrypted. Its better to blend in than to stand out. Use a instance with a fair amount of users , use anonymous username and email if they ask.

[–] [email protected] 1 points 5 months ago (1 children)

What about information like: who are the people I message, or the list of all group chats or public channels I am in? Is that encrypted?

[–] [email protected] 1 points 5 months ago

I don't have the answer to those but one that I know protect you even more is SimpleX. You can listen to this podcast with the founder where he explains everything.

Opt Out: SimpleX chat and how privacy aligns with the future of computing w/ Evgeny from SimpleX

Episode webpage: https://optoutpod.com/episodes/s3e02-simplexchat/

Media file: https://www.buzzsprout.com/1790481/12333165-simplex-chat-and-how-privacy-aligns-with-the-future-of-computing-w-evgeny-from-simplex.mp3

[–] [email protected] 2 points 5 months ago (1 children)

The first point is moot as you can encrypt your data; your host my have it, but they can't access it.

As far as self hosting goes, yes: DNS registration will generally out you, so if you're really trying to stay hidden then - as the previous poster mentioned - your best bet is to just make an account on a relatively large server.

[–] [email protected] 1 points 5 months ago

Thanks. Is it encrypted by default? Or do I have to do something to ensure it is?

[–] [email protected] 2 points 5 months ago

You can get a domain name 4free and anonymously https://freedns.afraid.org

[–] [email protected] 1 points 5 months ago (1 children)

Matrix is not the right protocol for staying anonymous. There's way too much unprotected metadata.

You might be able to mitigate that somewhat by using an instance that is accessible via TOR and being careful who you communicate with, depending on threat models and so on.

But if you want to communicate anonymously and not leak meta data... Probably not what you are looking for.

[–] [email protected] 1 points 5 months ago (1 children)

Thanks, that's what I was thinking. Are there better alternatives?

I'm skeptical of Signal's centralized model and its couple with Google services, among other things.

[–] [email protected] 1 points 5 months ago

I don't know what would fit your needs, but Signal does not require Play Services. And even if those are present, it does not leak data to Google. Other than "Signal is installed" and "You get a push message", Signal does not put your messages into the notifications. Instead Signal connects to the Signal servers and then gets the encrypted messages from there and only then decrypts.

Even if you have Play Services installed, you can force it to use a background connection inatead, if you disable Play Services before installing Signal, it wall automatically fall back to it.

If you want a version without Play Services libraries, you could use Molly, a hardened version of Signal, which is available in a version without those libraries.

Molly even allows linking phones as secondary devices, not just desktops.