*Permanently Deleted*
27


poVoq
12
3M

People consider way too little under what jurisdiction the developers and servers are. Even if Signal was fine right now, them being under US law is a total no-go for anyone not living there (zero rights for non-citizens) and it would be trivial for the NSA to force Signal to intercept more metadata etc. even with a gag order.

Matrix.org is AFAIK based in the UK, which is nearly as bad, especially now with Brexit. And self-hosting while avoiding any connections with the main instance is nearly impossible.

If you insist on a centralized platform and are an EU citizen, then Threema is probably the best option, now that they open-sourced their clients. For non-EU & non-US, I guess Telegram (Doha based, but servers on US cloud providers AFAIK). I think for east Asia (other than China), LINE would do (Japan/South Korea based).

But IMHO, by far the best option is to selfhost XMPP or sign up with a local community run XMPP server.

@je_vv
2
3M

I guess the whole point of having e2ee, storing as little user metadata as possible, and the not having to trust the service provider model, is the motto for Signal and perhaps Matrix (Signal being the messenger collecting less metadata, while the Matrix backend is open sourced). Actually no matter where the service resides these days, some probably are hosted on Amazon or other processing and storage services, which most probably have headquarters in one of the 5 eyes countries. I definitely like truly decentralized and FLOSS apps and services, such as Briar or Tox. However unfortunately AFAIK Tox’s last protocol never got as audited as the double ratchet one, and besides, both decentralized services are energy hungry. A regular phone’s battery is not enough for a full day of such apps up and running…

The fact of having Swiss servers is not fully reassuring, since at least the Swiss company Crypto AG has been exposed as being involved with intelligence agencies (US, German and Swiss ones at least) as well (https://web.archive.org/web/20201111074303/https://www.parlament.ch/press-releases/Pages/mm-gpdel-2020-11-10.aspx?lang=1033 - https://www.washingtonpost.com/graphics/2020/world/national-security/cia-crypto-encryption-machines-espionage). So Threema, though interesting, just by having Swiss servers is not totally reassuring, and feature-wise, it lacks voice and video calls (it does support voice messages, which is not the same), to be on par with Signal and Matrix; besides, the backend and server are not open sourced, just the client (like for Signal, but not the case for Matrix, which is fully open sourced).

I do like the fact that Threema doesn’t depend on phone numbers, but Signal is supposed to be working on getting rid of the strict need for phone numbers (https://www.zdnet.com/article/signal-to-move-away-from-phone-numbers-as-user-ids - https://signal.org/blog/signal-pins), and Matrix doesn’t depend on phone numbers at all. I’m using both Signal and Matrix/Element, and if Signal doesn’t eventually come up with a no phone number solution, I’ll then get out of Signal, but I’m patiently waiting, particularly because I guess most people will opt for Telegram (which is a definite no go for me, and it’s not even open sourced btw), and part of them for Signal, but I don’t see them opting for Matrix, and even less opting for Briar or Tox (as Tox is right now, it’s also a no go).

BTW, Signal at least sent a communication last year, sort of indicating that if the US ever approves the “earn it act”, they would move out of the US (https://www.wired.com/story/signal-earn-it-ransomware-security-news - https://signal.org/blog/earn-it), which is somehow nice to hear from it.

XMPP requires a server, and in that sense is not truly decentralized, unless you self host, as you pointed out, but that might be out of scope for some (I at least can’t trust my electricity service, not even the internet one, to be able to self host), or might even be too complex for non tech people, and the alternative for most would be a central server… If I could self host, not only XMPP would be an option, also email and NextCloud (meaning, I would not depend on several services being hosted or not by US or non US service providers)… And I don’t know how many users would be moving to XMPP (and even less self hosting, for a non centralized experience), and I suspect as with the Matrix case, very few would…

The Matrix solution so far has clients and backends fully open sourced, which is a big win compared to other solutions, since it can be explored and audited by anyone interested, and not just the protocols it uses or some APIs. Also by being federated, there can be instances everywhere. If someone doesn’t feel comfortable with the matrix.org instance, they can look for some other instances. And furthermore, as with XMPP, you can self host your own instance as well, and still communicate with the rest of the instances, so you can make it non centralized if you and your contacts all self host. I then see Matrix as one of the best options out there, except for 2 major issues. The main one being adoption. As mentioned, I doubt I can make even a fraction of my contacts move to a Matrix client, though one of the cool things about being federated is that there’s not only Element, but that’s not the point… And the 2nd one being that at least group video calls (not sure if voice calls as well) are not e2ee, but instead are WebRTC encrypted, since Jitsi is used underneath, and in this regard Signal is better, though currently limited to 5 people video calls (they plan to increase that limit).

So to me, it’s not as simple as saying the service provider or the servers are not based in any of the 5 eyes countries, or the extended 5 eyes for that matter, since in the end countries’ intelligence agencies make alliances, and when there’s money involved as well, then one can’t assure how ethical things are. I’m still to see truly decentralized solutions like Briar or Tox providing usable solutions for regular users (not just whistle blowers or protesters, in special situations, for which some suppose Briar is made), and becoming, if not mainstream, at least easy and energy/battery safe to adopt as well, so it doesn’t become that hard to convince others to also join the decentralized experience.

I use Telegram and Signal. Telegram is the most like WhatsApp, but Signal is a little better for privacy.

@Freshy969
93M

Signal is one of the best WhatsApp alternatives.

@sia
4
2M

deleted by creator

@marmulak
83M

If you use Android then Conversations is probably your best choice. Some people won’t use it because it requires them to create an XMPP account on some server, which apparently is too much trouble. Signal is more appropriate for normies who just want to open an app and have it work like WhatsApp out of the box. (It supports iOS as well.)

poVoq
5
3M

There is blabber.im, which uses a fork of Conversations and also runs a federating XMPP server: https://blabber.im/ Or if you want phone number linking there is: https://quicksy.im/ from the original Conversations developer.

@Lowey
63M

Short answer Signal: https://signal.org/download

poVoq
6
3M

It really isn’t, just read the below messages.

Switching from WhatsApp to Signal, while being an improvement in the short term, is in the end the same story. You are still stuck in a centralized walled garden that falls under US jurisdiction and has clients that are controlled externally (and thus it is trivial for US intelligence services to force the Signal Foundation to push an update that kills all the privacy features without you ever knowing).

Edit: Probably FUD, but I wouldn’t be surprised if Signal is used as a honeypot by the NSA already. They did a similar game with a Swiss encryption product company for decades. And as much as I like Snowden, he is still very much a US intelligence service insider and can’t be fully trusted when it comes to recommendations for non-US citizens.

@gorugorugo
23M

I use Signal to chat with my friends and family.

  • I like the fact that it’s E2EE

  • I like that it’s very easy to sign up with a simple download, install, text code confirm.

  • I like the UI to an extent, it has nice features and looks nice enough. Text is text, pictures are pictures… we don’t need to obsess with “the shiny”.

  • I do not like that it’s hosted in the US

  • I do not like that it requires a phone number (for now)

  • I do not like that the servers are centralized, that the devs do not take decentralization into consideration, and that they are aggressive against alternative clients using their backend (which I am somewhat understandable on, servers ain’t cheap)

Which is why there are alternatives like Matrix, Session, and lots of others; however:

  • Matrix requires a bit more from the user to sign up, such as username and email. This arguably is less bad than a phone number (although temporary or one-time phone numbers are available).

  • There’s also some shared disappointment around the web with the standard Element UI, can’t necessarily back those claims up though.

  • And to be really secure, you’d probably want to self-host a Matrix instance, which requires considerably more time, resources and effort to maintain, especially if you have poor internet at home, and feel that renting a VPS off-site would perhaps defeat the purpose of self-hosting (as I do).

  • Session is backed and developed by an Australian based company, which should immediately raise alarms for anyone familiar with Australia’s crazy backdoor encryption law [1] [2]

Obviously this is all personal anecdotes, my bottom line being that Signal is not perfect, far from it, but if you’re using Whatsapp, now is probably the easiest time to shift your contact groups off. It’s an equivalent that’s far better, while still having some usage pains.

If anyone wants sourcing on any of the above claims, please reply or otherwise offer a source up. I know they’re out there, I don’t have the energy right now for it. I do not intend to lie.


poVoq
2
3M

that they are aggressive against alternative clients using their backend (which I am somewhat understandable on, servers ain’t cheap)

This argument is very weak IMHO, as Signal is a free app and anyone using it with a 3rd party client puts the same load on the servers as someone signing up for free. They do also say that having only a first party client allows them to quickly and easily change and innovate, but then why are they hostile to 3rd parties compiling and distributing the first party app?

If you think about it a bit more closely, then it becomes apparent that by forcing everyone to only use the 1st party client and distribution channel, they can keep control of the app and change it freely without most people noticing, especially if a modified version is only pushed to certain individual devices. And maybe I am a bit paranoid, but that is exactly how an intelligence service would operate in order to compromise the communication of selected individuals.

PS.: You should rather compare it to XMPP with the Conversations client (or the fork blabber.im). Works great, is fully e2ee and has a UI and functionality very similar to WhatsApp or Signal. And you can easily get it from F-Droid or compile it yourself, so the risk of the developers messing with the binaries is minimal.

they can keep control of the app and change it freely without most people noticing, especially if a modified version is only pushed to certain individual devices.

Is it possible though? Like Google Play updating the modified app only for certain individual devices?

poVoq
13M

Sure, that is easily possible. They can also push an update to everyone and a slightly modified version at the same time only to certain devices.

In fact if this is still true then Google could even dynamically push an exploit into Signal without an update to the app itself.

@gorugorugo
13M

Thank you for this reply, I did not consider that. The small unseen changes due to forced use of a single client. I always want to use a decentralized platform if I can, which is why Fediverses are so nice, but my friends are not as keen. Signal is the gap for now.

@Lowey
13M

Android builds are reproducible builds (download from website). As such I can be sure I get what it says; as for US jurisdiction, I think it has been published extensively that they were only able to give account creation and deletion date.

​@
33M

Seems like https://www.privacytools.io/software/real-time-communication/ recommends only Signal if you want a centralized service.

@soloninja
23M

Element/Matrix is usually a good one. It is similar to Discord in a way.

Signal seems to be the ideal replacement for WhatsApp at the moment. It would be fairly simple to get someone to install it if they want to switch. I am going to attempt to get my mother to switch in the coming weeks.

Element/Matrix would be my choice but I would bet my life savings and first born son that I would never be able to get more than one person to switch.

Just as a side note/side question: RE: the upcoming changes to WhatsApp, what will be the deal in Europe? I did see that the changes won’t be the same, will there be any changes made at all for European users?

Element/Matrix would be my choice but I would bet my life savings and first born son that I would never be able to get more than one person to switch.

That was my exact experience. I got two people. Both left.

One person asked me this on reddit in comments. Read comments here https://teddit.net/r/privatelife/comments/krr7gf/writeup_dissecting_massive_whatsapp_privacy/

@TheAnonymouseJoker
2
3M

Favourite answer: Signal for personal chats and Telegram for public groups and public chat boards

Honest answer: keep WhatsApp to have an open presence in social public sphere, devoid of permissions except contacts, but use Signal for personal and sensitive chats

If you want to read more, read conclusion part in my writeup: https://lemmy.ml/post/46726

@e44nbe4
3
3M

deleted by creator

@TheAnonymouseJoker
-2
3M

WhatsApp for some people can be integral to participation in academia (schools or colleges) or businesses. For them getting rid of WhatsApp is work suicide, hence the advice.

@e44nbe4
1
3M

deleted by creator

@AgreeableLandscape
admin
1
3M

I’m a student, ALL my friends use WhatsApp, you want to talk with me? Signal.

I wish I could do this. Facebook Messenger group chat is the platform of choice for organizing group projects at my university, and obviously I can’t refuse to communicate with classmates for assignments. I tried suggesting other platforms but practically no one is interested. Other communication, I direct them to email or Matrix.

Personal chats are surely fine on other secure messengers, which is what my own OPSEC is. What I meant was that universities and schools have their groups for notes and announcements on WhatsApp, and one would not like to miss out on that essential information.

QuentinCallaghan
2
3M

I like Telegram mainly because of the many features and larger userbase.

The only thing that Signal seems to ask for is the phone number. But, in terms of privacy, do they collect any other metadata, and can the phone number be linked back to the device or the user externally?

@Nevar
13M

Look up Fluffychat and also Wire

@cruon
13
3M

Not Wire please. Apart from the issues listed on that blog post, its UI/UX is terrible.

@onlooker
43M

Yeah, it’s not great. It’s also an Electron app, which gobbles up more memory than I’m comfortable with AND last I used Wire, it wouldn’t detect my mic unless I was using the web version. Just no thanks.

@Nevar
03M

What about Threema? Open source, e2ee, easy user interface, no metadata collection

@Echedenyan
53M

As far as I see, Threema only became FLOSS on the client side and in a few things on the server side; the rest is still proprietary software.

poVoq
33M

Yes, similar to Telegram. Still that opens a lot of possibilities for reproducible builds and bridging etc. and they are also not hostile to 3rd party clients: https://www.openmittsu.de/ Servers located in Germany/Switzerland afaik. Recently got a larger cash investment from a large German investor.

@Echedenyan
13M

Yes, my point was only that and I apply the same to Telegram. It is a disadvantage for me and a major one.

@Nevar
-13M

I don’t know if any of you are on Telegram but Durov’s Channel is doing a takedown of privacy criticisms. He’s essentially calling people who demand server side code be open sourced misinformed.

Telegram is okay only as a public board/group messenger service, nothing more. They take time in open sourcing their client code, around 3-4 months.

poVoq
-13M

That’s not that relevant, as long as older versions compiled from source still work.

@TheAnonymouseJoker
2
3M

Older versions work, but would also have security flaws. So Telegram is open source depending on what definition of security or feature updates you are okay with.

Most (spoiler: nearly all) people in the privacy community have no clue about this.

I’d suggest you try Threema or Telegram. I personally use both but have more trust in Threema overall.

https://threema.ch/en/blog/posts/messenger-comparison-2021

Telegram works very well but is a nightmare from a privacy perspective since they store everything* unencrypted as long as they want. They even call themselves a “cloud messenger”.

(*) everything but the e2e chats you can set up but are barely used since they can’t be accessed on desktop and there’s no e2e for groups

@kitsunekun
23M

My favorite Telegram feature is that you can nuke entire chats with a couple of clicks. I wish more texting apps had that type of design because it gives you ownership of your messages/discourse.

@awa
creator
13
2M

deleted by creator

@ksynwa
43M

Element gets a “good” on ease of use but IME using multiple clients is a pain in the butt with the way encryption keys are handled. Lots of people complain about not being able to read some messages in an encrypted room I am in. I understand if it’s a limitation of them not storing your keys on a centralised server (unless you opt for it I think) but it makes it very difficult for normie friends.

Dreeg Ocedam
4
3M

Telegram’s E2EE isn’t even partial since it’s nonexistent in groups ¯\_(ツ)_/¯

@kitsunekun
23M

Your post says that Threema doesn’t have voice and video calls, that’s wrong. https://threema.ch/en/blog Feature-wise Threema is very, very solid, and they will soon be adding even more features now that people are in a frenzy about not being spied upon 24/7.

@nutomic
admin
3
3M

Where does Telegram have ads? I’ve certainly never seen any.

They’re going to https://lemmy.ml/post/45696

@nutomic
admin
73M

Okay but that’s only for public channels, so anyone who uses it as an instant messenger will never see those.

@federico3
1
3M

This comparison ignores the leaking of metadata: for that, the only viable option is Briar.

It also ignores ease of use: Signal is still reasonable, Element is too fiddly and buggy for non-technical users.
