this post was submitted on 04 Aug 2024
212 points (96.5% liked)

Privacy

31921 readers
1084 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

I am a firm believer that there are many privacy techniques you should focus on before encrypted messaging because they will offer you much more “bang for your buck,” things like good passwords, two-factor authentication, and even encrypted email. That said, I still believe that encrypted messaging is a critical part of a well-rounded privacy and security strategy. While the vast majority of our day-to-day conversations may be benign, it can still offer a lot of insight into who we are as people – our routines, likes, and personal thoughts. This information – mundane or not – is worth protecting.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 66 points 3 months ago (10 children)

Another basic thing -- If your messenger is throwing your messages in a notification; it's being logged. Google was found to be logging almost all notification content. Make sure your message app isn't putting the content of messages into notifications.

[–] [email protected] 27 points 3 months ago (2 children)

If the app implements their own notification system and doesn't rely on GCM then Google isn't able to log them as far as I know.

[–] [email protected] 14 points 3 months ago

UnifiedPush instead of their own implantation would be better for power consumption ig.

Overall a choice between which Notifier you want to choose would be nice.

Between the apps own notifier and UnifiedPush (also has a Fallback to GCM if wanted)

[–] [email protected] 4 points 3 months ago (1 children)

Sure -- but how many of them actually do?

[–] [email protected] 23 points 3 months ago* (last edited 3 months ago) (4 children)

I can throw a few examples:

  • SimpleX
  • Threema Libre
  • Briar (afaik)
  • Conversations (XMPP client)
  • FluffyChat (matrix client), probably some others too
  • Telegram FOSS (Telegram fork), Mercurygram (Telegram FOSS fork)
  • Molly (Signal fork)
  • Session F-Droid (Session fork)

So, the answer is — almost every of them.

[–] [email protected] 13 points 3 months ago

Element X (Matrix client). Basically anything that offers F-Droid or open source release will have builds without built-in notifications. Play Store/App Store builds requires using native notification systems.

[–] [email protected] 2 points 3 months ago

Briar just says x private messages

[–] [email protected] 2 points 3 months ago (2 children)

But not Signal? I use Signal but I'm not sure I can get my chat groups to use something else.

[–] [email protected] 14 points 3 months ago

Signal has a ton of the dependence on proprietary software. You won't find Signal on F-droid.

Best option is Molly foss

[–] [email protected] 10 points 3 months ago* (last edited 3 months ago) (1 children)

I mentioned Molly — Signal fork. It can show notifications via UnifiedPush or websocket.

[–] [email protected] 3 points 3 months ago (2 children)

I just run it in the background. It pulls almost no battery so it is a non issue.

Also getting it to work with Unified push requires extra effort.

[–] [email protected] 1 points 3 months ago

I would do the same but it uses too much battery for me so I had to figure out how to self-host ntfy and mollysocket.

[–] [email protected] 1 points 3 months ago* (last edited 3 months ago)

Yeah, configuring a mollysocket requires at least a little self-hosting knowledge.

[–] [email protected] 14 points 3 months ago

Now this is why I read comments. You're absolutely right and I knew this info and just hadn't put the two together. Thank you. Settings changed.

[–] [email protected] 10 points 3 months ago

That's if they use Google's push notification backend on firebase. FOSS apps from F-droid usually don't.

Tl;Dr install F-droid damnit

[–] [email protected] 7 points 3 months ago* (last edited 3 months ago) (1 children)

Unless you don't have Google or Apple services.

Also I don't think they log the normal Android notification mechanism. (Not push)

[–] [email protected] 2 points 3 months ago

Yeah, if it's a local notification, they're not logging that -- so far as I'm aware at this point in time.

[–] [email protected] 3 points 3 months ago

Molly uses UnifiedPush, so definitely try that. Also, Google may log notifications but they can't read the messages iirc. Maybe they get some metadata idk.

[–] [email protected] 1 points 3 months ago (1 children)

You can also just use a degoogled os which won't be logging your notification content. But in any case you shouldn't have notifications as notifications are exclusive with at-rest encryption (or I guess you could have at-rest encryption but just have the db constantly decrypted whenever your phone is on? Seems to defeat the point then)

[–] [email protected] 1 points 3 months ago* (last edited 3 months ago) (2 children)
[–] [email protected] 7 points 3 months ago* (last edited 3 months ago)

Which DeGoogled OS do you know of that uses their own notification backend?

You don't need one. Just use any degoogled ROM with UnifindPush, as almost every secure messenger support it. If not, notifications can still show up via websocket.

[–] [email protected] 3 points 3 months ago

Presumably any degoogled OS would remove that kind of telemetry—it seems like quite an obvious oversight if they continue to send notification contents to Google's servers? If the suggestion is that it's through a backdoor, then that's the responsibility of the open source community to spot the backdoor in the AOSP.

[–] [email protected] 1 points 3 months ago* (last edited 3 months ago)

Or you can uninstall/disable google services and inatall something like ntfy. Molly-UP (signal fork) supports that.

[–] [email protected] 1 points 3 months ago (1 children)
[–] [email protected] 1 points 3 months ago* (last edited 3 months ago) (1 children)

If you put the notification in unencrypted form, across google's push notification system, it is logged in puretext. I, and everyone else knows, that messages can be encrypted. This was a warning about a very specific thing.

Law enforcement has been doing this to signal users for a while now. The default is to not show the message in a notification, but users keep turning it on, and it uses Google's notification servers. So law enforcement, got access to people's signal messages, by going through Google to get the notification history/logs.

[–] [email protected] 1 points 3 months ago

The push notifications can be encrypted. Threema encrypts them, for one.

[–] [email protected] 1 points 3 months ago (1 children)

Do they also log everything that comes through a private ntfy server? Or just what goes through their notifications?

[–] [email protected] 4 points 3 months ago (1 children)

NTFY uses the same mechanic that they do for push notifications; it keeps an open socket and then just communicates across the socket. So they shouldn't be keeping track of that, so far as I understand the AOSP codebase.

[–] [email protected] 2 points 3 months ago

Cool, that's what I was hoping. I'm perpetually in the "knows enough to be dangerous" category.