this post was submitted on 03 Feb 2024
426 points (96.9% liked)

Privacy

32442 readers
604 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

I've been working really hard to research and rank messaging apps by their privacy. The more green boxes the better.

I plan to turn PrivacySpreadsheet.com into a place for privacy data on everything from cars to video games. It's all open source too on GitHub.

Not trying to advertise, I just put a lot of time into researching all this, and I want to share it since I think others could benefit.

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 83 points 10 months ago (2 children)

Bro put Tinder DMs on the list. Points for being thorough I guess lol.

Jokes aside looks really useful. Good job!

[–] [email protected] 50 points 10 months ago (1 children)

I forgot Grindr DMs, but you already know that ones gonna be red all the way down lmao

Pls share with friends if you find it useful, I dont accept donations or anything, and it'll never have ads or bullshit.

I'm working on adding more services, but each one takes about 4 hours to research and review.

[–] [email protected] 7 points 10 months ago (1 children)

Google's bound to put ads on Google sheets eventually.

[–] [email protected] 17 points 10 months ago (2 children)

Its not Google Sheets. It was initially generated with the tool because I like the formatting, but its HTML running on Cloudflare Pages. The source code is here

If you see errors or hwve suggestions, please submit an issue on GitHub, they're easier to track than here

load more comments (2 replies)
load more comments (1 replies)
[–] [email protected] 34 points 10 months ago* (last edited 10 months ago)

The is the messenger matrix from the German blog Kukitz-Blog (it is a blog with a strong focus on privacy and is in my opinion well informed). But no worries, the matrix is also available in English.

Maybe you can take some inspiration from the matrix.

[–] [email protected] 30 points 10 months ago (7 children)

The issue with me is ease of use to use with other people. I've tried Matrix and Session with other tech minded people and it's not nearly as seemless as Signal. I'm just waiting for an app that ticks all my boxes, really looking forward to Signal usernames though.

[–] [email protected] 20 points 10 months ago (6 children)

Signal really is that better replacement for WhatsApp since the functionality is identical, others would have to force people to get used to the different ui and the options.

load more comments (6 replies)
[–] [email protected] 10 points 10 months ago* (last edited 10 months ago) (1 children)

I've been using Matrix for years, but now only as a replacement for IRC. The encryption key handling has always been cumbersome and flakey, and too easily broken by users. Not compromised "broken", but locked out "broken." It's been like this for years, and while the UI has improved, it's still too hard for casual users to confidently use; I've given up hope that it'll ever get to a point where I can recommend it to friends who don't give a fuck how it works, and who aren't interested in spending a half hour figuring out how to set things up - they just want it to work. So many encrypted messaging systems have done this correctly, I dispair that Matrix can't (it's a common issue with all clients, so I blame the design of the protocol).

Edit oh, I also wanted to say I'd also been disillusioned with Matrix when I realized I couldn't run my own server. That is, I technically could; I just couldn't afford to. Synapse is a hot mess of a server, but it also just pounds on the CPU and requires massive amounts of disk space (over time). Matrix is designed such that all content for channels joined by any user is replicated to the user's home server. It's a questionable design decison, at best, but a consequence is that regardless of the server software, the storage requirements make running a home server cost prohibative. Compared to, say, running an xmpp server, which could be done effectively on a Pi.

load more comments (1 replies)
load more comments (5 replies)
[–] [email protected] 25 points 10 months ago* (last edited 10 months ago)

it would be more usable if the left column were locked so you don’t lose it when scrolling horizontally. Same for the top row.

“Email / Phone required for signup” ← these are on two very different levels of intrusiveness.. really needs to split into two rows. And from there, it’s interesting to know whether a phone must be a mobile phone or not. With email, it’s interesting to know if disposable addresses are blocked or not.

Also, for “decentralized network” for #Signal, you simply have “no”. I would change that to “No (Amazon)” to inform people they are feeding Amazon by using Signal.

In fact I suggest also adding a row: “feeds a tech giant” because privacy from tech giants is not the only factor -- some of us trying to live ethically do not want to even feed privacy offending tech giants, such as:

  • Amazon
  • Microsoft
  • Google
  • Cloudflare
  • Apple
  • Facebook

And as someone else pointed out, Delta Chat is missing.

[–] [email protected] 22 points 10 months ago (1 children)

why not put this on Wikipedia? Theres already a great article there that would benefit from this additional data

https://en.m.wikipedia.org/wiki/Comparison_of_cross-platform_instant_messaging_clients

load more comments (1 replies)
[–] [email protected] 21 points 10 months ago (1 children)

Is there a way to lock the left cells while scrolling through the other messengers?

[–] [email protected] 17 points 10 months ago (2 children)

Working on it, hard to do well without JavaScript while maintaining the ease of webpage generation

load more comments (2 replies)
[–] [email protected] 20 points 10 months ago (5 children)

Not that I give a shit, but I can see you potentially catching some flack for listing the USA as an "authoritarian regime" lmfao

[–] [email protected] 40 points 10 months ago

Lets be honest, its not much different from China. They both make social media companies censor, and they both track citizens to predict their likliness of committing a crime in the future.

[–] [email protected] 19 points 10 months ago

Where's the lie?

[–] [email protected] 11 points 10 months ago

They hate him, because he told the truth.

load more comments (1 replies)
[–] [email protected] 17 points 10 months ago (3 children)
load more comments (3 replies)
[–] [email protected] 16 points 10 months ago (1 children)

And, because I'm not entirely uncynical, does the creator of the spreadsheet work for any of the companies included upon it?

[–] [email protected] 11 points 10 months ago (1 children)

I have worked for Status in the past, but that has not impacted the review of any apps. The spreadsheet has been reviewed thoroughly by others in the privacy space before I published it, and I encourage everyone to take a look and report any inaccuracies.

The criteria is objective on purpose. Everything on the spreadsheet can be verified for accuracy.

[–] [email protected] 8 points 10 months ago

Status got a recommendation purely because it has proven itself to be resiliant to subpoenas and the cryptography is implemented well.

Nothing is sponsored, and no matter who I work for in the future, it won't impact the results. It's open source on GitHub, and I'm looking for contributors to decentralize control of the spreadsheets.

[–] [email protected] 15 points 10 months ago (1 children)

who has analyzed the code to determine how sweet new comer SimpleX really is?

[–] [email protected] 10 points 10 months ago

Well, Trail of Bits did more than a year ago

simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html

[–] [email protected] 13 points 10 months ago (1 children)

This is awesome! Is there a way to freeze the first column? Just so you can scroll to the right and see the categories

load more comments (1 replies)
[–] [email protected] 12 points 10 months ago (1 children)

Looks good, thanks for the hard work!

According to my uBlock Origin your site uses Google fonts which I have blocked. Can you make that more privacy friendly please ?

load more comments (1 replies)
[–] [email protected] 12 points 10 months ago* (last edited 10 months ago) (1 children)

Nice work so far! It's a big task, really.

Smart idea hosting on git. Gives it a chance to be maintained and have a history.

Any way to download as a csv/excel file? (I can just copy/paste from the web, but that's imperfect)

load more comments (1 replies)
[–] [email protected] 12 points 10 months ago (1 children)

I noticed that some of these are apps and some are protocols. It makes sense to list the app if the protocol is proprietary, but it's confusing that there can be multiple apps for an open protocol and not all of those apps could feature the same level of privacy.

load more comments (1 replies)
[–] [email protected] 12 points 10 months ago* (last edited 10 months ago) (2 children)

This is worthy of a more usable interface than this spreadsheet widget.

It took me a fair bit of scrolling to identify which attributes each of the six purple "N/A" values for SimpleX are, but now that I have I agree they're accurate (though I think there is an argument to be made for just writing a green "no" for each of them).

It is noteworthy that SimpleX is currently the only one of these (currently 34) messengers to not have a single red or yellow cell in its column. well done, @[email protected]! 😀

edit: istm that SimpleX (along with several other things) getting a "no" in the "can hand IP address to the police" row is not really accurate. SimpleX does better than many things here in that they don't have a lot of other info to give to the police along with the IP, but, if Bob has their phone seized (or remotely compromised) and then the police reading Alice and Bob's messages from Bob's phone want to know Alice's IP address... they can compel a server operator to give it to them. (And it is the same for a user who posts a SimpleX contact link publicly.)

load more comments (2 replies)
[–] [email protected] 9 points 10 months ago (1 children)

I think you left off Session from this list. Based on everything I know, it'll probably come in number 2, or even number 1 if it beats SimpleX.

[–] [email protected] 6 points 10 months ago* (last edited 10 months ago) (3 children)

SimpleX may be one of the best, privacy-wise, but until they implement multi-device support with shared history, it's simply a non-starter. Not being able to access a conversation on both my phone and my computer puts a messaging app near the bottom of any usability list.

SimpleX is close to implementing it; the last time I checked, there was a way to link two devices, but it was exceedingly cumbersome - too difficult to ask a non-tech person to work through - and the history syncing didn't work. If they get that worked out, it'll be a strong contender; I only wish it'd been part of the original design and not a tack-on, as I expect it'll consequently be a major source of bugs for the project.

load more comments (3 replies)
[–] [email protected] 9 points 10 months ago* (last edited 10 months ago) (1 children)

You got some errors for XMPP e2ee: the popular mobile clients all enable it by default, it has perfect forward secrecy and a/v calls are usually also e2ee and of course data is encrypted in transit.

[–] [email protected] 6 points 10 months ago* (last edited 10 months ago)

Yep. Really need to compare the best-practice XMPP clients (e.g. Conversations, Siskin), not half-developed clients more suited to the XMPP landscape of 20 years ago. -- Just as Matrix's ranking in the table is high because only the state-of-the-art clients are considered -- there are plenty of Matrix clients which don't support e2ee, for example.

This list of mistakes isn't exhaustive, but extending from poVoq's mentions, here are some things XMPP(conversations) does actually have positive findings for:

  • End to end encrypted by default [OMEMO]
  • End to end encryption is available [OMEMO]
  • Voice/video calls are end to end encrypted ["calls are always end-to-end encrypted with DTLS-SRTP"]
  • Utilizes Perfect Forward Secrecy [OMEMO]
  • Data is encrypted in transit [TLS and OMEMO]
  • You can verify contacts out of band [https://gultsch.de/trust.html]
  • There has been a third party code audit [2016]
  • Provider can scan for illegal content [If you send content unencrypted, otherwise no different to Matrix/Signal]

I'm not sure there's much differentiation between any apps when it comes to "What can the apps hand to police?"; if the police have physical access to your device and app, they have access to everything you do on that device/app.

[–] [email protected] 8 points 10 months ago (1 children)

I think that information for XMPP is inaccurate. I use it for private communication. E2E encryption is on by default in Conversations, messages are removed from a server if MAM is off.

[–] [email protected] 10 points 10 months ago (2 children)

Dino, Gajim turn on OMEMO by default & even the TUI Profanity prominently displays [unencrypted] in red at the top by default nudging you to pick OMEMO, OTR, or PGP for end-to-end encryption. The protocol is generic on purpose & meant to be extended with encryption which in the case of private chat applications, is now defacto. Much in the same way, TLS isn’t required since there are application that don’t require it, but defacto, all guides for setting up a XMPP server for chatting applications will suggest TLS where some servers have options like s2s TLS required or it won’t talk to the other server.

Seems weird that there’s a big, red no even when all the defaults point in the direction yes for human-to-human chat. Much in the same way some values are wrong like apps & servers being open source when there very much are proprietary XMPP servers out there like WhatsApp & Zoom. There’s also a reason Tails OS comes with Dino (or Pidgin) & every dark web guide explains how to connect to XMPP thru Tor + OMEMO/OTR, because it can be secure & anonymous enough for criminals & whistleblowers while being lightweight & decentralized.

load more comments (2 replies)
[–] [email protected] 8 points 10 months ago

This makes me feel things. Incredible.

[–] [email protected] 8 points 10 months ago* (last edited 10 months ago) (4 children)

So contributions require folks create accounts with Microsoft for GitHub? That’s a bit contradictory, but here you are telling folks to raise “Issues” exposing themselves to Microsoft’s ToS & data collection machine. Not to mention all they are doing with Copilot.

load more comments (4 replies)
[–] [email protected] 7 points 10 months ago (1 children)
load more comments (1 replies)
[–] [email protected] 7 points 10 months ago (4 children)

It's got that telegram is funded by Russia, is that true?

Wikipedia says the opposite.

https://en.m.wikipedia.org/wiki/Telegram_(software)

Telegram was launched in 2013 by the brothers Nikolai and Pavel Durov. Previously, the pair founded the Russian social network VK, which they left in 2014, saying it had been taken over by the government. Pavel sold his remaining stake in VK and left Russia after resisting government pressure.

[–] [email protected] 13 points 10 months ago (1 children)

Telegram was suddenly unblocked in Russia after getting a bunch of money from the Kremlin.

https://www.wired.com/story/the-kremlin-has-entered-the-chat/

The Moscow Times reported that the investments included $75 million from a joint partnership between an Abu Dhabi state fund and a Kremlin sovereign wealth fund.

load more comments (1 replies)
load more comments (3 replies)
[–] [email protected] 7 points 10 months ago

Deltachat?!

[–] [email protected] 6 points 10 months ago (2 children)

The messaging app front I consider to be a long-term stalemate, mainly due to crippling network effects. Another factor is that strange psychology at play when making app decisions, where a person will have page after page of junk apps on their phones, yet utterly balks at the notion of installing a second messenger.

Even if a large actor (say, the EU?) managed to bruteforce some interoperability into being, I wonder whether that would be to the detriment of small apps in terms of undermining (or even eliminating) their privacy protections. I can use the likes of Session or Simplex all day long, but if the other side of the conversation is on a corporate product like Whatsapp... It runs into the same problem as email.

load more comments (2 replies)
load more comments
view more: next ›