- cross-posted to:
- privacy@lemmy.ml
- cross-posted to:
- privacy@lemmy.ml
I’ve been working really hard to research and rank messaging apps by their privacy. The more green boxes the better.
I plan to turn PrivacySpreadsheet.com into a place for privacy data on everything from cars to video games. It’s all open source too on GitHub.
Not trying to advertise, I just put a lot of time into researching all this, and I want to share it since I think others could benefit.
You must log in or register to comment.
The issue with me is ease of use to use with other people. I’ve tried Matrix and Session with other tech minded people and it’s not nearly as seemless as Signal. I’m just waiting for an app that ticks all my boxes, really looking forward to Signal usernames though.
Signal really is that better replacement for WhatsApp since the functionality is identical, others would have to force people to get used to the different ui and the options.
Except Signal UI is… Not good. It feels like using a texting app.
Between the UI and dropping SMS support, I can’t get anyone to use it anymore, and people I had using it have moved on.
Dropping SMS is really frustrating - it was the big selling point I had.
I’m one of those people who thinks SMS has no place in a private messaging app. Signal is the gold standard, and enabling sms merely legitimised this incredibly non private and antiquated messaging protocol.
And gave a constant reminder to people that something better was right there.
And put things in one place.
You’re letting perfect be the enemy of good. At least with SMS support I could get people to switch to “this new texting app”, and we’d then have a proper Signal encrypted chat. And when they texted someone else, Signal would append the “you could have encryption too” signature, generating a conversation about it.
The people who moved off of Signal went back to SMS entirely. How is that better?
Everyone. Everyone. I mean everyone here misses the biggest plus for WhatsApp compared to pretty much every other messenger. Signal is pretty much the only one as “simple” as it.
We are all too big of privacy geeks to realize what non-tech-savvy people go through with these.
-
Sign up process is dead simple from your phone. It is literally as simple as putting in your phone and PIN. Once you hit the “choosing server” on people using matrix for the first time, you have already lost them. Completely. The exact same thing happened with mastodon and lemmy. People who had no idea about how federation and decentralization were instantly lost
-
Backups: backing up is a process that the users have to do on a lot of matrix clients, or not available. People want to be able to simply move to a new phone by installing the new app, logging in, and being right back with all of your old messages. Even on signal you still have to restore the automatic backup. If you don’t have that file, you are screwed. I can’t remember if Element will sync your messages automatically to a new device.
Those 2 things and population are literally the only thing that the average person actually cares about outside of other people being available on the platform.
-
it would be more usable if the left column were locked so you don’t lose it when scrolling horizontally. Same for the top row.
“Email / Phone required for signup” ← these are on two very different levels of intrusiveness… really needs to split into two rows. And from there, it’s interesting to know whether a phone must be a mobile phone or not. With email, it’s interesting to know if disposable addresses are blocked or not.
Also, for “decentralized network” for #Signal, you simply have “no”. I would change that to “No (Amazon)” to inform people they are feeding Amazon by using Signal.
In fact I suggest also adding a row: “feeds a tech giant” because privacy from tech giants is not the only factor – some of us trying to live ethically do not want to even feed privacy offending tech giants, such as:
- Amazon
- Microsoft
- Cloudflare
- Apple
And as someone else pointed out, Delta Chat is missing.
Bro put Tinder DMs on the list. Points for being thorough I guess lol.
Jokes aside looks really useful. Good job!
I forgot Grindr DMs, but you already know that ones gonna be red all the way down lmao
Pls share with friends if you find it useful, I dont accept donations or anything, and it’ll never have ads or bullshit.
I’m working on adding more services, but each one takes about 4 hours to research and review.
Google’s bound to put ads on Google sheets eventually.
Its not Google Sheets. It was initially generated with the tool because I like the formatting, but its HTML running on Cloudflare Pages. The source code is here
If you see errors or hwve suggestions, please submit an issue on GitHub, they’re easier to track than here
That hardly looks like original source code, but more like a HTML dumped from the website.
Or maybe just use used some visual editor to insert tables? I don’t believe it’s written by hand.
They said “it was initially generated with the tool [Google Sheets]”.
Nice work. Can you add RCS to the table? https://en.wikipedia.org/wiki/Rich_Communication_Services
RCS is a protocol, not a messenger. Google messages is the only client that implemented it.
Unless you know of any other RCS apps
Apple announced to support it : https://www.eff.org/deeplinks/2024/01/what-apples-promise-support-rcs-means-text-messaging
So contributions require folks create accounts with Microsoft for GitHub? That’s a bit contradictory, but here you are telling folks to raise “Issues” exposing themselves to Microsoft’s ToS & data collection machine. Not to mention all they are doing with Copilot.
You’re not required to contribute. I went with GH because it doesn’t require creating a new account on an obscure Git provider, which would kill the chwnces of anyone contributing.
Git provides itself, so forges aren’t even required (the d is distributed version control). Issue trackers don’t need to be attached to the code forge. Even if you like someone else hosting it & an sidecar of integrated bug tracking, it should not require an account with Microsoft if privacy is the end goal—and there’s a host (pun not intend) of other options.
PRISM Break, Calyx live on GitLab (not obscure, supports SSO). Many free software projects like Freedesktop, GNOME, KDE, DivestOS, Briar, Jami self-host the community edition of GitLab. Privacy Tools & Awesome Privacy mirror to Codeberg as well as MS GitHub, presumably to have an escape hatch to the megacorporate bubble & to practice what they preach about privacy. LibreWolf is exclusively Codeberg. Cwtch self-hosts Gitea. Prosody self-hosts its Mercurial server. Choosing not Microsoft GitHub puts you in good company.
If a mailing lists alternative isn’t your thing, Forgefed, federation protocol for software forges, would apply for anyone with a Fediverse account (so Lemmy) could submit issues with Forgejo building it in along with others soon (GitLab expressed interest).
Choosing proprietary tools and services for your free software project ultimately sends a message to downstream developers and users of your project that freedom of all users—developers included—is not a priority.
—Matt Lee, https://www.linuxjournal.com/content/opinion-github-vs-gitlab
Mailing lists are for old fat unix guys. Who uses email anymore? I can’t even remember the last time I opened my inbox, maybe a month ago for a 2FA code?
I’ll stick with GitHub because its what I know. If you don’t want to use GitHub, then you can still view the spreadsheet, just dont click the GitHub or Datasets links in the fop left.
You’re in a privacy-related space that values keeping data away from the corporations—that’s why your response has a worse ratio. If you don’t want your messaging data with data with Meta or Google, why would you be okay with Microsoft for your code? I like that instead of acknowledging the multitude of options you would have that puts your project in better position for contributor privacy, you chose to attack the one you disliked the most, mailing lists, & dismissed everything else. It’s really not any more difficult to pick up something like Codeberg & the UI loads faster too.
If someone said “WhatsApp is what I know, why should I care about your $MESSAGING_APP?” would you not, like, send them the output of your project to explain how their digital privacy is at risk? Consider building another list comparing code forges & see that you get little extra from MS GitHub being closed, proprietary, centralized, for-profit/publicly-traded, requires accepting Microsoft ToS to create an account, search locked behind auth, slow to load, slow to fix bugs, has outages constantly, locks out all users from Yemen et al. due to US sanctions, plays ball with capitalists (such as following record label demands to take down
youtube-dl), pushes ‘social’ features (massive can of worms), tries to monopolize the developer space on the network effect, etc.
I think that information for XMPP is inaccurate. I use it for private communication. E2E encryption is on by default in Conversations, messages are removed from a server if MAM is off.
Dino, Gajim turn on OMEMO by default & even the TUI Profanity prominently displays
[]in red at the top by default nudging you to pick OMEMO, OTR, or PGP for end-to-end encryption. The protocol is generic on purpose & meant to be extended with encryption which in the case of private chat applications, is now defacto. Much in the same way, TLS isn’t required since there are application that don’t require it, but defacto, all guides for setting up a XMPP server for chatting applications will suggest TLS where some servers have options like s2s TLS required or it won’t talk to the other server.Seems weird that there’s a big, red no even when all the defaults point in the direction yes for human-to-human chat. Much in the same way some values are wrong like apps & servers being open source when there very much are proprietary XMPP servers out there like WhatsApp & Zoom. There’s also a reason Tails OS comes with Dino (or Pidgin) & every dark web guide explains how to connect to XMPP thru Tor + OMEMO/OTR, because it can be secure & anonymous enough for criminals & whistleblowers while being lightweight & decentralized.
It’s always crickets when the issue of improper poor ranking of XMPP is addressed in these threads…
Everything has to be new & shiny or it’s bad. XML bad, JSON good. /s
You got some errors for XMPP e2ee: the popular mobile clients all enable it by default, it has perfect forward secrecy and a/v calls are usually also e2ee and of course data is encrypted in transit.
Yep. Really need to compare the best-practice XMPP clients (e.g. Conversations, Siskin), not half-developed clients more suited to the XMPP landscape of 20 years ago. – Just as Matrix’s ranking in the table is high because only the state-of-the-art clients are considered – there are plenty of Matrix clients which don’t support e2ee, for example.
This list of mistakes isn’t exhaustive, but extending from poVoq’s mentions, here are some things XMPP(conversations) does actually have positive findings for:
- End to end encrypted by default [OMEMO]
- End to end encryption is available [OMEMO]
- Voice/video calls are end to end encrypted [“calls are always end-to-end encrypted with DTLS-SRTP”]
- Utilizes Perfect Forward Secrecy [OMEMO]
- Data is encrypted in transit [TLS and OMEMO]
- You can verify contacts out of band [https://gultsch.de/trust.html]
- There has been a third party code audit [2016]
- Provider can scan for illegal content [If you send content unencrypted, otherwise no different to Matrix/Signal]
I’m not sure there’s much differentiation between any apps when it comes to “What can the apps hand to police?”; if the police have physical access to your device and app, they have access to everything you do on that device/app.
It’s got that telegram is funded by Russia, is that true?
Wikipedia says the opposite.
https://en.m.wikipedia.org/wiki/Telegram_(software)
Telegram was launched in 2013 by the brothers Nikolai and Pavel Durov. Previously, the pair founded the Russian social network VK, which they left in 2014, saying it had been taken over by the government. Pavel sold his remaining stake in VK and left Russia after resisting government pressure.
Telegram was suddenly unblocked in Russia after getting a bunch of money from the Kremlin.
https://www.wired.com/story/the-kremlin-has-entered-the-chat/
The Moscow Times reported that the investments included $75 million from a joint partnership between an Abu Dhabi state fund and a Kremlin sovereign wealth fund.
Not that I give a shit, but I can see you potentially catching some flack for listing the USA as an “authoritarian regime” lmfao
Lets be honest, its not much different from China. They both make social media companies censor, and they both track citizens to predict their likliness of committing a crime in the future.
Where’s the lie?
Removed by mod
I wouldn’t say worse than China, but I’d say they’re both equal, in their own way.
It’s the nature of state politics and security. I’d bet even money every government on the planet is equally bad, up to the resources they have at their disposal.
Remember, all governments are collections of individuals, and individuals range in their morality.
Certain types are attracted to certain opportunities…like the power of government.
