Welcome to Incremental Social! Learn more about this project here!
Check out lemmyverse to find more communities to join from here!

I made a spreadsheet that ranks messengers for privacy

I've been working really hard to research and rank messaging apps by their privacy. The more green boxes the better.

I plan to turn PrivacySpreadsheet.com into a place for privacy data on everything from cars to video games. It's all open source too on GitHub.

Not trying to advertise, I just put a lot of time into researching all this, and I want to share it since I think others could benefit.

toastal , (edited )

So contributions require folks create accounts with Microsoft for GitHub? That’s a bit contradictory, but here you are telling folks to raise “Issues” exposing themselves to Microsoft’s ToS & data collection machine. Not to mention all they are doing with Copilot.

UnHidden OP ,

You're not required to contribute. I went with GH because it doesn't require creating a new account on an obscure Git provider, which would kill the chwnces of anyone contributing.

toastal , (edited )

Git provides itself, so forges aren’t even required (the d is distributed version control). Issue trackers don’t need to be attached to the code forge. Even if you like someone else hosting it & an sidecar of integrated bug tracking, it should not require an account with Microsoft if privacy is the end goal—and there’s a host (pun not intend) of other options.

PRISM Break, Calyx live on GitLab (not obscure, supports SSO). Many free software projects like Freedesktop, GNOME, KDE, DivestOS, Briar, Jami self-host the community edition of GitLab. Privacy Tools & Awesome Privacy mirror to Codeberg as well as MS GitHub, presumably to have an escape hatch to the megacorporate bubble & to practice what they preach about privacy. LibreWolf is exclusively Codeberg. Cwtch self-hosts Gitea. Prosody self-hosts its Mercurial server. Choosing not Microsoft GitHub puts you in good company.

If a mailing lists alternative isn’t your thing, Forgefed, federation protocol for software forges, would apply for anyone with a Fediverse account (so Lemmy) could submit issues with Forgejo building it in along with others soon (GitLab expressed interest).

Choosing proprietary tools and services for your free software project ultimately sends a message to downstream developers and users of your project that freedom of all users—developers included—is not a priority.

—Matt Lee, https://www.linuxjournal.com/content/opinion-github-vs-gitlab

UnHidden OP ,

Mailing lists are for old fat unix guys. Who uses email anymore? I can't even remember the last time I opened my inbox, maybe a month ago for a 2FA code?

I'll stick with GitHub because its what I know. If you don't want to use GitHub, then you can still view the spreadsheet, just dont click the GitHub or Datasets links in the fop left.

toastal ,

You’re in a privacy-related space that values keeping data away from the corporations—that’s why your response has a worse ratio. If you don’t want your messaging data with data with Meta or Google, why would you be okay with Microsoft for your code? I like that instead of acknowledging the multitude of options you would have that puts your project in better position for contributor privacy, you chose to attack the one you disliked the most, mailing lists, & dismissed everything else. It’s really not any more difficult to pick up something like Codeberg & the UI loads faster too.

If someone said “WhatsApp is what I know, why should I care about your $MESSAGING_APP?” would you not, like, send them the output of your project to explain how their digital privacy is at risk? Consider building another list comparing code forges & see that you get little extra from MS GitHub being closed, proprietary, centralized, for-profit/publicly-traded, requires accepting Microsoft ToS to create an account, search locked behind auth, slow to load, slow to fix bugs, has outages constantly, locks out all users from Yemen et al. due to US sanctions, plays ball with capitalists (such as following record label demands to take down youtube-dl), pushes ‘social’ features (massive can of worms), tries to monopolize the developer space on the network effect, etc.

sintrenton ,

Not sure, but I couldn't find Tox (https://en.m.wikipedia.org/wiki/Tox_(protocol)) anywhere?

fluffery ,
@fluffery@lemmy.ml avatar

Unmaintained iirc

JustUseMint ,

I'll ask here since it's such a good thread: best FLOSS privacy respecting replacement for discord?

Star ,

There's Revolt (FOSS, functionally the same as Discord but it's centralised) and Matrix (FOSS and decentralised but it's somewhat functionally different than discord). Both have their pros and cons. You can look into them.

JustUseMint ,

Thanks! I've also seen Spacebar formerly FOSScord

toastal , (edited )

Adding to sibling… Discord is used in a couple of different ways at present for communities. If you mean voice coms for gaming or otherwise, Mumble should be in your repository. If it’s more of a of a Slack-like business chat, self-hosted Mattermost is actually pretty nice. If it’s just text chat, IRCv3 & XMPP have that covered & scale massively even on a home PC. If it’s voice calls, Jitsi or Jami can work. If you are posting updates or things that should be forum topics, you shouldn’t be using chat anyways where Mastodon, Misskey, Lemmy, & other Fediverse options or even Atom feeds can suffice. If you want integrated chat, community updates/posts, voice/video calls (unsure if conference calls are support) Movim is a good option--and if you don’t mind the rough UI edges, Libervia can do similar but also integrates a calendar for events. Bear in mind as well that a lot of these technologies can be bridged between one another to avoid some of the lock-in, but I would hesitate to force everyone’s chat to be piped & logged thru Discord’s servers. It’s also not bad to say “we use these 2 services” rather than requiring a kitchen sink communications application.

JustUseMint ,

Very thorough response thanks. This shows me about how many things discord covers, which is a good and bad thing, makes migrating away much more difficult.

toastal ,

Define covers… With something like Mumble for instance, you can host a server (real server, not Discord ’servers“), have low-latency real-time chat with noise cancelation algorithms, directional audio, etc. & it comes with a chat you can use, it’s just not very robust. But there’s also a decent chance your group or whatever isn’t using all of the features & could be happy with IRCv3 & XMPP since you can share text, image, videos. My biggest gripe tho is that some communities use it as a replacement for forums or Atom like you were supposed to read & follow every thread because they want to shoehorn Discord as the one-size-fits-all tool. The other issue is not treating that sort of chat as ephemeral--opting to assume users want or need the entire history (which reminds me that I should do a better job with my bookmarks & note taking than relying on search); but also while the history is ‘permanent’ it’s not publicly accessible in the cases where community decisions should be seen (such as making roadmap for an open source programming language) where those not present for the conversation may have missed it, have trouble referring to it, & the search engines can’t find it since it was locked behind Discord’s walled garden.

In a lot of communities historically & still operate in a manner where important discussions & long-lived threads live on the forums, and real-time chat is treated as social or one-off questions/tips. Operating your community with two different tools here is okay… even a third for say video conferencing if it’s not something you do often, especially if it means one or more cogs in that wheel of communication can be non-proprietary.

Additionally I missed adding mailing lists as an option as well as Zulip for forums/chat.

cypherpunks , (edited )
@cypherpunks@lemmy.ml avatar

This is worthy of a more usable interface than this spreadsheet widget.

It took me a fair bit of scrolling to identify which attributes each of the six purple "N/A" values for SimpleX are, but now that I have I agree they're accurate (though I think there is an argument to be made for just writing a green "no" for each of them).

It is noteworthy that SimpleX is currently the only one of these (currently 34) messengers to not have a single red or yellow cell in its column. well done, @epoberezkin! 😀

edit: istm that SimpleX (along with several other things) getting a "no" in the "can hand IP address to the police" row is not really accurate. SimpleX does better than many things here in that they don't have a lot of other info to give to the police along with the IP, but, if Bob has their phone seized (or remotely compromised) and then the police reading Alice and Bob's messages from Bob's phone want to know Alice's IP address... they can compel a server operator to give it to them. (And it is the same for a user who posts a SimpleX contact link publicly.)

viking ,
@viking@infosec.pub avatar

Briar has even fewer N/As than SimpleX and all greens otherwise. Second column in the table.

cypherpunks , (edited )
@cypherpunks@lemmy.ml avatar

Briar has even fewer N/As than SimpleX and all greens otherwise. Second column in the table.

Briar has a yellow Yes in row 12 ('requires global identity')

https://lemmy.ml/pictrs/image/fb1b9368-9ea5-4863-89d6-fd4e9e3a7d5b.png

... presumably because (if you have one instance of the Briar installed) when you're talking to two different people they can check and confirm you're the same person, while in SimpleX you can create disposable/ephemeral identities for different chats.

I haven't reviewed this thoroughly but I can see that there are a lot of attributes that could be added to this table in regards to metadata protection against various parties, including revealing online presence to servers and contacts (which is a place where briar falls short).

pineapplelover ,

The issue with me is ease of use to use with other people. I've tried Matrix and Session with other tech minded people and it's not nearly as seemless as Signal. I'm just waiting for an app that ticks all my boxes, really looking forward to Signal usernames though.

BlanK0 ,

Signal really is that better replacement for WhatsApp since the functionality is identical, others would have to force people to get used to the different ui and the options.

BearOfaTime ,

Except Signal UI is... Not good. It feels like using a texting app.

Between the UI and dropping SMS support, I can't get anyone to use it anymore, and people I had using it have moved on.

Dropping SMS is really frustrating - it was the big selling point I had.

pineapplelover ,

Huge bummer. Kind of understood why they did it but they lost a lot of people because of this.

ry_ ,

I’m one of those people who thinks SMS has no place in a private messaging app. Signal is the gold standard, and enabling sms merely legitimised this incredibly non private and antiquated messaging protocol.

BearOfaTime ,

And gave a constant reminder to people that something better was right there.

And put things in one place.

You're letting perfect be the enemy of good. At least with SMS support I could get people to switch to "this new texting app", and we'd then have a proper Signal encrypted chat. And when they texted someone else, Signal would append the "you could have encryption too" signature, generating a conversation about it.

The people who moved off of Signal went back to SMS entirely. How is that better?

MrRazamataz ,
@MrRazamataz@lemmy.razbot.xyz avatar

but it is a texting app...

JustEnoughDucks ,
@JustEnoughDucks@feddit.nl avatar

Everyone. Everyone. I mean everyone here misses the biggest plus for WhatsApp compared to pretty much every other messenger. Signal is pretty much the only one as "simple" as it.

We are all too big of privacy geeks to realize what non-tech-savvy people go through with these.

  • Sign up process is dead simple from your phone. It is literally as simple as putting in your phone and PIN. Once you hit the "choosing server" on people using matrix for the first time, you have already lost them. Completely. The exact same thing happened with mastodon and lemmy. People who had no idea about how federation and decentralization were instantly lost

  • Backups: backing up is a process that the users have to do on a lot of matrix clients, or not available. People want to be able to simply move to a new phone by installing the new app, logging in, and being right back with all of your old messages. Even on signal you still have to restore the automatic backup. If you don't have that file, you are screwed. I can't remember if Element will sync your messages automatically to a new device.

Those 2 things and population are literally the only thing that the average person actually cares about outside of other people being available on the platform.

sxan , (edited )
@sxan@midwest.social avatar

I've been using Matrix for years, but now only as a replacement for IRC. The encryption key handling has always been cumbersome and flakey, and too easily broken by users. Not compromised "broken", but locked out "broken." It's been like this for years, and while the UI has improved, it's still too hard for casual users to confidently use; I've given up hope that it'll ever get to a point where I can recommend it to friends who don't give a fuck how it works, and who aren't interested in spending a half hour figuring out how to set things up - they just want it to work. So many encrypted messaging systems have done this correctly, I dispair that Matrix can't (it's a common issue with all clients, so I blame the design of the protocol).

Edit oh, I also wanted to say I'd also been disillusioned with Matrix when I realized I couldn't run my own server. That is, I technically could; I just couldn't afford to. Synapse is a hot mess of a server, but it also just pounds on the CPU and requires massive amounts of disk space (over time). Matrix is designed such that all content for channels joined by any user is replicated to the user's home server. It's a questionable design decison, at best, but a consequence is that regardless of the server software, the storage requirements make running a home server cost prohibative. Compared to, say, running an xmpp server, which could be done effectively on a Pi.

toastal ,

Replicating all chat history + attachments provides a lot of resilience to the network from a node going down, but at the cost preventing to the home lab user from practically hosting a server which just means everything centralizes around Matrix.org, & when anyone on Matrix.org chats with you or your group, that metadata gets synced back to the central hub server once outwardly funded by Israeli intelligence.

toastal , (edited )

I made the mistake of getting my family to switch to Signal. It works great for messaging, but it has other issues—beyond the typical SIM-required complaint. I hate that you have to register with a ‘primary’ device on either iOS or Android fueling that duopoly (SoL if you are on a postmarketOS or KaiOS or Capyloon phone… or just don’t want a internet-capable phone). Notifications are sent thru Google’s FSM (news 1–2 months ago that of course Apple & Google send all the metadata to the feds) & refuse to support UnifiedPush (thank goodness the Molly fork does). They’re also not too happy to support alternative clients meaning you are stuck with the shitty, resource-sucking Electron client while not having a web client or native or TUI client. And the worst cherry on top is shipping those iOS emoji to Android & Linux …eww.

pineapplelover ,

  • Yeah not having it as a default SMS app sucks. Can't really argue with you there. Perhaps, one could make a fork with it?? Just thought of that now.

  • I seriously doubt any encrypted messenger is going to support OS like KaiOS or non internet capable devices.

  • For unified push, just use molly.

  • iOS emojis...I really don't care, Signal devs have other things to worry about.

toastal , (edited )

With an FPGA or special CPU instruction set, the encryption algorithms could run on a toaster—which would give access to whatever low-spec handheld you wanted without making it chug to have strong encryption. That also still isn’t covering the future hope of a Linux phone, or someone that just wants to register an account on their laptop.

Using forks puts stress on other teams to keep up with breaking changes, & 90%+ of folks won’t be looking for forks or be willing to trust their unofficial status. I saw the code for UnifiedPush as a Mattermost plugin & it was like 50 lines or something small which is much less than the rest while allowing users to keep control of their metadata which is a big deal if you care about privacy. A fork for SMS support would encounter similar issues, & now you either need to compete with Molly or copy its featureset otherwise users have to choose, SMS or UnifiedPush. That said, I agree with the SMS situation since it was easy to convince relatives to use this new “text app” where encryption magically came to a chunk of their contact list.

Saying emoji was the most important was tongue-in-cheek, but it makes the application feel non-native (& I think Apple’s emoji are particularly ugly). You would think at least the Google set was shipped to Android, or—now hear me out—not ship emoji, don’t override the user experience, let the user’s fontconfig display the one they set. Shipping a whole font (or images) for emoji is why the application size is so bloated for a chat app.

pineapplelover ,

The first two arguments I get. But the emoji argument about not shipping them at all? Yeah if this is going to be a mainstream and easy to use app then that won't fly. My friends, family, and I all use emojis, gifs, and stickers. I'm sure many people enjoy these things as well. All that bloat.

toastal ,

Are you using a device without an emoji font installed on the system at all? The web works just fine without browsers shipping an emoji font.

Marzanna ,

I think that information for XMPP is inaccurate. I use it for private communication. E2E encryption is on by default in Conversations, messages are removed from a server if MAM is off.

toastal ,

Dino, Gajim turn on OMEMO by default & even the TUI Profanity prominently displays [unencrypted] in red at the top by default nudging you to pick OMEMO, OTR, or PGP for end-to-end encryption. The protocol is generic on purpose & meant to be extended with encryption which in the case of private chat applications, is now defacto. Much in the same way, TLS isn’t required since there are application that don’t require it, but defacto, all guides for setting up a XMPP server for chatting applications will suggest TLS where some servers have options like s2s TLS required or it won’t talk to the other server.

Seems weird that there’s a big, red no even when all the defaults point in the direction yes for human-to-human chat. Much in the same way some values are wrong like apps & servers being open source when there very much are proprietary XMPP servers out there like WhatsApp & Zoom. There’s also a reason Tails OS comes with Dino (or Pidgin) & every dark web guide explains how to connect to XMPP thru Tor + OMEMO/OTR, because it can be secure & anonymous enough for criminals & whistleblowers while being lightweight & decentralized.

rcbrk ,

It's always crickets when the issue of improper poor ranking of XMPP is addressed in these threads..

toastal ,

Everything has to be new & shiny or it’s bad. XML bad, JSON good. /s

JustUseMint ,

Would absolutely add Session, I think it's basically a requirement for this comparison. Great work otherwise

sxan ,
@sxan@midwest.social avatar

Yes, please add Session. Wire is missing, too.

A version of this with usability features would be nice. Some of these I gave earnest tries, with multiple friends who were willing to indulge my interest, and the tools failed for various reasons: too cumbersome, too confusing, too unreliable, too basic. It's a subjective metric, but these are social tools, and to be useful, they have to be usable -- and many simply aren't.

I don't know if it's humorous, but one unexpected thing I discovered was that Wire's and Session's embedded animated GIF finder+inserter is so hugely desireable with my friends, it became an almost minimum requirement. Funny GIFs are immensely popular.

UnHidden OP ,

Session, Wire, and Element are done and will be added later today

sxan ,
@sxan@midwest.social avatar

I just saw Session - thanks!

But now I'm confused. Maybe you could add notes about what some of the rows mean. For example:

  • Upon what is based the "recommended for private comnunication?" Recommended by whom? Under what criteria?
  • Why is Session's voice/video "n/a" when it supports encrypted voice and video calls?
  • Why is running a private server, rated as higher security than distributed, tor-like onion networks? (can self host), and why is Session listed as "no" when anyone can self host routing nodes in the network? This preference for centralized servers over distributed onion networks is particularly baffling for a privacy-focused table.

This is a huge labor. Thanks again for attempting it.

JustUseMint ,

Based

fiercekitten ,

I don’t see Wire listed. Do you plan to add it?

possiblylinux127 ,
@possiblylinux127@lemmy.zip avatar

I don't think wire is the best privacy wise

clever_banana ,
@clever_banana@lemmy.today avatar

Very few dont require a phone numbers, so Wire is def in the top 10

possiblylinux127 ,
@possiblylinux127@lemmy.zip avatar

I think most don't require phone numbers

clever_banana ,
@clever_banana@lemmy.today avatar

Oh boy you're in for a surprise

possiblylinux127 ,
@possiblylinux127@lemmy.zip avatar

Signal is the only one I know that requires a phone number

clever_banana ,
@clever_banana@lemmy.today avatar

WhatsApp, Telegram too.

Oh, and Discord and a bunch of others dont tell you they require phones. Until their ML system false-positives and locks you out of your account until you auth with a phone number.

possiblylinux127 ,
@possiblylinux127@lemmy.zip avatar

Those are proprietary massagers. I though we were talking about secure messaging. When it comes to messages that have a reasonable level of transparency Signal is the only one I know that requires a phone. I'm comparing it to Briar, Simplex chat and Session.

UnHidden OP ,

Yes

cralder ,
@cralder@lemmy.world avatar

Bro put Tinder DMs on the list. Points for being thorough I guess lol.

Jokes aside looks really useful. Good job!

UnHidden OP ,

I forgot Grindr DMs, but you already know that ones gonna be red all the way down lmao

Pls share with friends if you find it useful, I dont accept donations or anything, and it'll never have ads or bullshit.

I'm working on adding more services, but each one takes about 4 hours to research and review.

Jolteon ,

Google's bound to put ads on Google sheets eventually.

UnHidden OP ,

Its not Google Sheets. It was initially generated with the tool because I like the formatting, but its HTML running on Cloudflare Pages. The source code is here

If you see errors or hwve suggestions, please submit an issue on GitHub, they're easier to track than here

Matriks404 ,

That hardly looks like original source code, but more like a HTML dumped from the website.

Or maybe just use used some visual editor to insert tables? I don't believe it's written by hand.

https://lemmy.world/pictrs/image/70bce1b2-798e-4ef1-9399-1f308bf32450.png

MrRazamataz ,
@MrRazamataz@lemmy.razbot.xyz avatar

They said "it was initially generated with the tool [Google Sheets]".

stepanzak ,

And Xbox live

lemmyreader ,

https://divestos.org/pages/messengers

Blackmist ,

And, because I'm not entirely uncynical, does the creator of the spreadsheet work for any of the companies included upon it?

UnHidden OP ,

I have worked for Status in the past, but that has not impacted the review of any apps. The spreadsheet has been reviewed thoroughly by others in the privacy space before I published it, and I encourage everyone to take a look and report any inaccuracies.

The criteria is objective on purpose. Everything on the spreadsheet can be verified for accuracy.

UnHidden OP ,

Status got a recommendation purely because it has proven itself to be resiliant to subpoenas and the cryptography is implemented well.

Nothing is sponsored, and no matter who I work for in the future, it won't impact the results. It's open source on GitHub, and I'm looking for contributors to decentralize control of the spreadsheets.

jbd ,

Nice work. Can you add RCS to the table? https://en.wikipedia.org/wiki/Rich_Communication_Services

BigDanishGuy ,

I came here to suggest that as well. I have contacts who are switching from other platforms to RCS, and I have a hard time figuring out how secure that is.

Cyberflunk ,

RCS is a protocol, not a messenger. Google messages is the only client that implemented it.

Unless you know of any other RCS apps

lemmyreader ,

Apple announced to support it : https://www.eff.org/deeplinks/2024/01/what-apples-promise-support-rcs-means-text-messaging

Blisterexe ,
@Blisterexe@lemmy.zip avatar

It would be great 8f you could make a simpler table that's easier to parse, just to get a quick overview of how each platform stacks up

lemmyreader ,

Looks good, thanks for the hard work!

According to my uBlock Origin your site uses Google fonts which I have blocked. Can you make that more privacy friendly please ?

toastal ,

Public CDNs Are Useless and Dangerous

PrivacyWayFinder ,

Why Session is not recommended for private communication?

UnHidden OP ,

They purposefully removed perfect forward secrecy, which is an important part of preventing future compromise in the chain of messages.

Cyberflunk ,

They explained this, and why it doesn't weaken the stack.

This opinionated ruling about "no PFS,no secure" is questionable judgement

  • All
  • Subscribed
  • Moderated
  • Favorites
  • privacy@lemmy.ml
  • random
  • incremental_games
  • meta
  • All magazines
    •