Eric K3FNB (they/them)
@SrRochardBunson @VeroniqueB99 Delta Chat is based on email which leaks metadata like a sieve.
I would not use it for any kind of activivism. You're one warrant away from having your entire social graph mapped out.
The contents might be end to end encrypted but who you're talking to isn't and all those people are susceptible to rubber hose decryption.
feld
adb
@k3fnb just because #DeltaChat uses the email protocol you are making some wrong assumptions that only apply to classic email, sure if you go doing activism using #gmail that is not safe, but to use Delta Chat, you don't need to provide ANY personal data / metadata and hence can't leak metadata, you can create an anonymous account for a protest and throw it away afterwards, if cops get your phone they get random contacts not phone numbers unlike in #Signal etc.
feld
Andromxda 🇺🇦🇵🇸🇹🇼
@adbenitez Yes, that is my opinion. But I think it's pretty unrealistic to believe that people are just gonna abandon their habit of using phone numbers as identifiers for messaging apps. I don't like it either, but you can't build a messenger for yourself, other people actually need to use it, in order for it to be useful.
There's a reason why Signal is by far the most popular private messenger.
feld
Andromxda 🇺🇦🇵🇸🇹🇼
@adbenitez This is just not the way people typically use messengers. Everybody is used to using their phone number as an identifier for whatever messaging solution (SMS, WhatsApp, iMessage, etc.). It's a much better idea to just use a messenger with sufficient metadata protection. No Matrix, and nothing based on email then. @signalapp and @simplex are probably the best solutions.
if cops get your phone
I hope you're using a secure phone then. #GrapheneOS has stood really well against forensic companies like Cellebrite. https://grapheneos.social/@GrapheneOS/112826160880324005
You can also use the @mollyim client for Signal to encrypt your message database, which on modern devices is also tied to the hardware keystore. https://github.com/mollyim/mollyim-android/wiki/Data-Encryption-At-Rest
adb
> "It's a much better idea to just use a messenger with sufficient metadata protection"
this is your very own opinion, mine is that it is better not to require phone numbers or SIM cards, often tied to personal ID card or passport in some countries. An app requiring ZERO personal data is better.
feld
feld
adb
@feld another point people miss: unlike on #Signal, #WhatsApp, #Telegram, etc where there is a central server watching all the social graphs of the whole network, in #DeltaChat and other decentralized platforms like #XMPP what a server can see is pretty limited and fragmented, We started talking about activists btw, and having the freedom to choose a server instead a central server potentially collaborating with your enemy is a killer feature
👊🇺🇸🔥
@adbenitez @feld @k3fnb @VeroniqueB99 @SrRochardBunson Signal doesn't "track social graphs" because it can't: https://signal.org/bigbrother/
Eric K3FNB (they/them)
@feld @Avitus @VeroniqueB99 @adbenitez @SrRochardBunson
Looking at the server side code, Signal stores the phone number with the account id.
So if the cops were able to decrypt my phone app's database, enumerate all the account ids in my Signal's contacts/messages, they could submit a warrent to Signal a gain access to all the phone numbers associated with those account ids.
The phone number has been my biggest complaint about Signal.
feld
Eric K3FNB (they/them)
@feld @Avitus @VeroniqueB99 @adbenitez @SrRochardBunson
Now, if the cops got ahold of my phone's DeltaChat messages, they would be able to build a graph of what email addresses I've been talking to, but they'd have a hard time mapping those to real world identities, especially if they're pseudonymous chatmail addresses.
feld
Alan
I know that each Chatmail deployment has its own setup, but I never read anything about idle accounts being deleted with other Chatmail deployments, unless the user intentionally sign out. I'm sure you have a reason to do this for your deployment, but I can't think of a compelling security reason to delete a signed in account just because it is inactive.
feld
Alan
For an account to be completely abandoned (no logins), the user needs to log out first, by deleting the account from inside the Delta Chat app, right?
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.