HistoPol (#HP)

@smallcircles

Friendly reminder:

People, stop using #Meta, #Google, and other #BigTech Apps that make YOU the product!

There are already so many right-wing governments.

You compromise your current or at least future security (e.g. profiling using LLMs.)

Use #Threema or #Signal instead.

#DeleteWhatsApp
#DeleteThreads
#DeleteFacebook
#DeleteInstagram
#DeleteTwitter
#DeleteTikTok
#DeGoogle your Android phone

Data collection comparison of messenger services (found on the web):

Comparison of data security and information gathered per messenger app: #Threema, #Signal, #Telegram, #Whatsapp.

60 comments
DELETED

@HistoPol

These applications are executed by electronic components. Do electronic components from Intel, ARM and Nvidia provide complete telemetry of our activities?

Yes, these corporations are legally obliged to spy on us.

What else can I say?

@smallcircles

Pusher Of Pixels

@benjamin @HistoPol @smallcircles

yeah, it's just about limiting data really - not true privacy. If you have a mobile data installed chip it's basically always pinging towers. A wifi only tablet with gps (again assuming it's not using towers for this) and pre-loaded data is about the only way to be 'untracked' while using a device out n about.

HistoPol (#HP)

@pixelpusher220

Ah, I thought so. And I assume, you'd be using a TOR browser or at least a VPN on top of that?

I assume going into flight mode and then only switching on the WiFi will not do the trick?

And/or the WiFi must be public and not at home or in your company?

@benjamin @smallcircles

Pusher Of Pixels

@HistoPol @benjamin @smallcircles

I'm definitely not an expert. But if you have a device that 'can' connect to the mobile network...and you don't have a physical off switch, can you really trust that it's off? depends on the jib of your tinfoil hat :) Next level, even with a physical switch, do you trust that switch? etc. it's a rabbit hole of 87 layers of tech between you and actual privacy.

The only 'sure' method is to not bring along any device with such capability...or any device to be truly sure.

And even then...

There was a story of a guy who hacked his EZ Pass to play a cow sound when it was scanned. Turns out NYC was using the devices to track traffic all over Manhattan entirely not for toll uses. nbcnewyork.com/news/local/e-zp

Is it 'identifiable' to you? kinda, but they'd need to link up a few data sources.

Etc. now imagine they could do the same thing with. your. tires.

innotechtoday.com/3-ways-rfid-

Privacy is elusive...

eddynamite

@HistoPol @smallcircles @session I would say @briar, but there aren't many people on the app. Otherwise there is a free-software advocates' site that is pretty good: wikilibriste.fr/debutant/logic

Derek Salmon [Pikselkraft]

@eddynamite1969 @HistoPol @smallcircles @session @briar as for Briar, the app really has a specific use (journalism, protests, offline); for everyday communication it is better to look for an alternative, because Briar unfortunately uses a lot of battery :-(
On wikilibriste there are quite a few other apps to try, but there still aren't many people on them.

eddynamite

@pikselkraft @HistoPol @smallcircles @session @briar the problem is that most people don't want to bother. They buy phones with everything pre-installed. An alternative like @murena is a good solution. No tinkering required.

Derek Salmon [Pikselkraft]

@eddynamite1969 @HistoPol @smallcircles @session @briar @murena I agree, the technical solutions exist and are becoming more and more accessible. What is needed is more a matter of popular education.
@murena is really a good solution. I have been using it for a while without any problems.

till

@HistoPol@mastodon.social @smallcircles@social.coop I've heard, that Wire is supposed to be a better alternative, than Signal. Unfortunately, it seems not well known enough, to pop up in most comparisons...

ian

@HistoPol @smallcircles
With Telegram you don't have to share your phone number or contacts. And you have no user name/ID unless you choose to create one. As that is useful to share 'instead' of your phone number.

HistoPol (#HP)

@ianp5a

Thanks for sharing your experiences.
I tried installing #Telegram a longer time ago.

I did not finish.
I see no way to avoid providing a phone number.

See screenshot.

@smallcircles

ian

@HistoPol @smallcircles
Right. What the privacy minded people do is enter a scrap number, just to get the code. Some install the app called Text Free and receive the code there. Once in, they create an optional user name to share just with those they want to.
Also, go to settings and switch off "Share Contacts" if you don't want that.

HistoPol (#HP)

@ianp5a

Registering for #Telegram (and maybe #Signal?)

ah, yes, good point!

Now I remember. On that day, I wasted about 2 hours trying to find a page which would provide a scrap phone number. All were either already known and blocked or did not work out. So I stopped trying.

@smallcircles

Skolliagh

@HistoPol @smallcircles There's the French equivalent of Threema called Olvid that could be a good suggestion.

But I'm looking into Databag that seems a step further because Threema and Olvid still rely on third-party servers while Databag, I can host it myself.

ilyess

@HistoPol How is profiling done using LLMs? I’m assuming you’re referring to Large Language Models here.

@smallcircles

HistoPol (#HP)

@ilyess

Yes.
It's been a while since I read about it. E.g. screen scraping from social-media sites as one source.

@smallcircles

Distopico

@HistoPol
@smallcircles
Not sure about #Threema, but #Signal is a centralized service that uses the Google API and doesn't allow redistributing/publishing in free services such as #FDroid. What about #XMPP or #Matrix?

CC

@distopico @HistoPol @smallcircles
#Threema has an f-droid repo:
threema.ch/en/faq/libre_instal
Actually one of the few projects taking advantage of the fact that f-droid is built to be #decentralised

Distopico

@kino @HistoPol @smallcircles reading about it, Threema is similar to Signal in that the server is closed source and not #decentralized / #federated like #XMPP or #Matrix

CC

@distopico @HistoPol @smallcircles
Yeah, Threema's business model is to provide the network (and the server code) as a paid service. So given that, It is not clear under what kind of open source license they could publish the server code. Once their network was big enough, supposedly they could say, yeah.. here's the code, go ahead and try to compete with us. But some of their bigger business clients might choose to run their own server.

CC

@distopico @HistoPol @smallcircles
At this point I'm not taking the open source == good (just coz) argument at face value anymore. The future of Matrix always seems somehow, em.. unconfirmed? An interesting project. I wonder where it will go. There's been a LOT of VC funding up to now, one might assume some return is expected at some point. Maybe not though. I've run jabber servers in the past, I still have one, but federated XMPP just somehow can't seem to take hold outside of its own niche.

Distopico

@kino @HistoPol @smallcircles well, closed source/private != privacy; you cannot own your data on your own server, you can't audit the code, so you don't know what they do with your data

CC

@distopico @HistoPol @smallcircles In general I find that false dichotomies don't help here. "Audited" code is overrated. (History has already absolved me) It may even lure into the false sense of security trap.
But yes, 95% or so of the time, if it is a question of data integrity/security, and you have the time and skill to do analysis, you're probably better off with FOSS. You might also choose to trust other people, which is what a code audit is, no?

Distopico

@kino @HistoPol @smallcircles so instead of trusting many tech people that audit the code, we should trust what one company behind those servers said? With XMPP you can choose among several servers, some of those with social activists behind them, such as disroot, or use your own server

CC

@distopico @HistoPol @smallcircles
Rather than trying to lock down options, everybody has to find what "works" for them. There are no absolute correct choices here. For some, a good option may be no tech IM style comms at all. For others, maybe getting a genuine personal recommendation of trustworthiness from someone you trust might be worth more than "some hacker bros said it was all good." Not saying this is or is not the case with Threema. :-)

HistoPol (#HP)

@kino

(1/2)

Thank you for your well-thought comment based on your vast experience.

I tend to disagree with your overall conclusion, though:

"There are no absolute correct choices here." Maybe. But we presently have "one size fits all", at least in the West, and that is #WhatsApp.
In the face of the rise of fascism and the surveillance state a maximum number of people must move to...

@distopico @smallcircles

HistoPol (#HP) replied to HistoPol

@kino @distopico @smallcircles

(2/3)

...alternative messengers. They cannot indict everyone. This will protect the minorities (persecuted by the NS,) that direly need this protection.

I can see that many people might yet opt for even more security. But in this case, maybe even 3rd best would be way better than sticking with data kraken #Meta.

For instance, #Mastodon is definitely not the best solution for everyone. But yet, it has...

HistoPol (#HP) replied to HistoPol

@kino @distopico @smallcircles

(3/4)

...become the biggest non-corporate competitor.

I think the challenge is finding the smallest common denominator and then promoting that (except for specialists like infosec, who can easily manage 2 or more messengers.)

This is not about convenience anymore. This is information warfare preparation. Looking at what happened in the countries of the former Arab Spring or Iran and in particular to Russia and...

HistoPol (#HP) replied to HistoPol

@kino @distopico @smallcircles

(4/5)

...foremost China gives a pretty clear picture how this might turn really ugly.

The foremost global market square of ideas, #Twitter, is already lost. It had played a vital role in the Arab Spring.

For instance, #Telegram might be #freemium software, distributed and all, but its operational servers are in the #UAE, an autocratic state, where you'd better not...

HistoPol (#HP) replied to HistoPol

@kino @distopico @smallcircles

(5/5)

... be involved in a serious car accident with a local as a foreigner.

In short, I think the choices would be very limited, if the criteria I mentioned earlier were applied.

//

Distopico replied to HistoPol

@HistoPol @kino @smallcircles it is not limited, it is just the basic requirement; you don't have privacy if you don't have transparency, and you can't have transparency with closed/privative software

So for a WhatsApp replacement the base requirements should be

- Free software client/server
- Federated/decentralized
- Allow self hosting, so if you don't like X location of the server you can use your own server in the location of your preference
- Support e2e encryption, ideally by default and required

Distopico replied to HistoPol

@HistoPol @kino @smallcircles that is one of my points: why, if we have XMPP and Matrix, do we want to promote more options? That makes it pretty hard for the end user to choose one of those: XMPP, Matrix, SimpleXChat, Jam, DeltaXChat and Signal, Threema, these last two with closed/restrictive parts. I prefer to promote the others that respect the user's freedom and privacy and have similar features: privacy/e2e encryption, video/calls + federation/decentralized, transparency etc.

CC

@distopico @HistoPol @smallcircles
Also, in my contacts there are precisely 2 people who use threema, and maybe 3 who are regularly connected to XMPP, with a few more not so regularly connected. I and others have been playing this find the best network game for literally decades, I think I started with ICQ, but I guess I was also using IRC that time. The latest being Wire and Matrix. I'm bored telling people to move to the latest cool IM space.

JM Horner :blobcatcowboy:

@HistoPol @smallcircles

Would XMPP and Jitsi be blank if they were added to that chart?

HistoPol (#HP)

@jmhorner

Excellent questions.

As I had offered, if someone in-the-know provides the data, I am very willing to recreate the image with more columns and solutions and/or pros/cons.

@smallcircles

JM Horner :blobcatcowboy:

@HistoPol @smallcircles

Sweet! :-) For those who do not know, XMPP is a protocol (similar to the ActivityPub protocol being used by various fediverse services) that has many client applications. I can't think of any proprietary clients, though one or more may exist somewhere. XMPP actually spawned from Jabber (the protocol Google Talk originally used), and it is generally used for instant messaging style communications. It has the ability to include media, and can be end-to-end encrypted with [most commonly] OTR, OMEMO, or PGP.

Jitsi on the other hand is a little more complicated, and in fact includes some XMPP interoperability. It has video conferencing services similar to what you might find in Teams or Zoom. It is open source, and can support end-to-end encryption when using a Chromium based browser.

Both XMPP and Jitsi servers may or may not log IP addresses in the same way a web server like Apache or NGINX does. Though I imagine if that were added to the list for them, it would need to be added to the list for all of the others as well. Unique identifiers such as email address and phone number are simply not required for using either, and I am not aware of any XMPP or Jitsi services that have any advertising.

Thanks for making the chart and if you have any other questions, do please let me know. :-)

Martin Be

@HistoPol @smallcircles You can't use original Signal on the degoogled devices due to the "hardcoded" google-services dependencies in the app code.
Okay, there are some modded Signal versions with google crap removed, but still that's a "third-party" work - you can't be sure of what exactly is in the code inside. There's no warranty that someone hasn't compromised the app code. We have a few good examples of trojanised apps in the Samsung and Huawei stores with over a million counted downloads.

HistoPol (#HP)

@MartinBe

Thanks for pointing this out.
An alternative app must run on Android and Apple to be acceptable, non-exclusive for the general public.
For me, not fond of the #RottenApple and its data practices and lock-in policies, #Signal will not be a solution in its current version, then.

I think I read that #Threema doesn't suffer from this issue?

@smallcircles

Gorky

@HistoPol @MartinBe
Signal does provide an APK directly downloadable on their website. You can get it here: https://signal.org/android/apk/
This version auto-updates without depending on the Google Play Store and looks like it is the version used by people on degoogled phones.
I have personally not tried it though.
The other option is using the Signal fork Molly (https://molly.im). The version named molly-foss is what you will need.

Martin Be

@HistoPol @smallcircles To be honest, I have no idea if Threema will work. I haven't used Android for a few years now. Btw, is this app open source or not?
I think a better solution in such a case could be Session, SimpleX, or something similar to them both. They can be used normally on, for example, SailfishOS with the Android API enabled. They also have CLI and desktop versions as well for many operating systems.

CC

@MartinBe @HistoPol @smallcircles
Threema "works", if you mean technically. yes. There is also a desktop client.
The app source code is available: (unfortunately on github) github.com/threema-ch/threema-

As to whether it "works" socially, there is an extra barrier to trying to move your network there, which is that each user has to buy a license (for less than the price of a beer in many countries) and this seems to be a huge barrier for most people who prefer their chat apps to be "free" 😉

cherti

@MartinBe @HistoPol That's strange, because for me original Signal runs flawlessly on a degoogled device... 🤔

Martin Be

@cherti @HistoPol Original means the default one, the package that is always released first to the Google Play store. This one won't work, because it relies on the gms (google mobile services), gps (google play services), gns (google notification system/services) and firebase.
They provide now an app variant without those things but it is mentioned for HMS enabled devices like Huawei, Zte etc. Yes, it can be installed on the other devices but you won't have all features of the standard one app.

cherti

@MartinBe @HistoPol

well, if you refer to the "original one" as the one distributed via Google Play, then it is kinda unsurprising that this specific version depends on Google Play.

If you don't have GPlay, you have the alternative method.

I have also heard that both APKs are actually completely identical (including autoupdate), even though I haven't checked that myself.

Either way, I feel that the term "original" in this conversation is used primarily to be able to be antagonistic...

CC

@MartinBe @HistoPol @smallcircles
I'm no fan of signal, but this is somewhat outdated and inaccurate. Despite that for all moxie's f-ed up reasons, they do their best to hide it from you, the APK that runs without g deps is available: signal.org/android/apk

Morgan

@HistoPol for communications apps that's easier said than done. If I use only good open source products to communicate, I can't communicate with pretty much anyone I know offline

HistoPol (#HP)

@raphaelmorgan
(1/2)
No, I know. That is why I don't say this lightly.

The only really safe form of communication is to meet in person at a remote space (no wires;),) as an infosec contact pointed out some months ago.

It is always a trade off.
However, with the FBI getting relatively easy access (see my TL) to any US based server and with the increasing overreach of local law enforcement, the server location is as important as the organization behind it.
This pretty much eliminates most...

HistoPol (#HP)

@raphaelmorgan

(2/3)

...US based services. Of course, China and Russia are even worse (see my TL.)

That said, I'd like to reach a consensus, which of the apps, and there is an interesting French librarian post here that has more alternatives, is the best option for most that are willing to invest the 5 bucks (if necessary)and a bit of time, but are no techies and want to include their non-tech savvy family and friends.

I guess hardly anybody will have a smartphone that is not connected to..

HistoPol (#HP)

@raphaelmorgan

(3/4)

...a playstore. Yes, paying with a credit card or mobile payment like PayPal or ApplePay is a traceable action. Having the app might be an issue in some countries and might become one, if the French justice ministry gets its way (all e2ee is suspicious--see TL,) but what kind of world will we be living in, if owning an e2ee messenger app becomes illegal?

And then, the way I understand it, #Threema never gets your phone number. If you use TOR or VPN, I don't see much...

HistoPol (#HP)

@raphaelmorgan

(4/5)

...potential for security breaches. Of course, if you have the tools of the intelligence services at hand, there is no really secure form for non-infosec people.
But this cannot be the yardstick.

Yes, the weak link might be the payment, but other than what I wrote, did I miss anything essential?

If not, this might be a solution for many people.

Most anything is better than WhatsApp in this regard. Meta cooperates best with US law enforcement and has the worst...

HistoPol (#HP)

@raphaelmorgan

(5/5)

...type of leaks (#CambridgeAnalyticaSummit, ) probably apart from post-Dorsey #Twitter (#X,) soon to become the "everything app," like the state-surveillance tool #WeChat, if #Elmo continues to have his way and people are stupid enough to follow him down that rabbit hole (#TESCREAL.)
But this goes way beyond this convo.

//

Greenbirder

@HistoPol @smallcircles
I’d like to use a messenger other than WhatsApp but it’s hard enough to persuade the people I interact with to open accounts with it - as for telegram and the others, forget it. Not a single person I have told about these is interested or can be bothered. They can be as private and secure as you like but if nobody is installing their apps what is the point.

HistoPol (#HP)

@Greenbirder

LOL
I would not open a WhatsApp account, even if you tried to bribe me. 😉 --No-no-go.

Well, it depends a bit on the sway you have, e.g. if you manage the IT of a small business or a larger part of your family/relatives. Those that don't like it have to use SMS or Mastodon or call me.
It is a hard start I agree.
The solution should
run on iOS/Android, PC/Mac if possible.
install easily or be gifted
have a look-and-feel like WhatsApp
Not use native services...

@smallcircles

HistoPol (#HP)

@Greenbirder @smallcircles

(2/2)

...then, it can be pushed in your surroundings.

It is, as we all know, a network effect.
However, the more warrants and seizures or leak of Meta data (#CambridgeAnalyticaSummit) become public knowledge, the more I see the willingness to switch.
Also, many people in many countries are afraid of right-wing government takeovers. This, in combination with #ChatControll discussions in the #EU, in particular #France, will provide possibilities.

Greenbirder

@HistoPol @smallcircles
That might work in an organisation but I am in an organisation, I just exchange messages with friends and colleagues in a considerable number of countries. The universal response is “let’s just use email” - failing that then text if we really must - a few use What’sApp and the rest simply are not interested (“what’s wrong with email”). And what is wrong with email - it’s a good question.

dinosauce

@HistoPol @smallcircles the main problem with this approach is that WhatsApp is so baked within the population that it's hard to disentangle someone from those in a viable way.

HistoPol (#HP)

@dinosauce

Yes, you need to start two-tiered if you have this lock-in (I live without it) and small:

I touched on this here:

mastodon.social/@HistoPol/1110

and here:

mastodon.social/@HistoPol/1110

And some place else that the UX must be like WhatsApp, easy to install, free or be able to be gifted, etc.

@smallcircles
