Rambling: Security vs. Standards

2021-01-07

On many privacy-oriented communities, you'll see people advocating for Signal, a chat service, praising how secure it is, while not seeming to realize it's yet another walled garden with a single central server, and with developers actively discouraging alternative clients AND distribution of their own clients outside the walled gardens of other big tech corporations. (in the name of security)

Moxie of Signal: I understand that federation and defined protocols that third parties can develop clients for are great and important ideas, but unfortunately they no longer have a place in the modern world.

Moxie: let me provide a little color on why I've been reluctant to distribute APKs outside of Google Play.

The safest and easiest way to install Signal for Android is through the Google Play Store. Advanced users with special needs can download the Signal APK directly. Most users should not do this under normal circumstances.

Both of these are solveable problems, yet Moxie (and most likely the rest of the team at Signal) seem to not care about it, pushing people towards the proprietary silos of Google and Apple by discouraging downloading Signal outside their stores, and locking in the most important part of a chatting application (the people) to themselves, while throwing some code on GitHub every once in a while to be able to call themselves "open".

(Oh also, the Signal APK you get is not completely "open". The Signal team seem perfectly fine with using proprietary libraries.)

. . .

You'll see people advocating for Tutanota, an e-mail service, while not seeming to realize they don't care about mail standards one bit, and have intentionally NOT been supporting IMAP, SMTP, or any kind of communication protocol that isn't what they are using in their own applications, which are just web pages wrapped in platform-specific embedded browsers.

Reddit search on r/tutanota for "smtp"

Tutanota FAQ about IMAP: This is not possible as we could not guarantee end-to-end encryption for your data

Most mails sent to/from Tutanota mail accounts will be in clear text, so there is no extra security in this, given they can always snoop on your mails when they're being sent or received. (And in fact, this is what they seem to be doing in response to legal "stuff")

And for the specific encrypted communication they have, how hard would it be to either make a fancy interface to an already existing standard, or create your own standard and share it with the wider world?

. . .

Have we not learned that walled gardens aren't that nice? They are one of the reasons why "Big Tech" is "big" after all. They are one of the reasons why you /(have struggled|are struggling)/ to get your friends and family to switch off of WhatsApp and Gmail. Do we really want a repeat of this all again?

Yesterday, we sacrificed our freedom in exchange for "usability". Now, do we want to sacrifice our freedom for "security" instead? I believe we can have all three (freedom, usability, AND security), but I don't expect it to come from the types of people behind Tutanota, Signal, and many other similar services I don't currently have in mind.

🐺 · CC BY-SA 4.0 · me@ecmelberk.com