Matrix? No, thanks.


Intro

Matrix keeps growing. Even the French government decided to use it. However, many Free Software activists refuse to use it.

What would you think if you discovered that a new messaging software claiming to be decentralized is sending lots of your private data and metadata to their central servers despite you installed your own instance?

Software must be Free, but that is not enough. This is a story about how power and hype managed to put a dangerous software into many Free Software communities.

Disturbing history (or maybe just FUD)

XMPP and many other technologies were already there. However, a new software arrived: Matrix. Its goal was to be the new ecosystem for Instant Messaging and VoIP, where different apps and services would interoperate. They also claimed to be able to create and manage «fully distributed chat rooms with no single point of control».

It was everywhere, people started to talk about it, as if they were bringing something really good.

Matrix is not a community-based software, it was born [00] in Amdocs [01], a multinational corporation founded in Israel.

On the Internet we find many pieces information connecting Amdocs with Israel’s Intelligence [02][03][04]. We do not know if it is because they wanted to wash their image, but allegedly Amdocs does not own the project anymore. A new organization, New Vector, was created for Matrix. Nevertheless the same people work there [05] and the project keeps being generously funded [06].

We have not seriously investigated those disturbing pieces of information, so let’s consider them as FUD and let’s not wonder whether Matrix software should be eligible [07] for the Boycott, Divestment, and Sanctions campaign or not. Let’s just focus on software analysis facts.

Issues on Freedom

Riot, the Matrix client, was created with Electron. Electron was not considered Free Software by the Free Software Foundation. Currently, Electron [08] is included in the Free Software Foundation’s evaluation list [09].

We have not investigated further, so let’s consider there is no freedom issue at all and we are only dealing with fully Free Software.

Decentralizing through centralizing

Matrix arrived with this plan to interconnect every existing IM and VoIP network through what they call Bridges [10], which could be seen as a centralizing hub where metadata could be analyzed, as well as the right place to try Person In The Middle Attacks.

Some might say interconnecting everything could be a legitimate goal. Nonetheless, some people started to report about huge amounts of data and metadata being sent to Matrix central servers.

Disroot’s decision

In September 2018 Disroot decided to close their Matrix service [11] and go back to XMPP. They gave several reasons, the main one: Privacy.

Facing the real and clear facts

In 2019, The Grid protocol community published their Notes on privacy and data collection of Matrix.org [12], a document which helps us assess what the extent of the problem is:

This research and investigation work is based on several years of experience within the Matrix ecosystem and validation of facts via public and private communication. Reverse engineering was used to ensure some of the statements presented as facts regarding implementations are accurate.

Summary of the Notes on privacy and data collection of Matrix.org

matrix.org and vector.im receive a lot of private, personal and identifiable data on a regular basis, or metadata that can be used to precisely identify and/or track users/server, their social graph, usage pattern and potential location. This is possible both by the default configuration values in synapse/Riot that do not promote privacy, and by specific choices made by their developers to not disclose, inform users or resolve in a timely manner several known behaviors of the software.

Data sent on a potential regular basis based on a common web/desktop+smartphone usage even with a self-hosted client and Homeserver:

  • The Matrix ID of users, usually including their username.

  • Email addresses, phone numbers of the user and their contacts.

  • Associations of Email, phone numbers with Matrix IDs.

  • Usage patterns of the user.

  • IP address of the user, which can give more or less precise geographical location information.

  • The user’s devices and system information.

  • The other servers that users talks to.

  • Room IDs, potentially identifying the Direct chat ones and the other user/server.

With default settings, they allow unrestricted, non-obfuscated public access to the following potentially personal data/info:

  • Matrix IDs mapped to Email addresses/phone numbers added to a user’s settings.

  • Every file, image, video, audio that is uploaded to the Homeserver.

  • Profile name and avatar of users.

No, it is not Facebook, it is Matrix.

This time, with such an impressive collection of private data being sent to Matrix central servers, even when you use your own instance, we have to face the facts: Something is seriously wrong.

Trying to fix things

In the same page of the report, a thread can be followed where Matrix developers try to defend themselves, but their defense is discredited in detail by the author of the report.

5 years after the creation of Matrix, and after 5 years of centrally receiving such a scandalous amount of users private data from their “decentralized” software, it was only after the mentioned report was published when the Matrix developers published some “privacy improvements” [13] addressing some of the revealed problems.

We have not read it. We do not think it is worth wasting more time. We understand there are always bugs, but noone can maintain that that valuable selection of private data sent to their central servers was a code error. Decentralization was in their hype, but their code was doing the opposite.

We might be wrong, but we have to make decisions. Fortunately, there are many other honest projects offering decentralized tools which deserve our attention.

If you find something is not correct or accurate

Please let us know.

TL;DR

We do not recommend Matrix because we find unacceptable that a software widely hyped as decentralized is released sending a scandalous collection of private data to their central servers, even if you run your own instance.