(Please see comments) Alternatives to Signal if they exit EU due to ending E2EE
Like the title states, looking for E2EE apps (Android and iOS) without going into much details or needs to be robust enough and easy to use for anyone and stable for operations that are susceptible to constant electronic warfare. I did some research and thought about replacing Signal with Molly and wondering if it will still work if Signal leaves the EU, but am also worried about its updates to patch vulnerabilities in a timely manner. I appreciate the help. I am a “Jack of all trades and master of none” when it comes to these types of programs, but am also the go-to currently in my unit since I am somewhat knowledgeable about exploits and attacks that can compromise systems. Would be great if there was a desktop as well (like Signal) and would also be nice if it was FOSS and auditable (I know that’s kind of redundant). I know it’s a tall order to ask but figured I would try. I really appreciate the help so much and hope I did things by the rules here and don’t get flamed if this has already been covered (I searched but my skills with searching the fediverse are low
If so, banning E2EE because of CSAM is like cutting off your hand because you stubbed your toe. Banning E2EE won't stop child porn nor will it prevent the use of E2EE.
Understanding is simple. Every few years, 5 or 8 or 10, there's a big marketing push and brain wash around trying to destroy encryption by using the excuse of CSAM. Nothing new, a play as old as ever. It's basically (and really the whole point) trying to pass mass surveillance into law hoping that people forget the arguments of the last time or that people are not paying attention or trying to put it wrapped into a different gift wrapping and see if it goes into effect before anyone notices. The time frames for these things are getting smaller and smaller and more and more people don't care at all about privacy and basic rights and are ok with things like mass surveillance. It will eventually pass.
Pretty sure signal won't be forced to do anything:
Encryption plays an essential role in securing communications. The international human rights law test of legality, necessity and proportionality should be applied to any measures that would affect encryption. Both the UN Commissioner for Human Rights [1] and the European Data Protection Supervisor [2] have concluded that the EU’s proposal for a regulation on child sexual abuse material fails this test [3].
This is from May this year, when Spain proposed this. How in the everliving fuck can the EU get away with violating human rights?
So yeah, I'll eat my hat unsalted if this actually will break encryption.
I'd just like to point out that if Signal leaves the EU, it will most likely just mean that it's not available through the official app stores. With Signal updating itself, it's just a little inconvenient to install it on a new device, though, they even said that they'll try to make it as easy as possible.
Yup. At most, Signal gets removed from the Play Store. There's no meaningful way to block Signal, especially now that big CDN providers are starting to roll out Encrypted Client Hello.
"If it's not allowed in the Play Store and we need to click away a Google warning or 2, maybe it's dangerous and we shouldn't use it" - average Joe. Next step: "... suspect was using Signal, so we decided to ..." yada yada yada, same as it already is perceived in general for Tor and even with VPN in some countries. Just the fact you're not using the thing most other people use makes you stand out.
Much has been said about the idea of 'Signal leaving UK or EU'. Little has been said about how exactly that would happen.
AFAIK, Signal has no business presence in the UK or EU, i.e., no offices, no registered corporate entities. Thus, they (arguably) have no more requirement to comply with UK's or EU's regulations than, say, Iran's or China's or any other jurisdiction where they do not do business and have no presence.
Signal's leadership has a record of giving any regional restrictions the middle finger, so I doubt Signal would voluntarily block EU countries.
So that means the EU would either pressure Google and Apple to delist Signal (easily worked around, at least on Android, and soon on Apple too as EU is trying to force sideloading) or they'd pressure ISPs to block connections to Signal (more or less impossible).
If EU tried to do that, it'd just create a giant game of whack-a-mole. And people doing real CSAM shit would just move to even more private distributed systems.
XMPP or SimpleX. It's easy to block Signal, given they require a phone number and the servers are centralized. But it's quite hard, potentially impossible, to block the federated XMPP network or the decentralized relay structure of SimpleX.
China manages to block XMPP pretty reliably in my experience. I've tried both AWS hosting and self-hosting and they will work for a bit but eventually get blocked. You can see from the logs that they just probe the server to get an XMPP bad auth response and then shut it down. Next time I am planning to set up an auth proxy on a different server entirely and really lock down the actual XMPP box and see if that makes any difference.
Both are E2EE. Unlike Signal, they also have the benefit of not requiring a phone number, so your account isn’t linked to you that way. In my experience, Session feels more mature, having apps on more platforms and more reliable notifications. However SimpleX has some really nice features, like the ability to have multiple profiles (including hidden profiles).
Although I doubt that Signal would leave the EU (or that this dangerous regulation would even become something that could ever be applied in practice), SimpleX looks very promising as a possible alternative.
However, it would also mean that you have to convince all your contacts to make the move, too - which was already difficult when I told them to install Signal additionally to WhatsApp, which is virtually on almost every device.
I'm not convinced by Session's decision to remove forward secrecy. I don't care if it's malice or incompetence, they shouldn't be in the business of encrypted messaging either way.
And their lack of transparency on their share of underlying network and the associated costs for new entrants doesn't make them smell like a cryptoscam any less.
My personal advice is avoid. You'll be far better off with SimpleX, or XMPP+OMEMO for something not paired with phone number.
I caution mentioning both Matrix, and Element as if they are synonymous -- they are not (I'm quite certain that that wasn't your intent, but the usage of the forward slash could be interpreted as such). It may lead to confusion for newcomers. It would essentially be the same as saying "I recommend ActivityPub/Thunder" to someone who you want to introduce to Lemmy. Matrix is the protocol, and Element is simply a client that interacts with the Matrix protocol.
I personally think that it's sufficient to recommend Matrix if one is mentioning chat-app alternatives. Of course, nothing is stopping one from also recommending a client, but I don't believe that it's entirely necessary.
That’s what I’m hoping some consideration considering it would undermine everything in regards to the lives at risk. Currently using Proton but think Mullvad now it keeps coming up. Does it offer other services as well similar to Proton and if so how are they? Thank you for your reply.
Mullvad is a non-profit focused on privacy as a human right. They provide anonymous VPN services, you can pay them with crypto, cash, a lot of different things that help distance you from the service. They also provide a Firefox fork, called Mullvad Browser, which is like a mix of the Tor Browser and Arkenfox, with all the privacy-respecting options set correctly out of the box.
The only alternative that's FOSS and not centrally controlled is Matrix. By being decentralized, anyone can run their own server and good luck stopping that.
There may be 200 other "alternatives", but they're irrelevant to the point where I consider them non-existent. Nobody has heard of them. Nobody is using them. Trying to push them on normal people will most likely result in them no longer talking to you as often or at all, and none of the other ones has any chance of reaching a critical mass. Matrix at least has some recognition among nerds and some tiny amount of adoption outside.
Stop pushing random niche shit, it does privacy a disservice.
If I installed a different app for every friend I had, I'd have a homescreen full just of chat apps. What's worse, those niche privacy friendly apps go under or out of favor often.
You might be able to convince some of your friends to install an app just for you once, but by the time you're telling them "this one now sucks, I'm on other app now" for the second time, they'll just stop chatting with you, and if you ask them repeatedly, likely shun you even IRL because most people want to live their lives, not chase chat apps for their friends' weird interests.
And even if they do that, they'll have one app that they use every day, and one that sits in the bottom of their app drawer. Guess who gets invited to do something on the weekend, the person who shows up on their main contact list, or the person that would show up if they dug out that dusty app? And guess what the phone is gonna do with that app once it hasn't been opened for a week... it's going to deprioritize it so it won't even work properly, while their main daily-opened app always gets push notifications immediately.
You don't have to like it. You can pretend it's not happening. But it will happen.
I've been using DeltaChat (available on F-Droid) for a few months now.
What I like about it is that because it's email based, it uses OpenPGP for encryption, making it easy to have compatibility with other email-based solutions.
If you want to go the extra-secure route, you and your contacts can even self-host your emails - as long as you're not going to send messages to people on Gmail or other big providers, you can avoid your messages being treated as spam.
The multi-device support is still a bit rough around the edges, but has gotten better in the last few months since the app is under active development.
DeltaChat uses Autocrypt, which apparently doesn't support key verification yet. How secure is it if you can't even verify that your messages aren't being intercepted? I also didn't see anything about rotating keys after every message like Signal does, so anyone sucking up your encrypted messages just needs one key to see your entire message history. That doesn't sound very good.
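An added illustration, not part of the thread and not Signal's or DeltaChat's code, of the per-message key rotation raised in the comment above and the forward-secrecy point made earlier about Session: it compares what a recorded message history reveals when one long-lived key is stolen versus when a ratcheting chain key is stolen. The function names and the five-message scenario are assumptions, and only the symmetric hash-chain half of a ratchet is modelled (no Diffie-Hellman step).

```python
import hashlib
import hmac
import os


def kdf_chain_step(chain_key):
    """One symmetric-ratchet step: (message_key, next_chain_key).

    HMAC-SHA256 over distinct constants, so neither output reveals
    chain_key or the other output.
    """
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return message_key, next_chain_key


def ratcheted_keys(root, count):
    """Per-message keys, plus the chain key the device held before each one."""
    keys, states, chain_key = [], [], root
    for _ in range(count):
        states.append(chain_key)
        message_key, chain_key = kdf_chain_step(chain_key)  # old chain key is discarded
        keys.append(message_key)
    return keys, states


def readable_after_theft(keys, stolen_state):
    """Indices of recorded messages whose key follows from the stolen secret."""
    candidates, chain_key = {stolen_state}, stolen_state
    for _ in keys:  # walk the chain forward from whatever was stolen
        message_key, chain_key = kdf_chain_step(chain_key)
        candidates.add(message_key)
    return [i for i, key in enumerate(keys) if key in candidates]


def demo(count=5, theft_at=3):
    root = os.urandom(32)  # constructed sample secret
    static = [root] * count  # one long-lived key encrypts every message
    ratchet, states = ratcheted_keys(root, count)
    return readable_after_theft(static, root), readable_after_theft(ratchet, states[theft_at])


if __name__ == "__main__":
    static_hit, ratchet_hit = demo()
    print("static key, readable messages:", static_hit)
    print("ratchet,    readable messages:", ratchet_hit)
```

The earlier messages stay protected only if the device really deletes old chain keys; a hash chain alone does not protect messages sent after the theft, which is what the Diffie-Hellman step of a full double ratchet addresses.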
It depends on what you want. I encourage people to use Jami (distributed, so might be a thing, if not self-hosting your own service, since what is said decentralized in reality is a set of centralized services). If too hard, then XMPP + OMEMO. And only then, Matrix (by design it gives up more metadata than XMPP).