I am interested in trying out matrix, but my first impression seems to reveal that by default, there may be some privacy or anonymity pitfalls if I use matrix.

Examples:

  • using an instance I don’t host means the host is trusted with my data
  • self hosting might reveal a lot of information about me. Most likely, it is registered to a domain that has my info and could potentially be traced back to me.
  • When self-hosting, being one of few users, basic analysis of my activity could reveal a lot about me, since all that activity could be easily identified as belonging to a single person

Now I understand not all threats could be mitigated, but my worry is that both self hosting or not have significant gaps. What’s the most privacy and anonymity conscious way to use Matrix?

  • Apollo2323@lemmy.dbzer0.com
    link
    fedilink
    arrow-up
    4
    ·
    edit-2
    9 months ago

    Trusting a third party with your data that is encrypted. Its better to blend in than to stand out. Use a instance with a fair amount of users , use anonymous username and email if they ask.

  • Derin@lemmy.beru.co
    link
    fedilink
    arrow-up
    2
    ·
    9 months ago

    The first point is moot as you can encrypt your data; your host my have it, but they can’t access it.

    As far as self hosting goes, yes: DNS registration will generally out you, so if you’re really trying to stay hidden then - as the previous poster mentioned - your best bet is to just make an account on a relatively large server.

  • erebion@lemmy.sdf.org
    link
    fedilink
    arrow-up
    1
    ·
    9 months ago

    Matrix is not the right protocol for staying anonymous. There’s way too much unprotected metadata.

    You might be able to mitigate that somewhat by using an instance that is accessible via TOR and being careful who you communicate with, depending on threat models and so on.

    But if you want to communicate anonymously and not leak meta data… Probably not what you are looking for.

    • matcha_addict@lemy.lolOP
      link
      fedilink
      arrow-up
      1
      ·
      9 months ago

      Thanks, that’s what I was thinking. Are there better alternatives?

      I’m skeptical of Signal’s centralized model and its couple with Google services, among other things.

      • erebion@lemmy.sdf.org
        link
        fedilink
        arrow-up
        1
        ·
        9 months ago

        I don’t know what would fit your needs, but Signal does not require Play Services. And even if those are present, it does not leak data to Google. Other than “Signal is installed” and “You get a push message”, Signal does not put your messages into the notifications. Instead Signal connects to the Signal servers and then gets the encrypted messages from there and only then decrypts.

        Even if you have Play Services installed, you can force it to use a background connection inatead, if you disable Play Services before installing Signal, it wall automatically fall back to it.

        If you want a version without Play Services libraries, you could use Molly, a hardened version of Signal, which is available in a version without those libraries.

        Molly even allows linking phones as secondary devices, not just desktops.