K8y So Matrix Element collects lots of metadata, whereas SimpleX the least? Are there any significant drawbacks to SimpleX then?

That it is new. That you, if you use it as intended, connect to untrusted nodes. That we generally don't know yet how much security, privacy and anonymity such a system offers. That we still don't know if the company behind SimpleX is trustworthy, or if they might start doing shady things to earn money similar to what Session developers did. SimpleX developers have expressed an interest in earning money on SimpleX, and to me that is extremely worrying. As I see it, SimpleX is simply too new right now.

I am staying at Element right now. Not only because everyone I know uses Matrix, but also because I know what metadata they collect, and I know what security, privacy and anonymity they offer. I guess many stay at Signal for similar reasons.

    ryrona That it is new.

    It's not just new, it's also very complex and nontrivial to analyze and reason about its privacy and anonymity guarantees, because of a combination of its modular design with many separate protocols and also the lackluster way they're presented to end users, last time I checked. There are many infographics on their site, each presenting a different angle, but no infographic giving a clear full picture and detailing the privacy/anonymity properties. Also doesn't help that the different protocols have such similar names and sometimes they call the same protocol by an inconsistent name or acronym. Very difficult to understand this way, especially as a person with attention deficiency.

    EDIT: I've also managed to catch one nontrivial privacy issue with SimpleX that I've asked them in private about and they've confirmed to me. It's not a vulnerability or anything, but it just confirms what I said above. They should put much more effort into their documentation, their infographics on their site don't impress me. It's also not anything hidden, it's something I was able to conclude with logic.

      Watermelon I've also managed to catch one nontrivial privacy issue with SimpleX that I've asked them in private about and they've confirmed to me. It's not a vulnerability or anything, but it just confirms what I said above.

      I am curious about this. Can you share what privacy issue it is you have found?

        ryrona This may be outdated, and they've since made additions/changes that I suspect might affect the situation, but idk because it's so messy to understand. It used to be that SimpleX gives you the ability to add SMP servers of your own. Your contacts know which SMP server you have. Thus, if you use a non-default SMP server for decentralization, you're forfeiting anonymity as the custom SMP server functions as a sort of pseudonym; furthermore, your choice of a specific SMP server potentially lets your contact learn something about you regardless of the pseudonym issue. They've confirmed it's the case and that they want to add more preset SMP servers to decrease centralization.

          Watermelon Ah, okay. Yeah, all users would need to have the same list of nodes to use to not leak that information, same as Tor and other networks. I think they are worried about bundling a list containing lowly trusted nodes, which is why they still really only have their own nodes bundled in the app. I think I read a few months ago that they considered using their nodes as first hop, to allow for using untrusted nodes as the actual end points without those nodes being able to learn much about you. Or something to a similar effect. I guess we will see what happens. They are trying to solve the problem at least, as far as I know.

          Another problem with Session is that it's based on the "Lokinet" anonymity network. I made a comment on it on the Tor forums a year ago.

          Lokinet is very heavily built on crypto tech, which means to run a node you'll have to be rich. They hoped it would scare sybils, but in reality some sybils (e.g. Russia, China) are rich and can easily run Oxen nodes while ordinary users like me can't run nodes because we don't have enough Oxen coins.

          In short, Session, Lokinet and Oxen are a "Web3" alternative "privacy" platform. We all know Web3 sucks, and even VCs moved away from it and towards "AI".