Is Element.io a private choice?

Hi there!
Colleagues and I looking into migrating a work Slack space to Element.io since they are recommended on the PrivacyGuides website. We don’t have the funds to sign up to an enterprise version, so we’re looking at the free tier. I’m trying to figure out how private it is to use Element; how data is handled, and where their servers are based, and who they are hosted by.

From their privacy policy it seems that they use AWS within EU:

We host the Element Matrix Services on Amazon Web Services (AWS), specifically:

  • Our admin server is hosted in an AWS data centre in Amsterdam;
  • Our deployment server is hosted in an AWS data centre in Stockholm;
  • Customer deployments have the option to select the geographical location which is the most convenient for them;

We also host the Gitter.im app on AWS, in a datacenter based in the East of the US.

Amazon employees may have access to some of this data. Here’s Amazon’s privacy policy. Amazon controls physical access to their locations.

I could also find out that their identity server is hosted by UpCloud on servers in London.

From a privacy perspective, is it an issue that their servers are AWS? Or does Amazon not harvest data from their web services division? Or does the EU regulations provide that extra layer of privacy?

Hope someone can help me wrap my head around it. :slight_smile:

Couldn’t add the links - here they are:
Element privacy policy
Element Identity Server privacy policy

And Amazon’s privacy policy.

Personally I can’t offer much on the topic but I would recommend using an alternative server for Element/Matrix to help with decentralization and other servers probably have better privacy policies and better uptime

If it’s just for colleagues in a small work group would Signal desktop not be a great slack replacement?

You just have to be comfortable with everyone in the conversation knowing each others’ phone number, since that’s the unique identifier on Signal.

If you trust a 3rd party to manage your matrix (element.io) server for you it’s pretty cheap - like $5/mo. I’m pretty sure Jonah and DNG manage the PG matrix server, but that is, again I believe, within their professional wheelhouse…

Simple X chat (https://simplex.chat/) have a table on their homepage comparing chat protocols. DivestOS has a comparison table here: Messengers - DivestOS Mobile

To my shallow understanding the biggest criticism of matrix protocol is that “a lot” of metadata is visible as a result of it’s federated nature.

My personal opinion is Element.io is fine for anything except super secret stuff…

@TasteOfCherry We’re actually around 200 people, but with limited funding. So I think Signal and other instant messengers are out of the question. Also we do need the “rooms” to separate discussions out.

Ah, sorry.

Would it be too much of a headache to run your own server?

https://matrix-org.github.io/synapse/latest/

Hopefully Jonah, DNGray, or someone else with real world experience will happen along.

Best, my friend!

1 Like

I would say signal would be out of the question for a room of that size. I wouldn’t use Signal either, if employees aren’t provided with a business phone number, as that encourages annoying them when they should be offline.

It would use would likely make more sense, to use Matrix, especially if you use the spaces, and have smaller rooms for particular things for organizational purposes

With Matrix, you could have your own Matrix server, (if you care to manage that) and enable E2EE on some rooms, or use something like EMS if you want to pay someone else to do it.

For a business I wouldn’t use something like Dendrite, just yet. There are some rough edges and a few bugs still to iron out. Consider that you may want high availability of some kind, so it may very well be a lot cheaper to not self host.

At least you can have private E2EE rooms, which is more than the competing products offer.

3 Likes

Thanks @TasteOfCherry and @dngray, really appreciate all the input I can get!

I think hosting our own server is a bit much to take on for now (but we’ll try to convince our IT staff that it’s a necessity, and in turn the higher-ups that it’s worth the money). Good to know about Synapse and, eventually, Dendrite.

Would we be able to start out with a free Element space and then seamlessly(ish) migrate to a on-premise server later on should the option present itself?

It may not be, depending on the size of business. Economically it can be completely reasonable to pay for SaSS options. You get a SLA and then don’t have to pay staff to manage it.

Would we be able to start out with a free Element space and then seamlessly

Matrix is decentralized, so no reason you couldn’t start out making a space. If you want it hosted on your own domain, though then you might like to look into EMS options.

Additionally EMS makes more sense for onboarding, because you can have single sign-on and those other features set up.

You could do that any time you like, or not at all.

I would suggest checking out revolt.chat and rocket.chat.

Revolt is not encrypted, at all (no E2EE). Even when they do complete that, I would really question the quality of the product, because E2EE is something you kinda want to think about from the beginning.

Rocket.chat is base on the Matrix Protocol. Prior to that their own E2EE algorithm was only ever experimental.

To me the work flow of the Matrix Protocol, ie individual MSCS, that get rendered into the main Matrix Spec, seems like a better design workflow, which will produce better quality software and reduce “pitfalls”, ie “issues” the developer just didn’t really think about too well before implementing.

1 Like

I don’t understand

When a change is requested, a proposal is written before code is written, as opposed to a developer who has complete control over the whole process and just does whatever they want whenever.

2 Likes