It appears that Simplex’s value proposition is predominantly tailored for high-risk individuals,
Absolutely not. We have many family users who like the fact that they cannot be approached by strangers.
It is the same as to say that Tor’s, therefore Cwtch’s, value proposition is tailored to high risk users, which is simply not correct.
I think that claim “complete privacy” is helpful, but not in the way you think. You are right that less savvy users can’t assess and ignore it, but more savvy users put more energy into scrutinising the system, and pointing out the flaws, that we consistently improve.
So it kind of helps making system better, and does no harm to anyone, so I don’t see why we should drop it. We do want to be criticised for any difference with “complete privacy” we have, and we will continue reducing the gap.
As for wayland, I agree, but it would happen either when framework we use supports it, or if at any future point we will decide to redevelop linux app (the latter is very unlikely in the foreseeable future, but framework support seems to be coming).
John Smith writes his first messaging app and calls it unbreakable. SwiftOnSecurity spots four vulnerabilities. Smith patches them and calls it unbreakable again. Bruce Schneier comes along and points out sixteen zero days. Smith patches those and calls it unbreakable again.
Three guesses if anyone trusts the next version with its new features.
You can only cry wolf so many times.
Hyperbolic statements like complete privacy are idiotic, when e.g. you’re doing absolutely nothing regarding endpoint security. I know it’s not in networked TCB SW domain, but it’s not being addressed at all, and since you’re not going to do anything about that issue even if it’s pointed out, you’re not entitled to saying “complete”, unless you want to get called out for spouting snake oily corporate puff.
This is silly. Software using cryptography has always been dual-use goods. Also, the GPLv3 license allows the user to run the program for any purpose.
It’s usually only proprietary software that issues control to what the user can do with it, and any code used to monitor what the user does, will not be tolerated by the community. You can check the Chat Control law in EU to see how well the idea of scanning attachments against blacklisted hashes, is being received. It’s not exactly hard to disable the code running the scan when the code is open. So you can’t enforce only good guys use products. You can only do stuff like ban encryption which hurts everyone, and will only result in criminals using encryption.
I’m not sure why I had a dozen notifications regarding your crusade when I logged back in, but leave me and my critique towards SimpleX etc out.
Had to log-in just to say thanks for the analysis and breakdown on all of this.
It was technical but you made it easier to follow and understand, whilst also sharing some significant points of critic on SimpleX and the communication from its devs which I was not aware of - one of the best threads on secure messengers with great info, critic and feedback.
Definitely keeping a closer eye on SimpleX’s moves going forward and now looking to try out Cwtch and see what it’s all about.
Thanks again. 
Agree. Please also see:
while Signal is quitting Sweden in lieu of a very similar law there
This is misleading. Signal is threatening to quit Sweden if the new law passes, not based on existing law. The IPA is already law in the UK.
I see.
To my knowledge, such “backdoor” laws already exists in countries where Signal and WhatsApp have a big presence (like, the one demanding “traceability of messages” in India). Neither Signal or WhatsApp has quit India, yet. In the latter’s case, they won’t, given their vast business presence in the country.
not based on existing law
I said “similar” law?
The bill states that companies like Signal and Whatsapp will be forced to store all messages sent using the apps (ref / mirror).
Note though, the “backdoor” requirement exists in Swedish 2020:62, which is now being made permanent, though it may not concern Signal.
Which implies that the law Signal is concerned about already exists, which it doesn’t. It is a law proposal at the moment.
Most countries have similar legal provisions to “capability requests” of IPA law, and the provisions of IPA are far from the worst - e.g., the US FISA 702 provisions have much fewer safeguards.
Capability requests under the IPA law have 2 pages worth of limitations and due process, and we have an excellent legal counsel who advises us on that.
I see the only answer to jurisdictional risks to continue evolving multi-operator network where users are in control which jurisdictions they choose operators from, unlike they can be in Session or in Tor, irrespective of the number of nodes.
You also have wrong expectations about what a threat model should cover. Security threat model usually covers what a compromised part of the system can do. The confidential capability request can only be applied to server code, it won’t be confidential for open-source client code. And what a compromised server can do is already covered in threat model – how exactly it is compromised is out of scope - there any too many scenarios.
Further, if we are compelled to run a modified server code that is different from published open source code we would be in direct violation of our Privacy policy, unless we change it. While there indeed exist legal powers to compel us to change server code confidentially, without disclosing it, there are no legal powers to compel violating contract conditions, so even if we had to change code we run, we’d have to amend our Privacy policy to remove this obligation.
Any privacy policy updates are shown to the users in the app - it’s coming for example in today’s beta release and in v6.3 release on March 8: docs: update privacy policy by epoberezkin · Pull Request #5646 · simplex-chat/simplex-chat · GitHub
So if you see that provision that we must run the same code as we publish disappear, then this would be a cause for alarm. We have zero motivation to break contracts - I don’t do it under any circumstances.
This is false though. You can be compelled to not open source the surveillance part, and unless everyone is building and running reproduced builds (which are also in turn verified to not have any shenanigans in make) and sounding an alarm about a mismatch before harm is done to relevant users, it is just not true.
UK has parliamentary sovereignty, which means it has the legal power to mandate contract violation and stop any appeal, since there are no actual written constitution to constrain the parliament. “Parliament can do anything or everything but make a man a woman or vice versa.”
Can be compelled to not show the notification.
Yes, but the laws we are talking about would mean the things you say the server can do will ALL be done:
- learn when a queue recipient is online
- know how many messages are sent via the queue (although some may be noise or not content messages).
- learn which messages would trigger notifications even if a user does not use push notifications.
- perform the correlation of the queue used to receive messages (matching multiple queues to a single user) via either a re-used transport connection, user’s IP Address, or connection timing regularities.
- learn a recipient’s IP address, track them through other IP addresses they use to access the same queue, and infer information (e.g. employer) based on the IP addresses, as long as Tor is not used.
- drop all future messages inserted into a queue, detectable only over other, redundant queues.
- lie about the state of a queue to the recipient and/or to the sender (e.g. suspended or deleted when it is not).
- spam a user with invalid messages.
Don’t you think attesting server code and only distributing built from source binaries with community verification of reproducibility before each release on an unassociated public page (hosted in a neutral jurisdiction) a better guarantee?
In general what you write is FUD and is not consistent with IPA.
You are projecting a lot of “can be compelled” without any actual legal basis. IPA capability notices have tightly defined scope, and most of your ideas fall outside of what a Secretary of State can demand under the IPA.
You can be compelled to not open source the surveillance part
On what grounds? Point to specific IPA provision, as I haven’t seen anything there that would allow making such request. It would not fall under “capability request”.
Parliament can do anything or everything but make a man a woman or vice versa.
Parliament has nothing to do with IPA capability notices - they are issued only by Secretary of State under the IPA.
Can be compelled to not show the notification.
Again, on what grounds? Point to specific provision in IPA.
Yes, but the laws we are talking about would mean the things you say the server can do will ALL be done:
Nonsense, as doing ALL of that would make it dysfunctional, and such requirements cannot be made under IPA. You really need to read the law and not mass media if you are going to interpret the law.
Don’t you think attesting server code and only distributing built from source binaries with community verification of reproducibility before each release on an unassociated public page (hosted in a neutral jurisdiction) a better guarantee?
Yes, but it is unrelated to your concerns.
In general, I find it strange that the focus of attention of privacy community is 100% determined by mass media coverage.
Yes, IPA is a worrying law, that allows some powers to the state that we’d rather did not exist. And we have more checks and balances here than any other operator I know. But there are two things that are important here:
So you are right to worry about the state surveillance risks. You are wrong to think that the UK has risks that other countries don’t have. In some cases there are advantages, as there are certain level of protection from law enforcement requests from other countries that all have to go via the Home Office under MLAT agreements.
So stop using mass media as the guide for your attention, and start thinking independently.
If you were to choose our jurisdiction, which one would make you feel any better? Because I really don’t have answer to that question.
There may be additional provisions that are now considered, but again - Sweden already has similar laws: Signals Intelligence Act (FRA law) and Electronic Communications Act (LEK)
While they use different language from IPA, they allow the state exactly the same powers, if not wider.
Why the UK became such a focus of attention then you may ask? Obviously, because of the diplomatic tensions with the US.
All you can do is to pay less attention to mass media. And to marketing posturing of companies who make promises that they know they won’t have to follow through.
I am very open to recommendations of better jurisdictions, but it seems illusionary, tbh.
So don’t get me wrong - I am not arguing that the UK is great - far from it. But it’s at least as bad or even worse from the state surveillance point of view everywhere from my analysis. And the only mitigation we see is splitting users comms across multiple operators in different jurisdiction, which is what we are working towards - technically.
I did not argue at all if UK is better or worse. I simply asked if it is better to have technical guarantees of transparency rather than pinky swears.
You called the arguments given as FUD, when it is all provably possible. Here are relevant provisions, have your hotshot lawyer look at it, and next time talk to a concerned user better I guess.
Because it is not a capability. It is forced non disclosure. (Investigatory Powers Act 2016)
The point flew over your head. You said your thin piece of privacy policy is inviolable. I taught you why it isn’t. UK does not have inviolable rights or contracts, since there is absolute parliamentary sovereignty.
Answered above.
Nonsense, the point wasn’t about a server doing All of it simultaneously as you imply in your narrow interpretation.
I find it interesting that someone who constantly misunderstands laws keeps blaming some vague “community” for his own short sightedness.
None. I wasn’t asking for jurisdiction change, I was asking for more technical guarantees. But since what you wrote allows you to make my points into trivial nonsense, you prefer to lie.
Very disappointed in the hostile response. Should have expected nothing more from another privacy project building hype without actual long term thought about their threat model. The value of the leader in your space, Signal, was always the crystal clear threat model and communication. SimpleX seems to lag a lot there.
Hope you see the value of this or at least talk about why this is economically or technically infeasible right now or forever.
Before replying with more FUD, I recommend understanding that to refute my point using legal smoke and mirrors, you will need a narrow exception explicitly written out that defends against a broad law. If your defence is the State doing a narrow interpretation of a broad law, then it is no defence at all, since it depends on subjective benevolence of State, and not explicit guarantees.
I did not argue at all if UK is better or worse. I simply asked if it is better to have technical guarantees of transparency rather than pinky swears.
I think both are important, and legal guarantees are more than pinky swears.
What technical guarantees you are expecting though? Reproducible builds are not achievable in the short term.
Because it is not a capability. It is forced non disclosure.
Publishing open-source code does not qualify as disclosure of the capability notice. I am aware that we cannot disclose notices. Nothing in the IPA prevents publishing open-source code.
Likewise, notifying users about changes in our privacy policy, and changing our privacy policy would not qualify as the disclosure of the notice.
I find it insane that someone who constantly misunderstands laws
My understanding of the law is based on reading of the law and legal advice. But you seem to prefer to apply wider interpretation of the law than it says.
Very disappointed in the hostile response.
No hostility at all. I am just engaging with you. I am not into “thank you for your questions” style. You made comments, I am responding, bring it on - it all helps.
without actual long term thought about their threat model.
This is not true, we are actually thinking about it long term, and about how to avoid the same compromise of the underlying assumptions for threat model that Tor now has.
Signal, was always the crystal clear threat model and communication.
Unless you are affiliated with it, I don’t see how you can call Signal’s “smoke and mirrors” approach to marketing when they fail to disclose most technical limitations “crystal clear” - with regards to multi-device attack vectors, with sealed sender not really working, with PQ in double ratchet having little to do with double ratchet, etc. etc. Signal is certainly better at marketing posturing, but I don’t see how it’s an advantage in communication style…
Don’t you think attesting server code and only distributing built from source binaries with community verification of reproducibility before each release on an unassociated public page (hosted in a neutral jurisdiction) a better guarantee?
Yes, I would love to get to the point when we can do that. It would indeed be an important technical guarantee.
State doing a narrow interpretation of a broad law
State does not interpret laws. I understand your point here, but interpreting the law wider than it is written or intended is also wrong.
Much more reasonable.
Maybe. Legal theory, needs testing.
Threat model always seemed pretty clear to me. I read docs not marketing, so maybe there is a mismatch.
Why a reproducible build is not possible right now. I am happy to volunteer build infrastructure, and publish it for cross verification. I am sure others are too. Software attestation can be costly, a poor man’s implementation can always be automating destruction then redeployment of server images on hardware after periodic intervals. This ensures that unless the host machine itself is infected, any modified code will not stay persistent.
maqp made a similar point a while back.
Nice. Besides, reproducible builds and remote attestation may also help, but as you say, building that is going to be more involved and may take time. Though, if SimpleX remains in the UK, it becomes imperative to pursue those, as all the fancy cryptography & protocol wouldn’t mean much (to me, if not to anyone else).
Please don’t patronize others. You’re better than that.
As a SimpleX user, I’m worried about SimpleX being based in the UK. What other providers do, and what jurisdictions they are in, are none of my concerns.
My bad. May be IPA concerns the “Trust in servers” section or the “SimpleX objectives” section?
Security against passive and active (man-in-the-middle) attacks: the parties should have reliable end-to-end encryption and be able to detect the presence of an active attacker who modified, deleted or added messages.
…
In particular SimpleX provides better privacy of metadata (who talks to whom and when) and better security against active network attackers and malicious servers
…
servers do not store any user information (no user profiles or contacts, or messages once they are delivered), and primarily use in-memory persistence.
In fact, the document even highlights the protocol’s strengths:
SimpleX supports measures (managed transparently to the user at the agent level) to mitigate the trust placed in servers. These include rotating the queues in use between users, noise traffic, supporting overlay networks such as Tor, and isolating traffic to different queues to different transport connections (and Tor circuits, if Tor is used).
Shouldn’t it recognise where such measures fall apart?
I’ve been informed Kenya is nice.[1]
Much more reasonable.
Huh. Will fix 
Maybe. Legal theory, needs testing.
100%. What I know is that I am as entitled to have legal theories as anybody else. The law is 100% based on precedents, not on statutes such as IPA, so our reading of IPA doesn’t really matter. What matters is how similar disagreements were resolved in the past, in similar situations. It’s only Supreme Court judges who can make a final decision about who’s right – they are still reasonable at this level.
Why a reproducible build is not possible right now.
GHC is fundamentally non-deterministic. A lot of (unknown amount, really) work on core GHC and dependencies to make build deterministic. I estimate like 6 months of somebody who can contribute to GHC. Maybe I am too pessimistic, and maybe it requires some experiments.
I am happy to volunteer build infrastructure, and publish it for cross verification.
We will certainly use it once we can have deterministic builds. I also think that reproducibility without each release actually reproduced, compared with published releases and signed by trusted community members is rather pointless.
What is needed is somebody’s time to try to identify the sources of non-determinism in the build. Quick attempt failed. Somebody needs to spend several days at least to understand and diagnose it.