Matrix

Premise

This post follows the previous ones (Hugo, Obsidian part 1, Obsidian part 2, Matomo, Cactus Comments), which are intended to present solutions that we use or consider interesting.
For the analysis, we consider several aspects, including, by way of example but not limited to, whether the solution is open source, its impact on privacy and personal data protection, and its cybersecurity aspects.
We will soon publish other posts that will focus on many other valid solutions.

Matrix: what is it?

When you hear about Matrix, you very commonly think immediately of the famous 1999 movie entitled “The Matrix”, winner of four Oscars, written and directed by brothers Andy and Larry Wachowski. You might also think of the sequels “The Matrix Reloaded” and “The Matrix Revolutions” from 2003 that completed the Matrix trilogy.

However, in this post, we are not referring to the movies, fascinating and engaging as they are, but to a software solution: a protocol that was released (out of beta) in 2019. Since then the protocol has spread worldwide, and its adoption has risen considerably (to get an idea, follow the tweets on #Matrix).

It’s probably still not all that clear at this point what Matrix is.

On the home page of Matrix there is this definition: “An open network for secure, decentralized communication”.

As the concise definition above suggests, Matrix is an innovative and meaningful solution, in some ways revolutionary, for communication.

On the FAQ page, to the question “What is Matrix?” you can read the answer:

Matrix is an open standard for interoperable, decentralised, real-time communication over IP. It can be used to power Instant Messaging, VoIP/WebRTC signalling, Internet of Things communication - or anywhere you need a standard HTTP API for publishing and subscribing to data whilst tracking the conversation history.

Therefore, Matrix is not only about messaging but also about VoIP and IoT.

The concept of “open standard” does not yet seem to have an unambiguous definition (an example is the definition provided by the ITU).

Generally speaking, Matrix works with a server (called “homeserver”) and a client.

To give more detail on how Matrix works, we provide below a static image of what appears on the home page of their site. On the Matrix home page, under “How does it work?”, you can see the working scheme of the protocol in dynamic mode, with details about the code displayed when you click the “Next” button.

Communicate consciously

We said that Matrix - very generically - is a communication solution.

People communicate in different ways (voice communication, gestures, body communication, electronic devices, video calls, etc.). Still, we rarely worry about the aspects that concern privacy and protection of our personal data.

Even in IoT systems and ecosystems, objects communicate to transmit information.

So, as we will elaborate at the end of this post, privacy and protection of personal data are paramount.

Likewise, security is relevant.

We reproduce portions of the first chapter of our latest book entitled “GDPR & Privacy: awareness and opportunities. The approach with the Data Protection and Privacy Relationships Model (DAPPREMO)”, 2020, which we believe are relevant to the subject matter of this paragraph.

The human being needs to communicate (the first axiom of the Palo Alto School). The advantage offered by the Internet of interacting with other people even at a distance has had a success that has become disruptive just when maintaining distance has become essential to contain the pandemic.

and further

Users, however, choose apps following the criteria of their greater diffusion (often by fashion or to be part of a group) instead of paying attention to the protection of the conveyed information. Paradoxically, users prefer to continue using potentially less secure apps, but very popular, instead of thinking about the consequences of data security risks. When we invite people to reflect on potential security risks, they say to choose the app(s) that are the most used and popular; therefore, the (imprudent?) criterion of the choices made by the majority of users (unaware) prevails.

and more

Moreover, users’ choices are, at the same time, directed towards apps to use free of charge. Still, the users do not reflect on the real cost to pay, which almost always corresponds to users’ data (personal data, IP addresses, date and time of access and use, metadata, etc.). The eagerness to access certain services or use apps prevails over the minimum common sense, mostly overwhelmed by the superficial attitude. Indeed, most users accept unconditionally both the general conditions and privacy policies (almost always unread). People also demonstrate to lose interest in the risks, even minimal ones, related to information security. Those risks are very often assessable even with three trivial questions: “To whom and where do I send my data? Who will process my personal information? Where will my data be stored?”

Therefore, in our opinion, the issues of awareness, ethics, privacy, data protection, and security are fundamental and unavoidable.

Our reflections are based on what happens every day in real life.
People prefer to communicate through more popular and well-known applications, neglecting the awareness about the fate of their personal data and security aspects.

This rampant phenomenon will leave little room for “conscious” personal data processing, privacy, and cybersecurity considerations.

However, it is good to do healthy outreach to make people aware of the risks and solutions that can reduce them.

Why choose Matrix?

The last words of the previous paragraph go some way towards explaining why to choose Matrix.

To begin with, it is a free, open source and transparent solution (all resources are available on the Internet).

Matrix is a reasonably secure solution (absolute security in computer science does not exist) that respects privacy.

On the home page of the Matrix website, you can see some tweets, among them one by @lrvick, who has prepared a report comparing the security and privacy of different messaging systems.

Although the tweet is from 14/10/2018, it indicates Matrix’s security and privacy profiles even compared to other systems.

Beyond the security profiles and respect for privacy and personal data protection regulations, we highlight how this solution can be adopted for personal communication between users and as an IT architecture for private and public organizations.

Moreover, we know that some universities have already adopted Matrix-Synapse for communication.

We have no doubt that Matrix-Synapse can also be freely used by public administrations, thus promoting “safe” communication with users.

In short, the concrete uses of the Matrix ecosystem are vast, and it is about time someone reflected on the subject.

Our evaluation

After getting to know the Matrix ecosystem, we made some evaluations and, from the beginning, we considered it an innovative and, above all, privacy-friendly solution.

The users’ data, the content of messages, media, and any activity carried out on the Matrix server (“homeserver”) are encrypted and therefore cannot be read even by the system administrator.

Regarding the use of Matrix, we must specify that the only “unencrypted” data is the “Username”, which, however, need not be a “speaking” one (i.e., it need not contain elements that can identify the user).

Matrix doesn’t use telephone numbers (mobile or others) for communication between users, and it doesn’t use email addresses. In short, the user is identifiable only by the “Username” and the “homeserver”, because the address that identifies a user in the Matrix ecosystem is @username:homeserver, for example @name:matrix.org (if the user has been created on the matrix.org server).

This aspect is undoubtedly of extreme importance if we consider that other messaging systems work exclusively with the mobile number (personal data that the controller processes).
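Added example (not from the original post or from the Matrix project): Python code that splits the @username:homeserver address described above into its parts and rejects malformed identifiers, plus a helper that produces a non-“speaking” username. The character set, the 255-byte limit and the server-name forms follow our reading of the Matrix specification and are an assumption here; the upper bound on the port and all function names are ours.

```python
import re
import secrets

# Grammar as read from the Matrix specification's identifier rules (an
# assumption of this example; check the spec version your homeserver targets).
LOCALPART_RE = re.compile(r"[a-z0-9._=/+-]+")
DNS_NAME_RE = re.compile(r"[A-Za-z0-9.-]{1,255}")
IPV6_RE = re.compile(r"\[[0-9A-Fa-f:.]{2,45}\]")
PORT_RE = re.compile(r":[0-9]{1,5}")
MAX_ID_BYTES = 255  # whole identifier, "@" and server name included


def split_server_name(server):
    """Return (host, port or None) for 'host', 'host:port' or '[ipv6]:port'."""
    if server.startswith("["):
        end = server.find("]") + 1  # 0 when there is no closing bracket
        host, rest = server[:end], server[end:]
        valid_host = IPV6_RE.fullmatch(host)
    else:
        host, colon, port_text = server.partition(":")
        rest = colon + port_text
        valid_host = DNS_NAME_RE.fullmatch(host)
    if not valid_host:
        raise ValueError("invalid homeserver name")
    if not rest:
        return host, None
    # The 65535 ceiling is an extra check added in this example.
    if not PORT_RE.fullmatch(rest) or int(rest[1:]) > 65535:
        raise ValueError("invalid port")
    return host, int(rest[1:])


def parse_user_id(user_id):
    """Split '@localpart:homeserver' into (localpart, host, port)."""
    if len(user_id.encode("utf-8")) > MAX_ID_BYTES:
        raise ValueError("identifier longer than 255 bytes")
    if not user_id.startswith("@"):
        raise ValueError("a user ID starts with '@'")
    # The localpart cannot contain ':', so the first colon ends it; the server
    # name may hold more colons (a port, an IPv6 literal).
    localpart, _, server = user_id[1:].partition(":")
    if not LOCALPART_RE.fullmatch(localpart):
        raise ValueError("localpart must use only a-z 0-9 . _ = - / +")
    return (localpart, *split_server_name(server))


def random_localpart(nbytes=8):
    """A non-"speaking" localpart: random hex, no name or other personal data."""
    return secrets.token_hex(nbytes)
```
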

Another key aspect is compliance with Whereas (7) of the GDPR according to which:

Natural persons should have control of their own personal data. Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced.

The user is the only one who has complete control over his account and can decide at any time to modify or delete it.

These, in short, are the main reasons that led us to choose Matrix as a communication protocol, even in the full knowledge that most users use other, more widespread systems.

Getting a Matrix account?

On the Matrix website, there is a guide describing how to get involved in the ecosystem.

To use Matrix, you first need to create an account.

It is possible to create an account either on the Matrix server - matrix.org - or on any other existing Matrix server in the world.

To create a Matrix account, you have to register through a client, and you can choose the ones indicated on this page.
The client used by Matrix is Element.

Matrix.org

To create an account on matrix.org you must:

  1. access the Element web page;
  2. click on “Create Account”;
  3. enter a “Username”;
  4. enter a “Password”;
  5. insert an “Email”;
  6. click on “Register”.

After that process, Matrix creates a user profile as @Username:matrix.org.

You can then access Matrix through the client (in our case Element) and start communicating with other users (who, obviously, already have a Matrix account) or access the rooms that interest you.

Matrix on your server

If you install Matrix-Synapse on your server, creating an account will be the same as above.

For the reasons above, we have decided to install both Matrix-Synapse and Element on our server, which is matrix.nicfab.it.

Incidentally, we are among the supporters of Matrix.

You can register an account on our server (matrix.nicfab.it) by reaching the following web page: Element.

In our case, for security reasons, we have made the (mobile) phone number mandatory, for the sole purpose of receiving notifications or in case you forget your password.

We must point out that the data are all encrypted on the server, and therefore no one can read them, not even the system administrator (sysadmin).

Matrix Clients

We said that the user needs a client to use Matrix.
The client’s choice is essential to appreciate all the functions of Matrix.

To help you choose a client, you can consult the page of the Matrix site where the clients are subdivided by:

  1. Mobile
  2. Desktop
  3. Terminal-based / Command Line
  4. Web
  5. Nintendo 3DS

If you want to see a more detailed list with operating system indication, you can reach another Matrix resource.

Element was our choice for both Desktop/Web and mobile.

Element

Element is the client chosen by Matrix, and at the bottom of the home page, we read:

Our mission is to preserve your right to privacy in the face of an increasingly centralized internet and routine surveillance.

Privacy is protected by the UN Declaration of Human Rights.

The client is free unless you want to opt for one of the solutions on the Element website.

The Element interface is clean, as we can see from the image below:

Image: Element

As you can see, on the left side, there is a part with the list of chats with People and Rooms.

The central part shows the room’s content or chat with a box at the bottom for writing.

On the top bar, there are phone and video-camera icons for starting phone calls or video calls.

Clicking on the icon at the top left that represents the user who logged in opens a menu containing the settings item.

The interface is the same for both Desktop/Web and mobile clients.

Matrix self-hosted

Our choice was to create our own “homeserver” Matrix.

Whoever is interested can follow the guides on the Matrix site that refer to the installation of Synapse, which, as you can read on this page, is described as follows:

Synapse is a Matrix “homeserver” implementation developed by the matrix.org core team, written in Python 3/Twisted.

To install Synapse, you can follow this official guide.

We also recommend this post published on the official Matrix Blog, which also contains a video: “Running your secure communication service with Matrix and Jitsi”.

In our opinion, it is an excellent resource for those who want to realize their own Matrix “homeserver”.

We will not go into purely technical aspects because the purpose of this post is merely informative. In any case, the official resources are available online, and you can also access specific rooms on matrix.org, where you can discuss with other users.

We can undoubtedly say that the installation of our Matrix “homeserver” has amused us, and we are enthusiastic about it.

Bridges

If you install Matrix-Synapse on your server, you can also install bridges, which are applications, mostly written in Python, that allow you to use other messaging apps within the Matrix client.

I could install the bridge for Telegram or for Signal, or both, to have, for instance, all Telegram conversations within the Matrix client (in our case Element).
There is no limit to installing bridges; you could decide to install as many as you need.

If you don’t have your server (so-called self-hosted), instead, you can use t2bot.io, a bot that allows you to have several functions available, including bridges with other systems. We read “A public integration network for Matrix. Thousands of communities use t2bot.io bots and bridges to connect and share, all without advertising.” on their website.

In essence, these solutions, described here only briefly, highlight one of the strengths of the Matrix ecosystem: it is interoperable with other systems.

Matrix and privacy

As usual, we reserve an ad hoc paragraph on privacy to express our evaluations that must be considered as an opinion and not as a declaration of compliance or non-compliance.

After this due clarification, we can say that it is not easy to express an evaluation of compliance with the personal data protection regulation, both because this would require a proper and complete investigation of the software code (which, in any case, is open and available on GitHub) and because our contribution expresses our free opinion.

However, months of intensive use and interventions on our “homeserver” allow us to affirm, hoping not to be contradicted, that Matrix-Synapse is a solution realized according to the principle “Privacy by Design” or “Data Protection by Design and by Default” as described in art. 25 of the GDPR.

The entire IT architecture developed by the Matrix Team, together with the technical and organizational measures adopted, seems to us - both from the user’s side and from the server administrator’s side - to be compatible with the principles and rules contained in Regulation 2016/679 (GDPR).

We have already pointed out that the user has complete control over their personal data, according to Whereas (7) of the GDPR.

Another important aspect concerns the frequent release of updates, published with maximum transparency to allow users full awareness.

The position of Matrix on privacy is set out in the Privacy Notice, to which we refer those who are interested in learning more.

The whole project deserves our utmost appreciation. That is one of the reasons that pushed us to support Matrix, convinced that continuous development can improve more and more the whole software ecosystem.

It is worth highlighting that the “Coalition for Competitive Digital Markets” has published an open letter (available only in English) titled “The EU Needs an Effective Digital Markets Act.”

According to what we read on the website, the Coalition comprises 50 companies from 16 countries, 12 from the European Union.

The text of the open letter is available on this page, and the points highlighted in summary are the following:

  • Extend the interoperability provision to all core platform services, for all business and consumer offerings;
  • Prohibit the gatekeepers’ harmful self-preferencing by introducing an explicit pre-installation and default setting ban for core platform services;
  • Extend the bundling prohibition to ancillary services.

We refer to this open letter because Matrix is one of the companies that joined this initiative.

The content of the open letter is generally acceptable if Europe wants to be competitive in digital markets.

Stay tuned!