• poVoq
    12
    3 years ago

    People consider way too little under what jurisdiction the developers and servers are. Even if Signal was fine right now, them being under US law is a total no-go for anyone not living there (zero rights for non-citizens), and it would be trivial for the NSA to force Signal to intercept more metadata etc., even with a gag order.

    Matrix.org is AFAIK based in the UK, which is nearly as bad, especially now with Brexit. And self-hosting while avoiding any connections with the main instance is nearly impossible.

    If you insist on a centralized platform and are an EU citizen, then Threema is probably the best option, now that they open-sourced their clients. For non-EU & non-US, I guess Telegram (Doha based, but servers on US cloud providers AFAIK). I think for east Asia (other than China), LINE would do (Japan/South Korea based).

    But IMHO, by far the best option is to self-host XMPP or sign up with a local community-run XMPP server.

    • @[email protected]
      2
      3 years ago

      I guess the whole point of having e2ee, storing as little user metadata as possible, and not having to trust the service provider model, is the motto for Signal and perhaps Matrix (Signal being the messenger collecting less metadata, while the Matrix backend is open-sourced). Actually, no matter where the service resides these days, some are probably hosted on Amazon or other processing and storage services, which most probably have headquarters in one of the 5 eyes countries. I definitely like truly decentralized and FLOSS apps and services, such as Briar or Tox. However, unfortunately, AFAIK Tox's latest protocol never got as audited as the double ratchet one, and besides, both decentralized services are energy hungry. A regular phone’s battery is not enough for a full day of such apps up and running…

      The fact of having Swiss servers is not fully reassuring, since at least the Swiss company Crypto AG has been exposed to be involved with intelligence agencies (US, German and Swiss ones at least) as well (https://web.archive.org/web/20201111074303/https://www.parlament.ch/press-releases/Pages/mm-gpdel-2020-11-10.aspx?lang=1033 - https://www.washingtonpost.com/graphics/2020/world/national-security/cia-crypto-encryption-machines-espionage). So Threema, though interesting, just by having Swiss servers is not totally reassuring, and feature-wise, it lacks voice and video calls (it does support voice messages, which is not the same) to be on par with Signal and Matrix; besides, the backend and server are not open-sourced, just the client (like for Signal, but not the case for Matrix, which is fully open-sourced).

      I do like the fact that Threema doesn’t depend on phone numbers, but Signal is supposed to be working on getting rid of the strict need for phone numbers (https://www.zdnet.com/article/signal-to-move-away-from-phone-numbers-as-user-ids - https://signal.org/blog/signal-pins), and Matrix doesn’t depend on phone numbers at all. I’m using both Signal and Matrix/Element, and if Signal doesn’t eventually come up with a no-phone-number solution, I’ll then get out of Signal, but I’m patiently waiting, particularly because I guess most people will opt for Telegram (which is a definite no-go for me, and it’s not even open-sourced btw), and part of them for Signal, but I don’t see them opting for Matrix, and even less opting for Briar or Tox (as Tox is right now, it’s also a no-go).

      BTW, Signal at least sent a communication last year, sort of indicating that if the US ever approves the “earn it act”, they would move out of the US (https://www.wired.com/story/signal-earn-it-ransomware-security-news - https://signal.org/blog/earn-it), which is somewhat nice to hear from them.

      XMPP requires a server, and in that sense is not truly decentralized, unless you self-host, as you pointed out, but that might be out of scope for some (I at least can’t trust my electricity service, nor even my internet one, enough to be able to self-host), or might even be too complex for non-tech people, and the alternative for most would be a central server… If I could self-host, not only XMPP would be an option, but also email and NextCloud (meaning, I would not depend on several services being hosted or not by US or non-US service providers)… And I don’t know how many users would be moving to XMPP (and even less self-hosting, for a non-centralized experience), and I suspect, as with the Matrix case, very few would…

      The Matrix solution so far has clients and backends fully open-sourced, which is a big win compared to other solutions, since it can be explored and audited by anyone interested, and not just the protocols it uses or some APIs. Also, by being federated, there can be instances everywhere. If someone doesn’t feel comfortable with the matrix.org instance, they can look for some other instances. And furthermore, as with XMPP, you can self-host your own instance as well, and still communicate with the rest of the instances, so you can make it non-centralized if you and your contacts all self-host. I then see Matrix as one of the best options out there, except for 2 major issues. The main one being adoption. As mentioned, I doubt I can make even a fraction of my contacts move to a Matrix client, though one of the cool things about being federated is that there’s not only Element, but that’s not the point… And the 2nd one being that at least group video calls (not sure if voice calls as well) are not e2ee, but instead are webrtc encrypted, since jitsi is used underneath, and in this regard Signal is better, though currently limited to 5-people video calls (they plan to increase that limit).

      So to me, it’s not as simple as saying the service provider or the servers are not based in any of the 5 eyes countries, or the extended 5 eyes for that matter, since in the end countries’ intelligence agencies make alliances, and when there’s money involved as well, then one can’t be sure how ethical things are. I have yet to see truly decentralized solutions like Briar or Tox providing usable solutions for regular users (not just whistleblowers or protesters in special situations, for which some suppose Briar is made), and becoming, if not mainstream, at least easy and energy/battery-safe to adopt as well, so it doesn’t become that hard to convince others to also join the decentralized experience.