element-hq / element-web

A glossy Matrix collaboration client for the web.
https://element.io
GNU Affero General Public License v3.0

Export chat should be limited by homeserver settings #20385

Open jamescl opened 2 years ago

jamescl commented 2 years ago

Your use case

The ability to export chats was recently introduced, which raises some interesting privacy concerns:

What would you like to do?

Homeserver should be able to specify whether chats can be exported (i.e. always, unencrypted rooms only, none) for rooms in their homeserver and clients should respect them.

Have you considered any alternatives?

No response

Additional context

No response

SimonBrandner commented 2 years ago

I find this to be more of a social problem than a technical one; you can never prevent people from downloading all of the chat content. They can always write a script to do so, use an existing one...

jamescl commented 2 years ago

I understand nothing will ever be watertight once it reaches a client and is rendered to a user - but it seems like it's too easy to download an encrypted chat and forward it on to whoever you like without the knowledge of other participants.

toger5 commented 2 years ago

I could see how it might be useful to inform the other participants that an encrypted chat was exported. But that would of course not at all make things more secure. It is always possible to share an encrypted chat; for example, someone could take a picture of the screen and share it. I agree that in the end it's a social problem, and a prompt that says:

> This is an encrypted chat. The other participants should be aware if someone downloads the chat history. Export the chat content and send this message to the room: "I downloaded the chat history from the DD MMM until the DD MMM" \<Button> Export & Inform room \</Button>

could have an impact on the awareness of the person downloading the history, that the person is supposed to treat the content as confidential. And it could make all participants feel more relaxed since they know they will be informed if the chat is exported. If you have evil intentions this of course does not stop you from anything. Creating a custom client just for downloading messages or hacking Element to not show this prompt is of course still possible, but a higher barrier of entry.

SPiRiT369 commented 2 years ago

I came across this page while searching for whether "Export Chat" can be disabled. From my experience with public chats, Element should absolutely allow homeserver admins to disable this feature. I understand that people can still scrape data or use the API for that, but those who can abuse this feature do not always have the knowledge to do so. The first thing I thought when I saw Export Chat was how to disable it. Please consider adding this. For me personally, it's a must-have. 🙏

t3chguy commented 2 years ago

> I understand that people can still scrape data or use api for that, but those who can abuse this feature not always have the knowledge to do so.

Those who want to abuse something will google it, there are other export tools, e.g. https://matrix.org/docs/projects/other/matrix-recorder

SPiRiT369 commented 2 years ago

> Those who want to abuse something will google it, there are other export tools. e.g https://matrix.org/docs/projects/other/matrix-recorder

Some chats are intended for less-techy people. There's a difference between downloading tools and having this feature wide open to everybody. In my opinion, server admins should have the ability to turn on/off features and have more control over their servers. Well, just please reconsider. There are many use-cases for Matrix. Some, like myself, will find it very useful.

Meanwhile, @jamescl, you can do that by adding this to index.html (I've just tried and it works): `<style>.mx_RoomSummaryCard_icon_export {display:none !important;}</style>`

Still... I hope this will be part of config.json as it should 😩

T-bond commented 2 years ago

@SPiRiT369 If server admins should have more control over their server, why shouldn't the people using that server have more control over their data?

I don't see the point of making it disableable. It is easy to do that anyway. If there is not an option for it, people will find other ways (tools) to export the data. And third-party tools may not work as well as the built-in ones.

Also, it could cause confusion that one person can export it and the other person can't because they are on different homeservers.

SPiRiT369 commented 2 years ago

@T-bond as I said, there are many use-cases for Matrix. Some people install Matrix in-house (not connected to the Internet) or run an unfederated server. This should be kept in mind when features are developed. Others might think or need something different than what you think is obvious. (I had the same issue when I tried to disable Location Sharing...)