element-hq / riot-android

A glossy Matrix collaboration client for Android
Apache License 2.0

permission.READ_CONTACTS - Explicit privacy explanation? #1776

Open feinstaub opened 6 years ago

feinstaub commented 6 years ago

Hi,

in Germany, schools are not allowed, or are in conflict with privacy laws, when using WhatsApp and the like with students. Reason: the address book is read and it is unknown what happens with the data, see https://www.didacta-digital.de/lernen-lehren/finger-weg-vom-klassenchat-datenschutz-in-der-schule

Now I wonder - since Riot.im has the READ_CONTACTS permission - if there is an explicit text on the website explaining what this right is used for. Then anyone could verify this claim by reading the source code.

Having such a written explanation would very much help to promote Riot.im as a superior alternative to WhatsApp.

ylecollen commented 6 years ago

@feinstaub The contacts are only used to find matrix users.

We already have a message from the application which explains their uses.

Riot needs permission to access your address book contacts to find other Matrix users based on their email and phone numbers.\n\nPlease allow access on the next pop-up to discover address book users reachable from Riot

Is it not enough?

feinstaub commented 6 years ago

Thanks for the answer.

Is it not enough?

Thanks for asking. Not quite. :-)

It does not say how Riot.im uses email and phone numbers. Will anything of this data be sent to a remote server? If yes, how is the data handled there? Or is the processing done locally on the user's device, only?

Ideally, these privacy claims would be placed somewhere on the Riot.im website so that they can be read before the app is installed and the permissions are granted.

ylecollen commented 6 years ago

@feinstaub To summarise (before adding it in the android ReadMe file):

1- Your account might be linked to phone numbers or email addresses. These data are stored on servers.

2- We try to find out if some of your local contacts are matrix users. The contacts are read only if you granted the dedicated permission (for Android >= 6 we use the system dialog, else we implemented a custom one). A remote request with all the phone numbers and email addresses is used to do it.

Do you think you need more inputs?

feinstaub commented 6 years ago

Thanks for the summary. The following questions might sound nit-picky and time-consuming to answer but since the address book information contains data of third parties, it is most sensitive. The better the statements can be understood by not-involved people the more credible they are.

1- Your account might be linked to phone numbers or email addresses.

a) Which account? I assume the Matrix account which is needed for Riot, correct? b) Whose phone numbers and email addresses, the ones that the account owner added for himself?

These data are stored on servers.

c) "these data" would mean the data of all users registered in the matrix network? d) Whose servers? Servers from the Matrix network? e) Can anybody read all this data? So it is better not to use real names?

2- We try to find out if some of your local contacts are matrix users. The contacts are read only if you granted the dedicated permission (for Android >= 6 we use the system dialog, else we implemented a custom one).

f) Can Riot be used without giving the Contacts permission? What disadvantages would the user have?

A remote request with all the phone numbers and email addresses is used to do it.

g) Maybe it is good to mention explicitly that phone numbers and email addresses are the only data items used. So names, birthdates, profile pictures, notes on contacts and whatsoever are NOT sent to a remote server, right? (in contrast to WhatsApp which probably sends all available data)

h) Is the data deleted on the remote side after the request is completed? (in contrast to WhatsApp)

ArchangeGabriel commented 6 years ago

Not a Matrix dev, but:

a) Yes.

b) Yes. For instance, I added none. So no one can find me this way.

c) “These data” are the links between Matrix accounts and other identities (phone number and emails, maybe others?).

d) 3PID (Third-Party Identity Providers) servers. Currently, only Matrix official team hosts an official one. AFAIK, this is not (yet) federated, so you either use your own (in a corporate case for instance) or the global one. So yes, all people using Matrix 3PID and having linked other identities to their account have an entry in the Matrix 3PID server linking their Matrix identity to those other identities. It’s a kind of Matrix “phonebook” if you want.

e) AFAIK, no. You can just send some data (like an email) and get an answer of which account is linked to it, if any. Not sure if giving a “real name” is enough to get an answer from the server. But at least you should not be able to discover new identities through it (e.g. you cannot get the phone number of someone by knowing their Matrix ID).

f) Yes. And I do. It means you cannot search for Matrix users matching your contacts, so that you have to add them by hand.

g) As you can see by my answer in c), that’s where I lack knowledge of how things work. Not sure if something else than emails and phone numbers is used.

h) Can’t tell for them, but I would say so. Just because they would have to store a huge amount of useless (for them) data else.

bringlein commented 6 years ago

Hi @feinstaub @ylecollen @ArchangeGabriel and all,

I think that is a very important discussion. One of the most important criteria for me to decide if I use a messenger or not is the handling of contact/phone book data.

TL;DR: Riot uploads only the e-mail addresses and phone numbers that were found in the phone's address book. The reference Matrix Identity Server Sydent does not store them. Only new e-mail addresses and phone numbers submitted by a user to associate them to his matrix-id (mxid) are stored, logically.

Your questions in detail:

g) Maybe it is good to mention explicitly that phone numbers and email addresses are the only data items used. So names, birthdates, profile pictures, notes on contacts and whatsoever are NOT sent to a remote server, right?

Yes! As you can see in the following snippet, only e-mail addresses and phone numbers are submitted. (And it would be a good idea to mention that in the privacy terms.) https://github.com/vector-im/riot-android/blob/0be745a9df420c21cc3d9867d0f6a29d313d0263/vector/src/main/java/im/vector/contacts/PIDsRetriever.java#L207-L215

Footnote to this: the e-mail addresses and phone numbers are NOT hashed, in contrast to other Messenger-Apps like Signal or Threema (and AFAIK WhatsApp). This behavior is required by the matrix.org-standard: https://matrix.org/docs/spec/appendices.html#pid-types

I don't know why and I would prefer if they would be hashed. But I guess there are some justifications/reasons why not, but I haven't found them yet. Maybe this is also an issue, that should be discussed.

h) Is the data deleted on the remote side after the request is completed? (in contrast to WhatsApp)

Yes, Sydent, which is the reference Matrix Identity Server, does this: https://github.com/matrix-org/sydent/blob/c3879957b0b7a1e3509f8b727a66bcef4a8cd0c2/sydent/db/threepid_associations.py#L102-L140

The corresponding API specification can be found here: https://matrix.org/docs/spec/identity_service/unstable.html#association-lookup

The deletion is not specified, for reasons I don't know either (but done by the matrix.org implementation). Again, this should also be discussed, IMHO.

Finally, I am currently using Riot.im/matrix.org with a sound conscience regarding my privacy and the privacy of my contacts ;).
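To make the two points of the comment above concrete (only e-mail addresses and phone numbers leave the device; the lookup server keeps associations users registered themselves but not the queried lists), here is an added, self-contained Python sketch. It is not code from riot-android, Sydent or the Matrix spec: the contact records, the `ToyIdentityServer` class, the payload shapes and the salted-hash scheme in `hash_3pid` (the hashed variant the commenter wishes for) are all constructed for illustration.

```python
import hashlib
import json
import re

# Constructed sample address book (not real people): the kinds of fields an
# Android contacts provider exposes. Only emails and phone numbers may leave the device.
SAMPLE_CONTACTS = [
    {"name": "Alice Example", "birthday": "1990-01-01", "note": "maths teacher",
     "emails": ["Alice@Example.org"], "phones": ["+49 30 1234567"]},
    {"name": "Bob Example", "photo": b"\x89PNG-constructed-bytes",
     "emails": [], "phones": ["0049 171 2345678"]},
    {"name": "Carol Example", "emails": ["carol@example.org"], "phones": []},
]


def normalize_email(address):
    return address.strip().lower()


def normalize_msisdn(number):
    # Keep digits only and strip an international "00" prefix (assumed convention).
    digits = re.sub(r"\D", "", number)
    return digits[2:] if digits.startswith("00") else digits


def extract_3pids(contacts):
    """Data-minimising step: only (medium, address) pairs leave this function.
    Names, birthdays, notes and photos are never copied into the result."""
    pids = []
    for contact in contacts:
        for email in contact.get("emails", []):
            pids.append(("email", normalize_email(email)))
        for phone in contact.get("phones", []):
            pids.append(("msisdn", normalize_msisdn(phone)))
    return pids


def build_plain_lookup(pids):
    """Unhashed lookup body: the identity server sees the raw addresses."""
    return {"threepids": [[medium, address] for medium, address in pids]}


def hash_3pid(medium, address, pepper):
    """Hypothetical hashed form: the server only learns a peppered digest."""
    return hashlib.sha256(f"{address} {medium} {pepper}".encode()).hexdigest()


def build_hashed_lookup(pids, pepper):
    return {"addresses": [hash_3pid(m, a, pepper) for m, a in pids]}


def leaked_fields(payload, forbidden=("name", "birthday", "note", "photo", "Alice", "Bob", "Carol")):
    """Return every non-3PID contact field that shows up in the serialised wire payload."""
    wire = json.dumps(payload)
    return [field for field in forbidden if field in wire]


class ToyIdentityServer:
    """Constructed stand-in for an identity server: it stores only associations that
    users registered themselves and keeps no copy of the lists it is asked about."""

    def __init__(self, associations, pepper):
        self._plain = dict(associations)  # (medium, address) -> mxid
        self._hashed = {hash_3pid(m, a, pepper): mxid for (m, a), mxid in associations.items()}
        self.pepper = pepper
        self.retained_queries = []  # stays empty by design: lookups are answered, not stored

    def lookup_plain(self, body):
        return {"matches": {f"{m}:{a}": self._plain[(m, a)]
                            for m, a in body["threepids"] if (m, a) in self._plain}}

    def lookup_hashed(self, body):
        return {"matches": {h: self._hashed[h] for h in body["addresses"] if h in self._hashed}}


def demo():
    pids = extract_3pids(SAMPLE_CONTACTS)
    server = ToyIdentityServer({("email", "alice@example.org"): "@alice:example.org",
                                ("msisdn", "491712345678"): "@bob:example.org"},
                               pepper="constructed-pepper")
    plain = build_plain_lookup(pids)
    hashed = build_hashed_lookup(pids, server.pepper)
    return {
        "leaked": leaked_fields(plain) + leaked_fields(hashed),
        "plain_matches": server.lookup_plain(plain)["matches"],
        "hashed_matches": server.lookup_hashed(hashed)["matches"],
        "retained": len(server.retained_queries),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows both variants finding the same two registered users while `leaked_fields` stays empty; the difference is what the server is able to read from the request body, which is exactly the hashing question the commenter raises.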

julianfoad commented 5 years ago

Did anyone update docs using the answers collected here? What are the docs that need updating?

OmlineEditor commented 5 years ago

There is still a problem with data access. There is more data in the manifest and I don’t understand why they are needed, it looks like a spyware program:

android.permission.READ_LOGS - read confidential data from the log
android.permission.GET_TASKS - Allows an application to retrieve information about current and recently completed tasks
android.permission.WRITE_SETTINGS - Allows an application to read or write system parameters
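The kind of check behind the comment above, listing the permissions a manifest declares and flagging the ones that need a written justification, is easy to automate. The following Python script is an added example, not part of the project or the thread; the manifest excerpt is constructed (it is not the real riot-android manifest) and the watchlist reasons are a reviewer's notes, not text from the page. Two facts it relies on: since Android 4.1 `READ_LOGS` is no longer granted to ordinary third-party apps, and `GET_TASKS` is deprecated since API 21, so either declaration deserves a question in review.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest excerpt: the permissions named in the thread plus two ordinary ones.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.app">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.READ_LOGS" />
    <uses-permission android:name="android.permission.GET_TASKS" />
    <uses-permission android:name="android.permission.WRITE_SETTINGS" />
    <uses-permission android:name="android.permission.CAMERA" android:maxSdkVersion="22" />
</manifest>
"""

# Reviewer watchlist: permission -> why a written explanation should be demanded.
WATCHLIST = {
    "android.permission.READ_CONTACTS": "reads the address book, i.e. third parties' personal data",
    "android.permission.READ_LOGS": "reads system logs; not granted to third-party apps since Android 4.1, so why declare it?",
    "android.permission.GET_TASKS": "reveals which other apps are or were running; deprecated since API 21",
    "android.permission.WRITE_SETTINGS": "lets the app modify system settings",
}


def declared_permissions(manifest_xml):
    """Return (name, maxSdkVersion-or-None) for every <uses-permission> in document order."""
    root = ET.fromstring(manifest_xml)
    result = []
    for element in root.iter("uses-permission"):
        name = element.get(f"{{{ANDROID_NS}}}name")
        max_sdk = element.get(f"{{{ANDROID_NS}}}maxSdkVersion")
        result.append((name, int(max_sdk) if max_sdk else None))
    return result


def audit(manifest_xml, watchlist=WATCHLIST):
    """Keep only the declared permissions that appear on the watchlist."""
    findings = []
    for name, max_sdk in declared_permissions(manifest_xml):
        if name in watchlist:
            findings.append({"permission": name, "reason": watchlist[name], "max_sdk": max_sdk})
    return findings


def report(manifest_xml):
    """Human-readable lines, one per finding, noting any maxSdkVersion limit."""
    lines = []
    for finding in audit(manifest_xml):
        scope = f" (only up to API {finding['max_sdk']})" if finding["max_sdk"] else ""
        lines.append(f"{finding['permission']}{scope}: {finding['reason']}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_MANIFEST):
        print(line)
```

Point `declared_permissions` at a real manifest (for a built APK, the manifest decoded with a tool such as apktool) and extend `WATCHLIST` with the permissions your own review cares about; the output is the list of items for which the project should publish the kind of explanation this issue asks for.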