wireapp / wire

Overview of the open source code for Wire
https://wire.com
GNU General Public License v3.0
2.4k stars 174 forks

Please stop using privacy-hostile supplier Amazon AWS #265

Open ghost opened 5 years ago

ghost commented 5 years ago

Wire is centralized on Amazon's AWS. There are substantial privacy and ethical issues with this:

security risks

When users connect to AWS, privacy abuser Amazon gets their IP address and likely knows they are using Wire. That IP address can then be cross-referenced to other activity recorded by Amazon (both their shop and other AWS-based services like Signal and GitHub). Amazon also has a view of that plaintext metadata that Wire exposes. It's really a bad idea for Amazon to see who is associated with whom.

@EgbertW also mentioned in https://github.com/wireapp/wire/issues/102 that Wire is advertised as being Swiss-based when in fact the servers are in Ireland and operated under ownership of a US company. That issue was apparently lost amid other issues in that thread and still needs to be remedied.

privacy-related ethical problems

  1. Amazon paid $195k to fight privacy in CA.
  2. Amazon supported CISA.
  3. Amazon is making an astronomical investment in facial recognition.
  4. Amazon drug tests its employees, thus intruding on their privacy outside the workplace.
  5. Amazon uses FedEx (an NRA-supporting ALEC member who feeds Republican warchests via ALEC and NRA [Republican policy is detrimental to individual privacy]).
  6. Amazon distributes NRAtv which promotes a privacy-hostile political party and the resulting policies. Also sells the Trump line of suits in their webshop.
  7. Amazon spent $30 million and ranked in the top 5 promoters of Facebook ads in 2012 (thus substantially feeding a privacy abuser).

Wire users are generally privacy-focused, so the ethical consequences of using AWS are out of alignment with the values of Wire users. There is both an ethical need and a practical need to abandon AWS (which has proven to be an untrustworthy supplier).

tokariu commented 5 years ago

I understand that maybe it was comfortable using AWS back when Wire was in its early days and way smaller than it is nowadays. But today, with the increasing number of users, this issue should be worked on with higher priority than before. Indeed, labeling Wire 'Swiss-based' is dishonest at best.

strypey commented 5 years ago

I agree AWS hosting is an issue, although it will be less of an issue when server>server federation is implemented. I'm not sure what replacements are available, but surely there is at least one hosting provider that does for the Eurozone what CatalystIT does in Aotearoa (NZ): https://catalystcloud.nz/

rbraley commented 5 years ago

Totally agree, this is counter to the purpose and mission of Wire.