by knok_off 1382 days ago
Could you elaborate or link something? I'm interested, as I thought it was fairly good.
3 comments

It has stuff like E2E encryption, but that essentially just works on the message contents. Who sends messages where is visible to any server owner that receives the data (basically: host of the user account or room, or any public room). (there may be wrinkles to this, but in a broad sense it matches Matrix's metadata exposure)

Which makes it pretty much exactly the same as, e.g., XMPP. Or nearly[1] any federated chat system, past, present, or future. It's not privacy-oriented, by design, because privacy-oriented and able to connect N independent implementations which are able to protect themselves from abuse are almost completely at odds with each other.

In that sense: yes, it's a privacy disaster. It is not and never will be Signal. But in another sense, no, it's just what happens when you build a usable federated chat system - convenience costs privacy. There are "free" and "cheap" ways they could improve it, and some improvements have been trickling steadily, but the fundamental feature-set prevents it from ever being what most privacy people would call "good".

[1]: there are some exceptions, but generally speaking they are making extreme tradeoffs somewhere. E.g. inability to stop spammers because you can't see senders -> no large hosts will ever exist because it'll hemorrhage money, so it's practically just a P2P network. Some of which do have interesting privacy feature-sets, but often suffer with discoverability and connection reliability.

No large hosts is by design. Too many digital eggs in one digital basket is everything that's wrong with SaaS these days.

Which exposes you to greater complexity in combating abuse, and greater difficulty in discovery.

I agree entirely, and I really like the fine-grained "part P2P part federated" stuff that's growing more and more popular, but it's not a zero-cost thing to do. And it's not just an "oh, well, the code's a bit more complex" cost, the user experience will be unavoidably more complex as the number of hosts increases, as they now need to select one in order to enter the ecosystem... but they're outsiders, how do they make an informed choice?

Abuse is something that there's work being done over: https://matrix.org/blog/2020/10/19/combating-abuse-in-matrix...

I disagree re discovery, it's working-as-intended. It's got better discovery than say email, at least there are actually identity servers for people who wish to use them, and can work with both phone numbers and email addresses.

Non-publicly-addressable accounts are excellent, that's why the EU gov, military, healthcare and emergency services are using Matrix protocol versus say WhatsApp.

People can host their own node right now, and that's encouraged rather than joining Matrix.org or a paid Matrix provider. 60m+ publicly-addressable accounts on Matrix thus far. A Raspberry Pi starts at the price of lunch.

However, going forward, there's work being done to have on-device lite servers, eliminating the need for a third-party server to send/receive messages. These can even work P2P via BLE, meaning connectivity in areas of natural disaster, warzones, and political unrest where an oppressive government or invading force may disable the internet.

That post on abuse is a good example of what I mean, tbh. It's proposing a tagged reputation system.

That means users choosing and updating tags, service-owners choosing and updating tags and taggers, taggers having to follow[1] purposes of tags and changing purposes of tags, eventually mime-type-like things for better specificity and disambiguation, etc. There is absolutely no way that that is a better non-technical / non-deeply-invested user experience than "the company checks on and deletes violating stuff for me so I don't see it".

I generally like it, reputation systems are a reasonable option for nearly everything in a federated or P2P system, and they're wonderfully flexible. But they're not simple. Any time you choose reputation, you're depending on a manually-selected pool of trusted actors (at the very least for bootstrapping), or putting highly-technical expectations on users. You can reduce the impact (significantly) with good UX, but you can't truly remove it.

[1]: or abuse! abuse of abuse-management systems is a huge problem.

I think the interesting aspect to me is how so many on here complain about Signal in comparison to Matrix in the context of one-on-one or small group chats. How federation makes Matrix "more secure", but I think metadata is probably more important at this point. (Still excited to see Matrix grow, but this is clearly an issue that needs to be resolved)

Different tools for different tasks.

Is the security and privacy provided by Matrix fit-for-purpose for the EU gov, healthcare, military and emergency services? Yes.

Is it fit-for-purpose for those with nefarious intent, or those who might be the victim of an oppressive regime? "It depends".

If two people are talking on a single Matrix server that they control, it's absolutely whatever as far as metadata goes.

Element using Matrix protocol to make a Slack-like/Teams-like/WhatsApp-like? Absolutely fit-for-purpose. We've used it every day for over a year for business. I've even bridged in WhatsApp, Facebook Messenger, Discord et al to not need anything but Element as a comms app on any of my devices. I separate them by "Spaces".

In the real world, very few people need ever worry about metadata.

Yeah, for Slack/Discord-like purposes, it's entirely reasonable I think. There are of course low-hanging fruit worth grabbing, but "tons of metadata all the time" is absolutely the normal expectation for a system like that. By being federated, Matrix is already noticeably better in most ways.

Anything better is achieved through massive effort and often novel research. Which is wonderful when it happens, but it's not reasonable to point to existing systems and say "how dare you [not do that thing nobody knows how to do yet / nobody has demonstrated scales to real-world use]".

> Different tools for different tasks.

Honestly this is how I see it, with the exact same split. Matrix = Slack/Teams and Signal = text messages/Messenger/WhatsApp. But I've seen quite a lot of passionate responses about how this comparison is naive because Matrix is a protocol and pointing to Element.

> In the real world, very few people need ever worry about metadata.

I disagree. Personally I'm not a fan of surveillance capitalism. Rather I think that people don't understand the importance of their data and how powerful it is.

Just one example: https://github.com/matrix-org/synapse/issues/5677
Another would be the user agent of the clients (Windows, Linux, …) on Element Web…
Just the stuff from your user agent that shows up under device details is not good.