> Is there mandatory end to end encryption [in XMPP] yet?

Nothing is mandatory in XMPP except for the core and that's not going to change. But perhaps I'm taking you too literally? If your question is do all (non-beta) clients support E2EE, I'm pretty sure that's a goal. I believe there's been some funding grants handed out to client devs to help them finish/ audit OMEMO implementations.

Care to correct/ add to any of this @joinjabber?

Indeed not mandatory, but there are some XMPP clients that offer the option to make e2ee the default in private chats. In general this website still gives a good overview on the state of e2ee support in XMPP clients: https://omemo.top/

There is also ongoing work in some clients to implement a newer version of OMEMO (nick-named newmemo or omemo2) that offers much improved metadata encryption compared to the current standard that encrypts the text body. #xmpp #jabber

> a newer version of OMEMO ... offers much improved metadata encryption compared to the current standard

Good to know! I presume Conversations is one of the clients working on this? If so, it will available to people using @snikket_im as soon as its stable.

@freakazoid

As long as people have to take action to enable encryption, it will be possible to make the case that the use of encryption is evidence of wrongdoing. I think there is a big opportunity here for XMPP to significantly move the needle on privacy because, unlike Signal, it's not "primarily" about encryption.

Right now I use Signal with my friends and family. I don't see moving to Jabber unless/until the iOS experience improves (very slow/missed messages due to battery optimizations) and encryption becomes the default on some usable client for each of the platforms used by my friends, mostly iOS and Android.

That has already happened 😀

Conversations and cheogram has a setting to make all conversations encrypted by default.
Monal also on IOS. Since version 5.3
And monal is also on mac.

Yeah i get it.
Signal has an easier way because its centralized and non democratic. What signal corp says goes.
With #xmpp we go about things the standards and democracy way. So hopefully in a bit we can have encryption by default. PGP is already almost phased out as completely insecure compared to omemo.

So what i can offer now is that its just a setting that can be enabled. Which i have done for friends and family. Because they are going to ask for help to set it up anyway 😀

Yeah decentralized and democratic is definitely my preference. I will take Moxie as a benevolent dictator, but dictatorships are only ever benevolent temporarily.

Plus, while I totally understand the reasoning, I don't like using my phone number as an identifier.

Moxie is no longer involved right?

Also remember even though Signal is e2e by default, they forced people to enter a trivially breakable 4 digit PIN which caused your keys+history to be sent to Google's servers, and only walked back the "force" part after most of the damage had been done due to backlash.

This can't happen in an open protocol with multiple independent implementations, pick one with e2e by default and be happy.

If you are actually serious about privacy you can even run your own server so no one has your metadata, not even Signal.

I haven't been paying as much attention as I should. I think I probably heard Moxie was no longer involved at some point and promptly forgot.

If you're talking about their "secure value recovery" thing, I can understand why some people would be concerned about it, but in general I'm not concerned about encrypted data being stored on servers. Their secure enclave method seems very similar to what Apple said they were going to do for secure backups and then quietly didn't.

I generally compare anything like this to the available alternatives rather than to some absolute ideal. If there were an alternative an alternative available that I felt was overall better and that I could get friends and family to use, I would switch.

As for why it's important to me that encryption be the default:

"Although the exception purports to protect online platforms from liability for offering encrypted services, it specifically allows the use of encryption to be introduced as evidence of the facilitation of illegal material."

https://www.eff.org/deeplinks/2023/05/stop-csam-act-improved-still-problematic

Optional encryption might as well be no encryption if it can bring the rubber hose down on you. The only protection from rubber hoses is for the people with the rubber hoses not to know who to use them on.

The STOP CSAM Act: Improved But Still Problematic

Last month, we expressed concerns about how the STOP CSAM Act threatens encrypted communications and free speech online. New amendments to the bill have some improvements, but our concerns remain.

^{Electronic Frontier Foundation}

> Optional encryption might as well be no encryption if it can bring the rubber hose down on you

FWIW Nothing in this article suggests this law applies to people using a third-party service. Only to the service provider.

@moparisthebest @joinjabber @msavoritias

I guess I don't understand how that works. Someone on the platform uses encryption and a prosecutor can use that as evidence the platform is facilitating that person's transfer of illegal material without also using that against the person themselves?

Even if something like that is the case, it's still an example of people assuming that taking positive action to use encryption indicates possible wrongdoing, whether or not it can be presented as evidence against the individual in court today.

> Someone on the platform uses encryption and a prosecutor can use that as evidence the platform is facilitating that person's transfer of illegal material without also using that against the person themselves?

IANAL. But my rough understanding is that this digitally illiterate bill;

a) only targets service providers (not users) by making holes in Section 230 (Safe Harbour for platforms hosting third-party content with moderation).

(1/3)

@moparisthebest @joinjabber @msavoritias

IANAL. But my rough understanding is that this digitally illiterate bill;

b) whether the E2EE is on by default or not makes no difference. If the service offers it, this bill would make them potentially liable for accusations of use involving CSAM.

(2/3)

@moparisthebest @joinjabber @msavoritias

> taking positive action to use encryption indicates possible wrongdoing

If people have fallen for this wrong-headed notion, you've got a more basic problem than legal risk from bills that will hopefully never pass.

Ask them if drawing the curtains before getting undressed indicates possible wrongdoing. Turning on encryption, just like choosing a service that uses it by default, is just the digital equivalent.

(3/3)

@moparisthebest @joinjabber @msavoritias