Using (and understanding) Matrix chat

Why this page?

Hi, I'm Martin, Cohort 3. I take an issue with us EHF people using WhatsApp to chat. You can find some of the reasons further down.

I've been closely following the development of the Matrix.org project since its inception, which I'd like to pitch to you as an alternative, because it's independent, doesn't abuse your data, and therefore is truly free to use and adopt.

We're self-proclaimed changemakers, and it is my hope that in crafting this document, I help you lead change around you, first by adopting Matrix yourself, and then helping others freeing themselves by doing the same.

Let's work together

This is a collaborative document, which anyone can edit (the document is under a copyleft licence). You can also leave comments. If you find an error, please fix it. And if something is unclear, then don't hesitate to leave a comment, and I'll try to follow up. If I don't, please prod me!

What is Matrix?

Matrix is an open protocol for instant messaging. It allows people across the Internet to chat and share media with each other, whether in 1:1 (so-called direct chats), or in "rooms" uniting any number of people.

Similar to e-mail (where the protocols are called "SMTP" and "IMAP"), Matrix allows you to choose between any number of available clients. The most common client these days is called Riot, and we'll get to that shortly. But you can run any other client, or multiple ones at once, all connecting to the same account, thanks to common protocol they all speak.

All your clients will be in sync with each other. The chat history will be accessible from all, and you can obviously search it.

Furthermore, Matrix is a federation, which means that users can communicate with each other, independently of where they choose to host their accounts (from e.g. this list of public Matrix servers, which, again, is similar to e-mail. This means that you will never be dependent on a single provider, nor limited to the set of people with whom you can interact.

And the Matrix protocol allows for more than simple chat and media exchange. You can make voice calls, host video conferences, and integrate applications into your rooms to help with collaboration.

Matrix even allows you to bridge with other protocols, allowing you to interact with people on other platforms using one and the same client. Among the most popular bridges are Slack and IRC (don't worry if you don't know what that is), and it's also possible to link up with Skype, WhatsApp, Google, and many other services. One client for all of them. How cool is that??

Of course, Matrix sports end-to-end encryption, which translates roughly to "nobody between the communication devices can eavesdrop on anything said, or infer anything about the channel."

Finally, Matrix, which originated as an open-source project inside a big telecommunications corporation, has since been placed under custody of The Matrix.org Foundation, where it is safe from abuse by advertisers, data miners, and governments.

What is Riot?

Riot is the glossy, most featureful Matrix client available today. It comes in various forms:

• As a web application;
• As Android app from F-Droid or the Play Store. Only the latter can do push notifications via Google, which you might want to avoid. The F-Droid version works by regularly polling for new messages, which works just as well.
• For iOS from the AppStore;
• For the desktop (in form of an Electron app).

For now, I can recommend that you check out the information available on the Riot webpage, and we'll be setting you up with an account using Riot in just a minute.

What's wrong with WhatsApp, Telegram, Signal, & Co.

Let's be honest here: this is not supposed to be a platform for my idiological venting, as much as it's tingling in my finger tips. No! We're here to get you started using Matrix. However, you might care to know just why I'm asking you to do that. There are good reasons to avoid those platforms, and I'm happy to provide some background, but in the interest of flow, I'm postponing my treatise of "the why" to the end of this document. I'm more than happy to elaborate in person, too, when we meet the next time. Make sure you have an exit strategy, or just tell me when the flood gates must close again.

How to get started

You can use Matrix from either your desktop/laptop computer, or your phone, or both. But choose one to get started. You can then easily add the other later, and the two will always be in sync.

We will be registering a new account in the following. If you've already made an account, you obviously need to sign in using the appropriate credentials instead of creating a new account. So if you want to use Matrix on multiple devices, follow the steps down below on one, and then sign in to the account on all the others.

Using Matrix on your laptop/desktop

The Riot client can be accessed with any browser, or downloaded as a stand-alone application. For your first steps, it's probably easiest to just use the browser to register, so open up a new window and point it at https://riot.im/app/#/register ← right-click this, and select "Open link in new window".

Similar to your email address, your username will later consist of both, the server you picked, as well as the username chosen. So if your desired username is already chosen on matrix.org, you could just register with another server. Note that it's currently not trivially possible to rename or move your account to another server, so think twice before registering douchebag on the hypothetical idiots-united.org server.

After choosing a username and entering a (strong) password twice, you have the option to provide an email address. Doing so will allow you to reset your password, should you ever forget it, and it'll also let others to find you on Matrix using your email address. You can change the address provided later. I recommend you provide it, that is if you trust the operators of the server you chose not to abuse it. I can vouch for the matrix.org folks (and for myself, of course).

Once registered, you'll be taken to the main screen, which will look not entirely unlike the following:

A good thing to do next is to set a display name and upload a photo of yourself, which will make interacting with you more personal, and help people identify you in a full room. To do this, click on the down arrow next to your name at the top left, choose "Settings":

This will open the settings dialog where you can modify your personal information, add and remove email addresses and phone numbers associated with your account, and configure a slew of other preferences:

Click on the photo (or the lack of a photo) to change it. Thanks for that. It really helps.

Now you are all set and you can start joining rooms, inviting people, and chat away, for instance by joining our EHF's general room accessible with the address #ehf:madduck.net. Obviously, if you are reading this, but you're not affiliated with the EHF, please respect our privacy and join another room, such as #matrix:matrix.org.

You might first want to read up on some of the concepts in use, before you get confused about what's going on.

Using Matrix on your phone

Riot exists for both major phone operating systems from their respective app stores:

• Android: F-Droid (preferred);
• Android Google Play Store;
• iOS: AppStore;

You may be asked to share your phone number, depending on which server to choose — the default server will do this, simply as a means to avoid nonsense registrations. If you don't like it, choose another server (such as mine). Having your phone number stored will, however, make it easier for others to find you on Matrix.

Once you've signed up and find yourself within the app, it's a good idea to open the settings and set a display name for your account, as well as upload a portrait of yourself. This will make interactions with you more personal, and help identify you in a room with multiple people.

Then come on over to the EHF's general room accessible with the address #ehf:madduck.net. If you're reading this on Android, you can probably just click on the link; With Apple, it seems like you have to copy-paste. Obviously, if you are reading this, but you're not affiliated with the EHF, please respect our privacy and join another room, such as #matrix:matrix.org.

You might want to read up on some of the concepts in use, before you get confused about what's going on.

Understanding basic Matrix concepts

Accounts like @user:server.org

Let's have a quick look at some of the concepts used around Matrix. You've just made an account. Accounts consist of a username and a server, and they are written in the following format: @user:server.org. This might seem weird at first (why not user@server.org??). The reason is that it's still a username, and as per convention (think @-mentioning), this syntax was chosen. Also, the goal is to hide this detail from the user eventually and let people find each other using e.g. email addresses and phone numbers. But we're note quite there yet.

Rooms like #room:server.org

Users (accounts) congregate in rooms. These can be either one-on-one, in which case they are called direct chats, rooms with a few users, or even ones comprising thousands of users, such as the main Matrix discussion room #matrix:matrix.org. As you've already gleaned, rooms are preceeded with a hash symbol: #room:server.org, and the resemblance of a "hash tag" is intentional, as rooms generally exist around a specific topic.

Note that a room can have multiple addresses, and there is no "home server": #room:server.org is not "owned" by server.org, and #somethingelse:anotherserver.com might refer to exactly the same room, meaning that the room would now be synchronised completely between the two servers.

Room administrators and moderators

If you look at the member list of our room, you'll notice that I carry an orange star badge:

This is because I am an administrator of the room, and can control access and settings. There are also other roles, such as moderator roles, but we won't need them just yet, and so I'll leave it at that for now.

Multiple devices

Maybe another thing worth pointing out at this stage is that a Matrix account can have multiple devices associated with it. For instance, you might be logged in on your desktop, on your laptop, and on your phone, all at the same time, and be able to participate in the same conversations, without your peers really noticing what device you are using. Therefore, Matrix is useful on the road, just as it is a great platform for intense collaboration from your desk, and you can start a conversation from your desk, and seamlessly continue chatting as you head out to catch the bus.

There's more to Matrix (bridges, integrations, bots, apps, stickers, …), and I might add more later, but for now that's all you need to know.

Usability and bugs

Even though a lot of excellent work has gone into the user experience of Riot, the resources available to The Matrix Foundation don't match those available to private companies, such as Facebook, Slack, or Microsoft, who can and do invest huge sums into usability research.

And it's also worth pointing out (again) that what Matrix is doing is vastly more complex than what any of the centralized services offer, and this means that the folks developing this software cannot always follow the same paradigms you've come to know from using WhatsApp, or Slack (which by the way both also behave differently from each other). Keep an open mind. Matrix is ground-breaking in what it does.

Matrix and Riot are pretty young, and even though hundreds of thousand of people use both on a daily basis, there are still bugs here and there, and things to improve.

But here is the thing: whereas the folks at Facebook or Google won't support you, open-source software is built around a community of people eager to help. As long as you've done your research and you're asking questions the smart way, you'll be surprised as to how quickly others jump to help, around the clock, and for free.

And whereas you have little to no chance to get your feedback to the folks at Facebook or Apple or Microsoft, and they won't just implement an idea you've had, the world of open-source software is all about that. Be warned: it gets addictive quickly.

The feeling of reporting a problem and having it fixed, sometimes within an hour, is second to none. And while a prime motivation of open-source software developers is scratching their own itch, they are also often genuinely interested in improving their software for their other users. So if you have an idea how something could be improved, or a functionality that could be added, bring it up!

What this means for you is that when something doesn't work, or doesn't work quite the way you expect or like it to, don't learn to deal, like you've probably grown used to.

Instead, bring it up with the other users, in our community, or beyond. And if a problem persists, let the developers know. I'll be very happy to hold your hand and show you how to best do that.

Properly encrypting your chats (end-to-end)

End-to-end encryption means that nobody between the two endpoints can eavesdrop on a message. It's like when you and a friend use a secret cipher to encode the text you put on postcards, preventing the postpeople in sorting and delivering the card from deciphering what you've written to each other.

Matrix sports state-of-the-art end-to-end encryption (as do WhatsApp, Signal, and all the others by now). That's the good news.

The bad news is that encryption in Matrix is a lot more complicated then elsewhere, due to the decentralized, federated nature of the protocol, as well as the multi-device support I mentioned earlier. As a result, it's taken a lot longer to surmount all the challenges, and especially even out the rough edges in terms of usability.

For this reason, chatting in Matrix is not encrypted by default, and neither is the

We're working on it, and I am certainly not here to draw you onto an unencrypted platform, but I am going to delegate the subject to a future me, and keep the discussion at the end of this document.

Comparing Matrix to Hivebrite, Loomio, Slack

The EHF's community site is powered by "Hivebrite", which is a community portal that combines membership functionality (directory services, as well as administrative backend stuff) with a discussion forum, designed for sharing longer messages that stay around, and which can be commented on.

Loomio is also more of a forum, except it focuses on decision-making, and provides much better moderation and curation tools than Hivebrite.

Neither of these two can really be compared to Matrix, which is more about synchronous discussions. Even though you can search for messages across rooms, and it's possible to reply to individual messages, there is no concept of discussion threads. Rather, instant messaging, like WhatsApp, is more about quick exchanges and coordination. And while it is possible to include apps in Matrix rooms to enable e.g. collaborative editing of documents, that's not really in focus at this stage.

Which leaves Slack (and Mattermost, and RocketChat, and probably others). These are indeed very similar to Matrix, with some features Matrix doesn't have, and without some that Matrix does support.

It's especially hard to position Matrix against Slack, which has been a massive success in terms of adoption. However, Slack is a centralised service, with control over all your data (message history etc.), locking you in, and exposing you to their price control and privacy policies.

Also, they can and do read along, or let others read messages, including those that appear to be private between two people. For instance, it's part of Slack's business offering that the CEO may read everything, including private chats between employees, and this is not only a problem because people are generally not aware.

While Slack is a classic walled garden, Mattermost and RocketChat come as open-source projects, allowing you to run your own server. However, there is no federation between them, so you will only ever be able to interact with people who also have an account on the same server as you.

Matrix has the concept of bridges, which allow you to connect Matrix rooms with rooms on other platforms, including Slack, Mattermost, and RocketChat. And so while these platforms won't allow you to reach out to others, as a Matrix user, you'll be able to integrate them, and collaborate with those locked in to these services.

Taking stock

This document started out to be a one-pager, and that was naïve. Well, technically, it's still a single web page

I also hope that you are now in a better position to understand Matrix, and why it's a preferable option over WhatsApp, especially for a group of self-proclaimed changemakers like us.

Go ahead, choose the green pill!

Copyright & Licence

This document is Copyright © 2019 by Martin F. Krafft <mail@martin-krafft.net>. You may use it freely under the terms of the Creative Commons Licence Attribution-ShareAlike 4.0 International, meaning that you can distribute it, even in modified form, as long as you give credit, and your work is placed under the same permissive licence.

Appendix

What's actually wrong with WhatsApp, Telegram, Signal, & Co.

You might now be thinking: "I'm already using a chat app, why should I get down with this one?" And you're probably fatigued of installing yet another app, setting up yet account with yet another password to remember, and you simply don't have the time and energy to invest into learning a new tool…

So let me tell you what's wrong with the apps you're already using, at least according to my perception. In some ways, this will be similar to your doctor telling you to live a healthier life, and all your New Years' resolutions, and I won't be able to help you actually put things to action.

But I can give you a better data basis, and thereby hopefully enable you to make a more informed choice.

Quite likely, you are already in the habit of using any or some or all of the following services to chat with your friends, family, and colleagues:

• WhatsApp / Facebook Messenger
• Google Hangouts
• Skype
• Threema
• Telegram
• Signal
• … (those are the most popular ones, I think)

All of these are lock-in services (also called walled gardens), and they are proprietary. Let's dive into what that means for you, and the people you know:

Walled gardens: locking you in so you can be milked

All of these services are unfederated, centralised services, meaning that you can use them to interact only with people who also have signed up to the very same service. Given the ubiquity of e.g. WhatsApp, this isn't much of an issue to most, but there is a price to pay: WhatsApp is owned by Facebook, and by centralising their service offering, you are being forced to go via their servers, always. Not only does this mean that when they go down, everybody is affected; The chief reason for companies like Facebook to enforce centralisation is so that they can mine your data, and there is nothing you can do about it.

Put differently: while WhatsApp (and the others) appear to be free services, you can only talk to others if you are willing to let Facebook in on who your friends are, and let the company keep a close watch of your browsing and shopping habits, as well as your general interests. By using WhatsApp (or other such platforms) to engage with others, you are also implicitly forcing them to give up their own privacy, and when others choose such platforms to contact you, they are implicitly forcing you to do the same.

Proprietary services: intransparent, and not accountable

All of the aforcementioned chat services also force you to install their very own chat client, which comes in the form of an app. An app is a piece of software that only computers can read. A human has no reliable means to find out what an app actually causes your computer (or mobile phone) to do. This means that you have to trust the issuer of the app that it does what they promise (and does not do what you wouldn't expect).

For instance, while all of the above chat platforms support end-to-end encryption (channel security between devices), you don't actually know what happens on your device; Facebook — or a state actor — could just as well leave the communications encrypted, only to then send the decrypted content you read and write on your screen directly to their data machinery. And you would have no way of knowing.

Did you know that by using WhatsApp, you consented that the app upload your entire address book to Facebook at regular intervals, thus giving them nigh perfect insight into who you know? What's more, you just gave permission to Facebook touse contact details of other people, such as their address and email, maybe even photo and birthdate, to Facebook without their knowledge or consent.

Open source & open standards to the rescue

At this stage, some of you might say "oh but wait a minute, Riot also comes as an app", and you're right: the app you downloaded is computer code, just like all the other apps. However, the human-readable source code, which was used to generate the computer code, is publicly available (whereas Facebook guards the source code of WhatsApp behind closed doors). In theory, anyone can study the code and verify that it does precisely what it should, nothing more, nothing less, and nothing else. Furthermore, you can build your own app and choose to ask your mobile phone to run that instead. But don't worry, you neither have to read code, nor build the app yourself; Hardly anyone does this, but the fact that it's possible already raises the security barrier a great amount, making it nigh impossible for state actors or commercial players to insert code that they wouldn't want you to know about, without being caught.

With me so far? Great! Because now it's time to confess that some of these services, especially Signal and Telegram, pride themselves as being open-source tools, and it's true that the companies behind both of these products have published source code, as well as the pre-built apps.

However, what you don't know, and what you cannot find out is whether the source code published is actually the code used to build these apps, and you have no way of finding out.

Furthermore, you cannot build your own app from the source code and use that, because both companies explicitly forbid and prevent this. Not exactly trust-building measures, if you ask me. These companies have opted against an open standard by closing off their ecosystem, whereas a proper federation builds on open standards, and incidentally also invites innovation to thrive in doing so.

Alright I get it. But I don't mind the ads. And I have nothing to hide anyway…!?

It's beyond the scope of this article to dive into how targeted ads drive consumerism, or how the tech giants and advertising companies exploit echo chambers to grab and maintain your attention.

And while it might be true that you feel like you have nothing to hide, the reality is that you do, you might just not be aware. Everyone has secrets, and intimacy, and the fact that they are yours only is part of what makes us human. Or are you willing to share your intimate secrets, your tax returns, your bank details, etc. with anyone? Mark Zuckerberg himself isn't (watch this 30s clip…).

Hopefully you'll never experience the situation when a piece of personal information leaks to the public, because you'll never be able to take it back. And you cannot really put a price on such damage before it happens. You can probably ask Monika Lewinsky about that, as one of the strongest survivors of such a personal disaster.

What should be of concern to you, and all of us, however, is the way in which data, such as collected by Facebook (and others), have been sold and abused to influence the political landscape, as evidenced by the Cambridge Analytica scandal, as well as the role that WhatsApp specifically played in the election of alt-right nationalist Bolsanero as Brazil's president. Facebook (and others) to date have failed to address the problems around fake news.

And it goes without saying that technology such as Matrix per se isn't immune to similar abuse. However, just like bulk e-mail isn't anywhere near as effective as the targeted communication enabled by WhatsApp (and others), the federated, decentralised nature of Matrix makes it a lot harder for attackers than to target just a single, central service. It's a lot easier to spread your messages at a town hall meeting, or during school assembly, than to figure out the phone number of everyone you want to address, and call them individually.

And now we all take a deep breath, please.

Done? Great. Then, if you aren't using Matrix yet, here is how to get started.

Matrix and end-to-end encryption

Warning: this entire section is still work in progress

Complexity impedes upon usability

Warning: this entire section is still work in progress

And I would appreciate being able to tell you why. And when that might change.

While the encryption algorithm in use can be considered finished and ready for production (it's been audited and certified), hiding all the complexity around it from the user so as not to impede upon the usability continues to be hard.

Our encrypted room

Warning: this entire section is still work in progress

We've encrypted the EHF early adopters' room, because we won't compromise on end-to-end encryption, and I also hope to learn from you about usability, and hopefully be able to channel some of the insights gained upstream.

When you join, you won't be able to decrypt previous messages, because they weren't encrypted to you. Theoretically, we could share the necessary key material with your device, but that's anything but trivially done, so let's just leave it at that.

Another thing you might notice about our room is the exclamation-mark-on-a-lock icon at the top:

If you hover over, you'll see a note saying "Some devices in this encrypted room are not trusted."

And if you send a message into our room, then you'll be told about untrusted devices, and asked whether to "send anyway". Gosh, how annoying. Are you reminded of the days of security warnings when browsing the Web, and did you click "send anyway", just like back in the days you'd hit "OK" without really understanding the implications?

Please allow me to explain what's going on, because otherwise you'll end up screaming at Riot, compare it to WhatsApp, which seems to have solved this (they have not, they didn't need to, and I'll explain that too), and possibly throw out the baby with the bath water.

Strap yourself in firmly, we're about to descend into the innards of encryption, into perhaps the hardest part of it, short of the actual mathematics involved. We're going to talk about trust.

Device trust

Warning: this entire section is still work in progress

As I wrote earlier, the encryption algorithm works flawlessly (which does not mean that bugs won't be found). However, the best encryption algorithm is useless, if you are unkowingly encrypting your secrets to the wrong recipient.

You've registered an account earlier on, and then configured a display name. What did you write? Did it occur to you that you could have written "Jacinda Adern" in an attempt to impersonate our acting prime minister?

tags: ehf old