Björn Schießle @bjoern

"The question is whether we’re ready to exercise our data sovereignty, or whether we’re content to play passive victims while surveillance capitalism extends ever finer threads into every corner of our lives." - The solutions are out there, we just have to use them... Signal instead of WhatsApp, Diaspora instead of Facebook, Mastodon instead of Twitter... You have the choice. theguardian.com/commentisfree/

@bjoern It's really nice to see some more mainstream media taking this on in exactly *this* way now. Still there's work to be done. Should we "simply" have people switch one network with the other? Privacy and data protection don't just need more and different tools (even though they will most likely help) but most of all more awareness of who I provide my data to and why I trust them...

@z428
I agree that we need more awareness. But we also have to make sure that we don't ask for too much. All this is still quite new. People need time to understand the impact of new technology and even more time to develop a general idea about it. How long did it take until we reached a general consensus that it makes sense to protect our environment, that waste separation makes sense, etc.? That's why I think it's important to show people easy ways forward in order to make a difference.

@bjoern Definitely. :) First and foremost I still and firmly believe we would need "end-user-proof" solutions just like WhatsApp, Facebook, ...: Download an app, sign up with two clicks, immediately see who in your environment is around there. Actually even the fact that the latter didn't work is something that always prevented me from successfully "converting" people to #xmpp or #diaspora so far. A load of the current #fediverse discourse is way too technical for that, right now...

@z428
That's one of the reasons I recommend Signal for now, even though personally I love XMPP.

@bjoern Same here, but even with Signal I repeatedly end up in strange disputes: Non-techies wonder whether they need "yet another messenger" (besides WhatsApp where "everyone is"), and techies more into details complain that Signal shouldn't be used because it depends upon Google services (GCM) to work. :|

@bjoern @z428 Why not recommend Riot / Matrix? It's user-friendly enough to not scare most users away and it's open source but also decentralized (which Signal is not AFAIK).
IMHO it's also reliable and has lots of features like VoIP, video calls, bots, integrations and bridges.
For example there's a bridge for #Slack which could also aid in helping people change to another ecosystem. I think this should be supported.

@herrgnatz @bjoern Actually this is what I am trying right now; the Cambridge / Facebook affair has made people a bit sensitive and Slack is not something *everyone* wants here. At least internally I haven't given up here so far. Talking (WhatsApp) end users, this is different however...

@herrgnatz
Riot is definitely an option, like many others as well. I just picked the ones which are most known and already in use by a large group. Because I think this way you can have the biggest impact. But that doesn't mean that Signal, Diaspora and Mastodon are the only options or for everyone the best options.
@z428

@bjoern @z428 I absolutely understand that, but I don't think that Signal with its centralized nature is a good choice. If you talk people into using that now and later on something like this happens, you'll have a hard time to get them to change their messenger of choice, again…

@herrgnatz @bjoern That's what I mean. And this is where non-technical people and even a load of "slightly technical" people are out and resort to using WhatsApp or Threema because it's considered too much effort to convince a substantial amount of people. Personally, I think people will switch as soon as there is *one* really good alternative that is feature-wise on par with WhatsApp, Facebook, ... and better in terms of privacy.

@bjoern Signal is centralized and uses phone numbers for ID. Not great.

@raucao
It is a step forward. We can wait for the perfect solution (forever) and achieve nothing or start now to move in the right direction. This is a journey, not one hop from 0 to 100. All IMHO of course.

@bjoern Who said I want to wait? I'm using XMPP with OMEMO today, and it works better than Signal across my devices.

@raucao
I use it too and I love it. But in my experience it is not the right tool to pick up the vast majority of WhatsApp users out there, sadly. I want to show this group of people a way forward in a way that they feel comfortable to try it. If we get them to move we can take the next steps. But it is important not to ask for too much for the first step in order to start the process.

@bjoern If you ask them to move for nothing, then you have won nothing, no? Might as well help improve better solutions in the meantime and have people at least message each other with e2e encryption and good UX imo.

@raucao
I think you achieved a lot if you make people question stuff they took for granted until now and if they get used to trying something else. Experience that it doesn't hurt and it isn't less comfortable, etc. IMHO it's all about starting a process and moving in the right direction at the speed people feel comfortable with.

@raucao
It's the same with Free Software: if you start with a "FSF approved GNU distribution" you don't achieve much. Start with "let's try LibreOffice, Firefox, Thunderbird,...". Later maybe Ubuntu and so on. It's important to convince people to start a journey and make them feel comfortable in changing some of their habits.

@bjoern You're still not addressing my points at all. Signal is NOT the same as FF or LibreOffice at all. Both work without a central server that identifies users via phone numbers given out by corporations (and tied to real identities in many countries). Both don't leak metadata about who you communicate with to the central server.

@bjoern And there are other solutions out there that don't do that. For example Wire.

@raucao
I don't compare the software here, that's impossible but the approach how to lobby for a change.

@bjoern Cool. And I'm interested in actual change, as opposed to perceived progress that achieves nothing.

@raucao @bjoern Boxing is not just the punch, it's also the footwork. Moving people to free software is creating a foundation for moving people to more free software.

@bjoern I'm comparing risk profiles of the two, and so far I couldn't find a difference.

@bjoern On the other hand, tying accounts to phone numbers is actually worse in many ways imo. You do not own your phone number.

@bjoern Same for both, of course. But I think with WhatsApp, at least you can change it.

@bjoern I disagree that it's a step forward from WhatsApp. They're exactly the same thing now.

@bjoern In fact, WhatsApp is a big step forward from FB Messenger for a lot of people imo.

@clacke @bjoern Yes, but does it matter who owns the central servers that contain the metadata when it comes to encrypted messaging? There's not much to mine for advertising. Prism, gag orders, sysadmin gone mad, getting infra pwned, etc.; those are the risks I see for leaking personal communication metadata from both Signal and WhatsApp.

@raucao @bjoern I rate the risk for all of those higher with Facebook as the owner.

@clacke @bjoern There's literally zero difference, as I already showed with the list of risks. The ownership doesn't matter for those, but you did not address the actual risks I listed, and you did not add other ones, where FB would be more dangerous.

@raucao @bjoern

- Prism, gag orders: I trust Open Whisper Systems more than Facebook to challenge those. It was founded by and is still run by people who care about privacy.
- sysadmin gone mad, getting infra pwned: Open Whisper Systems is funded by donations and grants, they're not primarily a money-printing machine that can hire any sysadmin they like and still stay true to their primary goal.

But sure, WhatsApp is far better than using Messenger, Signal is a bit better than using WhatsApp and OMEMO/XMPP is far better than using Signal -- if you can get people to use it, and verify their keys.

@raucao
I think it is a step forward: Free Software, so e2e is verified. Notably less metadata leaked, no sync of the full address book, no big data silo which can combine this information with much more information from various sources, etc.

@bjoern 1) The e2e for WhatsApp was literally built by Signal. Did you read the Signal source code yourself, or hire someone to do it for the recent updates? 2) WhatsApp uploads exactly as much address book as Signal does. That's how they both discover that other users are using the program. 3) That metadata is the same regardless of what you combine it with, and you don't have to use FB for using WhatsApp.

@raucao
1) One is a black box where you have to trust the owner, the other one not; IMHO this makes a difference. 2) AFAIK that's much more than WhatsApp does: signal.org/blog/private-contac The last time I checked, WhatsApp synced and stored the whole address book. 3) IMHO it makes a difference: first, the metadata are different, see 2. Second, whether you can combine it with all the online and offline information from Facebook or not makes a difference as well.

@bjoern Hahaha, so you have access to the Signal server they run in production? That's a hilarious idea.

The combination of metadata depends on who collects it in the end. Facebook is not your adversary when it comes to risk of leaking that data. And with Signal it's tied to your phone number, for which in most countries you need actual ID now.

@raucao
I think we can agree on the final destination of the journey pretty easily but not on the approach how to motivate the vast majority of people to join the journey. That's not a problem. Let's try different approaches, everybody will collect some people on their way and we see each other at the final destination (hopefully).

@bjoern I'm not sure why you assume my approach is different. I'm merely pointing out that I'm happy with having people use encrypted messaging for now, and that Signal is not much safer in terms of risk imo, but I actually do have shitty UX issues with it all the time, while WhatsApp pretty much just works. Most people I know already use multiple messengers, depending on who they talk to. It's not as if installing an app is some great achievement or impossible task.

@raucao
OK, let's say the approach is the same but we define from time to time different step(sizes) and milestones :).

@bjoern Interesting blog post! So they already employ that technology preview? Would make it much safer indeed.

@bjoern It's still a black box when you download the Signal app from a store and connect to a server you don't run yourself, of course.

@bjoern

wire instead of signal

omemo instead of signal

autocrypt instead of signal

jabber texting instead of Legacy Texting

matrix instead of f*book

jitsi instead of skype

socialization instead of stalking

contributing instead of exhibitionism

conversing instead of voyeurism

peace instead of silence

counterintelligence instead of indifference

@bjoern Matrix or Conversations instead of signal, decentralization is important!