New Privacy Controls for Riot!

Riot.im
Sep 27, 2019


Riot Web 1.4.0 is out today (with Android and iOS to follow shortly), landing a range of enhancements and powerful new features to make sure you’re always informed and in control of how, when, where and why your data is processed.

Riot and Ancillary Services

As you probably already know, Riot runs atop Matrix and Matrix is a decentralised, federated instant messaging network.

What might be less obvious is that Riot/Matrix uses a range of services to provide all the features you’d expect from a traditional chat application, but in a decentralised, federated manner. If you’re using Riot to connect to the matrix.org homeserver today, chances are you are making use of some of the following ancillary services:

Identity Server

New Vector runs an identity server to provide a public user directory. You can use the identity server to:

  • publish your contact details so your contacts can find your Matrix ID by looking up your email address or telephone number
  • invite your contacts using their published email addresses rather than their Matrix ID
  • on Riot Mobile, compare your local contacts list against an identity server to see who is already using Matrix

Integrations Manager

The New Vector integrations manager (“Modular”) connects additional services into the Matrix ecosystem, such as bots, bridges to other networks, widgets and sticker packs.

STUN Server

Part of the magic that directly connects one Riot user to another for 1:1 VoIP calls: Riot asks a STUN server to discover the client’s own public-facing IP address and port, which it then offers to the other party so the two can connect peer-to-peer.

What does this mean for data privacy?

If you’re using Riot to connect to the matrix.org homeserver, it doesn’t actually mean a lot — you’ll have seen the New Vector homeserver privacy policy when you signed up, which explains how these services work together and how your data is processed.

If you’re using a Riot instance or homeserver from another provider, however, then unless the provider has taken careful steps to configure their service and has explained to you clearly the implications of that configuration, your data could have been shared with services run by other providers (such as New Vector) without your explicit awareness.

As per our blogpost back in July, users on other homeservers were temporarily blocked from using the New Vector identity server (and all identity server data relating to such users was deleted). The changes we’ve released today have allowed us to once again open up our identity servers to non matrix.org users, without fear that users’ data will end up on our servers without their awareness or understanding.

What changes will I see in Riot?

Securely Comparing your Contact List on Riot Mobile

Riot mobile can now securely compare your local contact list against a Matrix identity server by hashing all contact details before sending them to the server.

Instead of asking the identity server whether it knows a Matrix ID for alice@example.com, your Riot client now sends a hash of ‘alice@example.com’:

[Image: an artist’s impression of a hashed email address]

If Alice has published her email address to this identity server, it will have calculated the same hash and can reply with her Matrix ID. If the identity server has never heard of Alice, it holds no matching hash and the value tells it nothing directly. (Because an email address is low-entropy, a bare hash of it could still be guessed by anyone who tries likely addresses; the v2 lookup API therefore mixes in a server-chosen pepper, which makes precomputed tables useless, and the server only ever receives hashes, never the addresses themselves. Read the hashing as keeping unknown contacts out of the server’s hands and logs, not as strong secrecy against a determined operator.)
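The lookup described above, as an added example that is not Riot’s or any identity server’s own code. It follows the hash construction of the Matrix identity service v2 lookup API (SHA-256 over "address medium pepper", encoded as unpadded URL-safe base64) and the hash_details / lookup request shapes; the in-memory identity server, the contact list and the Matrix IDs are constructed stand-ins so the block runs offline, and the pepper rotation and error name are modelled on that API.

```python
import base64
import hashlib
import secrets


def hash_address(address: str, medium: str, pepper: str) -> str:
    """Hash one contact the way the v2 lookup API does: SHA-256 over
    "<address> <medium> <pepper>", encoded as unpadded URL-safe base64.
    The server-chosen pepper stops a leaked table of hashes from being
    matched against a precomputed dictionary of likely addresses."""
    digest = hashlib.sha256(f"{address} {medium} {pepper}".encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class IdentityServer:
    """Toy in-memory identity server (constructed stand-in, not Sydent)."""

    def __init__(self):
        self.pepper = secrets.token_urlsafe(16)
        self._published = {}  # (medium, address) -> Matrix ID

    def hash_details(self):
        # GET /_matrix/identity/v2/hash_details: the client fetches the
        # current pepper and supported algorithms before hashing anything.
        return {"lookup_pepper": self.pepper, "algorithms": ["sha256"]}

    def publish(self, medium, address, mxid):
        # Alice chose to publish her address; only then does the server
        # hold anything a client's hash could match.
        self._published[(medium, address)] = mxid

    def rotate_pepper(self):
        # Operators rotate the pepper periodically; clients must re-fetch it.
        self.pepper = secrets.token_urlsafe(16)

    def lookup(self, algorithm, pepper, addresses):
        # POST /_matrix/identity/v2/lookup: only hashes arrive here.
        if algorithm != "sha256":
            raise ValueError("M_INVALID_PARAM: unsupported algorithm")
        if pepper != self.pepper:
            raise ValueError("M_INVALID_PEPPER: fetch hash_details again")
        table = {
            hash_address(addr, medium, self.pepper): mxid
            for (medium, addr), mxid in self._published.items()
        }
        return {"mappings": {h: table[h] for h in addresses if h in table}}


def find_contacts(server, contacts):
    """Client side: hash the local contact list with the server's current
    pepper, send only the hashes, and map the replies back to contacts.
    `contacts` is a list of (medium, address) pairs."""
    pepper = server.hash_details()["lookup_pepper"]
    hashed = {hash_address(addr, medium, pepper): (medium, addr) for medium, addr in contacts}
    reply = server.lookup("sha256", pepper, list(hashed))
    return {hashed[h]: mxid for h, mxid in reply["mappings"].items()}


if __name__ == "__main__":
    ids = IdentityServer()
    ids.publish("email", "alice@example.com", "@alice:example.com")
    # Constructed contact list: Alice published her address, Bob never did.
    print(find_contacts(ids, [("email", "alice@example.com"), ("msisdn", "447700900123")]))
```

Only the entry for Alice comes back; Bob’s hash matches nothing and is simply absent from the mappings. If the server rotates its pepper between hash_details and lookup, the lookup is rejected and the client starts over with the new pepper, which is why the client fetches hash_details every time rather than caching the pepper.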

Terms of Service for Connected Services

We’ve enhanced both the identity server and the integrations manager to support requiring users to indicate that they have read and agreed to the service’s policies before use.

[Image: you’ll have to read the privacy notice before sending “alice@example.com” via the identity server]

You’ll see an independent prompt for each service when you first do something that requires the use of that service, e.g.:

  • Invite somebody to a room using their email address
  • Publish your email address or telephone number to an identity server
  • Add or use a widget
  • Provision a bot or bridge
  • Send a sticker

[Image: read and agree, read and agree.]

Choose your Own Identity Server

With the latest release you no longer select an identity server at login or registration time. Instead, you can now manage your use of an identity server in user settings:

[Image: choosing an identity server in user settings]

Riot will be configured to suggest the New Vector identity server (vector.im) by default, but it will not share any details with this server until you have read and accepted the service terms. You’ll be prompted to review the terms of service before using the identity server, and if you don’t want to use any identity server, you can click on the big red button to disable the feature entirely.

Choose your Own Integrations Manager

The latest release supports users changing their integration manager (again in user settings):

You can change your integration manager whenever you like — existing bots and bridges will continue to function, though widgets set up using the New Vector Modular integrations manager will no longer work for you. All new integrations will be provisioned using your newly chosen integration manager.

Prompt before falling back to new public STUN server

Connecting two devices for peer-to-peer voice and video calling is a complicated business. Historically, Riot would, having failed to connect to participants via every other channel, fall back to a public STUN server provided by Google.

We’ve now ditched Google as a fallback; instead, if everything else has failed, Riot will prompt the user asking if, as a last resort, they would like to fall back to a public STUN server run by New Vector:

[Image: yes, our public STUN server also runs on turn.matrix.org. No, this isn’t confusing.]

Using the STUN server shares your public IP address (and the port the STUN server observes) with New Vector when you make a VoIP call.
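What a STUN exchange actually reveals, as an added example that is not Riot’s or the STUN server’s own code. It builds an RFC 5389 Binding Request and decodes the XOR-MAPPED-ADDRESS attribute from a Binding Success Response. The response is constructed inline so the block runs offline; a real server fills that attribute from the source address and port it saw the request arrive from, which is exactly the data the prompt above asks you to consent to sharing.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442      # fixed value in every RFC 5389 header
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(transaction_id: bytes = None) -> bytes:
    """20-byte STUN header: type, attribute length (none), cookie, 96-bit ID."""
    if transaction_id is None:
        transaction_id = os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, transaction_id)


def build_binding_response(transaction_id: bytes, ip: str, port: int) -> bytes:
    """Constructed server reply (stand-in for a real server) carrying the
    reflexive address, i.e. the IP:port the server observed the request from."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)   # reserved, IPv4, X-Port, X-Address
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, transaction_id) + attr


def parse_reflexive_address(response: bytes, expected_txn_id: bytes):
    """Return (ip, port) from XOR-MAPPED-ADDRESS, checking the reply matches our request."""
    msg_type, length, cookie, txn = struct.unpack("!HHI12s", response[:20])
    if cookie != MAGIC_COOKIE or txn != expected_txn_id or msg_type != BINDING_SUCCESS:
        raise ValueError("not a Binding success response for our transaction")
    body = response[20:20 + length]
    offset = 0
    while offset + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + alen]
        offset += 4 + ((alen + 3) & ~3)           # attributes are padded to 4 bytes
        if atype == XOR_MAPPED_ADDRESS and len(value) >= 8:
            _, family, xport, xaddr = struct.unpack("!BBHI", value[:8])
            if family != 0x01:                    # only IPv4 handled in this example
                continue
            port = xport ^ (MAGIC_COOKIE >> 16)
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, port
    raise ValueError("no XOR-MAPPED-ADDRESS in response")


if __name__ == "__main__":
    txn = os.urandom(12)
    request = build_binding_request(txn)
    # Constructed reply: what the server would send after seeing us at 203.0.113.7:51234.
    reply = build_binding_response(txn, "203.0.113.7", 51234)
    print(len(request), parse_reflexive_address(reply, txn))
```

The XOR with the magic cookie is not encryption, only a way to stop NATs rewriting the address inside the payload; the operator of the STUN server sees your address in the clear as the UDP source, and the decoded value is what Riot hands to the other call participant.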

What changes won’t I see in Riot?

You won’t see the huge amount of effort that went into decoupling the identity server from registration and password reset! This was one of the trickiest parts of the privacy effort, but should be barely perceptible in daily use 😁

The Riot work is also just one part of a larger Matrix privacy sprint — you can read all about that on the Matrix blog.

What’s still to come?

We’re still working through a few items in phase 2 of the privacy project. The most significant of these are:

Prompting users each time before they send data to an identity server or integrations manager which does not expose policy documents.
Right now it’s up to the identity server or integrations manager provider to add the terms of service to their configuration — if they don’t, Riot assumes the service has no terms that need accepting and goes ahead and uses the service anyway. The next step is to prompt users each time before this happens, unless the user positively indicates that they trust the provider.

The ability to disconnect from an integrations manager entirely
At the moment you can choose between integrations managers, and you can refrain from sending personal data by not accepting the terms of service (or simply by not using the integrations manager). The next step is to make rejecting integrations managers entirely as simple as it is for identity servers.

Over the next few weeks we’ll likely continue to make some changes to the new privacy APIs behind the scenes, so make sure to keep your Riot up-to-date for the most reliable experience!

Keep watching this space!

Now that this privacy sprint is nearing an end, we’re planning to return our attention to cross-signing (which will dramatically lighten the burden of verifying devices) and improving the first time user experience for Riot. Stay in touch, and keep that feedback flowing!
