sarahjamielewis,
@sarahjamielewis@mastodon.social

I really, really don't want to be calling out specific people or projects, I don't think it's a useful thing to do - but it makes me so sad to see people, whose work I deeply respect, volunteering/writing/promoting a tool whose privacy claims are fundamentally unsound.

Privacy tools that are metadata resistant are essential, but please technically vet the projects you are promoting.

sarahjamielewis,
@sarahjamielewis@mastodon.social

I feel like the one major lesson I learned from the crypto-hype era is that most people don't care about technical arguments, at all.

There are projects tackling hard problems using sound methodologies, there are projects talking about hard problems and selling a story (either intentionally, or because they don't know any better).

There is a difference between those two kinds of projects and I wish more people cared about that.

sarahjamielewis,
@sarahjamielewis@mastodon.social

I don't want to "name and 'shame'" such projects because it doesn't work, they thrive on the attention and few listen to the actual arguments anyway.

The system I see people promoting is "not-even wrong", it cannot do what it claims to do because that is not how the universe works. The key claims rest on axioms that are not practically possible.

I too could claim miraculous system properties if I could assume everyone magically and securely exchanged key material before using my system.

sarahjamielewis,
@sarahjamielewis@mastodon.social

Usually I wouldn't say anything, there are so many bad privacy projects out there, I get asked about them all the time and they are just a fact of life in this space.

But there is a blog post going around, advertising this project and it's gained enough traction within a community I deeply care about that I need to at least say something.

Please do some due diligence before promoting unsound privacy tools. People rely on these tools. People trust their lives to these tools.

sarahjamielewis,
@sarahjamielewis@mastodon.social

And as experts and participants in this space you have a responsibility to give a damn about that.

sarahjamielewis,
@sarahjamielewis@mastodon.social

A few people have asked for specific details, and I'm not going to call out a specific project; however, someone asked about general red flags and I will list a few here:

Beware of "metadata resistant" privacy apps that:

  • Advertise Real time Audio / Video.
  • Have Offline messaging on mobile / without self hosting some kind of server
  • Have "No Identities"
  • Rolled their own onion-routing
  • Rolled their own mixnet
  • Implement offline storage with 3rd party servers that is somehow efficient.