April 25 2024 GM

Glitter Meetups What are Glitter Meetups Notes from Past Glitter Meetups Virtual Events Calendar Join the TCU Mattermost

Quiet: A Secure Slack Alternative for Groups that Outgrow Signal

• Date: Thursday, April 25
• Time: 9am EDT / 1pm UTC
• Who: Holmes Wilson
• Facilitator: Mardiya
• Where: On TCU Mattermost "IF Square" Channel.
  • Don't have an account to the TCU Mattermost? you can request one following the directions here.

We will talk about Quiet, a team chat that Holmes Wilson is building for groups that need the privacy of Signal but also team management features like channels and organization-level access control, without running their own server. Holmes will give a short demo of Quiet in whatever format makes the most sense for folks attending. Quiet is built on Tor and does not require a server to work. Someday it will even work locally offline in an Internet shutdown scenario, at an office or in a meeting, for instance.

Holmes Wilson is an activist for Internet freedom and online privacy. Before starting Quiet, he was one of the founders of the US-based activism NGO Fight for the Future, which fought for stronger privacy laws and the right to encrypt in the US, and more recently has had big wins against biometric surveillance like face recognition in the US.

What is Glitter Meetup?

Glitter Meetup is the weekly town hall of the Internet Freedom community at the IF Square on the TCU Mattermost, at 9am EDT / 1pm UTC. It is a text-based chat where digital rights defenders can share regional and projects updates, expertise, ask questions, and connect with others from all over the world! Do you need an invite? Learn how to get one here.

Notes

What is Quiet and why did you start building it? What about the messaging ecosystem made you decide we need an alternative? That is what was the major or series of inspirations?

• Quiet (tryquiet.org) is an alternative to team chat apps like Slack and Mattermost. And we're building it for teams that want the security properties of Signal, but with team chat features like the ones we have here in Mattermost: stuff like channels, threads, and team level access control. Quiet also has some unique properties for security and resilience that I'll talk about more in a bit!
• It's important to say that Quiet is still a work in progress and hasn't been audited yet, so it shouldn't be used by anyone who needs security right now. But feedback from groups who need tools like this, at this stage, is sooo helpful.
• What first motivated me to work on Quiet was two things:
  • 1. My organization didn't have an obvious choice when we needed more security than Slack...
  • And 2. I was really interested in the possibility of building communication tools that didn't rely so much on central servers. Hosting your own service is a ton of work and out of reach for a lot of groups. But depending on someone else to host is a trust issue. The question I was obsessed with was: what if there is a better way to do all of this where we can have open source apps we don't have to host.
• Then as I started to research more what the needs of other journalists and human rights defenders were, Quiet emerged from that. ..And a need seemed to emerge in this space between Signal on the one hand and Slack/Discord on the other.

How does Quiet Work? How does it make or aim to create a better way to have open source apps we dont have to host etc?

• So, the biggest and most important difference between Quiet and Slack is that Quiet will have end-to-end encryption, like Signal. And the most important difference from Signal is that it has channels, like Slack, or like we do here in Mattermost. And we'll have threads too, and team-level controls for who is in the community, disappearing messages settings, etc. That's the most important difference for users. But in terms of how Quiet works it's very unique and different from all of these.
• The short version is, we've built Quiet on a peer-to-peer network (we use tools like libp2p, IPFS, and Tor) so that it doesn't need a server at all. A server will be helpful for some things like iOS push notifications, and we'll provide one ourselves or for people who want to self host, but Quiet will work without it. So there's a lot of resilience there. And it has some nice privacy properties, like metadata protection. One thing people don't like about Signal for example is the need to use a phone number. You don't need any email or phone number to join a Quiet community.

Does Quiet provide Admin control – and are there different levels of admin?

• We've put a lot of thought into this, and we're at the stage where we have designs and feedback is really helpful. We haven't built anything yet. From our research it seems that activists need flexible roles and the Discord model seems best. You can see what we're planning here: https://www.figma.com/file/xCgVHg3qZPCQuLZudBAnn7/Roles?type=design&mode=design&t=DwNKQWaeBONzziRl-0
• Mostly we're modeling Quiet on Slack, but Roles are something we think Discord does better. So you'll be able to make any role and give it a range of permissions, and then add users to those roles, or give roles access to particular channels.

Does Quiet support Single Sign-On (SSO)?

• That isn't a need we've heard from the organizations we've spoken with, but it certainly could. I'd love to hear more about your needs in that area. Right now, users just click an invite link and pick a username. Later this year we'll let you link multiple devices and revoke devices.

Can individual users block people? That's one thing wrong with Slack - there's only an option to hide users

• Not yet, but it's definitely something we're interested in, and this has come up in our research.

What happens when someone get targeted by oppressive regime for running this network. Either physically or digitally does Quiet also work on the ways it can be compromised since that helps to build features which can be resilient when things go south?

• For physical targeting, I can say that one focus of ours has been deletion and disappearing messages. One thing we heard early on, and have continued to hear from users, is that people really want some organization or community level control of disappearing messages. So that there's some structure and they don't have to rely on everyone always remembering to turn them on.
• Another thing we've heard is that it's really important to be able to quickly suspend someone's account but easily restore them later. That's a use-case we're really interested in and exploring. The thing we provide right now is built-in support for Tor. And pretty robust phishing protection compared to any app that uses email or phone for signing in. We don't support Tor's censorship-circumvention powers yet, but we will in the future. But Tor does offer some metadata protection. People don't have to reveal almost anything to others in their group, or to us. And also, people don't have to know what Tor is, or how to set it up. It just works.

Since Quiet is built on TOR (which is great), has Quiet been tested in countries with poor internet speed?

• This is part of why we're building a central server option for people. We've found that Tor is fast enough for messaging when you're connected, and I suspect this is true almost everywhere, but that connecting to Tor onion services (which Quiet uses) can be slow. And if the internet gets less reliable (not slower but like, more zones of no service, etc.) then that becomes a really big issue. In our research it was clear that people care about reliability more than almost anything.
• So we want to make the p2p stuff in Quiet a cool fallback or option, but not force it on folks. If using a server is okay, we'll provide one. Our goal is to make Quiet as reliable as WhatsApp or Telegram, by doing push notifications and message delivery in essentially the same way. And messages will still be encrypted, and we're putting a lot of thought into making sure that the server doesn't need to keep messages (which are encrypted) for any longer than necessary, and giving users control over this.

When creating Quiet, were there any notable challenges you and your team experienced? What were they, and how did you manoeuvre them?

• iOS has been really challenging. Especially push notifications. But we learned from our research that if the community is large enough there is often an iOS user, even in regions where iOS use is low. We're overcoming this challenge by building an assist server that will share minimal data with Apple, but give people a WhatsApp-like experience for push notification on iOS.

As Quiet is based on P2P - how do you address common issues that messages in group chats can get all messed up, because people are not online all the time?

• One answer is that since we needed a server helper for iOS anyway-- there was no getting around it and apps like Briar and Cwtch usually don't support iOS for this reason-- we decided to use that server for other kinds of help too, like in the case when nobody is online. (Cwtch actually kind of does have servers, and if your server is on then sync should work okay, but there might be connection issues sometimes with Tor or whatnot)
• But one difference between Quiet and Briar is that Briar only connects to contacts you add deliberately, while Quiet connects (over Tor) to anyone in the community. This makes syncing much more reliable when operating in p2p mode.
• And it seems like a better tradeoff to us re: security and usability. You get much better reliability and availability, in exchange for one security issue: people can potentially tell when you're online by looking in their logs. This is a bigger issue when you're in multiple communities since it could allow linking.

If implemented the deletion, does the time based deletion is applied to media. If yes, does it really get deleted or the extension is changed to the random thing. But by checking the hex people can get the original media back? Signal has the similar feature but I need to check whether it deletes the media or changes the extension?

• We will definitely delete media, but right now there is a known bug in how we're deleting attachments. Deletion will work the same for media as messages: you tell people to delete, as soon as they get the message they will delete, if you're authorized to delete. Also I'm just learning this about Signal now. Is it because the attachment is still on their server for someone else to fetch, for some time?