Skip to content
DevMeme
4795 of 7435
Element's Blunt Defense of Selling Encrypted Chat to Governments
Security Post #5253, on Jun 21, 2023 in TG

Element's Blunt Defense of Selling Encrypted Chat to Governments

Why is this Security meme funny?

Level 1: No Spare Key

Imagine you have a special box that only you and your best friend can open. You both have unique keys to this box, and you keep your secrets in there. Now, the company that made this box promises that nobody else can unlock it – not even the company itself or the police – because they didn’t make any extra keys. This is like what end-to-end encryption does: your messages are in a box that only you and the person you send them to can open with your keys.

Some people got worried, thinking, “Hey, what if the box company also made a secret key and gave it to the police? That would be like a sneaky backdoor into our secrets!” The company (Element) basically replied: “Nope, we didn’t make any secret keys. We sell these super-secure boxes to anyone who needs one – even the police buy them from us so they can secure their stuff – but we never made a master key for ourselves or anyone else. If you’re uncomfortable with that (like you don’t like that we do business with certain buyers), you can always use a different box from another company. We’re not forcing you to use ours.”

In simple terms, Element is saying they’re being honest and sticking to their principles. They built a lock that everyone can use to protect their conversations, and they didn’t keep a special spare key for themselves or authorities. They also understand not everyone will be okay with who they sell locks to – and they’re fine with those folks choosing another lock. It’s a bit like a lockmaker saying: “Our locks are super secure for everyone. Yes, we sell them to the local police station as well as regular people, because everyone deserves security. We haven’t given anyone a cheat key. If you don’t trust us or don’t like our customers, you’re free to buy a different brand of lock.” The funny part here is just how plainly they put it – it’s frank and a little sassy. But at the end of the day, it’s about trust: you either trust this lockmaker and keep using their lock, or you go find one you do trust. And Element is confident enough to say, “It’s your choice.”

Level 2: Locks, Keys & Backdoors

Let’s break down what’s happening in this post in simpler terms. Element (the company) is talking about encryption – specifically end-to-end encryption (E2EE) – and addressing concerns about so-called backdoors in their product. First, what is end-to-end encryption? It means that when you send a message using Element/Matrix, it gets scrambled into secret code that only you and the intended recipient can unscramble (with special digital keys). Even the servers relaying the message (or the company running the service) can’t read it. Matrix is the open protocol that Element (the app) uses to do this – think of Matrix as the language or system for passing along these secret messages, and Element is like a phone app or messenger that speaks that language.

Now, a backdoor in this context means a hidden way to get around encryption. Imagine if the app had a secret spare key that only Element or certain people (like government agencies) knew about – they could unlock any conversation without the users’ permission. That would be a backdoor. Obviously, privacy-conscious users distrust that: it’s like thinking your locked diary might have a secret copy key held by the diary manufacturer “just in case” someone (say the police or the company) wants to read it. 😬 The Element company’s post is clearly saying there is no such backdoor in their app or the Matrix protocol. In other words, they’re insisting that Security wasn’t compromised: only the people in a chat have the keys to read those messages, and nobody else.

So why are they saying this? The post references that Element funds Matrix development by selling encrypted messaging solutions to governments, including police. Essentially, Element offers a paid, secure messaging service (built on Matrix) to organizations that need privacy – and yes, that includes government agencies like the police. For some users, especially in the privacy and open-source community, hearing “we sell our product to the police” set off alarms or moral objections. Some might worry: “If the police are using it, did Element add a special door for law enforcement to peek in? Or do we feel comfortable supporting a tool that police also use?” It’s a bit of community drama. Privacy advocates often see governments (and their law enforcement) as the ones trying to weaken encryption or surveil people, so the idea of selling a privacy tool to them can seem like fraternizing with the enemy.

Element is responding with a link to their blog about the UK Online Safety Bill, calling it “an attack on encryption.” This bill (proposed law) is something the UK government is considering which would require tech companies to ensure “online safety” – unfortunately, that could mean companies must scan private messages for bad content. If an app is truly end-to-end encrypted, even the app’s company can’t scan those messages (because they don’t have the key to read them). So, such a law indirectly pressures companies to break or weaken encryption (for example, by building a backdoor or doing content scanning on your device before you send the encrypted message). Element, by sharing that blog post, signals that they oppose such laws; they’re siding with privacy and strong encryption.

Finally, the blunt statement: “if you don’t like that then please feel free to use a different app.” This is them saying: We understand some of you might not agree with our way of doing business (like selling to governments) or you might distrust us, and that’s fine – you can choose another messaging app. It’s a surprisingly direct thing for a company to say! Usually, companies try hard to keep every user. But Element’s tone here is honest and a bit fed up: they believe in their approach (no backdoors, selling to anyone who needs encryption, fighting bad laws), and if someone is still unhappy, well, Matrix is open and there are other apps out there. In the open-source world, this is almost a point of pride: users aren’t captive customers, they have freedom. So Element’s basically reinforcing that freedom – “we’re not locking you in; you’re free to go if you think we’re doing wrong.” For a junior developer or someone new to this, it’s a glimpse into how passionate and principled the data privacy field can get, and how companies in open source sometimes handle criticism transparently rather than with corporate-speak.

Level 3: Encryption Without Exception

On a practical level, this Mastodon post is addressing a very real tension in the DataPrivacy and Security community. The humor (tinged with seriousness) comes from Element’s unusually blunt, almost brusque tone for a company: “if you don’t like that then please feel free to use a different app.” 😏 It’s not every day you see a company essentially tell a segment of its users: “we’re not changing our stance, so door’s on your left.” Experienced developers recognize this as a confident – if risky – PR move, reflecting a senior perspective that doing the technically right thing (strong EndToEndEncryption with no special treatment) sometimes means not appeasing everyone. The context here is Element (the company behind the popular Element client for Matrix) responding to community concerns or accusations. Some privacy-hardliner user presumably implied: “Hey, Element might have a secret deal with the devil (police/government) – maybe there’s a backdoor in Matrix for law enforcement!” This post is a mic-drop answer: No backdoors. Yes, we do business with governments (even law enforcement agencies). If that offends you, well, you can take your trust elsewhere.

Why is this both serious and chuckle-worthy for seasoned devs? Because it lays bare an open_source_funding_model dilemma many of us know: great open-source projects need to make money to pay their developers. In Element’s case, they fund Matrix’s development partly by providing secure messaging solutions to enterprises and governments. It’s a bit ironic – selling privacy tech to institutions that, in other contexts, might seek to undermine privacy (think of regulatory pushes like the online_safety_bill which seek to weaken encryption). Seasoned engineers have seen similar patterns: VPN companies marketing privacy to consumers while also selling “enterprise compliance solutions” to governments, or database companies working with both activists and banks. This juxtaposition is ripe for controversy, but it’s also how the sausage gets made. The spicy part is Element openly acknowledging “yeah, we sell to police departments too,” rather than dancing around it. It’s a candid transparency that senior folks respect – calling a spade a spade.

The backdoor_claims are addressed head-on: in security parlance, a “backdoor” is a secret method of access. By saying “no backdoors,” Element is assuring technically-minded readers that there isn’t a hidden master decryption key nor a special law-enforcement mode in Matrix. Given that Matrix is open source, any such deceit would likely be spotted by code auditors or the global developer community. (It’s hard to sneak a skeleton key into a widely-scrutinized encryption library without someone noticing a suspicious generate_government_access_token() function or strange key-sharing mechanism! 🕵️) The post also subtly points to their blog article about the Online Safety Bill: An attack on encryption. This clues in savvy readers that Element stands against government mandates to weaken encryption – they’re funding Matrix by selling it to governments as is, not by secretly modifying it to please regulators. In other words, they’re saying: we’re on the side of strong encryption, even when we work with big clients.

For those in the know, there’s also the context of how Matrix works: It’s a federated communication protocol, like an open alternative to Slack/WhatsApp, used by many – from open-source communities to government agencies. The UK government and French government have indeed used Matrix for internal communication (for security and sovereignty reasons). A senior dev chuckles here because the very groups pushing for backdoors also need secure channels for themselves – a classic irony in the world of DataPrivacyRegulations. The post’s last line, “feel free to use a different app,” resonates as a tired engineer’s refrain: we’ve built this on principle; if you accuse us unjustly or don’t align with our model, you’re free to fork or go elsewhere – the beauty of open tech. It’s both a show of confidence and a release of responsibility: the ultimate power move in open-source is reminding everyone they aren’t locked in. Long-time devs recognize that vibe immediately. It’s a bit of a meme in itself in dev culture: Works for you? Great. Doesn’t work for you? It’s open source – no one’s forcing you to stay. 😜

Level 4: Crypto Wars Redux

At the deepest level, this post touches on the recurring encryption vs. authority debate – often dubbed the "Crypto Wars". End-to-end encrypted messaging (as used in the Matrix protocol behind Element) relies on solid mathematics: messages are locked with keys that only senders and intended recipients hold. From a cryptographic standpoint, a backdoor is an intentional weakness or secret key that would let a third party read messages. Security researchers have a saying: "no backdoor stays secret". If you build an encryption system with a master key (even “just for the good guys”), you’ve effectively left a key under the doormat – and history shows that eventually, someone unwanted finds it. Cryptography rests on computational hardness assumptions (like the difficulty of factoring large primes or computing discrete logs). A proper end-to-end encryption scheme has no hidden trapdoors in its math; only explicit keys decrypt content. Demanding lawful access is demanding a hole in that math – an anathema to computer science theory and practice.

This scenario is a modern echo of the 1990s Crypto War battles, where governments attempted to mandate escrowed encryption (e.g. the infamous Clipper Chip) so authorities could always unlock communications. Academics and engineers resoundingly countered that any mandated access makes the entire system insecure. It’s like asking for an encryption algorithm that is both secure and broken by design – a logical paradox. In formal terms, strong encryption provides confidentiality guarantees under well-defined threat models. A government backdoor doesn’t magically stay available only to “good actors” – it becomes a single point of failure, ripe for abuse or attack. This Mastodon post implicitly stakes a claim: Element will not compromise the math. The Matrix cryptographic ratchet (Olm/Megolm, similar to Signal’s double-ratchet) is designed such that even the server operator can’t decrypt messages. Introducing a special decryption access for governments would fundamentally violate the protocol’s trust model. In security terms, it would break zero-trust assumptions and eliminate forward secrecy (since someone holding a master key today could read all future and past conversations).

By firmly stating “no, there are no backdoors”, Element is asserting that the integrity of their encryption is intact – a bold stance under pressure from laws like the UK Online Safety Bill. That bill essentially asks for the impossible: it wants providers to find bad actors inside encrypted chats without actually breaking encryption for everyone. From a theoretical perspective, this is like wanting a proof that 2+2=4, except on Thursdays when it should secretly equal 5 for police – mathematically inconsistent. The post’s technical subtext: our encryption is end-to-end with solid security, unweakened by any secret keys. You can inspect our open-source code (verifying there’s no sneaky AES key shared with authorities) and read our protocol specs – transparency is how we prove the non-existence of backdoors. In summary, this meme highlights a fundamental infosec principle: either encryption is secure for all users, or it’s not truly secure at all. Element chooses security for all, even if that stance ruffles some feathers in both government offices and certain activist circles.

Description

A screenshot of a post from the official 'Element' account on Mastodon (@[email protected]). The post is a direct, unapologetic statement addressing controversy around their business model. The text reads: '@amatecha @matrix @liaizon element.io/blog/the-online-saf... gives an idea of our position. And no, there are no backdoors. Yes, we fund Matrix dev by selling encrypted messaging to governments, which includes police: if you don’t like that then please feel free to use a different app.' Below the text is a link preview to an Element Blog post titled 'The Online Safety Bill: An attack on encryption'. The preview image has a green background with white swirling lines and the phrase 'Own your conversations.' This post became a flashpoint for discussion in the privacy and open-source communities, highlighting the ethical complexities of funding secure, open-source communication tools by selling services to state and law enforcement agencies. The company's defiant tone - essentially 'take it or leave it' - was particularly notable

Comments

18
Anonymous ★ Top Pick Element's business model is basically a Schrödinger's cat of privacy: the message is simultaneously secure from the government and paid for by the government, and you don't know the state until the support contract is signed
  1. Anonymous ★ Top Pick

    Element's business model is basically a Schrödinger's cat of privacy: the message is simultaneously secure from the government and paid for by the government, and you don't know the state until the support contract is signed

  2. Anonymous

    Sprint review at Element: 1) ship the double-ratchet, 2) toot ‘no backdoors’ on Mastodon, 3) invoice the Home Office for the `/gov/compliance` microservice - privacy and procurement in the same commit

  3. Anonymous

    "We're not adding backdoors, we're just providing enterprise-grade observability features with advanced telemetry, comprehensive audit logging, and real-time compliance monitoring capabilities that definitely aren't backdoors because the documentation says so."

  4. Anonymous

    Nothing says 'we value privacy' quite like a company defending their business model of selling encrypted messaging to the very entities users are trying to encrypt their messages from. It's the cryptographic equivalent of selling locks to burglars and assuring homeowners there are 'no backdoors' - technically true, but the optics are doing more damage than a zero-day exploit. At least they're transparent about their funding model, which is more than you can say for most 'free' services that monetize your metadata instead

  5. Anonymous

    Legislators ask for a “secure backdoor”; architects just label it “attacker with a badge” in the threat model

  6. Anonymous

    Matrix: Gov funds the bridges, but Olm/Megolm locks the doors - backdoor budget meets zero-knowledge reality

  7. Anonymous

    Enterprise E2EE roadmap: promise “no backdoors,” monetize government contracts, then propose client-side scanning - aka a backdoor shipped as a mobile feature flag

  8. @bezuhten 3y

    can someone explain, please?

    1. @colllapse 3y

      matrix supposed to be federated messenger. element is one of the android clients for matrix network. they generally provide app free for personal use and supposedly non free for organizations.

  9. @IceBlink1 3y

    The article itself https://element.io/blog/the-online-safety-bill-an-attack-on-encryption/ Strongly advocates against breaking the end to end encryption as suggested in some UK's bill As far as I understand these Matrix dev guys are selling end to end encryption messaging solutions to governments and police and thus their regular users could be subject to wiretapping

    1. @viktorrozenko 3y

      I don't see the connection. If police uses the same e2e encrypted system and there are no backdoors, how does that lead to any kind of misuse?

      1. @IceBlink1 3y

        idk, I think the admin meant it not that it is true in any way

      2. @colllapse 3y

        make fake ID to enter some chats. social engineering basically

        1. @viktorrozenko 3y

          Bruh, but then no messenger is safe. If there is a group chat, a police officer could enter it no matter the platform.

          1. @colllapse 3y

            generally - yes. but if there's only two persons talking it pretty safe. also on govs side there's problems with proving link between actual person and he's account. so if you aren't drug lord or didn't made something to Cia worth watching you probably okay

  10. @RiedleroD 3y

    matrix is not part of the fediverse

    1. @deerspangle 3y

      But it is a federated chat system

      1. @RiedleroD 3y

        generally, the fediverse is considered to be software that implements ActivityPub specifically. Sometimes other protocols are also included to mean fediverse, but I disagree. https://en.wikipedia.org/wiki/Fediverse

Use J and K for navigation