I’ve been thinking about this for a while, that there’s kind of not a great solution, that I know of or can think of, for long-form internal political discussions within an organisation. There are of course existing platforms that are not private (like you could have a Facebook group for instance).
There’s obviously a lot of encrypted chat apps out there but they’re all more “texting” form and are not great for like forum-style discussion.
The best I can think of might be Matrix, but it’s more of a chatroom style format and I’ve not tried using it for this forum-style of discussion which I’m not sure if it works smoothly for.
Tbh a mailing list would kind of be my ideal (I assume there’s mailing list software out there that integrates with PGP so we can protect our emails) but so many people in organising spaces are pretty tech-resistant boomers (no offence to the older generation, I’m aware it’s a generalisation that doesn’t apply to everyone) and it’d be hard to get everyone to use PGP I think. Also email is just not very secure in the first place and would expose a lot of metadata, making it not suitable for organisations that are heavily criminalised or otherwise have a higher threat model. Not to mention that the mail server in question would be able to read the emails sent to the mailing list, as it has to decrypt emails sent to the mailing list in order to encrypt it with all recipients’ personal PGP keys. And there’s just so many points of failure in terms of all messages to the mailing list getting accessed if just one member gets compromised.
Maybe I’m missing an obvious solution, in which case please tell me of course. But this is just an issue that’s crossed my mind over the years as I’ve watched organisations use insecure platforms for long-form discussion, and I cringe, but I don’t think I know the ideal solution either.
I can’t believe I forgot about it, but secure scuttlebutt fits the bill here pretty well. The protocol has issues and the default clients are open to anyone by default, but the security properties of the design are pretty interesting and definitely applicable to building encrypted long form communicate nets. Bamboo Earthstar and Willow are all based on similar ideas and may also be useful. I have gotten a little use out of Briar, but being mostly phone-centric makes it hard to use the forum for actually long messages and complex discussions.
I have been working on a protocol for mobile adhoc mesh networking an general purpose coms that could fit the bill, but i’m still in the very early stages so its not really useful, but some of the research and project links at the bottom might be interesting.
In the early days of the pandemic when I was at home alone and super bored, I put together a working forum system that was pretty much aimed at this problem. It had the added bonus of not using any javascript so that it would work perfectly on a default Tor browser. I used sqlite3 for ease of installation. It was mostly a self-teaching project for me to get better in Go. But it did work. I can’t link to it as it has my real name plastered all over. But I’ve been thinking of rewriting it now that I’m a much better programmer. And this time I wouldn’t have any personal details linked to it. I’d still write it in Go though. Go has great html templating that makes server-side rendering of forum-type pages dead simple. And the additions to Go’s standard library over the past few years have reduced the 3rd-party dependencies considerably. I could probably pull off a rewrite with only mattn’s sqlite3 module as the last remaining module pulled in.
I included a few fun ideas that I haven’t seen elsewhere, like an emergency account deletion page where you just enter a TOTP code to wipe your account and posting history instantly. Admins could also do an emergency site deletion with a TOTP code as well. The philosophy is that it’s aimed at people who are more concerned with security than keeping long-term records.
It also had a feature where the site sign-up could be limited to people with one-time codes. An admin page could generate a list of these codes, which the admin would give to a trusted friend. That trusted friend in turn gave out individual codes to people they trust who wanted to sign up. The idea was to make sure users and admins could credibly say they didn’t know who the other was. A variation on clandestine cells.
Discourse is the de facto standard for what you’re asking for, and has a LOT of customization and plugins community.
Despite the chatroom format I do think that self-hosted, unfederated Matrix is the best option right now from the perspective of surveillance resistance.
Should probably add unfederated to self-hosted there, Matrix was incubated at a known Mossad-front Canadian telco notorious for harvesting metadata and itself is notorious for leaking metadata when federated. Any federated Matrix homeserver should be considered a honeypot.
Thanks, edited.
Freenet Messaging System (FMS) is a forum interface which uses the distributed key-value p2p storage of Freenet for publishing and hosting the content (which uses anonymous request forwarding similar to onion routing… and it’s now called “Hyphanet” by its founder).
There are a few other systems that operate atop Freenet, including Freemail and some other forum systems that are very much not recommended due to illegal content.
Maybe Mattermost or Loomio? Maybe even Discourse? None of these are e2e, of course, so it’s extra important to protect the server.
delta.chat has some concept of e2ee mailing lists, but i’m not positive on the details. technically PGP based (though rewritten in rust), but the app doesn’t expose many of the crypto details to the end user. sadly that does mean it inherits some of the weaknesses of PGP like a lack of forward secrecy. OMEMO, Signal, and Matrix all use some variant of a double-ratchet algo. I’d like to see something like this make its way into async/store-and-forward messaging, but idk if there’s some reason why it hasn’t.
the delta chat app is currently pretty chat-centric, but its based on email so it could be modified to fit better with long form discussions.
My org’s in Loomio, it’s decent for that.
But I think it’s closed-source and paid-only.nvm AGPL-3 let’s goooooEven if it’s open-source and free software, unless they’re hosting it themselves, Loomio still has access/control over all your data. Also, hosting it yourself is just much cheaper. Looking at their website, the cheapest plan they have is still $300/year and you can only have 30 members, which is outrageous in my opinion. You can get a cheap cloud server with decent storage space that you could host it yourself on for like $10/month and have unlimited users.
I’ve been considering self-hosted Matrix, in order to keep metadata obscured to anyone outside the org. is that advantage preserved when using a cloud server?
As long as the people using your home server aren’t messaging people or chatting in rooms from other home servers (aka you’ve disabled federation) and you can trust your cloud provider not to snoop around, yea, it’s a fairly decent solution. Even with disk encryption like LUKS or your file system’s built-in encryption, if your cloud provider wanted, they could just dump the memory of your VM and find the password/encryption keys that way.
Not really, you can do obscure things or obscure the hosting server with reverse proxies and mixnetworks. Most cloud hosts aren’t sniffing around in your VMs/containers… But they might.
Most cloud hosts aren’t sniffing around in your VMs/containers
You would be surprised, especially the ones in the five eyes countries or whatever.
Talkyard is an interesting one.