The French government and the Black Basta ransomware group may have little else in common, but both have been notable users of Matrix servers to run secure communications channels. The Élysée has long touted its homegrown Tchap messenger, built on Matrix, and Black Basta was a Matrix server user too, as a leak of its chat logs revealed earlier this year.
Whilst incident response professionals say ransomware groups are now typically running communications (certainly with victims) over the Potato Chat or the Session messengers, the French government is demanding wider use of encrypted messenger Tchap from September 1, in a drive led directly by Prime Minister François Bayrou, a government note revealed.
PM Bayrou warned in a July 25 note published by the CFDT-UFETAM union on August 8 that “certain so-called secure commercial messaging services are under the influence of foreign countries, which are likely to implement technical or legal measures to access exchanged communications.”
“Each minister is responsible for implementing this circular within their ministry,” he said, without naming any of the services in question.
“Major public instant messaging applications are taking an increasing place in our daily communications. However, these digital tools are not without security flaws and do not provide all the necessary security guarantees in a professional environment. Public servants are exposed to an increasing risk of their electronic communications being intercepted… Besides the privacy violations they often represent, these attacks now constitute a major threat to the need to guarantee the confidentiality and integrity of all these exchanges.” – Prime Minister François Bayrou
French President Macron was a longstanding user of the Telegram messaging application before security concerns were raised to his team – and his government detained Telegram founder Pavel Durov last summer, citing widespread criminal use of the messaging/group chat service.
(Durov on Sunday hit out at the subsequent ongoing investigation, posting on his Telegram channel that “one year ago, the French police detained me for four days because some people I'd never heard of used Telegram to coordinate crimes. A year later, the 'criminal investigation' against me is still struggling to find anything that I or Telegram did wrong,” he posted.)
“Giving preference to Tchap”
Like many governments and indeed large banks, the French administration is also riddled with the informal use of Signal, Telegram, WhatsApp et al.
The French government has also created another homegrown messaging application called Olvid. Officials can carry on using this, but should be “giving preference to Tchap for exchanges with state administrations.”
The open Matrix protocol underpins a public network of Matrix servers; anyone can spin one up and federate it, or connect it with others.
Tchap and other government deployments federate Matrix servers across private trusted networks with tiered controls. (For some years, notably, Paris funnelled money to Element to help support its development/back the open-source project, but has since stopped supporting upstream.)
There are numerous client applications that can sit on top of Matrix, including Element (built by the Matrix creators) and many others.
Development of Matrix has been a struggle for its founders, for freeriding and other reasons. As Element co-founder Matthew Hodgson noted in a recent social thread on some of Element’s travails over the years: “The freerider problem is still huge – right now the Turkish government is not just freeriding but AGPL-violating with their “Next Messenger” fork (currently #5 in Social Apps in the App Store!). So is LaoApp from the national telco in Laos (with >1M downloads and 36K reviews!)... Ukraine MOD’s runs on a fork of Element (although we are sympathetic to them for freeriding).
“LuxChat has historically routed a token amount of funding (although they’re now trying to fix that... And the list goes on and on. If all of these countries put even 1% of the amount they spend on proprietary licenses into funding upstream open source dev that they are operationally dependent on, Matrix… would be in a much much better place.”
Matrix co-creator speaks out
Matrix co-creator and Element founder Matthew Hodgson recently shared an in-depth update on the company in response to a discussion on the XXXX site. Posting as Arathorn, he wrote:
"In 2021 things were going great: Element had raised a bunch of money from investors; COVID had really accelerated the need for secure comms; Matrix uptake was increasing exponentially, and so we used the $ to accelerate a bunch of next-gen projects: Element X (moving from development-in-triplicate across matrix-js-sdk, matrix-ios-sdk and matrix-android-sdk2 to instead having one, stable, audited, best-in-class native matrix-rust-sdk); Element Call; P2P Matrix (arewep2pyet.com); Applications Beyond Chat (https://matrix.org/blog/2021/12/22/the-mega-matrix-holiday-special-2021/#applications-beyond-chat); Third Room (https://thirdroom.io) etc.
Unfortunately, in 2022/2023, the wheels fell off. I had assumed that the more successful an open source project is, the easier it would be to fund it. The single most important lesson here, imo, is that the more successful an open source project is, the more commercial entities will materialise and capture the available $ from customers, competing with the upstream project, without routing any of it upstream. Economically this makes sense: they can charge less as they don’t bear any of the development costs. Practically speaking, it’s insane, given by harming the upstream project they then put their own projects at risk (but hey, they can always take the money and blame us for that if it goes wrong). In 2022 Element lost a series of major deals like this to random system integrators who had picked up our FOSS and could charge as little as they wanted for it (and who then subsequently screwed up the delivery - stuff like https://www.heise.de/news/Wie-Behoerden-und-ihre-Auftragnehmer-Open-Source-Software-ausbeuten-10274161.html or https://www.heise.de/news/Probleme-mit-Open-Source-Videokonferenz-Tool-Hessen-fuehrt-kurzfristig-Webex-ein-10217839.html).
So, rather than surfing Matrix’s success to fund more Matrix dev, instead we had to do a very painful handbrake turn to:
- shelve all the next-gen projects, apart from Element X and Element Call
- halve the size of the team, given the revenue we were relying on to fund us went to freeriders instead
- freeze the ‘classic’ Element apps other than for security fixes, given we no longer had anyone to work on them
- relicense everything as AGPLv3 to be able to sell AGPL exceptions and discourage freeloading
- build an enterprise distribution with a bunch of proprietary add-ons we could sell as a concrete differentiator to our govt customers to compete with our own FOSS: https://element.io/server-suite
- stop focusing on building out features for the edification of the FOSS community (e.g. custom emoji, Discord-killer features, prioritising Threads/Spaces in Element X).
The unhappiness we’re seeing now in the wider Matrix community (“why isn’t Element a Discord killer?! why is trust & safety underfunded!? why are there two apps?! etc”) is very much the result of these changes.
To be clear: it’s not that we said “oh you know, we’ll deliberately not prioritise Threads & Spaces in Element X as nobody really cares about them” - it’s more that “we know our customers don’t use Threads or Spaces much yet, so we’ll deliberately build out other stuff they’re asking for, like brandable apps; EMM/MDM; antivirus; server-pushed config; certificate pinning; etc. Yes, this will upset FOSS users, but it’s better that than have further funding crises”.
That said, I am still surprised at how upset FOSS users are about Element X not having feature parity with Element - I assumed it’d be like Mozilla->Firefox, when everyone was very happy to use a new browser which was lighter and better, even though it lacked most of the features of the old Mozilla Suite. We do instrument Element via Posthog (assuming folks opt in to analytics reporting) - e.g. https://github.com/element-hq/element-ios/tree/master/Riot/Modules/Analytics on the classic Element app. So we could see that spaces & threads were both only used by a relatively small fraction of users. It’s more that we failed to anticipate how dependent (and loud and angry) that subset were, to the extent of refusing to use Element X.
Anyway, the good news is that as a company, Element is recovering and approaching sustainability, and as you can see by me posting here and elsewhere, we haven’t given up on returning to our original mission of helping build out Matrix successfully for everyone (not just Element customers). After all, if nothing else, Element’s success has a hard dependency on Matrix’s success.
The freerider problem is still huge - right now the Turkish government is not just freeriding but AGPL-violating with their “Next Messenger” fork (currently #5 in Social Apps in the App Store!). So is LaoApp from the national telco in Laos (with >1M downloads and 36K reviews!). France stopped routing us funding for Tchap after budget cuts (Tchap just got mandated by the prime minister for use from September!). Ukraine MOD’s runs on a fork of Element (although we are sympathetic to them for freeriding). LuxChat has historically routed a token amount of funding (although they’re now trying to fix that - thank you!). And the list goes on and on. If all of these countries put even 1% of the amount they spend on proprietary licenses into funding upstream open source dev that they are operationally dependent on, Matrix (and Element) would be in a much much better place.
Instead, all we can do is to continue on our plan to a) get Element financially sustainable by providing enterprise deployments to GovTech, b) once we’re sustainable, invest in broader Matrix dev once again. Meanwhile, there’s obviously huge opportunity for other projects to contribute to improve Matrix too - and indeed this would be way healthier than Matrix ending up significantly dependent again on Element’s contribs.
Not throwing shade, let me be very clear. We just all need to learn from these. Growing pains, indeed.
Totally agreed, hence me spending the time to try to explain the story, so future generations can learn from both our missteps and occasional successes :)
Critics of Matrix say that the protocol holds on to too much cleartext metadata about users / groups, but it has become, as the examples above show, increasingly popular for federated messaging in government circles.