Encryption and Privacy for Chat
niederfuchs last edited by
Dear Church Tools Team,
I would like to endorse the comments made by some previous speakers in the German Forum. End to End Encryption of Communication of Church Tools (Chat) is not a "Nice to Have," it is an area that belongs to your first duties just as a commercial provider in this highly sensitive area.
I would like to briefly discuss why these communication tools should not be offered unencrypted from the outset. And in addition, there is some reason for not using clear names in the matrix structure behind it.
In congregations, information is often exchanged that is not particularly sensitive within the congregation itself (donation calls, reports of missionary activities, calls to support persecuted Christians, etc.) that could make a CT server attractive for bad actors or corrupt governments in the medium to long term. Assuming that your own server infrastructure is beyond being attacked is an unrealistic point of view that you can't afford and shouldn't afford.
Users who understand the chat as a means of pastoral care and as a low-threshold offer, write messages in emotional distress, rightly assume without notice that their communication is A) E2E encrypted and takes into account B) Perfect Forward Secrecy - since this meets common standards today. If your app cannot offer this (which, as explained above per se, would not be desirable/acceptable in the long term), the app should at least inform the user that the content is not encrypted and is in plain text on the CT servers.
In addition to the risks of hacking from outside, it should be noted that one can never guarantee the confidentiality of the persons entrusted with server systems. It can happen in all institutions that confidential information is sometimes misused and even leaves the maintained/entrusted systems.
The only effective protection:
You ensure from the outset that you never get this data in plain text. And please consider how you can protect any existing clear names/passwords/emails from compromise...
Dear developers, let us hear how you think about it...!
Thank you for taking the topic seriously and your community...
Thanks @niederfuchs for filing this FR and discussing the backgrounds. I fully support your view (and the FR, of course).
For point C) I'd like to add that this does absolutely not mean anything like general distrust against CT as a company or any individual working at CT!
Apart from the fact that I have experienced persons who did strange things while suffering from (temporary & unexpected) mental health issues, loss of confidentiality may simply occur due to (unintended) errors, even if well-crafted processes to prevent them might be in place.