We caught up with Matrix co-founders to find out how the project is developing and why the future of internet freedom may depend on decentralization
News broke today that Matrix, the open source, decentralized communications network, has reached the milestone of gaining 30 million users.
Matrix is powered by the Matrix.org Foundation, a non-profit that maintains the open standard and the network on which it runs, providing the means for a highly secure communications channel.
The foundation has already gained the attention of both privacy-conscious internet users and governments worldwide, especially within the EU which earlier this year partnered with Intigriti to launch a bug bounty program for the Matrix network.
As they toast the 30 million user mark, The Daily Swig caught up with Matrix co-founders Amandine Le Pape and Matthew Hodgson to find out more about the project and why they believe the future of internet freedom depends on decentralization.
Amandine La Pape and Matthew Hodgson, co-founders of Matrix
Enter the Matrix
The Matrix.org Foundation is the non-profit tasked with maintaining the Matrix network. But what exactly is Matrix?
The project’s website describes Matrix as the “open standard for interoperable, decentralized, real-time communication over IP” that can be used to power instant messaging, VoIP/WebRTC signaling, Internet of Things communication – “or anywhere you need a standard HTTP API for publishing and subscribing to data whilst tracking the conversation history”.
In simpler terms, Matrix is a network that provides a common communication layer that is highly secure, end-to-end encrypted by default, and allows users to communicate with each other regardless of what app they are using.
It was born out of the idea that internet services should be open and not fragmented by proprietary apps such as Skype, WhatsApp, and others that only allow users to chat within those specific platforms.
READ MORE 5G network slicing flaws pose denial-of-service risk
Hodgson explained: “They have completely starved us of the opportunity of the web. Like on the open web, I can start a website, I can run it on a server under my desk here, and it can grow to be the next Google.
“If I wanted to do that with a communication start-up, before Matrix, you would basically have to start from scratch. And before, you know, it you’re just reinventing the wheel for something like Skype or WhatsApp.
“And the chances are that you might just end up keeping it proprietary and closed because you spent so much money going and building those closed silos.”
The German armed forces ('Bundeswehr') created iOS and Android app BwMessenger, built on the Matrix platform, as a secure communications channel
He added: “What we’ve tried to do is to disrupt the hell out of that and go and put out the missing common communication layer for the web as a way for people to build these communication systems without having to start from scratch every time and without building additional silos and walled gardens.
“It’s really a complete moonshot to go and basically replace the phone network, replace email, and have an open fabric for secure, decentralized communication that anybody can hop on top of in order to do chats, or voice, or VR, or IoT, or anything else where you might want to stream real-time data with Signal-style, end-to-end encryption and publish the history of it.”
High-profile use cases
It’s this “Signal-style encryption” that attracted the likes of the French and German government to use Matrix for their official communication channels.
The French government created secure communications tool Tchap by building on the Matrix network after other platforms were deemed “not suitable for government use”, project director Jérôme Ploquin was quoted as saying.
The German armed forces (‘Bundeswehr’) created iOS and Android app BwMessenger, built on the Matrix platform, as a secure communications channel for some 50,000 recruits.
Elsewhere in Germany, Dataport, a major IT services provider, has deployed a Matrix-based collaboration tool for 500,000 public sector workers throughout the states of Schleswig-Holstein and Hamburg.
INTERVIEW Offensive Security’s Ning Wang on training the next generation of infosec pros
These governments “really liked the idea of being able to run it [the channel] themselves, having each ministry controlling their own deployments, yet still being able to talk to one another”, Le Pape told The Daily Swig.
Other major use cases include individual, smaller companies, and the grassroots activist community, partly due to the ease in which they can implement Matrix and transport their data securely.
“Even if it’s just being able to spin up a server on our SaaS platform, [or access] Matrix services, they can extract their data… and run it on-premise,” Le Pape explained.
Glitch in the Matrix
When Matrix was first launched in 2014, it had already jumped over various security hurdles, beginning with the mammoth task of creating a decentralized network that would be impervious to nefarious actors.
“First of all, decentralization where you have a big network with everybody running their own servers and critically, those servers cannot be trusted, is tough.
“It’s actually a very sophisticated problem with decentralized access control, where you have a network where none of the servers can be trusted, and yet you very rapidly need to be able to make decisions about who is allowed to do what.”
He added: “How do you make sure that people can’t sabotage it and screw it up for everybody? So that was a huge consideration. And frankly, we got it wrong.
“First time round, there was a bug that resulted in exploits in the wild, with people of hijacking rooms and generally causing mischief.”
In 2018, Hodgson said, the team performed a “tear down” of the work they had already done, found a bug, and rebuilt it again. “This time, touch wood, we got it right.”
Matrix provides end-to-end encryption via the Olm and Megolm encryption protocols
Safe channels
A major consideration for the security team at Matrix was its USP: the end-to-end encryption that helps protects users’ identities and the content of the chats between them.
Hodgson explained that in a decentralized network, any data in a chat, for example, is replicated in the server used by a participant.
If the participants wanted to keep the conversation private, they would have to trust all of those servers “not to get owned” in order to keep the conversation safe.
Multiple servers, however, only increase the attack surface, hence the need for end-to-end encryption.
Hodgson said: “It’s fine, in some ways, from a data protection perspective, if the servers have been [compromised] because end-to-end encryption means that the attacker wouldn’t be able to see those conversations anyway.”
The next step towards data protection, Hodgson said, is working on a means of preventing metadata from being replicating across servers, as well as employing further measures in line with GDPR to assign random IDs on a per conversation basis that do not correlate in any other conversation, thus protecting the users’ identity.
Next steps
So, what’s next for the Matrix.org Foundation? Aside from continuing to build on the Matrix network, the foundation is also a keen actor in pushing legislation that will help further protect user privacy.
The EU Digital Market Act, which was proposed in December 2020, will “require gatekeepers to proactively put in place certain measures, such as targeted measures allowing the software of third parties to properly function and interoperate with their own services”.
Le Pape told The Daily Swig: “It’s really interesting from our perspective to eventually get the EU to start looking at and asking everyone to be able to inter operate, or at least provide the ability for people to extract their data from one place to another and communicate between the islands and the silos.
“So that’s really good for Matrix, as we’ve been trying to build this for the last seven years, so we’re glad to see that even regulators are coming our way.”
YOU MAY ALSO LIKE Tor security: Everything you need to know about the anonymity network
