Thoughts on Wire Messenger

What are your thoughts on Wire? Personally, I wouldn’t make it my daily messenger, but I do find it a helpful backup since it can be accessed from any web browser. If my primary messenger ever goes down, Wire or Matrix would be my go-to for an alternative since it’s easy to create an account and access it from any web browser, without the need for an app.

I would avoid it:

  • Jurisdiction and infrastructure inside EU and USA, both 14-eyes
  • Contact info / identifiers / usage data / diagnostics collected through usage
  • User data and/or metadata sent to parent company and/or third parties
  • Reproducible builds aren’t used to verify apps against source code
  • Can’t sign up to the app anonymously
  • Forced to trust a centralized directory server
  • Directory service could be modified to enable a MITM attack
  • Only notified of a contact’s fingerprint changing when you have previously verified them
  • Not all personal information is hashed to protect against certain attacks
  • Metadata not encrypted
  • Company logs timestamps/IP addresses
  • Undocumented design and infrastructure

It could be said but with Signal the peer-reviewed audits and recent attempts by government to gather user data from its servers show that they collect the bare minimum metadata possible. Signal also doesn’t have reproducible builds except for android. You can’t signup anonymously or add a contact without trusting a centralized server. if you want to avoid this, choose something that offers E2EE by default, strong metadata protections, doesn’t require a phone number/data plan and that is audited and well documented and within reach of anybody even the technically unsavvy. The infrastructure of most services you use can be reverse engineered and backdoored but with Signal they make sure they collect no raw messages or other PII that can be used by government or state actors. Only the signup timestamps and last message timestamp are collected.

1 Like

You can access Element (Matrix) with your web browser

1 Like

TL;DR: it’s not worth using.

Wire was subtly taken over by a holding company with a questionable track-record in regards to privacy. Furthermore, they quitely changed their privacy policy:

A previous version of the policy (July 18, 2017) stated it would only share user data when required by law. Now (Updated September 1, 2018), it reads they will share user data when “necessary.” What does necessary mean, and necessary to whom? Necessary to law enforcement, shareholders, or advertisers? The word “necessary” is an alarming change because “necessary” is purposefully vague terminology that could conceivably be used as a tool to justify any action. This change doesn’t leave the user with much confidence as to when the company may share your data.

There is not much point to using Wire, given how many better messengers are available.