Interview: Element CEO on the Matrix protocol and digital sovereignty
Above all, sensitive communication should run securely and independently. What the Matrix founder's idea looks like.
After the European Parliament called on its MEPs to use the messenger service Signal for work-related communication if Teams and Jabber do not work, Element CEO and co-founder of Matrix, Matthew Hodgson, was particularly critical. Neither Teams nor Jabber was mentioned in the Forrester study from August 2024, in which ArmorText and Threema were listed as "leaders", Hodgson criticized. We spoke to him about his idea of independent communication solutions.
heise online: Could you elaborate on your criticism of the security requirements for sensitive government communications?
Matthew Hodgson: The European Parliament asked lawmakers, parliamentary assistants and staff to use Signal as an instant messaging tool for work-related communications. The recommendation seems to be in response to the US encouraging widespread use of end-to-end encrypted communications after the US public telephone network was successfully attacked by Salt Typhoon, a China-linked cyberattack group.
Salt Typhoon was able to monitor communications by exploiting a law enforcement ‘backdoor’ in the US public telephone network. One can only hope that those working on the EU’s Chat Control regulation have noted that as a very obvious example of why backdoors present an insurmountable risk.
The European Parliament advised use of Signal if its "corporate solutions" – Microsoft Teams and Jabber – were unavailable. Both of these "corporate solutions" are dubious choices for the European Parliament. Microsoft Teams is a cloud-based service, owned and controlled by a US vendor, that is not even end-to-end encrypted. Jabber is now End of Life and no longer supported. The migration path is Cisco’s Webex which is end-to-end encrypted but cloud-hosted. However, it’s still a siloed vendor-locked platform, which is of little use when needing to communicate securely across multiple governments. Neither was deemed safe enough to be included in Forrester’s most recent report on Secure Communications Solutions (PDF).
Unfortunately, most of the well-known apps are unsuitable for government use. European governments, in particular, need to ensure their digital sovereignty – so that eliminates vendor-controlled cloud-based solutions. Genuine digital sovereignty also requires open source software, for full auditability and lack of vendor lock-in, which rules out many other solutions. The need for interoperability – which is absolutely critical for communications, in particular in a heterogeneous organization like the European Parliament – makes siloed solutions unsuitable. A decentralized technology brings tremendous benefits in terms of an end-user organisation being able to own, host and control its solution and data, and ensures more robust and reliable communications even in moments of crisis and break-down of intercontinental connectivity. End-to-end encryption is basic table stakes, as is user management.
If you review the options against those requirements, most solutions are not suitable for government use – especially across and between multiple governments and the likes of NATO and the United Nations.
Signal is a centralized, US-based app that can't be self-hosted, and while its encryption and privacy are great, it's not based on open standards and doesn't allow management of users.
Signal is a great consumer app with a lot of emphasis on security and end-to-end encryption. It is also open source, and if these were the only relevant criteria, it would be a good choice for a government agency. However, all Signal servers are in the cloud and subject to US jurisdiction. Even if a government trusts Signal that the encryption is good and the US government cannot eavesdrop, it could still require Signal to block the communication. Just as the Trump administration has just done with Microsoft services for the International Criminal Court (ICC). The centralized approach also makes Signal vulnerable to attacks on the central infrastructure, and there is no way to run Signal on secured or even air-gapped networks. In the event of a real crisis, where undersea fiber optic cables are cut and satellite bandwidth is limited, it is unclear if the US servers would even be reachable. Overall, Signal unfortunately does not offer digital sovereignty.
Furthermore, Signal is not really manageable from an enterprise perspective. There is an immediate problem in ensuring who is in which group, and in adding or removing members and dropouts. This problem becomes exponentially greater when communication takes place across multiple governments, especially for sensitive topics. Under no circumstances should this be left to chance; it must be managed by a formalized IT function, ideally using existing sign-in systems.
As with all consumer messaging apps, Signal has no record keeping, which is against all kinds of compliance requirements. Public sector organizations must be accountable, so there must be records of discussions and decision making. Of course, it's important that communications are end-to-end encrypted, but that shouldn't mean there's no way to create an audit trail if needed.
What requirements should communication solutions meet?
Government communications apps should ensure digital sovereignty, security and interoperability. If you think about the ‘coalition of the willing’ that’s responding to the ever-evolving situation in Ukraine, that’s more than 30 countries – each with multiple departments and military forces – that need to communicate securely in real time. There’s no way that all of those different parties will be using, or could use, the same siloed communications platform. And, of course, they can’t use a platform that’s owned and controlled by a US vendor.
So open-standard-based interoperability is essential as that allows each party to use their own solution, while still being able to federate and communicate securely with each other. That’s very much how SMTP works for email, only for secure real-time communications that standard would be Matrix.
The need for digital sovereignty – for each party to own and control the technology it’s using, and therefore the data within it – necessitates a decentralised technology and one that is open source. If you break all that down, it means governments need to find a solution that is:
- Open source - so that they can be audited and don’t depend on a single vendor
- Decentralised - so that there is not a central point of failure or control, especially outside the jurisdiction
- Self-hostable - so that there is no dependency on a specific hosting vendor or data centre, and can be deployed in a jurisdiction under their control
- End-to-end encrypted - so that nobody can listen in, including the server hoster
- Open standards-based - so that the communication is interoperable
- Highly familiar and simple UX - so that staff actually use the system
- Professionally supported - so that a government can turn to someone for help
- Ecosystem based - so that there is not a single vendor dependency
- Enterprise manageable - so that there is control on access, data retention and policies
What might a decentralized standard for real-time communication look like, and what advantages would it offer over a centralized service?
Communications should be open and decentralised, like traditional telephone networks and the original internet. Decentralisation serves two main purposes; enabling digital sovereignty and ensuring a resilient network.
Enabling digital sovereignty
By separating the hosting of a service from the network, an end-user organisation is able to host its own communications system. Whether hosted on-premise or in a private cloud, the system itself is then entirely owned and controlled by the end-user organisation. That’s absolutely critical for military and government use - organisations that should not be using any form of vendor-controlled cloud service.
There are plenty of communications platforms that can be self-hosted and some are even open source but most – such as Threema or Wire – don’t use a common open standard. All parties must be using the same vendor solution in order to interact. A decentralised open standard for communications – and really here we’re talking about Matrix – enables interoperability, protects against vendor lock-in and unleashes a competitive ecosystem that drives innovation. An end-user government can use a Matrix-based chat client from any vendor just like they can use different email clients but still reach each other by email.
Ensuring a resilient network
Decentralisation is the design principle behind the internet, which sought to ensure communications could continue to flow even in the face of an attack whereby parts of the network would be destroyed. With a decentralised design, all servers are equal and can direct traffic accordingly. Combined with end-to-end encryption, it creates a zero trust communications network that is fault tolerant or ‘self-healing.’ It’s an obvious requirement for military and government use, and combined with mesh and low bandwidth networks is invaluable - especially at a time when communications networks are subject to being pulled arbitrarily by foreign vendors.
To what extent do you see the technological dependence on US-based services as problematic for European government institutions?
It’s a huge problem as we’re in a different world now. Just look at Maxar Technologies pulling its services from Ukraine with zero notice. The threat of Starlink doing likewise. European militaries scrambling to find alternatives to F-35s. Paying US vendors to receive a service is no longer enough as those services can be stopped at the whim of the US government.
Germany, and the EU in general, has been pushing for digital sovereignty for a long time and there’s been good progress with initiatives such as ZenDiS’ openDesk.
What we’re now seeing is digital sovereignty moving from the ‘important not urgent’ box to the ‘very important and very urgent’ box.
How could European technological sovereignty in the field of secure communication be strengthened?
Technical sovereignty revolves around ownership and control of the technology being used. A proprietary, centralised cloud system such as Microsoft Teams or Signal offers zero sovereignty. Even if some of the vendor’s servers are in a European country, it’s still the vendor’s system and the vendor retains all the control. And even if the actual cloud servers are fully European, like in initiatives from SAP / Delos hosting Microsoft or StackIT hosting Google Workplace, this is still not really digitally sovereign as the original vendor can easily cut off the European cloud providers from any updates, which, without open source, would bring such setups to a quick halt.
The first thing European governments should do is to seek out solutions based on open source software. Not from a cost perspective – well packaged and maintained open source software will cost a similar amount to proprietary software – but because it offers transparency. If you can inspect the code, you know exactly what you’re using. And you can take control should the vendor stop cooperating or even disappear.
Second, look for an open source solution that has a healthy ecosystem, as that drives innovation and protects against vendor lock-in. Take the German healthcare sector as an example. It devised a standard, TI-Messenger, based on the Matrix open communications standard. There’s now a competitive ecosystem serving the German healthcare industry with sovereign and secure real-time communications, based on open source software. A public healthcare insurance firm can select from a range of vendors that are all building software to the same interoperable standard, and even then the public healthcare insurance firm has the fallback of being able to take its solution in-house.
The third action is to make sure that, when putting an open source software solution in place, the upstream vendor leading the open source project is involved. That’s the vendor that is driving that particular open source initiative. If that’s the open source you’re committing to, you need to ensure the vendor is able to support that project in the long term in order to make the technology sustainable. Also, by giving back upstream, everyone benefits from economies of scale leading to better technology overall.
What role does interoperability play in secure communication, and how could it be improved to facilitate collaboration between different government agencies?
Interconnectivity is crucial – we’re used to telephones that can call any other number around the world or emails that you can send to anyone who has an email address, regardless of the hosting provider or email software they use - yet most messaging apps and collaboration tools are siloed; Microsoft Teams only interoperates with others using Microsoft Teams. Likewise with Webex, Signal, WhatsApp, Wire, Threema, Slack and other traditional siloed systems.
Each party being able to communicate from its own system, with all the relevant checks and balances, avoids the complications and unfamiliarity of separate parties discussing sensitive topics through guest access to siloed systems such as Webex, which led to the Taurus leak of the German Bundeswehr.
The reason we invented the Matrix open communications standard was to enable secure interoperability. We refer to it as the missing communications layer of the web. The whole point is that multiple parties can host their own Matrix-based system, and interoperate with any other Matrix-based system. Users of the Matrix standard – such as NATO, the Bundeswehr, and the French government – all have their own Matrix-based frontend and yet can connect to each other natively if they wish because they are all Matrix-based.
How do you deal with criticism regarding the security of Element?
Culturally, as an open source company, we’re very transparent. By nature we’re our own biggest critic, but there’s also the huge and vibrant Matrix community that’s reassuringly vocal. Through a combination of GitHub, tech support questions and chat rooms we listen really carefully to feedback. Given the gravity of our customers, almost all of them do their own security audits - they don't simply trust us blindly. We also work constructively with the security researcher community, as per our Security Disclosure Policy and our Security Hall of Fame.
Criticisms tend to be around usability rather than security. We’re in a tough place because we have an unusual business model. Our revenue comes from governments and other large public sector organisations, or directly via their IT services companies. We have to prioritise their requirements, while still also serving consumers, small groups and communities with a free of charge product. That means we’re always having to juggle different use cases.
Being open source also brings revenue challenges when large end-user organisations – and the systems integrators that support them – free ride on our free of charge community components rather than subscribing to an enterprise-grade product. So it’s good that organisations like Germany’s Open Source Business Alliance (OSBA) are helping public sector organisations understand how to purchase open source software responsibly and that organisations like ZenDiS are so mindful about how they work with open source firms.
(mack)