federation: stop texting me, but use text before facebook

:: introductory, technical, federation, computers

In this post I will try to explain what federation is among online services, and why it is vitally important. Also, I will explain why cell phone texting, which actually is federated, bugs me so much.

[Also, see the end of this post for my updated recommendations of federated software and services to use.]

What is federation? Federation in the context of online services means that different providers of the same service can talk to each other. The key example of this is email. Everyone has an email address, and tons of different parties host email servers. You can use a gmail account, a yahoo account, a school account, a work account, you can host your own account, and more! But no matter who hosts your email address, you can send and receive email with any other email address. This is the killer feature that makes email awesome, and why it has survived and flourished despite also having various deficiencies.

One key way to recognize a federated service is that they tend to have user names and host information. Your_name@host_name. This addressing scheme is simple — just like regular mail it tells the service who you want to interact with and how to find them. Facebook and Twitter don’t use name@host usernames, because you can’t use them to talk to people outside of their servers, or on another similar service. That means if you want to talk to someone who uses that service, you have to get that service too.

This cyber-pressuring is annoying and bad for society. And it’s rampant with tech companies. The reason it becomes powerful is the network effect, which basically means that the communication value of a network is not equal to its number of members, but the square of its number of members. For example, suppose I have some communication service with 10 members. Its value would be 100. Suppose Bob has a service with 100 members. Its value would be 10,000. My service isn’t very useful because you can only reach a few people. With Facebook you can reach almost everybody. However, Facebook and other centralized services have various problems. Centralized networks create a central point of control — for example, Facebook can kick people off if it wants, censor communication it disagrees with (can you imagine if Facebook showed more posts for political campaigns its management agreed with than those it disagreed with?), control how you can access their communication services, and pollute those services with more advertising than you can stand. Tech companies love to get into positions of power with the network effect, because it gives them all this control, and that’s very lucrative and ego-inflating. They actively oppose federation because then people would be able to leave them for a better provider that doesn’t abuse their power — just like you are free to get a different email host if yours sucks. Once a company has a large enough network, it becomes a terrible force that makes everyone feel like they need to use that service — everybody uses Facebook, despite the centralized control and soooo much advertising, because everybody else uses Facebook. Everybody feels they have to use Microsoft Windows because hardware and software makers assume everyone uses Windows, so they make everything work with Windows (despite the fact that Windows sucks so much).
Everyone feels like they need Microsoft Office, despite the fact that there are free and open source alternatives like Libre Office, because Microsoft keeps its exact document format secret, so Libre Office can’t use it with 100% compatibility, and everyone feels like they need 100% compatibility because everyone else uses MS Office. Libre Office is just as good for 99% of the uses of Microsoft Office, yet their slight format incompatibility (MS keeping its format secret and not fully supporting the open, standardized format that Libre Office uses) keeps people from switching. Imagine how much our school system could save if every machine for which they shelled out cash for a Windows and MS Office license ran a free copy of GNU/Linux with Libre Office. Imagine how great it would be if you could use a single interface to see posts from your friends that use Facebook and your friends that use Google+. Imagine if you had some control over how that’s done and could filter out all the stupid ads. Federated services with open protocols give you these opportunities.

Now what are some examples of federated services? A great one that everyone should use is Jabber. Jabber (also known as XMPP) is a messaging protocol. Messaging is something very basic that we all do with computers, but without federation you have to juggle various accounts and switch between them to talk to different people. With a Jabber account on any server you can send and receive messages with people on any other server — just like email. You can use various different programs to use it — there are web-embedded chat programs (IE you just use it in your web browser), desktop programs like Pidgin and Adium, Mobile clients (I recommend Conversations for Android), even console programs for nerds, and more! There are online lists of publicly available jabber servers where anyone can get an account. I host a jabber server myself. Everyone please switch to Jabber. Instant messaging has been around for decades. The only reason you can’t have a single account and message with all your contacts is because companies like Facebook and Google want to control their networks — they have purposely chosen not to federate and allow that! But you don’t have to be their pawn — get a federated Jabber messaging account. (You can feel better about pressuring your friends into using an open federated protocol than you can about pressuring your friends into closed, controlled systems like Facebook, Skype, Google+/Hangouts, Twitter, etc)

Now, while switching it might still be nice to talk to your contacts who are still stuck in the non-federated Facebook or Google Hangouts with one app — but they both fortunately have a Jabber interface, so you can use both with the same programs you can use Jabber chats with (Pidgin, Conversations…), although they left out the critical federation bit, so you still can’t use their services to talk to other servers.

Want more federated services? There are various federated social networks (a la Facebook, Google+, Twitter…). Friendica and Diaspora are similar to Facebook, and you can use one of various public servers or set up your own (and they even talk to each other to some extent). GNU Social is like a federated Twitter, GNU Media Goblin is like a federated YouTube. And there are more federated social-network-y things… buddycloud, Friendica Red… I haven’t really decided which of these are better than others, but they are all better in many ways compared to centralized corporations that spy on you, sell your information and give it to oppressive governments (IE whether or not you think the US government collecting all internet traffic and all people’s information is ok (it’s not), other governments that similarly demand data are doubtless more evil), pollute your communication with real people by spamming it with ads, control what programs you can use, how you can use them, how your data is sent and stored, who else can access it, etc.

Finally, let’s talk about texting. It is the same as IM, using Jabber, Facebook messages, Google Hangouts, Skype IM, MSN messenger, etc, etc. It is better than most of those because it is federated — it doesn’t matter who your cell carrier is! It is popular precisely because people assume they can use it to talk to anyone with a cell phone (IE practically everyone in the US and other rich countries). But texting is annoying. You can only use it on your phone (I hate it when I’m at a computer with a real keyboard and a big screen, but I have to pull out my phone to read a message and type with my thumbs to reply). Addresses to reach other people at are meaningless jumbles of numbers rather than something meaningful like user@host (I know several people’s email addresses off the top of my head, even though they can be saved in contact lists just like phone numbers. I remember somewhere around 5 phone numbers.). Texts have to be within 160 characters — your phone probably lets you write longer ones and automatically splits them, and concatenates messages that you receive back to back by the same person, but some services get them jumbled sometimes, which can be frustrating. There is no standard (de facto or de jure) for encrypting them (so cell carriers can read your messages just like centralized Facebook and Google services can).

So please, stop texting me and message me with Jabber. But don’t send me Facebook messages — I’d rather get those stupid texts.

Technical Addendum

If you aren’t interested in more technical details and rants, the main post is already over. You don’t have to read this part. But it has some interesting tidbits.

First off, clients like Pidgin, if you tell them to remember your password, store it in plain text in a file. Granted, unless you are using a system that has a master password (gnome-keyring type thing or firefox’s optional master password feature), that’s what all programs do that offer to remember your password and/or sign in automatically. Just remember to use a different password for your Jabber account. Seriously, come up with a system to vary your passwords enough to be secure and use a different password for everything. Use a very different password for your bank, or other things that could lose you a lot of money if someone gets your password.
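A quick local check for the plain-text storage described above, as an added example that is not part of the original post or of Pidgin. It assumes Pidgin's usual file location (`~/.purple/accounts.xml`) and element layout; the sample file is constructed, and the helper names are hypothetical.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample in the layout assumed for Pidgin's accounts.xml.
SAMPLE = """<account version='1.0'>
 <account>
  <protocol>prpl-jabber</protocol>
  <name>alice@example.org/laptop</name>
  <password>constructed-sample-password</password>
 </account>
 <account>
  <protocol>prpl-jabber</protocol>
  <name>bob@example.net/desktop</name>
 </account>
</account>
"""


def write_sample(path, mode=0o644):
    """Write the constructed sample file with the given permission bits."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE)
    os.chmod(path, mode)


def audit_accounts(path):
    """Report which accounts have a saved password and whether other local
    users can read the file. The password itself is never returned."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    accounts = []
    for node in ET.parse(path).getroot().iter("account"):
        name = node.findtext("name")
        if name is None:  # the root wrapper element is also called <account>
            continue
        accounts.append({
            "account": name,
            "protocol": node.findtext("protocol"),
            "password_stored": bool(node.findtext("password")),
        })
    return {
        "mode": oct(mode),
        "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        "accounts": accounts,
    }


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "accounts.xml")
        write_sample(sample)
        print(audit_accounts(sample))
    real = os.path.expanduser("~/.purple/accounts.xml")  # assumed location
    if os.path.exists(real):
        print(audit_accounts(real))
```

If `readable_by_others` is true for the real file, tightening it to mode 600 keeps other local accounts from reading the saved password, although anything running as your own user can still read it.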

Google used to use Jabber for its chat service back when it was called “Google Talk”, so you could add contacts from any other Jabber server and talk to them! At the time I openly recommended Google Talk, since it was just Jabber. But then Google switched to branding it as Hangouts instead, and decided to cut Jabber interoperability. Curses! I am so mad at Google for that. They still (for now) have a Jabber interface for clients, but you can only use it to talk to other Google Hangouts users (with external clients you can add contacts from other Jabber servers, but messaging with them can silently fail — you think messages are delivered but they’re not). But Google never supported encryption — Google would always send messages in clear text, which could allow interception, changing message contents en route, or spoofing (IE Bob pretending to be Alice). Google did another sneaky thing with regard to encryption — there is an end-to-end encryption protocol used by Jabber called “Off The Record” or OTR. Google used this same phrase in its interface for a mode to simply not log on the server — meaning your messages were still in clear text, and Google can still log them and do whatever with them, but they don’t show up in the user-facing log. Sneaky sneaky, Google. You know, people like Facebook and Google not sending messages that they can’t read is like the mail man refusing to deliver mail if he can’t open and read your letters before sending them. Creepy.

Speaking of encryption, there are two types you need to worry about — end to end encryption (more important) and single-hop encryption (less important). These two types show up all over, actually, and people really misunderstand them. For instance, SSL (the encryption used by encrypted web sites — you see they use HTTP*S* rather than HTTP) is end to end, meaning that nobody between your computer and the server can read the message (the server can do what it wants with it, of course). Your secured WiFi network is single-hop — it means that your communication to your router is wrapped in a layer of encryption, but that layer is taken off between the router and the next hop. The next hop may or may not also have a layer of encryption, but each computer the message is routed to can read it. You can use both — any digital information can be wrapped in an arbitrary number of layers of encryption. But if your end-to-end encryption works, the other layers shouldn’t really matter. So don’t worry about open wireless networks, just be sure you’re using HTTPS for any website that requires security.

Let’s rant about open wireless networks for a bit — ISPs have run scare tactics to try to get people to close up open wireless networks, telling people that it’s not secure. They do this not for your security, but because they don’t want people to have open access to internet — they want people to pay them. If everyone ran open wireless networks, you could have good internet access everywhere even without a cell radio. That would be great. The downside would be moochers — neighbors using your network instead of paying for their own. Whether or not that would be a problem really depends on where you live — in college towns and other high density housing it would be a problem (your neighbors would take all your bandwidth!), but in normal suburban areas most people would probably get their own rather than dealing with the bad signal to the neighbor’s router. Now the ideal situation is those routers that let you have a private network and an open network on the same router — if you can set it up to prioritize the private network traffic then you would get your bandwidth despite moochers, and people travelling by would get convenient internet access. Remember, “Give to him that asketh thee, and from him that would borrow of thee turn not thou away.” Wouldn’t it be great if society actually lived that way? As for the actual security of open wireless networks, the only people who can snoop on you are people physically in the range of the network. So it’s a small number at any time, though a real attacker could camp out there. If you use end-to-end encryption the only information an attacker can get is what servers you talk to and when. So, it’s not nothing, but it’s not much to worry about for most people either — if you just use a public open network with end-to-end encryption you will just be a nondescript passer-by, and this metadata won’t be something that can really be used against you.
Finally, about these stupid ISPs, Comcast has rolled out “open” Xfinity networks on their routers. Basically, it is a semi-open network that you can only use if you are a paying customer of Comcast. In their advertising, they claim security benefits (“you don’t have to give out your password to your visitors” — that means they can only snoop on you to the level of having an open network: they can’t get your email or bank password (unless they don’t use https), and they are probably people you trust to some degree anyway), and they claim a bunch of benefits that open network advocates claim of people using open networks. The caveat is that those benefits are limited to Comcast customers! So clearly Comcast doesn’t actually disagree with the open network advocates’ reasoning, they just want everybody to have to pay them! Moral of the story, it’s nice to run an open guest network. But turn off that stupid Comcast “open” network, because that way you aren’t helping society, you’re just helping Comcast build a network effect on top of all the reasons they are already a monopoly in areas they control (ISPs are like mafias or gangs that carve out and respect each others’ turf).

If you want to use Jabber (please do!), there are some things you should be aware of when you choose what program you use for it. The protocol is extensible (the X in XMPP stands for eXtensible), so there are clients that support some features but not others. One important extension is called “stream management”, which basically means messages won’t be lost if your network connection intermittently fails. This wasn’t a part of the original protocol because it was originally made for home computers (they have good internet connections), so cell phones going in and out of service wasn’t a design consideration (it was made in the 90s). Some Android clients support it (Conversations, Yaxim), but others don’t (Xabber). Also, a good client should support OTR (encryption), message carbons (receive messages on more than one device, so you can continue the conversation elsewhere), and more. I recommend Conversations, which supports more of these features than any other (as of mid-2015).
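Why stream management stops messages from vanishing on a flaky connection, as an added example that is not part of the original post and not code from any XMPP client. It is a simplified model of the acknowledgement counter used by the stream management extension (XEP-0198); the class and function names are hypothetical and the message names are constructed.

```python
from collections import deque

H_WRAP = 2 ** 32  # the handled-stanza counter wraps at 2^32


class Receiver:
    """Peer side: counts every stanza it has handled (the 'h' value)."""
    def __init__(self):
        self.handled = 0
        self.inbox = []

    def deliver(self, stanza):
        self.inbox.append(stanza)
        self.handled = (self.handled + 1) % H_WRAP

    def ack(self):
        return self.handled  # what the peer reports back as h


class Sender:
    """Client side. With use_sm it keeps a copy of each stanza until acked."""
    def __init__(self, use_sm):
        self.use_sm = use_sm
        self.acked = 0           # last h confirmed by the peer
        self.unacked = deque()   # sent but not yet confirmed

    def send(self, stanza, link_up, peer):
        if self.use_sm:
            self.unacked.append(stanza)
        if link_up:
            peer.deliver(stanza)
        # Link down: the local write still "succeeds" into a dead socket,
        # which is the silent loss the post describes.

    def on_ack(self, h):
        newly = (h - self.acked) % H_WRAP
        if newly > len(self.unacked):
            raise ValueError("peer acknowledged more stanzas than were sent")
        for _ in range(newly):
            self.unacked.popleft()
        self.acked = h

    def resume(self, peer):
        """On reconnect, learn the peer's h and resend everything after it."""
        self.on_ack(peer.ack())
        resent = list(self.unacked)
        for stanza in resent:
            peer.deliver(stanza)
        return resent


def run_scenario(use_sm):
    """Send m1..m5 while the link drops for m3 and m4; return what arrived."""
    peer, me = Receiver(), Sender(use_sm)
    me.send("m1", True, peer)
    me.send("m2", True, peer)
    if use_sm:
        me.on_ack(peer.ack())
    me.send("m3", False, peer)   # phone lost signal
    me.send("m4", False, peer)
    resent = me.resume(peer) if use_sm else []
    me.send("m5", True, peer)    # back online
    return peer.inbox, resent


if __name__ == "__main__":
    print("without stream management:", run_scenario(False))
    print("with stream management:   ", run_scenario(True))
```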

If you want to run your own Jabber server (for super techies), I recommend Prosody. You need to get a couple of plugins so your server supports stream management and message carbons — their website has a listing of both official and third party modules for all the extensions. It’s easy to set up, and you can set up account creation to be manual or automatic (IE anyone can sign up), using plain text files or a SQL database.

Jabber also has a protocol for voice and video chats called Jingle. Google Talk voice/video chats used it. I don’t know whether Hangouts uses it under the hood. I know at least 3 clients support it. First off is Jitsi — it works (with video chats) on GNU/Linux, Windows, and Mac OSX. It seems to be the best for those wishing to video chat in the manner they are used to with Skype. As a bonus, it has some good easy to use encryption facilities, so you can be more confident that your video chats are actually private. The main downside of Jitsi is that it is written in Java, and therefore uses Java’s GUI toolkit, which I hate. Java GUIs tend to have weird issues. However, it seems to be a good client for voice and video chats.

Pidgin and Gajim both also support voice/video chats, but only on GNU/Linux. Pidgin seems to work better for it — I had to install some extra packages and fuss to coax Gajim into working with video, but it seems to work easily out of the box on Pidgin. Pidgin will only show controls to start a voice/video chat with contacts that also have voice/video capability, so don’t be alarmed if the controls aren’t there for most of your contacts. Pidgin and Jitsi seem to have some trouble using video together at the moment, but I hope that’s sorted out soon — I would like to convince my family members to use Jitsi, but use Pidgin myself. But perhaps I’ll just launch Jitsi for video sessions and stick to Pidgin otherwise.

Update

(this update is out of date, see below)

Here are my current recommendations for public jabber servers:

  • jabber.at — It supports all the normal features and seems to respect privacy well. It stores no data long term, but it does support offline messages and message history for something like 21 days. So it gives the convenience of sharing your history between clients, but without any long term storage that they will harvest.
  • dukgo.com — It keeps no offline data at all, but note that that means people can’t send you messages when you are offline, and you can’t retrieve any history from when a device was offline.
  • If you want to self-host, I recommend Prosody as the easiest to set up, but it seems that ejabberd is more on top of the latest features.

Note that despite what they say, they could in theory be logging everything, so if you want complete privacy you should use OTR or OMEMO encryption for your chats.

My recommendations for clients are straightforward:

  • For Android, use Conversations. Conversations is free (as in freedom) software, and available for free through f-droid or from source, but you can also get it through Google’s Play “Store” for a couple bucks. It is possibly the best Jabber client that exists right now.
  • For Desktops, I recommend Jitsi, as it works with voice and video well. But if you don’t like Jitsi, maybe try Gajim if you use a GNU/Linux desktop.
  • For iOS… I don’t know. I want to know the best one to recommend, so if someone else does know, please tell me.

Update to the update

(2017-11-29)

For some time now I have been using Matrix with the riot client. And I heavily recommend it. Everyone I used to use Jabber with is now on Matrix, and you should be too!

There is an official Riot app for Android, iOS, web browsers (IE you can just log on with a web browser), and desktop. There are also third party clients, even including weird ones like text-only terminal clients. So you can use it on all your devices. You can send text, photos, videos (like people do with that annoying Marco Polo app), arbitrary files, and you can do live voice/video chats. You can send messages to individuals or groups. You can use optional end-to-end encryption. The Matrix protocol bridges with other protocols, so you can use the Riot client to use other things like IRC. And critically, the Matrix protocol federates, so you can choose from different hosts or host your own, just like with email.