rvrb 2 days ago

Users in a Discord server/local community on tools like Discord naturally expect that their actions within that community are private in so far as they trust everyone in the community (including the operator) to keep it so.

By using ATProto, Colibri fundamentally makes all of your communication within any community completely public to everyone on the internet.

That’s fine for something like Twitter, where the product sets the expectation of such a thing. You can imagine how big of an issue this is when you try to do it in a trusted community model. Add on that Discord is used by kids who likely don’t know this and you can see why this is dangerous.

I consider this not just a liability but bordering on negligence. It is fundamentally broken at an architectural level.

AbanoubRodolf a day ago

The structural problem is that AT Protocol repos are crawlable by design. Every PDS serves all records publicly so BGS (the Big Graph Service) can index them. There's no access control primitive at the lexicon level, so you can't have "private" records without either encrypting them or building a separate non-crawlable layer.

Bluesky solved the DM case by adding E2E encryption using the Signal protocol -- that works because it's 1:1 with a well-understood key exchange. Group chat is harder. Every membership change (someone joins, someone leaves) ideally requires a key rotation so former members can't read future messages. For a 10k-member server that's already expensive; for a large gaming community it's impractical with current approaches.

The Discord DMs aren't E2E encrypted either, for the same reasons. The difference is Discord doesn't claim to be a decentralized open protocol, so users don't think about it the same way. Colibri's marketing around ATProto creates an implied trust that doesn't actually exist at the privacy level.

Alpha3031 a day ago

MLS would be the primary standard for group messaging these days with the usual guarantees, right? (PFS, backwards secrecy, etc.) As I understand it from the RFC, large groups were an explicit design requirement and costs are supposed to be asymptotically logarithmic in group size, so I don't see why it couldn't be used. I feel like Colibri (based on their page) just doesn't believe it's their problem, which seems... irresponsible.
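Added example, not part of the thread: a toy of the tree-based group key agreement the two comments above argue about, AbanoubRodolf's concern that every join or leave forces a rekey and Alpha3031's point that MLS makes that cost logarithmic in group size. It simulates an MLS-style ratchet tree with hashing in place of public-key crypto, counts ciphertexts the updater must send when a member is evicted, and checks that the evicted member cannot derive the new group key; the class names, node layout and pad-based "encryption" are this example's own assumptions, not anything from Colibri, Bluesky or the MLS RFC itself.

```python
"""Toy TreeKEM-style ratchet tree, the structure MLS (RFC 9420) builds group keys on.
Heap layout: root = 1, children of i are 2i and 2i+1, member m sits at leaf n+m. 'Crypto'
is SHA-256 plus a one-time pad under a node secret: enough to count ciphertexts per
membership change and check who can derive the new group key; not a usable cipher."""
import hashlib, os
def H(label, data): return hashlib.sha256(label + b"|" + data).digest()
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
class Group:
    def __init__(self, n):
        assert n & (n - 1) == 0, "toy assumes a power-of-two member count"
        self.n, self.members = n, set(range(n))
        self.secret = {v: os.urandom(32) for v in range(1, 2 * n)}  # None marks a blank node
        # trusted setup: each member holds the secrets on its own leaf-to-root path
        self.known = {m: {v: self.secret[v] for v in self.path(n + m)} for m in range(n)}
    def path(self, node):  # leaf first, root (1) last
        return [node >> i for i in range(node.bit_length())]
    def resolution(self, node):  # non-blank nodes covering node's subtree; a blank leaf covers nobody
        if self.secret[node] is not None:
            return [node]
        return [] if node >= self.n else self.resolution(2 * node) + self.resolution(2 * node + 1)
    def commit(self, updater, remove=None):
        """Rotate the updater's path (evicting `remove` first if given) and return the ciphertexts sent."""
        if remove is not None:
            self.members.discard(remove); self.known.pop(remove)
            for v in self.path(self.n + remove)[:-1]:  # blank the leaver's path below the root
                self.secret[v] = None
                for k in self.known.values(): k.pop(v, None)
        path = self.path(self.n + updater)
        new = {path[0]: os.urandom(32)}
        for child, parent in zip(path, path[1:]):
            new[parent] = H(b"path", new[child])  # path secrets ratchet upward to the root
        cts = []  # (recipient node, updater-path node it unlocks, ciphertext); pairwise would need n-1
        for child, parent in zip(path, path[1:]):
            for r in self.resolution(child ^ 1):  # child ^ 1 is the copath sibling
                cts.append((r, parent, xor(new[parent], H(b"enc", self.secret[r]))))
        self.secret.update(new)
        for m in self.members:  # the updater already holds the whole new path
            self.known[m] = dict(new) if m == updater else self.process(self.known[m], cts)
        return cts
    @staticmethod
    def process(known, cts):  # decrypt the one ciphertext this view has a key for, then derive up to the root
        known = dict(known)
        for r, node, ct in cts:
            if r in known:
                known[node] = xor(ct, H(b"enc", known[r]))
                while node > 1:
                    known[node // 2] = H(b"path", known[node]); node //= 2
        return known
    def all_agree(self):  # every current member derived the same group key (the root secret)
        return all(self.known[m].get(1) == self.secret[1] for m in self.members)
```

For 1024 members a plain rekey costs 10 ciphertexts and evicting the member farthest from the updater costs 18, against 1023 for a scheme that encrypts the new key to every member individually.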

throwawaymobule a day ago

Bluesky DMs aren't end to end encrypted. Where are you getting that impression from?

pixel_popping 15 hours ago

He is a bot.

gzread a day ago

Even with all that, you're leaking an unacceptable amount of metadata.

And what about reliability? If I cause the key to change, and then alter my PDS so it only shows that event to one half of users, did I completely mess up your protocol so you have to delete the chat room and start over?

verdverm 21 hours ago

> Bluesky solved the DM case by adding E2E encryption using the Signal protocol

This is patently false. Bluesky DMs are not E2EE, they do not use Signal.

Germ is the MLS-based system that a few Bluesky users are on, but it started separate from ATProto and has had account integration to atproto added on later. The folks behind that are a separate entity from Bluesky. I'm not keen on this setup; I'd prefer an MLS scheme where there are more controlling entities of the servers.

I agree E2EE chat is not the foundation for a Discord alternative and that Colibri has poor messaging and understanding. Communities need permissions, UX needs visibility into the data for things like search. E2EE has unsolved scaling problems required for real world communities.

consumer451 2 days ago

I agree that is borderline negligence, and by far the biggest issue with AT and Bsky. Here is what I believe to be the most recent discussion on that topic:

https://github.com/bluesky-social/atproto/discussions/3363

quasigod a day ago

There are more recent updates on it in a blog post from Bluesky's head of protocol: https://dholms.leaflet.pub/3mhj6bcqats2o

consumer451 a day ago

Very cool! Thanks for sharing that.

theturtletalks 2 days ago

Having something like circles from the Google+ days would be needed if ATProto is going to go anywhere. Is it possible in the protocol?

Multicomp a day ago

Yeah, having the messages be e2ee by default and then extending it out to one or more groups depending on which circles are currently included for messages could let atproto act like an encrypted group chat with crisscrossing group chats per message, which can ratchet up and along with the new encryption keys each message/batch of 10 messages/hour/day until that client is dropped from a group or a group is dropped from a conversation; then the keys change and PFS prevents old clients from continuing to read future messages.

Sure, you can see that users emit messages in the PDS, but you don't know if it's for your former group or other activity.

verdverm a day ago

The current conversations are around how to do permissioned data properly on atproto. I have a prototype, but Bluesky hasn't participated in the community effort and looks to be doing their own thing. They also took Bain Capital "funding" (private equity), which was the breaking point for me. They could have set up subs for nothing and made more than that, hard fumble imo.

louisescher 2 days ago

Fair point! A different user has already pointed out that this isn't disclosed enough on the landing page, and I'll be adding a section to clarify that, both on there and in the app itself.

I think one of the replies here already linked the current proposal for private data spaces, which I'm hoping will become implemented later this year. At that point, people will have the option of either having their community be 100% public, or confined to a more Discord-style data storage, where people can still join, but not everyone can "just read" the messages.

steveklabnik 2 days ago

Just want to chime in with, this does feel very slick, but this was the #1 question I had. I could not determine it from your site, and had to try it out to see.

One major criticism of things like Discord is that they're private, so I don't think that it's inherently disqualifying, some people might even prefer it for that reason. But it's very, very important that you're very clear about this, up front.

louisescher 2 days ago

I really appreciate you chiming in, no matter how slick! New section has been added, lmk if you'd like to see this adjusted further.

steveklabnik a day ago

Much much better! Thank you!

david_shi a day ago

The first assumption has been long disproved since multiple full scale Discord data leaks. If it's a public server, it can be scraped.

https://www.malwarebytes.com/blog/news/2024/04/billions-of-s...

em-bee 2 days ago

any discord server that offers public invites is effectively public.

rvrb 2 days ago

First, the user knows this when joining a public community.

Second, the moderators can choose to remove someone who has joined the community in bad faith.

Third, it is entirely different than broadcasting every single action taken by every single user in every single community on the entire protocol to anyone with one URL.

0x457 19 hours ago

> First, the user knows this when joining a public community.

From Colibri: your community chats are public and visible to everyone by default.

So it's the same.

> Second, the moderators can choose to remove someone who has joined the community in bad faith.

Colibri has mod tools as well.

> Third, it is entirely different than broadcasting every single action taken by every single user in every single community on the entire protocol to anyone with one URL.

Sure, but then just don't use it?

It's really not that different from how IRC worked. Except persistent history is part of the protocol and not some bots.

This is not public communities, not for a small group of friends sharing edgy memes and discussing national security.

em-bee 2 days ago

the moderators can choose to remove someone who has joined the community in bad faith

unless you prevent new members from reading the chat history until given permission then they can already read everything before they are kicked out, and they can come back with a different account.

you also can not detect people acting in bad faith if all they do is read.

basically, you can't expect privacy if you don't limit members to people you know and trust. that goes for any group chat, encrypted or not.

i also doubt that discord chatlogs are encrypted on their servers.

rvrb 2 days ago

What is your point? I feel I made the one you are making before you even responded the first time.

That Discord communications can be exfiltrated in this specific set of circumstances (again, something I already said) does little to change that Colibri is implemented in the least privacy preserving way possible, short of publishing directly to every news and intelligence agency on your behalf, and does little to make that very clear in the first place.

em-bee a day ago

you said: Users in a Discord server/local community on tools like Discord naturally expect that their actions within that community are private in so far as they trust everyone in the community (including the operator) to keep it so.

my point is: you don't get that in a public discord. and i believe that most discord servers, those for games anyways are public. only small team discord servers are private. privacy on discord is an illusion. i also would not trust discord to keep any messages private even from a private server.

you seem to imply that just by looking like discord colibri promises the same privacy options as discord. why? colibri does not present itself as a discord alternative. and although the line "privacy when needed" was misleading, in the FAQ they clarified that there is no private data. (to be sure i checked the site as it was 2 weeks ago: https://web.archive.org/web/20260311020805/https://colibri.s... )

verdverm a day ago

> the moderators can choose to remove someone who has joined the community in bad faith

This is one of the challenges of building a Discord alternative on atproto. Allow access or not, how moderation works, and having shared ownership that can change.

eximius 2 days ago

Private channels in public servers exist. I'm almost entirely on private servers.

verdverm a day ago

This is one of the challenging aspects of defining permissioned spaces on atproto. In essence, you have a completely separate database per user (it sits next to their repo) with which you can do a permissioned public->private spectrum. Nesting more privacy inside another permissioned space requires breaking the typical permission walking chain, e.g. in Google Docs, if you have access to a folder, you have access to the subfolders.