Centralized vs Decentralized: The Future of Encrypted Communication (Part 1)


At the 36C3 conference in Europe in December 2019 - an event hosted by the Chaos Computer Club and dubbed the largest hacker conference in Europe - Moxie Marlinspike, founder of Signal, gave his thoughts on centralized versus decentralized systems. In response, Matthew Hodgson, co-founder and CEO of New Vector published a blog post refuting several of Marlinspike's claims. As a company focused on developing technology based around giving users flexibility, freedom, and security, we at StormFree are interested in this debate and attempt here to engage both perspectives while providing our own analysis of the centralized vs. decentralized debate.

The Future of Encrypted Communications

Moxie Marlinspike's Position

Marlinspike's 36C3 presentation, "The Ecosystem is Moving", reiterates several of the arguments he originally articulated in his May 2016 blog post of the same name. In this presentation, Marlinspike addresses what he sees as the barriers standing in the way of the major goals of decentralized communication networks. These major goals - in Marlinspike's view - are privacy, censorship resistance, availability, and control. Throughout the presentation, Marlinspike asserts that these goals are either extremely difficult or impossible to achieve in a decentralized communication network, since he believes that such a network is not equipped to iterate quickly. He also asserts that centralized communication systems (such as his own) are equipped for rapid iteration, and are therefore the best candidates to achieve these goals. Marlinspike's argument can largely be distilled down to his assertion that decentralized networks result in stasis, while centralized networks provide the level of control that developers need to introduce new features and rapidly push technology forward.

Crucial to the argument that Marlinspike constructs is his idea of what constitutes privacy and control. While advocates for decentralization often contend that control comes from the ability to choose where their data is hosted or the capability of hosting their own data entirely, Marlinspike believes that control comes from preventing user data from being accessed by those who handle it. This view of control can be observed in the way that Signal operates, where a central server transmits message data between users but is not able to decrypt it. Signal also incorporates features like sealed sender, which takes this principle one step further by preventing the server from knowing who is speaking with whom in the application. The Signal application also offers private groups and private contact discovery features to further limit the metadata that servers have access to.

Regarding censorship resistance, Marlinspike asserts that creating a centralized system that can offer multiple ingress points is preferable to a decentralized system. His reasoning behind this position is that - in his view - it is easier to create new ingress points to compensate for censors blocking access than it is for users to migrate to entirely new servers when one is shut down. This perspective is particularly interested in the preservation of a user's social graph, the contacts that a user establishes when using a communication application like Signal. One of Marlinspike's issues with having to migrate between servers to avoid censorship is that this process can often lead to a user losing all of their established contacts and conversations. As a result, he contends that centralized messaging services like Signal or Telegram offer the most realistic and user-friendly censorship resistance capabilities. 

Availability is another feature that Marlinspike believes is not present in decentralized systems, claiming that splitting Signal's servers between two data centres would actually increase the chances of an outage, and would halve the availability of the service. This is a confusing assertion, and Marlinspike seems to base it upon the idea that moving from a single data centre to two data centres increases the hardware that a service is reliant upon, thereby increasing the statistical likelihood of one piece of that hardware experiencing a problem. 

New Vector's Position

Matthew Hodgson is the technical co-founder and CEO/CTO of New Vector, the for-profit company that oversees the development of Riot.im and the Matrix protocol. 

The Matrix ecosystem is a decentralized, federated communication network that offers E2EE based on the Signal Protocol in its flagship chat client, Riot.im. As a decentralized ecosystem, Matrix is the antithesis of Signal's centralized network, despite the two sharing the broad similarity of being tools used to facilitate secure communications. So, it's unsurprising that Hodgson responded to Marlinspike's original blog post with a blog post of his own, "On Privacy versus Freedom", which strives to refute Marlinspike's claims about the downsides of pursuing a decentralized ecosystem. 

Hodgson's post conceded that each of Marlinspike's assertions was valid to some extent, but he clearly disagreed with the majority of the Signal founder's claims. Hodgson admitted that building a decentralized system - where users are free to run their own servers that may or may not conform to the rest of the ecosystem - is more difficult and time-consuming than building a centralized one, but he also claimed that Matrix has seen little fragmentation within its ecosystem. Following this, Hodgson addressed Marlinspike's concerns about metadata retention in decentralized systems, explaining that Matrix is aware of this issue and is working on addressing it by introducing hybrid peer-to-peer (P2P) and client-server models to keep metadata on client devices. When combined with nomadic accounts - another feature in the works at New Vector - these features might eventually allow the central Matrix.org homeserver to be shut down, further decentralizing the ecosystem and preventing the largest server from exercising undue power over the entire network. The push by New Vector to decentralize the Matrix ecosystem (which is currently partially centralized around the Matrix.org homeserver) shows their commitment to ensuring that users retain control over their own communications and data.

In relation to Marlinspike's assertion that switching servers is more cumbersome than switching applications, Hodgson contends that communication silos (like Signal) also make switching applications difficult, since doing so necessitates convincing an individual's contacts to also switch applications. This problem of chat application silos is exactly what Matrix's interoperable design is intended to address, allowing users of different chat applications to connect across a common federated protocol. In Hodgson's view, the barriers that exist when completely changing the server or the application one uses to communicate securely are comparable, and both situations represent an inconvenience to the user. 

The primary thrust of Hodgson's rebuttal contemplates the meaning and value of freedom. Hodgson explains that his view - and the view of New Vector - is that true freedom comes from what Matrix offers: the ability to choose where to host your data, which server to use, which identifiers to register an account with, and how much metadata and history to retain on a server. He also points to the fact that using a centralized solution such as Signal is "putting all your eggs in one basket", as this type of system offers no ability for users to build on and modify the protocol. Essentially, Hodgson says that using a centralized service requires that users blindly trust that Signal (or any other chat silo) will continue to uphold their privacy and security standards in the future, which may not necessarily be the case. While Signal today appears to be a highly secure communication tool, there is very little preventing them from allowing government agencies to collect user data in the future, or from taking other steps that might not align with user expectations. Alternatively, in a decentralized system like Matrix, the user base could choose to not implement new homeserver updates if New Vector began to make changes that did not align with the community's expectations of privacy and security. Another risk factor that Hodgson points to is that a centralized system, especially one like Signal that is used to encrypt the communications of billions of users, represents possibly the "single highest value attack target" on the internet today. Thus, using Signal also requires that users trust that the centralized system's servers will be able to withstand the attacks of malicious actors both now and in the future. 

Hodgson concluded his blog post by reminding the reader that the entire success of the internet is the result of its openness, interoperability, and decentralization - factors which he believes are worth working for. To avoid trying to solve these issues because they are difficult is, in his view, to throw away all the potential of an open network. Finally, Hodgson declared that New Vector will continue to work to prove Marlinspike wrong and to demonstrate that Matrix and Riot can be as secure and metadata-protecting as Signal without forcing users into a walled garden or robbing them of their control.

Analysis

Both sides of this debate raise valid points about the pros and cons of decentralized systems and the place that they have in the modern secure communications market. We will discuss these points as well as StormFree's position on the debate in an upcoming blog post.
