We don’t know. We don’t have access to what’s running on their servers.

Aren’t they audited, tho?

(yes i know that the source code is available, but there’s no way to check if that’s the same thing running on the servers)

But isn’t this true for most services, such as Matrix as well? Nothing assures that a Matrix instance is running the exact code on git.

Usually the government goes there a just takes whatever is in the rack they want.

But if your threat model is the goverment, aren’t all services affected as well? If they want to take element’s servers, they will. If you selfhost and they want to take your server, they will?

The problem is that you have to trust them.

I feel like in communication apps you’re always going to have to rely on trust. Even if you self-host in a Swiss server, with the best intentions and security practices… Other people are going to have to trust you. You trust yourself, but others might not.

And what metadata is Signal leaking? As far as I know even their notifications are not sending the message.

The government seizing an entire batch of amazon servers seems unrealistic, but the data would be encrypted anyway. Do they even store messages on servers, anyway?

If everything is e2e encrypted do servers actually matter?