im working on a proof-of-concept messaging app. it has a fairly unique architecture which i think makes it so ChatControl wouldnt affect it... but im not an expert in laws, so im sure im not asking the right questions. any guidance is appriciated.
to make things clear: my project is far from finished. its pretty experiemental, unstable and buggy. im not at a stage where i can say my app is watertight... but that is my general aim.
i think the code for my app is too complicated and not well documented for anyone to pick up and look at in their spare time, so i think its better i describe how it works (please reach out for clarity on any details i may miss!). i hope it can be used to determine how ChatControl can apply to my project.
-
im working on a fully client-side messaging app. cryptography is done client-side using browser API's to generate encryption keys. messages are encrypted client-side and decrypted on the recieving client-side
-
as a webapp i can avoid installation and registration so there are no databases with registered users that can be compromized. user ID's are cryptographically random. this allows allows profiles to be as ephemeral or persistent as the user wants.
-
the app is using webrtc to exchange messages which are then stored on the recieving device client-side only. there is no database storing "pending" messages. if your peer is offline, you cannot send a message.
there are a lot of nuances to a p2p-only messaging app, but i hope that by reducing the amount of infrastructure, it can simplify e2ee.
i dont think its written well enough to be worth your time to do a deep dive into my code, but you can find it here: https://github.com/positive-intentions/chat
non-EU citizens here
The biggest problem with ChatControl is that you are required to weaken the encryption of your chat application, or possibly give authorities access to scan all messages.