Element, hands on: Secure messaging for tech-savvy organisations


Slack and Teams encrypt customer data at rest and in transit. After a good deal of controversy, Zoom introduced end-to-end encryption, but not for on-premises configurations. Element promises messaging that is both end-to-end encrypted and decentralised, with public and private chat rooms, file sharing, and voice and video calls. It's based on the Matrix protocol, which you can host yourself, use with a free server or run against a commercially hosted service (which won't have access to your message content, but will store unencrypted metadata about conversations, contact lists and IP addresses).


Not all of the public rooms listed on the free Matrix homeserver are this work-friendly.

Image: Mary Branscombe / ZDNet

We wouldn't recommend using the free public Matrix homeserver for business use, though: alongside the many developer, Linux and crypto communities, there are some adult communities with public rooms in the directory that most organisations would find inappropriate, including some banned from Reddit.

Naming can be confusing with Element. Matrix is the underlying specification and you connect to a Matrix server using a client. Element -- formerly known as Riot IM, and Vector before that -- is one of a number of Matrix apps (the French government made its own IM app, for example). As long as the Matrix server you connect to is federated with the one other users connect to, you can communicate with users on other instances using different clients.


Enabling end-to-end encryption removes some integration features.

Image: Mary Branscombe / ZDNet

Matrix can also 'bridge' to other chat networks including Slack, Signal, SMS, Skype, Discord text channels, Telegram, IRC, Twitter and Gitter (now owned by Element) with various levels of fidelity and synchronisation. But setting those integrations up is definitely a job for the IT team, requiring a clear understanding of authentication and federation.

For end users, getting started is relatively simple as long as they know which Matrix server to log into and create their account on. You can connect from the browser or download the Element app for iOS, Android, macOS, 64-bit Windows 10 or 64-bit Debian/Ubuntu (for other Linux distros you have to build and package the client yourself). There's no 32-bit version for Windows or Linux -- the latter is a restriction in Electron, while the former has been on the roadmap for nine months.


During installation there are lots of terms and conditions to approve, along with repeated requests to set up secure backup.

Image: Mary Branscombe / ZDNet

The Element interface is clean and simple, but lacks advanced collaboration features.

Image: Mary Branscombe / ZDNet

Element's user interface has improved significantly since the early days of the mobile Riot client, but it can still be somewhat complicated. There's a kind of progressive reveal for terms and conditions that you have to accept to use the server, create public or private chat rooms or send direct messages to other users, and you'll be prompted repeatedly to set up secure backup for the encryption keys if an admin hasn't already done that.


Because of the encryption, signing into Element with a new device requires you to verify the device with a passphrase, or a combination of QR codes and a one-time emoji password if you have a device that's already logged in. The experience for this is fairly straightforward. Chats and meeting rooms with unverified devices connected show a red icon to warn other participants, but once verified you'll see your chat history on all devices, and messages read on one device will be marked as read on others.

You can invite other users into chat rooms and messaging sessions by their Matrix identity or using their email address, which sends them an invitation to the Matrix service -- business users will certainly prefer that to sharing their phone number. You can set very granular admin roles for chat rooms (the right to change the name of the room doesn't let someone remove messages or ban users, for example) and choose whether new colleagues joining a chat room see the whole chat history or just new messages. Expect invitations and signup confirmations to end up in junk mail or even quarantined though; admins will need to whitelist these or advise users where to look for them. 

IT teams will also need to set policy and explain to users when to enable end-to-end encryption for messaging, because this has extra implications beyond securing message content.


Element's emoji picker.

Image: Mary Branscombe / ZDNet  

Encryption uses Olm/Megolm, an open implementation of the protocol used by Signal, which supports Perfect Forward Secrecy. So if a password or encryption key is compromised in the future, the contents of previous messages won't leak. For security, a conversation that starts as encrypted can't have encryption disabled later. But bridges to other chat networks and most bots won't work in encrypted rooms, and you can only search those conversations in the Element desktop client, not mobile or web. If you want to use Element for ChatOps by integrating with GitHub, Jenkins or JIRA, or have bots for Giphy, Imgur image search or Wikipedia lookups, you can't use end-to-end encryption.

The Giphy bot is also rather primitive compared to picking animated GIFs in Teams, Slack or even Twitter. The bot shows up as if it were a work colleague rather than a chat feature, and you're not picking from previews but typing in a text search, with no way of knowing whether the clip Giphy sends is in fact appropriate for work use or likely to get you a meeting with HR.

Element pitches itself for collaboration, not just chat, so those bots are important for more than just self-expression beyond emojis and stickers. You can upload files (which are also encrypted), but you need the desktop client to see the list of shared files or do screen sharing.


You can make voice and video calls: voice calls use WebRTC, while video calls use Jitsi integration (that's currently free for the Matrix ecosystem or you can provision your own). Again, this lacks many of the niceties of commercial systems like Teams: you can have the video window as a thumbnail inside the chat or full screen, but if it's full-screen you can't put the call on hold. We also had issues where we had to call someone twice for their video to appear.

Users looking for help will find a rather anaemic list of FAQs on the Element site; there's much more detail in the Element blog about features and options, but the information isn't easy to find. Users wanting to know how to use screen sharing, for example, won't want to search through blogs or look on GitHub for app themes to customise the client. 

Conclusions

Element's security and decentralised aspects will be appealing to businesses that prefer to control their own messaging architecture rather than rely on public cloud providers, but it offers a very bare-bones experience for collaboration compared to Teams or Slack. In the long run, Element plans to bring the richer features in Gitter into the Element apps, and a more polished interface will certainly broaden the appeal from the open-source communities that are already comfortable with the tools. For now, Element is best suited to organisations with a high proportion of technology-savvy users and a strong need for encrypted, decentralised messaging. 
