Location and XMPP Internet Chat

One feature of XMPP clients which receives less attention than it deserves is the ability to send the current Location of the user, as defined in the XEP-0080: User Location feature.

If you are using, say, the Conversations client (or derivatives such as Snikket), you can attach your current location to a message using the paperclip icon at the top of the screen.

The recipient (or recipients, for a group chat) receives a message with a ‘Show Location’ button, and clicking on that will open a map showing where the sender is.

Uses

The ability to easily send an unambiguous location, without needing to know where you are yourself, has many uses – some of which workarounds like What3words, Mapcode and other geocoding systems attempt to cover.

Such systems require that your phone runs an app which can determine your location (i.e. your current latitude and longitude) and convert it to something more convenient to be sent by speech, or possibly as a text message. If you already have an app which can transmit your location, and also chat, send photos and videos etc, then it is simpler to use that.

Family and Friends

When meeting up with friends in a place you do not know, it is very handy to be able to send your location quickly and easily.

Breakdown services

Many breakdown services can see the benefits to them of an app which can send their client's location, but an app which only does one thing, and which you hope not to use, is a poor use of your phone’s resources. If they had an XMPP contact point – say ‘help@rescueservice.example.com’ – then clients could use that to provide information on where they are, as well as further information on the problem.

Reporting Potholes, Fly tipping …

There are many situations where an accurate location report would be useful, as well as the ability to send a picture. Councils could use a set of XMPP accounts, e.g. pothole@oxfordshire.gov.uk for

Tour groups

Organised tours, particularly those where not all the group members will be together all the time, could benefit from the ability for the group leader to send a message saying ‘I am here’ – at some convenient meeting point – and a message asking members to be there in half an hour. By running their own server they could create temporary (or not) client accounts for group members who do not have an account, and add everybody on that tour to a Group Chat.

Where are you?

A possible XMPP extension would be a standard way to ask the client program for a location report. Depending on the source of the query this could result in

  • The user being asked if they want to send the location, or decline to send it (which would send a reply indicating this) or ignore the query
  • The device sending, declining or ignoring, depending on what it had been told to do.

Sharing security information with XMPP

I run several systems spread across the Internet, and all are being probed by bad actors. They run services like fail2ban, which protect them, but looking at the logs they are often targeted by the same attacking host. It would be useful to be pro-active and have an attack on one counted as an attack on any, and to be able to distribute this information more widely.

This describes the cobbled-together system I have at present, with plenty of room for improvement.

The XMPP Group.

This is a chat group called (for example) secinfo@example.net, created from an Administrator account using Gajim on an XMPP server under my control.

There are also XMPP users for each target host called secinfo-hostname@example.net – created by

prosodyctl adduser secinfo-hostname@example.net

Having created the accounts for the hosts, the chat group owner should go into the account in Gajim, make the participating hosts members, then go into Group chat Configuration, tick Persistent, make sure the room is not included in public lists, and tick Only allow members to join.

Client-server software

The software implementation uses slixmpp, so

apt install --no-install-recommends python3-slixmpp

Note that slixmpp recommends several packages not required for this purpose, though they may be useful in other contexts. I have only tested with version 1.10.

An initial version of the software can be found at https://gitlab.com/JohnLines/secinfo-xmpp.

Current state

At present the software reads from fail2ban, via a local rule which invokes

actionban = /etc/fail2ban/action.d/secinfo-xmpp.sh "v=1,t=f2b-b,j=<name>,i=<ip>" || true
actionunban = /etc/fail2ban/action.d/secinfo-xmpp.sh "v=1,t=f2b-u,j=<name>,i=<ip>" || true

and sends the messages to the group. The ‘|| true’ prevents the action from failing if secinfo-xmpp is not running.

It reads messages from the group, and if they contain a ban action from another host then it executes a ban action on the local host for the same jail and IP address, unless that IP address is already banned.
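The receive-side check described above, sketched as an added example (not code from the secinfo-xmpp repository): it validates every field of a group message before anything is handed to fail2ban-client. The function names, the jail-name pattern, the never-ban list and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: jail names are restricted to this conservative character set.
JAIL_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Constructed example: networks this host must never ban on a peer's report.
NEVER_BAN = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "198.51.100.0/24")]


def parse_secinfo(body):
    """Parse 'v=1,t=f2b-b,j=<jail>,i=<ip>'; return a dict, or None if malformed."""
    fields = {}
    for part in body.strip().split(","):
        key, sep, value = part.partition("=")
        if not sep or key in fields:
            return None  # missing '=' or duplicated key
        fields[key] = value
    if set(fields) != {"v", "t", "j", "i"} or fields["v"] != "1":
        return None
    if fields["t"] not in ("f2b-b", "f2b-u") or not JAIL_RE.fullmatch(fields["j"]):
        return None
    try:
        fields["i"] = ipaddress.ip_address(fields["i"])
    except ValueError:
        return None  # not a literal IPv4/IPv6 address
    return fields


def local_action(sender, own_nick, body, local_jails, banned):
    """Return the fail2ban-client argv for a group message, or None to ignore it."""
    if sender == own_nick:
        return None  # our own report echoed back by the room
    msg = parse_secinfo(body)
    if msg is None or msg["t"] != "f2b-b":
        return None  # malformed, or an unban (only bans are mirrored)
    jail, ip = msg["j"], msg["i"]
    if jail not in local_jails or any(ip in net for net in NEVER_BAN):
        return None  # no such jail here, or a protected address
    if str(ip) in banned.get(jail, set()):
        return None  # already banned locally
    return ["fail2ban-client", "set", jail, "banip", str(ip)]  # argv, no shell
```

The returned list is meant to be passed to subprocess.run() as an argument vector, so no part of a chat message is ever interpreted by a shell.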

Who owns ‘your’ contacts

If you are a doctor, or a politician, or someone in a position of responsibility in a charity, or you are using your personal phone to contact work colleagues or customers, then there are probably contacts on your phone which you hold in trust, but does the fact you hold their information give you the right to give it, without their knowledge or consent, to a third party?

Almost every ‘free’ social media app is financed by selling personal information to advertisers, and when you grant an app access to your contacts the owning corporation has access to as much as you know – at the very least phone numbers, but potentially home and work addresses, dates of birth etc. In fact the corporation probably knows a lot more about them than you do, as it knows who else’s contact lists they appear on.

If your contacts include vulnerable people, then you have a duty of care in relation to releasing their personal information. For example, they might be more susceptible to poor buying decisions: people with poor self-esteem respond more readily to advertisements for ‘quick fix’ weight loss products, and vulnerable teens are known to be a potential market.

Note that this does not happen the way a person would think about it (e.g. ‘this person runs a support group, let's target them’), but by an algorithm which takes large amounts of data and profiles people in a more general way, creating groups of people more likely to respond to particular types of message.

The message might not be ‘buy something’ – it could equally well be ‘vote for something’ or ‘protest about (immigration, violence against women, corrupt government, damage to the environment, …)’.

If you are an estate agent your contacts list probably contains more people who are about to buy new furniture than if you are, say, a farmer.

What are the risks?

Exchanging your personal data for some benefit from a marketeer has a long tradition – and can be mutually beneficial. This can avoid you being bombarded with information on unwanted products, and can also allow a retailer to offer targeted discounts or coupons.

The big datasets of customer information can lead to companies knowing more than they may expect; for example, a supermarket knowing a teenage girl was pregnant before her parents did.

There is, I believe, a difference between trading your privacy for some benefit, compared to the personal information of a third party who will not benefit from the arrangement.

What are the options?

Instant messaging is a very useful facility, particularly with the ability to keep in touch with friends or family, or local groups, so is it possible to use Instant Messaging, while not sharing information about other people?

Use a second phone

If a company entrusts its employees with customer data, the company should consider the risks and benefits of providing them with a ‘work’ phone and insisting that work and personal contacts must be kept separate. Despite the inconvenience of staff having to carry a ‘work’ and a ‘personal’ phone, there is a risk that the company's data will be leaked via personal use of a proprietary IM app. There is also a risk to the employees' privacy (and that of their contacts) if the company backs up contacts from phones to its own systems.

I use an old Android phone, which I only use for WhatsApp, which I do use, reluctantly, as there are people I want to keep in touch with who use it – largely because of the network effect where they have contacts who use it – and so on. As this phone only has contact information for people who are already WhatsApp users, it is not giving Meta group any information they do not already hold. This phone also has an XMPP instant messenger app on it – see below – which allows me to forward important messages.

Use an iPhone with iOS 18 or over

With iOS 18 it is now possible to allow an app to only have access to a limited subset of your contacts. This is a big improvement over previous versions which, like Android (up to Android 15), only allow or deny an app access to all your contacts – and WhatsApp will not run without Contacts permission.

Use an Internet Standard XMPP Instant Messenger chat app

Unlike WhatsApp, Signal, Telegram, Viber, Facebook Messenger or other proprietary Instant Messengers, there is a wide range of apps which will talk to each other over XMPP. It is fairly easy to find one (such as Conversations or Snikket) which does not require access to your contacts information.

These can be installed on the same device as a proprietary Instant Messenger, and allow you to communicate with other XMPP users. If you are in an area where the privacy of end users is important then consider making XMPP accounts available to those users who do not have one. With Snikket hosting this has become much easier, as you can rent a simple hosted service from them to try it, with the potential to run your own system if this becomes more cost effective.

If you represent a small UK charity who wishes to try hosted Snikket, and you can receive donations via the Charities Aid Foundation, please contact me to discuss funding a pilot. I can be contacted by email to john+snikketoffer@paladyn.org, or by posting a comment on this article. Comments are moderated, and I will discuss with you before making the comment public (or not if you prefer).

Larger organisations will probably want to integrate XMPP chat with the other systems they use, which can be done – the systems are very flexible – but they are still welcome to contact me as above to set up a pilot.