this breaks e2e encryption:
It’s also worth noting that end-to-end encryption is necessarily broken as messages to (and from) WhatsApp, Signal and Telegram pass across the bridge(s). The bridge(s) operates in Element’s trusted EMS environment, with no content scanning or datamining, but currently bridged conversations are not stored end-to-end encrypted in Matrix (they will be in the future).
and per the Element CEO, setting up these bridges necessarily MITMs your conversations. Element is incorporated in the US and that means it's subject to National Security Letters and other kinds of sealed warrants -- you shouldn't trust them or anyone else to run a bridge.
warn your contacts not to set this up -- they can accidentally MITM your conversations with them if they set this up without realizing what they're doing and you'll have no way of knowing that it's happened. hopefully, Signal decides to treat this as a vulnerability and blocks the bridges from its network so people don't get inadvertently bitten.
signal and matrix use the same e2e encryption implementation for their clients. signal also has an easier time here 'cause they only have the first-party clients. you can't federate with signal but you also can't get a client that's screwed up the encryption implementation. the problem is, if you set up the above service, it appears as if you have a secure, end-to-end encrypted conversation with other people -- all your clients will tell you that you do -- but instead encryption will be silently broken. and the response from Element is that this is intentional and the user is supposed to be aware of this risk when they click the button to set the service up -- something that's just not reasonable to expect of non-tech-savvy users.
worse, if one of your contacts sets this up, your communications with them will be MITMed and you'll have absolutely no knowledge that this has occurred. and it's the vendor of a secure messaging app that's put you into this confusing position, not merely user error. this is a bad service that's only going to result in people getting inadvertently hit with privacy breaches through shit they didn't even sign up for.
fair