Ethics at Element.

Element is a major vendor of end-to-end encrypted communication solutions, empowering anyone to run their own secure (yet interoperable) communication service on their own terms. Element is powered by Matrix, the open source project for decentralised communication created by the team who founded Element - and much as the open web lets anyone run a website, so Matrix lets anyone run a communication service.

With this power comes responsibility, however - and while Matrix as technology can be used by anyone, the Element team has always had guidelines on who we work with.  After all, Matrix’s end-to-end encryption has at points been subject to the same US export controls that regulate munitions and similar, and can be used both for good and for harm.  As Element, we are intentional about not working with organisations who would deploy Matrix abusively.

At first our ethics policy developed on a case by case basis, but in 2021 we wrote it down internally for the visibility of employees, and particularly to help Element’s commercial team navigate opportunities.  Since the outset, we have repeatedly actively applied it and have previously turned down very significant commercial opportunities as a result.  We’ve published it here - in keeping with Element’s tradition of transparency - to act as a reference point as the subject of open source projects being used by the defence industry has been coming up in a few places and we wanted to make our position clear.

The rules which Element operates under are as follows:

  1. We don’t sell to organisations who would break the Terms of Use we apply on our own servers. In other words, we don’t sell to folks who would use our products and Matrix deployments we run for illegal activity (under UK/EU/US law), and we don’t sell to abusive communities or organisations who we would kick off our own servers.
  2. We don’t sell to governments who are under economic sanctions by the UK/EU/US governments.
  1. We don’t sell to governments with poor human rights, to avoid risk of harm to their population. This is currently defined as countries scoring 20 or less in this quantified ranking.
  1. We don’t sell to governments who are under investigation by the UN for international atrocities.
  2. We don’t sell to organisations who are committing human rights abuses (i.e. abusive organisations within a government, even if the wider government itself isn’t in scope)
  3. We don’t sell to contracts which are primarily a shell for any of the above.

Now, this list may well evolve (although minimal revisions have been required since it was first devised), and it doesn’t cover all the fine detail, but it hopefully gives an actionable overview of our position.

Having listed who we don’t sell to, it might be useful to also give some counter-examples of organisations who we do sell to, based on the application of this policy.  Some more instructive examples of organisations we sell to include:

  • Public sector defence work - e.g. NATO, US Department of Defense, German Bundeswehr, UK Ministry of Defence, Ukraine MOD
  • Public sector ‘blue light’ services - e.g. Emergency services, Police, Fire brigade etc.
  • Contractors for the above (e.g. BWI in Germany, Boeing)
  • Infosec research (e.g. analysing malware and similar security research - but not for organising attacks).

This isn’t an exhaustive list, obviously - we strive to maintain a balanced portfolio between the various disciplines of central government, local government, education, healthcare, defence, national security etc.

Finally: this policy focuses purely on who Element does business with. It doesn’t cover the ethics of  end-to-end encryption, data privacy, law enforcement requests, decentralisation in general, or any of the other hot button topics in this space.  By publishing it, we hope that it gives more transparency to how Element operates, and helps manage expectations in future.