Description
Suggestion
Currently anyone can see anyone else's device list, posing an unnecessary privacy exposure.
Instead, we could limit the device list APIs such that only users who you share an E2EE room with can see them - so a user would have to explicitly accept a DM or join a private room before exposing their device details.
This would avoid the unpleasant surprise of being able to see random users' other devices in a public chatroom.
(This could be problematic for MSC3401, which uses to-device messaging for VoIP calls in non-E2EE rooms, but given users participating in the call explicitly advertise their devices via m.call.member events, it should work out okay.
Another thing that could break would be to-device based device verification. But if one is verifying within a DM (as you should, these days) it should be okay.)
Credit to https://twitter.com/gamingonlinux/status/1510239751286235138 for the idea (and further context).
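
A sketch of the visibility rule suggested above, as an added example that is not part of the original issue or of any homeserver's code. `Room`, `shares_e2ee_room` and `filter_keys_query` are hypothetical names, the room state is constructed, and the MSC3401 `m.call.member` case mentioned above is not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class Room:
    """Constructed, simplified room state (hypothetical model for this example)."""
    encrypted: bool                              # an m.room.encryption state event is set
    members: dict = field(default_factory=dict)  # user_id -> m.room.member membership

def shares_e2ee_room(rooms, requester, target):
    """True only if both users are *joined* to at least one encrypted room.

    A pending invite does not count: the target must have accepted the DM
    or joined the private room before their devices become visible.
    """
    return any(
        r.encrypted
        and r.members.get(requester) == "join"
        and r.members.get(target) == "join"
        for r in rooms
    )

def filter_keys_query(rooms, requester, device_keys):
    """Split the `device_keys` map of a /keys/query request body.

    Returns (allowed_map, denied_user_ids). Users always see their own devices.
    """
    allowed, denied = {}, []
    for user_id, device_ids in device_keys.items():
        if user_id == requester or shares_e2ee_room(rooms, requester, user_id):
            allowed[user_id] = device_ids
        else:
            denied.append(user_id)
    return allowed, sorted(denied)

# Constructed sample users and rooms.
ALICE, BOB = "@alice:example.org", "@bob:example.org"
CAROL, MALLORY = "@carol:example.org", "@mallory:example.org"
ROOMS = [
    # Public, unencrypted chatroom: sharing it exposes nothing.
    Room(encrypted=False, members={ALICE: "join", BOB: "join", MALLORY: "join"}),
    # Encrypted DM that Alice has accepted.
    Room(encrypted=True, members={ALICE: "join", BOB: "join"}),
    # Encrypted DM that Alice has been invited to but not accepted.
    Room(encrypted=True, members={CAROL: "join", ALICE: "invite"}),
]

if __name__ == "__main__":
    for who in (MALLORY, BOB, CAROL):
        print(who, filter_keys_query(ROOMS, who, {ALICE: [], BOB: []}))
```
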