I was surprised to receive a 2am automated message from ‘rocket.cat’ in our company’s self-hosted Rocket.chat instance. It was a notice from Rocket.chat alerting me that from now on registration is mandatory to use the Rocket.chat gateway to enable push notifications to mobile devices.
The reason we run our own instance is to be in full control of the data we share between ourselves in rocket.chat.
However, something that wasn’t clear to me before: push notifications in Rocket.chat involve multiple third parties without users giving explicit consent (which is very problematic in terms of GDPR). This is especially so as there is no way in Rocket.chat to fine-tune when/how you want to receive alerts, nor any meaningful instance-wide settings, and the default is that alerts always get pushed.
When you @user someone, or @all a channel, or even share any message in any channel, the server pushes an alert by default to the mobile devices of the users involved.
That push notification isn’t generated within your own server, or within the mobile applications after receiving the messages concerned directly from our server. It is generated by sending an alert to the Rocket.chat gateway. All alerts from every rocket.chat instance anywhere, self-hosted or not, pass through that gateway. The connection is encrypted, but the content isn’t. The gateway then sends the alert onwards to Google and Apple, for them to generate the alert on the mobile devices involved when the mobile app isn’t running or is in the background. Using Apple’s Push Notification Service and Google’s Firebase Cloud Messaging is common, I realise, but both allow encrypted and/or empty payloads, which doesn’t seem to happen here.
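The empty-payload alternative mentioned above, as an added example that is not part of the original post and not Rocket.chat's code: the server hands the relay only a random id, and the app fetches the text from the self-hosted server itself. All class, function and field names are hypothetical, and the sample message is constructed.

```python
import secrets

class ChatServer:
    """Hypothetical self-hosted server; message text never leaves it in push_id_only()."""
    def __init__(self):
        self._pending = {}  # notification id -> (recipient, sender, text)
        self._tokens = {}   # recipient -> secret issued when the app logged in

    def register_device(self, user):
        self._tokens[user] = secrets.token_hex(16)
        return self._tokens[user]

    def push_with_content(self, user, sender, text):
        # Plaintext variant: relay and push service can read every field.
        return {"to": user, "title": sender, "body": text}

    def push_id_only(self, user, sender, text):
        # Content-free variant: the relay sees a recipient and a random id only.
        nid = secrets.token_urlsafe(16)
        self._pending[nid] = (user, sender, text)
        return {"to": user, "nid": nid}

    def fetch(self, user, token, nid):
        # The app calls this over its own authenticated connection to the server.
        expected = self._tokens.get(user)
        if expected is None or not secrets.compare_digest(expected, token):
            raise PermissionError("unknown device")
        owner, sender, text = self._pending.get(nid, (None, None, None))
        if owner != user:
            raise KeyError("no such notification for this user")
        del self._pending[nid]
        return sender, text

def relay_can_read(payload, secret_text):
    """True if the message text appears anywhere in what the relay receives."""
    return any(secret_text in str(v) for v in payload.values())

def demo():
    server = ChatServer()
    token = server.register_device("alice")
    text = "Q3 offer for client X is 40k"  # constructed sample message
    leaky = server.push_with_content("alice", "bob", text)
    minimal = server.push_id_only("alice", "bob", text)
    shown = server.fetch("alice", token, minimal["nid"])
    return relay_can_read(leaky, text), relay_can_read(minimal, text), shown
```

Even in the id-only variant the relay still learns who is notified and when.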
Rocket.chat put in the gateway as a workaround, where every alert gets sent with their keys, to prevent independent instance owners needing to have their own keys to APNS and FCM (and, as Rocket.chat suggests, to compile their own mobile apps and have them accepted in the app store). I’m not knowledgeable enough about how push notifications generally work on mobile devices, but it surprised me that push notifications always require third-party involvement this way.
Rocket.chat is now starting to enforce registration of instances to be able to use the gateway, because that gateway is becoming a major cost to them. That is not surprising if all alerts of every single Rocket.chat user in the world pass through it. Because those costs are rising, they want to start charging for sending alerts above a certain threshold. To start charging they need you to register with them to both show you your usage and store your payment method.
I don’t like the existence of such a centralised bottleneck. It also comes across as a next step of building on something that seems to have been implemented as a workaround fix to begin with.
This way, even if you run your own independent instance you’re still tethered to Rocket.chat the company indefinitely. It’s completely at odds with why we (and others I presume) run our own instance in the first place.
I therefore disabled all push notifications in our rocket.chat server.