Hide device displaynames from other users altogether, even on the same homeserver

[anoadragon453]

Other users on my homeserver don't really need to know the displayname of my devices, especially since the default of some clients is to share the client name and operating system identifiers.

I propose that we forgo a config option (unlike allow_device_name_lookup_over_federation) and simply prevent local users from seeing the device displaynames of other local users by default. (I'm open to feedback on use cases where a config option would be necessary.)

---

Note that sytest currently assumes that device displaynames are always shared between local users, so this test will need to be updated.

[reivilibre]

It might be worth trying to figure out what the purpose of this was in the first place.

Was it for (pre-cross-verification days) knowing which device to verify when you were talking to someone? Sure, the device ID might work but it's not very human friendly to read over the phone etc.

(Should there be a spec question about this? At some point it seems like we should just cut out the device displaynames for other users if there's no point to them. I don't see why we should remove them from Synapse unconditionally if they're not going to be removed from the spec)

[anoadragon453]

I'm unclear what the original reason was (or whether it was an oversight), but there is some discussion in matrix-org/matrix-spec#421, where people are largely agreeing to not expose device names to any but the owner of the devices.

Going via the spec is good shout. It'd provide privacy benefits across the ecosystem, reduce any surprises client-side (and be a pretty simple MSC to write).

[anoadragon453]

I'm unclear what the original reason was (or whether it was an oversight), but there is some discussion in matrix-org/matrix-spec#421, where people are largely agreeing to not expose device names to any but the owner of the devices.

MSC3480 asserts that the original purpose for sharing device names between users was to make it easier to identify another user's devices when verifying. Now that cross-signing is in use everywhere and users verify other users - rather than individual devices, the benefit no longer applies.

I'm minded to turn this issue into one tracking the implementation of MSC3480. The best course of action to eliminate device names being shared with other users is to remove the field from the spec (when shared between users), which MSC3480 is pushing for. And a specific implementation of it here will help the spec process move forward.