The Aytwit project strives to inspire trust and sparkle with transparency in every way possible - social, legal, and technical. There is no software system that can be trusted 100% and the Aytwit website is no exception. But most of the work that goes into projects like Thoughter
is aimed at establishing the most trust possible. So you should always be suspicious, but Aytwit logically deserves at least a tiny
bit more trust than most online entities, because instead of openly selling your data you're asked for money
to help protect it. So it would be extra
evil to take both your money and
your sou- I mean data. Like devil evil. But this is not the devil. Trust me.
- Ask as little about you as possible.
- What little is asked should be encrypted as securely as possible, even to the degree that only you or a chosen other party can decrypt it, because...
- Assume all stored data will be leaked at some point, perhaps even intentionally, and act accordingly.
- Respect the resources, attention and personal cyber space of all people who visit the website or utilize its services or goods in any way. So no tracking, ads, or dark patterns. Keep the site fast to load and simple to render so it looks and works the same on all devices. Minimal access by, or use of, third parties.
- Assume said personal cyber space is already being unknowingly invaded and disrespected by questionable entities, even otherwise authorized tenants, like email providers or web browsers themselves. Therefore send as little information as possible to said space so the gremlins don't have as much to chew on.
- Email is currently the sole communication medium and it's insecure on several levels. So more communication mediums will be supported in the future.
- Credit card information is handled entirely by the payment processor Stripe, for example for donations or the shop. The Aytwit server never stores or even sees any actual credit card information. It is sent to Stripe directly from your browser over an encrypted connection and they return a token (which is a fancy word for a bunch of random letters and numbers) to Aytwit. When it comes time to charge your credit card (only on thought match!), the Aytwit server sends this token back to Stripe and they charge your credit card. Credit cards are pretty secure but they don't allow anonymity, so cryptocurrencies are on the short list for new features.
- Data Transfer to/from the aytwit.com website uses TLS to protect data over the wire, but for Thoughter Aytwit's server currently sees emails and messages for a brief instant before deleting them and/or mathemagically scrambling them for everyone except the two parties who are thinking of each other. A second version of the protocol is already designed to account for this weakness, where at-rest encryption happens before data even gets to Aytwit's server, but implementing it will take time.
- Server Hosting is currently provided by Google's Cloud Services, which is fine for now, but who knows if Google is sniffing around. So it would be nice to self-host more and more infrastructure in the long run.
- What is not done (just to be clear) is storing any Personally identifiable information unless you subscribe or donate on a recurring basis, in which case we store your email address encrypted in a database. See the subscriber SQL table for more details, but the main thing is that this is a major step beyond how your email is stored by 99% of other websites. Anyway, no personally identifiable information is shared with third parties beyond the temporarily necessary "evils" outlined above of using email as the communication medium and 3rd party services for donation mechanisms. But c'mon everybody does that, and again even those technicalities will both be addressed.
There's only one inherent conceptual weakness in Thoughter's protocol. If the Federales
knock down the door and demand to know whether Pancho Villa
has an unmatched thought to Fransisco Madero
, that can be checked. However, the Federales must provide the exact email addresses and hashtag used within the time window that Pancho pushed his thought. In other words they must already know the information they're looking for in the first place, and
look for it at the right time. They can't just look through the entire database to see if any revolutions are forming. Furthermore, Pancho and Fransisco can use private email addresses or a secret hashtag to make it practically impossible for anyone to decipher their shared thought. And of course the thought is deleted as soon as it can be. As a result of all this, if there's a public database leak, not only is the data limited and largely useless, but it is also encrypted by a private key stored entirely separately from the database. So a hacker would have to compromise two separate systems and their reward would still be a bunch of random numbers and letters, each row of which is only decipherable if the hacker knows the two email addresses and the hashtag used to form that row. And if they know it already then the information causes limited damage. Please see technical details
for more information.
There are probably a few ways to make Aytwit more trustworthy through legal mechanisms, but this is not something that has been looked into deeply yet. Some possible options here include passing third party audits, official compliance with new regulations coming out of various governments, turning Aytwit into some kind of nonprofit entity that is inherently more open and "aquisition-proof" than standard corporations. Who knows. Need to talk to some lawyers and get back to you.
For what it's worth Aytwit is currently an LLC registered in the state of Delaware just because that was the simplest option to get started.
- Open Source is a good signal for inspiring trust. Aytwit will eventually be open sourced, probably under some flavor of the GPL so that anyone may see the actual code.
- The Website Itself along with all the writing here hopefully signal strong passion for ensuring privacy and security. If Aytwit is a plot to collect personal data and sell it to ad agencies then it's really protesting too much.
- The Identities behind Aytwit in the end shouldn't matter too much. After open sourcing everything, forming proper legal structures, improving protocols, etc. etc., then we could be an ad agency or the NSA and it wouldn't (greatly) affect Aytwit's privacy guarantees for projects like Thoughter and Ikwyt. But anyway for what it's worth here's my profile, which should show that I'm at least not probably trying to steal your data.