Technical Details
Crypto Basics
  • One-way hashing is the most important concept. Imagine person A writes a secret on a piece of paper using a big marker, lays the paper on the ground, and lights it on fire. The ink causes the paper to burn in a special way compared to a plain piece of paper, but a person B looking at the ashes can't guess the original secret. Now imagine that person C comes up and writes the same secret (secretly) on a second piece of paper and lights it on fire the exact same way as person A. Physically impossible of course but you get the point. Person B can look at this second pile of ashes and confirm it looks identical to the first pile. Thus Person A and C can prove to Person B they know the same secret without showing the actual secret. One-way hashing is the mathematical equivalent of all that.
  • Symmetric Key Encryption is where you take plain text like the word "Hello", create an encryption key using (for example) a password, then through dark mathemagic use the key to encrypt the text so that it is indistinguishable from random noise. Maybe you end up with "pRhX". It will always be different depending on the key and you can't turn it back into the word "Hello" without the key. So unlike a one-way hash, you can take the paper ashes, cast a reversal spell with your wand (the key), and turn it back into the original piece of paper with the secret written on it.
  • Security Tokens are really big random numbers. So big that it's impossible to roll the same one twice. Well, if you made one roll every nanosecond you might get a dupe before the Sun exploded. This makes them good secrets to give out. For example Aytwit attaches such a random token to the first email it sends you. When you click the link in the email it gives Aytwit the token back, thus proving you own your address, because nobody else can provide that number unless they're spying on your email (or frantically rolling big dice enough times before the sun explodes). That same token is used by Aytwit as the Symmetric Encryption Key for your data, and stores the One-way Hash of the token in the database alongside your encrypted data. The hash lets us "match ashes" while not leaving a proverbial key in the door.
Thoughter Technical Gist
The combination of (emailAddyA + emailAddyB + hashtag) is the secret that both parties know. Not like super secret but still pretty secret, and Patron-adjustable in strength depending on the situation. It is first hashed so it's matchable yet remains a secret, and then forms the encryption key for both party's full thought message. You can figure out the rest yourself, but here is the down'n'dirty SQL spec. If that's a little too heavy at this time of day then let's walk though it...
Thoughter Protocol
  1. Receive two valid email addresses and a message containing one Hashtag from Patron A.
  2. Combine the two email addresses and the Hashtag.
  3. Do a one-way hash of those three things.
  4. Check if that hash is already in the database.
    • If it is, send Patron A an email saying they already pushed that Thought. They can either delete the Thought or find the original email that was sent to them. Otherwise the funnel ends here.
    • If it is not in the database, then...
  5. Generate a Security Token, use that token as an encryption key for Patron A's Thought data, insert (a) the encrypted Thought data, (b) the hashed Thought data, and (c) a hash of the token all into the database, and finally send Patron A an email with a link containing the unhashed token. Note also that the hashed Thought data is further encrypted by a master key located on the application server.
  6. Patron A must now click the link in the email within 30 minutes.
    • If they never do, a cleanup process will delete the unconfirmed Thought after 30 minutes and the funnel ends here.
    • If they do click the link...
  7. Send the Hint if one was selected.
  8. Mark the email address as confirmed and the Thought as available for matching. This means taking the Thought's message and encrypting it using the hashed Thought (hash of the two email addresses and the Hashtag) as the encryption key and adding all this in another field in the database, which is also encrypted by a master key on the application server for further defense. All Thought data is now encrypted even from Aytwit itself.
  9. Some time later Patron B gets a Hint and can match the Thought if they wish.
    • If they don't then Paton A's Thought data is deleted by a cleanup process at the end of its duration and the funnel ends here.
    • But if they correctly guess both the other Patron and the Hashtag and confirm their email address...
  10. Patron A's Thought data is locked from Aytwit, but Patron B's Thought data acts as the key to (a) check if there's a match in the first place and (b) unlock the match. In this case there's a match so...
  11. Send both Patrons an email that there was a thought match, and also tell Patron B directly on the webpage displayed after confirming their email address.
  12. Delete all that stuff from the database.
The Stack
Future Plans
  • Support more secure communication mediums beyond email, like encrypted messaging protocols.
  • Move from cloud to self hosting.
  • All Patron data publicly downloadable, since it's all encrypted and anonymized.
  • Support for Bitcoin and other cryptocurrencies.
  • Support for more than two people per thought on Thoughter.
  • Thoughter protocol v2 that encrypts/decrypts all sensitive at-rest data on clients.
  • Mobile app for Thoughter with thought match notifications and hashtag shortcuts.
  • Email and credit card confirmed just once with "Remember Me" checkboxes.
  • Release of Ikwyt, the software verification engine running this whole site.
  • Getting some physical contraptions under final development in our labs available for sale in the shop.
Privacy
General Policy
The Aytwit project strives to inspire trust and sparkle with transparency in every way possible - social, legal, and technical. There is no software system that can be trusted 100% and the Aytwit website is no exception. But most of the work that goes into projects like Thoughter is aimed at establishing the most trust possible. So you should always be suspicious, but Aytwit logically deserves at least a tiny bit more trust than most online entities, because instead of openly selling your data you're asked for money to help protect it. So it would be extra evil to take both your money and your sou- I mean data. Like devil evil. But this is not the devil. Trust me.
Rules
  • Ask as little about you as possible.
  • What little is asked should be encrypted as securely as possible, even to the degree that only you or a chosen other party can decrypt it, because...
  • Assume all stored data will be leaked at some point, perhaps even intentionally, and act accordingly.
  • Respect the resources, attention and personal cyber space of all people who visit the website or utilize its services or goods in any way. So no tracking, ads, or dark patterns. Keep the site fast to load and simple to render so it looks and works the same on all devices. Minimal access by, or use of, third parties.
  • Assume said personal cyber space is already being unknowingly invaded and disrespected by questionable entities, even otherwise authorized tenants, like email providers or web browsers themselves. Therefore send as little information as possible to said space so the gremlins don't have as much to chew on.
Technical Considerations
  • Email is currently the sole communication medium and it's insecure on several levels. So more communication mediums will be supported in the future.
  • Credit card information is handled entirely by the payment processor Stripe, for example for donations or the shop. The Aytwit server never stores or even sees any actual credit card information. It is sent to Stripe directly from your browser over an encrypted connection and they return a token (which is a fancy word for a bunch of random letters and numbers) to Aytwit. When it comes time to charge your credit card (only on thought match!), the Aytwit server sends this token back to Stripe and they charge your credit card. Credit cards are pretty secure but they don't allow anonymity, so cryptocurrencies are on the short list for new features.
  • Data Transfer to/from the aytwit.com website uses TLS to protect data over the wire, but for Thoughter Aytwit's server currently sees emails and messages for a brief instant before deleting them and/or mathemagically scrambling them for everyone except the two parties who are thinking of each other. A second version of the protocol is already designed to account for this weakness, where at-rest encryption happens before data even gets to Aytwit's server, but implementing it will take time.
  • Server Hosting is currently provided by Google's Cloud Services, which is fine for now, but who knows if Google is sniffing around. So it would be nice to self-host more and more infrastructure in the long run.
  • What is not done (just to be clear) is storing any Personally identifiable information unless you subscribe or donate on a recurring basis, in which case we store your email address encrypted in a database. See the subscriber SQL table for more details, but the main thing is that this is a major step beyond how your email is stored by 99% of other websites. Anyway, no personally identifiable information is shared with third parties beyond the temporarily necessary "evils" outlined above of using email as the communication medium and 3rd party services for donation mechanisms. But c'mon everybody does that, and again even those technicalities will both be addressed.
Thoughter Considerations
There's only one inherent conceptual weakness in Thoughter's protocol. If the Federales knock down the door and demand to know whether Pancho Villa has an unmatched thought to Fransisco Madero using #vivaLaRevolucion, that can be checked. However, the Federales must provide the exact email addresses and hashtag used within the time window that Pancho pushed his thought. In other words they must already know the information they're looking for in the first place, and look for it at the right time. They can't just look through the entire database to see if any revolutions are forming. Furthermore, Pancho and Fransisco can use private email addresses or a secret hashtag to make it practically impossible for anyone to decipher their shared thought. And of course the thought is deleted as soon as it can be. As a result of all this, if there's a public database leak, not only is the data limited and largely useless, but it is also encrypted by a private key stored entirely separately from the database. So a hacker would have to compromise two separate systems and their reward would still be a bunch of random numbers and letters, each row of which is only decipherable if the hacker knows the two email addresses and the hashtag used to form that row. And if they know it already then the information causes limited damage. Please see technical details for more information.
Legal Considerations
There are probably a few ways to make Aytwit more trustworthy through legal mechanisms, but this is not something that has been looked into deeply yet. Some possible options here include passing third party audits, official compliance with new regulations coming out of various governments, turning Aytwit into some kind of nonprofit entity that is inherently more open and "aquisition-proof" than standard corporations. Who knows. Need to talk to some lawyers and get back to you.

For what it's worth Aytwit is currently an LLC registered in the state of Delaware just because that was the simplest option to get started.
Social Considerations
  • Open Source is a good signal for inspiring trust. Aytwit will eventually be open sourced, probably under some flavor of the GPL so that anyone may see the actual code.
  • The Website Itself along with all the writing here hopefully signal strong passion for ensuring privacy and security. If Aytwit is a plot to collect personal data and sell it to ad agencies then it's really protesting too much.
  • The Identities behind Aytwit in the end shouldn't matter too much. After open sourcing everything, forming proper legal structures, improving protocols, etc. etc., then we could be an ad agency or the NSA and it wouldn't (greatly) affect Aytwit's privacy guarantees for projects like Thoughter and Ikwyt. But anyway for what it's worth here's my profile, which should show that I'm at least not probably trying to steal your data.