The combination of identityA + identityB + hashtag
is the secret that both parties know. Not like super secret but still pretty secret, and Patron-adjustable in strength depending on the situation. This combination is first one-way hashed
so it's matchable yet remains a secret, and then forms the encryption key for both people's thought messages. You can figure out the rest yourself, but here is the down'n'dirty SQL spec
. If that's a little too heavy at this time of day then let's walk though it...
- Receive two identities (e.g. Email address, Facebook username, Twitter handle, etc.) and a message containing one hashtag from Alice, who wants to match a thought with Bob.
- Combine the two identities and the hashtag into one long string.
- Do a one-way hash of this string.
- Generate a security token, use that token as an encryption key for Alice's Thought data, insert (a) the encrypted Thought data, (b) the hashed Thought data, and (c) a one-way hash of the token all into the database. Note also that the hashed Thought data is further encrypted by a master key located on the application server.
- Alice must now prove she owns her Email, Facebook, etc. account...
She has 30 minutes to prove ownership...
- If using email, send her a link with the thought token that she must click to prove she owns the email account.
- If using Facebook, Twitter, etc., Alice must copy a given random alphanumeric passphrase into her public profile.
Mark the account ownership confirmed and the Thought available for matching. This means taking the Thought's message and encrypting it using the hashed Thought (one-way hash of the two identities and the hashtag) as the encryption key and adding all this in another field in the database, which is also encrypted by a master key on the application server for further defense. All Thought data is now encrypted even from Thoughter itself.
Alice now waits for Bob to match the Thought. To help her chances she can ask Thoughter to send a hint to Bob.
Some time later Bob gets the Hint and can attempt to match the Thought if they wish...
- If she never does, a cleanup process will delete the unconfirmed Thought after 30 minutes and the funnel ends here.
- If she does prove ownership...
Remember Alice's Thought data is locked from Aytwit, but Bob's Thought data acts as the symmetric key to (a) check if there's a match in the first place and (b) unlock the match. In this case there's a match so...
Inform Alice and Bob of the thought match. Bob is informed immediately. Alice must either refresh the page again or sign up for an email notification.
Delete all of Alice's and Bob's data from the database.
- If he doesn't then Alice's Thought data is deleted by a cleanup process at the end of its duration and the funnel ends here.
- But if he correctly guesses the hashtag and who sent the Thought...
There's only one inherent conceptual weakness in Thoughter's protocol. If the Federales
knock down the door and demand to know whether Pancho Villa
has an unmatched thought to Francisco Madero
, that can be checked. However, the Federales must provide the exact email addresses and hashtag used within the time window that Pancho pushed his thought. In other words they must already know the information they're looking for in the first place, and
look for it at the right time. They can't just look through the entire database to see if any revolutions are forming. Furthermore, Pancho and Fransisco can use private email addresses or a secret hashtag to make it practically impossible for anyone to decipher their shared thought. And of course the thought is deleted as soon as it can be. As a result of all this, if there's a public database leak, not only is the data limited and largely useless, but it is also encrypted by a private key stored entirely separately from the database. So a hacker would have to compromise two separate systems and their reward would still be a bunch of random numbers and letters, each row of which is only decipherable if the hacker knows the two email addresses and the hashtag used to form that row. And if they know it already then the information causes limited damage.
If Alice pushes a thought to Bob, Alice can have Thoughter send a hint to Bob without revealing the whole thought or who it's from. This helps solve problems like Bob not even knowing that Thoughter exists, in which case Alice's thought would obviously never get matched. Sending a hint costs $0.50 USD to help support the service and reduce spam. As the service becomes popular then hints may be used less. Here are the following hint types and what they reveal:
- Anonymous: The other person is told that someone is thinking something about them, but not who or what.
- Hashtag Only: The other person is given the exact hashtag you used in your thought and that's it. They have to guess who sent it and on what platform.
- Platform Only: The other person is given the platform (Email, Facebook, Twitter, etc.) and that's it. They have to guess who sent it and what hashtag was used.
- Platform and Hashtag: The other person is given the platform and hashtag. They just have to guess who sent the thought.
- Identity Only: The other person is told who precisely sent the thought. They just have to guess the hashtag.
- Everything: The other person is told who sent the thought and the hashtag. This is useful for hashtags like #coinFlip, #rocksPaperScissors and for secure messaging with a #channelName.