Metamorphic (Early Access) is using Elixir

@shad Before the question: you worked with Sea Shepherd? I think that’s so awesome. I just watched the documentary not too long ago on the founder. So many questions but so impressed you went out and did it.

Great question. It’s probably not clear because I haven’t yet put a section up explaining how it all works. So sorry about that and I’ve added that to my to-do list. It’s just me making it all and my little one isn’t yet in daycare, so I work in nap breaks and after bed time if I’m not too exhausted (translation: takes me longer than I’d like to check things off my list).

To answer: currently your data like images (for memories, avatars, other features) are hosted with Amazon S3.

I wasn’t stoked about this as there could well be a future where I’m paying them a significant amount of money, but it currently was within my ability to get it up and working.

I’ve looked at decentralized options like Storj, and I’m considering transitioning to Storj in the future (it has an S3 adapter — part of my reason for S3 was that I can more easily move services). When you sign in to your session and pull your images down from S3, they’re stored temporarily in ETS until you log out, then they’re cleared (currently that’s how the temp ETS is working).

Other non-object data like name, email, stripe_id, pseudonym, etc. is stored with our hosting provider, which is currently Render.

Oh! Just remembered: also when you delete your data, like a memory let’s say, the encrypted blob is also deleted from S3.

On Amazon
Now, S3 claims that they don’t do anything with the data in your buckets. I’ve read their policies a couple times and it actually sounds like that’s the case (I choose to not actually trust them—so what’s hosted is the asymmetrically encrypted object blob—even the file name, just not the extension—cause that made it much harder for how I then decrypt and show you the image temporarily in the browser without storing anything other than the decrypted binary temporarily on ETS).

However, I do presume that their AI systems are involved in similar practices to scan public (and possibly private) images to train and build up their image recognition training sets. I presume this because that’s standard industry practice for the economic model.

So that’s when I realized I had to asymmetrically encrypt (with your password-derived key) because I didn’t want to “trust” that they wouldn’t do that with people’s data.

This also allows me to keep the buckets public but restricted with their CORS policy etc.—which allows the frequent and hard to predict pulling of images for people (although as I write I realize I think I can update this now again to be private with presigned URLs because the binary now gets stored in ETS)—because the data is totally encrypted with the NaCl/libsodium libraries that the authors suggest not even the NSA can break (again all I can do is use my judgement and then decide to trust or not—I decided to trust them because they made a note on how NIST recommends algorithms and bit sizes that are strong for everyone but the NSA, hence 256 over 512 for SHA, which was my hunch, so that helped me feel like the library had similar hunches and I could count on it—it’s also recommended by the Practical Security book on PragProg). But you can forever go down the rabbit hole on wondering.

I encourage anyone to test and see if they can pull down any encrypted blobs from Metamorphic’s buckets (staging or otherwise) and verify that the encrypted data is useless. I’ve searched for them on grayhatwarfare but they don’t show up (although I don’t have a premium account so that may be why). They are currently named like: metamorphic-memories, metamorphic-avatars, and (I think) staging-metamorphic-memories (on my phone) etc.

On Render
The founder of Render comes from Stripe. And I felt Stripe is probably the most trustworthy with your data in the payments space. That inclined me to believe that @anuragg would bring similar if not better data and privacy practices. Again, I just have to trust at this point.

They also have temporary logging by default of only 7 days, which made me, again, feel that they had a similar respect for operational functionality and people’s data. And they encrypt their databases, use TLS 1.3/1.2, I believe, when it’s supported.

However, I take a similar step as with Amazon and asymmetrically encrypt that data too before it hits the database with them (then I use amazon’s own symmetric encryption to encrypt that blob at rest).

Additionally with Render, the asymmetric encrypted data is then symmetrically encrypted by me with the Cloak/cloak_ecto library and I don’t store any logs outside of Render’s temp 7 day logs. Also, the logs are the base server error/warning logs.

Symmetric not asymmetric
Things not asymmetrically encrypted include the stripe_id. I added a section to the privacy policy on how a government may be able to get metadata by court ordering Stripe and Metamorphic’s databases (https://metamorphic.com/privacy), but it’s pretty trivial. Metamorphic is about protecting you and your data from surveillance capitalism and those AI systems, rather than making you 100% invisible/anonymous. It’s probably possible to do on Metamorphic but I don’t offer any guidance for that cause it’s next to impossible in the digital space.

Not encrypted
Things not encrypted explicitly by me but by my hosting provider only, are things like Boolean data that indicates really nothing sensitive or personal at all.

Okay this is probably straying off topic, sorry!

5 Likes
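The layering the post describes (blob and file name sealed with a password-derived key before anything reaches the bucket, only the extension left in the clear, decrypted binaries held in ETS per session and dropped on logout), as an added example in Elixir that is not Metamorphic's code or the poster's. Assumptions: the module and function names are hypothetical, and OTP's `:crypto` PBKDF2 and AES-256-GCM (OTP 24.2+) stand in for the libsodium password hash and secretbox so it runs with no extra dependency.

```elixir
defmodule BlobVault do
  # Illustrative only. PBKDF2 + AES-256-GCM from :crypto stand in for the
  # libsodium primitives the post relies on; the layering is the point.
  @table :session_blobs

  # 256-bit key derived from the user's password; the salt is stored with the user.
  def derive_key(password, salt) when byte_size(salt) == 16,
    do: :crypto.pbkdf2_hmac(:sha256, password, salt, 100_000, 32)

  # Only the extension stays in the clear; name and content are sealed.
  # The returned map is what the bucket would hold.
  def seal(key, filename, content) do
    %{ext: Path.extname(filename),
      name: encrypt(key, Path.rootname(filename)),
      blob: encrypt(key, content)}
  end

  def open(key, %{ext: ext, name: name, blob: blob}) do
    with {:ok, base} <- decrypt(key, name),
         {:ok, content} <- decrypt(key, blob),
         do: {:ok, base <> ext, content}
  end

  # Fresh 96-bit nonce and 128-bit tag per object; a wrong key or a tampered
  # blob fails verification instead of yielding garbage.
  defp encrypt(key, plaintext) do
    iv = :crypto.strong_rand_bytes(12)
    {ct, tag} = :crypto.crypto_one_time_aead(:aes_256_gcm, key, iv, plaintext, "", true)
    iv <> tag <> ct
  end

  defp decrypt(key, <<iv::binary-12, tag::binary-16, ct::binary>>) do
    case :crypto.crypto_one_time_aead(:aes_256_gcm, key, iv, ct, "", tag, false) do
      :error -> {:error, :failed_verification}
      pt -> {:ok, pt}
    end
  end

  # Decrypted binaries live only in ETS, keyed by session, never on disk;
  # read them back with :ets.lookup(@table, {session, filename}).
  def cache(session, filename, content),
    do: :ets.insert(table(), {{session, filename}, content})

  # Logout drops every cached binary for that session.
  def logout(session), do: :ets.match_delete(table(), {{session, :_}, :_})

  defp table do
    if :ets.whereis(@table) == :undefined,
      do: :ets.new(@table, [:set, :public, :named_table]),
      else: @table
  end
end
```

Sealing with a random nonce per object means two uploads of the same image produce different ciphertext, so the host cannot even tell that two blobs are the same file.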