
What are your plans for when your app is found to host content such as terrorist executions, child porn, etc.? (This isn't trolling, it's something that eventually happens with every product, and I've been wanting a non-Google version myself but wondering how that kind of abuse would be dealt with.)



Since it's a paid service with user accounts, you would be able to ban users that have been reported to use this service for illegal means. The same question can be asked of WhatsApp / iMessage / Signal / etc.


The answer is right here: https://ente.io/transparency


It does not say how often it is updated. Wouldn't it be better to say "as of 8/29/2021, we have received no such requests and we are updating this page monthly"?


Yes, this is a good first step towards a true warrant canary, but you need to date it and provide a cryptographic hash of the content.


I don't think they would be able to do anything about it, since (from what I could infer from reading) it is zero-knowledge, so no one from the company can access the pictures. I might be wrong, though.


Well, depending on legislation, they could be ordered to change the code to send the user password to them on next login for that account and then decrypt everything…


The architecture of Ente (https://ente.io/architecture) prevents your unencrypted master key from being exposed to the server. The password authentication appears to be client-side, which means that the data could not be compromised solely by a malicious server-side change.

Now, Ente could still change its web application to somehow leak the master key and not disclose the changes in the source repo. One solution for this vulnerability is to package the entire web client as a browser extension, which is what Mega is doing:

https://github.com/meganz/web-extension


There are a couple of other ways to mitigate the problem for web applications. If you're willing to install a browser extension, then it might make more sense to use the Signed Pages extension[0] which applies PGP signature checking to web pages. The other solution is to use Secure Bookmarks[1], which combine SRI integrity hashes with Data URIs to ensure that a fixed bundle of JavaScript is running in the page.

[0] https://github.com/tasn/webext-signed-pages

[1] https://coins.github.io/secure-bookmark/
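The SRI-plus-Data-URI idea from the comment above, sketched as an added example (not code from the thread or from the Secure Bookmarks project). The function names, the `https://app.example/bundle.js` URL and the sample script bodies are assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Hash algorithms SRI defines, ranked so the strongest one present wins.
const STRENGTH = new Map([['sha256', 1], ['sha384', 2], ['sha512', 3]]);

// SRI token for a script body: "<alg>-<base64 digest>".
function sriHash(body, alg = 'sha384') {
  return `${alg}-${nodeCrypto.createHash(alg).update(body).digest('base64')}`;
}

// The bookmark is a data: URI holding a tiny HTML page. The expected hash is
// stored in the bookmark itself, so a later server-side change cannot alter it.
// Cross-origin SRI needs CORS, hence crossorigin="anonymous"; the server must
// answer with matching CORS headers. scriptUrl is assumed to be a trusted
// constant (it is not HTML-escaped here).
function secureBookmark(scriptUrl, integrity) {
  const html = '<!doctype html><meta charset="utf-8">' +
    `<script src="${scriptUrl}" integrity="${integrity}" crossorigin="anonymous"></script>`;
  return 'data:text/html;base64,' + Buffer.from(html, 'utf8').toString('base64');
}

// Mirror of the browser-side check: parse the integrity attribute, keep only
// the strongest algorithm present, accept if any of its digests matches.
function sriMatches(body, integrity) {
  const tokens = integrity.trim().split(/\s+/).map((t) => {
    const i = t.indexOf('-');
    return { alg: t.slice(0, i), digest: t.slice(i + 1) };
  }).filter((t) => STRENGTH.has(t.alg));
  // Fail closed. A browser treats an attribute with no recognised hash as
  // absent and loads the script unchecked, so the bookmark must pin a valid one.
  if (tokens.length === 0) return false;
  const best = Math.max(...tokens.map((t) => STRENGTH.get(t.alg)));
  return tokens.filter((t) => STRENGTH.get(t.alg) === best)
    .some((t) => sriHash(body, t.alg) === `${t.alg}-${t.digest}`);
}

// Constructed sample: a released bundle and the same bundle changed afterwards.
const RELEASE = 'console.log("photos client v1");\n';
const TAMPERED = RELEASE + '/* modified after release */\n';

const pinned = sriHash(RELEASE);
console.log(secureBookmark('https://app.example/bundle.js', pinned));
console.log('release accepted:', sriMatches(RELEASE, pinned));
console.log('tampered accepted:', sriMatches(TAMPERED, pinned));
```

The pin only covers the script named in the bookmark; anything that script loads later without its own integrity check is outside it.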


Yes, and that is a problem.


What is the problem/why is there a problem?


When push comes to shove, technology is subservient to society: https://en.m.wikipedia.org/wiki/Lavabit


Well, first and foremost, if I ran a service, I would not want to help either terrorists or pedophiles. I would be very unhappy if I was doing that.

Secondly, if you do provide service to terrorists or pedophiles, and take no steps to stop doing so, law enforcement and society in general are not going to be very happy with you.


The answer to this question is why the only solution in the long run is local storage.


Just imagined a dystopian future where storing data locally would be illegal, for society's good of course /s


Not when you have government-mandated software checking your local files against hashes. Not today, but someday.


It is not possible to prove this, because the photos are encrypted.


Encrypted content can be decrypted.

Links and data transfers can be traced.

Warrants and subpoenas can make such traces / actions legal.


Something that only showed up in mainstream media 10 years after smartphones got launched. Gawd.



