How do "recover my password/account/data" schemas work in case of E2E encryption?

What if multiple people have access to certain pieces of data shared between them? Does each person have one key for that data?

What about data that is public?

@phoe There are various approaches, including having an encrypted backup of your private key that is encrypted by a restore key/password.

Regarding the second question: see how Cabal/multifeed (and my now-defunct Heartbeat) do it: you have one DAG per writer. Access is via sharing the public key (see DAT), contents can be further end-to-end encrypted for private conversations.

@aral Typo in your "about box" at the bottom of your post: "I'm is"

@aral Interesting - but how do you enforce (1) - obliging data to be held only locally if it can be?

All code to be open source so individuals can check it and sue? Or certification/licencing red tape to validate all software before anyone is allowed to share it?

@pperrin @aral unfortunately I think 1 is unenforceable even so, as it can be easily circumvented by an invented feature (that nobody asked for) which "needs" that data.

And 2 looks like it will end up banning stuff like "aggregating locations to calculate traffic congestion", which can be done ethically but requires anonymous but unencrypted location data.

You can allow anonymous uses but then you're opening an elephant-sized loophole.

@qwazix @aral I'd much rather give Google my public key and 'require' all the data it saves regarding me to be encrypted with that key and the original destroyed.

(ditto all other central services)

If they want access to my data, I will authorise on a case by case basis... maybe.

I can always access my data - but to pass it to others it would have to be decrypted with my private key, encrypted with their public key and passed to them...

Either party can kill the agreement at any time.

@pperrin @aral that sounds like a workable solution. It requires teaching people what a public key is and stopping that nonsense "if there's a padlock it's secure" bullshit. Let everyone see garbled stuff and decrypt it, make it real.

@qwazix @aral if you have trust in 'government' to enforce good behaviour then you just need a box to tick to say if only you, or you and the service provider have access to your data.

Google's location history stuff is great in many ways for the person who was being tracked; the issue is who has access to that data... I don't want my data deleted, I just want it to be private. The internet can 'forget me', but I still want access to the memory.

@qwazix @aral of course the proviso is 'trust'...

Is Google run by the CIA?

Well if the CIA haven't 100% hacked all of Google's/Facebook's data etc, then what bl*ddy use are they at all??

Aral’s Mastodon