Personal Data Protection (PDP)
I expect that a lot of the users of this app will be teenagers. After all, teenagers go through a lot emotionally. Their lives are also often closely inspected by their parents, who may not like what they find. As a place for private thoughts, it's crucial that baseline can protect its users from prying eyes, whether they're parents, significant others, or nosy friends. This is the reasoning behind PDP, which provides users with several different ways to protect their data.
There are two possible attack vectors we're protecting against with PDP. The first is transient access. This is for people who might have access to a user's device for a limited amount of time, like a friend or a non-controlling significant other. In order to protect against transient access, "upfront" PDP shows a passphrase unlock screen whenever baseline is opened, and the app locks again automatically whenever it is closed.
The other attack vector is constant access. This is for people who might have access to a user's device for a significant amount of time and have some interest in getting as much personal information off the device as possible, like a parent or a controlling significant other. In order to protect against constant access, "discreet" PDP pretends the user has never journaled before, and blocks access to all screens except for the home screen (which is empty). If the user opens the menu and clicks on "Settings", they are finally presented with a passphrase unlock screen, which will allow them to view their data and journal.
Tech-savvy parents are out there, and while we want baseline to be a "hackable" platform that's easy for third parties to work with, we also want to ensure that users are protected from third parties when they want to be. Thus, PDP encrypts all user data on-device when it's enabled. User decryption keys are also encrypted, thus ensuring that any new data Firebase serves to the user can't be viewed without the PDP passphrase. When the PDP passphrase is given, it is hashed and stored in sessionStorage, and used to decrypt on-device data and keys. Decrypted data is only ever stored in-memory, and is decrypted on-the-fly whenever it's needed. This ensures that device failures are unlikely to lead to data leakage to third parties. Finally, getting user keys requires the PDP passphrase (see getOrCreateKeys), ensuring that a third party with access to a user's Google Drive or iCloud still can't retrieve their decryption key from us without also knowing the user's PDP passphrase.
The word "passphrase" is used instead of "password" throughout the app to encourage "phrases" instead of typical passwords.