Show HN: We built an end-to-end encrypted alternative to Google Photos
5 years ago
Hello HN,
Over the last year we've been building ente[1], a privacy-friendly, easy-to-use alternative to Google Photos. We've so far built Android[2][3], iOS[4], web[5] apps that encrypt your files and back them up in the background. You can access these across your devices, and share them with other ente users, end-to-end encrypted. You can also use our electron app[6] to maintain a local copy of your backed up files.
We've built a fault-tolerant data replication layer that replicates your data to two different storage providers in the EU. We will be providing additional replicas as an addon in the future.
We're relying on libsodium[7] for performing all cryptographic operations. Under the hood it uses XChaCha20 and XSalsa20 for encryption and Argon2 for key derivation.
We have documented our architecture[8] and open-sourced our clients[9].
We did a soft-launch on r/degoogle[10] some time ago, and have since then ironed out issues and polished the product.
But we are far from where we want to be in terms of features (object and face detection, location clustering, image filters, ...) and user experience. We are hoping to use this post as an opportunity to collect feedback from fellow hackers.
If there's anything we can do better, please let us know, we would like to.
Best,
- Vishnu, Neeraj, Abhinav
[1]: https://ente.io
[2]: https://ente.io/apk
[3]: https://play.google.com/store/apps/details?id=io.ente.photos
[4]: https://apps.apple.com/in/app/ente-photos/id1542026904
[5]: https://web.ente.io
[6]: https://github.com/ente-io/bhari-frame/releases/latest
[7]: https://libsodium.gitbook.io
[8]: https://ente.io/architecture
[9]: https://github.com/ente-io
[10]: https://www.reddit.com/r/degoogle/comments/njatok/we_built_a...
I’ve been watching this project for a long time and personally am very excited. The fact that it’s #1 on HN today (congrats!) makes me think I’m not the only one.
There are also a lot of valid concerns in these comments about privacy and use of algorithms. A lot of it depends on what you’re looking to gain by adopting a new service/switching away from something else and individual concern.
Personally, I’m looking for a place to store personal photos: friends, family, travel etc. Critical needs
- easy sharing ideally not locked into Apple’s ecosystem
- not to have my photos mined for advertising and social graph data (most important)
- ideally around for the long haul but in my mind this is for sharing, not backup
I’m not particularly concerned about warrants, government surveillance etc. Again for me this is about sharing so the expectation of true privacy is low. Any photos I considered sensitive I would store elsewhere.
For me, the biggest point of confidence I have in this project is that they charge money from day 1 and don’t have a forever free plan. I’m excited about projects that offer the benefits of “social” but where the software, not my data, is the product.
re: "the expectation of true privacy" you might enjoy reading the Cypherpunk's manifesto [0]
"Privacy is necessary for an open society in the electronic age. Privacy is not secrecy. A private matter is something one doesn't want the whole world to know, but a secret matter is something one doesn't want anybody to know. Privacy is the power to selectively reveal oneself to the world."
[0] https://www.activism.net/cypherpunk/manifesto.html
I'm in the same boat, have been watching, love that they have a business model and am waiting for the time when they are covering my needs (face recognition, object / scene detection...). I'd even pay a 2$/month "lurker" subscription which has like 100mb of storage so I can check the features from time to time and support the team.
As someone who's never used cloud-based photo browsers... I always assumed the facial recognition aspect was primarily for social media apps that try to tag known faces from a user's friends group, to put it in those people's news feeds or something. It's one reason I avoid being photographed and ask people not to tag my name to my face if they do post a photo I'm in. I'm wondering, what's the utility of facial recognition if you're storing/sharing photos on a service that has no database of known faces? Or is this just for image editing or red eye removal or something?
[edit] as I'm rethinking it, would this just be for searching your own images for a particular person...?
So this is a project specifically marketed as E2E encrypted, and you are "waiting for the time when they are covering my needs (face recognition, object / scene detection...)"
You will be waiting a long long time for that.
The only way they can do that is client side, and if they go there we are back to the last few weeks discussion of Apple's new client side image scanning shit.
You do not want this service, it seems.
You want a non Google service who can do face recognition, and object/scene detection, but who'll pinky promise you they won't sell you out to advertisers or law enforcement or governments, even though they obviously could.
I wonder how sales psychology might differ between a "lurker" subscription and an inexpensive limited plan? Lurker might have a more explicit "I think you're interesting and want to support/encourage you - thanks, we appreciate it" exchange. Or maybe defuse "but is it usable?" or "do I want to bother attempting to use it?" or yet-another-thing commitment concerns. Not "am I really going to use this?" but "does this look worth encouraging?". And maybe has a funnel story of "ok, now it's looking good, and I'll start using it for real... and not the mere limited plan". Sort of a patreon vibe, but blended with plans?
Looking at their pricing for €0.99 / month you can get 10gb storage, so go at it!
The monthly storage costs are too high. For the price of 1TB from you (15€), I can buy more than 2 TB just about anywhere else.
Commercially, Apple and Google are both 2TB for 10 CHF and Amazon gives you unlimited as part of a Prime membership. Storage providers like Backblaze and Wasabi both charge around $5/TB and that's really the table-stakes price. For the more DIY-inclined, Hetzner sells a 2TB OwnCloud instance for 9.90€/month.
I'd prefer to buy software from you than storage. It's out of the question for me to pay you per TB but I'd consider paying a flat rate for software I then host myself.
I fully agree. It's a hard sell getting people to switch from an evil but known cloud provider to an unknown cloud provider that claims to not be evil.
What we do not need is more cloud offerings that can change, vanish or lock us out at the blink of an algorithm's eye.
What we need, rather, are reliable and easy-to-use solutions that allow us to retain full control of our data (i.e. self-hosted and offline) while having feature parity with the big cloud-only solutions.
I for one am convinced that there is plenty of money to be made that way. Perhaps not as much on autopilot as with the quasi-scam that is cloud computing, but people willingly paid hundreds or thousands for software before clouds and subscriptions. People will do so again, if you bring a convincing, unique or competitive product to market.
That being said, I like, appreciate and support this project for its impetus, even though I think its distribution strategy is misguided and fad-driven (re-selling cloud space instead of selling software). It's not too late to change that...
Hey, so the project had initially started off as a self-hostable software (with an option to buy a pre-configured device). We realized soon that it's hard to monetize such a product in the consumer space to the point where it can become self-sustaining.
We don't have a problem with offering a self-hosted variant. But given our limited engineering bandwidth we had to take a call on who our target market should be, and we felt that it was more important to make privacy accessible to people like my mom and dad. Hence this direction.
What about Google photos is evil? I don't get it.
Yeah, if you are client-side encrypted, where you choose to host doesn't really matter because even with a warrant there is nothing you could do to recover data, so why not go for something like Wasabi?
I can pay for a terabyte of Amazon Glacier for $50/year. Amazon Deep Glacier is $12 per month.
$300/year for 2TB isn't happening. I can buy a 12TB HDD for less, if I shop around.
I'd like a service like this to keep small, well-compressed 1080p or 4k photos available for instant access, and original files in archival storage of some kind.
I'm totally glad to pay the $10/year for the baseline service, and another $12 for deep glacier costs. I'm not glad to pay thousands of dollars for a service like this over the lifetime of my photos. I'm not quite sure where the line between that is.
I'll also mention: open-source, data export, and the option of self-hosting is helpful. I don't want to spin up an EC2 instance for this when I can buy $12, but if you go out-of-business, I'd like to have the option. Could also be an option you only guarantee if the service is discontinued or has substantially different costs/terms.
> I can pay for a terabyte of Amazon Glacier for $50/year. Amazon Deep Glacier is $12 per month.
You can pay even less to store that data in /dev/null. To make a more realistic comparison you should also include data retrieval & data transfer costs. Reading a terabyte from those services costs around $100.
With Amazon and Google you’re paying half in monthly fees and half with your mineable data. This service seems geared towards people who don’t want that.
Rolling your own on top of a cloud storage provider is great too but for an incremental $100-$200/year some people would pay for something that “just works”.
I’d love for something like this to exist (a fast, clean, well-designed mobile and desktop app for backing up my photos with E2E), but I’d only switch from one of the big providers if it were FOSS and I can bring my own backend target (e.g. S3, SMB, FTP).
In a perfect scenario I could generate my own private key to plug into my client devices and just have everything push to private S3 (and then from there archive to the cheapest, coldest glacier tier after it’s been synced to my home storage).
This to me would not be that complicated to build, but would essentially provide E2E Photostream and a backup of last resort in the cloud.
Obviously (as is the problem with all FOSS) you have the dilemma of how do the developers get paid, which I’m sure is why you went down this yet-another-paid-cloud-provider route instead of what I’ve suggested above.
All that said - I like what you’re trying to build, I could see it being useful to some, but providing E2E photo storage as a direct-to-consumer service is IMHO just asking to be held liable later for what your users store there should you gain any considerable traction.
I'm sure this isn't a popular opinion due to the technical know-how involved, but these days I much prefer to selfhost my own services. Far too many times businesses have gone under, changed their practices, had pricing wildly fluctuate, or remove features I wanted. Having setup a handful of useful services on a cluster, I have much more peace of mind involving my data, feature access, etc.
I would love to see a FOSS version of ente available for me to host. My family is currently split amongst multiple photo library services and it'd be nice to say "Here's ours."
Well you can, I wrote how here:
https://redbeardlab.com/2021/08/03/my-syncthing-setup-cheap-...
The nice thing is that S3QL allows setting a secret key, so your files just get encrypted before being pushed to the cloud.
+1 for custom storage target
I tried it, but unfortunately the complete lack of auto-categorization in all of those e2ee photo storage apps renders them unusable for anyone with a large library. Ente is not the first one to do this, there are many others with similarly lacking UX, like MEGA.
Both Apple Photos and Google Photos:
1. have easy search by location on a map of the world.
2. allow browsing to any date in an instant.
3. index photos by objects/faces and allow for instant searching - Apple even does it on-device.
Also, frankly, I don't trust you to stay around for long, so I would appreciate the option to store encrypted photos on a cloud of my choosing that I already pay for, with a separate subscription for using your app. Not sure what the Venn diagram of <cares about privacy>, <willing to pay for your storage>, <needs excellent browsing experience> looks like.
Looking forward to an app which works for people with large libraries. :)
All the features you mention are already addressed in the original post as planned future developments. Knowing that they are planned makes me put my trust more in Ente than in Mega (which I use as an alternative to Dropbox and am very satisfied with). Not that there’s anything wrong with confirming interest in their planned features; I’m just pointing Ente’s plans out for anyone who scrolls right to the comments.
As for possible bankruptcy, you can never be too certain, but it’s easier to stay in business with Indian costs of living than US. (The company is located in India.)
Have you tried the Synology Photos app (https://www.synology.com/en-global/DSM70/SynologyPhotos [1])
While it does have some kinks it's surprisingly good and has the features you are looking for in a locally hosted/publicly available option. You do have to buy one of their NAS's however.
I have moved over to this partly for privacy and partly due to cost (I produce way too many photos per year to store them economically at Google)
[1] fyi this is the reasonably 'new' instantiation as linked to here, they EOL'd the very old, different app of the same name from their v old NAS's. Adding that here in case anyone has or buys an old NAS, you may get the old version of the app - I think you need a NAS with a decent processor to perform the face detection etc.
The biggest problem I've faced with their app suite is it seems to make my disks spin 24/7, constantly seeking even if there is zero external activity. It wouldn't be such a big problem if I didn't live in a small apartment and have to listen to them seek all night. Other people have reported the issue, but it doesn't seem like they plan on addressing it.
I personally would want both options. I use mylio with many similar features and it has e2ee but you manage your own space / cloud and you're still paying a monthly fee.
For the non-nerd friends, managing your own cloud space is mostly a non-starter, though. The best choice is cloud storage managed by the provider as an option, along with the self-hosted option.
Thank you! As someone who as of a week ago is hardcore switching from Apple to Linux, I applaud you. I've purchased a 16" MBP, both Airpod models, iPhone, and iPad in the last 24 months. Now on to System76!
Whatever the past is, I believe there's a new market in 2021 for Apple-switchers that will unleash new funds for companies like yours. De-Google movement will pale in comparison to this in terms of economics. Looking into signing up just on principle. Non-E2EE encrypted, closed source, without ability to self host is a dead end, why put a penny more towards it. Open source options may suck today but it's the only path forward. Thank you for what you do - whether your company succeeds or simply inspires 1,000 new companies in its place.
What are your plans for Linux support? Your site only mentions Android and iOS, I see electron mentioned, but again I'm one of these Apple switchers, I have no idea what I'm doing really but I'm willing to pay for solutions.
Take my money!!!
I think that you are overestimating the size of the audience of people who have nerd rage over whatever we’re pissed off at Apple about or have meaningful concerns about government surveillance.
They’d be better off focusing on making a better user experience instead of E2EE drama.
The size of the audience may be small indeed. But Apple users on average have deep pockets and are willing to spend. A quick search suggests Apple users spend >2x what Android users spend. No data yet on what Apple users spend compared to Linux users. It's part of the reason "but 5% marketshare!" was never a good argument against the rise of Mac/iPhone.
> without the ability to self host is a dead end
Indeed, this is why you would be foolish to use Ente as you cannot self host it. At any point they can choose to lock things down, make their clients closed source, etc etc, and you'd once again need to spend time jumping ship because you'd need to find a new ecosystem.
Ente is just convenient and is coming at the right time (hence the massive amount of upvotes) but does not give you total control nor your freedom back. Using them instead of something you can self host is just running in circles.
> open source may suck...
What? This was extremely random and out of place with the rest of your comment.
What you really want, if you care about self hosting and all the other stuff you mentioned, is Nextcloud[0]. And if you don't want to self host yet, you'd be better off hosting Nextcloud in a VPS, even on Linode you can just 1 click deploy a Nextcloud instance in their app store[1]. That way you don't become dependent on a service you cannot control/deploy yourself.
[0] https://github.com/nextcloud
[1] https://www.linode.com/marketplace/apps/linode/nextcloud/
I think ente does fill a niche, people don't mind paying dollars for companies because it is supposed to guarantee a level of service/polish. And in the case of photos, if the service were to shut down, there's very likely a path one can take to perform a migration.
I'm a big user of open source solutions, I use Linux on my machine and use syncthing to sync files across all my devices. I'm aware that my solution is not doable for everyone and that's the problem with most open source solutions, the lack of polish/ease of use. There are tons of systems that aren't open source that we are forced to rely upon for day to day (airplane software, traffic lights, telecommunications) and we've just accepted it because of convenience and trust.
What I'm trying to say is that we don't have to worry about self-hosting everything and force ourselves to only use open source tools. I do think that if we do use private tools, we should understand how our data can be exported to a new system if necessary so we're not "locked in".
Yes, Ente needs to have self-hosting on their roadmap or I won't support it.
> What? This was extremely random and out of place with the rest of your comment.
Edited to say "open source options may suck today"
Thanks for giving me the chance to explain. My comment here may give more context: https://news.ycombinator.com/item?id=28321460
I've tried NextCloud, even 1-click hosted by a third party. For all the power, it's not built with me in mind, it seems to treat my photos like files/data, not like photos. I want to pay money for that extra oomph, for algorithms, searchability (about $10/month for my photos seems about right), and I want to pay money so I don't have to pay with my time. Is there something I can buy that's on top of NextCloud?
Sorry for the delayed response, I missed this comment.
If you're on Linux you can either use our web app[1] or our desktop app[2]. The latter is just the former wrapped in electron, but with the ability to sync uploaded files to your local disk drive.
[1]: https://web.ente.io
[2]: https://github.com/ente-io/bhari-frame/releases/latest
I don't think I'm ready to invest in a photo hosting solution again, be it with my time, my money, or my data, without it being open source/self-hostable or at least open core with a community behind it.
Been duped too many times.
Similar sentiment here. I wish this project well, but photo storage is a long-term thing, and I've been bitten too many times (most recently by Apple shutting down Aperture, which left me with big libraries which are very difficult to migrate).
I considered writing my own software and making it open source, but then realized that photo hosting/sharing software with password-protected sharing features will be used by criminals to store/share CSAM. So, if I end up writing my own solution, it will sadly not be shared with anyone.
Incidentally, I think this service will run into a similar problem: end-to-end encryption is great, but if it gets to a certain size, governments will intervene.
Curious about the details of how you were duped.
Not OP but I have had many cloud photo accounts in the past: myphotoalbum, Kodak Gallery, photobucket, Flickr and more. Eventually all of them either shut down, or got sold and became unmaintained. Google Photos and Apple's are the only ones that I can trust will still be around in 10 years' time.
What are your plans for when your app is found to host content such as terrorist executions, child porn, etc.? (This isn't trolling, it's something that eventually happens with every product, and I've been wanting a non-Google version myself but wondering how that kind of abuse would be dealt with.)
Since it's a paid service with user accounts, you would be able to ban users that have been reported to use this service for illegal means. The same question can be asked to WhatsApp / iMessage / Signal / etc.
the answer is right here https://ente.io/transparency
It does not say how often it is updated. Wouldn't it be better to say "as of 8/29/2021, we have received no such requests and we are updating this page monthly".
Yes, this is a good first step towards a true warrant canary, but you need to date it and provide a cryptographic hash of the content.
I don't think they would be able to do anything about it, since (from what I could infer from reading) it is zero-knowledge, so no one from the company can access the pictures. I might be wrong, though
Well, depending on legislation, they could be ordered to change the code to send the user password to them on next login for that account and then decrypt everything…
Yes, and that is a problem.
The answer to this question is why the only solution in the long run is local storage.
Just imagined a dystopian future where storing data locally would be illegal, for the society good of course /s
Not when you have government-mandated software checking your local files against hashes. Not today, but someday.
It is not possible to prove this, because the photos are encrypted.
Encrypted content can be decrypted.
Links and data transfers can be traced.
Warrants and subpoenas can make such traces / actions legal.
something that only showed up in mainstream media 10 years after smart phones got launched. gawd.
Please please support custom storage back ends, I'd love to use my Dropbox or S3 or whatever to still fully own my pictures. And I'd love to pay extra to opt out of any analysis, tagging, etc of my photos. Basically I'd like the interface to be similar to Google Photos but with a privacy focused storage engine and clients.
I concur. However storage is how they plan to make money, so there will need to be a different monetization strategy for BYO storage. As yet I can't imagine any.
EDIT:
I think I have an idea! Add the S3/OneDrive/Etc support but comment it out. To make use of it one would have to download the source, XCode, compile it, and deploy it. This puts a cap on the number of people who can do that, so you won't end up with everyone getting a free copy. Those people who are able to do it are likely to be asked for advice by their less techy friend, so this is basically free software to key influencers.... Ok, so this does not sound as exciting as it did before I started typing, but maybe this will lead to something...
The problem with that is that some kind fellow on GitHub will clone the project, uncomment the code to enable the premium features for free, and change its name. If it's released under a FOSS license, the original authors have little recourse.
This is what happened with Emby (a media server like Plex). The backend was open source and there was a license to activate premium features. Somebody cloned it, and then released the premium features to everyone for free.
So it's a little more complicated than that.
Our API server runs the following
- authentication
- replication
- differential sync
- and a few more errands that are necessary for the apps to function
The solution to this would be to offer a self-hosted variant where you can plug in your S3 credentials. But like I mentioned elsewhere in this thread, maintaining such a project comes with an overhead we cannot afford right now. Hopefully sometime in the future we will be able to afford the necessary engineering bandwidth.
Heh. Yeah. Been building something like this, where you can have your choice of metadata storage and file storage. Out of the box, it would be Sqlite and the local FS, and then you can become adventurous. Postgres and S3? Elastic and S3? Sure.
Needless to say, years later, I am still building it. For one guy doing this on my own time, it's a lift. Maybe after I quit my job soon :)
Is there something to share and possibly collaborate with others? Just now on the drive home I contemplated doing a POC with S3 storage but I acknowledge how much work that probably would be.
you may want to take a look at: https://www.boxcryptor.com/en/
Re: Shared Albums
>the receiver just needs a free ente account.
I feel like there should be an even more frictionless option to make it easy for family to access photos. For example, if there were a way to just trigger a mailing list when an album is added to, that would be perfect. “Here is an update on our trip: [link]” I love that you mention you are security and privacy focused, and I see how this could conflict with that mission. Perhaps a tradeoff here could be allowing one viewing via link and future viewings require account?
> if there were a way to just trigger a mailing list when an album is added to, that would be perfect
We can do this if all of the participants are already on ente.
> allowing one viewing via link and future viewings require account
We are hoping to come up with an implementation similar to this wherein a link to an album can be shared with N devices. We will persist an accessToken on the viewer's localstorage so that they can re-view the album multiple times without having to sign up.
It's funny, I see this being the first feature they kill off unfortunately when it becomes the new super easy way of sharing CSAM on shady forums.
This looks super cool, however not something I'd be interested in using myself if I can't selfhost it (at least it looks like that's not possible from the website).
Self-hosting a zero knowledge service is probably unnecessary.
If you're hosting the service, there's no need for data to be encrypted client-side. Unless, of course, you were intending on running the service on a public cloud which you didn't control, but that's something I don't think many privacy conscious folk would do.
There's plenty of open source, self-hosted alternatives to Google Photos.
Yeah, having attempted to operate a service very similar to this (only more focused on general encrypted cloud storage) I will say there are no good economics in usage-based billing. You're much better off selling a license to use the software and give users the ability to use common cloud storage providers (minimally the s3-compatible ones but also things like Google Drive) as the backing for this. Even safer from a legal perspective would be not having accounts at all and allowing users to purchase a 1-year license based on license keys that are cryptographically validated but not stored anywhere. Then it's impossible to do anything user specific whether you are compelled to or not.
To me it is a canary signal that I have the option to self-host.
Most likely, QoS would be better from ente's hosting and I would be inclined to take advantage of that. An open source server can be audited and offer an off-ramp should their service no longer suit me.
Then again, the economics of enabling self-hosted infrastructure are probably less exciting compared to locking users in to marked-up, white-labeled infrastructure.
How do you know it's zero knowledge?
self hosting is not worth the time and effort.
That is not categorically true.
On the business side, there's plenty of companies that have offered and succeeded with self-hosted software. On the client side, there's many individuals like myself willing to dedicate time, money, and effort to self-host services. I spent quite a bit of time setting up my NAS with self-hosted services, not only because the number of photos and media I store would be prohibitively expensive to host elsewhere (I do photography and videography as a hobby, 120 fps 10 bit footage adds up), but because I enjoy the hobby.
Another thing to keep in mind with this kind of software is tracking data loss, corruption and deletion. I've used photo management services before, and have had data loss that I can't explain from this year or that year. Did I delete it? Did I do a migration wrong? Did the software silently delete it? I'm not quite sure. What is even worse is you cannot get 'another copy' of these photos from elsewhere, because they're all unique.
Having a 'recycle bin' and an ability to see the history of photo deletion, modifications and imports can be useful in tracking down what causes data loss. Also having masters accessible in a simple plain directory is essential in being able to audit that the software is working correctly, can be backed up in a simple manner and if your service goes belly up, is easy to migrate from.
Another issue is bitrot. Your desktop can bitrot modify a photo, and then your photo management software detects this as the 'new version' and destroys the original good version. You have to make sure you mitigate this by storing a hash on import and restoring to the original hashed version.
Sharing some of the steps we've taken at ente to reduce the probability of such events:
- All files uploaded to ente are versioned and older versions are available for 60 days from the day you updated them.
- File deletions are performed only as a function of user action. Deleted files are again recoverable for 60 days.
- Two copies of each file are maintained with separate storage providers. Both of these providers offer 11x9 durability.
- For each uploaded file, we compare the number of bytes uploaded from the client to that received on the server and request a reupload in case there is a mismatch (to be replaced with a hash check).
We understand your concerns and will continue to invest in steps that improve data integrity and durability.
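An added example, not ente's code or any commenter's: it shows why the byte-count upload check described in the reply above misses same-length corruption while a hash check catches it, and how the "store a hash on import" idea from the bitrot comment can keep a silently damaged file from being synced as a new version. All names (`ImportManifest`, `classify`, the file names) are hypothetical, and treating "content changed but size and mtime did not" as suspected bitrot is an assumption of this sketch.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

CHUNK = 1 << 20  # read in 1 MiB pieces so large originals never sit in memory


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def upload_ok_by_size(sent, received):
    """The byte-count comparison: passes whenever the lengths agree."""
    return len(sent) == len(received)


def upload_ok_by_hash(sent, received):
    """The hash comparison: passes only when every byte agrees."""
    return hashlib.sha256(sent).digest() == hashlib.sha256(received).digest()


@dataclass
class Record:
    sha256: str
    size: int
    mtime_ns: int


class ImportManifest:
    """Hypothetical client-side manifest written once, at import time."""

    def __init__(self):
        self.records = {}

    def import_file(self, path):
        st = os.stat(path)
        self.records[path] = Record(sha256_file(path), st.st_size, st.st_mtime_ns)
        return self.records[path]

    def classify(self, path):
        """Decide what a sync client should do with a file it imported earlier."""
        rec = self.records[path]
        st = os.stat(path)
        if sha256_file(path) == rec.sha256:
            return "unchanged"
        # Assumption: a real edit goes through the filesystem API and moves
        # mtime or size. Different bytes under identical metadata are treated
        # as damage, so the client restores the hashed original instead of
        # uploading the file as a new version.
        if st.st_size == rec.size and st.st_mtime_ns == rec.mtime_ns:
            return "suspected_bitrot"
        return "edited"


def flip_bit_silently(path, offset):
    """Constructed fault: flip one bit, then put the old timestamps back."""
    st = os.stat(path)
    with open(path, "r+b") as f:
        f.seek(offset)
        byte = f.read(1)[0]
        f.seek(offset)
        f.write(bytes([byte ^ 0x01]))
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo():
    results = {}
    original = bytes(range(256)) * 64          # constructed stand-in for photo bytes
    damaged = bytearray(original)
    damaged[1000] ^= 0x01                      # one flipped bit, same length
    results["size_check"] = upload_ok_by_size(original, bytes(damaged))
    results["hash_check"] = upload_ok_by_hash(original, bytes(damaged))

    with tempfile.TemporaryDirectory() as d:
        rotted = os.path.join(d, "rotted.jpg")
        edited = os.path.join(d, "edited.jpg")
        manifest = ImportManifest()
        for p in (rotted, edited):
            with open(p, "wb") as f:
                f.write(original)
            manifest.import_file(p)
        results["before"] = manifest.classify(rotted)
        flip_bit_silently(rotted, 1000)
        with open(edited, "ab") as f:          # a genuine edit changes the size
            f.write(b"crop")
        results["rotted"] = manifest.classify(rotted)
        results["edited"] = manifest.classify(edited)
    return results


if __name__ == "__main__":
    print(demo())
```

The manifest only detects damage; recovering the file still depends on a second copy whose hash matches the recorded one.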
Super cool. Did you roll your own storage solution or are you using one of the many cloud providers? If the latter, which one? I ask because I've done a ton of work in optimizing costs in this area (at large scales), and as the top comment mentioned, $15 is kind of steep for 1TB.
Hey, we're currently using two S3 compliant storage providers (Backblaze and Scaleway). I would love to talk more about how we could reduce our pricing. Please let me know if I can reach out to you over the email mentioned on your HN profile. Thanks!
More than welcome to!
Very reasonable pricing, though you could advertise the free 'trial' tier a bit more prominently. I thought the service was paid only until I re-checked the pricing page and read the tiny gray on black text before writing this comment.
You also didn't set a single tracking cookie. Nice.
I'll increase the opacity of that line, thanks for the feedback!
Your homepage says "protect your photos/faces etc. from algorithms"
The algorithms are what makes Google Photos; Google Photos. If I wanted to just store my photos I'd throw them in a S3 bucket or Dropbox or something.
Google Photos lets me automatically categorise my photos by person, lets me search my library using text search for anything (e.g. I can search 'museum' and see pictures I've taken in museums). That is where the real value of Google Photos comes into play.
> But we are far from where we want to be in terms of features (object and face detection, location clustering, image filters, ...) and user experience. We are hoping to use this post as an opportunity to collect feedback from fellow hackers.
So you're going to implement algorithms then?
> So you're going to implement algorithms then?
Yes, we will implement the algorithms, purely on the client side, such that we don't hold indexes to your personal data.
But I understand how that piece of text could have thrown you off, I'll think of ways to rephrase it. Thanks for pointing it out.
Actually I'm really curious how you do this. If the photos aren't stored client side, then how do you search? Do you have a thumbnail of every photo client side? Is that enough? I mean ImageNet scores are still pretty low for small/fast neural nets. And ImageNet isn't even representative of real world photos. So obviously to be successful you're going to have to continue training. So how do you do this in a privacy preserving way? Even federated learning can have some issues because images can be reconstructed from gradients.
You can run algorithms locally and still violate privacy by uploading private facts derived from the data with algorithms. Saying you won’t hold “indexes” doesn’t begin to cover it.
But that will mean that for every version of the algorithms, it has to read all the photos since 15 years ago... my phone battery will die soon.
And if I need to have another kind of client... like a NAS to do that... why do I need the cloud?
Agree with the above poster. I don't care about algorithms. I want algorithms. But I want algorithms that only work for me. Screw off everyone else.
Apple used to sell this. Then they stopped.
Those "algorithms" can run locally, on a NAS or a desktop, generate the metadata and make it available to you only on your mobile.
I can see myself paying for such software if it was mature enough.
Synology Photos is one such solution already for example.
> Those "algorithms" can run locally
But I don't want my GPU burning away running them when they could run much more efficiently and out of mind in the cloud.
Am I the only one who never realized you can search "museum" and see your museum photos?
Now that you've mentioned it, yes, I'd like to try that. But as a counterpoint to your argument, I've never needed it, and I suspect that a lot of people may not actually be getting the same value propositions that you're getting.
On the other hand, Google Photos is Google Photos. But it's often a mistake to compete directly with an established product. New ideas tend to win by transcending the competition.
I propose that if this Show HN turns into a product, it will be because it does something people didn't realize they wanted. Maybe that's privacy. I don't know.
I use it all the time - it's the killer feature of google photos. The premise is that if you come back from vacation with 300 photos, it's unlikely that you (the average non photography-nerd user) are going to sit there and tag them all. If in a few years you want to find "that photo of me you took on the beach in north carolina", with a quick search you can.
There are annoying limitations though, probably because the original team moved on and it's in maintenance stage. Using my example above, google photos has no idea what the "outer banks" are (which is where the beach photos were taken in north carolina) and returns no results. It also has trouble parsing out entities from search terms, so "north carolina beach maggie" isn't going to find pictures of Maggie on the beach in North Carolina (which you'd think they could really fix given that, well, they're google). Finally, there's no way (that I know of) to jump from search results to your full timeline; let's say that "north carolina beach" gets me a bunch of beach pictures from January 2015 (yeah, it was cold), but doesn't have _the_ picture from the trip that I know I want - there's no direct way to click to January 2015 from the results, which really sucks. (Instead you have to go back out of results and use their fiddly scroll to get there.)
There's more you can do honestly. Search and assign people so you can find pictures with just them. This also works for pets. People, pets, objects, place, etc. Hell, I searched the car I use to drift and it showed up. It's really neat.
The search is really quite fun to play with, and very useful! I also like searching on the map and seeing where I’ve taken photos. Especially if I’m looking for one particular photo, it’s fun to zoom in from the world map
I use this feature occasionally, but it also seems to be pretty bad for the searches I try. For example, if I search for 'dog', I do indeed get pictures back that contain my dog. However, there are a ton of false negatives -- that is to say, the 'dog' search doesn't show me all of the photos that most definitely and very clearly have my dog in them.
And it's not just dogs. Specific people, locations (before I turned off geotagging on my photos), scenery (mountains, outdoors), etc.
Sometimes this search is nice, but it's not good enough that I can really rely on it.
We need to make this stuff local again, that will be the real competitor to big corp Foo... no servers, no end-to-end, no service cost, no ads, no privacy issues, no random revocation of accounts without recourse, just one end - the users. We can have face detection etc locally if people want it... cycles, it's going to happen eventually.
we had that, but almost everyone decided they like the cloud better.
>lets me search my library using text search for anything
This is untrue, and actually one of the reasons I hope a strong competitor to Google Photos comes along soon. The search function is, for whatever reason, heavily censored and perhaps even biased in some circumstances. Worse, it is completely useless. For example, the query "fat" returns nothing, despite the fact that my gallery is filled with drawing reference photos that includes plus-sized people. "Black people" returns photos of non-black people, and (infamously, and perhaps for related reasons re: the shortcomings of Google's image recognition and tagging algorithm) "gorilla" returns 0 results. "Red shirt" returns an image of a blue decorative screen; "comic" returns anime and webpage screenshots; "woman" returns multiple photos consisting entirely of groups of men.
The situation is dire.
Think of it from Google's POV. Imagine if the tabloids found out about a situation of someone searching for 'fat' in the search bar and then it coming back with pictures of themselves or their friends - that could cause some serious controversy.
To think that someone can just throw their photos in s3 assumes people are ops, devils, or devs. That’s a small slice of the population. What about everyone else?
I also mention Dropbox. I haven't used it for a while though
You're right, a few hours of work on top of S3 are needed to obviate Google Photos.
Besides search, another feature of Google Photos that I would need is automatic inclusion of photos in shared albums based upon who is in them. Some examples:
I have an album shared with my parents which photos of my daughter are automatically added to.
I have an album shared with my daughter which photos of our dog are automatically added to.
I also like the collages, slideshows, movies and this day x years ago photos which Google Photos automatically creates and notifies me of.
You're willing to pay the price of those algorithms and the Google ecosystem. Others are not.
I'm excited to review this project. Thanks to the creators.
This has come at a perfect moment ... as, this weekend, I'm literally downloading my entire Google photos archive (one year at a time) to my local harddrive and figuring out a way forward.
I'm done with Google after a 'straw breaking the camel's back' moment with their payment system.
Why not use Takeout to download all at once?
For me the features that make Google photo, Google photo are:
* it's free and comes by default with an Android phone.
* it just works.
If you can make an effortless way to get online backups of my photos at a reasonable price while regaining privacy, then I'll switch in a heartbeat without a single thought about any of those ML-based moat features Google has crammed in their service.
I want none of those features.
I want automatic backup, easy sharing, and accessibility from all devices.
Personally I'd find the pure storage and basic categories suitable. I dislike almost all the algorithms. Especially "memories" and shit like that.
Simple and reliable backup and reasonably speedy browsing is what I need.
> If I wanted to just store my photos I'd throw them in a S3 bucket or Dropbox or something.
Neither of those give you any privacy unless you do the encryption yourself in which case you have to build something to access them unencrypted. Have you checked out what the service actually does?
Wouldn't a Mega encrypted folder make sense for the average person?
On top of this, good algorithms should be run if it is possible to do it in a privacy friendly way.
>So you're going to implement algorithms then?
Jeesh, that's easy.
You encrypt the algorithms too.
I don't want Google at all in my life, so I think this product seems very attractive. But of course it depends on the user, what they value.
Sidenote: are you aware that "Ente" is German for "duck"? :)
If I recall correctly "ente" has a pleasant meaning in Portuguese. Google Translate says it means "loved" but I feel like my paperback dictionary said something else...
Edit: I think it's similar to "being"
Since OP seems to be from Kerala it might be in Malayalam."ente" in Malayalam(Language of Kerala) means "mine".
Yes, hence the icon for "simple" @ ente.io :)
what are currently the best open source projects that allow you to fully automate and manage deployment of your own personal (or multi-user) cloud photos/drive storage service? I found:
I migrated my photo collection to https://github.com/jpsim/AWSPics about a year ago, pretty happy with it (so much so that I ended up contributing a number of features and bug fixes back to it). Basically all you have to do, after the initial setup, is an S3 sync to upload new photos, and a gallery web site and resized thumbnails get generated automatically.
All private, you configure usernames and passwords. The ongoing cost is just that of S3 standard / infrequent-access storage, which for my collection of ~50GB is currently costing me about ~$1/month. In terms of the auto-generated gallery (lambda function that traverses an S3 bucket) and the password-protection (CloudFront Origin Access Identity), you're locked in to AWS. But in terms of the data, you by definition have all the files in a simple folder tree on your local disk too, you can back it up wherever else you want, you can migrate it elsewhere quite easily. And AWSPics itself is open-source.
Add https://lomorage.com, self hosted, cross platform, mobile friendly, support multiple accounts, and login from multiple devices.
Or, just syncthing, if you don't need a specialized photo web interface. They apparently added support for client-side support recently, so you can put it on some random vserver as well.
What is happening here is more properly called client side encryption[1]. End to end encryption is the case where two clients are communicating directly with one another where the identities are established directly between those clients.
[1] https://en.wikipedia.org/wiki/Client-side_encryption
I think the idea is great, I'm looking for a E2EE photo service already for a long time.
Although I'm not a security expert, I have some worries about your security concept.
1. When the user wants to change the password, all photos&videos have to be reencrypted and uploaded which is absurd for most people because ~100GB of photo-storage is not an exception these days anymore.
2. When your database is leaked, it is very easy to compare with leaked passwords, putting users with reused passwords at great risk.
My proposal:
Masterkey: Random key encrypted with users password
Device A creates a masterkey and short-living rolling keys. Device B creates private/pub keys. If the user wants to add another device (B), he has to enter the current rolling key (from A). Device B sends its public key to Device A, encrypted with rolling key. Device A sends back masterkey encrypted with Device B public key.
en/decryption-key = masterkey decrypted with users password
With this method a database leak would be much less of a problem and a password change much less painful.
1. A user can change their password without re-encrypting any of the uploaded files. Changing the password only changes the encryptedMasterKey that is stored on the server.
2. Hashes of passwords are not stored at our server, and email addresses are stored encrypted.
You can read more about our key-encryption flow here: https://ente.io/architecture#key-encryption
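Added example, not part of the thread and not ente's code: a key-wrapping layout in which a password change rewrites only the encryptedMasterKey record and leaves every stored file untouched, as the reply above describes. Assumptions: scrypt stands in for Argon2 and IETF ChaCha20-Poly1305 for libsodium's ciphers (both ship with Node's crypto module), each file gets its own random fileKey wrapped under the masterKey, and all function names and sample values are constructed for illustration.

```javascript
// Added example: wrap a random master key under a password-derived key so that
// changing the password re-wraps 32 bytes instead of re-encrypting the library.
const nodeCrypto = require('node:crypto');

const AEAD = 'chacha20-poly1305'; // stand-in for libsodium's ciphers (assumption)

// Authenticated encryption with a fresh random 96-bit nonce per call.
// Every key here protects only a handful of messages, so random nonces are fine.
function seal(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv(AEAD, key, nonce, { authTagLength: 16 });
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or throws if the key is wrong or the box was modified.
function open(key, box) {
  const decipher = nodeCrypto.createDecipheriv(AEAD, key, box.nonce, { authTagLength: 16 });
  decipher.setAuthTag(box.tag);
  return Buffer.concat([decipher.update(box.ciphertext), decipher.final()]);
}

// Password -> key-encryption key. scrypt stands in for Argon2 (assumption).
function deriveKek(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32);
}

// The record the server stores: a salt and the wrapped master key.
// It contains neither the password nor a password hash.
function wrapMasterKey(masterKey, password) {
  const salt = nodeCrypto.randomBytes(16);
  return { salt, encryptedMasterKey: seal(deriveKek(password, salt), masterKey) };
}

function unwrapMasterKey(record, password) {
  return open(deriveKek(password, record.salt), record.encryptedMasterKey);
}

// Client side, at sign-up: the master key is random, never derived from the password.
function createAccount(password) {
  const masterKey = nodeCrypto.randomBytes(32);
  return { masterKey, serverRecord: wrapMasterKey(masterKey, password) };
}

// Each file is encrypted under its own random file key, which is wrapped
// under the master key (assumed layout).
function encryptFile(masterKey, bytes) {
  const fileKey = nodeCrypto.randomBytes(32);
  return {
    encryptedFileKey: seal(masterKey, fileKey),
    encryptedData: seal(fileKey, bytes),
  };
}

function decryptFile(masterKey, stored) {
  const fileKey = open(masterKey, stored.encryptedFileKey);
  return open(fileKey, stored.encryptedData);
}

// Password change: unwrap with the old password, re-wrap with the new one.
// No stored file is read or written.
function changePassword(serverRecord, oldPassword, newPassword) {
  const masterKey = unwrapMasterKey(serverRecord, oldPassword);
  return wrapMasterKey(masterKey, newPassword);
}

function demo() {
  const account = createAccount('old constructed password');
  const stored = encryptFile(account.masterKey, Buffer.from('constructed photo bytes'));
  const newRecord = changePassword(
    account.serverRecord, 'old constructed password', 'new constructed password');
  const masterKey = unwrapMasterKey(newRecord, 'new constructed password');
  let oldPasswordRejected = false;
  try {
    unwrapMasterKey(newRecord, 'old constructed password');
  } catch (err) {
    oldPasswordRejected = true; // authentication tag does not verify
  }
  return { plaintext: decryptFile(masterKey, stored).toString(), oldPasswordRejected };
}

console.log(demo());
```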
1. Oh sorry, thanks for the clarification
2. How is the email address encrypted? Why would an attacker need a stored hash? In a database leak situation it's possible to get to the data with only a valid email-password combination, or am I missing something? There is no information from a registered device necessary for the decryption, right?
Neat.
Some UVP / Headlines to split test:
1. Keep your memories yours.
2. Safeguard your memories from prying eyes.
3. Don't let big tech creep on your memories.
4. Keep your memories private.
5. Block creepy algorithms from spying on your life.
I like the dynamic sub headline - perhaps test the following variation on that:
protect your {memories} from creepy algorithms
Yes and work this into your pricing / tiers. Charging per GB just turns my photos into data. It's not data to me. It's memories, my life, my eyes.
Love the idea, sounds like a lot of hard work has gone into it already. I have been looking for this kind of thing to replace Google Photos. I checked out the website and couldn't find enough about the app's usability. So, I downloaded the (android) app hoping for some kind of demo or further insight into the UX but it's asking me to sign up or login. I guess I'll sign up anyway because I'm curious, but I'd have preferred a demo of the app first, especially since I really love the UX of Google Photos which is one of the main reasons prolonging my desire to replace it
Hey, we know that we should have a demo video of sorts so that you don't have to sign up to experience the product. It's due to a lack of resources that we don't have one yet. But we will prioritize this. Sorry for the trouble, I hope it's worth it.
What happens if I buy the yearly plan, fill my account with photos, then don't renew my subscription? Can I still access my photos even when downgraded to a free account?
No, storage and bandwidth are quite expensive. We will purge your data from our systems 2 months after your subscription expires.
You will have an easy way to download all of your data, and we will notify you multiple times to do so before the deletion actually happens.
Off-topic, but why is the color for regular text on HN text posts so light? For comments, it indicates a downvoted comment, but seemingly all text posts are this grey color.
AFAIK to discourage people from using them, it's preferred that you submit links. (I think they also get ranked worse)
One of the biggest reasons why I like Google Photos is all the processing that it does on photos, especially some of the features that you have mentioned (object and face detection, location clustering, image filters, ...). Now to process these photos, you would need to read them and since you are end-to-end encrypted it's up to the clients to do this processing. Would some of these features even run on mobile devices(or for that matter javascript on the web)?, since google uses AI heavily for these tasks. You upload a picture on google, and instantly you get all the processing done on your pictures and they are available for you to browse and search. Google uses custom built AI processors and massive GPUs to get that computation done quickly. To replicate that in javascript on the web and mobile devices is going to be hard since there are few libraries which support it and the mobile devices really cannot compete with the computing power available in the cloud.
I really love the privacy oriented aspect of this service though and I would really like to share one less thing with google. I've always been concerned about being blocked out of my google accounts and losing my photos.
You're right, we don't think that the accuracy of the indexes generated on the client will match the ones generated by Google's servers. There is a trade off here between user experience and privacy, and we are hopeful that the outcome with ente will hit a spot that will make it a viable alternative for a certain set of users.
Sure. All of Apple's photo analysis is done on device.
I like the fresh thinking, but I don't see a market for this.
What I see is a market for an Instagram replacement that is:
- not about filters or effects
- has flexible sharing settings (e.g. you can opt-in to looser privacy on a per-photo basis) that default to 'private'
- solves the storage and encryption of my photo library without me even having to understand it
That last item is a feature, not a product (but could provide an amazing moat around the product).
Ouch! This is costly. I'm still shopping for a Backup or a parallel solution to Apple Photos.
At $14.99 /mo for a 1TB storage or even the discounted Indian pricing of ₹999 /mo; I would put it at a high price point for a Photo Service/Tool.
Just a thought. I'd price it similar to Google Photos but sell the encrypted/privacy part as a prominent feature.
No thanks. My interest in cloud based e2e services is at 0%. I want a local only, AI based photo (video) solution and I am willing to pay good money for it (100/year) if:
- it's extendable via plugin system
- integrates well into Windows Explorer, Finder, Browser, Media Servers
- might be open source to fix bugs myself
I’ve been using ente for a while now. The user experience has potential for improvement but overall I’ve found it worth the tradeoff. The client app itself is super clean and it feels great to not be thinking about giving more of my money and data to google or amazon or fb. Take my money!
In my opinion, people who don’t trust google (like myself) would not trust every other company too. The perfect solution for me would be something that I can self host on my LAN with a clean and intuitive app like the google photos one, that would be a service that I would pay for.
With an Electron client, you also have to trust all the JavaScript libraries that NPM brings in (and this can be a huge number).
Electron is pretty cool, but it doesn’t seem compatible with anything related to security or encryption.
This looks very good and the pricing plans are reasonable. However I want something locally hosted. I will pay to buy the software and run it on my own equipment. I really don't want to keep paying a subscription perpetually in order to store my photos.
Thanks! ente is currently not directed at an audience that has the knowledge to set up and maintain a reliable storage infrastructure. We had started off on the self-hosting route and then realized the difficulties in scaling such a product in the consumer space. So we have for now decided to direct our limited bandwidth into making the product accessible. Sorry about that.
No worries, I understand. Congrats on the launch and good luck!
How ripe is this space?
Recall Origami which stated to do same and then they got a qui-killed before they could even launch?
I haven't used any online photo storage place for years because I don't trust them, but that's also a lame excuse because I have yet to be able to extricate Google from my life, which is a smoldering desire in the back of my head..
But I feel like any of these photo upstarts are going to be short lived.
I'd be happy to pay $60 for the app, and then pay some fee/month for storage space, dedupe etc...
What might be cool for an organization option would be a shared library of assets such that devs and artists can manage a library of digital assets across teams and projects and integrate with something like Slack..
Kudos on your launch! I just had a question: the pricing plans seem slightly pricey, is it to break even before bringing prices down, or is it due to expensive storage? If the latter, is there a self-hosted option?
Also, the website looks absolutely great!
Thanks! We're currently focusing on breaking even and becoming self sustaining. With scale we're hopeful that we'll be able to reduce the prices.
Have been hoping for something like this for probably a decade – and your product looks great.
Also have a question about the pricing. I’m happy to pay at the current tiers, especially to help getting y’all bootstrapped. But I’m curious if reducing the pricing will be an objective for you as you scale? I’m not sure I see myself maintaining the current expense indefinitely or it making it easy to recommend to less technical friends/family.
The idea behind the project is to make privacy accessible. We are hopeful that we'll be able to lower the price points as we scale up and still remain profitable.
yes! googol is cheaper and the bottom line matters to lot of people. perhaps this is a good way to ask people whether they'd pay additional 5-10$ for privacy.
ELI5 what does self hosting option mean here in this context?
I reckon, BYO object store.
I'll bite. I think you've got a really really promising product here. The one thing I'd add is that at least from initial testing, the iOS app doesn't detect and offer to backup nested albums. Specifically, I have an album with another album nested inside, and then another three albums nested inside that. The first album and second album contain no photos, but the 3rd level down does, and the app doesn't see them.
Other than that, I think you've got a really seriously good product here. libsodium + XChaCha20 is really really good in terms of encryption technology. You've picked all of the right things! Well done :)
We hadn't tested out the nested albums scenario you pointed out yet, will get this fixed.
Thank you for the feedback! :)
But forgotten to sign commits and establish a trust chain.
I highly appreciate this project and I will watch it. Once I travel back to India again, I'll knock on the office door (it's like 300m away from my usual place ;).
Respect btw for being one tech startup that finally has an address on their website.
The first thing I read on the landing page is:
"Encrypted backups for your photos and videos"
But you show apps with images, which for me implies that I can use an application you provide to look at the photos that are stored?
I don't think of Google Photo as my backup, though I presume it is that as well, but as a way to look at photos, organize them, do some quick editing, and show the same photo collection on all my devices.
Is this mostly pure backup?
Is there a means to search for photos per keyword, location, or any other meta data?
If I wish to export all photos with the keyword "Good dog" can I do that?
If so what all meta data is stored and can I adjust what I want to be revealed or not?
For the privacy centered people, Synology has a NAS that does all of this and more.
I feel like I'm missing something with these E2E encrypted products. I would _never_ recommend one of these to my family. What happens if they lose their password? Suddenly all of their photos are physically impossible to recover? What if the primary account holder dies? I would never trust a physical storage locker that said "if you lose your key we're going to set your stuff on fire". I _do_ place some amount of trust in the owners to potentially get access to the contents of my storage in extreme situations. Making that physically impossible is terrifying.
In addition to your password, you have a recoveryKey that can be shared with your family members. As long as you've access to either your password or your recoveryKey, you will be able to decrypt your data.
A shared recoveryKey can be revoked and a new one generated if necessary. (We don't have a hook for this on the UI yet, but our system is designed to support a key rotation).
Nice! I appreciate that this is something that you've looked into. I'm still wary of the core tech here, because it's just too powerful. I'm personally ok with my photos being discovered by family many generations into the future. Or by random archivists. So much of the history we have access to is the result of discoveries of people's miscellany. Moving into an age where people's photos/messages/letters will auto-self-destruct by default -- the opposite of their physical counter-parts -- is scary to me.
I leave the handling of those situations to Lastpass. My wife and kids may request access to my password locker, and if I don't reject within 30 days the locker is opened to them.
Thanks for sharing this, I had no idea Lastpass had such a feature.
I guess this means that your family already has access to your decryption keys and the Lastpass servers are merely restricting access to the encrypted data for the 30 day time period.
That's an ingenious system.
What’s your story for exporting from Google photos? I would happily use this service if it could automatically backup my Google Photos to protect me against the possibility of Google killing my accounts.
You can take out your Photos data from takeout.google.com, and drag and drop the output folder into https://web.ente.io.
We understand and parse the metadata files Google generates and support resumable uploads.
I have been using ente.io for a few months now. It does what I want, to back up my photos. AI and all is something I personally don't care much about. But I would love to have location clustering.
Pretty happy with it.
9 times out of 10 people will choose convenience over privacy. Google Photos is just too good to care about the supposed "privacy issues."
You know you could just use Jottacloud for a fraction of the price. Also, Google Drive supports multiple encryption providers. I use rclone, and for $99 a year you can get 2TB of storage or more with Google Workspace. I don't understand why this is so expensive when in reality you can get the same from other providers for much cheaper. It isn't like Google Drive has to be unencrypted.
One of the biggest ways I use iCloud Photos is as a screensaver on my Apple TV. As I am considering alternatives to Apple products due to privacy concerns, I am looking for something that has screensaver integrations with Android TV and/or Apple TV. It seems all open source Google Photos alternatives don't have a screensaver app for any TV platform.
Thanks for the suggestion, we already have this on our roadmap[1].
[1]: https://roadmap.ente.io/tv-app-p-1257/
I'm curious what challenges you've faced on iOS -- for example, has Apple made it difficult to implement background sync?
We are still facing challenges with the reliability of background syncs on iOS. There is a threat of the OS blocking our background tasks altogether and we end up having to be very conservative when it comes to uploading data in the background. Which a lot of times results in 0 files getting synced until the app is in the foreground. These constraints don't seem to apply to Apple Photos though.
How would you compare yourself to Mylio? Mylio is closed sourced & a $10/month subscription, but doesn't have a cloud component to it, so you can have unlimited amounts of photos. You have to manage your desktop computers yourself although. It also lets you store photos E2E encrypted on onedrive, amazon drive and google drive.
Is this encrypted at rest as well?
Can you recover the data in case of a loss without seeing the data?
Good project, really well done, browsing the GitHub a bit.
Thanks!
The data is encrypted once it leaves your device.
Not sure what you mean by a data "loss" here. If it's about the customer losing access to their password, as long as they have access to their recoveryKey, they will be able to sign in and change their password. If it's about something else, please let me know.
Ummmm, data at rest is to mean that the photo remains encrypted on the server's hard drive after power off.
you have a warning during sign up that says “you will lose everything if you forget your password”.
naturally this is off-putting to most normal people. any plans to implement a social-recovery system like we see in the ethereum world?
if i can share photos with friends, i should be able to use those friends to recover my account too.
Sorry for the off-putting text. We do offer a recoveryKey that can be shared with your friends and rotated if necessary. As long as you have access to either your password or your recoveryKey, you will be able to decrypt your data.
If you still want to use the algorithms but keep the data private (self hosted and open source), I can suggest Librephotos. It has face detection, object detection, place markers, etc. It is not perfect but from what I have seen, it's currently still the best self hosted open source solution.
Very interested in this. Some questions:
How does one migrate to this from Google photos?
How does one share across the family?
Is it possible to have a local backup (e.g. on my desktop) in case something goes wrong?
What are plans for features beyond just storing photos (categorizing, tagging, labelling, albums, comments/notes, geotags, stories, etc.)?
What's the pricing?
> How does one migrate to this from Google photos?
You can export your data from takeout.google.com, and drag and drop the output folder into web.ente.io.
> How does one share across the family?
Currently we don't have family plans yet. Existing customers are sharing the same account with their partners. This is on our roadmap and we will ship it soon.
> Is it possible to have a local backup?
Our desktop app[1] has an option to sync your uploaded data to a local disk drive.
> categorizing, tagging, labelling, albums, comments/notes, geotags, stories.
We already have albums and stories. All the other features you mentioned apart from "comments/notes" were already on our roadmap. I've just added "comments/notes" too to it[2].
> What's the pricing?
https://ente.io/#pricing
[1]: https://github.com/ente-io/bhari-frame/releases/latest
[2]: https://roadmap.ente.io/ability-to-add-commentsnotes-to-a-ph...
Thanks for the detailed responses! Some more questions:
a) I note the pricing is somewhat higher than Google/Dropbox, which is fair. But is there a way to compress the media (esp. videos) before uploading it to conserve some storage? (I wish when Google still had unlimited 'high quality', it was possible to store photos in original and video in hi quality).
b) is there a way to detect duplicate photos, including of lesser quality, and only store the higher quality version? (E.g. photo comes from original device but also in a WhatsApp image folder because it was shared).
c) assuming search is on the roadmap based on feature detection, are there ways to find photos based on date/uploading device/camera/geolocation?
Looks great, but based on my limited time with it:
- when registering via the Android application I got no 1Password prompt to fill in the fields; this is usually the case with other applications
- there doesn't seem to be an option to back-up single photos, only whole directories; why is this?
Hey, sorry that the 1Password prompt did not pop up. We'll look into this.
Regarding the lack of option for backing up individual files, currently that option exists only on iOS since the OS provides users with an option to grant permission to a few files instead of their entire gallery.
There are two ways to work around this on Android right now:
1. Share a file from outside the app to ente.
2. Skip the folder selection, choose the file you want to backup from your device folder, and add it to an album (you will be prompted to create an album if none exist).
Question: Why XChaCha20? If you used aes256 I wouldn't even give it a thought and simply move on to the next question, but now I have to stop and ask what's going on and wonder if you did it right. Just seems like unnecessary friction in my decision process.
We had started off with AES, and the performance was abysmal on low-end mobile devices and certain web browsers. XChaCha20 in comparison added negligible latency and seemed less prone to human errors.
These weren't the sole reason however. There's a lot of literature on the security aspects of XChaCha20, some of which I'll link below:
- https://soatok.blog/2020/07/12/comparison-of-symmetric-encry... (in our case your masterKey is used to sign all your fileKeys)
- https://crypto.stackexchange.com/a/34458
- https://nordpass.com/features/xchacha20-encryption/#why%20No...
- https://blog.cloudflare.com/do-the-chacha-better-mobile-perf...
Have you correctly evaluated your threat scenarios?
ChaCha is a streaming cipher, which is meant to be used in the transmission phase, not for data at rest (DARE). That is a significant difference. In this case, you are implementing a photo storage service, where data is lying mostly on your servers, and not disappearing after the transmission. What is the threat model?
In general, streaming ciphers are considered weaker alternatives to DARE ciphers. The main risk lies in the nonce. In a service like this, you are using a long-term key. XChaCha provides a 192-bit nonce. How likely are you to generate identical nonces?
Well. In this case, it might be that this streaming cipher is safe. A 192-bit nonce is quite a big number.
For example, AES-GCM with a 96-bit nonce has a maximum message count of 2^32 when used deterministically [1]
In theory, the AES alternative is much weaker than your current implementation.
[1]: https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=51288...
Why does this app need to link my identifiers and contact info to my identity?
I would feel a lot more comfortable with this if it didn't collect any data of mine, and you were just storing ciphertext.
I don't want an account, and I don't want to give you my name or email.
Hey, we do need some information to get the product to work well. You can see the bits of information we collect, along with the reasoning here: https://ente.io/privacy/#account-data
> Browser type and operating system of the devices from which you have logged in to ente to ensure account security.
I can't imagine how that information could be used to stop an attack that otherwise would succeed. Is this just so that you can say "Your last login was from Safari on an iPhone" to the user to reassure them their password hasn't been stolen (or the attacker has correctly guessed the most popular browser on the most popular platform)?
If so, this seems like a string that could be generated client-side, and stored encrypted on your server, so that you never have to log this data in plaintext.
Collecting my data is a nonstarter for me. The point of e2e is so that the provider doesn't have useful information.
If I have to trust you with my information, you didn't need to bother with the crypto stuff.
I've been craving a service like this for a long time!!! I'll check it out asap.
To me, the main selling point of Google Photos is their excellent AI search (yes, I understand the implications). Otherwise, Syncthing covers all of my requirements. Is there any alternative that has this kind of indexing/search?
Yes: https://photoprism.app/
Assuming this is what I have been looking for I would 100% purchase a one off licence for self hosting should your team ever think about that as an option. Even if it is just a 2021 version or something along those lines.
Gotta love the progress y’all made in the last few months! Congrats on the launch!
Interesting, but the price is high!
Guys if you need to hide sensitive information while screen sharing or video recording, check this https://blurdata.net/
Can it be linked to a personal server? I have been doing backups (over SFTP) to a Raspberry Pi with an external HDD for storage. So far it's great, but I cannot view the photos; I have to download them to view them.
I noticed on one of the screenshots there are buttons labelled "When in Rome" and "Christmas 2019". What do the labels reference? Are you using tags added from the photos metadata? Thanks!
Those are manually created album names. We don't have automatic clustering enabled yet. But it is in the pipeline and we hope to ship it later this year.
Congrats! Love the product. I can see myself switching to ente very soon.
Looks great - congratulations! Could you please add if / how you store a hash of the user password of authentication - it's not discussed on the architecture page. Thank you.
We don't store your password's hash. Since we use authenticated encryption, clients can identify when the decryption of your masterKey fails because you used a key generated from a wrong password.
Ok, that's cool! But the client gets to download the encrypted master key without authentication, right? Doesn't that enable easy offline attacks or is the decryption too time-consuming?
Is there an example gallery we can check (without the need to log in, or upload own photos)?
Is there a local backup? (Say, in the pessimistic case of Ente going down for any reason.)
Sorry, we don't have a sample gallery yet. :(
We do have a local backup tool that will sync your uploaded files to a local folder: https://github.com/ente-io/bhari-frame/releases/latest
Thank you!
And is it possible to show publicly selected galleries/photos? I see only on per-person basis via email.
Right now I have an inconsistent combination of Dropbox (mostly archive), Zenfolio (public), and FB (some public) - and I am looking for a better solution (aesthetic & long lasting).
I would suggest making your APK compatible with Android TV; there is no Google Photos for Android TV, and Google's answer is to use your phone to cast your photos to the TV.
I think we will need to re-imagine re-jig and pivot or image file sharing site https://picc.io
Why is your app not available on the App Store in France?
Love the idea. What happens if I delete a photo in the Photos app on iOS? Does it get backed up by Ente at any point automatically before it's deleted?
From our observations, the only way to reliably sync data with remote on iOS is to keep the app in the foreground. The behavior is unpredictable otherwise.
Congrats on the launch! Are you guys are from Kerala by any chance? എന്റെ ("ente") means "mine" in Malayalam.
Yes, I am from Kerala. :)
So how is it developing with flutter for an app and why not use it as the base for a desktop app vs. make a web version?
Flutter's GitHub issues seem to suggest that the framework is not yet stable on the web or desktop. Also, we wanted a web version so that customers could check out the product without having to install an app.
Coming back to Flutter, I personally have high hopes for the framework. The learning curve is one of the smallest I've experienced and they have managed to create a community that actively contributes to their plug-in ecosystem.
How has the developer experience on it been overall? I downloaded the Flutter app from GitHub on my machine and it's pretty extensive! I'm kind of surprised you don't have a web target just for convenience's sake, but I see you're using some stuff that is more mobile focused for background task management.
What file formats are supported? RAW files? Any plans to integrate with apps like Lightroom/darktable/etc?
Currently we support image/* and video/* formats. We don't have plans to integrate with professional photo editing tools yet.
V cool service! What metadata do you store btw? Can I use it to store nice dslr pics and later sort by ISO?
On mobile we already include EXIF information in the encrypted-metadata. We will be doing the same on web soon, and will then enable client-side search over that data.
Excellent work guys! If you can make your service cheaper and keep your promises, you have a winner.
congrats! initiate a page [here](https://newdin.com/page/App/21485833) and ready to chronicle your adventure.
Very excited to see the source!
Does it do the auto person/object/place recognition + tagging + search?
Sorry, not yet.
I really love your product
Have you considered using FHE for analyzing the photos encrypted?
> two different storage providers in the EU
Which ones did you choose and why?
BackBlaze because of their reputation.
Scaleway because of their cold storage offering in a fallout shelter underground that reduces the risk of natural disasters.
Congratulations, this looks neat. A couple questions around this venture:
1. Does ente.io intend to remain bootstrapped or seek funding (tiny-vc, crowd, crypto, public)?
2. Is the founding team in it for long term; serious about sustaining this business in face of capable incumbents (some upcoming ones https://news.ycombinator.com/item?id=27338008, some established ones like nextcloud.com, getkeepsafe.com) and competent competition (EteSync)?
---
A couple around the app:
1. What are the guarantees around backups / data loss across updates, device changes, account turnovers due to password-loss etc
2. If the founding team is thinking ahead, do they plan to build other such alt-apps too?
3. What's the server-side object store, if okay revealing that: StackPath? Scaleway? Wasabi?
4. How does ente.io handle file versioning, race conditions (file created and deleted with same names across different devices, as one example)?
5. How does ente.io handle abuse? Using ente.io for nefarious purposes such as CSAM, as one example.
---
A couple around cryptography (since you emphasize e2ee I took a glance at the architecture doc):
1. To my untrained eye, a lot of crypto cited in the architecture document reads like it was hand-rolled. There exist RFCs that cover recovery for use cases involving public-key crypto (PGP is hard for a reason), but yours is "cross-encrypt master-key with recovery-key and vice versa..." which does not inspire any sort of confidence in me. Besides, the wrapped keys stored on servers are sent to clients without any checks and hence subject to brute-force attacks. Are you sure what you have designed isn't weak? ente.io sets out to be tarsnap but looks far from it.
2. Another thing that sticks out is the custom "encrypted authentication flow"...
3. How do I rotate the master key, collection keys, file keys etc in case my password is compromised? Sounds like a lot of work given the current architecture?
I see that the doc has been "peer reviewed" by 5+ engs, but any cryptographers in there?
---
A couple around ToS:
1. ToS states that ente.io may store documents even post-deletion by the customer. Why not delete it right away? That's a security risk?
2. If you suspend access to an account (since ente.io retains the right to do so), what policies govern data-takeout?
Thanks. All the best.
Venture:
1. We did apply to YC a few months ago, but were rejected in the interviews because they felt that the total addressable market was low. We don't know if other VCs will feel differently and we haven't applied anywhere else since. Perhaps paid subscriptions are in a way public funding? :)
2. Given the rate at which photos are being taken (a trillion a year), we believe that the market is large enough for multiple players. Also none of the existing solutions provide a user experience that we are happy with, so we would like to keep building until we have something that works for us (at least). Also it helps that we are not very motivated by money. As long as we get to build useful things while being able to sustain our lifestyles, we will be content.
---
App:
1. We have been advised by our lawyers to provide no such guarantees. All I can say is that we follow the best engineering practices to make sure that possibility of a data loss/corruption is minimal. And in the unfortunate case that it does happen, we have strategies in place to minimize the damage by applying rollbacks and triggering re-syncs from clients. We will be transparent about any such event.
2. Our infrastructure is agnostic to the data type. Once we have reasonably polished the photos product, we would like to venture into other spaces where E2EE storage + sync is useful.
3. We use BackBlaze as our hot-storage and Scaleway as our cold storage.
4. All files are versioned. File names are not a primary key.
5. Due to the nature of our encryption protocols, we cannot actively look out for illegal content, but we will take down content that violates our ToS[1] when it is brought to our attention.
---
Cryptography
1. The key recovery flow was hand rolled and peer reviewed, since we could not find existing implementations that solved for our use cases. We wanted the recoveryKey to be something that can be shared and rotated if necessary. We have reasoned from first principles and have relied on libsodium for executing the actual cryptographic operations. If you have specific concerns with this, please write to security@ente.io, we would love to engage in a conversation.
Wrapped keys are sent to clients only after verifying a user's email address and 2FA (if configured). This is similar to what most other encrypted storage providers do.
2. The extra layer of authentication was added to serve as an implicit second factor. This ensures that even if your email is compromised, an attacker cannot gain access to an auth-token and trigger API calls that could corrupt your data. Both your email and password have to be compromised for them to authenticate against our servers.
3. If by your password being compromised you mean that all of your encryption keys have been compromised, you will have to re-encrypt and re-upload all of your data. It is difficult to rotate a file key without actually re-encrypting the file.
4. These are seasoned engineers who understand and have used high level crypto libraries to build secure infrastructure at a few unicorns.
---
ToS:
1. We keep it around just to help users recover their data in case they were attacked.
2. I believe that we should be able to offer a takeout for the data that was not in violation of our ToS, but I would like to speak to our lawyers before confirming this. :)
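The key wrapping debated in this exchange, together with the earlier answer that no password hash is stored, sketched as an added example that is not ente's code. Assumptions: Node's scrypt and ChaCha20-Poly1305 stand in for libsodium's Argon2 and XSalsa20-Poly1305, and every function and field name is hypothetical.

```javascript
// Added illustration, not ente's implementation. Substitutions (assumed):
// scrypt replaces Argon2, ChaCha20-Poly1305 replaces libsodium's secretbox.
const nodeCrypto = require('node:crypto');

const KDF_PARAMS = { N: 2 ** 14, r: 8, p: 1 }; // each password guess costs one scrypt run

function deriveKek(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32, KDF_PARAMS);
}

// Authenticated encryption of one 32-byte key under another, fresh nonce per wrap.
function wrapKey(plainKey, wrappingKey) {
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('chacha20-poly1305', wrappingKey, nonce,
    { authTagLength: 16 });
  const ciphertext = Buffer.concat([cipher.update(plainKey), cipher.final()]);
  return { nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Returns the unwrapped key, or null when the Poly1305 tag does not verify.
// That failure is how a client learns the password was wrong without the
// server holding any password hash.
function unwrapKey(wrapped, wrappingKey) {
  const decipher = nodeCrypto.createDecipheriv('chacha20-poly1305', wrappingKey,
    wrapped.nonce, { authTagLength: 16 });
  decipher.setAuthTag(wrapped.tag);
  try {
    return Buffer.concat([decipher.update(wrapped.ciphertext), decipher.final()]);
  } catch (err) {
    return null;
  }
}

function createAccount(password) {
  const masterKey = nodeCrypto.randomBytes(32);
  const recoveryKey = nodeCrypto.randomBytes(32);
  const kdfSalt = nodeCrypto.randomBytes(16);
  const serverRecord = { // all the server holds: salt plus wrapped keys
    kdfSalt,
    masterKeyByPassword: wrapKey(masterKey, deriveKek(password, kdfSalt)),
    masterKeyByRecovery: wrapKey(masterKey, recoveryKey), // cross-encryption,
    recoveryKeyByMaster: wrapKey(recoveryKey, masterKey), // both directions
  };
  return { serverRecord, masterKey, recoveryKey };
}

function login(serverRecord, password) {
  const kek = deriveKek(password, serverRecord.kdfSalt);
  return unwrapKey(serverRecord.masterKeyByPassword, kek);
}

// Password reset via the recovery key: only the password wrapper is replaced.
// masterKey itself is unchanged, so a party that already unwrapped it keeps
// access until the files are re-encrypted under new keys.
function recoverAndSetPassword(serverRecord, recoveryKey, newPassword) {
  const masterKey = unwrapKey(serverRecord.masterKeyByRecovery, recoveryKey);
  if (masterKey === null) return null;
  const kdfSalt = nodeCrypto.randomBytes(16);
  return {
    ...serverRecord,
    kdfSalt,
    masterKeyByPassword: wrapKey(masterKey, deriveKek(newPassword, kdfSalt)),
  };
}
```

Anyone holding `serverRecord` can test password guesses offline, so the resistance rests on password entropy and the KDF cost, which is why the reply above gates download of the wrapped keys behind email verification and 2FA.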
Thanks so much for taking time to answer these.
As a fellow founder/eng in the digital consumer privacy space, I can tell you that it remains fringe. And it isn't clear if it will take off in an exponential way anytime soon as, from what I have noticed, VC-backed startups in this space trying to pry out growth have indeed struggled (SilentCircle, as one example). Competing with free [0], as it turns out, may make for a decent-sized lifestyle business, but may not bring in VC-warranted returns (Netflix vs BitTorrent / Spotify vs LimeWire notwithstanding).
Enterprise security and privacy remains very lucrative however, if you are considering pivots :)
Please consider getting ente.io's cryptography reviewed by cryptographers. It does not inspire confidence so much so that I feel ente.io frontends are better used with a tarsnap backend.
Thanks again.
[0] https://kk.org/thetechnium/better-than-fre/
I've been thinking of a similar system with e2e sharing of content and I'd love to pick your brain on this if you don't mind :)
- What made you go with libsodium over using the browser's Web Crypto API?
- If you stop sharing an album with someone, do you somehow re-encrypt the collection key or is the recipient still in possession of all the necessary keys to decrypt the data if they get their hands on it?
From what I have seen, I like Photoprism [1] better. Yes, they are a different kind of product, but feature wise they should be considered a competitor.
Yes, ente.io is easier to set up, but there are many things lacking or unpolished (e.g. the image sizes that are being loaded while going through the photos fullscreen in the browser).
[1] https://photoprism.app
I just set up PhotoPrism myself this week! With it being completely self-hosted, this isn't something I'd be comfortable asking someone non-technical to do.
I like that it is self-hosted; it also uses TensorFlow to classify images so you can perform keyword searches, e.g. "museum". It doesn't appear to be as good as Google Photos though, e.g. in GP you can search "vaccination card" and it does what you expect, which is very impressive.
Face detection is currently under heavy development also, which is very exciting: https://github.com/photoprism/photoprism/issues/22
There are certainly things that are missing, but I'm okay with the tradeoffs for now in the hope that it will eventually improve.
That service doesn't look like it's encrypted and not really equal then.
So far, there isn't even a service. It is only software, which you can use to self-host your pictures, which can serve the same purpose. Both are certainly GP alternatives.
Equal: no. Comparable: sure.
Is there a way to “one click” move from google photos?
Currently no. You have to manually export your data from takeout.google.com.
We are optimistic that with the Data Transfer Project[1], Google will eventually expose APIs for us to perform this migration programmatically.
[1]: https://datatransferproject.dev
I use mega.nz which is E2E and very cheap per GB
Is there a way to self host? Backend included?
congrats! wishing you good luck
I am not using this. Sketch.
Is there a 20GB plan please?
Super excited for this one.
is there a way to automatically migrate from google photos?
Yes! You can go to takeout.google.com, export your photos and drag them into https://web.ente.io. We will preserve all of the metadata Google generated.
If at all the upload flow breaks in between, just drag and drop the exported folder again, we will skip already uploaded files and resume from where we left off.
Is there a way to self host the backend?
I like the look of this, and I’ll keep watch on it. But all the negative comments here (even those which are well founded) really are discouraging. Must be absolutely horrifying to post your product on Show HN
Thank you! :)
The point of this post was to be critiqued, and we think everyone has their hearts in the right place.
Clickable links!
[1]: https://ente.io
[2]: https://ente.io/apk
[3]: https://play.google.com/store/apps/details?id=io.ente.photos
[4]: https://apps.apple.com/in/app/ente-photos/id1542026904
[5]: https://web.ente.io
[6]: https://github.com/ente-io/bhari-frame/releases/latest
[7]: https://libsodium.gitbook.io
[8]: https://ente.io/architecture
[9]: https://github.com/ente-io
[10]: https://www.reddit.com/r/degoogle/comments/njatok/we_built_a...
(Since the original links are now clickable, I propose that it would be nice if HN made all links in self-text posts clickable by default. It seems like it might foster a healthier community, since it will feel less like it's a special privilege to have clickable links.)
Last time I looked at your service it was web only and did in-browser crypto. This is essentially useless for 2 reasons:
- There is no effective versioning.
- Application and storage vendor are the same entity. Therefore if you are hacked or coerced you can push code to me. The only defense is proper version pinning and compiling myself / taking it from F-Droid.
Photos are among the highest value phone data. I don't take chances here. You do not post the apk signing key prominently on your front page. Your commits are not signed. You host on Microsoft-owned GitHub.
Why would I trust you? This seems like yolo-development.
"We built a de facto repository of CSAM"
Cloud services have entire departments of people constantly combatting this stuff for a reason. It's the single hardest part about providing an image service.
Awesome work. Although the price is 5x of google’s, the privacy is worth it.
Is there a family plan? We currently have a 200gb Google Photos plan with my wife, but to migrate we have to take the 1000gb plan (which we will fill in maybe 8 years at the current pace of adding content). Maybe something in between 100gb and 1000gb would find its audience.
Yes, we have both a 100GB and a 1000GB plan; you can check them on https://ente.io/#pricing
Pricing is expensive comparing it to mega (https://mega.io/pro). Mega is end to end encrypted as well (Mega is 2tb for $118. Source code is also available https://mega.io/sourcecode).
Why would someone pick your service?
Exactly my point. I’m getting close to 200gb, but it’s gonna be a while I reach 1000gb. So essentially i’ll be paying for the space I don’t use for years.