Comment by YPPH
5 years ago
Self-hosting a zero knowledge service is probably unnecessary.
If you're hosting the service, there's no need for data to be encrypted client-side. Unless, of course, you were intending on running the service on a public cloud which you didn't control, but that's something I don't think many privacy-conscious folk would do.
There are plenty of open source, self-hosted alternatives to Google Photos.
Yeah, having attempted to operate a service very similar to this (only more focused on general encrypted cloud storage), I will say there are no good economics in usage-based billing. You're much better off selling a license to use the software and giving users the ability to use common cloud storage providers (minimally the S3-compatible ones but also things like Google Drive) as the backing for this. Even safer from a legal perspective would be not having accounts at all and allowing users to purchase a 1-year license based on license keys that are cryptographically validated but not stored anywhere. Then it's impossible to do anything user-specific whether you are compelled to or not.
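One way the account-less, "validated but not stored" license key from the comment above could work, as an added example that is not part of the thread or of any project's code: the vendor signs an expiry time and the client checks it offline. The key format, the choice of Ed25519 and the names `NewVendorKey`, `IssueLicense` and `VerifyLicense` are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
	"time"
)

var (
	ErrInvalid = errors.New("license: malformed key or bad signature")
	ErrExpired = errors.New("license: expired")
	b64        = base64.RawURLEncoding
)

func NewVendorKey(seed []byte) (ed25519.PublicKey, ed25519.PrivateKey) { // seed stays with the vendor
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// IssueLicense (vendor side): the payload is only an expiry, so the key names no user.
func IssueLicense(priv ed25519.PrivateKey, expires time.Time) string {
	payload := make([]byte, 8)
	binary.BigEndian.PutUint64(payload, uint64(expires.Unix()))
	return b64.EncodeToString(payload) + "." + b64.EncodeToString(ed25519.Sign(priv, payload))
}

// VerifyLicense (client side): public key only; the signature is checked before the expiry is read.
func VerifyLicense(pub ed25519.PublicKey, key string, now time.Time) (time.Time, error) {
	p, s, _ := strings.Cut(key, ".")
	payload, err1 := b64.DecodeString(p)
	sig, err2 := b64.DecodeString(s)
	if err1 != nil || err2 != nil || len(payload) != 8 || !ed25519.Verify(pub, payload, sig) {
		return time.Time{}, ErrInvalid
	}
	expires := time.Unix(int64(binary.BigEndian.Uint64(payload)), 0).UTC()
	if !now.Before(expires) {
		return expires, ErrExpired
	}
	return expires, nil
}

func main() {
	pub, priv := NewVendorKey(make([]byte, ed25519.SeedSize)) // constructed all-zero demo seed
	exp, err := VerifyLicense(pub, IssueLicense(priv, time.Now().AddDate(1, 0, 0)), time.Now())
	fmt.Println(exp, err)
}
```

Because nothing is stored, a leaked key cannot be revoked before its expiry, and the expiry check trusts the client's clock.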
To me it is a canary signal that I have the option to self-host.
Most likely, QoS would be better from ente's hosting and I would be inclined to take advantage of that. An open source server can be audited and offer an off-ramp should their service no longer suit me.
Then again, the economics of enabling self-hosted infrastructure are probably less exciting compared to locking users in to marked-up, white-labeled infrastructure.
How do you know it's zero knowledge?
The source code of the client-side apps appears to be available on GitHub. So if they're bluffing, it won't be too long until someone calls them out on it.
Without a fully described mechanism to confirm that the client you download is not compiled with additional code (i.e. without specifying exactly how the client is compiled, using which version of which compiler, and which compile flags, dependency versions, etc.) any kind of "the code seems to be on GitHub" is kind of meaningless.
Unless they only send compromised code to you personally and nobody else.
https://ente.io/transparency/
That's just a non-binding promise. If that's enough for you, you don't need encryption at all.