Group: GNU Social P2P/Privacy
Privacy in P2P GNU Social is guaranteed by strong cryptography. This enables users to allow their actual, binary data to traverse the network and live anywhere, without any loss of privacy.
Currently, there is a standing challenge for those who believe that strong cryptography does not guarantee privacy.
Overview
Every object in GNU Social has a privacy policy, represented in a set of keys. In the case that an object is fully public, the set is the null set. In the case that an object is fully private, the set is the origination point of the object. In most cases, the set will be composed of the origination point of the object plus a number of other keys.
Data Keys
Every time an object is created, it is encrypted under a symmetric key, the "data key" (abbreviated hereafter as Kd). That key is then encrypted to every key in the set of user keys that are allowed access to the object. It is to our good fortune that such interactions are already implemented in the OpenPGP protocol.
Set Operations
It should be possible to add people to any given privacy policy set.
It is not possible to remove people from the privacy policy in the general case, though it may be possible to re-encrypt the data in the datastore before a person has retrieved it. Removing user keys from the set is an expensive and largely symbolic process, since we assume that once published, data exists everywhere, and removing a user entails re-encrypting the object and re-sending the key to all members of the set.
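The Kd and set operations described in the two sections above, as an added illustration that is not GNU Social code: per-user secrets, a hash-based stream cipher and an HMAC stand in for the OpenPGP public-key wrapping so the example runs with only the standard library, and the policy set is a map from user id to that user's wrapped copy of Kd (the fully-public, empty-set case is not modelled).

```python
import hashlib, hmac, os

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC under `key`; plays the role OpenPGP plays in the real design."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class PrivateObject:
    """Data encrypted to a data key Kd; Kd wrapped to every key in the policy set."""
    def __init__(self, data, member_keys):
        self._encrypt(data, member_keys)
    def _encrypt(self, data, member_keys):
        kd = os.urandom(32)                       # fresh Kd, never stored in the clear
        self.blob = seal(kd, data)
        self.policy = {uid: seal(k, kd) for uid, k in member_keys.items()}

    def read(self, uid, key):
        if uid not in self.policy:
            raise PermissionError(f"{uid} is not in the privacy policy set")
        return unseal(unseal(key, self.policy[uid]), self.blob)
    def add_user(self, by_uid, by_key, new_uid, new_key):
        """Cheap: a current member unwraps Kd and wraps it to one more key."""
        self.policy[new_uid] = seal(new_key, unseal(by_key, self.policy[by_uid]))

    def remove_user(self, by_uid, by_key, gone_uid, remaining_keys):
        """Expensive: new Kd, re-encrypt the data, re-send Kd to everyone left."""
        data = self.read(by_uid, by_key)
        self._encrypt(data, {u: k for u, k in remaining_keys.items() if u != gone_uid})

def demo():
    """Runs the set operations; returns (what bob reads, alice still in set?, alice's old view)."""
    keys = {u: os.urandom(32) for u in ("origin", "alice", "bob")}
    obj = PrivateObject(b"private note", {"origin": keys["origin"], "alice": keys["alice"]})
    old_blob, old_wrap = obj.blob, obj.policy["alice"]       # copies that already left the origin
    obj.add_user("origin", keys["origin"], "bob", keys["bob"])
    bob_reads = obj.read("bob", keys["bob"])
    obj.remove_user("origin", keys["origin"], "alice", keys)
    # Alice's old wrapped Kd still opens the old ciphertext: removal is largely symbolic.
    return bob_reads, "alice" in obj.policy, unseal(unseal(keys["alice"], old_wrap), old_blob)
```

The last return value is the point of the section above: revoking a member protects only the re-encrypted copy, not copies that have already propagated.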
UI
In the UI, these sets are visible to the user, but can be built up from pre-existing "tags" - sets of keys organized by the user. All possible set operations with tags and other users should be possible when composing privacy policies.