How Developers Can Mitigate the Risks of User Data Being Exposed on Nostr
The bitcoin community has been taken by storm lately: Nostr is the hottest topic of the moment.
The strange acronym stands for "Notes and Other Stuff Transmitted by Relays". Imagine a non-P2P, highly scalable and experimental network that uses cryptographic key pairs.
We live in a world where trust in established social media companies is being challenged more than ever.
Nostr enthusiasts believe it is time to build a new kind of network from the ground up: one where users cannot be censored or shadow banned.
The protocol was created by Fiatjaf some time ago. On a podcast, he described it as a side project that he didn't have a lot of expectations for.
But things started to heat up in late 2022, when Twitter hinted that it would start censoring mentions of it, along with other competing networks (Mastodon, etc.).
And then Jack Dorsey donated 14 BTC (about $245,000 today) to fund the development of the protocol. This brought more resources and visibility to the project.
And as if that was not enough, Edward Snowden started using and promoting it this week.
As an enthusiast myself, I had every reason to be super excited. But if I am completely honest, some of my own excitement has turned to worry these past few days.
With all the hype, there has been an influx of new users joining the network using various clients. And many (if not most) of these people have a set of expectations developed from decades of regular social media use.
To make matters worse, some may be somewhat blinded by the excitement of experimenting with something new. Others may not even have the technical knowledge to understand the rules of this new territory.
What I mean is that for the past few decades, most people have been using social platforms with some basic security and privacy features built in. Two of them are missing (to some extent) in Nostr:
- Delete feature
- Automatic removal of metadata from uploaded photos
Delete feature
On Nostr, there is no guarantee that a note will be saved permanently (unless you run a relay yourself). There is also no guarantee that it will ever be deleted on request.
Once someone publishes something on Nostr, they have very little control over it.
This means that it is best to assume that whatever you share will be public forever.
It is not possible to delete a note at the protocol level. Instead, you can only mark a note as "deleted". How different relays and clients handle this information is up to them.
For example, clients may choose not to display notes marked as deleted, while relays may actually delete the note. However, it is not possible to ensure that all relays that receive a note will delete it.
Similar to a regular email message, once someone hits the send button, that's it, there's no going back.
Automatically removal of metadata from uploaded photos
The second point exacerbates the first.
EXIF data is automatically removed from photos uploaded to regular social media platforms. This is not the case with most Nostr clients (and image hosting setup), which are still in an experimental phase.
Yesterday I downloaded a photo that someone had posted on Nostr and used the pic2map website to find out where it was taken. It was all there, with the address and everything.
I find this very disturbing. The non-censorship aspect of this new network is especially important for dissidents and persecuted activists. Imagine what could happen if a persecuted person accidentally shared their location.
Finally, here are my recommendations for Nostr developers:
- Make sure you inform users about the basic differences between using regular social media and Nostr. A single message when the user has entered the private key may be enough: Don't share any personal information such as phone numbers, full name, address, as we can't guarantee that you will be able to delete a post in the future).
- Make sure that all metadata is removed from photos sent by users. If you can't do this, teach users how to do it themselves using free tools:
With great power comes great responsibility.
Yes, we are building the future. But let's not forget to make sure we protect people from the mistakes they might make along the way.
This blog post is about two issues that I consider low-hanging fruit: high impact, low cost to fix with good design.
For more in-depth information on this topic, I recommend the following two blog posts: