Give the possibility to opt-out the webtorrent #685

Open
Insoleet opened this Issue Jun 20, 2018 · 27 comments

Because of privacy reasons, some users could want not to share their public IP with the web torrent tracker.

I think we should give the option for the user to opt-out of the web-torrent video sharing. If the server is overloaded, the user could watch the video with less quality or fluidity than web-torrent users, but at least his IP would remain private.

therahedwig Jun 20, 2018

I agree with this.

I think that informing people that their ip address is visible is waking them up to the fact bittorrent does this. This might be annoying right now, but it cannot be helped, and in general giving people more information on the topic is generally a good thing. However, to make a non-commercial youtube alternative, peer-to-peer is probably the only viable way. Therefore perhaps embrace giving people the choice to do good by peering.

I think if people can choose to peer, a lot of them will feel empowered by the ability to do so, and I think that if channels can guide users through the weird YouTube subscription system, I don't think it will be hard for them to guide people to click the 'seed this video' button.

Similarly, even if bittorrent didn't have this showing-ip-problem, peertube channels would grow a need to encourage healthy seeding behaviour anyway, so I do not think that allowing opt-in/opt-out will have a huge negative effect in the long run.

RUSshy Jun 21, 2018

You own the platform, why should i need to protect my identity ?

If you can't do it while you own the platform, then your design sucks

Don't share my IP, end of the talk

Imagine if every website starts to use PeerTube, then everyone will be able to track me and my habits, and that just because your platform decides to share my identity with everyone else

On top of that i'm pretty sure this is not compatible with GDPR/RGPD

This should be opt-in with user agreement

thibaultamartin Jun 21, 2018

> If you can't do it while you own the platform, then your design sucks
> Don't share my IP, end of the talk

@RUSshy, let's not forget PeerTube is developed by a single person hired by a non-profit. This is not even the v1, still a beta. Constructive criticism would help a lot :)

> On top of that i'm pretty sure this is not compatible with GDPR/RGPD

I do believe it is GDPR compliant, as these data are needed by the service to run. I need to dig a bit before giving a strong position though. PeerTube disclosing explicitly that your IP is shared publicly goes in the right direction: not hiding "flaws" from the user.

A more privacy-enabled mode could be thought of with ideas such as:

  • Generate "noise" by being put in several trackers instead of only the one of the video you're watching (downsides: can be a strain on the server and the clients if the "not currently watched" videos need to be downloaded anyway; does not protect you from being tracked regarding which instance you are watching now)
  • A kind of "routing": user A routes packages from user B to user C, even if he does not watch the video user B has watched and user C is watching. (downside: does not protect you from being tracked regarding which instance you are watching now, except if there is federation between trackers too)

Chocobozzz Jun 21, 2018

Owner

> If you can't do it while you own the platform, then your design sucks

You broke my heart

> Imagine if every website starts to use PeerTube, then everyone will be able to track me and my habits, and that just because your platform decides to share my identity with everyone else

Just for information, on peertube embed the client contacts the tracker only when the user clicks on "play".

rigelk changed the title from "Give the possibilité to opt-out the webtorrent" to "Give the possibility to opt-out the webtorrent" Jun 21, 2018

paulcmal Jun 21, 2018

> Because of privacy reasons, some users could want not to share their public IP with the web torrent tracker.

This is definitely an issue, but not on the side of Peertube. Giving away your public IP to receive content is mostly the way TCP/IP and the web work. Which is why we share IP addresses (using VPNs) to make tracking harder on the ISP/server level. Tor is also really good at this, however doing P2P applications on Tor like Bittorrent/Webtorrent is a really bad idea, both for your privacy and the efficiency of the Tor network.

I understand your concerns in terms of privacy, but if many people opt out of Webtorrent, then we're back to a centralized content distribution scheme (that already exists) and the situation is the same as before Peertube was invented : only big players can distribute content, because it costs a shitton of money to build a reliable infrastructure to duplicate your content across and make it available in different areas of the world. There's also other concerns i have when it comes to direct centralized distribution of content, but i won't repeat myself :)

So, in terms of who has access to the information. With a centralized scheme, only the server knows what content you are watching (in theory). In our case, everybody can see who's connected to the tracker/DHT and who's trying to fetch what content. This is in a way "worse" than Youtube because only Google had access to the watching habits of the users. However, considering Google collaborates with political police and intelligence agencies throughout the world, making our viewing habits public will have no impact in terms of political repression.

The main difference with Youtube is potentially more advertisers and commercial-profiling companies may try to know what we're watching. I don't think it's a good thing, but if that's the price to pay for easy-to-host, cheap-to-distribute, uncensorable videos then i think it's a more-than-reasonable drawback.

Because the only real solution against these issues is burning down the State and the capitalist system to build a society based on autonomy and solidarity. To change everything, start anywhere (sorry no Peertube for sub.media yet :D). Attacking the monopoly on content distribution is already quite a task, and as @thibaultamartin pointed out there are strategies to develop to just confuse spies with noise on the network.

But if you're interested in viable, long-term solutions, I'd advise you to take a look at network-side projects like the FDN federation of local/neutral ISPs, the LEAP Encryption Access Project by Riseup to provide easy-to-setup and secure-by-default VPN/mail infrastructure… there's many other projects out there working on these issues.

Sorry that was a bit long. Should i just make a blog post next time? ^^"

rigelk Jun 21, 2018

Collaborator

> doing P2P applications on Tor like Bittorrent/Webtorrent is a really bad idea, both for your privacy and the efficiency of the Tor network.

@paulcmal I just would like to point out that the article you point to, to justify that Tor doesn't protect your privacy, only applies to UDP clients, and only a subset of clients, which have been patched anyway since then (2010). More on that here and the comment that follows.

@thibaultamartin @paulcmal adding noise to the swarm is:

  • not protecting you (the adversary can do the same thing to gain statistical advantage)
  • making the swarm less efficient (obviously noise is not helping, especially in case of escalation - see previous bullet point)

More on that here, where we also work to improve the tracker privacy-wise.

thibaultamartin Jun 21, 2018

@rigelk sure, we definitely agree on the noise not being a very efficient method (as mentioned in the downsides when discussing it. I would even add the strain put on the server is not sustainable).

What about the "routing" option? Does it actually make the swarm significantly less efficient?

Thanks for the issue you linked, very instructive

rigelk Jun 21, 2018

Collaborator

@thibaultamartin the "routing" option is basically what Tor does. So yes, this is an option. It's just as hard to implement as Tor. 😶

paulcmal Jun 21, 2018

> More on that here, where we also work to improve the tracker privacy-wise.

These tracker-side mitigations are necessary, but i think we can do the same client-side, too. I'm no expert, so please correct me if i'm wrong, but it should be possible for every client to register on the tracker & DHT for many different torrents it doesn't have, and simply not seeding them when asked to.

This kind of noise (getting registered on a tracker/DHT) shouldn't be resource-consuming for anyone. Am i wrong to assume this?

thibaultamartin Jun 21, 2018

@rigelk dang, true. This is leading to a dead-end, as using PeerTube over Tor is an infraction to the ToS if I'm right, and "reimplementing" the Tor logic would be both resource consuming (from a project point of view) and prone to be lagging behind the fixes the Tor team makes. I see no way out :/

@paulcmal Wouldn't that trigger the download of all videos at the same time?

rodneyrod Jun 22, 2018

@rigelk Have you looked at the possibility of doing this over I2P? They have an inbuilt I2PSnark (torrent) client with the most common routing software bundle and their 'garlic' routing implementation scales far better than Tor for P2P transfers.

Someone's also done a node.js implementation of the I2P router too, so this might go some of the way to allowing an I2P router to be embedded in a web page and not require the user to download, install and configure their own software.
https://github.com/redhog/node-i2p

eyedeekay Jun 22, 2018

@rodneyrod I'm actually looking into implementing a way of doing webtorrent over i2p using redhog's SAM implementation, it's just down the road for me because I've got other i2p-related stuff to worry about first. TL;DR, it's perfectly possible, Peertube probably isn't the place to do it though (webtorrent is). Unfortunately, it just requires work time I don't have at the moment. I may be able to start working on it in earnest in a month or two. node-i2p isn't actually a router implementation though, it's a library for communicating with the SAM (Simple Anonymous Messaging) API. It could allow a peertube instance running as an eepSite to create i2p destinations for clients to connect to through the i2p network without needing to use the same destination it presents the eepSite on.

rigelk Jun 22, 2018

Collaborator

@rodneyrod thanks for pointing me towards the 'garlic' routing. I didn't know about it. But as @eyedeekay explained, PeerTube isn't the place to implement i2p streaming. WebTorrent is. See webtorrent#465.

@thibaultamartin it wouldn't trigger the download of all videos. Being part of a swarm isn't enough to change the state of your client.

@paulcmal It will certainly not hold long against adversaries checking if you have the file. And it's not like checking if you have the file is a costly operation (it's more of a technical operation), so I wouldn't decrease the efficiency of the swarm just to have a weak protection. @Chocobozzz do you have any take on this?

Chocobozzz Jun 22, 2018

Owner

I think it should work, but it would slow down swarms since other peers will try to find chunks you don't have. But yes, it's one of the possible mitigations
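
The trade-off discussed in the comments above, as an added example that is not part of the original thread and is not PeerTube or WebTorrent code: a toy in-memory tracker model showing that an opted-out viewer never appears in the swarm, that decoy announces are filtered out by a piece check, and that each decoy adds a listed peer that cannot serve pieces. All class names, function names, video identifiers and IP addresses are constructed for illustration.

```javascript
// Toy in-memory model, constructed for illustration: no networking, and the
// class and function names are hypothetical, not WebTorrent or PeerTube APIs.
class Tracker {
  constructor() {
    this.swarms = new Map(); // infoHash -> Set of announcing IPs
  }
  announce(infoHash, ip) {
    if (!this.swarms.has(infoHash)) this.swarms.set(infoHash, new Set());
    this.swarms.get(infoHash).add(ip);
  }
  // Anyone who asks the tracker for peers of a video gets this list.
  peers(infoHash) {
    return [...(this.swarms.get(infoHash) || [])];
  }
}

class Viewer {
  constructor(ip, { p2p = true, decoys = [] } = {}) {
    this.ip = ip;
    this.p2p = p2p;        // false = user opted out of WebTorrent
    this.decoys = decoys;  // swarms joined only as "noise"
    this.held = new Set(); // videos this client really holds pieces of
  }
  watch(tracker, infoHash) {
    this.held.add(infoHash);
    // Assumed opt-out behaviour: the video comes from the server, no announce.
    if (!this.p2p) return 'http-only';
    tracker.announce(infoHash, this.ip);
    for (const d of this.decoys) tracker.announce(d, this.ip);
    return 'p2p';
  }
  // Peers tell each other which pieces they hold during normal piece exchange.
  holds(infoHash) {
    return this.held.has(infoHash);
  }
}

// Swarms an IP is listed in, judged from tracker membership alone.
function listedSwarms(tracker, ip) {
  return [...tracker.swarms.keys()]
    .filter((h) => tracker.swarms.get(h).has(ip))
    .sort();
}

// Swarms left once listings with no pieces behind them are discarded.
function confirmedSwarms(tracker, viewersByIp, ip) {
  return listedSwarms(tracker, ip).filter((h) => viewersByIp.get(ip).holds(h));
}

// Share of a swarm's listed peers that cannot serve a single piece.
function fakePeerRatio(tracker, viewersByIp, infoHash) {
  const peers = tracker.peers(infoHash);
  if (peers.length === 0) return 0;
  const fake = peers.filter((ip) => !viewersByIp.get(ip).holds(infoHash)).length;
  return fake / peers.length;
}

function runScenario() {
  const tracker = new Tracker();
  const viewers = [
    new Viewer('192.0.2.10'),                                     // default P2P
    new Viewer('192.0.2.20', { decoys: ['video-B', 'video-C'] }), // adds noise
    new Viewer('192.0.2.30', { p2p: false }),                     // opted out
    new Viewer('192.0.2.40'),                                     // watches video-B
  ];
  const viewersByIp = new Map(viewers.map((v) => [v.ip, v]));
  const modes = viewers.slice(0, 3).map((v) => v.watch(tracker, 'video-A'));
  viewers[3].watch(tracker, 'video-B');
  return {
    modes,
    swarmA: tracker.peers('video-A'),
    listed: listedSwarms(tracker, '192.0.2.20'),
    confirmed: confirmedSwarms(tracker, viewersByIp, '192.0.2.20'),
    fakeRatioB: fakePeerRatio(tracker, viewersByIp, 'video-B'),
    fakeRatioC: fakePeerRatio(tracker, viewersByIp, 'video-C'),
  };
}

console.log(runScenario());
```

The opted-out viewer is the only one whose address stays off the tracker; the decoy viewer is still confirmed on video-A and makes up half of video-B's listed peers and all of video-C's.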

rigelk Jun 22, 2018

Collaborator

@Chocobozzz my concern was that it would also clash with webtorrent/bittorrent-tracker#280, and could more easily get only fake peers.

rodneyrod Jun 22, 2018

@eyedeekay That's amazing news, if there's anything that I, a non-coder, could help with (well, money) I'd be happy to do what I can to advance this.

Gonna be next to impossible to get sites to adopt a new webtorrent standard if the old standard can't be easily adapted or if it takes too long for this to come out. Wish you all the best.

thibaultamartin Jun 22, 2018

@rodneyrod There is a crowdfunding campaign running at the moment if you want to help PeerTube with money.

rodneyrod Jun 22, 2018

@thibaultamartin Thanks for the link. I'll definitely consider it, but my primary interest is to see this I2P and webtorrent project gain critical momentum. The public IP issue of Peertube is one I think a lot of people haven't really thought of yet and it's key to get these projects started while there's momentum, as there is right now.

thibaultamartin Jun 22, 2018

Ah, my bad @rodneyrod I read your answer out of the context of @rigelk's answer.

I'm not much experienced in the domain of funding, but wouldn't a project such as PeerTube which triggered the general public's attention shed more light on webtorrent? This is an actual question, I'm not related to PeerTube nor trying to get you to contribute money to the crowdfunding campaign

eyedeekay Jun 22, 2018

@rodneyrod Honestly I'd just donate to peertube at this point. There are quite a few things that need to come into place before webtorrent-over-i2p becomes practically feasible, as far as I can tell. One of the Browser Bundle projects should reach reasonably re-distributable state, for instance. There are some others, mostly smaller and more manageable ones, but the browser thing is what's dominating my time right now. I do have a monero wallet that I'm not shy about putting on my more interesting i2p-related projects, if that's something you want to do I'm sure you can find one you'd like to support on my profile. But it's not necessary. I want it just as bad as anybody, if I can do it I'm going to anyway.

As for adoption, I'm pretty sure if I understand things correctly and my experiments with webtorrent on my LAN are an indication, I should be able to do it in such a way that most clients won't need to alter how they use webtorrent. Can't say for sure yet, but at least that part looks promising.

rriemann Jul 2, 2018

I think that peertube can have a privacy advantage over Youtube, because there is no central database with an accumulated viewing history of many internet users, but instead a distributed one. Ideally one uses something like Kademlia DHT to distribute among peers, but also distributing among peertube instances can be already an advantage.

However, when I connect to a peertube instance for the first time, then I can expect that my personal data (IP address) is not without any further consent distributed to third parties (other users). All peertube instances should obtain individually consent. I do not see which agreement would allow instance operators to share consent.

Hence, opt-in is very important here! If you are not sure about it, please write a question to any one in this list: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm

Given the number of requests they receive, you may better send a question earlier than later.

I agree that individual p2p users are not third-parties in the traditional sense and may impose less risks for data subjects. It would be interesting if for this reason the data protection authorities allow for exceptions to opt-in.

Feel free to add your questions to http://area51.stackexchange.com/proposals/118864/data-protection . There is indeed little information available on GDPR compliance of p2p systems.

thibaultamartin Jul 2, 2018

I think that peertube can have a privacy advantage over Youtube, because there is no central database with an accumulated viewing history of many internet users, but instead a distributed one.

It all depends on your threat model. If you fear Google will be watching all instances to have an idea about the videos you're looking at, then this may not be a threat at the moment. Still, if Google decides to do so, they have everything needed to do it (a crawler to discover instances, all the technical stack, hardware, and manpower).

If there is a well-known PeerTube instance broadcasting Pink Pony's Magical Adventures, and a teen watches it, other teens may try to retrieve his IP from the tracker. This means getting the proof he's watching Pink Pony's Magical Adventures, and more easily bullying him. This is a silly situation here, but we can think of more critical situations, such as instances well-known for their videos against a government, and the government in question could know who's watching those videos and sentence the dissidents to death.

However, when I connect to a peertube instance for the first time, then I can expect that my personal data (IP address) is not distributed to third parties (other users) without any further consent. All peertube instances should obtain consent individually.

@rigelk does PeerTube already handle connecting users from instance B with users from instance A so they share a video hosted on instance A?

GDPR

Hm, those are interesting points. This is a bit complicated, because the javascript is a client, automatically executed by your browser when sent from the server. I think PeerTube is a case study for the GDPR compliance!

rigelk Jul 2, 2018

Collaborator

@thibaultamartin users from instance B will get the video object from instance A. That means the WebSeed is on instance A, and the user swarm too. So yes, in a sense they are "connected", they are part of the same swarm.

rriemann Jul 2, 2018

This means getting the proof he's watching Pink Pony's Magical Adventures, and more easily bully him.

This is not as easy to realise with classical bittorrent and Kademlia DHT if many people watch the video (it is trivial if only the targeted suspect watches the video). Why?

  • IP addresses are only a pseudonym (still personal data under GDPR according to the Working Party 29 group uniting European Data Protection Authorities) that allows only authorities and infrastructure providers to learn about the identity, but not a regular Internet user.
  • All peers learn only a subset of all seeds. As far as I know, they cannot control which subset. (Please tell me if I'm wrong.)

Hm, those are interesting points. This is a bit complicated, because the javascript is a client, automatically executed by your browser when sent from the server.

The browser can execute scripts automatically. The browser just shall not share personal data such as IP addresses without prior consent.

beatgammit Jul 4, 2018

@rriemann

It seems like you're assuming people will use a web browser to collect this data. I can make a client that I completely control that gets this same data without having to go through a web browser. Here's the attack:

  1. connect to popular channel(s)
  2. get all relevant trackers and advertise that we can seed it
  3. collect all IP addresses requesting parts of target files

Boom, now I have a list of IP addresses for content I'm interested in. I then have to figure out who the IPs belong to, but that's not too terribly hard.

The GDPR and the browser can't help here.

Sure, I only get a subset of seeds, but I can set up lots of "seeding" clients to increase my chances of finding my target. This is something that larger organizations and botnets will have access to, but may be less practical for smaller attacks.

Then there's also the attack by sniffing data, which is a separate concern entirely. However, I think encrypting headers can work without being too CPU intensive. However, this doesn't solve the problem of untrusted peers.

I think it could be interesting to allow clients to force traffic through a set of trusted peers, so someone could set up a network of high bandwidth, trusted peers that handle all the data. This, coupled with encryption, could solve the privacy concerns for those who need moderate privacy.

paulcmal Jul 4, 2018

I think it could be interesting to allow clients to force traffic through a set of trusted peers, so someone could set up a network of high bandwidth, trusted peers that handle all the data. This, coupled with encryption, could solve the privacy concerns for those who need moderate privacy.

Aren't you trying to reinvent Retroshare or Tribler? The first one is a friend-to-friend and/or peer-to-peer file-sharing network, the second is an onion-routed torrent network (not using the Tor infra). Both are reliable solutions but are not so user-friendly.

I think there could be a lot of value in trying to cooperate with these privacy-first solutions so they may access Peertube content in a privacy-friendly way, rather than trying to reinvent the wheel hoping that Peertube may respect people's privacy at some point (which is rather hard given neither the web nor bittorrent were designed with privacy in mind).

rriemann Jul 4, 2018

@beatgammit,

I agree one can do that. Hence, it is important that whenever a user who does not understand the concepts of P2P connects to a P2P network, that user gives prior consent that their IP (and potentially her or his name) is shared with potentially many people.

The GDPR does not prevent the sharing of one's own personal data, but provides rules on how others (including software provided by third parties) process personal data on behalf of the data subject.
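
An added sketch of the opt-in discussed in this thread (not PeerTube's own code): it keys consent to the host running the swarm's tracker, since viewers arriving from instance B still join the swarm on instance A, and it defaults to the HTTP web seed. The function names, the consent-store shape, the retention period and the sample magnet URI are assumptions made for this example.

```javascript
// Added example, not PeerTube code. All names here are hypothetical.
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000; // constructed retention period

// Constructed magnet URI for a video hosted on instance A (a.example).
const SAMPLE_MAGNET =
  'magnet:?xt=urn:btih:0000000000000000000000000000000000000000' +
  '&tr=wss%3A%2F%2Fa.example%2Ftracker%2Fsocket' +
  '&ws=https%3A%2F%2Fa.example%2Fstatic%2Fwebseed%2Fvideo-720.mp4';

// Return every decoded value of one magnet parameter ("tr", "ws", ...).
function magnetParams(magnetUri, key) {
  const query = magnetUri.slice(magnetUri.indexOf('?') + 1);
  return new URLSearchParams(query).getAll(key);
}

// Hosts that would learn the viewer's IP: every tracker ("tr") in the magnet.
// Throws on an unparsable tracker URL so the caller can fail closed.
function trackerHosts(magnetUri) {
  return [...new Set(magnetParams(magnetUri, 'tr').map((t) => new URL(t).host))];
}

// consentStore: Map<host, { grantedAt: epoch ms }>, filled only by an explicit
// user action. Default is HTTP-only: the viewer's IP is never announced to the swarm.
function chooseTransport(magnetUri, consentStore, now = Date.now()) {
  const httpUrl = magnetParams(magnetUri, 'ws')[0] || null;
  let hosts;
  try {
    hosts = trackerHosts(magnetUri);
  } catch (err) {
    return { mode: 'http', askConsentFor: [], httpUrl }; // fail closed
  }
  // Consent is checked per tracker host, and stale grants count as missing.
  const missing = hosts.filter((host) => {
    const record = consentStore.get(host);
    return !record || now - record.grantedAt > CONSENT_TTL_MS;
  });
  if (hosts.length > 0 && missing.length === 0) {
    return { mode: 'p2p', askConsentFor: [], httpUrl };
  }
  return { mode: 'http', askConsentFor: missing, httpUrl };
}
```

Consent granted while browsing one instance does not carry over to a swarm hosted on another, so `askConsentFor` names the host the player would have to ask about before joining.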
