But, worse, it makes it sound like it's only something you should use if you don't trust the other person.
Instead, they should market it as "2fa for sex tapes" rather than a trust issue by itself and point to things like "the fappening" icloud social engineering hack.
I can't imagine many people using this otherwise.
Also, don't forget that your target audience is mostly women who bear the majority of the shaming for a leaked video instead of high-fives. "Don't be the next Jennifer Lawrence" is going to be more effective marketing.
An alternative: "The safest way to share your most intimate moments." It takes what is a deeply troubling problem (revenge porn) — and turns it into an opportunity for deeper intimacy with your partner. Then hit em with value props:
* Protect your intimate videos from hackers — the videos can only be accessed on specific devices.
* Get control over your image. Share your videos as few or as many times as you'd like, and simply delete your video from your Rumuki app to remove access immediately, forever.
* Make security the default. Sent videos can be seen once. Unless you say so, no hacker, ex, or snoop can open it again.
"Prenups" are about when couples disagree. Rumuki, by contrast, is for couples that do agree. The video can only be unlocked when both of a couple agree to unlock it.
I understand I'm spinning a bit here but I think it's good spin. It's encryption for couples!
Nobody enters prenuptial agreements for various difficult reasons, not because they don't hear it in rap music.
There are many, many reasons why viewing private videos that require two people to approve is useful. Even during legal negotiations or confidential meetings. Two lawyers could hold the keys for example.
And for those in USofA this could be very helpful for protecting data when asked for passwords by CBP because they wont be able to authorise from the other device!
Going to deeply consider the angle moving forward :)
If this was my app, I probably will stress that it is against friends and families that may mess with your phone. I would skip the overly complicated technical explanation and the jargon and just say that it needs the other phone to play the video, so you don't have to worry about your SO cheeky friends.
The marketing feels like it is targeting men rather than women. I suspect women would be the group who would benefit the most from this app.
People don't care that much about how things are encrypted or about complex security mechanisms, they want something that is easy to use. Snapshat is easy to use for example. Everyone knows that a snap can be saved like everybody knows that I can film a phone playing a video. Given that the practical security of both apps are the same, people will go for ease of use and Snapshat wins there.
However, I think there might be a market for this with casual hookups. In these situations, you may want to let someone access private videos/pictures, but don't trust them enough to just send it, especially if your face is included. Receivers might also be more inclined to pay. Additionally, while I think it would be acceptable in this situation to ask someone to install an app, the makers of this have to take extra care to ensure that this looks serious and doesn't come off as a scam.
Maybe it's possible to make things somewhat harder.
Maybe the front camera can detect that and make it harder to do, or just covertly capture that and enable some legal process. Or encode a code of the user's phone for that purpose.
Also i remember certain format for images encoded in a certain format that when you try to capture them, you get only part of the pixels and lots of noise. Maybe something like this noise injection could be added to videos ?
- I think I would sell this as a private camera app ("protect you and your partner from prying eyes"), rather than by emphasizing the two-party crypto angle ("protect you from your partner"). Like, make the front-line features be: "it's a camera where each photo album is protected by a secret PIN, and if someone takes your phone but doesn't know the PIN, they can't tell the album exists! Oh, and if you want to you can share the album with someone else who has the app, but you can always delete something from the album and it'll be deleted from the shared version as well."
This way you're selling it as something that's better than the built in camera app, with some bonus safer-sharing features that will just happen to reduce privacy violations in practice, instead of emphasizing the distrust-of-your-partner-solved-by-easily-hacked-crypto thing. When someone asks their partner to install, it's not "because I don't trust you" but "because it's more private for us."
- As a lawyer, I think the legal-prenup-built-into-app approach would be pretty interesting. For example, right now the way US law works, it's much, much easier to get revenge porn taken down if you happen to have been the one holding the camera, than if it was your partner holding the camera. If you were holding the camera you own the copyright, and we have robust legal-technical tools for copyright takedowns, whereas we only have patchy state-based laws around invasion of privacy.
So could we have camera apps that actually reallocate the rights between the photographer and subject? Like imagine a shutter button with a bunch of fine print like, "by pressing this button I express an intent to share authorship of the resulting work with all human subjects portrayed, and agree that consent of all authors must be obtained to authorize any copy."
I'm not an expert and not sure what would be possible, but it would be interesting to talk to legal advocates in the revenge porn area and ask what legal agreements people could have entered beforehand that would have best protected them, and see if any of them could cleanly be engineered into the UX of a private camera app -- or even into Snapchat et al.
I expressed an upfront concern about reverse engineering in another comment directly to the OP (no DRM is foolproof, etc). After skimming through the whitepaper I'd like ask you a few implementation questions about the feasibility of client trust:
• Can you tell me how the device token/keys are stored locally and accessed by the application? I understand the crypto itself (e.g. libsodium), but I'd like to know how you're protecting data on the client insofar as you can.
• Can you tell me what your methodology is for determining if an application has been manipulated or altered?
• How are you specifically obfuscating sensitive data or otherwise making the DRM bypass difficult (e.g. obfuscating data in .so files, etc).
I'm not trying to grief you here, I just want to talk about technical protection mechanisms in place. To your credit, you explicitly admitted that DRM is fundamentally not a foolproof guarantee (though that's different from saying it's not effective...). I think your app would mitigate most scenarios where an ex would try and expose the other party.
1. Uses Realm for storage, encrypted with their encryption api using a random key generated on first boot stored in iOS keychain.
2 & 3. It has some rudimentary jailbreak detection but obfuscation is still in the pipeline.
(Getting late here in Tokyo so may be until tomorrow before I answer follow up questions)
The concerns I'd have with this myself would be that I'd have to trust the website. As it is I trust my spouse a lot more than some cloud service and I don't expect that to change.
With this app, you don't might assume you're less vulnerable than you really are.
Hope you found a better job and colleagues after that.
So basically, you bet that people would overcome millions of years of human psychology?
While I agree with you it would be nice if that happened (really nice!), i wouldn't expect that to happen for a long long time.
You expected them to compliment you. It means you are proud of what you did. But if you really are proud of what you did you wouldn't care about their opinion in the first place.
So either you are somewhat ashamed of what you did and regret that it became public or wanted to brag with it but are now angry that you colleges made fun of you instead.
When you let it be recorded and the recording be possessed by someone else, it's practically public, as you can't control what'll happen in future and there will always be mean people that'll try to bully you for that sort of thing. I'm sad that it's caused you harm, but I guess in such situations showing confidence might work.
I think the comparison to Snapchat is more relevant: Snapchat is expected to provide only temporary access, but cannot guarantee that. This did not impede snapchat's growth, and might not really be an issue for rumuki; however, the use context is different so the comparison is not very informative.
> How do I know my partner won't abuse my trust?
> You can't. However with Rumuki you have the discretion to only grant playbacks when you can keep an eye on them. You also have the option to revoke all playback grants and delete the recording if trust is ever lost.
If you do trust the other party, I don't see how this app adds anything but complications. Don't get me wrong, I guess there are some practical applications for the underlying technology and from the looks of it, this seems pretty well engineered and designed. The advertised use case just does not make any sense to me at all.
But indeed for now, that analog hole can still be... penetrated. ;-)
Isn't that exactly what Rumuki is trying to solve? If there's enough trust in the relationship in question, the people involved should just solve this with the conversation: "hey, did you delete that video after watching it like we agreed?" / "yep, you?" / "yep".
And I KNOW complaining about downvotes is like the HN kiss of death, but whoever hit that down arrow because they disapprove of my (hypothetical) conduct should really rethink their use of HN votes.
Well... The viewer needs to request permission from the partner, and may want to bypass that. Furthermore, a given video may have more than two partecipants, and the app seems to be limited to pairs of people. In such situations the video will need to be shared with those people too.
The most secure option is to have one encrypted copy of the file and only that, and decrypt only when viewing it, and only temporarily. Even then it's possible to make recordings of the content as tiny hideable cameras are sold everywhere. I'm not dismissing the work done, but if someone is as careful about security to use such an app, they can also do the best thing and not record at all.
Similarly, this app reduces the chances that one of the parties will be victimized by their ex. That's still useful, even though imperfect.
"They are encrypted and saved on your devices. Recordings are never sent across the internet and never touch our servers. "
" it is impossible for third party attackers to gain access to your videos without local access to the network your devices are on (that includes us!)"
This claim is made by every developer of security/privacy apps when content stays on the device. It's actually false. They could embed a backdoor in the current or a future release that shares the files. Already requires networking permission when managing videos. Actually, a service like this getting extremely popular could lead to one of the largest leaks of nude pics in history. One person hacking the box containing the source/credentials, getting on the development team, or being the original author w/ trolling intent could subvert it into a giant store of pics/video. Get it to send the data back when on WiFi to avoid high, data bills. Thumbnails of videos sent first to filter out uninteresting parties.
I'm not accusing the author of this at all. I'm just assessing security risk from side I'm good at: subversion. The subversion risk here is spectacularly above average as a network effects developing around this app lead to many eggs in one basket that's probably easy to grab. Or was until the author read my comment and beefed up security in a panic. ;)
The lack of threesome (and beyond) support shows somewhat of a lack of vision.
in my opinion this is one way to do it but prevents me from having a kind of "library" with videos to share with my partner.
how about a shared library that is watchable until access is revoked by one party?
there's also the question about sharing videos with a person that's not present (i.e. long distance relationship).
(Edit: Not a new idea, certainly, but well executed so far.)
I can't speak to other countries specifics, but in the US the most effective avenue currently appears to be copyright claims. That's a civil proceeding, so the jilted ex is only on the hook for financial penalties.
I think you mean that this is too obvious an idea to NOT have been patented.
The problem with these kinds of videos isn't trusting the other party in the present, but in the future.
What stops one from doing a screencast of the video, and then publishing it months later when you break up?
The image of the two phones on top of each other is illustrative and just a little bit suggestive, which is clever and tasteful IMO.
Not sure how best to market it. Maybe "keep access within a couple" -- emphasize protection from outsiders, people who gain access to one of the couple's devices temporarily, etc.
Then, as an aside, make it so either party can irrevocably end access at any time.
Don't mention "break up" so prominently. "Pre-nup" has lots of bad connotations.
Would be cool if you could cover some other files, too (text, etc.). A way for people to collaborate on something and then delete drafts. Video and pictures are obviously a lot of it, though.
By default, a message could disappear shortly after playback ended a la Snapchat.
But you could store the encrypted version and bring if back anytime with consent of both parties.
Then come home and use my iPad to record playback. Perfect plan! Win-Win!
In practice, however, any system like this, Snapchat, etc is easily defeated with a USB cable and QuickTime's record device screen feature. I suppose it could be useful to others depending on your "threat model", but generally it offers no protection from a savvy computer user after you've unlocked it once.
Edit: Not sure why the downvotes. This is completely correct and you can test it yourself with any iOS app. I've added more explanation to clarify.
I can't imagine two horny teens like:
M: Show me something hot baby
F: Sure! But please install that app to take all the nececary security precautions before we proceed with our sexting...
This will gain traction among camgirls and other people that produce private porn (I just invented that term because I don't know how one would call porn distributed on an individual basis).
So thats like, pervware?
You make it sound like it is a good thing. In fact, security is lower than when there is no app and no video is made. And the video is not secure because it can still be copied.
I agree with the other comments that this should be marketed as 2FA instead.
The best marketing angle would be to get a high profile celeb to get behind it, maybe one that has had a sex tape leak.
Honestly, even then, I don't know how much they would use it.
It sounds sexist, but women (on a large scale) just aren't into this type of security thing.
Women would rely on the relationship and the trust built up into it to make sure their sex tapes don't leak.
Honestly, I really like this type of thing for sensitive business stuff or other security oriented material.
You make the boss/owner/manager the guy with one key and then he can sort of decide who has the other key on a need to know basis.
I really like the idea, but the application use is just off in my opinion.
Are you kidding me? How will you get funded?
And yet, this solution still provides a dramatic increase in security for its users. Normally, files "exist by default", and will continue to do so forever. You have to take deliberate action to delete them. But here, files are effectively "destroyed by default", and can only be accessed via:
1. Consent of both parties.
2. One of the parties going out of their way to make a deliberate copy within a 7-day window, when (you hope) they're still well-disposed towards the other person.
A security solution does not need to be perfect.
Similar issues arise with systems like Hashicorp's Vault, which generates time-limited, revokable credentials for programs. Obviously, a compromised server could abuse a time-limited AWS credential. But that's still a much better situation than handling out AWS credentials with unlimited lifetimes, because they'll inevitably wind up in all sorts of strange places.
Expiration is not a solution to all your security problems. But it's much better than no expiration.
more importantly: they can't do that after the consent ended. so if the malicious partner starts to do this while the relationship is still intact, you're partially fucked.
if you decide to break up they can't record the video afterwards for revenge or blackmailing purposes.
(No, wait, they do!)
Your answer demonstrates that you've thought about this problem, not that you've solved it. I like the idea of this app, but I would argue that the core promise of your app is technically infeasible.
EDIT: I clicked through to read your whitepaper and see that you've explicitly called this concern out and admitted the DRM scheme cannot be foolproof. That's admirable, and I'm glad you did address it. I would gently suggest you place that disclaimer somewhere in your FAQ as well.
There is, of course, no technological way to prevent someone from capturing a video through the analogue hole (i.e., pointing a camera to the video as it is played), even if we assume that is possible that a consumer device can be controlled to such an extent that its owner can't find a way to capture the video output digitally.
In my opinion this is fair, because the vast majority of bitter/petty ex's are not going to know how to, or bother with, reverse engineering an app to spite their significant other. They'd also have to do it when they're granted access to the app, which implies a certain forethought.
If your ex is making secret copies of sex tapes while you are still in a relationship with him, I think you have bigger things to worry about than revenge porn.
Best bet is avoiding sextapes.
However, I bet you do remember it better than it was. So keep your memories. They're much better for this than a video record.
If you don't understand someone's sexual preference, the correct response is no response. You're not obligated to comment on everything.
The app does not protect from malicious partners, it just makes sure videos are still secure if one of the phones is stolen or lost. I even think there should be a feature to backup your key to your computer or your other phone.
And again, it is a client app, assume it would be modified by a malicious party.
Just admit the problem is not possible to solve.
For example, sending a message between party A and party B so no party C can read it is possible, given that party A and party B have some way to pre-share key. Sending a message from party A to party B in a way that party B knows it is from party A but is unable to prove it to any third-party is, again, possible under some reasonable conditions, see OTR/Axolotl. Sending a message from party A to party B in a way party B can read the message but can't resend it is impossible under any conditions.
In most cases DRM-like functionality is a bullshit. Secret sharing is known to protect against outsiders only. You can use it to split backups so they are harder to steal . The scheme will never work for cases when malicious party has the whole secret at some point in time.
sex tapes can be fun but are something very private, potentially damaging and a liability in case the relationship ends on bad terms (which can happen under the best circumstances).
so without (even flawed) protection like this you've got two options:
a) don't do sex tapes, which is not a good option in case you want to make sex tapes.
b) try not to let a leak affect you, which is not a good option because you're only human and part of a larger society where sex tapes aren't universally accepted (maybe with the exception of porn actors).
using this you have at least another level control/protection that might defer all but the most technologically versed (or at least prevent super high-quality leaks).