Video Summary and Transcription
Building JavaScript Apps and Privacy: Understanding the importance of privacy in software development and the impact it can have on the world. Privacy concerns extend beyond targeted advertising and include data leaks and breaches. The connection of multiple pieces of data by data brokers poses a threat to privacy. The local first approach allows for data storage on local devices while still using a server for synchronization. Implementing local first requires a good database and APIs for data storage. Principles like end-to-end encryption and password protection bring benefits but also present challenges. Moving to privacy-focused analytics, using passkeys for encryption, and secure data sharing are ways to protect user privacy.
1. Building JavaScript Apps and Privacy
Let's find out what it takes to build a JavaScript application with React and why we should care about improving user privacy. Open source was created in the 80s to enable users to control and change how their devices work. Cryptography and hacking ethics also have political implications. As software developers, we have always been driven by principles, not just salaries. Developing software can have a significant impact on the world, and principles matter more than materialistic questions.
And now, let's find out what it takes to build a JavaScript application with React. Hi, everyone. My name is Andrey Sitnik, and today I will talk about why and how we, as developers, can improve users' privacy.
And I know what some of you think: come on, nobody has to worry about privacy. We should keep code out of politics. So, let's talk about this topic. Who uses open source? Do you know that open source was created in the 80s not to have free libraries to use without payment, but to be able to control everything which runs on your device and to be able to change how it works? So, it was not about free beer. It was about really owning your device, being an owner rather than a user. And that is pretty political to me.
Another example: cryptography. Right now, everything has HTTPS at the beginning, and this S means secure, encrypted. And the whole philosophy behind this encryption was created in the 90s by the idea that protocols and software which are not available on the market right now will change the world we will live in in the future. And those people definitely changed the world we live in today. Or hacking ethics. It contains a very interesting rule: mistrust authority. And to me, that's pretty political. So, software development was always about principles, always about principles. And salaries, Silicon Valley, et cetera, are new things to think about. Because until just recently, the whole society saw us as fighters against the system rather than, you know, people who are helping the system for high salaries in Silicon Valley. Okay. But why should I care about politics? First, because today you can develop software which controls the screen, and the software will control you. Software really changes the world we will live in in the future. Second, because materialist questions cannot answer the most important question: why? There is no salary which will be able to fill the hole in your soul. But principles can.
2. Privacy Matters
Privacy is important, and there are reasons to care about it. People often dismiss privacy as only being about targeted advertising, but it goes beyond that. Data brokers collect data from various applications and sell it to shady clients. Data leaks and breaches are also common, and even if your company doesn't work with data brokers, your data can still be exposed. A real-life example involves a food delivery service losing a year's worth of data, including personal information. While some may argue that storing only emails is not a big deal, privacy should still be a concern.
But there are many revolutions. I can't say that only privacy is important. So, privacy does not mean that you should care about everything. It's okay to have sympathy for everything. But, you know, pick two or three that are special for you.
There are no reasons with which I can explain why privacy is better. But I can explain my reasons. So, a lot of people think privacy is not important because privacy is just about better advertisement. You know, Google just wants to show me better ads. A data broker is a company which buys data from many, many different applications, combines it and sells it to very shady clients. Four years ago, journalists found a very creepy case when a data broker called X-Mode collected data from a Quran app, a Muslim dating app, Craigslist, many apps, and sold it to a U.S. military contractor. It's creepy and shady, to be honest. Okay. But we don't work with data brokers. Why should I care if my company doesn't work with them? You know, if you don't sell the data, it doesn't mean the data will not be available to everyone.
There are such things called data leaks or data breaches. It's when hackers take the data from your servers and sell it. There is a way, and right now there are more and more of them. And if you save any data to your server, at some moment it will be leaked, in my opinion. There is a very interesting example. A few years ago, Yandex Food Delivery, like a Russian Uber Eats, lost the data for a whole year of deliveries. A whole year of all deliveries, containing data with your first and last name, delivery address, delivery time and phone. And people even created a very nice map application where you can easily Google and find some person in this data. Imagine what your relatives could find in this data. For instance, what if you told your grandma that you will not eat her pie because you are not hungry? But then she will go and find that just 30 minutes later you ordered some Chinese food. Okay. But in my application, we don't have really private data. You know, we just store emails. So it's not a big deal.
3. Privacy and Data Brokers
The main problem with privacy is big data and the connection of multiple pieces of data by data brokers. Google Analytics, used by many websites, can track users' activities not only on the website but also on the entire internet. This poses a threat to privacy, even if some individuals claim to have nothing to hide. Real-life cases have demonstrated how personal data can be misused, leading to severe consequences such as imprisonment and violation of human rights. It is crucial to be aware of the risks and take measures to protect privacy.
It's not true as well. The main problem here is big data. Data brokers connect multiple small pieces of data which are not really private to make a path which is really private. For instance, somebody uses one app but doesn't put a name, email, anything. The app only knows the location to show directions. But then there is another app which the same user uses, which knows the location as well. And data brokers can connect these locations and find that this email is the email of that app's user. And then it's very easy to use some leak and find the real name behind this email. So it's very easy to connect the fact that a user is Muslim with a real name.
There is a very critical case which really bothers me. Who uses Google Analytics on their website? We sometimes do as well. The main problem here is that half of all websites have Google Analytics. And it means not that Google Analytics knows what users do on your website. The main problem is that Google Analytics knows what every one of us does on the whole Internet. They know half of the paths, even more, because they can track the clicks and can track the traffic. So they know the next path and the previous path. So Google right now really sees every place you go on the Internet. The whole track, every day.
But, you know, I have nothing to hide, so I have nothing to fear. Unfortunately, maybe you. Yes, but there are people who have something to hide. For instance, Twitter collects a lot of personal data, and in one exploit, sells the data to the Saudi Arabia government, and the government uses the data to de-anonymize Twitter users and put this woman in jail for 34 years and an old teacher on death sentence. If Twitter was not collecting this data, they would be free, because there was nothing to leak. And if not, you know, the Saudi Arabia case: in Israel, there is a company which sells face recognition software to Russia, and then this software is used to find and put in jail people who are protesting against the war. Some developers don't have principles at all. And it's not only, you know, for Russia, for Saudi. Even in Europe, Spain this year forced ProtonMail to give them data, and by this data the person is in jail. And these are people who helped in a demonstration for Catalan independence.
4. Data Collection and Privacy
The first step to improve the internet experience is to remove GDPR pop-ups, which are a result of the excessive collection of data. Instead, a privacy policy that does not require user agreement can be used. Analytics without pop-ups can still track traffic, events, and campaigns. However, it is important to prioritize rational data collection rather than an irrational obsession.
And it's not terrorism. This was just a peaceful demonstration, and right now the person is in jail because ProtonMail kept some data.
Okay. What can we do? Who thinks that right now, with all these pop-ups, the internet is an awful place? With the GDPR pop-ups. It was a conference, yes? It's not that the internet became an awful place. It's that we made the internet an awful place. So the first step you can do is remove the GDPR pop-up. "I need it for the law. Brussels forced me to do it." But in reality, there is no "pop-up" word in the GDPR law text. Why do we have pop-ups? Because we have a lot of data. And GDPR tells us to stop tracking users, but we can't stop tracking them. So this is why we punish the user, make it hard for them, so that, to stop this pain, the user will agree to tracking. This is the idea behind any GDPR pop-up. Because this is a dark design pattern.
There is a privacy policy. This is a privacy policy which doesn't need the user to agree with your privacy policy. Then, by using this analytics, you don't need to use a pop-up. And when the user does some steps, for instance sign-in, at that moment you show this very small checkbox to agree or disagree with your privacy policy. So this is a much better way. And analytics without pop-ups can track, for instance, traffic. They can track traffic, they can track events, and of course they can track campaigns, from the click to, for instance, the payment. There are only two things they can't do. They can't connect each page visit with the same user ID, because this is tracking by definition. And second, they can't do remarketing, when you connect the visit to social media. There are a few tools. I use Plausible, but all of them are pretty nice. Okay, but what if my marketing manager forced me to use Google Analytics? You know, the main problem is that sometimes it's an irrational obsession to collect the data rather than a rational one.
5. Data Collection Challenges
Half of the users refuse the Google Analytics pop-up, leading to incomplete data collection. Trust in decisions based on private data is compromised due to the non-uniform nature of collected data. It is better to have uniform data with fewer items. Privacy regulations extend globally, not just to European users. The community has the power to change the industry for the better. Reduce privacy data processors and minimize risks by using self-hosted solutions and combining features on the same platform. Advanced steps are recommended for new projects or difficult refactoring. Privacy concerns were less prevalent before the proliferation of devices.
There is a very big problem with using Google Analytics right now. Half of the users refuse this pop-up; they press no. And it means that you will not collect the whole data. For half of the users, you will collect only part of the data. So for one type of user you have full data; for another, you have only a part of the data. But these two groups are not random. There is a reason why people go to one group or the other. And this is why you cannot trust any decision based on private data in that part, because this part is not representative of the whole user base. It's not uniform statistics. And without uniformity, you cannot trust this data. So it's much better to have uniform data with fewer items, but you will be able to trust it more, rather than what you have with Google Analytics. And you cannot show the pop-up only for European users, because this law goes across the whole globe. It's everywhere. And I really believe that we, as a community, should change the industry, because we already did it. Remember how we killed Internet Explorer? Remember the conspiracy of developers who removed the support? We can do it again to make the Internet a better place.
Okay. Step two. Reduce the privacy data processors. This is a very popular pop-up: "We care about privacy," and then a huge list of companies which receive the data. Each company is a risk. Each company could sell the data or could have a leak. So I highly recommend not using public CDNs for JavaScript libraries and forms. Use self-hosted solutions as much as possible, and try to combine two features on the same platform rather than using a separate platform for each feature. But this is my favorite step. But it's advanced. It's not for everyone. You can use it only on new projects or on a very hard refactoring. So what does that mean? Before, ten years ago, we had only a laptop, and all data was there. And we did not have the problem with privacy.
6. Local First Approach
The emergence of smartphones has given users two devices, laptops and phones, leading to the creation of servers to collect and store data. However, there is a better approach called local first, where data is stored on local devices while still using a server for synchronization. This ensures the benefits of both the old and local ways. Notion, a popular software, stores notes on the cloud, but a better alternative called Obsidian stores notes locally in markdown files, allowing synchronization through different cloud platforms. This exemplifies the concept of local first.
But then the iPhone came. And right now we have two devices. Every user has two devices, a laptop and a phone. This is why we created servers. And we started to collect all data on the servers, and it started to be a new idea. But there is a better way.
It's called local first. The idea is that you put all data here, on the local devices and on the phone. But then you still use a server to synchronize this data. So you have all the features of the old way, but all the privacy benefits of the local way. There is a very good document about the ideology. I highly recommend reading it. It was written by the creators of this idea. There are seven ideas which define the idea of local first.
But I will use a better example. Who uses Notion? It's pretty popular software. But they put all your notes in the cloud. There is a much better tool called Obsidian. They put all your notes here, on your local device. Not just local: they put them in markdown files. And you can edit them with any tools. They have a server to synchronize your notes between a laptop and a phone. But it's optional. And you can use any cloud to synchronize this data. You can use GitHub. You can use iCloud. Anything that you want, because these are just simple files. And this is a good example of local first.
7. Implementing Local First
Local first is a spectrum, allowing for a partial database replica on the local device. To implement this, a good database with performance and a rich query language is needed. WebAssembly enables the use of SQLite or even Postgres in the browser. APIs like the origin private file system and IndexedDB facilitate data storage. Separating writes and reads, using a log and a reactive store, ensures data synchronization. Two passwords are required: one for server authentication and one for end-to-end encryption of the data.
Not all local first should be like this, because local first is a spectrum. You can do just a partial database replica on the local device and you will still be in the family. We will still love you. But of course, the more local first you want, the better.
How can we implement this way? First, because we will put all data on the client, we need a very good database, because this is a lot of data. It could be 500 megabytes of data. So we need a good database with good performance and a rich query language. There is a way: with WebAssembly we can put SQLite in the browser. Or even, there is a project putting Postgres in the browser with any extension. It's an amazing project, but this one is under development.
Then we will use new APIs like the origin private file system: create a folder for the website, and the website can write to this folder. Or we can use IndexedDB. The funny part is, if you put SQLite into IndexedDB, in Firefox, you can put SQLite in IndexedDB. So you put SQLite inside SQLite. But it's still much faster than just IndexedDB, because IndexedDB doesn't work.
Then you will need to separate writes and reads. So you will use SQLite only to initialize the data and put it into the reactive store. But then you will have a log, a list of actions, what people did. And your reactive store will listen to these actions. And every time you want to change something in your UI, you don't go from your React components to SQLite. Instead you write to the log. From this log, SQLite will read the data, and your reactive store will read the data and update the UI. We need this log because not only the UI can change the data. The data can be changed from other browser tabs, from the server. And this separation between reads and writes helps you to synchronize the data.
Then you will need two passwords. One password to authenticate to the server. And a second one to create end-to-end encryption: to encrypt your data on the client and decrypt it on the phone, so the server will not be able to read it. But the funny part: we create this complex system because we have principles.
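As an added illustration of the write/read split described in this section (example code written for this page, not the speaker's framework or any real sync engine): UI code and remote sources both append to a single action log; a reactive store and a persistence layer (standing in for SQLite) consume it, and the store is rebuilt from the persistence layer on startup. Action types, ids and the two-note scenario are constructed for the example.

```javascript
// Added example (not from the talk): one action log as the single write path,
// with a reactive store and a persistence layer as readers. Names are illustrative.

// Append-only log of actions. Every change, whether from this tab's UI, another
// tab or the server, is appended here and fanned out to subscribers. Actions are
// de-duplicated by id, so a server echo of a local action is applied only once.
class ActionLog {
  constructor() {
    this.entries = [];
    this.seen = new Set();
    this.listeners = new Set();
  }
  append(action) {
    if (this.seen.has(action.id)) return false; // duplicate, e.g. server echo
    this.seen.add(action.id);
    this.entries.push(action);
    for (const fn of this.listeners) fn(action);
    return true;
  }
  subscribe(fn) {
    this.listeners.add(fn);
    return () => this.listeners.delete(fn);
  }
}

// Pure reducer: the only place that knows how an action changes the notes table.
function reduceNotes(notes, action) {
  const next = new Map(notes);
  switch (action.type) {
    case 'note/add':
      next.set(action.noteId, { text: action.text, done: false });
      break;
    case 'note/done':
      if (next.has(action.noteId)) {
        next.set(action.noteId, { ...next.get(action.noteId), done: true });
      }
      break;
    case 'note/delete':
      next.delete(action.noteId);
      break;
  }
  return next;
}

// Stand-in for the SQLite table: applies the same reducer, but is only read to
// initialise a store on startup, never by UI components directly.
class PersistedNotes {
  constructor(log) {
    this.rows = new Map();
    log.subscribe((a) => { this.rows = reduceNotes(this.rows, a); });
  }
  snapshot() { return new Map(this.rows); }
}

// Reactive store: holds the derived state the UI renders and notifies the UI.
class ReactiveStore {
  constructor(log, initial = new Map()) {
    this.state = initial;
    this.renders = 0; // how many times UI listeners were notified
    log.subscribe((a) => {
      this.state = reduceNotes(this.state, a);
      this.renders += 1;
    });
  }
  get(noteId) { return this.state.get(noteId); }
}

// UI code builds an action with a stable id and appends it to the log rather
// than touching the store or the database.
function dispatchFromUi(log, type, fields, id) {
  return log.append({ id, type, origin: 'ui', ...fields });
}

// Scenario: a local UI write, a remote write from another device, a server echo
// of the local write, and a second store initialised from persistence.
function runScenario() {
  const log = new ActionLog();
  const persisted = new PersistedNotes(log);
  const store = new ReactiveStore(log);

  dispatchFromUi(log, 'note/add', { noteId: 'n1', text: 'buy milk' }, 'a1');
  // Another device (via the sync engine) marks the note done: same entry point.
  log.append({ id: 'a2', type: 'note/done', noteId: 'n1', origin: 'remote' });
  // The server echoes our own first action back: ignored as a duplicate.
  const echoApplied = log.append({ id: 'a1', type: 'note/add', noteId: 'n1', text: 'buy milk', origin: 'remote' });

  // Startup path: a fresh store seeded from the persistence snapshot, then fed a
  // later remote action through the same log as everything else.
  const store2 = new ReactiveStore(log, persisted.snapshot());
  log.append({ id: 'a3', type: 'note/add', noteId: 'n2', text: 'call mom', origin: 'remote' });

  return {
    n1: store.get('n1'),
    echoApplied,
    renders: store.renders,
    logLength: log.entries.length,
    store2HasBoth: store2.get('n1').done === true && store2.get('n2').text === 'call mom',
    persistedMatchesStore: JSON.stringify([...persisted.rows]) === JSON.stringify([...store.state]),
  };
}
```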
8. Benefits and Challenges
Principles can bring benefits like a simpler server, no need for a backend developer, early investment opportunities, cost-effective scaling, faster development, smaller and easier-to-maintain components, improved performance, and easy data handling. However, client-side migration and password recovery can be challenging.
But sometimes principles can bring you very good benefits. First, your server is very simple. It just does synchronization. And it means that you don't need a back-end developer. Second, you don't need a server at the prototype stage. So you can go to the business, you can go to investors much earlier. Third, it's very cheap to scale. Because with server-side solutions, more users means you need more servers. With local first, each client brings their own power. So you can use the same server. Like Linear, for instance: they use one very simple server for the whole of Europe, and it's enough for them. No private data, no leaks.
And the funny part: all local first developers say that they started to write faster. Because right now your React components are a mix of networking code and business logic. But with local first, all the networking will be in a separate system called the sync engine. And your components will be smaller. It will be much faster to maintain them, because they will be only about the business logic. And performance. This is a real local first application. Because all data is local, it's very easy to work with. It's like zero latency. There are a lot of frameworks. This is mine, for instance. Many of them are good. But the hard stuff: not every one of them is 100% production ready for every case. They're very easy to work with.
Second, client-side migration could be hard. And end-to-end encryption means that it's very hard to recover the password. But, again, it doesn't have to be like this: local first is a spectrum.
9. Production Readiness and Privacy Risks
You can support end-to-end encryption. Local first can be production ready. Different risks exist in different countries. In Russia, people prefer the cloud due to lack of trust in internet providers. Random police checks are a problem, leading to the creation of a fork of Telegram for added security.
You can go to any part. If you can support end-to-end encryption, it's okay not to be fully there. And there are a lot of businesses. For instance, Linear. A lot of people like it because of performance, and this performance is because of local first. Or Pitch. They have 2 million teams. They have 25 million users and they are local first. So local first can be production ready. It just needs a little polish.
And the last step, a very interesting and short one. This step is too big, an advanced project. But it's interesting to think about and discuss at the afterparty. We have different privacy risks. But in the United States, people think only about the risks important for citizens of the United States. And the problem is that with different risks, sometimes if you work with one risk, reduce one risk, you increase another. For instance, if I would do a news application for the United States, people would prefer local first and request the news feeds directly from the servers. But in Russia, it will be completely the opposite. In Russia, people don't trust the internet provider. So they prefer to use the cloud. So the cloud will hide what they are reading.
Another problem: random police checks. Sometimes police in Russia will come to you and ask you to show them your Telegram and unlock it. And if you unlock it, they will find some bad channels and you will go to jail. And if you don't unlock it, they will break your legs. This is why the Russian Cyber Partisans created a fork of Telegram which allows you to add two different PIN numbers. And if you enter the second PIN number, it will automatically delete the wrong channels before unlocking the phone. So, summary. Find your principles. Don't work only for the internet.
Data Privacy and User Protection
Moving to cookieless analytics reduces access to private data. Sell privacy as part of performance. Feature delivery speed is improved. Local first protects against government observation. The second PIN solution provides additional user protection.
And there are a lot of problems. So, remove the pop-up next Monday, please, by moving to cookieless analytics. You reduce the services which have access to private data. Think about local first, and then let's discuss other countries' privacy problems at the afterparty. This is my contact. You can find all the links and the names of the frameworks there. I will post the links to the slides.
So, the first one actually brings you greater performance in the first place as well. If you are trying to sell this as an idea to people, privacy is a thing you can sneak in under performance if you try it that way around as well. My favorite one: feature delivery speed. A lot of people, like Linear, say that after they moved to the sync engine, it is easier for them to deliver a feature quicker, because they don't need to spend time on the networking.
We have a couple of questions. I think they are coming up on the screen now. Yes. Lovely. Okay. So, that was the top one. Yeah. So, the question is: by doing all these steps, when you then, I guess, sync to the server, the government has access to storage and our cell phones. So, how do we prevent observation? I think you covered a couple of bits of that. Yeah. How do we prevent the government from looking? Local first protects you from the government coming to the server side, to your server, and finding the data in the server storage, because everything is encrypted. They can come with law enforcement, but there is nothing you can share. Of course, they can open your device and find something there, but they need to know whom to go to. And this is the main problem, because they can't check every person in the country, at least right now. And the third way: there are a lot of ways to protect users as well. And I showed the second PIN solution. This is a very good solution for this case. Yeah. That's a genius kind of hack, to protect things with a second PIN.
Frameworks and Encrypted Databases
Evolu and Logux are recommended frameworks. ElectricSQL and Jazz are also mentioned. The speaker discusses managing encrypted databases in multi-user applications.
Very sad that it was not from the official Telegram. Yeah, right. Yeah. If they were to implement that, even better. Even better. I think you showed this up on the slide at one point.
The person asked, are you aware of Evolu? Is that your framework as well? What was your one? My framework is called Logux. Log and Redux. It's all... sorry. But Evolu is a very nice system. I spoke with the author a few weeks ago. Yeah, it's pretty neat. To be honest, my favorite one is ElectricSQL, mostly because it's more flexible. But Evolu is nice. I highly recommend it, especially if it fits your needs. Great technology. Nice. Nice. Yeah. I mean, you put a lot of logos up there, so there's a lot of support for this local first kind of thing anyway. Also, there is a nice solution called Jazz. Jazz. Jazz. Check it out.
This is a good one. How do you manage encrypted databases with multi-user applications? Oh. It was one of the slides which I needed to remove to fit in the time limit. So the solution is a little tricky, but it's not hard. It's possible to implement it.
Implementing Encryption and Data Loss Prevention
Implementing encryption for multi-user applications involves public key encryption and key rotation. No frameworks currently exist for this, but there are talks on building encrypted chats. Data loss can be prevented with local copies and encrypted storage on the server. Passkeys offer a unique authentication solution with end-to-end password encryption.
It's possible to implement it. Each user needs to have a public key and publish it to the server. Then the owner of the document creates a document and creates a password. And this password he encrypts with the public key of each user and sends to them through direct messages, encrypted direct messages, on the server. Then they receive this key and open it. When you want to remove somebody, you need to rotate the key: generate a new one and send the new key to the remaining users. So it's tricky to implement, but still possible.
Are there frameworks for that kind of thing as well? There are no frameworks for that one. This is a Wild Wild West situation. It's free, but it's very easy to implement something and become, you know, famous. I actually saw a talk earlier this year by a friend of mine who, live, kind of builds an encrypted chat, which I think does that kind of thing as well. So that might be worth looking up if you are interested in that kind of multi-user encrypted stuff. Check out his talk on building an encrypted chat.
How do we protect users from data loss when using local first and something bad happens to the device? So there are a few ways. First, of course, you always have a copy on your phone. But second, the server is not just, you know... it also stores the data. The main problem is, the main unique feature is that this data is that log which I talked about, but this log is encrypted. So you still have the data in the cloud, but only you can open it, if you remember the password. And this is the problem. So I'm a very big fan of the thing called passkeys. A passkey is a new way of, you know, authentication. And it has a very interesting extension where you can put random bytes on the passkey account. And these random bytes could be an end-to-end password. And this is a very good way to help people not forget the encryption password.
Passkeys and Note Sharing with Notion
Passkeys are a great way to ensure encryption is not forgotten. While not yet fully production-ready, half of the system supports this extension. All major browsers now support passkeys, and efforts are being made to improve and extend their functionality. Open source password managers like Bitwarden also offer support. Let's move on to the next question: sharing notes using Notion.
That's fantastic. I mean, yeah, I absolutely love passkeys. I was on this stage last year talking about them, funnily enough. And their ability to, yeah, give users something that's so hard to get, because they can't ever remember it. It has to be stored. It has to be kind of encrypted in the cloud. But I didn't know you could do that with it. That's very cool. But it's still not 100% production-ready, as usual. About half of the systems support this extension. But I think with smaller clusters, the support will grow.
Yeah. I mean, it's good enough. It's nice enough that all the browsers now support passkeys anyway. Firefox was a bit of a holdout for a while, but we got there in the end. But now we have to prove the usage and then get to how we can add these extensions to make things even better. And even open source password managers support it, like Bitwarden. Yes. I have Bitwarden and Firefox fighting to save my passkeys right now. Awesome. Let's see what else we got.
Actually. Yeah, we'll go for it. Yes. It does work. Brilliant. Next question. I use Notion to share notes between different devices and my wife. Yeah.
Secure Data Sharing and Convincing Marketing
Using public keys, apps like Obsidian can enable secure data sharing. To convince marketing to ditch Google Analytics, ask about the data used for decision-making. If data is collected but not utilized, it becomes unnecessary. Compliance with data privacy acts requires avoiding the collection of unused data. Using non-cookie analytics ensures GDPR compliance, improves performance, and safeguards data.
I think I can answer this question as well. There's a way with public keys, et cetera. Obsidian can do this. Yeah, right. Obsidian is a very cool app.
I think you tried to answer this next one as well. How do you convince marketing to ditch Google Analytics? So many reasons. There is also another thing which I did not have time to put on the slides. Ask the question: what data did we use last year to make decisions? Because if you collect some data and did not use it to make a decision, this is just obsession. You know, like a person with a lot of garbage in their apartment. This is the same style of private data obsession. If they don't use the data to make decisions, they don't need it.
Yes. I agree. In fact, I seem to remember sitting through internal data-handling presentations where you get a presentation from somebody saying, don't ever take data that you're not going to use. Because that's actually against several different countries' data privacy acts. Making sure that, yeah, you are not using it. You're not using it. You still cannot use it because it's not uniform. Right. And so once you get that, you get to prove that the non-cookie analytics work. Yeah. Perfect. So, yeah. No GDPR pop-up, better performance and safer data. Absolutely. Awesome. All right. That is our time for questions here. Thank you for the questions. Amazing questions, by the way. Give it up again for Andrey. Thank you so much.