Concerns about security with deletion/new account request protocol

I have some questions about the security details of the process to request a new Anytype account. I refer specifically to this post:
https://community.anytype.io/t/request-new-account-to-clear-all-anytype-data-or-in-case-of-lost-passphrase/1704

In the highly unlikely event that we have lost access to all our Anytype instances and have not kept our Anytype ID elsewhere, you offer to get a new account by sending an email to support@anytype.io with the subject “I lost access and want to start over”.

A. from the email addresses we’ve used with Anytype :warning: :warning: :warning:
B. or writing the invitation code and email/forum alias we’ve used in the Anytype site, if any.

But further on you also mention this about Anytype ID “This allows us to understand if a user exists (just that) and can provision users to delete their encrypted data from our servers by request & consent that all their information will be deleted.”

So here are my questions:

1. How does this “request & consent” process work from the user’s point of view?

2. This seems to strongly suggest the possibility that Anytype’s staff and its entire infrastructure can delete any user’s data. Don’t you see this as a security issue?

3. What happens to our offline data on our various devices in case of a data deletion from your side? I imagine that the automatic synchronization will delete all of our data everywhere, but in case of misuse by a hacker who would have obtained access to our email address, it would be quite a digital disaster in this case.

4. Would you allow a hacker with access to our email address to initiate a deletion of all our data without having to provide any identifying information? That’s what point A implies.

5. Do you intend to strengthen the security of our accounts regarding the upcoming possibility of becoming a subscription member? I imagine that email will become an even more common way to interact with our accounts, and I can’t see how we can get away from it for this kind of use while balancing security and usability for everyone.

6. Will you keep the power to delete our data after the official release of Anytype?

7. Why not just give priority to the creation of a new account while leaving the old one inaccessible and lost until proven otherwise?

9 Likes

Agreed with much of what was said here - more transparency over the amount of control and visibility the Anytype team has over our accounts and data would be very much appreciated. The control the Anytype team has over our account was also demonstrated a few months back during their Sets, Types and Relations rollout for existing alpha testers, where those users must have attended separate training to understand and have the “database” functionality enabled for their account.

I’d also like to pitch in with my own experience with the account “wipe” process - a few months ago (around Nov/Oct 2021), I had requested an account reset and wipe with the aforementioned process by emailing support@anytype.io with my existing Anytype ID. I received a new invitation code, yet, contrary to the “all data will be deleted” warning, my previous Anytype keychain phrase and account still works with all of its data intact to this day.

4 Likes

Yeah, ok, so I think this might confirm what I was thinking. Forewarning: I could be wrong about this, and I’m new to Anytype, so yeah…

Remember that Anytype uses IPFS as its backend. IPFS is a peer-to-peer network. That’s why the backups are called “nodes” and why things “sync” to those nodes. The more nodes there are, the more “peers” you have.

So, if your data gets deleted on your local device, your data is still located on all of these other peers/nodes. All you would have to do then is to resync that data to your local computer and then decrypt it (all your data is encrypted, which is presumably why you have to have the keychain stuff).

What this means is that their “backup node” acts as a peer for everyone’s encrypted data. If they delete your data, but you don’t delete it, then it would just resync back up (presumably) to the backup node. But just like with torrents, if all of the peers of your data are gone - there are no longer any peers/nodes with that data - then you can no longer retrieve that data anymore. There only has to be 1 peer with your data in order to retrieve it again (assuming that peer is accessible).

So, by them deleting your data, they are really just deleting that backed-up encrypted data so that they are no longer a peer of that data, but this does not propagate. Just like deleting a torrent from your computer does not delete the torrent from everyone else’s. It merely deletes their backup of it and stops them from being a peer of that data.

Note also that this is not the same thing as deleting objects from within your data. What’s actually happening there is you are creating new files that specify what changed within your data - kind of like version control (think of diff or patch files, for example).

Now, the way that users and app features seem to be handled seems to me to be separate from how the user data is handled. And that’s mainly because it’s an invitation beta, so they want to control access to the application itself for now, I suppose.

5 Likes

Thank you @edwards for your feedback, now we need to know whether, as @krixano seems to suspect, your old Anytype account kept your data because it was not properly erased locally, or whether, as you suspect, the backup node does not erase your data. :thinking:

Also, regarding the on-the-fly actionable features, I would like Anytype’s staff to explain how this degree of control could differ from, or not reflect, the official release. Because it would be unfortunate if a web 3.0 project didn’t want to be totally decentralized.

2 Likes

Well even if the backup node never erased the data, the data is still encrypted afaik, so nobody can see it, let alone modify it (how modification is prevented is based on encryption, but also IPFS - don’t ask me to explain IPFS… it’s complicated :grin: . But you can go over to the IPFS docs if you’re wanting to learn more about how that works: Concepts | IPFS Docs).

Also, the team is working on adding the ability to host your own backup node, it just isn’t finished or released yet. I saw this when I did my onboarding zoom stream 2 days ago.

2 Likes

I just wanted to raise some security questions that apparently I’m not the only one to ask, but I have no doubt that some clever developers will be able to check the security when the source code is made public.

3 Likes

Yeah, that’s understandable. Anytype is using a new type of thing - decentralized internet and IPFS - that is gaining popularity among tech people and developers, but not necessarily among non-techy people, and I think it’s because there’s like a lot to learn and consider on how it actually works. And I don’t know for sure, but I suspect that’s probably one reason for the required onboarding stuff, maybe?

Anyways, I imagine they would get rid of the invitation code stuff after release, since I don’t see why they would need to control features or do A/B testing then, but yeah, idk.

Another thing that I wanted to throw out there, but that I don’t think applies to Anytype actually, is that Decentralized Unique Usernames is basically an unsolved problem :laughing:
And this is why some projects have gone towards using Blockchains, because that’s one of the solutions. I personally don’t think it’s a very good solution, at least not yet, because of how much energy it requires, how cost-ineffective it really is, and some other things. The other solution projects use is to just forego usernames altogether and just give everyone a unique string identifier (which happens to be a public encryption key). Some projects try to do a bit of both (like ZeroNet).

But… from what it looks like Anytype doesn’t have any of this necessarily. It just has content-addressed data that is being shared over IPFS, and then the invitation code and client id (which I believe is the Anytype ID) for accessing the application itself. So I suspect after release, they would just get rid of the invitation stuff and they wouldn’t have any centralized storage of users. Again, I’m definitely speculating here, lol

5 Likes

It’s worth keeping in mind that any closed-source app can theoretically do anything your operating system allows it to. So there’s always a degree of trust necessary. This is why I’m really looking forward to the open-source version. And at the same time, won’t store any sensitive information in Anytype until then.

  1. It’s a bit vague indeed. The best I understand it, you have 2 options.
    First option is that you give them your Anytype ID. And they’ll delete your data from their ipfs node. Depending on how ipfs is configured in Anytype, it might still keep the data locally. Based on @edwards’ experience, it seems it is kept locally (which IMO is good).
    Second option is that you email them or send invitation code. I’d assume that in this case they can’t delete your data but I’m not sure.
    In both cases, you can create a new Anytype ID, which is a new separate account/dataset.
    @Oshyan might be able to elaborate on this.

  2. Yes, it’s a mild security issue. But as long as the Anytype app itself doesn’t delete local data immediately, your devices would still have the data. If you lost data on your devices at the same time, it’d be lost permanently, hence the security issue. If you use Anytype semi-regularly and have at least 2 devices, this should be extremely unlikely.
    If you don’t, the solution to this is to be able to host your own ipfs node. Or delegate that to some other storage provider. Which AFAIK is in the works.

  3. Can be avoided by keeping the data locally, which seems to be the case already.

  4. See answer 1, second option. Basically, I don’t think they delete your data in this case. Based on answer 3, the data should remain locally too.

  5. Not sure I understand the question. Are you basically asking whether questions 1-4 will be addressed?

  6. I’d assume yes. Storing the data is a cost for Anytype and since it’s encrypted, there isn’t really any value in it by itself.

  7. The account is effectively inaccessible if you don’t have the keyphrase anyways. The keyphrase is the only way to get access. If a hacker has your keyphrase, they can delete your data without contacting Anytype. If you lose the keyphrase, Anytype can’t help you.
    All Anytype (and any hacker impersonating you) can do is give you access to a new account. And to delete their local copy of your data.
    It seems you can request deleting data only with Anytype ID, which I think is essentially next to your keyphrase. So a hacker who had your Anytype ID could probably just use your keyphrase to delete your data, without contacting Anytype.

  8. IMO the biggest security concern is Anytype permanently shutting down before they make the code open-source. In that case, your best bet is exporting data. Or the open-source community writing Anytype from scratch (or reverse engineering).

If you’re very paranoid, you can periodically export your data (probably a good idea given the alpha status anyways).

I made some assumptions above, which I think are reasonable. And will be verifiable when the code is open-source. Hopefully it gives some clarity on your questions.

7 Likes

This is my opinion too.

This is related to the question 4 in the sense that I don’t know what a hacker will be able to do if he has access to my email address, in case it’s used for/with a paid subscription plan?

2 Likes

Thank you for your feedback!
Your security concerns are absolutely reasonable. We considered that this process may be ok for MVP. In the near future we will provide in-app deletion that will wipe out all the data from our servers, with 30 days for possible rollback.

5 Likes

This feature will be useful :smiley: Nevertheless, some essential questions remain about the level of security that will be applied after the official release:

  1. Besides the users’ in-app deletion feature, after this MVP stage will Anytype’s devs still technically be able to delete any user’s data?

  2. After this MVP stage, will a hacker who could access your servers be able to delete any user’s data?

  3. Could it then affect only the data on the backup-node, or also that on our devices?

  4. If our backup-node is wiped, will the data of our devices synchronized with it be erased too?

Once the source code is published, developers willing to investigate will have the possibility to do so, but the subject is important enough to deserve detailed answers regarding these concerns.

3 Likes

There are two aspects that we plan to address in different ways: account and data deletion and account security.

We are planning to make a distributed storage.
Part of the backed up data may be stored on devices unaffiliated with Anytype (like https://filecoin.io/ does), part on Anytype’s. We want to provide a high rate of replication, giving reliability, and a high level of decentralization, giving independence. Technically every hard drive could be wiped out, but the storage will be re-balanced.

Data is encrypted and we have no logic to call for remote deletion on your other device. Account data will be deleted from backup servers only. Your logged-in devices will still have all the data after 30 days period. But you won’t be able to sign in on a new device anymore.

Attackers having no personal mnemonic key could only try to delete some data on some server, with no ability to attack particular users. Of course, there might be more complex attacks with network sniffing of one of your devices, attempting to disable all servers backing your data, but high decentralization should avoid that.

We would be glad to see white-hat hackers trying to break Anytype after open sourcing! And we will continue working on security aspects in Anytype with the community :heart:

5 Likes
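To make concrete the replication semantics from @krixano’s peer/torrent explanation earlier in the thread and the Anytype team’s answer just above (a node deleting its copy does not propagate; data stays retrievable while one reachable peer holds it; a replicated store can be re-balanced after a wipe), here is an added toy simulation. It is not Anytype’s code and does not talk to real IPFS; the peer names, the `Network` API and the sample ciphertext are invented for illustration.

```python
import hashlib

def cid(data: bytes) -> str:
    # Content address: the hash of the client-side encrypted bytes.
    return hashlib.sha256(data).hexdigest()

class Network:
    def __init__(self, names):
        self.blocks = {n: {} for n in names}   # peer -> {cid: bytes}
        self.online = set(names)
    def add(self, peer, data):
        c = cid(data)
        self.blocks[peer][c] = data
        return c
    def providers(self, c):
        return [n for n in self.online if c in self.blocks[n]]
    def fetch(self, c):
        # Retrievable as long as at least one reachable peer still holds the block.
        names = self.providers(c)
        return self.blocks[names[0]][c] if names else None
    def wipe(self, peer):
        # A node deletes its own copy; nothing propagates to the other peers.
        self.blocks[peer].clear()
    def sync(self, src, dst):
        # A client pushes the blocks it holds to a node that is missing them.
        for c, data in self.blocks[src].items():
            self.blocks[dst].setdefault(c, data)
    def rebalance(self, c, replicas):
        # Re-pin on further online peers until the replication target is met.
        data = self.fetch(c)
        for n in self.online - set(self.providers(c)):
            if data is None or len(self.providers(c)) >= replicas:
                break
            self.blocks[n][c] = data
        return len(self.providers(c)) >= replicas

def demo():
    net = Network(["laptop", "phone", "backup", "spare"])
    blob = b"ciphertext-of-note-v1"        # constructed sample, encrypted on the client
    c = net.add("laptop", blob)
    net.sync("laptop", "backup")
    net.wipe("backup")                      # backup node deletes its copy
    after_wipe = net.fetch(c) == blob       # laptop still serves it -> True
    net.sync("laptop", "backup")            # client resync restores the backup copy
    net.online.discard("laptop")            # laptop disk dies
    rebalanced = net.rebalance(c, 2)        # backup re-pins onto another peer -> True
    for n in list(net.blocks):              # every copy gone: nothing left to retrieve
        net.wipe(n)
    return after_wipe, rebalanced, net.fetch(c) is None
```

The last step is the torrent analogy’s failure mode: once no peer at all holds the block, no resync or re-balance can bring it back.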

Thank you very much for all these explanations! :pray: There is only one point I don’t really understand.

In which case and for which reason would we not be able to sign in on a new device anymore?
More importantly, how would we be able to sign in again?

2 Likes

Even though this topic was marked as resolved, I’d like to check in about the 0.26.0 update that was released yesterday:

@Vova could you elaborate on how the two statements work together? The account deletion is irreversible, and data cannot be recovered, but you CAN recover it within 30 days? (so it is not irreversible for a month?)

Presumably it is irreversible only after the 30 days, because it doesn’t delete your data from the backup node until after the 30 days. That’s how I read the statements, but I suppose it would be good to be hyper-specific about this, since security is particularly important.

2 Likes

@sambouwer @krixano That’s correct, after the 30 day expiration of “irreversible” account deletion (initiated by the owner), their data is permanently erased from our backup node.

1 Like