Shortcut 2: C:\Users\my.user\AppData\Local\Programs\anytype\Anytype.exe --user-data-dir=“C:\Users\my.user\Documents\Anytype\Public” ← Connected to the Anytype network
That is why I have to accounts and for the one connected to the Anytype network I have a membership.
After the update from 0.53.1 to 0.54.0 I realized that suddenly my local-only vault is syncing to the Anytype network which if I am being honest made me a bit angry Despite being encrypted I do not want the loca-only data to be synced.
After I logged out and changed the settings to local-only before logging back in again, it worked as expected again. But that should not happen in the future again.
HOW TO REPRODUCE IT
Outline the steps needed to reproduce the behavior in sequence:
Have a local-only vault in 0.53.1.
Update to 0.54.0.
See your data being synced to the Anytype network
THE EXPECTED BEHAVIOR
The mode should not change (or falback to a default) when doing an update.
ADDITIONAL CONTEXT
As a relict I have now used remote storage after I deleted my synced data.
Are you referring to data from your now again local-only vault? In order to delete this data, you will need to switch modes again and deleting it from the app.
For what it’s worth as another data point for the team, I don’t see my local only vault being synced. However, I have never synced anything to the Anytype network, so it’s possible that I am completely missing the required configuration to do it and the user reporting this issue is not as they have some of their vaults synced and others not.
I’m so frustrated because the whole reason I’m using Anytype is that my data STAYS on my device. Now its uploaded to your servers because of a small overnight in update? That shouldn’t even be possible. If this can happen so easily it doesn’t make me feel secure about my data being stored in Anytype in not leaving my device.
I know you’re saying its encrypted but to be honest I don’t think thats some magical ‘its all ok’. It’s still a vulnerability whether you like it or not
How can you advertise as local first and then not even have an option of choosing to not upload to your servers as default.
How can people affected by this make sure their data is deleted from the Anytype Node after they switched back?
You released a post mortem but have no step by step for us on what to to restore our vault back to normal?
I’m sorry that this situation has caused you distress and we totally understand why.
This bug is not ok and it is definitely an issue. There’s no two ways about it. Mentioning that the data is end-to-end encrypted simply means that there is no loss of data privacy, it does not mean that this isn’t an issue—this bug is 100% a problem and not intended.
‘Local-first’ is not a marketing term we’ve coined, it does not explicitly mean that your data is only ever on your device or only stored locally. The reason why ‘local-only’ mode is not the default is because most users want a ‘local-first’ experience where data is not only stored on their devices but it is also synced across their devices with the convenience of a network.
With end-to-end encryption and local storage, you are simply using the network to sync data without the loss of privacy. In short, we cannot access the content of Anytype users regardless of their app being in local-only or being synced to Any Network. The mention of end-to-end encryption is not intended to come across as a ‘magical it’s all ok’, we’re hoping that it clarifies the extent of the issue.
We’ve explained the reason of why it happened in the post-mortem—a resetting of app settings due to app update errors. It doesn’t make the bug ok nor the mistake we made. However we have learned from this issue and fixed it. It is understandable that you’ve lost trust in Anytype, however we simply can’t guarantee that our app will be completely bug free.
We will re-verify with our engineers even more comprehensive steps that you can take so you can understand how your data is handled. I hope this answer suffices for now.
So does this mean that the files aren’t stored on the network but just pass through it when syncing?
I’m not asking for guarantees that the app is bug free and totally expect bugs to pop up, but this my own data which I chose how it was to be used and didn’t think it would be so easy to render my vault open to network syncing if I wanted it to remain on my device.
That’s a valid point.
And I must admit that I also was “p*ssed” when I’ve started with Anytype, more then two years ago.
I’ve expected that “Local-first” means, that the data are nothing else then local, UNTIL I actively decide to sync!
I was very disappointed when I found out that the fresh installed app directly starts to sync my holly data to some server without my active permission!
@kaye I’m late with that, but I strongly suggest to the team to rethink the default behavior.
After installation, Anytype should ask the user if he wants to sync, or not.
The user must be forced to make a clear decision before he’s even able to use the app. And if he denies syncing, not even a single bit should go outside (telemetry included). – Yes, not even a simple network ping. NOTHING!
This was clearly what I’ve expected. But it wasn’t so.
And I’m still wondering about myself why on earth I stayed with Anytype. – I can tell you, that I would have forgiven no other App such a behavior as Anytype has shown.
Yes absolutely. But it seems like its impossible to use Anytype now local only or even local first. What’s the point of saying you’re local first if theres no option to actually be that? It’s so confusing.
My files have been added to the backup node, I have no way to turn this off. Is it only files and not note content that get uploaded to the node?
i’m just so annoyed this has happened and I’m even more confused now after this:
But its not locally stored - my data is now on the backup node, your servers that I have no way of knowing your process of encryption and if it’s actually secure and don’t want my data lying on a server going into the future. So my privacy in the immediate term may be not in immediate threat but it’s another node of exposure I didn’t consent to.
Going beyond this bug into the larger conversation of ‘local-first’ vs. ‘local-only’ requires a much bigger and detailed explanation that doesn’t make sense in this setting. However, it is very important for us to clearly outline these differences, so I will take some time in the future to write a post about this.
I don’t want to leave you hanging though, so I will address some points now. Just be aware that it may not be as detailed or well-explained as you desire.
No. When syncing on our network, your data is essentially sharded and stored on multiple nodes. This means bits of your data is broken up and encrypted. In order to put these shards back together, you need to have a key—which only the user has. Any Network has a ‘backup’ of your data, however this is not what it looks like in the traditional sense due to the way our infrastructure is designed from a security and privacy perspective. It’s not a simple folder/zip file that can just be opened from our database, which is what it may be like in other apps. You can be sure that there is no way for anybody to access your data, in Anytype or outside us. This is the way end-to-end encryption works which is verifiable in our open codebase.
If you want to remove your account from the Any Network, then the most comprehensive method we have today is to export all of your spaces, create a new account, import it all into the new account, check that everything is ok, and then delete your old account. This will trigger account deletion from our servers in 30 days. This is the best we can do today to mitigate this issue. If you’d like to expedite this, then we can try to coordinate this directly, to locate your account and delete it. However, it’s worth noting that taking this step will not make a meaningful difference to your data security or privacy. I outline the reasons below.
Again, we apologise for this bug, as it was not intended to be the case. It’s worth noting that when selecting ‘local-only’ mode, the app prompts warnings that it is an experimental mode because we are aware of the many issues that users may run into when in that mode. For example, a reddit user ran into data corruption issues and wanted us to diagnose/resolve it, but it was very difficult to do so because they were in local-only mode. Again, it doesn’t make the bug ok, but it is not a mode that we optimise for because the reasons I’ll outline below.
Local-first is exactly what Anytype is. Local-only is not the same thing, they are not synonymous terms, and Anytype does not strive to be ‘local-only’. Cloud-first apps (which is the default these days people are used to) means that all of your data is stored on the cloud/servers, and you cannot access it without an internet connection—because your data is not stored on your device. Local-first (which is Anytype) means that all your data is stored on your device, and you can access it even without an internet connection—because the network is only required for syncing, not access. This is why it’s termed ‘local-first’ and not ‘local-only’. Anytype was never designed to be a ‘local-only’ app, the vision of local-first is based on data sovereignty with connectedness—not data isolation.
Indeed, you are both right that these terms are not well-known or understood by the general public. If the expectations of users of ‘local-first’ means that no data ever leaves their device, then there is a lot more work to do on education. Although they are not terms we invented, we do use them because they are used by the greater software movement— this Ink & Switch article is a great definition for it. Within the confines of this software conversation, Anytype is indeed local-first but I 100% understand that not everybody understands its distinction with local-only.
This conversation is much too large to explain here, so I’ll give the high level points.
There is no meaningful security or privacy benefit between local-first and local-only. It seems like on the surface that ‘local-only’ would be more secure and private, but this is based on intuition not the reality of security and privacy threats. Local-only mode actually comes with many distinct drawbacks, the most obvious being no syncing and no collaboration. This is why we call it an experimental mode. Users will go into local-only looking for tangible security and privacy benefits, but they won’t really get any and mostly suffer notable tradeoffs.
There are meaningful benefits between local-first and self-hosting, such as infrastructure cost control, but that is a different conversation. Even though self-hosting is great, it also comes with the tradeoff of not being able to collaborate with any Anytype users outside of their self-hosted network. All models have their tradeoffs.
The reason why we don’t make ‘local-only’ an option as default for users is simply because most people do not understand the difference. On the surface, it seems like you’re gaining big security and privacy benefits, when this isn’t really true. If users want an app that is entirely designed to be local-only, offline, and no collaboration—then Anytype is a poor solution. Many of the challenges we face are explicitly because we want to address real-time collaboration in this context of data ownership.
We can maybe do a better job with educating users with explanations in apps, but frankly I’m not sure that’d help because most people skip through long explainers. And this topic cannot be explained in short.
Yes, you’re right that you did not want your data to be synced onto the Any Network. Again, we 100% recognise this as being an error and a mistake on our part. No excuses. However, I bring up the same point which is that there has been no compromise in your privacy or security in this situation—your data has not been breached. On the Any Network, your data is sharded and encrypted across our nodes, and it is not possible for anybody to access them. If you want to perform the account deletion process, you are 100% welcome to. However, it’s worth pointing out that this doesn’t actually change your privacy or security in a meaningful way (you’re not more/less likely to be exposed than if you kept your account). However, we recognise that this may feel a lot better for you, so that’s why we’ve provided clear steps for you to do so.
We can reiterate that your data and our encryption methodology is secure, however that’s just ‘us’ saying stuff that you might not trust. The way you can verify the security of your data is exactly why we have an open codebase: anybody on the planet can check to see how data is handled on Anytype—from that perspective the community at large certainly can verify that it is ‘secure’.
I 100% recognise that this is a distressing, annoying, and frustrating experience. I hope none of the above explanations are seen as deferring blame or making it sound like this bug was ok. It’s not. However, I provided those explanations in spirit of bringing to light the concepts behind the technology and to answer your questions.
Sorry, but is is too short-sighted and only true from a single perspective, if one assumes certain axioms.
I could write much more about this, but point only on one single point:
For me it’s already a privacy issue that “someone” could seen when I sit on my PC and do there something!
Yeah, if “someone” analyzes my datastream (no matter how it is encrypted), he can conclude, that my daily rhythm is very irregular. I do things on my PC at every time at day and night. So, seemingly, I don’t do a regular job!
– That alone is already a datapoint that I may want to avoid in some situations!
Best way to do that would be to use a battery powered PC that’s completely disconnected from the internet.
Unfortunately, that’s not practicable in most cases, because I need the internet too often. So, from my point of view, it’s already a compromise to use an internet PC at all!
But since I’m de facto forced to accept such an compromise, I’m even more interested to have control over my data that goes over the internet!
From my point of view, it was already a giant scandal when I found out that the mere act of hovering over a web link in Anytype already “pings” the target in the internet!
When I’ve found out about that, I’ve started a big discussion about that and Anton was on the edge to kick me because of that.
Since then I avoid to paste certain URLs “as Link” into Anytype and paste them “as text” instead.
I simply don’t want that something “pings” over the normal internet while I’m surfing with TOR!
– This has less to do with “criminal things”, but in some cases it can have to do with things what the actual gov (aka “regime”) in your country may see as “criminal” these days; etc. etc.
And there is more “knowledge” in synced data, no matter how they are encrypted.
Having knowledge about the data volume makes it possible to conclude some things.
Some kB? – That looks like text.
1-6 MB? – That looks like an image!
More then 10 MB? – That looks like a video!
Assume you’re Edward Snowden. Or Julian Assange. Or a soldier in a conflict. And you already suspect that Big Brother looks what goes through your cable.
It should be clear that you want to avoid such data points at all costs in some situations!
Yes, already a sigle bit is a datum! It comes with a time stamp and vague information about your location!
These are drastic examples (and I could name some more), but there are also some less drastic examples.
I could talk a lot more about the whole topic. What of all examples I could give may be reasonable for you and the team is one thing. The relevant thing is, if that seems for ME look like a threat, or not!
It is (or it should be) the user’s sense of security what matters! It’s the user who does or doesn’t pay for your product!
And if many (or enough) of your users simply are paranoid stupidos, then your company must somehow deal with that fact, because they are your customers!
Not less of these stupidos have chosen Anytype deliberately, because of the (sometimes a little bold) statements on the website about security and privacy and so on.
It wasn’t different for me.
I was a long term user of a very old version of OneNote. I used deliberately an old version, because it didn’t force me into the cloud, as later versions do.
So, I was looking for a replacement when the old version wasn’t enough anymore to fulfill my needs.
After a lot research and tests, I ended up with Anytype.
But I must say that I was really p*ssed when I found out that it syncs data per default, without asking me for permission!
My normal act for every software, even for the OS, is to disable any kind of telemetry and auto-updates!
I want to decide myself when I make an update and when I allow data to go over my cable!
As said: I still wonder about myself why I’ve accepted what Anytype did, instead of immediately deinstalling it!
Maybe it’s because of my age meanwhile. Not so many years left anymore till I’ll rest three meters below the ground.
Indeed, this is why I said it’s much too large of a topic to cover in the scope of this conversation. Everything in this topic is on a spectrum, and a spectrum can have very extreme ends which isn’t meaningful for everybody. As we can’t address everybody’s exact security, privacy, anonymity profile individually, we need to make some broad generalisations otherwise there is no way to have basic conversations.
From that standpoint, the points I’ve made are mostly relevant for the average user of the internet. We can’t access your data even if it’s on our servers, and the government wouldn’t be able to either (at least to the knowledge of the general encryption community, maybe they got some super secret weapon lol). If users are worried to that level of telemetry data and making inferences, this is probably an entirely different level of advanced conversation going beyond local-first.
If one is looking for the absolute maximal security/privacy with no data transfer (even telemetry data), then I don’t think Anytype is the best solution. We can adjust our marketing to make that clear if that’s causing a mismatch of expectations. Anytype is a business, and it must survive from subscription payments—it is quite literally in the business of having a connection with users/customers.
Anyway, I don’t want to sidetrack this conversation any further. I hope to add further clarity in the future to how Anytype handles data, and then users can more transparently/easily decide if it makes sense for them. But again, it is too much to unpack in here.
I may be not up to date on this but I thought there was no way of backing up Anytype that preserves the layout of your space? Is this still correct?
So is it of Anytypes position that there’s no added security benefits to keeping your data offline? Like what are the risks of our data being hacked by a vulnerability in your servers? If malicious actors got into the Anytype servers there is no way for them to uncover the data even if they somehow retrieve the shards? What exactly are the potential risks? Especially with AI coordination of threat exploitation, do you face any difficulties being a small company in terms of security as I understand it doing audits etc is expensive. Surely with all these concerns, this warrants one to think there is meaningful security and privacy benefit in local only. I just would want to know what the risks would be if your servers were compromised. The way you’re wording it is saying its pretty much a guarantee the data can’t be read. But usually it’s not that simple… but I just don’t know so that’s why I’m asking.
Thanks for clarifying
And thanks for clarifying the priorities of Anytype - it is at heart a more private collaboration tool than notion or alternatives.
Here are two images of a space I exported and imported. You can see that they are almost the same with a few exceptions.
Space Member: In the original space, I had 16 space members—which are objects in themselves. Because you can’t literally ‘export’ a space member, they end up becoming ‘untitled’ objects.
Chat: Similarly, you cannot export chat messages because they are a different type of primitive.
Without knowing what is in your space, it’s hard for me to say how the import/export will go. But if you give it a try first (in the same account), then you can at least see what it looks like before deletion.
In the world of security, there is no such thing as 100% security with zero chance of risk. It’s also very difficult to quantify risk because it also entirely depends on the individuals threat profile. A well-known billionaire has a very different threat profile to the average citizen; what is considered secure to one person, would not be considered secure to another. It is a moving target.
As @Code-Jack rightfully points out, somebody could technically install a camera in your home pointed to your computer screen while you’re on Anytype. Does that make your content in Anytype not private anymore? Technically true, because it’s now recorded without your permission. Is it reasonable to say Anytype is not private because it doesn’t have a safeguard to this threat vector? Well, that’s a much more difficult question to answer. Anytype has no real guarantees against device and physical-level threats to your data. But in the general world of software apps, most people would consider Anytype to be private because it’s in context for its use case.
The key word here is ‘meaningful’ difference. Absolutely there are literal differences, but to what extent those differences matter to the average user is the question. We pretty much don’t have any information regarding our users’ threat profiles, thus we must make a general assumption that they’re the ‘average citizen’. When we say secure and private, we are assuming under normal conditions. Ultimately, it’s the user’s responsibility to use tools/systems that match their threat profile. Maybe an air-gapped device should be your choice if you’re a super spy.
From that stand point, it is our belief that for the average user there isn’t a meaningful difference between local-only and local-first—because data on Anytype nodes cannot be read due to the end-to-end encryption. Why do we not recommend local-only? There are many reasons, but I can explain one:
Security in isolation is pointless if your security method inhibits access. As an example, you can lock all your diamonds away in the most secure vault in the world, but if you lose the ability open the vault and access the diamonds—what was the point of the security? Security must also be weighed with accessibility and recovery. Local-only users typically means you will only access the data from one device and that you must be responsible for your regular backups, which is why we recommend users be responsible with this experimental mode. With no backup, if you lose your device, or it gets compromised, or whatever, then you will lose all of your data without any means of recovery.
This is the reason why we believe local-first makes sense for the average user using Anytype. We never set out to be the ‘most secure and local-only’ app. Local-first has a balanced approach to security, privacy, and accessibility while being able to provide real-time collaboration. Your data is safe, private, and backed up as long as your key is not compromised.
@jojo If you have further concerns, let’s connect privately so we walkthrough the solution together so you feel comfortable. We simply don’t have enough information about your situation to provide further advice that isn’t too generic.
P.S. Another example, I have no problem using a password manager with end-to-end encryption that stores all of my account passwords as a backup on a server. If I was to remove the server from my equation, I’d be much more worried about losing access to all my passwords if my physical devices were to get compromised. There is value in having remote backup on a server, especially if it’s end-to-end encrypted. This doesn’t mean this solution suits your threat profile, but I just want to be clear that something being on a server does not necessarily mean its more insecure than it being held locally.
If our nodes got hacked, a bad actor would not be able to read any data stored in your account. As it stored as a noise on our nodes and the only encryption key that you generated on your device can decrypt it. All computers in the world can’t brace it. So there is nothing worry about. You can read more about our philosophy here.
Thanks for the response and the time you have taken to explain.
I think I’ll just reassess what I use different apps for, and I’ll still continue to use Anytype I think.
I’m glad it’s helpful. In the future, I will post more material on this topic. Again, I apologise for any distress this situation has caused. Always feel free to reach out if we can help with anything else.
Despite being encrypted I do not want the loca-only data to be synced.
