WeFeel is a bit paranoid about keeping your private thoughts private. Instead of hiding how we do it, we'd rather just show the world our technique. When designing how we store your data, we had a few goals in mind:
- Data stored in the cloud can never be accessed unless a person has authenticated with a trusted provider: This is a good first line of defense, and it is the baseline expected of any company that hosts sensitive information in the cloud.
- Once authenticated, an account may only access its own journals, or ones which have been shared with it: This means that if someone managed to log in outside of our application (which shouldn't happen), they still wouldn't be able to access any data beyond what is associated with the account they used to log in.
- We don't want to know your email address: "Wait, what?!" you say. We're not joking, though. You'll never get an email from us, and we'll never sell your email info to anyone else, because we simply don't have it. Marketing people probably think we are nuts, but frankly we've moved on from email for customer interaction; it's so last decade (said the guy who spent most of his career as an email expert).
- We don't want to be able to identify you by your data: Here's something a lot of people don't realize: for many kinds of technology, the people who run the service have unrestricted access to everything you store. Sure, every organization hopes it has good people who won't abuse that access, but why create the temptation?
How well did we do in meeting those goals?
- Microsoft Azure Mobile Services allows us to let you use whatever login system you prefer. It also means that we can rely on that trusted system to ensure people authenticate before they can access the service. It means that your account is as secure as whichever provider you chose when you created your account.
- Microsoft DocumentDB storage allows us to restrict access to individual records. When you create your account we have you enter your email address (which we don't keep) and a secret phrase. We use those two pieces of information to create a SHA-512 hash. We then combine that hash with the account you used to log in to our service and generate a specific identifier for your data. To us this is what "you" look like:
Think of it as your DNA footprint in our system. With WeFeel everyone is unique! That identifier is what is granted access to your specific record in our system. Because it is generated when you authenticate and regenerated each time you request data, the only way to get it is to know your email address and your secret phrase, and then also to be logged in to our system. Using this method slows login down a tiny bit, but we think it is worth it.
- Your email address is only used to generate your unique identifier. One thing we do have to be careful of is making sure that each person's record in our system is unique. We also need to be able to "find" you again if you sign in from another device. Since everyone has an email address, and every email address is unique, this gives us an easy way to do both while reducing what you have to remember. It also means that we don't need to store that email address anywhere. This is also why we use in-app purchases for payment: doing so completely separates the data we store from the information needed to bill you. Sure, we'd make more money if we did our own payment processing, but then we'd need your email address to send bills to, and we'd need a system tying the fact that you've paid to your account.
- Obfuscation makes it really hard to figure out which record belongs to which account. Remember that super long "DNA" string we use to identify you? That really is all that ties the record to your account. Yes, it does mean you cannot forget your secret phrase, because we need it to regenerate that identifier, but it also means we couldn't do something sneaky like type your email address into our algorithm and get back who you are. We need both parts. It also means the protection is only as strong as the phrase itself, since a short or guessable phrase could be tried against a known email address. This makes sure you are in control. That being said, as of the current release, there are a couple of fields we don't encrypt, and with effort they could be used to work out who you are. The first is GPS coordinates. If you choose to record exactly where you are when you write a journal entry, we'll have those coordinates in our system. That means we could put them on a map and know where you were when you wrote the entry. We still wouldn't know your name, email address, or anything else. The second is personally identifying information you write into journal entries yourself. If you write an entry that says "This is Jane Doe, and my phone number is 555-555-555" we'd be able to see that. We are considering adding encryption to that field, but it would add a lot of complexity, which often drives up costs. Currently we think most people won't be creating entries like that, but we welcome your feedback.
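As an added example (this is not WeFeel's code, which the post does not publish), here is the identifier derivation described above in Python. The post fixes only two things: a SHA-512 hash over the email address and secret phrase, then a combination of that hash with the account asserted by the login provider. Everything else here is this example's assumption: the NUL separator, trimming and lower-casing the email, HMAC-SHA512 as the combining step, and the constructed sample values. The last two functions go beyond the post: recover_phrase shows why the secret phrase has to be hard to guess when a fast hash is used, and record_identifier_slow shows a slow-KDF variant that keeps the same store-nothing property.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed sample values for the example (not real accounts).
EMAIL = "jane@example.com"
SECRET_PHRASE = "tea before dawn"
PROVIDER_ACCOUNT = "facebook:1001"   # the identity the login provider asserts


def user_secret_hash(email: str, secret_phrase: str) -> bytes:
    """Step 1 as the post describes it: SHA-512 over email address + secret phrase.

    Assumptions made here, not stated in the post: the email is trimmed and
    lower-cased so that 'Jane@Example.com' finds the same record as
    'jane@example.com', and a NUL byte separates the two inputs so that
    ("ab", "c") and ("a", "bc") cannot collide.
    """
    material = email.strip().lower().encode("utf-8") + b"\x00" + secret_phrase.encode("utf-8")
    return hashlib.sha512(material).digest()


def record_identifier(email: str, secret_phrase: str, provider_account: str) -> str:
    """Step 2 as the post describes it: combine the step-1 hash with the logged-in account.

    The post does not say how the two are combined; HMAC-SHA512 keyed with the
    step-1 hash is this example's choice. The result is deterministic, so the
    same three inputs on another device regenerate the same identifier, and no
    email address or phrase needs to be stored to find the record again.
    """
    key = user_secret_hash(email, secret_phrase)
    return hmac.new(key, provider_account.encode("utf-8"), hashlib.sha512).hexdigest()


def recover_phrase(target_id: str, email: str, provider_account: str,
                   candidates: Iterable[str]) -> Optional[str]:
    """The check a reviewer would run: plain SHA-512 is fast, so anyone holding a
    record identifier plus the email and provider account can guess phrases
    offline. This succeeds only when the phrase is in the candidate list,
    which is exactly why the phrase must not be guessable."""
    for phrase in candidates:
        if hmac.compare_digest(record_identifier(email, phrase, provider_account), target_id):
            return phrase
    return None


def record_identifier_slow(email: str, secret_phrase: str, provider_account: str,
                           iterations: int = 600_000) -> str:
    """Hardened variant (this example's suggestion, not the post's design):
    PBKDF2-HMAC-SHA512 with the provider account as the salt. Each guess now
    costs `iterations` hash computations instead of one, while still needing
    nothing stored beyond what the user supplies at login."""
    material = email.strip().lower().encode("utf-8") + b"\x00" + secret_phrase.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", material, provider_account.encode("utf-8"), iterations).hex()


if __name__ == "__main__":
    ident = record_identifier(EMAIL, SECRET_PHRASE, PROVIDER_ACCOUNT)
    print("record identifier:", ident)
    # Same person, another device, different capitalisation: same record.
    assert ident == record_identifier(" Jane@Example.com ", SECRET_PHRASE, PROVIDER_ACCOUNT)
    # Change any one of the three inputs and you land on a different record.
    assert ident != record_identifier(EMAIL, SECRET_PHRASE, "google:2002")
    assert ident != record_identifier(EMAIL, "coffee", PROVIDER_ACCOUNT)
    # A weak phrase falls to a tiny wordlist; a phrase outside the list does not.
    weak = record_identifier(EMAIL, "password1", PROVIDER_ACCOUNT)
    print("weak phrase recovered:", recover_phrase(weak, EMAIL, PROVIDER_ACCOUNT, ["123456", "password1"]))
    print("strong phrase recovered:", recover_phrase(ident, EMAIL, PROVIDER_ACCOUNT, ["123456", "password1"]))
    print("slow identifier:", record_identifier_slow(EMAIL, SECRET_PHRASE, PROVIDER_ACCOUNT)[:32], "...")
```

The provider account works as the salt in the slow variant because it is unique per user and available at every login, so the design still stores neither the email nor the phrase; the only cost is the extra fraction of a second at sign-in that the post already accepts.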
Putting it all together here’s exactly what the data looks like in our system:
"journalEntry": "Feeling really stressed today",
"journalEntry": "Today is Awesome!",
Makes perfect sense, right?