[NayamAmarshe]

On the privacy front, we're never going to compromise the user data, never going to sell it, never going to share it with anybody else. We'll be making writedown self-hostable as well.

On the security front, we're using firebase firestore as the database. So at rest, it's well encrypted.

We're thinking of introducing some sort of encryption via passwords (kinda how I already am doing it on https://maglit.me). E2EE would be quite difficult and would affect the usability.

[laurent123456]

Is encryption at rest that useful? These days it's trivial to enable full disk encryption on most systems so it's not so important what individual apps are doing.

E2EE is definitely important however, personally I wouldn't use a journaling app that doesn't have this. In which way would it affect usability?

[NayamAmarshe]

Here's some more information about the encryption: https://cloud.google.com/firestore/docs/server-side-encrypti...

> In which way would it affect usability?

Cloud sync would be quite difficult and I'd like to avoid the backup-restore game that most other apps don't seem to mind, because writedown's focus is on reducing complexity for people.

I'm not someone who uses Notion, I find it rather complicated and most apps that I've tried just try to do too much. Telegram is great for storing notes but it doesn't support markdown.

Handling the keys with E2EE is a big challenge. There's not a normal way to use E2EE without affecting the sync capabilities, login capabilities, offline capabilities or usability.

[laurent123456]

There would be extra complexity for sure, especially with key management, but I don't think it would affect sync much. It's end-to-end so by definition it should only happen client-side, and instead of sending plaintext to the cloud your send the ciphertext.

[NayamAmarshe]

Yep, it's a good challenge too. I'm not giving up on the idea of E2EE, of course. Just trying to find ways to do it so that there are no compromises with usability.

[ohgodplsno]

Considering you use Firebase,"we're never going to sell your data" is something I've heard a lot, until the first Firebase invoices come in.

[anaganisk]

The problem with Firebase I've seen is not the E2EE but rather the ACLs being set. There have been 10s of websites that were exposed to public, that have been exposed in the recent past. Not to claim you are doing something wrong, just a caution to anyone who uses firebase.

[NayamAmarshe]

Yes, you're not wrong. The Firebase rules have to be perfect for the app to be secure. Thanks for the heads-up, we'll make sure our rules are perfect :)