Yeah, I've thought a lot about it. In theory, there's nothing you can really do to keep private data private once it's published — someone can always take a screenshot of your note. There are a variety of techniques that can help in practice though:
- Use AUTH to implement read access
- Use NIP 70 to ask other relays not to store your events
- Strip signatures (this is the nuclear option, it basically breaks nostr, but could be used in specific situations)
- Encrypt your content
- Use clients that are smart about replicating stuff
- Include relay urls in events and have both relays and clients validate that the event came from the designated relay (this isn't done anywhere, but I may use it for flotilla).
hodlbod /
npub1jl…jynqn
2024-10-10 19:23:00
in reply to nevent1q…3xz5
Author Public Key
npub1jlrs53pkdfjnts29kveljul2sm0actt6n8dxrrzqcersttvcuv3qdjynqnPublished at
2024-10-10 19:23:00Event JSON
{
"id": "01814f49e16cf781e5790a07c0529905773ad1d61d3b3a31e5702b9a34af0d35",
"pubkey": "97c70a44366a6535c145b333f973ea86dfdc2d7a99da618c40c64705ad98e322",
"created_at": 1728588180,
"kind": 1,
"tags": [
[
"p",
"da18e9860040f3bf493876fc16b1a912ae5a6f6fa8d5159c3de2b8233a0d9851",
"wss://relay.damus.io/",
"Dustin"
],
[
"e",
"dc36d36ecf1fb0e126010291014f82cf8096df384c545ec46fcd8e20b8e025fc",
"wss://relay.damus.io/",
"root"
],
[
"e",
"2204683610d6e3cc92636e36b739d41094331e9efe307fa8a63656e2b3a3dfe5",
"",
"mention"
],
[
"e",
"e9d2c918098789135ee1d33359eb10f070917d55ab1f5b828ad4fe59fb355d9c",
"wss://relay.damus.io/",
"reply",
"da18e9860040f3bf493876fc16b1a912ae5a6f6fa8d5159c3de2b8233a0d9851"
],
[
"client",
"Coracle",
"31990:97c70a44366a6535c145b333f973ea86dfdc2d7a99da618c40c64705ad98e322:1685968093690"
]
],
"content": "Yeah, I've thought a lot about it. In theory, there's nothing you can really do to keep private data private once it's published — someone can always take a screenshot of your note. There are a variety of techniques that can help in practice though:\n\n- Use AUTH to implement read access\n- Use NIP 70 to ask other relays not to store your events\n- Strip signatures (this is the nuclear option, it basically breaks nostr, but could be used in specific situations)\n- Encrypt your content\n- Use clients that are smart about replicating stuff\n- Include relay urls in events and have both relays and clients validate that the event came from the designated relay (this isn't done anywhere, but I may use it for flotilla).",
"sig": "915344c2a790781a30122f7ed2e0fcbc1f1eb12e642dd9630cb0a7f01b64c451ed7a696c74737d741a0da6e9b0a9336acc37f1bbf97fe5440f8652a1f14cb161"
}