
building trust through transparency

2024-11-28 · 6 min read

When we tell people that Secluso is end-to-end encrypted, the first question is always: "How do I know you're telling the truth?"

It's the right question. It's also the question most companies hope you never ask.

trust is a design problem

Most security products ask you to trust the company. Read our privacy policy. Check our certifications. Believe our marketing. This model is fundamentally broken because it requires continuous faith in an organization's goodwill, competence, and resistance to external pressure.

trust-based model
  • "we promise not to look"
  • requires ongoing faith
  • vulnerable to subpoenas
  • single point of failure
  • trust ≠ verify

verifiable model
  • "we mathematically cannot look"
  • verify once, trust forever
  • nothing to subpoena
  • distributed security
  • trust = verify

how we make it verifiable

Three principles guide our architecture:

1. open source cryptography

Our encryption implementation is fully open source. Not "source available" with a restrictive license—actually open, MIT licensed, auditable by anyone. You don't need to trust our claims; you can read the code.

// key generation (simplified)

// Export the public half in SPKI format so it can be sent to the server.
// WebCrypto always lets you export the public key of a generated pair,
// even when the pair was created with extractable = false.
async function exportPublicKey(publicKey) {
  const spki = await crypto.subtle.exportKey("spki", publicKey);
  return btoa(String.fromCharCode(...new Uint8Array(spki)));
}

async function generateDeviceKeys() {
  // Keys are generated on YOUR device
  // Private key never leaves your hardware
  const keyPair = await crypto.subtle.generateKey(
    { name: "ECDH", namedCurve: "P-384" },
    false,  // not extractable
    ["deriveKey"]
  );

  // Only public key is shared with our servers
  return {
    privateKey: keyPair.privateKey,  // stays local, never exported
    publicKey: await exportPublicKey(keyPair.publicKey)
  };
}

2. reproducible builds

Our firmware uses reproducible builds. Given the same source code, anyone can compile the exact same binary, byte-for-byte. This means you can verify that the firmware running on your device matches the audited source code.

┌────────────────────────────────────────────────────────────────┐
│                    REPRODUCIBLE BUILD FLOW                     │
├────────────────────────────────────────────────────────────────┤
│                                                                │
│  Source Code ──┬──▶ Our Build ────▶ Binary A ──┐              │
│    (public)    │                               ├──▶ Compare   │
│                └──▶ Your Build ───▶ Binary B ──┘      ✓       │
│                                                                │
│  If Binary A == Binary B, the firmware is unmodified          │
│                                                                │
└────────────────────────────────────────────────────────────────┘

3. zero-knowledge architecture

We designed our systems so we literally cannot access your data. Not "won't"—cannot. The encryption keys exist only on your devices. If the FBI shows up with a warrant, all we can hand over is encrypted blobs that are computationally infeasible to decrypt without keys we never had.

"The most trustworthy system is one that doesn't require trust."

the hard parts

This approach has real tradeoffs. Account recovery is harder—if you lose all your devices and didn't save your recovery key, your footage is gone forever. We can't help you because we can't access it. Some users will hate this.

But we think the tradeoff is worth it. The same architecture that makes recovery hard makes surveillance impossible.


We're publishing our full security architecture next month. If you're interested in reviewing it, reach out.