diff --git a/README.md b/README.md index 8b46715..8d91810 100644 --- a/README.md +++ b/README.md 
@@ -26,6 +26,22 @@ It's built on a simple idea: feedback should be accessible to everyone, not just If someone wants more permanence - to keep their posts across devices or browsers - they can optionally register a passkey. No password, no email. Just a biometric or device PIN. Their identity belongs to them, stored on their own device, not in your database. +## 🔒 Identity, privacy, and why we don't want your email + +Most platforms demand an email address before you're allowed to speak. That email becomes a leash - used for marketing, sold to data brokers, leaked in breaches, and weaponized for account recovery attacks. Echoboard doesn't ask for it because Echoboard doesn't need it. Nobody needs it. It was never about verification - it was about control. + +Identity in Echoboard works as a spectrum. You choose how much of yourself to reveal, and you can change your mind at any time: + +**Just show up** - the moment you visit, a random token is stored in your browser cookie. That's your identity. No form, no click-through, no consent banner for data you never gave. You can vote, comment, and submit posts immediately. If you clear your cookies, that identity is gone - and that's fine. The feedback you left behind still stands on its own. Your words matter more than your name. + +**Save a recovery phrase** - if you want a safety net without committing to anything permanent, you can generate a six-word recovery phrase from the settings page. Write it on a sticky note, put it in a password manager, tattoo it on your arm - your call. If cookies get wiped, you type those six words and you're back. The phrase is hashed with bcrypt and looked up via a blind index - even we can't read it. It's single-use and expires after 90 days, so there's no permanent token sitting in a database waiting to be stolen. + +**Register a passkey** - for people who want real persistence across browsers and devices. 
Passkeys use WebAuthn - your phone's fingerprint reader, your laptop's face unlock, or a hardware security key. The private key never leaves your device. We store a public key that can verify you, but can't impersonate you. No password to forget, phish, or leak. No email to harvest. + +At every level, display names are encrypted at rest with AES-256-GCM. Lookups happen through blind indexes (HMAC-SHA256) so the database never stores plaintext names alongside user records. There is no email column in the users table. There is no phone number column. There is no "real name" column. These fields don't exist because we made a deliberate choice not to build the infrastructure of surveillance, even if we promise not to use it. The safest data is data that was never collected. + +The people who use your feedback board are helping you build better things. The least you can do is not make them pay for that privilege with their personal information. + ## 🗳️ How people use it **As a visitor**, you land on a board and immediately see what others have submitted. You can vote on things you care about, leave comments, file your own feature requests or bug reports - all without signing up for anything. A browser cookie ties your activity together for the session. Close the tab and come back later, you're still you (as long as cookies persist). 
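Review bot: the claim "The phrase is hashed with bcrypt and looked up via a blind index - even we can't read it" in the "Save a recovery phrase" paragraph is stronger than the described design supports. A six-word phrase drawn from a fixed wordlist has a bounded search space, and a deterministic blind index (HMAC-SHA256, per the later paragraph) lets whoever holds the HMAC key enumerate the wordlist combinations directly; bcrypt only slows the final verification, not the index lookup. Either state the wordlist size and resulting entropy so readers can judge the brute-force cost, or soften the sentence to something like "we store only a bcrypt hash and a keyed blind index, never the phrase itself". The same paragraph says the phrase is single-use but not that a fresh phrase must be generated after it is redeemed, which is the practical consequence a user needs to know. Finally, the "At every level, display names are encrypted at rest with AES-256-GCM" paragraph describes the ciphers but not where the AES and HMAC keys live; if they sit beside the database the "never stores plaintext names" guarantee is only as good as that separation, and a deterministic HMAC index also reveals which users share a display name. A sentence on key storage and on that equality leak would make the privacy claims precise rather than aspirational.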
@@ -185,18 +201,6 @@ To add a team member: go to Team in the admin panel, click Invite, choose a role Each team member gets a display name and optional team title (like "Product Lead" or "Support") that shows alongside their responses in the public feed. -## 🔒 Identity and privacy - -Echoboard treats identity as a spectrum, not a binary: - -**Anonymous** (default) - a random token stored in a browser cookie. Zero friction, zero data collection. If cookies get cleared, the identity is gone. - -**Recovery code** (optional) - a six-word phrase the user saves somewhere. Lets them get back to their anonymous identity if cookies are lost. Single-use, expires after 90 days. - -**Passkey** (optional) - WebAuthn biometric or device PIN. The strongest option - works across devices, no password to remember or leak. The private key never leaves the user's device. - -At every tier, the user's display name is encrypted at rest. Blind indexes allow lookups without exposing the plaintext. There is no email field, no phone number field, no "real name" field. The person decides how much of themselves to share. - ## 🧩 Plugin system Plugins extend Echoboard without modifying the core code. They're zip files uploaded through the admin dashboard - no server restart, no command line.
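Review bot: this removal renames the heading from "## 🔒 Identity and privacy" to "## 🔒 Identity, privacy, and why we don't want your email" and moves it much earlier in the file, so any existing anchor links or table-of-contents entries pointing at the old heading slug will silently break; grep the README and docs for "identity-and-privacy" before merging. The deleted tier was called "**Recovery code** (optional)" while the replacement section calls it a "recovery phrase"; pick one term and make sure the settings page UI and any other docs use the same word, otherwise users reading the README will look for a label that does not exist. The removed text also carried the concise per-tier summary ("Zero friction, zero data collection", "Single-use, expires after 90 days") that the longer new prose spreads across several sentences; consider keeping a one-line-per-tier recap so the quick-reference value of this section is not lost in the rewrite.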