Privacy model

The privacy model was designed with the following objectives in mind:

  1. A user can synchronize data between devices with confidence that no one else can read it.
  2. The user’s data must remain encrypted irrespective of the integrity and competency of the hosting company.
  3. A user can share and revoke access to the data with persons of their choice.
  4. Manipulation of the communication link between user and service host must not expose the user’s data.
  5. The cryptographic software must be well-regarded.

Synchronization privacy

Ensuring privacy while synchronizing data via the Internet requires encryption on the user’s device. Data must never be transmitted unencrypted.

Untrusted host

The host service cannot be trusted to keep users' data confidential under every possible circumstance. This assumption requires that the encryption key be physically unobtainable by the hosting company. The key must never leave the user's care.

Sharing privacy

Giving selective access to one's data requires sharing encryption keys. Public key encryption is used to achieve this without distributing users' private keys.
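The three objectives above (encrypt on the device, keep the key from the host, share and revoke through public keys) fit one pattern, which is also how GPG handles several `-r` recipients: the data is encrypted under a fresh symmetric data key, and that data key is wrapped once per recipient public key. The Go program below is an added illustration of that pattern using only the standard library; it is not Selective Share's code and it is not GPG. The names `Envelope`, `Seal`, `Open` and `Demo`, the users alice, bob and carol, and the sample note are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is everything the untrusted host gets to store: the ciphertext and
// one copy of the data key wrapped to each authorised recipient's public key.
// Neither a private key nor any plaintext is ever part of it.
type Envelope struct {
	Nonce       []byte
	Ciphertext  []byte            // AES-256-GCM over the user's data
	WrappedKeys map[string][]byte // recipient name -> RSA-OAEP(dataKey)
}

// Seal runs on the user's own device: draw a fresh data key, encrypt the
// plaintext with it, wrap the data key for every recipient public key.
// Revoking someone means sealing again with that recipient left out, so the
// rotated data key is never wrapped for them.
func Seal(plaintext []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
		WrappedKeys: make(map[string][]byte, len(recipients))}
	for name, pub := range recipients {
		// The OAEP label binds each wrapped key to its recipient name.
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, []byte(name))
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[name] = w
	}
	return env, nil
}

// Open runs on a recipient's device with a private key that never left it.
// Anyone without a wrapped copy of the data key gets an error, not data.
func Open(env *Envelope, name string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := env.WrappedKeys[name]
	if !ok {
		return nil, errors.New("no access: data key is not wrapped for " + name)
	}
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, w, []byte(name))
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Demo shares a constructed note with alice, bob and carol, then revokes carol
// by re-sealing for alice and bob only, and reports who can read the result
// and whether the stored blob leaks plaintext.
func Demo() (aliceReads, bobReads, carolDenied, hostBlind bool, err error) {
	privs, pubs := map[string]*rsa.PrivateKey{}, map[string]*rsa.PublicKey{}
	for _, name := range []string{"alice", "bob", "carol"} {
		k, e := rsa.GenerateKey(rand.Reader, 2048)
		if e != nil {
			return false, false, false, false, e
		}
		privs[name], pubs[name] = k, &k.PublicKey
	}
	note := []byte("constructed sample: notes synced from alice's laptop")
	shared, err := Seal(note, pubs) // first version, readable by all three
	if err != nil {
		return
	}
	if got, e := Open(shared, "carol", privs["carol"]); e != nil || !bytes.Equal(got, note) {
		return false, false, false, false, errors.New("carol should read the first version")
	}
	delete(pubs, "carol")            // revoke carol ...
	rotated, err := Seal(note, pubs) // ... by rotating the data key for the rest
	if err != nil {
		return
	}
	a, e1 := Open(rotated, "alice", privs["alice"])
	b, e2 := Open(rotated, "bob", privs["bob"])
	_, e3 := Open(rotated, "carol", privs["carol"])
	return e1 == nil && bytes.Equal(a, note), e2 == nil && bytes.Equal(b, note),
		e3 != nil, !bytes.Contains(rotated.Ciphertext, note), nil
}

func main() {
	a, b, c, h, err := Demo()
	fmt.Println("alice:", a, "bob:", b, "carol denied:", c, "host blind:", h, "err:", err)
}
```

The host only ever stores an Envelope, so objectives 1, 2 and 3 hold without the host being trusted. The caveat a practitioner should keep in mind is that revocation is forward-looking only: the re-sealed envelope is unreadable to carol, but any earlier envelope she already fetched and decrypted stays readable to her, exactly as with GPG-encrypted files.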

Communication link

A successful man-in-the-middle attack on the connection can modify any HTML/JavaScript application running in a browser so that it reveals a user's data. The Selective Share agent is implemented as a standalone command line application to prevent such undetected modification.

NOTE: This applies to communication between the sltv agent and the data hosting service. Apps running inside a browser face a similar issue which must be dealt with separately.

Crypto software

GPG was selected as the cryptographic tool.