Securely Storing Telemetry Data In Open Source App

I’m creating an open source mobile app where the user is paid for the length of time they play certain music on their phone. I want to get telemetry for how long they were playing the music. How would I use the Safe network to store this telemetry data? Ultimately, I want to know how long each person played music, so I can pay them accordingly. Since the app is open source, I don’t want to compromise any private keys. Is this possible?

You create a public AppendOnly data which the user authorises as part of the safe.auth_app flow. They are the owner of the data, you have read-only access. On page unload (or when they skip / stop a song) you write a new index to the AppendOnly log.

Since you have read access, you can read the log for telemetry information. This is a perfect use case for the nodejs library, no worry about public / private keys, those are only stored locally on your machine, you just need to hardcode your public identity xorurl in the app.

4 Likes

Ok, let me echo back what I’m hearing.

  1. The app author creates (and therefore owns?) public AppendOnly data, which is where the log of music start & stop times will be stored.
  2. The user authorizes something (this is where I get lost)

As you can see, I’m confused, lol. Please bear with me, I’m coming from the centralized internet model, so I’m still wrapping my head around decentralized workflows. Can you dumb it down for me a bit more and explicitly state (1) who should own what, (2) who is permitting access, (3) what level of access is being permitted by whom and for whom. Thanks for your patience.

3 Likes

THank you for asking @JeromeBell .

this is something I need to get head around properly. I’m looking forward to some more clarification/advice for idiots on this.

1 Like

The primary challenge will be confirming the telemetry data is legit. If the telemetry can be tampered with, an evil actor is incentivized to game the client to send false telemetry. (This is kind of related to the Brave Browser trying to verify their users are viewing certain ads; I couldn’t immediately find information about how they go on about this though.) So, how do you know someone did indeed listen to or play the music?

SAFE Apps are agents that a user has to authorize for it to interact with the network. The SAFE App is executed client-side and can create and interact with various data type instances on the network.

Have you read the primer yet? If you have, a good start is to read the RFC about the AppendOnly type and variants. Next read the proposed RFC about data types that changes the terminology and explains key mechanisms.

2 Likes

I think about Safenet permissions as somehow similar to UNIX file permissions. Application is only a tool, that creates and manages data on behalf of it’s user. In @Shane’s scenario your app creates an AppendOnly data for Alice with full access, giving also read access to your account. Another app’s user, Bob, creates another AppendOnly data through the app, also giving access to you, because your account’s xor address is hardcoded into app.

@loziniak that makes a lot of sense. The crucial element is preventing false telemetry created by the client. How can I prevent false telemetry by the client?