Zbay applied for a ZF grant! Any feedback on our proposal?

Zbay has just applied for a ZF grant to support journalists and whistle-blowers by building the most secure and convenient way to communicate without revealing one’s identity.

We are extremely excited about this, and would love to get feedback on our proposal. Would anyone like to share their thoughts or questions?

To summarize it here, the core deliverables are:

  1. Light-wallet support in Zbay, so that users don’t have to download gigabytes of blocks to send their first message.
  2. Improvements to the existing Tor integration, so that Zbay connects via Tor by default and provides comparable protection to posting to a website using Tor.
  3. Rebranding and reworking our site to emphasize private, high-stakes communication.
  4. Making our roadmap and issue tracker public and improving the experience of contributing to Zbay for developers and volunteers outside our team.

We’ll also be running a series of public interviews with journalists, artists, activists and other notable folks in Zbay—over Zcash encrypted memos—to glean usability insights and (we hope) bring more attention both to our project and to Zcash as a platform.

Once these objectives are reached there will still be much more work to be done, but we believe we’ll have a minimum viable product for secure communication that is as anonymous in principle as other Tor-based options but more convenient and easy-to-use, which is a big deal! From there we’d prepare for a security audit, pursue other sources of funding, and add features like multiple identities, account recovery, an integrated fiat on-ramp, and more.

Trying Zbay and seeing what we’ve built so far might be helpful for evaluating our proposal. Even though it’s a full node, sync happens fairly quickly as long as you have the disk space, and we even send you a few cents in ZEC to get started. We’ve been working on making it as compatible as possible with ZECwallet, too. Here’s the link! Just sign up for the beta and we’ll send you download links for each platform: https://zbay.app. You can also see our work on GitHub and Figma.

Here’s the link to our proposal, and again, feedback from all of you would be extremely helpful!

6 Likes

I love the direction that zbay is going in, there are lots of interesting ideas and considerations at play. One thing in particular though concerns me about this application.

> support journalists and whistle-blowers by building the most secure and convenient way to communicate without revealing one’s identity.

This is a very bold claim - the risk profile for journalists communicating with sources has very deep roots and lots of potential pitfalls, pivoting a marketplace app to one that is suitable for such a risk model - especially in such a short time period - seems like it needs further thinking through.

> Once these objectives are reached there will still be much more work to be done, but we believe we’ll have a minimum viable product for secure communication that is as anonymous in principle as other Tor-based options but more convenient and easy-to-use, which is a big deal!

I wouldn’t be comfortable in taking a minimal-viable product approach - especially when considering the security of products like SecureDrop that have gone through such intense real world testing and consider a large variety of potential threats.

I would strongly suggest that the timeline for this grant is reevaluated to include a period of threat modelling up front in line with the journalist interviews to really drive the requirement set and feature prioritization - and toning down the security and privacy claims until they can be backed up - and to explicitly include the cost of external review - if this is a direction to move forward in then it is worth doing right.

Not that I don’t love the ambition inherent in joining together funding and source communication, and all the other potential directions this project could go in, but if we want to be taken seriously then we must take these threat models seriously.

3 Likes

@sarahjamielewis I agree completely with all of these points, and I’m really grateful for you taking time, as a leader in this space, to lay them out here.

I’m completely open to reworking the proposal along the lines you recommend. Interviews with journalists and organizations that provide security tools to journalists are already something we’ve been working on, and I agree that making these interviews, threat modeling, and external review an explicit part of the proposal makes it more complete.

It might mean splitting the project into two phases and re-applying for a second grant for a later phase, but I expect that this would be alright.

Would you be open to having a look at draft changes and providing feedback?

2 Likes

Definitely. Feel free to send them my way.

2 Likes