How StreetWitness Works

Access is controlled by invite codes, but the system is designed so it cannot link an invite code to the person who used it.

When you redeem an invite code, your device creates a random secret and cryptographically blinds it — a transformation that hides its content. The server signs this blinded secret without ever seeing what it signed. Your device then unblinds the result to get a valid access token.

The server can verify the token is legitimate, but it cannot connect it back to the invite code that produced it. This is called a blind signature (RSA-BSSA, RFC 9474). It's the same principle behind privacy-preserving digital cash.

Almost nothing, by design:

• ✓No IP logging — your IP address is never stored or logged
• ✓No cookies or analytics — zero tracking scripts, no telemetry, no third-party code
• ✓No accounts — access tokens are the only credential, and they're unlinkable
• ✓GPS reduced to ~100m — coordinates are truncated to 3 decimal places before storage, placing videos at the block level rather than a specific address
• ✓Video metadata stripped — device info, timestamps, and GPS tags embedded in the video file are removed during processing
• ✓Browser fingerprint minimised — your user agent is reduced to just the browser family (Chrome, Firefox, Safari)

Even if the database were seized, there is no mapping from videos to uploaders.

Videos are stored on IPFS — a decentralised, content-addressed network. Every file gets a unique fingerprint (called a CID) based on its content. The same file always produces the same fingerprint, which makes tampering detectable and content independently verifiable.

Anyone with a CID can fetch the content from the IPFS network. No special permissions, no API keys, no dependence on StreetWitness servers.

Storage is replicated across multiple providers for redundancy — a self-hosted IPFS node plus third-party pinning services.

The archive survives. Every video and its metadata exists on IPFS, independent of this server. Database backups are also pinned to IPFS and published to permanent, public addresses (IPNS names).

If this server disappears, anyone can:

1. Resolve the public IPNS names to find the database index
2. Download the database backup from IPFS
3. Query it for every video's content fingerprint
4. Fetch every video directly from the IPFS network

The entire archive is independently verifiable and reconstructable by any third party. No cooperation from the operator is needed.

Videos are uploaded as a chain of small chunks. Each chunk contains a pointer to the previous chunk's content fingerprint, forming a self-authenticating chain with no session IDs, no user IDs, and no cookies.

Each chunk proves its position in the sequence by referencing the one before it. The server stores only the chain data — it cannot associate chunks with a particular person.

If a recording is interrupted — phone smashed, connection lost, app crashed — the chunks already uploaded are not lost. An automated recovery process finds orphaned chains and assembles whatever footage exists into a published video.

Evidence is preserved even when the person recording cannot complete the upload.

Access tokens rotate on every request. Each time you load a video, your device swaps the current token for a new one using the same blind signature scheme as the initial invite.

The server validates your current token and signs a new blinded one in a single exchange. It cannot correlate requests into a session or build a viewing history. Every request looks like it comes from a different person.

Not yet. End-to-end encryption is planned using threshold access control (TaCo), which would encrypt video in the browser before upload so the server never sees the content in the clear.

Threshold encryption means no single key holder can decrypt — a minimum number of independent nodes must participate. This prevents any one party from being compelled to hand over a decryption key.

This is in development. Today, videos are stored unencrypted on IPFS. Privacy protections currently focus on unlinking videos from uploaders, not encrypting the video content itself.

Yes. The entire system is open-source with no proprietary dependencies. Anyone can clone the repository, configure a handful of environment variables, and run their own instance.

Because content is stored on IPFS, separate instances can access the same videos by CID. A future goal is federation — multiple instances sharing content automatically.