How StreetWitness Works

Access is controlled by invite codes, but the system is designed so it cannot link an invite code to the person who used it.

When you redeem an invite code, your device creates a random secret and cryptographically blinds it — a transformation that hides its content. The server signs this blinded secret without ever seeing what it signed. Your device then unblinds the result to get a valid access token.

The server can verify the token is legitimate, but it cannot connect it back to the invite code that produced it. This is called a blind signature (RSA-BSSA, RFC 9474). It's the same principle behind privacy-preserving digital cash.

Almost nothing, by design:

• ✓No IP logging — your IP address is never stored or logged
• ✓No cookies or analytics — zero tracking scripts, no telemetry, no third-party code
• ✓No accounts — access tokens are the only credential, and they're unlinkable
• ✓GPS reduced to a coarse grid — coordinates are snapped to a 0.0025deg grid cell (~175-278m depending on latitude), placing videos at block/neighborhood level rather than a specific address
• ✓Video metadata stripped — device info, timestamps, and GPS tags embedded in the video file are removed during processing
• ✓No persistent browser fingerprinting — the server derives an in-memory rate-limit key from user-agent + accept-language and does not store it with videos

Even if the database were seized, there is no mapping from videos to uploaders.

Videos are stored on IPFS — a decentralised, content-addressed network. Every file gets a unique fingerprint (called a CID) based on its content. The same file always produces the same fingerprint, which makes tampering detectable and content independently verifiable.

Anyone with a CID can fetch the content from the IPFS network. No special permissions, no API keys, no dependence on StreetWitness servers.

Storage is replicated across multiple providers for redundancy — a self-hosted IPFS node plus third-party pinning services.

The archive survives. Every video and its metadata exists on IPFS, independent of this server. Database backups are also pinned to IPFS and published to permanent, public addresses (IPNS names).

If this server disappears, anyone can:

1. Resolve the public IPNS names to find the database index
2. Download the database backup from IPFS
3. Query it for every video's content fingerprint
4. Fetch every video directly from the IPFS network

The entire archive is independently verifiable and reconstructable by any third party. No cooperation from the operator is needed.

Everything you need is public. No cooperation from the operator is required.

1. Source code

Clone the repository from codeberg.org/MintyMagpie/streetwitness. Licensed under AGPL-3.0— if you run a modified version as a service, you must publish your changes.

2. Database recovery

Database backups rotate across 7 public IPNS addresses. Resolve any of them to find the latest backup CID, then fetch the PostgreSQL dump from IPFS:

3. Resolve and restore

4. Run your own instance

No proprietary dependencies. The entire stack is Docker Compose + open-source software.

Videos are uploaded as a chain of small chunks. Each chunk contains a pointer to the previous chunk's content fingerprint, forming a self-authenticating chain with no session IDs, no user IDs, and no cookies.

Each chunk proves its position in the sequence by referencing the one before it. The server stores only the chain data — it cannot associate chunks with a particular person.

If a recording is interrupted — phone smashed, connection lost, app crashed — the chunks already uploaded are not lost. An automated recovery process finds orphaned chains and assembles whatever footage exists into a published video.

Evidence is preserved even when the person recording cannot complete the upload.

Right now, all videos are publicly viewable, so access tokens are not required to watch. That means there is no per-user account/session trail for viewing.

When access tokens are used, they rotate per request: the server validates the current token and signs a new blinded one in the same exchange. This is designed to prevent stable session linkage and viewing-history correlation.

Not yet. Current privacy protections focus on unlinking videos from uploaders; the video content itself is stored unencrypted on IPFS.

Planned: every video sealed on upload and automatically released into the public record after 2 weeks. The seal is enforced by threshold encryption on the TaCo network — a cohort of independent nodes where no single party can decrypt alone. Once an upload is scheduled for release, that release cannot be cancelled, delayed, or suppressed. Not by us, not by a court order served on the operator, not by the people in the footage. The decision is fixed the moment the upload lands.

Two weeks is chosen deliberately:

• Witnesses have time to get somewhere safe before footage is public and identifiable.
• Journalists can verify and report responsibly, instead of the first 15-second clip defining the story.
• Lawyers have time to file complaints and preserve parallel evidence (bodycam requests, witness statements) before public attention lands and institutions have reason to stonewall.
• Officers' own written reports of an incident exist on the record before the footage contradicts them. Any falsehoods in those reports are already signed and filed by the time the video drops.

Early access before the 2 weeks expire will be available to press, researchers, and legal teams via paid tokens (BTC, ETH, XMR) or invite codes. This funds the platform without affecting the guaranteed public release.

This is in development, not live. Honest caveat on the planned design: your location is already truncated on your own device before upload, so the server never sees your real GPS. The server will, however, still briefly see video pixels during processing (to compress and re-encode), then encrypt the result and discard the plaintext. This is not end-to-end encryption — it is encrypted-at-rest with a trusted processing window on the server.

Yes. The entire system is open-source with no proprietary dependencies. Anyone can clone the repository, configure a handful of environment variables, and run their own instance.

Because content is stored on IPFS, separate instances can access the same videos by CID. A future goal is federation — multiple instances sharing content automatically.