Delivery Confirmation

Once the shards have been 'sent', peers who were aware of the underlying mechanism of scuttlebutt questioned whether this was an honest statement. While the messages may have published to your local log / database, this does not mean that the messages have left the source computer.

Peers stated that this was misleading and / or obfuscating of reality. There is no guarantee the shard has actually left your computer and this inevitably would prove to be problematic.

Peers expressed a desire for, at the bare minimum, some kind of sync indicator to be shown when disconnected from other peers / offline in order to ensure that the app doesn't mislead you into believing a shard has left your computer when it actually hasn't.

Peers also expressed a desire for a confirmation that the shard has been delivered and received.

Push or Pull?

One peer suggested Dark Crystal lends itself more strongly to push notifications, rather than pull-based notifications.

In the case where a request has been sent for a shard to be returned to the originator, there is no clear indicator to the shard custodian that a request has arrived. The custodian must go searching for this information. While this was conceived of by the developers as as a strength (the onus is on the originator of the secret to actively contact their custodians to request the return of the shard), to one peer this seemed counter-intuitive.

This peer stated that due to the importance of the request, it makes sense that the custodians are notified immediately that their trusted contact is in need of their secret. Its a clear indicator to trusted contacts that either the request is genuine, or the identity of the secret originator has been compromised. In both cases it is possibly better for all parties involved to be notified of this sooner rather than later. This approach has merit. Technically it needs further consideration by the team as it runs counter to the 'pull-based' nature of Scuttlebutt.

Consent

Several peers raised the issue that currently there is no consent mechanism whereby a potential custodian of the shard can be asked if they want to actually are willing to be a custodian.

In a recent podcast about Dark Crystal, Cory Doctorow raised a possible threat model that the project faces, whereby those that are implicated in being custodians of a secret are potentially under threat from an attacker seeking to reveal that secret. This is incredibly problematic if the custodian is not a willing party in this arrangement. A clear consent mechanism is an important / necessary feature in order to ensure this application behaves up to the ethical standard to which we hold ourselves and doesn't implicate people unknowingly or unwillingly into potentially dangerous situations.

This has been a discussion throughout the process and the team is well aware of consent as a core component of the application. It was screened out in the initial implementation as it was felt by the team that it was more important to build a working prototype, and the mechanism for obtaining consent warranted further research and discussion.