put note about responsible offline usage

[derhuerst]

Thanks for building a tool that will hopefully help the public hold government forces accountable!

As the deployed version is a public website, it could send your unscrubbed images to a server, exposing people in the photos as well as your IP, browser fingerprint, etc.

• We should use a Content-Security-Policy of default-src 'self' (and probably a few more directives) to limit the attack surface for creepy middleware (like misbehaving antivirus systems, browser extensions, router-based spyware, etc).
• We should explain people that this is a website, and that they should download it to their computer (what about the phone?) and use it offline. This does not prevent all possible ways data could leak (e.g. service workers uploading later), but it's a first step.
• We should link to trustworthy tools, especially mobile apps, for doing this offline.

[derhuerst]

More discussions & background info on privacy implications can be found in the corresponding HN thread.

[everestpipkin]

Thank you, useful notes and I agree! Will work on this.

[everestpipkin]

Closing this as we've implemented most of these suggestions. :)