Privacy in Web Payments [Was: Re: Nigeria launches national electronic ID cards] from Steven Rowat on 2014-09-10 (public-webpayments@w3.org from September 2014)

From: Steven Rowat <steven_rowat@sunshine.net>
Date: Wed, 10 Sep 2014 10:19:29 -0700
To: Web Payments CG <public-webpayments@w3.org>
Message-ID: <54108821.1070705@sunshine.net>

[The original thread was moved by Manu to Credentials, but I think 
this aspect is more germane to Web Payments, hence the new thread.]

[I previously wrote:]
>> and that certain sockets are built into the payments code that won't
>> permit the system to function unless they are fulfilled.

On 9/9/14 6:42 PM, Manu Sporny wrote:
> Sure, for some value of "certain sockets", "won't permit", and
> "fulfilled". If you have an idea of what these values are, that would be
> helpful. Keep in mind that it's hard to define those values w/o also
> making value judgments.

True, there will be value judgments made about which ones to 
concentrate on --
but aren't we all agreed that 'some' level of privacy is important? If 
so, that's also a value judgment.

I think the main point I was attempting to make, and perhaps didn't 
express well, was that since money is fundamental to the operation of 
the world society, then there must be some level of privacy that is 
fundamental to the web payments standard -- as a design criteria. Not 
all the protection of privacy should lie in the 'credentials' arm, 
since the two things are separable.

Or to put it another way, the most important privacy, as far as 
governments, criminals, and corporations are concerned, is in the 
movement of money. Therefore they will concentrate on hacking and 
controlling that. Therefore a high degree of technological security -- 
as high as possible -- needs to be put into assuring that some 
fundamental privacy is respected in the movement of money (as well as 
in other things), unless
    a) there's legislation or a legislated court order otherwise; or
    b) there's opt-in by the owner of the data, agreeing that they can 
be 'harvested'.

Perhaps I'm mistaken about how the handshaking between the two arms 
(payments and credentials) will work, but it seems possible to me that 
unless the above is put in the web-payments protocol itself, 
credentials-only safeguards will be insufficient to prevent a 
worldwide monitoring of the payments system.

> I agree that we should make it as hard as possible to run w/o basic
> privacy considerations. In fact, I don't think it's difficult to meet
> the "basic privacy considerations" bar.

Would these include 'who paid who how much when for what'?
I'd be satisfied with that. ;-)

> The design approach we've used for much of the Web Payments specs to
> date is assuming that we're wrong and the system will be broken, and
> once it's broken, it should be easy to replace the broken bits with
> working bits w/o much effort. For example, the graph normalization and
> digital signature algorithm we use is designed to be replaced overnight
> if there is a security compromise, and we specifically did that because
> we made the assumption that people with more resources than we have will
> find a way to break it.

+1

Steven Rowat

Received on Wednesday, 10 September 2014 17:20:02 UTC