Re: Privacy in Web Payments [Was: Re: Nigeria launches national electronic ID cards]

On 09/10/2014 01:19 PM, Steven Rowat wrote:
> [The original thread was moved by Manu to Credentials, but I think
> this aspect is more germane to Web Payments, hence the new thread.]


> On 9/9/14 6:42 PM, Manu Sporny wrote:
>> Sure, for some value of "certain sockets", "won't permit", and 
>> "fulfilled". If you have an idea of what these values are, that
>> would be helpful. Keep in mind that it's hard to define those
>> values w/o also making value judgments.
> True, there will be value judgments made about which ones to
> concentrate on -- but aren't we all agreed that 'some' level of
> privacy is important? If so, that's also a value judgment.

You're right, it is.

> I think the main point I was attempting to make, and perhaps didn't 
> express well, was that since money is fundamental to the operation
> of the world society, then there must be some level of privacy that
> is fundamental to the web payments standard -- as a design criteria.
> Not all the protection of privacy should lie in the 'credentials'
> arm, since the two things are separable.

+1, I think those that are designing the specs are in agreement with that.

> Or to put it another way, the most important privacy, as far as 
> governments, criminals, and corporations are concerned, is in the 
> movement of money. Therefore they will concentrate on hacking and 
> controlling that. Therefore a high degree of technological security
> -- as high as possible -- needs to be put into assuring that some 
> fundamental privacy is respected in the movement of money (as well as
> in other things), unless a) there's legislation or a legislated court
> order otherwise; or b) there's opt-in by the owner of the data,
> agreeing that they can be 'harvested'.


> Perhaps I'm mistaken about how the handshaking between the two arms 
> (payments and credentials) will work, but it seems possible to me
> that unless the above is put in the web-payments protocol itself, 
> credentials-only safeguards will be insufficient to prevent a
> worldwide monitoring of the payments system.

That is correct. See a recent discussion we had on the telecon about
this and digital receipts:

>> I agree that we should make it as hard as possible to run w/o
>> basic privacy considerations. In fact, I don't think it's difficult
>> to meet the "basic privacy considerations" bar.
> Would these include 'who paid who how much when for what'? I'd be
> satisfied with that. ;-)

Yes, it would certainly include that in principle. The devil is in the

For example, we can certainly mask the payer's identity from the payee,
but we can't necessarily mask the item that was purchased from an offer
that includes multiple payees. That is, if there were 20 payees that
should get paid when a particular widget is sold, none of those 20
payees will know who the buyer is, but they will know what the buyer
purchased. Is that a bad thing? I don't think we've explored that in depth.

So, while our hearts may be in the right place here, we still need to
ask these sorts of questions of the community and see what possible
attacks a payee could launch given this information.

-- manu

Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Marathonic Dawn of Web Payments

Received on Friday, 19 September 2014 01:11:17 UTC