In the seventh session of this 12-part series, join Status' core contributors as we discuss and debate to what degree we uphold our principles, how we can improve our performance, and what we're adding to our Wall of Shame.
Privacy:
Privacy is the power to selectively reveal oneself to the world. For us, it’s essential to protect privacy in both communications and transactions, as well as being a pseudo-anonymous platform. Additionally, we strive to provide the right of total anonymity.
Slide Deck:
Seminar Opening presentation
Seminar Index
Privacy Session Notes (reprinted below)
Youtube:
Wall of shame
- Akshi: Studio in future: think about how much info collect about users and ensuring it is minimal, email address etc
- Barry: Balance open transparent org with privacy, e.g. compensation schemes open, legit trade-off
- Graeme: if connected two people can see same person, can't act in public group under assumption of being public
- Anna: Testfairy example, should be able to control and understand consequences of what collected, paranoid mode switch off, no collect data should be possible ideally
- JB: Agree with Barry, hiring privacy of individual transparency of, public channels for discussion hiring could leak sensitive info
- Ricardo: can't filter out spam if all private, for privacy itself we can have multiple accounts (pseudo-anon)
- Sergey: relying on 3rd party service in our source code
- Sergey: if have contact can know how much funds contact have
- Shawn: marketing compelling statement vs privacy of tailor experience, GA/segment/remarketing
- Corey: tie everything to single public key, if do anything with it can understand contact code / content of wallet
- exiledsurfer: We haven't confirmed that all contributors want to be listed publicly on https://people-ops.status.im/status-direct/
- Oskar: we don't know what we are leaking
- Oskar: we don't support private transactions
- Oskar: we don't allow for multiple wallets
- Ben, Incubate open up program for entire community, respectful of some projects might not want to publicize fact that seeking funding etc
- exiledsurfer: signature principles made public, exposed keys
- Corey: we don't have copy / people don't know what privacy losing with actions taken within Status. Nabil agrees
- Ricardo: don't know consequences of exposure of privacy
Non participant
- Michele ?
- Oleksii ?
- Ganna No input (- Dani?) (- Ivan?)
...
NOTES
EFF link
[Michael] Privacy hasn't been around for millennia, it's modern.
-- Oskar disagrees :P what do you mean by this more precisely?
Define privacy:
- Anna: I define which information is shared with who.
- Barry: Bitcoin whitepaper is a good example. Satoshi chose how much of his info to share.
- Ganna: Give user the ability to reveal information
- Graeme: [sorry graeme - missed your audio]
- JB: Privacy is a wall, and I can choose what to keep within, or let outside
- Jonathan: For me, it's like a filter, that I can choose what is showing of me
- Oleksii: Something I can share with a person that I can share with myself
- Sergey: Managing of leakage/data that I don't want someone to know.
- Shawn: Who can see information about me, when can they see it, and what information can they see specifically about me.
- Iuri: Me choosing what I want to share with the world. My information should remain private unless I choose to share it.
Begin general discussion:
[Michael]
"Privacy is dead. Get over it". I chose to be a "glass man".
[Barry]
This is largest public deployment of cryptography in history.
[Corey]
Pushing forward the boundaries of cryptography as it pertains to privacy.
[Michael]
I have a fear of blockchain data being indestructible.
[Iuri]
"The right to be forgotten" brings challenges. Can be misused. Should it be possible to remove data?
[Anna]
Can separate between what the app can do, and what can happen in the real world (screenshot or sharing verbal information). But if I'm talking to a friend in a room, I want to be sure that no one is listening to that conversation. People will reveal based on what we share, and the space we are talking in.
[Ricardo]
Algorithms are safe, for now. I could collect all the data and decrypt in the future.
[Michael]
Example: Tor. Government collecting data and running traffic analysis.
[Ricardo]
It's not guaranteed that whoever sends the message is who they say they are. It may be possible to decrypt, but it may never happen.
[Barry]
Possible that an actor (nation state) can already decrypt. They wouldn't let us know.
[Oskar] Important not to be overly paranoid. Given what we currently know, it seems like this current representation is safe. If a nation state wants to target you specifically, there's not much you can do.
[Ricardo] That's important. Distinction between small individuals (hackers, criminals) and nation states.
[Corey] If someone wants to attack you, they can. It's about motivation and resources. Need to make it as difficult as possible, so they don't have motivation or resources.
[Michael] Check this article. http://files.howtolivewiki.com/cyber/blind in the panopticon.pdf
[Oskar] Mossad vs non mossad
https://www.schneier.com/blog/archives/2015/08/mickens_on_secu.html
https://www.usenix.org/system/files/1401_08-12_mickens.pdf
[Michael]
What do we feel strongly about? What guarantees should we make?
[Corey]
That your funds won't be stolen.
[Ricardo]
That you're not going to be censored.
[Oskar]
Some guarantee around darkness. What the theoretical leakage is.
[Graeme]
How is darkness measured?
[Oskar]
There's been some work in Tor and other networks. There should be metrics or research.
[Barry]
Use of our mailservers - central points within Status right now. Is there a privacy concern there?
[Oskar]
It's a trusted form of relationship.
[Ricardo]
In future, you'll subscribe to an address so the mailserver knows you want a message.
[Michael]
How will that change as we scale? Does the threat model change with the size of the network increasing?
[Oskar]
Depends where the data lives, and the specifics of how we implement it.
[Graeme]
Clearest one - amount of data used to send a message. The more "dark" the more resources it takes. More resource therefore equals darker? Adam / Dmitry knowledge on this topic.
[Michael]
What are we doing to support:
- Oskar: we don't support private transactions
- Oskar: we don't allow for multiple wallets
[Corey]
Working on allowing you to spin up multiple identities. You can choose what to share with whom. Whenever you enter a chat, you join as one of your identities. That should allow you to have better options and settings. Because we're separating the keys, we're separating the ability to see funds associated with public chats. That's a privacy gain.
[Ricardo]
Create a new type of identity that starts up every 15 mins, or every message, to make things anonymous.
[Michael]
Make a user setting to choose how long their data is retrievable? Is that doable?
[Ricardo]
I think yes, if you became a mailserver for your own message.
[Oskar]
Signal has disappearing messages. You can choose when they self destruct. Social contract. Doesn't work for me though.
[Michael]
Privacy concerns and economic concern. There's a huge amount (cat pics) that doesn't need to be perpetuated.
[Ricardo]
Introduce cryptoeconomics later.
[Michael]
Can we program in "data-destruction"?
[Oskar]
Can't guarantee it. Best-effort basis.
[Ricardo]
I think what we need are "circles of trust". Group permissions to assign data. Could have one identity for Status circle, another for family circle. Interface switching within the client.
...