search

OpenBitcoinPrivacyProject / wallet-ratings

Criteria for evaluating Bitcoin wallets' privacy properties.
GNU General Public License v2.0
47 stars 10 forks source link

Disclosure of risks to users #63

Open kristovatlas opened 8 years ago

kristovatlas commented 8 years ago

@wtogami suggested that we consider the degree to which wallet providers disclose risks to users transparently. For example, it might be helpful to let users know what party service is used for lookup queries, if one is used.

A sample "attack" might be something like: "The wallet provider misleads users about or neglects to inform users about risk X" with the "countermeasure" being informing users about risk X.

The task is to come up with a list of risk X's that we think are worth disclosing. We could also consider degrees of effectiveness of disclosure, though this is added complexity. A place to start is to simply make it binary.

Relevant criteria would likely have to be gathered in a questionnaire response from wallet providers.

JeremyRand commented 8 years ago

I've seen more than one wallet vendor (I won't name names since it's not relevant here) make claims similar to "Your transactions are anonymous." without any qualifiers. I'm not 100% sure of how to precisely quantify this as a criterion, but I think it's reasonably accurate to say that there aren't any blockchain systems that are definitely anonymous with no qualifiers, and that any wallet provider that makes such claims is harming their users' privacy (if nothing else because users who are told that they are anonymous with no qualifiers are psychologically more likely to do risky things).

There are more specific risks as well which should be disclosed, but I think the nonexistence of absolute anonymity should definitely be on the list.

kristovatlas commented 8 years ago

attack - mislead users about privacy properties

kristovatlas commented 8 years ago

The attack that has been added in the PR:

Hide adverse privacy behavior from users by not disclosing or by misrepresenting privacy risks.

The obvious countermeasure is:

Disclose privacy risks to users in a public location.

Proposed criteria:

  1. Wallet provider provides a link to our assessment of their wallet in a past report or a comparable analysis, or includes all of our material relevant to their wallet in their public document. (100) OR
  2. Wallet provider provides limited analysis of privacy risks to users. (50) OR
  3. Wallet provider does not provide any public analysis of their users' privacy risks, or they misrepresent their risk. (0)
kristovatlas commented 8 years ago

Unable to come to consensus about the countermeasure. Moving milestone.

kristovatlas commented 7 years ago

The attack will be left with an empty list of countermeasures for 3rd edition. We discussed this attack tonight and decided to try to "penalize" wallets who obviously publicly misrepresent their privacy in the blurb describing the wallet in the next report, rather than factoring it into the 3rd edition score.

We'll revisit the issue of countermeasures/criteria for 4th edition of the threat model.