OpenBitcoinPrivacyProject / wallet-ratings

Criteria for evaluating Bitcoin wallets' privacy properties.
GNU General Public License v2.0

break up criteria V B 1 a (2nd edition) for PII into multiple criteria #86

Open kristovatlas opened 8 years ago

kristovatlas commented 8 years ago

Since this criterion is currently weighted and there is a variety of forms of PII that can be collected, I'd suggest we might want to break this down a bit more.

Worst: Require specific and necessarily sensitive PII, such as a social security number, verified address, etc.
Best: Require no PII.

Grey areas in between: Require an email address. It's possible to generate an ephemeral email address, even via Tor, but the average user doesn't know how to do this and will just supply their dumb firstnamelastname@gmail.com address.

An additional grey area: Require user to enter something that looks like an email address, but do not require the user to verify it by e.g. clicking on a link in an email.

Another: Require a phone number that can receive SMS. Some services will allow you to use free virtual SMS numbers as a throwaway, but others won't. In general, it is much more expensive to purchase a "burner"/ephemeral phone for SMS than it is to create an ephemeral email address.

My proposed scoring for this might look something like this. Choose the highest watermark of information that is required upon account creation.

https://en.wikipedia.org/wiki/Personally_identifiable_information

Group A: Highly sensitive, validated information: SSN, National Identification Number, Verified Full Name, Verified Mailing Address of Residence or Business, Passport number, vehicle registration number, driver's license number, biometric data, verified credit card number, verified SMS number with common free virtual SMS numbers blocked (any of first 5 tries blocked)

Group B: For most users, directly tied to their personhood, but can be created ephemeral easily: verified email address, date of birth, birthplace, verified SMS number without common free virtual SMS numbers blocked (none of first 5 tries blocked)

Group C: For most users, directly tied to their personhood, but can be lied about easily: unverified email address, unverified zip/postal code, unverified gender, unverified race

100: Require no PII when creating a new wallet
50: Group C
25: Group B
0: Group A

dcousens commented 7 years ago

I think it should be a weighting based on the perceived entropy of that information, added together. Requires more measurement work though.

kristovatlas commented 7 years ago

@dcousens since we've ACK'd https://github.com/OpenBitcoinPrivacyProject/threat-model-scoring-system/pull/6 , let's revisit that thought for the 4th edition