W3P: 3 Title: Privacy features audit concept for security audit organizations & whitehackers (research) Status: preparation Type: Research Created: 2023-10-01
90%+ of the privacy services in web3 lack basic security audit. High risk for anyone using them without a third-party attestation. At the same time, security audit companies aren't focused on privacy features but analyze smart contracts etc. So we want to increase the "security" levelling of the privacy services by facilitating new kinds of Privacy features attestation by white hackers (working for companies or themselves).
This will significantly protect the general public from compromised services with backdoors, poor code execution & false privacy claims. Meanwhile, it will prove privacy claims from the broader community, contributing to the latest encryption, ZK-research & other privacy-tech execution concepts.
| Feature | Observation |
|---|---|
| Selected privacy technology maturity | latest, old (outdated) etc |
| Selected privacy technology delivery | state of the privacy tech: test-net, poor code execution etc |
| Default privacy | enabled, not; requires sigh-in, consent etc |
| Privacy policies (data collection policies) | what data is collected & why; marking non-essential data collection practices |
| Non-consent data collection practices | IP, wallet, balance etc |
| Anonymity set | "data profile" service reveals/knows about you & how it cares about your anonymity set |
| Third-party privacy tech maturity | If service is a part of ecosystem - security audit company comments on core tech privacy (Ethereum, Waku etc) |
| Traceability | How traceable are transactions (if applicable) |
| Decentralization | permission, permissionless etc |
| Feature | Observation |
|---|---|
| Privacy risk | low, medium, high |
- there's a thin line between privacy & security, so we approach it like this: if privacy is compromised -> it becomes a security issue (threat)
- some privacy observations are ethical (like "compliance"), so tech companies couldn't say it's "good" or "bad" -> we will just highlight them on our public platform (like KYC, team reputation etc)
- Community member: discuss - Join Signal group, do - make Pull Request here
- Privacy organization: donate - Contact, do - make Pull Request here
- Security audit company: reflect - Join Signal group, do - make Pull Request here