Update Scoringmodel.md
This commit is contained in:
rodič
402e6ca68e
revize
7409aad7e5
|
@ -50,13 +50,38 @@ _Reference_: https://tosdr.org
|
|||
|
||||
Reference: https://kycnot.me/about#scores
|
||||
|
||||
**On-going community research (survey) within the privacy experts - all answers on how to score services privacy (non-redacted)**:
|
||||
## *On-going community research (survey) within the privacy experts
|
||||
**all answers on how to score services privacy (non-redacted)**:
|
||||
|
||||
_Questions to be observed_
|
||||
- does it has untracebility ? (ie addresses is hidden from public ledger)
|
||||
- does it has unlinkability? (ie transactions can't be linked between each other)
|
||||
- does amount of transfer is hidden?
|
||||
- does IP address of participants hidden?
|
||||
- is it decentralized and based on opensource technology ?
|
||||
|
||||
1) much the users in control of their data disclosure? (Scale 1-10)
|
||||
2) how well commnity feedback and evaluation is built into product dev? (the less -» the more centralised it is -» the smaller the % of it staying private without the collectiv intelligence. this is like the web3privacynow - platform part actually, for sales but also i found this really relevant.
|
||||
2/b) is there a community bug / security bounty program / platform?
|
||||
3) how much transparent disclosure is avaliable on the tech and company - like smart contract audits, security audits,source of financing?
|
||||
4) how private the tech stack it uses on all layers. from hardware to l3/l4 etc. how well it is disclosed what they built on and where they host stuff, or if the tech is decentralised like nym - is there avaialbe dashboard data about this?
|
||||
5) product roadmap and release flexibiity - this is harder one, and I'm not sure it makes sense. what i mean is its also important to have a clear vision but at the same time to react to current needs / bugs / fixing vulnerabilities. maybe its redundant with no2 and no2b
|
||||
|
||||
1. What are the trust assumptions the user has by using the platform?
|
||||
2. What and how is user information stored and transmitted?
|
||||
3. How much PII is it stored/collected?
|
||||
4. How is information collected + processed + disseminated
|
||||
5. How completely you can participate with total privacy?
|
||||
|
||||
**Docs**
|
||||
- read the documentation
|
||||
- Good and comprehensive documentation
|
||||
|
||||
**Third-party analisys**
|
||||
- ask about its weaknesses from competitors
|
||||
- Number of peer reviewed articles at conferences and journals of team members
|
||||
- Where's the code, has it been audited
|
||||
|
||||
- try to trace a transaction
|
||||
- Precise description of the concrete privacy properties. Privacy is complicated so if they don't say exactly what they protect, then its likely vapor
|
||||
- Usability - for end users or in the developer experience if it is a B2B project.
|
||||
|
@ -83,3 +108,61 @@ Reference: https://kycnot.me/about#scores
|
|||
**Team**
|
||||
- ideological team
|
||||
- Reputation of team
|
||||
|
||||
- Privacy Policy content
|
||||
- Time of test and battletested code - (e.g. how BSC had passed the stress time of withdrawals with FTX drama or crypto schemes such as ECDSA with more than 2-3 decades alive)
|
||||
- If the speed in connection is too fast most probably there no privacy there and rather a direct channel between user - app
|
||||
|
||||
1) network privacy - (how do you connect to the chain? can you do it via Tor?)
|
||||
2) blockchain privacy - (do the resulting on chain transactions offer the user any on chain obfuscation?)
|
||||
3) censorship resistance - (how resistant is the project to external pressure. will the project censor you?)
|
||||
4) permission - (do I need to create an account to access the thing or is the thing open access?)
|
||||
5) custody of funds - (at any point is the user out of control of their own keys?)
|
||||
|
||||
privacy audit, number of people using it, is it famous, is it purely marketing oriented or it seems created by researcher/developers, are the developers anons?
|
||||
|
||||
**Token**
|
||||
- is there a token since the beginning ?
|
||||
- if token since beginning, weird
|
||||
|
||||
**Infrastructure**
|
||||
- How much to run a node.
|
||||
- Where are the nodes
|
||||
- Number of nodes/servers/ -> the larger the footprint the best privacy
|
||||
|
||||
1. Reliant on one encryption method or multiple
|
||||
2. Combined those encryption methods effectively (holistic solution)
|
||||
3. Decentralised throughout, including hosting
|
||||
4. Trustless- No ID required (this is where ZK's are useful I think
|
||||
5. Permissionless & accessible to all
|
||||
|
||||
|
||||
**Storage**
|
||||
- -e2e encrypted LOCAL storage
|
||||
- What user information is stored? (username, IP address, last connectino, wallets associate, etc)
|
||||
- Where is it stored? (centralized server, certain jurisdictions, on chain, in browser/local cache)
|
||||
|
||||
-no email or tel nr for signup
|
||||
-p2p / no central server
|
||||
|
||||
2) Immutability
|
||||
3) Amount of transactions
|
||||
|
||||
**Governance**
|
||||
- DAO structure (if applied)
|
||||
|
||||
Encryption /
|
||||
Metadata privacy
|
||||
|
||||
- Cost
|
||||
- Latency
|
||||
- Entropy (non-trivial to estimate, different measurements for type of service) some examples:
|
||||
- https://arxiv.org/abs/2211.04259
|
||||
- https://blog.nymtech.net/an-empirical-study-of-privacy-scalability-and-latency-of-nym-mixnet-ff05320fb62d…
|
||||
- Censorship-resistant (how hard it's for a powerful party to block/censor a given service)
|
||||
- Onboarding steps
|
||||
|
||||
Confidentiality of transactions, control over personal data, ability to hide transactional data from the public, strong encryption algorithms, and user #privacy protection policies…
|
||||
|
||||
3. How is it being transmited? (encrypted, unencrypted, offuscated, etc)
|
||||
|
||||
|
|
Načítá se…
Odkázat v novém úkolu