Discuss and apply our principles to make product decision regarding the feature ‘Send transaction’.
We currently allow sending a transaction to anyone we come across on Status. This offers some great utility such as sending kudos in a public chat. This utility comes with a drawback:
- we expose the wallet address by default. And more than merely exposing the wallet address, we are exposing a mapping between the wallet address and what people say.
- we do not inform users that there wallet address is exposed as soon as they join any chat
I think this is unacceptable if our intention is:
“to build a secure communication tool that upholds human rights, enables community money, community law, and through privacy preserves culture.”
In the distance there are more complex solutions coming up regarding key and pofile management. This is a proposal for a short term solution.
- Remove the option to ‘Send a transaction’ for all users that have not added you to their contact list (a.k.a. Trusted user group). This option appears in the UI:
- Profile view
- Command features in chat
- Send transaction > Select recipient
- Inform users what information they share when adding someone as a contact (a.k.a. assign to a Trusted user group). As is part of the latest Profile designs.
This is not a new topic. I’ve heard many arguments in the past. Here’s my take on some, looking forward to hear more.
#1 What’s the problem?
Anyone can see what transactions you’ve made and match them to what you say, with ENS, this can be connected to who you are and by that a host of other information bits. The biggest issue in that is the fact that this mapping is exposed without consent and knowledge and required to use basic functionality of the app (chat).
#2 This is inherent to transparency on the blockchain.
Transparency of transactions is; Transparency of the mapping between transactions and what we say is not.
#3 We would lose utility, people should be able to send transactions
People still can, they would need to ask the other person to add them as a contact.
Key management, and allowing people to decide what key they use in Chat versus other activities would be a much more secure and private way to provide this utility. A utility of which we don’t know to what extend it is actually being used.
#4 You can derive the wallet address from the contact code anyway
Awareness and capability to derive the address is different from having it served to you in our UI. Mitigation of an undesireable threat doesn’t mean resolving it, but at least we are reducing a risk.