Privacy Issues

[mikedilger]

I am opening this issue as a general place to discuss and debate privacy issues surrounding nostr. I will post specifics once I link to it from another thread. https://github.com/nostr-protocol/nips/pull/136

[mikedilger]

I am trying to make gossip a client that is usable by people who care deeply about privacy. You can disable loading of avatars, checking of NIP-05. It does not use web rendering so there's no deep web-standards gotchas to suprise you. It works great over Tor. I don't think I'll add geospatial stuff because I don't care for it and I don't want to scare away my userbase.

That being said, I don't think adding any feature to the protocol compromises privacy. Because the protocol doesn't create privacy - privacy is something you create for yourself.

Nostr is weakly censorship resistant in the sense that you can move about to different relays and your identity is self-controlled. On nostr, anybody can post anything. That means Google and/or Facebook can post to nostr, and those posts can dox your location. There is nothing we can do to stop this... because we want censorship resistance.

Privacy is not something to require of others, it is something you must achieve for yourself. If you want to keep a secret, don't post it. If you want to hide your location, use Tor and don't leak it. Only use clients that honor your wishes.

Enabling geolocation tags or events does not change this state of affairs.

[mikedilger]

I thought for a little bit that maybe each NIP could have a section listing known privacy concerns, like NIP-01 could mention that metadata pictures might be used for tracking, could contain malicious content or could be infinitely sized. But if we did make such lists, I think there's a real risk people would (even if they knew better) come to believe that if they tick off all the items on all the privacy lists that they now have a privacy-aware client, and I'm not so sure we could make lists that are complete. So I'm not so sure.

[ghost]

I am opening this issue as a general place to discuss and debate privacy issues surrounding nostr. I will post specifics once I link to it from another thread. #136

Thanks for creating this issue.

I am trying to make gossip a client that is usable by people who care deeply about privacy. You can disable loading of avatars, checking of NIP-05. It does not use web rendering so there's no deep web-standards gotchas to suprise you. It works great over Tor. I don't think I'll add geospatial stuff because I don't care for it and I don't want to scare away my userbase.

I appreciate that you care about privacy of users. I have tried gossip but would use it more often now.

Privacy is not something to require of others, it is something you must achieve for yourself. If you want to keep a secret, don't post it. If you want to hide your location, use Tor and don't leak it. Only use clients that honor your wishes.

Enabling geolocation tags or events does not change this state of affairs.

I have shared my opinion in this comment a few minutes back:

https://github.com/nostr-protocol/nips/pull/136#issuecomment-1404685267

I thought for a little bit that maybe each NIP could have a section listing known privacy concerns, like NIP-01 could mention that metadata pictures might be used for tracking, could contain malicious content or could be infinitely sized. But if we did make such lists, I think there's a real risk people would (even if they knew better) come to believe that if they tick off all the items on all the privacy lists that they now have a privacy-aware client, and I'm not so sure we could make lists that are complete. So I'm not so sure.

Concept ACK. I like the idea of having a privacy section in most NIPs for privacy recommendations.

[xz-cn]

I like the idea of adding privacy-related section in an NIP. It makes people aware of the privacy challenge one NIP may introduce.

[ghost]

I am opening this issue as a general place to discuss and debate privacy issues surrounding nostr.

In my opinion the biggest problems of nostr are these:

• Clarify the relay role regarding other relays
• Key distribution, rotation, and recovery
• faq: general security/privacy issues
• A very simple idea to solve the "key revocation" problem
• Sensitive content needs to be handled better (NIP-36 & elsewhere)
• Stateless key rotation using a series of hidden commitments
• 🙏Q&A: How to recover data
• relay migration documentation
• Clarifications needed about Censorship Resistance claims
• Clarify incentives to run relays in FAQ
• Keys security
• Remove the need of third party relays
• Feature: Public-Key-Inherit
• Key rotation

I will post specifics once I link to it from another thread.

it would be interesting to create a label with the word: "privacy/security issue". For example,