diff --git a/docs/CARD_PRIVACY.md b/docs/CARD_PRIVACY.md index 9178b6f..6d6af6d 100644 --- a/docs/CARD_PRIVACY.md +++ b/docs/CARD_PRIVACY.md @@ -1,6 +1,10 @@ # Card Privacy -## Brief +## Payment tracking + +This document describes the different levels of privacy possible with bolt card implementations. + +## Card NDEF The URI that is programmed into the card and returned as the NDEF consists of three parts. 1. The static part 
@@ -23,7 +27,32 @@ lnurlw://card.yourdomain.com/ln?p= &c= | encrypted | unique id and counter values encrypted by the card | | authentication | a value to authenticate that the entire URI is as generated by the card | -## NXP NTAG424DNA features +## Card privacy levels -## Implementation +In order for the system to work, the card must provide the point-of-sale with a URL for the backend server. +For maximum privacy, it should not be possible for the point-of-sale to identify the card any further than this. +Unfortunately, early implementations do not have this fully built out. + +You can check your card/s by reading the NDEF value (e.g. with the NXP TagInfo app) to check for a static identifier or a static UID value. This will enable you to find the level of privacy that has been implemented on creating the card. + +### Minimal privacy (aka tracker) + +An identifier is included in the static part of the lnurlw. +This is used on the server side to look up the decryption key and the authentication key per card. +This is how early systems were implemented and allows the point-of-sale devices to track the use of the card. + +### Good privacy + +There is no identifier included in the static part of the lnurlw. +This is made possible by holding the decryption key at database level. +The authentication key is still recorded per card. + +This protects against leaking of point-of-sale databases and log files, however, a untrustworthy point-of-sale could still obtain the card UID using proprietary NXP commands. + +### Best privacy + +There is no identifier included in the static part of the lnurlw. +In addition, the UID field is made inaccessible by NXP proprietary commands by using the Random ID feature. + +This protects against individual card tracking by trustworthy and untrustworthy point-of-sale systems.
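Review bot: the new `## Payment tracking` heading in the first hunk is followed only by the sentence "This document describes the different levels of privacy possible with bolt card implementations.", which introduces the whole document rather than saying anything about payment tracking; either move that sentence directly under `# Card Privacy` as the intro or rename the heading to something like `## Overview`. Also check the capitalisation of "bolt card" against the rest of the docs, since the title uses "Card Privacy".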
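Review bot: in the "Good privacy" section, "This is made possible by holding the decryption key at database level." is too vague for the security-relevant point it is making; if it means a single decryption key shared across all cards (as opposed to "The authentication key is still recorded per card."), say so explicitly and add the consequence that a compromise of that one key affects every card issued, which is the trade-off a reader choosing this level needs to weigh. In the "You can check your card/s by reading the NDEF value" paragraph, reading the NDEF only reveals the static identifier in the URI; the UID is reported separately by the tag (TagInfo shows it as a distinct field), so split this into two checks: inspect the NDEF URI for a static identifier, and read the tag twice to see whether the UID changes (Random ID enabled) or stays constant. Minor: "card/s" should be "card(s)" or "cards", and "a untrustworthy point-of-sale" should be "an untrustworthy point-of-sale".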