Published on: 2022-02-01T18:10:45+00:00
In a recent Lightning-dev forum post, concerns were raised about KYC Node Verification and Payment Reason Aggregation in the Lightning Network. The post cited Bottlepay as an example of a company that requires users to verify their nodes by including personally identifiable information (PII) in the description field of a specialized invoice. This information is then stored and shared with third parties, regulators, and governments. The post argues that this practice could have long-term consequences for the reputation-based system of the Lightning Network if it becomes more widespread.One major concern is payment reason aggregation, which has the potential to reveal personal information that could be collected by third-party analytic aggregators. This raises concerns about censorship and the sharing of transactions with malicious parties. To address this issue, it is suggested that users be clearly informed that the information they include in their invoices can be verified by third parties, and ideally, descriptions should be removed entirely.There are also concerns about exploitation in Bolt11 invoices and the need for increased security measures. One suggestion is to add a salt to descriptions to prevent guessing common payment reasons. While using a description hash instead of a description may be better in terms of privacy, there are user experience considerations that may not fully solve the problem. It is recommended to save the description to the wallet database instead of including it in the invoice. This would allow users to conceal the real reason behind a payment, even if their wallet is a custodian.Furthermore, the lack of support for descriptions can help hinder mass surveillance in the Lightning space. The current reliance on custodians allows them to see and store payment information, which can reveal sensitive data when exchanges relay invoices to chain analytic companies. By removing the ability for users to include descriptions in their wallets, the risk of revealing personal information can be reduced.Overall, the concerns raised highlight the need for greater privacy and security measures within the Lightning Network. Educating users about the potential risks and implementing changes at the application layer, such as removing descriptions from wallets, can help protect user privacy and hinder mass surveillance.
Updated on: 2023-08-01T00:05:05.007072+00:00