The Interledger Community 🌱

Cover image for Data Privacy Impact Assessment for "Survey Rewards and Payment Service"

Data Privacy Impact Assessment for "Survey Rewards and Payment Service"

This Data Privacy Impact Assessment is part of the project Reciprocal ecosystem for citizen science and is written by Winfried Tilanus.

Functionality of the system

The survey reward system is built for the use case where a site wants to give a user a monetary reward. The survey reward system sits in between a site that wants to reward a user for some action and a payment service. The payment is sent using a payment pointer.

Scope of this DPIA

Because the survey reward system is one element in a bigger flow, this DPIA is limited to only the part of the flow the survey reward system is involved in. This DPIA covers the interaction between the survey service that is giving the reward and the payment service itself. Out of scope are:

  • The site giving the reward

  • The payment service used to pay the rewards

  • The payment service to receive the rewards

All of these can be chosen freely by the owners of the site or by the user receiving the payment. So it is not possible to include them in this DPIA. 

This DPIA is written in such a way that it can be copied and pasted into a larger DPIA for a complete setup.

Description of the system

The Survey Reward and Payment Service consists of two parts:

  • A small software library that can be included in a survey service that wants to hand out a payment.

  • A separate payment service that handles the payment using a payment pointer and an account at a payment service provider. This payment service is run by the site owner.

Once the library is invoked, it forwards the user to the payment server where the user can enter their payment pointer. Subsequently the payment server transfers the amount of the reward to the payment service behind the payment pointer. The payment service is protected against impersonation attacks and replay attacks.

Goals and legal grounds for processing

The goal of the processing of personal data by the Survey Reward and Payment Service is to perform payments to users of a website. The legal ground for this processing of data is 'the performance of a contract' (GDPR article 6.1b) because the payment is part of the (implicit) contract between the user and the owner of the website.

Data subjects

The following data subjects are involved in the payment process:

  • the user receiving the payment

When the survey service is owned by a natural person and when the natural person is using their personal account or wallet to send the payments, the website owner is also a data subject.

Personal data processed

The Survey Reward and Payment Service processes the following personal data:

  • An identifier that is unique per transaction

  • The payment pointer of the user receiving the payment

When the payments are made from a personal account or wallet:

  • The wallet details of the owner of the site

Risks for data subjects

1. Correlation risks

The site may collect large amounts of personal data and even sensitive data, for example when it is running a survey the user is rewarded for. Correlating such data with an unique identifier of the user makes the user trackable across multiple sites. The other way around a payment service may correlate the payment with certain characteristics of the user when it can correlate the site or the activity on the site with a payment pointer.

1a Correlation by the site owner

The site owner may use the payment pointer to track the user across visits on the site or across different sites. This may even be used to create a profile of the user.

Mitigation:

  • Separation of the site and the payment services.

  • Using only an unique id per transaction and no other id to hand over the transaction to the payment services.

  • Separating the logfiles so these can only be correlated by hand, for example to track errors.

1b Correlation by receiving payment service

The receiving payment service may use the sending payment wallet to correlate the site with a payment. This may be used to trace the user.

Mitigation:

  • The sending payment wallet can (and should) be used for more than one site, action or survey, so the service can only correlate on a very global level.

1c Correlation by sending payment services

The sending payment service may use the receiving payment wallet to correlate the site with a payment. This may be used to trace the user.

Mitigation:

  • The sending payment wallet can (and should) be used for more than one site, action or survey, so the service can only correlate on a very global level.

2. Data leak risks

Leaking the content of the site or information about the payments, may reveal personal data about the user.

2a Leaking data from the paying site

The paying site may collect quite a lot of sensitive data. There should be no risk that this data is revealed via the payment service.

Mitigation:

  • Data minimisation; the payment system processes only the per transaction ID, the amount to pay and the payment pointer, so there is no risk leaking data because it is not there.

2b Leaking data about payments

The size of the reward or the timing of the reward, may reveal some information about the activities on the site. So in some cases this information can be damaging.

Mitigation:

  • The sending payment wallet can (and should) be used for more then one site, action or survey, so an observer can only correlate on a very global level.

3. Risk of unlawful retention

Storing data longer than is needed for the goal of its processing, is a violation of the rights of the data-subject in itself and is therefore a risk in itself. The period the data may or must be retained, depends on local regulations for retention of payment data.

Mitigation:

  • Rotate and delete the logs of the site and the payment service according to the local rules.

Assessment of risks and residual risks

Risk Initial size Residual risk after mitigation
1a Correlation by the site owner High Low: correlation is still possible, but not trivial and it is an illegal action that has to be taken deliberately.
1b Correlation by receiving payment service Medium Low: correlation is only possible to a limited extent.
1c Correlation by sending payment services Medium Low: correlation is only possible to a limited extent.
2a Leaking data from the paying site Medium None
2b Leaking data about payments Medium Low: correlation is only possible to a limited extent.
3 Risk of unlawful retention High None

Oldest comments (0)