non-repudiation-privacy
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseNon-Repudiation Privacy Analysis (LINDDUN N)
不可否认性隐私分析(LINDDUN N)
Analyze source code for non-repudiation threats where forced accountability
creates privacy risks. In privacy, non-repudiation becomes a threat when it
creates irrefutable proof linking users to sensitive activities where plausible
deniability should be preserved. This is the inverse of STRIDE Repudiation.
分析源代码中因强制问责而引发隐私风险的不可否认性威胁。在隐私领域,当系统在应保留合理否认权的场景下,生成了将用户与敏感活动绑定的不可辩驳证据时,不可否认性就成为一种威胁。这与STRIDE中的否认性是相反的。
Supported Flags
支持的标志
Read for full flag
documentation. This skill supports all cross-cutting flags.
../../shared/schemas/flags.md| Flag | Non-Repudiation-Specific Behavior |
|---|---|
| Default |
| Grep patterns only: scan for comprehensive audit logging and signature mechanisms. |
| Full code read, classify logged actions by sensitivity, assess deniability gaps. |
| Trace audit trail coverage across the system. Map which sensitive actions create irrefutable evidence. |
| Deep + adversarial subpoena simulation: model what a legal adversary can prove from system records. |
| Filter output. Severity depends on sensitivity of the activity being irrefutably logged. |
| Generate selective logging, retention limits, and anonymous channel implementations. |
阅读获取完整的标志文档。此技能支持所有跨领域标志。
../../shared/schemas/flags.md| 标志 | 不可否认性专属行为 |
|---|---|
| 默认值为 |
| 仅使用Grep模式:扫描全面的审计日志和签名机制。 |
| 完整读取代码,按敏感度分类已记录的操作,评估否认权缺口。 |
| 追踪系统内的审计轨迹覆盖范围。映射哪些敏感操作会生成不可辩驳的证据。 |
| 深度分析+对抗性传票模拟:模拟法律对手可从系统记录中证明的内容。 |
| 过滤输出。严重程度取决于被不可辩驳记录的活动的敏感度。 |
| 生成选择性日志记录、保留限制和匿名通道实现方案。 |
Framework Context
框架背景
LINDDUN N -- Non-repudiation (Privacy Context)
Non-repudiation in a privacy context occurs when the system creates irrefutable
proof that a specific user performed a sensitive action, in situations where
plausible deniability should be available. Read
for the
full LINDDUN framework reference including the relationship between LINDDUN N
and STRIDE R.
../../shared/frameworks/linddun.mdPrivacy Property Violated: Plausible Deniability
STRIDE Mapping: Repudiation (inverse relationship -- STRIDE treats
deniability as a security threat; LINDDUN treats forced accountability as a
privacy threat)
LINDDUN N——不可否认性(隐私语境)
在隐私语境中,不可否认性指的是:当系统在应保留合理否认权的场景下,生成了特定用户执行敏感操作的不可辩驳证据。阅读获取完整的LINDDUN框架参考,包括LINDDUN N与STRIDE R之间的关系。
../../shared/frameworks/linddun.md被侵犯的隐私属性:合理否认权
STRIDE映射:否认性(反向关系——STRIDE将否认权视为安全威胁;LINDDUN将强制问责视为隐私威胁)
Workflow
工作流程
Step 1 -- Determine Scope
步骤1——确定范围
- Parse flag (default:
--scope).changed - Resolve to a concrete file list.
- Filter to relevant files: audit logging modules, transaction logging, digital signature implementations, blockchain integrations, session recording, and compliance audit code.
- Prioritize files containing: audit trail logic, activity logging, digital signature verification, immutable storage writes, and user action recording.
- 解析标志(默认值:
--scope)。changed - 解析为具体的文件列表。
- 筛选相关文件:审计日志模块、交易日志、数字签名实现、区块链集成、会话记录和合规审计代码。
- 优先处理包含以下内容的文件:审计轨迹逻辑、活动日志记录、数字签名验证、不可变存储写入和用户操作记录。
Step 2 -- Analyze for Non-Repudiation Privacy Threats
步骤2——分析不可否认性隐私威胁
Read each scoped file and assess whether accountability mechanisms create
privacy risks:
- Classify logged actions by sensitivity: Distinguish routine actions (login, purchase) from sensitive ones (health queries, political content, whistleblowing, personal searches).
- Check audit granularity: Determine whether logging is applied uniformly or selectively based on sensitivity classification.
- Assess digital signature scope: Identify where signatures create irrefutable proof of user involvement in sensitive activities.
- Examine retention policies: Check whether audit logs of sensitive actions have appropriate retention limits or persist indefinitely.
- Look for anonymous alternatives: Check whether sensitive features allow pseudonymous or anonymous participation.
At or , model the full audit trail and determine
what a legal adversary or data breach could reveal about user behavior.
--depth deep--depth expert读取每个范围内的文件,评估问责机制是否引发隐私风险:
- 按敏感度分类已记录的操作:区分常规操作(登录、购买)与敏感操作(健康查询、政治内容、举报、个人搜索)。
- 检查审计粒度:确定日志记录是统一应用还是根据敏感度分类选择性应用。
- 评估数字签名范围:识别哪些场景下签名会生成用户参与敏感操作的不可辩驳证据。
- 检查保留策略:检查敏感操作的审计日志是否有适当的保留限制,还是会无限期留存。
- 寻找匿名替代方案:检查敏感功能是否允许假名或匿名参与。
在或模式下,建模完整的审计轨迹,确定法律对手或数据泄露可能会泄露哪些用户行为信息。
--depth deep--depth expertStep 3 -- Report Findings
步骤3——报告发现结果
Output findings per .
Each finding needs: id, title, severity (based on activity sensitivity
and irrefutability of proof), location with snippet, description of evidence
created, impact (what can be proven if logs are subpoenaed), fix (selective
logging, retention limits, or anonymous channels), and CWE/LINDDUN references.
../../shared/schemas/findings.mdNREP-NNN按照输出发现结果。每个发现需要包含:编号、标题、严重程度(基于活动敏感度和证据的不可辩驳性)、带代码片段的位置、生成的证据描述、影响(如果日志被传票调取可证明的内容)、修复方案(选择性日志记录、保留限制或匿名通道),以及CWE/LINDDUN参考。
../../shared/schemas/findings.mdNREP-NNNAnalysis Checklist
分析检查清单
- Does the system log every user action regardless of sensitivity classification?
- Are sensitive queries (health, legal, political) logged with user identity?
- Do digital signatures create irrefutable proof of user involvement in sensitive actions?
- Are there features (whistleblowing, reporting) that require real identity?
- Can audit logs be subpoenaed to prove user behavior in sensitive contexts?
- Do immutable storage systems (blockchain, append-only logs) prevent erasure?
- Are there retention policies limiting how long sensitive action logs persist?
- Is there a sensitivity classification for routine vs. sensitive actions?
- 系统是否无论敏感度分类如何,都会记录每个用户操作?
- 敏感查询(健康、法律、政治)是否与用户身份关联记录?
- 数字签名是否会生成用户参与敏感操作的不可辩驳证据?
- 是否存在需要真实身份的功能(举报、投诉)?
- 审计日志是否可被传票调取以证明用户在敏感场景下的行为?
- 不可变存储系统(区块链、追加式日志)是否会阻止擦除操作?
- 是否有保留策略限制敏感操作日志的留存时长?
- 是否对常规操作与敏感操作进行了敏感度分类?
What to Look For
检查要点
- Blanket audit logging: All actions logged without sensitivity classification.
- Grep:
audit\.log|auditLog|audit_trail|AuditEvent|createAuditEntry|logActivity
- Grep:
- User identity in sensitive action logs: User IDs linked to sensitive operations.
- Grep:
log.*userId.*search|audit.*user.*query|record.*identity.*action
- Grep:
- Digital signatures on all transactions: Signatures applied without privacy assessment.
- Grep:
sign\(|createSignature|digitalSignature|crypto\.sign|jwt\.sign.*action
- Grep:
- Immutable storage of user actions: Append-only or blockchain storage linking users to actions.
- Grep:
blockchain|immutable|append.only|ledger|write.*once|WORM
- Grep:
- Session recording with identity: Full session capture linked to identified users.
- Grep:
sessionRecording|screenCapture|fullStory|hotjar|mouseflow|session.replay
- Grep:
- Missing anonymous channels: No pseudonymous alternatives for sensitive features.
- Grep:
anonymous|pseudonym|whistleblow|report.*anonymous|tipline
- Grep:
- Indefinite retention of action logs: No TTL or cleanup for sensitive audit records.
- Grep:
retention|ttl|cleanup|purge|expire.*audit|delete.*log.*older
- Grep:
- 全面审计日志记录:所有操作都被记录,未进行敏感度分类。
- Grep关键词:
audit\.log|auditLog|audit_trail|AuditEvent|createAuditEntry|logActivity
- Grep关键词:
- 敏感操作日志中的用户身份:用户ID与敏感操作关联。
- Grep关键词:
log.*userId.*search|audit.*user.*query|record.*identity.*action
- Grep关键词:
- 所有交易的数字签名:未进行隐私评估就应用签名。
- Grep关键词:
sign\(|createSignature|digitalSignature|crypto\.sign|jwt\.sign.*action
- Grep关键词:
- 用户操作的不可变存储:追加式或区块链存储将用户与操作关联。
- Grep关键词:
blockchain|immutable|append.only|ledger|write.*once|WORM
- Grep关键词:
- 带身份的会话记录:完整会话捕获与已识别用户关联。
- Grep关键词:
sessionRecording|screenCapture|fullStory|hotjar|mouseflow|session.replay
- Grep关键词:
- 缺失匿名通道:敏感功能没有假名替代方案。
- Grep关键词:
anonymous|pseudonym|whistleblow|report.*anonymous|tipline
- Grep关键词:
- 操作日志无限期留存:敏感审计记录没有TTL或清理机制。
- Grep关键词:
retention|ttl|cleanup|purge|expire.*audit|delete.*log.*older
- Grep关键词:
Regulatory Mapping
合规性映射
| Regulation | Provision | Relevance |
|---|---|---|
| GDPR Art. 17 | Right to erasure | Irrefutable audit trails may conflict with deletion rights |
| GDPR Art. 5(1)(e) | Storage limitation | Indefinite audit logs violate storage limitation principle |
| GDPR Art. 5(1)(c) | Data minimization | Excessive logging collects more data than necessary |
| EU Directive 2019/1937 | Whistleblower protection | Anonymous reporting channels must protect identity |
| HIPAA Privacy Rule | Minimum necessary standard | Access logs should record minimum necessary detail |
| CCPA 1798.105 | Right to delete | Users may request deletion of activity records |
| 法规 | 条款 | 相关性 |
|---|---|---|
| GDPR Art. 17 | 被遗忘权 | 不可辩驳的审计轨迹可能与删除权冲突 |
| GDPR Art. 5(1)(e) | 存储限制 | 无限期留存审计日志违反存储限制原则 |
| GDPR Art. 5(1)(c) | 数据最小化 | 过度日志记录收集了超出必要范围的数据 |
| EU Directive 2019/1937 | 举报人保护 | 匿名举报通道必须保护身份 |
| HIPAA Privacy Rule | 最小必要标准 | 访问日志应记录最少必要的细节 |
| CCPA 1798.105 | 删除权 | 用户可要求删除活动记录 |
Output Format
输出格式
Use finding ID prefix NREP (e.g., , ).
NREP-001NREP-002All findings follow the schema in
with:
../../shared/schemas/findings.md- :
references.cwe(Logging of Excessive Data)CWE-779 - :
references.owasp(Security Logging & Monitoring Failures -- excessive audit trail)A09:2021 - :
metadata.tool"non-repudiation-privacy" - :
metadata.framework"linddun" - :
metadata.category"N"
Summary table after all findings:
| Non-Repudiation Pattern | Critical | High | Medium | Low |
|-----------------------------|----------|------|--------|-----|
| Blanket audit logging | | | | |
| Identity in sensitive logs | | | | |
| Mandatory signatures | | | | |
| Immutable action records | | | | |
| Session recording | | | | |
| Missing anonymous channels | | | | |Followed by: top 3 priorities, sensitivity classification gaps, and overall assessment.
使用发现结果编号前缀NREP(例如:、)。
NREP-001NREP-002所有发现结果遵循中的 schema,包含:
../../shared/schemas/findings.md- :
references.cwe(过度数据记录)CWE-779 - :
references.owasp(安全日志记录与监控失败——过度审计轨迹)A09:2021 - :
metadata.tool"non-repudiation-privacy" - :
metadata.framework"linddun" - :
metadata.category"N"
所有发现结果后的汇总表:
| 不可否认性模式 | 严重 | 高 | 中 | 低 |
|-----------------------------|----------|------|--------|-----|
| 全面审计日志记录 | | | | |
| 敏感日志中的身份信息 | | | | |
| 强制签名 | | | | |
| 不可变操作记录 | | | | |
| 会话记录 | | | | |
| 缺失匿名通道 | | | | |后续内容:前3个优先事项、敏感度分类缺口和总体评估。