I don’t know if vaults know the public key of the requestor - I don’t see why they would so that needs checking.
I agree vaults might know the xor address, although this needs checking also as I said, because I don’t see why they need this. I would think only the data managers need it, although it might be more effient to let the vaults see this too.
However, the xor address is random and temporary and so not associated with an account beyond a certain time (I don’t know the limits - but no more than a session at the most).
So there is a very small window for any vault to collect data about a user, and any vault is quite likely to see that same xor address only once anyway because one vault holds such a tiny fraction of all the data any single user will access during a session.
The question then is who does see the public key. I don’t see why vaults need it, so this may be an error - the wording you quote mentions it in the first instance but drops it from the second.
Could be a good catch for a documentation error, and also an issue to explore more - who can see a public key and how could this be used to gather data on an account.
There is a limit even here though. If you are one vault who can see the public keys of every user accessing the chunks you hold, how much information can you gather on a particular account? Very, very little, because you hold such a tiny fraction of all the data they might access.
So to do any significant snooping an attacker would have to collate the logs from many different nodes.
Also, they would have to gather and store all that information - because they have no way to focus on a particular public key, until they have linked it to an account.
So, it needs clarifying, but even the worst case is not as serious as making the network non-anonymous.
Can anyone clarify what public keys of an account are exposed and for how long? I have a feeling these are only session keys - so thrown away like the xor address after a relatively short period - but I can’t confirm that.
Good digging @DaBrown95, don’'t stop