DP1 - Federated Auth & Accountability
In our last meeting, the question came up as to whether Google can see all your clicks during a Google OAuth session. It came up because we use Web3Auth for Gov Hub and Canopi, it offers many OAuth sign-in options including Google, and there was concern that Google would see all the traffic. The answer is no: Google does not see every click in your app just because someone signed in with Google through Web3Auth. Google's role in that flow is identity at login time, not a live proxy for everything the user does afterward.

What happens at sign-in

The user is sent to Google's OAuth page (accounts.google.com). That request tells Google the user's IP address and browser user agent, the client_id and redirect_uri of the app asking for sign-in, the scopes requested, and (through the Referer header, to the extent the page's Referrer-Policy allows) the origin or page the login started from. How long Google keeps that is governed by Google's own retention policies, not by anything in your app. The user approves scopes (email, profile, etc., depending on your Web3Auth / Google Cloud config). Google returns tokens to Web3Auth (not to your app directly, in the usual OpenLogin flow). Web3Auth establishes its own session and wallet/key material. During that popup/redirect window, Google obviously sees that authentication traffic. That's expected.

After the session is active

Once login finishes, clicks and navigation in your app (gov-hub, the Canopi extension UI, etc.) go to your origins, and to Web3Auth's endpoints when the SDK needs them, not to Google on each interaction. Google is not in the request path for "user clicked button X" unless you separately added Google services that phone home (Google Analytics, Tag Manager, Fonts, reCAPTCHA, embedded Maps or YouTube, and the like); those report whatever they report regardless of how the user signed in, so audit them as a separate question. Google does see another authentication event whenever Web3Auth has to send the user back through it, for example when the Web3Auth session expires and the user signs in again. So a valid Web3Auth session does not mean Google gets a stream of every click. This is the important thing.
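One way to verify this for your own deployment rather than take it on faith is to export a HAR from the browser's developer tools (Network panel, "Save all as HAR") covering a login and a few clicks, then tally which hosts received requests. The script below is an added example written for this page; it is not Web3Auth's or Google's code. It reports what the authorization request itself disclosed to Google (client_id, redirect_uri, scope, Referer) and which hosts received traffic after the browser landed back on redirect_uri, flagging Google-owned hosts. The HAR entries embedded in it are constructed by hand; the hostnames gov-hub.example, auth.web3auth.io and api.web3auth.io, the client_id, and the Google Analytics hit are assumptions for illustration, not captured values.

```javascript
// Added example for this page (not Web3Auth's or Google's code): audit a HAR
// export to see what Google learns at sign-in and which hosts get traffic
// after the session is up. Run with: node audit-har.js

// Google-owned hostnames worth flagging in post-login traffic (not exhaustive).
const GOOGLE_OWNED =
  /(^|\.)(google\.com|googleapis\.com|gstatic\.com|googleusercontent\.com|google-analytics\.com|googletagmanager\.com|recaptcha\.net)$/i;

function hostOf(url) {
  return new URL(url).hostname;
}

function withoutQuery(url) {
  const u = new URL(url);
  return u.origin + u.pathname;
}

// What the OAuth/OIDC authorization request itself tells Google about your app.
function authRequestDisclosure(entry) {
  const u = new URL(entry.request.url);
  const referer = (entry.request.headers || [])
    .find((h) => h.name.toLowerCase() === "referer");
  return {
    client_id: u.searchParams.get("client_id"),
    redirect_uri: u.searchParams.get("redirect_uri"),
    scope: u.searchParams.get("scope"),
    referer: referer ? referer.value : null,
  };
}

function auditHar(har) {
  const entries = [...har.log.entries].sort(
    (a, b) => Date.parse(a.startedDateTime) - Date.parse(b.startedDateTime),
  );
  const authIdx = entries.findIndex(
    (e) => hostOf(e.request.url) === "accounts.google.com",
  );
  if (authIdx < 0) throw new Error("HAR contains no accounts.google.com request");
  const disclosed = authRequestDisclosure(entries[authIdx]);

  // The sign-in window closes when the browser lands on redirect_uri carrying
  // the authorization code. If that callback was not captured, fall back to
  // the authorization request itself as the end of the window.
  let endIdx = entries.findIndex(
    (e, i) => i > authIdx && withoutQuery(e.request.url) === disclosed.redirect_uri,
  );
  if (endIdx < 0) endIdx = authIdx;

  // Everything after the callback is "the session is active" traffic.
  const afterLogin = {};
  const googleAfterLogin = [];
  for (const e of entries.slice(endIdx + 1)) {
    const host = hostOf(e.request.url);
    afterLogin[host] = (afterLogin[host] || 0) + 1;
    if (GOOGLE_OWNED.test(host)) googleAfterLogin.push(e.request.url);
  }
  return { disclosedAtSignIn: disclosed, afterLogin, googleAfterLogin };
}

// Constructed HAR (hand-written, not a real capture). All hostnames except
// accounts.google.com, the client_id and the analytics hit are assumptions.
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: "2026-04-01T10:00:00.000Z",
    request: { method: "GET", url: "https://gov-hub.example/login", headers: [] } },
  { startedDateTime: "2026-04-01T10:00:02.000Z",
    request: { method: "GET",
      url: "https://accounts.google.com/o/oauth2/v2/auth?client_id=1234.apps.googleusercontent.com" +
           "&redirect_uri=https%3A%2F%2Fauth.web3auth.io%2Fauth&response_type=code" +
           "&scope=openid%20email%20profile&state=abc123",
      headers: [{ name: "Referer", value: "https://gov-hub.example/login" }] } },
  { startedDateTime: "2026-04-01T10:00:09.000Z",
    request: { method: "GET", url: "https://auth.web3auth.io/auth?code=4%2Fxyz&state=abc123", headers: [] } },
  { startedDateTime: "2026-04-01T10:00:15.000Z",
    request: { method: "POST", url: "https://gov-hub.example/api/proposals/42/vote", headers: [] } },
  { startedDateTime: "2026-04-01T10:00:16.000Z",
    request: { method: "POST", url: "https://api.web3auth.io/session", headers: [] } },
  { startedDateTime: "2026-04-01T10:00:17.000Z",
    request: { method: "GET", url: "https://www.google-analytics.com/g/collect?v=2&en=click", headers: [] } },
] } };

console.log(JSON.stringify(auditHar(SAMPLE_HAR), null, 2));
```

On the constructed capture the only Google-owned host after login is www.google-analytics.com, which is exactly the "separately added Google service" case: the sign-in itself contributes nothing after the callback, but an analytics tag does. Swap in a real HAR from a Gov Hub or Canopi session and the googleAfterLogin list is the thing to read.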
The notion of federated strong authentication as the first desirable property was introduced by Vint Cerf at the kickoff on Sept 16, 2024. I interpreted this to mean federation among decentralized social networks: ActivityPub / Mastodon, AT Protocol, Nostr, and Lens. But the reality is that most people I know don't even know what those are. They have a Gmail, use Google Docs, and are happy to sign in with Google. Last year, I noticed that my friend Jomari was using Web3Auth for multi-modal authentication and that it generated wallet addresses. I was happy to see that it handles many popular social platforms, email and phone, and hundreds of wallets. We have that out of the box, and I am planning a custom flow for decentralized social. The best of all worlds is supporting all legitimate auth methods. Let the community decide what auth methods they want to allow; let the community configure, and let the market decide. The communities I want to be in will allow any auth, but you need proof of unique humanity to impact reputation or vitality. I like Fractal ID, but again I say let the community decide what PoUH to use.
Vint Cerf suggested this as the first Desirable Property!
This is key.
My comment
Authenticating on Google means nothing except you set up an email, so trust should not follow.
I think overlapping is not the correct word here
Title: DP1 - Federated Auth & Accountability
Authors: The Meta-Layer Initiative
Status: approved
Last Updated: 2026-04-22