Non-Repudiation Privacy Analysis (LINDDUN N)

Analyze source code for non-repudiation threats where forced accountability creates privacy risks. In privacy, non-repudiation becomes a threat when it creates irrefutable proof linking users to sensitive activities where plausible deniability should be preserved. This is the inverse of STRIDE Repudiation.

Supported Flags

Read ../../shared/schemas/flags.md for full flag documentation. This skill supports all cross-cutting flags.

Flag Non-Repudiation-Specific Behavior

--scope

Default changed . Focuses on files containing audit logging, digital signatures, transaction receipts, and immutable record storage.

--depth quick

Grep patterns only: scan for comprehensive audit logging and signature mechanisms.

--depth standard

Full code read, classify logged actions by sensitivity, assess deniability gaps.

--depth deep

Trace audit trail coverage across the system. Map which sensitive actions create irrefutable evidence.

--depth expert

Deep + adversarial subpoena simulation: model what a legal adversary can prove from system records.

--severity

Filter output. Severity depends on sensitivity of the activity being irrefutably logged.

--fix

Generate selective logging, retention limits, and anonymous channel implementations.

Framework Context

LINDDUN N -- Non-repudiation (Privacy Context)

Non-repudiation in a privacy context occurs when the system creates irrefutable proof that a specific user performed a sensitive action, in situations where plausible deniability should be available. Read ../../shared/frameworks/linddun.md for the full LINDDUN framework reference including the relationship between LINDDUN N and STRIDE R.

Privacy Property Violated: Plausible Deniability

STRIDE Mapping: Repudiation (inverse relationship -- STRIDE treats deniability as a security threat; LINDDUN treats forced accountability as a privacy threat)

Workflow

Step 1 -- Determine Scope

• Parse --scope flag (default: changed ).

• Resolve to a concrete file list.

• Filter to relevant files: audit logging modules, transaction logging, digital signature implementations, blockchain integrations, session recording, and compliance audit code.

• Prioritize files containing: audit trail logic, activity logging, digital signature verification, immutable storage writes, and user action recording.

Step 2 -- Analyze for Non-Repudiation Privacy Threats

Read each scoped file and assess whether accountability mechanisms create privacy risks:

• Classify logged actions by sensitivity: Distinguish routine actions (login, purchase) from sensitive ones (health queries, political content, whistleblowing, personal searches).

• Check audit granularity: Determine whether logging is applied uniformly or selectively based on sensitivity classification.

• Assess digital signature scope: Identify where signatures create irrefutable proof of user involvement in sensitive activities.

• Examine retention policies: Check whether audit logs of sensitive actions have appropriate retention limits or persist indefinitely.

• Look for anonymous alternatives: Check whether sensitive features allow pseudonymous or anonymous participation.

At --depth deep or --depth expert , model the full audit trail and determine what a legal adversary or data breach could reveal about user behavior.

Step 3 -- Report Findings

Output findings per ../../shared/schemas/findings.md . Each finding needs: NREP-NNN id, title, severity (based on activity sensitivity and irrefutability of proof), location with snippet, description of evidence created, impact (what can be proven if logs are subpoenaed), fix (selective logging, retention limits, or anonymous channels), and CWE/LINDDUN references.

Analysis Checklist

• Does the system log every user action regardless of sensitivity classification?

• Are sensitive queries (health, legal, political) logged with user identity?

• Do digital signatures create irrefutable proof of user involvement in sensitive actions?

• Are there features (whistleblowing, reporting) that require real identity?

• Can audit logs be subpoenaed to prove user behavior in sensitive contexts?

• Do immutable storage systems (blockchain, append-only logs) prevent erasure?

• Are there retention policies limiting how long sensitive action logs persist?

• Is there a sensitivity classification for routine vs. sensitive actions?

What to Look For

• Blanket audit logging: All actions logged without sensitivity classification.

• Grep: audit.log|auditLog|audit_trail|AuditEvent|createAuditEntry|logActivity

• User identity in sensitive action logs: User IDs linked to sensitive operations.

• Grep: log.*userId.*search|audit.*user.*query|record.*identity.*action

• Digital signatures on all transactions: Signatures applied without privacy assessment.

• Grep: sign(|createSignature|digitalSignature|crypto.sign|jwt.sign.*action

• Immutable storage of user actions: Append-only or blockchain storage linking users to actions.

• Grep: blockchain|immutable|append.only|ledger|write.*once|WORM

• Session recording with identity: Full session capture linked to identified users.

• Grep: sessionRecording|screenCapture|fullStory|hotjar|mouseflow|session.replay

• Missing anonymous channels: No pseudonymous alternatives for sensitive features.

• Grep: anonymous|pseudonym|whistleblow|report.*anonymous|tipline

• Indefinite retention of action logs: No TTL or cleanup for sensitive audit records.

• Grep: retention|ttl|cleanup|purge|expire.*audit|delete.*log.*older

Regulatory Mapping

Regulation Provision Relevance

GDPR Art. 17 Right to erasure Irrefutable audit trails may conflict with deletion rights

GDPR Art. 5(1)(e) Storage limitation Indefinite audit logs violate storage limitation principle

GDPR Art. 5(1)(c) Data minimization Excessive logging collects more data than necessary

EU Directive 2019/1937 Whistleblower protection Anonymous reporting channels must protect identity

HIPAA Privacy Rule Minimum necessary standard Access logs should record minimum necessary detail

CCPA 1798.105 Right to delete Users may request deletion of activity records

Output Format

Use finding ID prefix NREP (e.g., NREP-001 , NREP-002 ).

All findings follow the schema in ../../shared/schemas/findings.md with:

• references.cwe : CWE-779 (Logging of Excessive Data)

• references.owasp : A09:2021 (Security Logging & Monitoring Failures -- excessive audit trail)

• metadata.tool : "non-repudiation-privacy"

• metadata.framework : "linddun"

• metadata.category : "N"

Summary table after all findings:

Followed by: top 3 priorities, sensitivity classification gaps, and overall assessment.