Pseudoanonymity and credit card payments

I am trying to understand how payment by credit cards can be used to link real world and pseudo identities. I’ll use Substack as an example. I sign up as PSEUD with my own pseud email address. I want to access material or participate in communities that are pay-walled in some way so I need to subscribe. I use my credit card linked to REAL WORLD ID for this. Substack receives payment through Stripe. Who sees what? My understanding:

  1. Stripe sees that REAL WORLD ID paid Substack for something.
  2. Substack receives money from Stripe and confirms that PSEUD is a paid subscriber to a particular publication.
  3. Publication receives money from Substack and has PSEUD as a paid subscriber.

REAL WORLD ID and PSEUD remain separate and can only be linked through something like Mass Surveillance Payment method correlation (as mentioned in PG knowledge base).

Am I understanding this correctly?

2 Likes

If I understand correctly, your question is - who can see payment data?

Businesses that process payment information have certain legal obligations that need to be met in order to do business. This is why many businesses outsource that job to a service like Stripe, Square, PayPal, etc. Generally speaking, a business (such as Substack in this case) likely doesn’t want to know the payment details because that opens them up to certain liabilities which are outside the scope of their business model, but this is all assumption because maybe Substack does have the infrastructure to handle that data on their end? There’s no way to know for certain.

Jack Teixeira, the Air National Guard member who leaked TS/SCI data onto Discord, was found because of billing details. This tells us that either Discord was able to see them or the FBI went to the payment processor for that information.

The complaint, which does not mention Discord by name, indicates the platform assisted the FBI by providing the credentials behind the account associated with the leak on April 12. The billing name associated with the account was Jack Teixeira and the address in North Dighton, according to the complaint.

My threat model doesn’t place a high regard on anonymity, more so privacy and security, but when I am wanting to achieve an anonymous purchase, I use cash and purchase a gift card from a store that I don’t regularly shop at. It’s important here that you don’t pull the cash from an ATM right next to the store because that could be traceable by a determined investigator. If you’re somebody who regularly pays for things with cash (meaning a regular history on your account of ATM visits), it won’t appear out of the ordinary to be pulling cash from a machine to conduct this purchase.

1 Like

Thanks for your response. “Who can see payment data?” is a part of my question.

My threat model requires pseudonymity and I am trying to get clear about how to maintain this while paying for subscription access to publications (i.e. Substack), or channels (i.e. Rumble).

I am also interested, but this is perhaps a different question for another post, how pseudonymity can be maintained on the other side: i.e., as someone with a Substack publication who wants to monetize their content; or someone with a Website who wants to monetize their content while receiving subscription payments, etc.

1 Like

Stripe shares most transaction details with customers like Substack. Pretty much everything except full address and full card number, for example:

Now, will Substack share this information with Substack publications? Maybe, I don’t know how exactly Substack works, but many similar platforms will have a publisher link their own Stripe account to accept payments, and then the publisher would be able to see this data.

For example, GitHub Sponsors works this way, so a person you sponsor on GitHub would receive this data.

3 Likes