The VPN provider shall offer anonymous payment methods.
Test: Go to the provider's website, create an account
Result: There are options available that do not require any PII
Output: Screenshot of a record of payment by anonymous method
### 5.2.X **TR-TRAF**: No traffic through the node you haven't explicitly approved
The VPN provider shall not route traffic through the endpoint from sources/destinations other than the endpoint without the user's explicit informed consent, and it shall not be necessary for the use of any unrelated function.
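Review bot: the TR-TRAF requirement text is circular and hard to test as written: "shall not route traffic through the endpoint from sources/destinations other than the endpoint" names the endpoint on both sides of the condition, and the trailing clause "it shall not be necessary for the use of any unrelated function" has no clear subject. Suggest stating the intent directly, for instance "The VPN provider shall not use the endpoint to relay traffic that neither originates from nor is destined to that endpoint without the user's explicit informed consent, and giving that consent shall not be a precondition for any unrelated function." The anonymous-payment item above it also lacks the Reference/Objective/Preparation/Activities/Verdict/Evidence structure that the MI-NPII-* entries in this same change use, so a verdict is never stated for it; consider converting it to that format so the test has a PASS/FAIL criterion.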
@@ -233,17 +223,20 @@ Optional:
> Copy-n-paste mitigation format
### 5.2.X **TR-NPII**:
### 5.2.X **TR-DMIN**: Data minimization
The VPN provider shall not collect PII without explicit authorization.
The product shall not collect data unnecessary for the functions of the product.
#### 5.2.X.x **MI-NPII-1**:
Document all data sent to the VPN provider, label it all as to PII or not, and justify all PII sent, and document if it is kept or not, for how long, who it is shared with, how it is stored, how the user consents to it, record of user consent.
The VPN provider shall not collect PII without explicit authorization.
* Test: Packet capture during typical hour of use
* Result: Only PII described is sent under conditions documented
* Output: Packet capture
* Reference: TR-DMIN
* Objective: Data minimization
* Preparation: Packet capture during typical hour of use and document all data sent to the VPN provider, label it all as to PII or not, and justify all PII sent, and document if it is kept or not, for how long, who it is shared with, how it is stored, how the user consents to it, record of user consent
* Activities: Review the documentation of the packet capture for PII and see if any of it was collected without authorization
* Verdict: All PII collected has a record of authorization by the user => PASS, otherwise FAIL
* Evidence: Packet capture, documentation of PII, authorization, justification
#### 5.2.X.x **MI-NPII-2**:
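Review bot: MI-NPII-1 carries two overlapping descriptions of the same mitigation, the unstructured "Document all data sent to the VPN provider..." paragraph with its "* Test / * Result / * Output" lines and the structured "* Reference / * Objective / * Preparation / ... / * Evidence" block, and the "Preparation:" entry repeats the paragraph almost verbatim. Suggest keeping only the structured block so there is one source of truth for the test. Two further consistency points in this hunk: the "### 5.2.X **TR-NPII**:" heading is empty (no title, no requirement text) while MI-NPII-1 references "TR-DMIN" rather than TR-NPII, so either the heading needs its requirement or the mitigation identifier should follow the requirement it references; and "The VPN provider shall not collect PII without explicit authorization." appears both under TR-DMIN and again inside MI-NPII-1, which should state the mitigation rather than restate the requirement. The "> Copy-n-paste mitigation format" blockquote reads as a leftover template marker and should probably be removed before the section is finalized.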
@@ -253,6 +246,27 @@ VPN provider shall not send PII outside of the endpoint at all.
* Result: No PII is sent
* Output: Packet capture
#### 5.2.X.x **MI-NPII-3**:
The VPN provider shall not require PII for use of the product, including for payment.
* Reference: TR-NPII
* Objective: Confidentiality
* Preparation: Follow the instructions to use the product and start a VPN connection, selecting the options that require the least PII, recording all data entered
* Activities: Examine the data entered looking for PII
* Verdict: If there is any PII in the data entered => PASS, otherwise => FAIL
* Evidence: The record of data entered with a short description of each part saying why it is not PII
| Risk factors | Requires mitigations |
|----------------------|------------------------|
| any | NPII-1, NPII-2, |
| DAT == 2 or FUN == 2 | NPII-1, NPII-2, NPII-3 |
| Security Profile | Requires mitigations |
|----------------------|------------------------|
| UC-1, UC-2, UC-4 | NPII-1, NPII-2 |
| UC-3 | NPII-1, NPII-2, NPII-3 |
## Notes - will go away in final version
### Don't write generic technical requirements
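Review bot: the verdict for MI-NPII-3 is inverted: "* Verdict: If there is any PII in the data entered => PASS, otherwise => FAIL" gives a PASS to the case the mitigation is meant to prevent. It should read "If there is no PII in the data entered => PASS, otherwise => FAIL", matching the Evidence line, which asks for a description of each entered field "saying why it is not PII". Smaller points in the same hunk: MI-NPII-2 has "* Result" and "* Output" lines but no "* Test" line and none of the Reference/Objective/Preparation/Activities/Verdict/Evidence fields used by NPII-1 and NPII-3, so its test procedure is undefined; the first risk-factor table row "| any | NPII-1, NPII-2, |" has a trailing comma; and both tables would be easier to check if the "any" row were explicitly documented as the baseline that the "DAT == 2 or FUN == 2" and "UC-3" rows extend with NPII-3.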
@@ -270,6 +284,17 @@ The generic cross-vertical versions of the following requirements are a work in