This repository has been archived by the owner on Dec 6, 2023. It is now read-only.

Cell phone number requested upon SPID authentication, but not used/available #249

Open
djechelon opened this issue Sep 14, 2021 · 0 comments


I would like to open an issue to the development team with regard to a non-critical privacy issue.

In a discussion on Forum Italia, a community member complains that they are able to see someone else's payment cards based on the equality of the cell phone number.

In this issue, however, I'd like to focus on the attributes used for CIE/SPID logins. CIE does not support any mobile phone / email attribute, as this data is not bound to the principal when the card is issued (otherwise one would need to change them in the future before renewing the card). SPID supports both attributes. Email is collected by IO to set up a PagoPA account and give access to payment history.

Today, when re-logging in via SPID, I stumbled upon IO requesting the cell phone number. Aruba, which is my IdP, reveals the information to be submitted before I authorize access.

I also saw that in the "My profile" section of the IO app I can amend my PagoPA email address and I can display the email address issued by SPID (spoiler alert: they are different in my case), but no trace of the mobile phone number.

Proposed solution 1

Remove the mobile phone number from the data requested from SPID, and limit the information to Tax Code and email address. This is to adhere to the data minimization principle. The same could be said about Residence Address.

Proposed solution 2

Display all this information in the "My profile" section, so the user can see what PagoPA knows about them.

Needless to say, I'd prefer the first 😄
