One great thing about Persona is that it doesn't have to get involved every time I log into some website. The keys can be cached, so Persona doesn't need to know which websites I visit the most frequently, how long I spend on each site, which pages I read, etc. Persona just provides the identity and stops there. In that sense, Persona's very design makes it an unattractive target of surveillance. Not much data there.
Right now, Mozilla knows my email address, my (hopefully salted and hashed) password, some keys associated with said password, and the set of IP addresses from which I ever accessed Persona. Maybe also the set of IP addresses from which its key was requested, but that's not a particularly useful piece of information when NSA is trying to figure out what I'm up to.
However, two of the planned changes to Persona get me worried a little. The first is that Persona will allow people to add multiple email addresses to each account and choose which one to use at any given time. This means that if NSA gains access to the contents of a Persona server, they'll be able to link several (seemingly unrelated) email addresses to the same account. If you're a heavy Redditor, imagine that somebody will be able to find out every throwaway account that you made and abandoned over the years to talk about things you don't want traced back to you. That's the sound of the Eureka! that the NSA agent utters when he finds out that the person who has been posting anti-factory-farming comments all over the place is actually the same guy who retweeted some anti-Esso catchphrase, who is the same guy whose personal blog contains pictures from a recent trip to Pakistan.
My second worry is that Mozilla expects email service providers to serve as a Persona provider for their users. If I'm not sure whether I want to trust the Mozilla Foundation (the good guys) with information about my various alter egos, I'm definitely going to be wary of giving Google, Yahoo, and Microsoft the same kind of information. Although it's possible for you to be your own Persona provider, realistically, not many people are their own OpenID providers at the moment, and not many of them are going to be their own Persona provider, either. Decentralization is often advertised as one of the better features of Persona, but I suspect that it's going to remain little more than an advertisement. Everyone else will just use Google-hosted Persona with their Google-hosted email, with no real improvement of privacy.
Unless I'm mistaken[1], right now the popup that has multiple emails in it is the part that will eventually become native to the browser itself, so no service should have access to that list of multiple emails.
Each of those emails is instead tied to an identity provider: for example, you might have a GMail address that uses Google as the IdP, while a Yahoo one would use Yahoo as the IdP. But Google and Yahoo don't actually know that you're using multiple emails to log in to stuff; they only deal with the emails you register with them.
What happens right now is that Mozilla Persona hosts the JS-powered popup that lets you choose between emails, so we end up with that info. This is for use in the short-term and for older browsers, but long term I think it will shift to client-side only.
[1] I work for Mozilla, but not on the Persona project, so there is a chance that I'm completely wrong. Doh!
When I log into persona.org, it seems to allow me to remove my (currently only) email address by clicking the first blue "Edit" button and then clicking "Remove" next to my email address. So I assumed that, in the future, I might also be able to add email addresses. Sorry if I was wrong about this.
You can add email addresses now; this is just for the bridge, so it allows you to use alternate addresses to log in with. It's not specific to Persona; it's just how they designed the current bridge (which they aim to phase out in the long run).