
Re: Rule of law

From: Timothy Holborn <timothy.holborn@gmail.com>
Date: Thu, 18 Feb 2016 18:49:36 +0000
Message-ID: <CAM1Sok3K1nr+mW9mhZbVd3D6yDxmZfndbt7zAit3Pq1y_coqOg@mail.gmail.com>
To: Dave Longley <dlongley@digitalbazaar.com>, W3C Credentials Community Group <public-credentials@w3.org>

Reviewing the TOS[1] I always find interesting,

Yet essentially, the issue remains including but not exclusive to service
operators / device vendors, et al.

Whilst I entirely agree, accountability is v.important for law-enforcement,
and, I'm not American, don't get to vote in the US, so, I prefer local
context that enables me to lobby for changes to law should that be
necessary; rule of law, kinda needs to be supported...

The identifiers in this case include particular FBI representatives on
particular machines carrying out particular tasks for a particular case,
with particular court approvals, on a particular phone that has an array of
other identifiers both identifying that Phone to be unique, and that it is
indeed associated to the court-order related suspect (person).

So, IMHO, there's enough keys there to make those old film scenes of the
two keys turned simultaneously to launch the weapon, whether in submarine
or otherwise, look kinda antiquated.

You could put additional requirements, like sensor requirements - it needs
to see a specially encoded 2d barcode, within a particular GPS location,
etc. etc.

It's not all or nothing, and any president would want it that way I
imagine. We all want phones that don't get hacked, but we are subject to
rule of law for which we are all accountable, no matter who we work for or
what we do. Isn't that the theory?

I also note, online child sexual exploitation law enforcement teams
locally, apparently couldn't use semantic / image analytics to
automatically flag content. If Interpol made that capability available,
would you allow processing for specific use? Perhaps if the gov issue them
a credential to include specified capabilities for which citizens have a
right to fair trial / court / access to justice, etc.

Is it Apple, Facebook, Google who makes the decision about how image
processing can be used? Do you need to send them your blood sample to have
it checked? What ads do you get after you've got your blood tested?
Insurance offers the same?

Market based 'knowledge banking' providers, with really good outlines for
data ownership.

Yet if the law says 'you've been sent to war'.... If a judge says open it.
Then to say it's all or nothing, seems incorrect...

We've been working on solutions here... I guess they'll say, no solution
currently available to market can solve this problem, or some similar
thing?

Meh.


[1] http://images.apple.com/legal/sla/docs/iOS91.pdf

On Fri, 19 Feb 2016 at 5:29 AM, Dave Longley <dlongley@digitalbazaar.com>
wrote:

> On 02/18/2016 12:50 PM, Timothy Holborn wrote:
> > So,
> >
> > I assume apple[1] can decrypt it.
>
> I think that's a big assumption. Have they said that? I don't know how
> they do their encryption, but if they are using symmetric encryption
> where the key is derived from a password only the user knows, then, no,
> they can't decrypt it. Unless the password is easily guessable, it's not
> feasible to brute force attack the encryption.
>
> > So, the issue is how to trust gov? Locally or internationally?
> >
> > Couldn't a bunch of approved credentials be used to present something
> > at the phone that in-turn allows that device to say, recognise the
> > president said - executive orders - open it.
>
> You could do two forms of encryption: one for the user and one using a
> public key owned and protected by the government. Of course, then the
> government can read everyone's private data.
>
> I suppose you could require a credential from a court (signed by the
> court's public key) indicating a court order was granted to the
> government in order to use their key to read the data ... but it's all a
> little unclear as to whether or not these protections would actually be
> followed, or rather, if they weren't, that a violation of them could be
> easily detected.
>
>
> --
> Dave Longley
> CTO
> Digital Bazaar, Inc.
> http://digitalbazaar.com
>
Received on Thursday, 18 February 2016 18:50:15 UTC
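
An added example, not part of the original thread or of either participant's code: the quoted reply's point that a key derived from a password only the user knows cannot be recovered by the service, and that the remaining risk is a guessable password. PBKDF2-HMAC-SHA256, the iteration count, the record layout and the guess rate are assumptions for illustration and do not describe any real device.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor, not taken from any real device


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a password into a 256-bit symmetric key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """What the service stores: salt, cost and a key-check value, never the key."""
    salt = os.urandom(16)
    key = derive_key(password, salt, iterations)
    check = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def unlocks(record: dict, candidate: str) -> bool:
    """True only if the candidate password re-derives the same key."""
    key = derive_key(candidate, record["salt"], record["iterations"])
    expected = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return hmac.compare_digest(expected, record["check"])  # constant-time compare


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible passwords of exactly this length."""
    return alphabet_size ** length


def worst_case_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Time to try every password at the given (assumed) guess rate."""
    seconds = keyspace(alphabet_size, length) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    record = make_record("correct horse battery staple")  # constructed sample
    print(unlocks(record, "correct horse battery staple"), unlocks(record, "123456"))
    rate = 10_000.0  # assumed guesses per second
    print(f"4-digit PIN: {worst_case_years(10, 4, rate):.2e} years")
    print(f"12 random alphanumerics: {worst_case_years(62, 12, rate):.2e} years")
```

The stored record is enough to check a candidate password but not to recover the key, so the only variables that matter are the size of the password space and the cost per guess.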
