W3C home > Mailing lists > Public > public-credentials@w3.org > February 2016

Re: Rule of law

From: Timothy Holborn <timothy.holborn@gmail.com>
Date: Sat, 20 Feb 2016 15:54:28 +0000
Message-ID: <CAM1Sok18N07Vy9pWmwD+mW-V7OQeBccSw6zSC2FWcRLXDMu6gA@mail.gmail.com>
To: Dave Longley <dlongley@digitalbazaar.com>, Rob Trainer <rob.trainer@accreditrust.com>, W3C Credentials Community Group <public-credentials@w3.org>
Also note the use of the term "subject"[1]

[1]
http://www.wired.com/wp-content/uploads/2016/02/Apple-iPhone-access-MOTION-TO-COMPEL.pdf

On Fri, 19 Feb 2016 at 6:06 AM, Rob Trainer <rob.trainer@accreditrust.com>
wrote:

>
> https://stratechery.com/2016/apple-versus-the-fbi-understanding-iphone-encryption-the-risks-for-apple-and-encryption/
>
>
>
> *Rob Trainer | Vice President of Technology*
>
> *Accreditrust Technologies, LLC*
>
> C: 410.303.9303
>
> E: rob.trainer@accreditrust.com
>
> W: www.accreditrust.com
>
>
>
> [image: TrueCred-Signature-Logo]
>
>
>
> *From:* Timothy Holborn [mailto:timothy.holborn@gmail.com]
> *Sent:* Thursday, February 18, 2016 1:50 PM
> *To:* Dave Longley <dlongley@digitalbazaar.com>; W3C Credentials
> Community Group <public-credentials@w3.org>
> *Subject:* Re: Rule of law
>
>
>
> Reviewing the TOS[1] I always find interesting,
>
> Yet essentially, the issue remains including but not exclusive to service
> operators / device vendors, et.al.
>
> Whilst I entirely agree, accountability is v.important for
> law-enforcement, and, I'm not American, don't get to vote in the US, so, I
> prefer local context that enables me to lobby for changes to law should
> that be necessary; rule of law, kinda needs to be supported...
>
> The identifiers in this case include particular FBI representatives on
> particular machines carrying out particular tasks for a particular case,
> with particular court approvals, on a particular phone that has an array of
> other identifiers both identifying that Phone to be unique, and that it is
> indeed associated to the court-order related suspect (person).
>
> So, IMHO, there's enough keys there to make those old films scenes of the
> two keys turned simultaneously to launch the weapon, whether in submarine
> or otherwise, look kinda antiquated.
>
> You could put additional requirements, like sensor requirements - it needs
> to see a specially encoded 2d barcode, within a particular GPS location,
> etc. etc.
>
> It's not all or nothing, and any president would want it that way I
> imagine. We all want phones that don't get hacked, but we are subject to
> rule of law for which we are all accountable, no matter who we work for or
> what we do. Isn't that the theory?
>
> I also note, online child sexual exploitation law enforcement teams
> locally, apparently couldn't use semantic / image analytics to
> automatically flag content. If Interpol made that capability available,
> would you allow processing for specific use? Perhaps if the gov issue them
> a credential to including specified capabilities for which citizens have a
> right to fair trial / court / access to justice, etc.
>
> Is it Apple, Facebook, Google who that makes the decision about how image
> processing can be used? Do you need to send them your blood sample to have
> it checked? What ads do you get after you've got your blood tested?
> Insurance offers the same?
>
> Market based 'knowledge banking' providers, with really good outlines for
> data ownership.
>
> Yet if the law says 'you've been sent to war'.... If a judge says open it.
> Then to say it's all or nothing, seems incorrect...
>
> We've been working on solutions here... I guess they'll say, no solution
> currently available to market can solve this problem, or some similar
> thing?
>
> Meh.
>
>
> [1] http://images.apple.com/legal/sla/docs/iOS91.pdf
>
>
>
> On Fri, 19 Feb 2016 at 5:29 AM, Dave Longley <dlongley@digitalbazaar.com>
> wrote:
>
> On 02/18/2016 12:50 PM, Timothy Holborn wrote:
> > So,
> >
> > I assume apple[1] can decrypt it.
>
> I think that's a big assumption. Have they said that? I don't know how
> they do their encryption, but if they are using symmetric encryption
> where the key is derived from a password only the user knows, then, no,
> they can't decrypt it. Unless the password is easily guessable, it's not
> feasible to brute force attack the encryption.
>
> > So, the issue is how to trust gov? Locally or internationally?
> >
> > Couldn't a bunch of approved credentials be used to present something
> > at the phone that in-turn allows that device to say, recognise the
> > president said - executive orders - open it.
>
> You could do two forms of encryption: one for the user and one using a
> public key owned and protected by the government. Of course, then the
> government can read everyone's private data.
>
> I suppose you could require a credential from a court (signed by the
> court's public key) indicating a court order was granted to the
> government in order to use their key to read the data ... but it's all a
> little unclear as to whether or not these protections would actually be
> followed, or rather, if they weren't, that a violation of them could be
> easily detected.
>
>
> --
> Dave Longley
> CTO
> Digital Bazaar, Inc.
> http://digitalbazaar.com
>
>


image001.png
(image/png attachment: image001.png)

Received on Saturday, 20 February 2016 15:55:07 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 July 2018 21:19:27 UTC