
Re: Use-Cases - pseudo-anonymity examples

From: Timothy Holborn <timothy.holborn@gmail.com>
Date: Wed, 02 Mar 2016 09:57:16 +0000
Message-ID: <CAM1Sok2teiMbGQnkRN8_-ih+BNkz8TX4oQm-9U5NVnr7M=QbDQ@mail.gmail.com>
To: public-credentials@w3.org
Cc: Steven Rowat <steven_rowat@sunshine.net>

I've spent some time today trying to put together a succinct set of
concepts around considerations that relate to pseudo-anonymity, and how it
may be achieved whilst still providing effective means for a
non-blockchain methodology for accountability (and trust).

On Wed, 2 Mar 2016 at 10:21 Steven Rowat <steven_rowat@sunshine.net> wrote:

> On 3/1/16 9:30 AM, msporny@digitalbazaar.com wrote:
> > Manu Sporny:  Please send feedback on the mailing list, the
> >    VCTF/Credentials CG/ or WPIG mailing list, whichever you have
> >    access to.  ...[snip]...
> > Manu Sporny:  So also feedback on the use cases.
>
> +1 to Pseudo-Anonymity remaining as an "Essential" claim as now
> provided in the Use Cases document. I'd be very distressed if it was
> chopped for any reason. Glad to see it still there! :-)
>
+1 Yet, the term Pseudo-Anonymity was, from memory, defined as distinct from
anonymity, as the capacity to provide true anonymity was considered to be
impossible.  Therein it seems important to define the reasoning and intended
qualities whilst considering the concept of pseudo-anon as it was intended
to be, in providing documented examples and constituents of what the
spec supports and how the intended purpose may be delivered effectively.

IMHO: the reasoning for the use of the term 'pseudo-anonymity' was due to
the concept of True Anonymity or 100% secure being impossible.  As was
described to me many years ago, 100% secure is a quality that relates to
something that doesn't actually exist.

Yet the concept of pseudo-anonymity has an array of design requirements if
it is to be effectively made available in a manner that still supports
accountability or qualities of trust.  Therein additional complexities
relate to the means in which pseudo-anonymity properties do not unduly
limit accessibility to the trust and/or accountability properties so as to
produce a discriminatory outcome, such as may produce the unintended outcome of
financial barriers blockading the trustworthiness of an actor; for reasons
that may include, but not be exclusive to, the operating cost of the
technology lifecycle itself as to support its intended functional / service
properties.

CONCEPT:  Perhaps the existing cost/function marker to compare against, for
technology that supports decentralised accountability and
pseudo-anonymity, is the operation of block-chain based solutions.  I
believe other aspects of block-chain based solutions include both the
amount of energy used, and how it scales to provide a particular capability
around the number of transactions per second.

Ideally this solution would have economic benefits as an alternative for
particular use-cases best suited to this technology solution / related
apparatus.

> But... in support of that: to get future readers of the document to
> agree on its importance, I believe the single scenario given (June
> going to buy a bottle of wine and not wishing to divulge anything
> other than age) doesn't adequately convey the scope of why this is
> essential, society-wide.
>
>
IMHO, two aspects interact greatly.

1. Accountability factors, which include but are not limited to:

- The ability to identify whether an assumption is correct.
- The ability to identify influences on any false assumptions.
- The ability to identify the scope of valid assumptions.
- The ability to effectively interpret the specific definition of a valid assumption.
- The ability to remediate erroneous assumptions.
- The ability to verify the validity of a statement to be true.
- The ability to apply specificity to a statement.
- The ability to validate 'fit for purpose' in relation to the specified statement.
- The ability to break down statements into specified claims.
- The ability to consider the 'trust provider' of specified claims.
- The ability to declare the methodology used to form an assumption.

NOW THEREFORE:

IMHO, the authoring considerations for creds / HTTP Signed docs can be
produced in a very modular fashion that in turn provides referencing
between granular claims.

In current RDBMS / SILO based applications; a single 'trust provider' or
'claims provider' details the scope of claims about the subject via the
singular provider.  This functionality in-turn (IMHO) relates to the
technical capacities of RDBMS systems as distinct to the additional
functionality provided by Linked-Data enabled systems and the use of
web-addressable ontological definitions; inclusive of 'SameAs' statements,
which in-turn may be subjected to verification by authoritative agents.

In turn, Credentials / Verifiable Claims can use an array of authoritative
agents which in turn may be packaged together to create a bigger claim.  If
data about eyesight changes, then that may be automatically referenced by a
driver's license claim that incorporates a reference to the medical
clinician.

Yet equally, whether someone inspecting that credential (which could in
future be a motor vehicle's computer, say on a mining site) knows why the
credential failed is different.  As are the implications of ensuring
'trust' across the contributors for a sophisticated incorporated
credential.  If someone has a bad relationship break-down, how easy would
it be for them to make a particular claim that may have wide-spread
consequences?  I.e.: husband is upset with soon-to-be ex-wife, so generates a
medical credential that says they're blind or have another problem that
invalidates other verifiable claims.

These sorts of use-cases relate to the accountability systems which in turn
provide the scientific methodology in which to consider the term 'trust'.
If we don't know if an agent has 'got in' and 'changed a record', then it
is a possibility that an agent got in and changed a record erroneously. If
no available agent is able to check whether that is the case or not, then
it is a viable possibility (regardless of the plausibility or likelihood
considered by others that it may be, or is, a consideration worth checking).

QUESTION:  Given that the existing methodology for referencing RDF schemas is via
HTTP URIs, is it therefore important to consider (perhaps as later or
future work) the concept of decentralising the ontological schemas?

Different territories have different prerequisites for particular claims.
In this way, for example, a driver's license is not the same qualification
in every region as sourced from any one particular region.  I'm sure other
instances of these sorts of conditional statements exist.

Within the Education market (as an example); that may relate to learning
outcomes of particular units as they collectively produce a statement of a
degree.  Therein, the learning outcomes, the unit descriptions and the
capacities shown as they've been analysed all produce constituents of what
becomes a degree qualification (for example).

In terms of economic efficiencies, the concept of 'recognition of prior
learning' has often been difficult to obtain as the institution is awarded
for enrolments into units, and these enrolment structures have not
traditionally easily supported a plurality of participants who only need a
few of the units for a broader qualification.  Other mechanics can include
the use of specified use-cases embodied within particular texts as means of
assessing prior-learning, which in-turn may relate better to a proprietary
learning strategy (and revenue implication) rather than educational
institutions providing services to industry and community in market-segment
ownership of qualification services of individuals as to ensure workforce
and indeed insurance requirements for effective businesses have a
verifiable basis in which the risks for any particular organisation is made
accountable and considered in terms of merit; which may further be applied
through business analysis in workforce considerations where some
individuals may have gaps, and therefore the organisation may be better
supported by identifying means in which to bridge persons over a project
life-cycle dynamically.

Yet, given the dynamic and distributed nature in which claims may be
processed; I do wonder whether an infrastructure agent is required to
separate the requests from the individual to a larger provider, where
in-effect the request becomes non-specific to the individual; but rather,
to a particular provider, and if this is the case, then at what levels is
technical support required to support that functionality.

One of the related concepts I learnt about the field of statistics is
that whilst the statistics themselves are made available as an anonymised
output, the raw data still needs to be available somewhere to prove the
statistics were not simply 'made up'.

Another may be where those skills were obtained in relation to something
that is subject to a non-disclosure or secrecy agreement or circumstance.

> I'm thinking of the more specific 'protection from known danger'
> scenarios, such as: journalists reporting from countries that threaten
> them with death, scientists whistleblowing from corporate crime,
> novelists writing about their own dysfunctional social milieu.
>
> Any of these scenarios may be of large value to the society, and to
> work best, or work at all in some cases, they require that we can
> identify the origin of the conveyed information as trustworthy without
> needing the originator to broadcast publicly their personal contact
> information.
>
>
In turn, I'm led to believe a decentralised methodology for providing
aggregated service delivery is perhaps one of the better means in which to
support that type of capability whilst also supporting pragmatic means for
pseudo-anonymity.  Yet I also believe that perhaps this is part of a
particular type of methodology that may be a particular utility of
verifiable claims, which has particular functional requirements that need
to be addressed as part of the scope of works; without necessarily solving
all the problems alone.

QUESTION: What consideration has been made about the relationship between
Verified Claims and LDP/SoLiD?  I understand SoLiD currently uses WebID-TLS
as the most significant piece of technology for authentication, privacy and
related functionality support. Yet, IMHO, WebID-TLS seems like a far better
candidate for establishing particular parameters around a particular
machine, rather than a particular user.  What discussion has been had
about the use of both Credentials and WebID-TLS and/or interoperability of
these two technologies within a broader purposeful life-cycle?

WebID-TLS is a seemingly useful technology to identify aspects of computer
usage, such as whether an actor is using a corporate computer (where data
is presumed owned by the company) vs. a personal device.  Or indeed, the
ability to create machine-readable distinctions that are agreed upon
between various legal entities for session-level application, in relation
to a human's use of a device and in turn their expectations of
pseudo-anonymity.

Additionally; I think it is worthwhile noting (IMHO) that in many areas of
law, consideration is made in relation to the concept of 'damages', and if
the data is deemed to be 'valueless' then there is in-effect no damages
that are applicable, should that data be used for purposes not expressly
permitted or intended.  These elements in-turn may seemingly be addressed
through contract law, yet for the purpose of specifications; what elements
of the technology definition would need to be considered as part of a
life-cycle that supports access or application of justice with regard to
misuse or intentional exploitation of personal data without explicit
agreement?

The capacity to make user-centric declarations about expectations of
specified use ("data rights", as was discussed some time ago) may form an
ontological set of requirements that can further support users; yet, I am
unsure of how those pieces of work relate to the future specificity of the
Verifiable Claims works. Indeed the beneficiaries for any such additions
may be both natural legal entities and within the field of commerce between
organisations, where 'agreement terms' may be carried out in a manner that
lowers the cost of 'deal-flow', by way of digitally asserting standardised
agreement terms.

Further considering the relationship between more effective or efficient
licensing vs. data-aggregation and commercial reuse: I think, overall, a
very complex area of consideration.

With regard to the recent case of a court order and Apple Computers (vs.
FBI), the concept of trust is being electronically tested in a variety of
ways as a result.  Whether it be through the various opinions of what was
said/requested, what the options were, or the specificity of the words used
in the court and how they've been translated for subjective opinion by the
world of internet users.

IMHO, trust or trustworthiness relates specifically to the outcomes borne by
way of the assumption matrix which provides the basis in which to form a
position whereby an actor decides to 'trust' something, in relation to
their needs for a specified purpose.  Should assumptions be poorly
supported by claims that are made available in an accountable and specified
way, unintended consequences, indeed including significant harm, can be
borne through such misunderstandings.

I'm not sure to what level we could aim to address that problem digitally
whilst simultaneously doing so in a manner that services pseudo-anonymity
as best as is plausibly viable.  The idea of an infrastructure agent
providing 'yes'/'no' answers is amongst the more important
considerations.  I think also a means in which to 'rate' claims may also
be important.  If an online university of some weird country issues a PhD
claim for a quick $100, or a person can get their 'lord' prefix asserted to
their name for purchasing 1 square metre of the moon, or some other bit of
land, then it is different to the normalised consideration made by similar
claim outcomes.  I'm sure a great deal of that is part of the ontological
references produced by agents, yet perhaps important as part of the means
to support an effective 'yes/no' anonymised response.

IMHO: Usually in the real world, the concept of trust relates very much to
the concept of 'agreement', and as such is a symmetrical concept when
applied in its true form. Asymmetrical trust is seemingly a distinct
concept that better considers the concept of 'assertion' rather than the
concept of symmetrical trust, which relates to the concept of 'agreement',
'agreed fact', 'mutually agreed fact', or 'mutually trusted fact/s'.

I also think we have an opportunity for human advancement should we improve
our means for verification of claims, and that the means in which a person
with the least financial means may present their case most effectively to a
court of law to seek that mix between 'rule of law' and 'natural justice',
embodying so many other things, shouldn't be at the cost of personal
liberty.

SUMMARY

I think overall, the realised definition of pseudo-anonymity would depend
on the implementation strategy.  My hope is that the considerations above
provide an array of (attack) vectors that may be considered in relation to
the strategies that may be employed, and the cross-functional segmentation
analysis that relates to the delivery of outcomes; and effective
operational properties.

> June and the bottle doesn't convey those use-cases for me, although
> it's technically still a pseudo-anonymity. It's important also, but
> different. So I think we need at least one of each kind.
>
>
> Steven Rowat
>
>
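The "infrastructure agent providing 'yes'/'no' answers" and the "has an agent got in and changed a record" concerns from the message above, worked through as an added example. This code is not from the thread or from any W3C project: it models an agent that holds a holder's raw data (a constructed date of birth) keyed by a pseudonym, answers a verifier's predicate question ("age >= 18?") with only a MAC-protected yes/no bound to the verifier's nonce, and appends every answer to a hash-chained audit log so a silently edited or dropped record is detectable. Key, pseudonyms, dates and the `agent:example` identifier are all constructed; HMAC with a key shared between agent and verifier stands in for the issuer signature a real deployment would use.

```python
"""Added example: minimal-disclosure yes/no agent with a tamper-evident audit log.

Everything here is constructed for illustration; it is not an implementation
of the Verifiable Claims or Credentials specifications.
"""
import hashlib
import hmac
import json
from datetime import date

# Constructed shared key between the agent and a verifier that trusts this
# agent as its 'trust provider' for age predicates (assumption, not a spec).
AGENT_KEY = b"constructed-agent-verifier-key"

# Constructed "today" so that results are stable; a real agent uses date.today().
TODAY = date(2016, 3, 2)

# Constructed raw records, held only by the agent and keyed by pseudonym,
# never by legal name. The verifier never receives these.
HOLDER_RECORDS = {
    "pseudonym:7f3a": {"dob": date(1990, 5, 14)},
    "pseudonym:c21e": {"dob": date(2010, 1, 3)},
}

GENESIS = "0" * 64  # chain anchor for the first audit entry


def _age_on(dob: date, today: date) -> int:
    """Whole years lived between dob and today."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def _mac(payload: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the answer fields."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AGENT_KEY, canonical, hashlib.sha256).hexdigest()


class Agent:
    """Holds raw data, answers predicates, and logs each answer in a hash chain."""

    def __init__(self):
        self.audit_log = []
        self._prev = GENESIS

    def answer_over_age(self, pseudonym: str, threshold: int, nonce: str,
                        today: date = TODAY) -> dict:
        record = HOLDER_RECORDS.get(pseudonym)
        if record is None:
            raise KeyError("unknown pseudonym")
        answer = {
            "subject": pseudonym,               # pseudonym only, no name or DOB
            "predicate": f"age>={threshold}",
            "result": _age_on(record["dob"], today) >= threshold,
            "nonce": nonce,                     # verifier-chosen; defeats replay
            "issuer": "agent:example",          # constructed agent identifier
        }
        mac = _mac(answer)
        answer["mac"] = mac
        self._log(answer)
        return answer

    def _log(self, answer: dict) -> None:
        body = json.dumps(answer, sort_keys=True)
        digest = hashlib.sha256((self._prev + body).encode()).hexdigest()
        self.audit_log.append({"prev": self._prev, "body": body, "hash": digest})
        self._prev = digest


def verify_answer(answer: dict, expected_nonce: str, expected_predicate: str) -> bool:
    """Verifier side: the answer must be bound to our nonce and our question,
    and the MAC must cover every field except the MAC itself."""
    if answer.get("nonce") != expected_nonce:
        return False
    if answer.get("predicate") != expected_predicate:
        return False
    body = {k: v for k, v in answer.items() if k != "mac"}
    return hmac.compare_digest(_mac(body), answer.get("mac", ""))


def audit_log_intact(log: list) -> bool:
    """Recompute the chain; an edited, reordered or dropped entry breaks it."""
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev:
            return False
        expected = hashlib.sha256((prev + entry["body"]).encode()).hexdigest()
        if entry["hash"] != expected:
            return False
        prev = expected
    return True


if __name__ == "__main__":
    agent = Agent()
    reply = agent.answer_over_age("pseudonym:7f3a", 18, nonce="nonce-constructed-1")
    print(json.dumps(reply, indent=2))
    print("verified:", verify_answer(reply, "nonce-constructed-1", "age>=18"))
    print("audit log intact:", audit_log_intact(agent.audit_log))
```

The verifier learns only the boolean, the predicate it asked, and the pseudonym it was already given; the birth date never leaves the agent. The nonce check is what stops a stale "yes" from being presented a second time, and the hash chain is what lets a later reviewer (the "available agent" able to check whether a record was changed) detect an alteration without needing to trust the agent's word for it.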
Received on Wednesday, 2 March 2016 09:57:59 UTC