- From: Steven Rowat <steven_rowat@sunshine.net>
- Date: Sat, 20 Feb 2016 17:03:19 -0800
- To: public-credentials@w3.org
On 2/20/16 8:32 AM, Timothy Holborn wrote: > I'm investigating similar ideas with the hope to pursue via ISOC for > storage of personal data on SoLiD / Credentials related software > platforms operated by service providers. It's all good and well trying > to help maintain people's rights, yet, once it's operating on service > provider infrastructure, often all they need to do is change their TOS > then use the data however they want, which when considering SoLiD like > technology stacks, might result in unintended honeypots for commercial > use... Perhaps one possible solution to would be linking or incorporating something like ODRL (Open Digital Rights Language) into data packages, so that owners/creators/legal managers of a given set of information can at least define specifically and in a machine-readable way the most important 'Permissions' of what is or isn't allowed to be done with the data. I believe ODRL avoids getting into legal definitions because these vary worldwide; instead they make a common vocabulary to define what the intent of the creator/holder is with respect to the data. This would at least ensure that those using the data could not plead 'there was no restriction on the use of this data that we knew about'. Steven > > Theory is, contract law is demonstrated via various means to provide > the capacity via commercial disincentives, to effectively manage and > fund litigation / enforcement costs should it be made necessary... > > Tim. > > > On Sun, 21 Feb 2016 at 3:21 AM, Steven Rowat > <steven_rowat@sunshine.net <mailto:steven_rowat@sunshine.net>> wrote: > > On 2/20/16 7:54 AM, Timothy Holborn wrote: > > Also note the use of the term "subject"[1] > > > > [1] > > > http://www.wired.com/wp-content/uploads/2016/02/Apple-iPhone-access-MOTION-TO-COMPEL.pdf > > Tim, just to clarify.... (that's a 35-page document, scanned and so > non-searchable, which is a bit daunting without some other guidance). > > You mean the use on page 3 of "...THE FBI'S SEARCH OF THE SUBJECT > DEVICE..." [caps original]. ? > > Steven > > > > > > On Fri, 19 Feb 2016 at 6:06 AM, Rob Trainer > > <rob.trainer@accreditrust.com <mailto:rob.trainer@accreditrust.com> > > <mailto:rob.trainer@accreditrust.com > <mailto:rob.trainer@accreditrust.com>>> wrote: > > > > > https://stratechery.com/2016/apple-versus-the-fbi-understanding-iphone-encryption-the-risks-for-apple-and-encryption/ > > > > > ____ > > > > __ __ > > > > *Rob Trainer | Vice President of Technology____* > > > > *Accreditrust Technologies, LLC____* > > > > C: 410.303.9303____ > > > > E: rob.trainer@accreditrust.com > <mailto:rob.trainer@accreditrust.com> > > <mailto:rob.trainer@accreditrust.com > <mailto:rob.trainer@accreditrust.com>>____ > > > > W: www.accreditrust.com <http://www.accreditrust.com> > <https://www.accreditrust.com/>____ > > > > __ __ > > > > TrueCred-Signature-Logo____ > > > > __ __ > > > > *From:*Timothy Holborn [mailto:timothy.holborn@gmail.com > <mailto:timothy.holborn@gmail.com> > > <mailto:timothy.holborn@gmail.com > <mailto:timothy.holborn@gmail.com>>] *Sent:* Thursday, February 18, > > 2016 1:50 PM *To:* Dave Longley <dlongley@digitalbazaar.com > <mailto:dlongley@digitalbazaar.com> > > <mailto:dlongley@digitalbazaar.com > <mailto:dlongley@digitalbazaar.com>>>; W3C Credentials Community > > Group <public-credentials@w3.org <mailto:public-credentials@w3.org> > > <mailto:public-credentials@w3.org > <mailto:public-credentials@w3.org>>> *Subject:* Re: Rule of law____ > > > > __ __ > > > > Reviewing the TOS[1] I always find interesting, > > > > Yet essentially, the issue remains including but not exclusive to > > service operators / device vendors, et.al <http://et.al> > <http://et.al>. > > > > Whilst I entirely agree, accountability is v.important for > > law-enforcement, and, I'm not American, don't get to vote in the > > US, so, I prefer local context that enables me to lobby for changes > > to law should that be necessary; rule of law, kinda needs to be > > supported... > > > > The identifiers in this case include particular FBI representatives > > on particular machines carrying out particular tasks for a > > particular case, with particular court approvals, on a particular > > phone that has an array of other identifiers both identifying that > > Phone to be unique, and that it is indeed associated to the > > court-order related suspect (person). > > > > So, IMHO, there's enough keys there to make those old films scenes > > of the two keys turned simultaneously to launch the weapon, whether > > in submarine or otherwise, look kinda antiquated. > > > > You could put additional requirements, like sensor requirements - > > it needs to see a specially encoded 2d barcode, within a particular > > GPS location, etc. etc. > > > > It's not all or nothing, and any president would want it that way I > > imagine. We all want phones that don't get hacked, but we are > > subject to rule of law for which we are all accountable, no matter > > who we work for or what we do. Isn't that the theory? > > > > I also note, online child sexual exploitation law enforcement teams > > locally, apparently couldn't use semantic / image analytics to > > automatically flag content. If Interpol made that capability > > available, would you allow processing for specific use? Perhaps if > > the gov issue them a credential to including specified capabilities > > for which citizens have a right to fair trial / court / access to > > justice, etc. > > > > Is it Apple, Facebook, Google who that makes the decision about how > > image processing can be used? Do you need to send them your blood > > sample to have it checked? What ads do you get after you've got > > your blood tested? Insurance offers the same? > > > > Market based 'knowledge banking' providers, with really good > > outlines for data ownership. > > > > Yet if the law says 'you've been sent to war'.... If a judge says > > open it. Then to say it's all or nothing, seems incorrect... > > > > We've been working on solutions here... I guess they'll say, no > > solution currently available to market can solve this problem, or > > some similar thing? > > > > Meh. > > > > > > [1] http://images.apple.com/legal/sla/docs/iOS91.pdf____ > > > > __ __ > > > > On Fri, 19 Feb 2016 at 5:29 AM, Dave Longley > > <dlongley@digitalbazaar.com <mailto:dlongley@digitalbazaar.com> > <mailto:dlongley@digitalbazaar.com > <mailto:dlongley@digitalbazaar.com>>> > > wrote:____ > > > > On 02/18/2016 12:50 PM, Timothy Holborn wrote: > >> So, > >> > >> I assume apple[1] can decrypt it. > > > > I think that's a big assumption. Have they said that? I don't know > > how they do their encryption, but if they are using symmetric > > encryption where the key is derived from a password only the user > > knows, then, no, they can't decrypt it. Unless the password is > > easily guessable, it's not feasible to brute force attack the > > encryption. > > > >> So, the issue is how to trust gov? Locally or internationally? > >> > >> Couldn't a bunch of approved credentials be used to present > > something > >> at the phone that in-turn allows that device to say, > > recognise the > >> president said - executive orders - open it. > > > > You could do two forms of encryption: one for the user and one > > using a public key owned and protected by the government. Of > > course, then the government can read everyone's private data. > > > > I suppose you could require a credential from a court (signed by > > the court's public key) indicating a court order was granted to > > the government in order to use their key to read the data ... but > > it's all a little unclear as to whether or not these protections > > would actually be followed, or rather, if they weren't, that a > > violation of them could be easily detected. > > > > > > -- Dave Longley CTO Digital Bazaar, Inc. > > http://digitalbazaar.com____ > > >
Received on Sunday, 21 February 2016 01:03:52 UTC