- From: Christopher Allen <ChristopherA@lifewithalacrity.com>
- Date: Mon, 8 Jun 2020 22:23:42 -0700
- To: Credentials Community Group <public-credentials@w3.org>
- Message-ID: <CACrqygDnrey9Z5FZDB8aEf_f5nu0uFi2e29+d43vogUv9TLfhA@mail.gmail.com>

A final version of this Verifiable Credentials bill passed today. First bill I know of authorizing the use of Verifiable Credentials.

A short video: https://share.medcreds.com/WnubKWwO

Bill: http://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201920200AB2004

— Christopher Allen

On Tue, May 5, 2020 at 1:58 PM Christopher Allen <ChristopherA@lifewithalacrity.com> wrote:

> I testified virtually today (Tuesday, May 5th, 2020) in CA Assembly Room 4202, with qualified support of:
>
> ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION (Ed Chau, Chair)
> on AB 2004 (Calderon) – As Amended March 12, 2020
>
> SUBJECT: Verifiable credentials: medical test results
>
> SUMMARY: This bill would permit an issuer of COVID-19 test results or other test results to use verifiable credentials, as defined by the World Wide Web Consortium (W3C), for the purpose of providing test results to individuals. The bill would also require that verifiable credentials issued for this purpose follow the open source W3C Verifiable Credentials Data Model, including incorporation of decentralized identifiers, verifiable credentials, and JavaScript Object Notation for Linked Data (JSON-LD).
>
> Video at https://share.privatemedcreds.com/lluDExQ8
>
> After the testimony, this bill passed this committee to move forward to the next stage for additional deliberation & amendments.
>
> There were some problems with audio quality, so here is the full text of what I wanted to present.
>
> — Christopher Allen
> 510-908-1066
>
> My name is Christopher Allen, and I am the founder of Blockchain Commons, a benefit corporation supporting security infrastructure, software development, and research. I also speak on behalf of the broader international standards W3C Credentials Community Group where I am a co-chair. My past achievements include being co-author of SSL/TLS, the broadest deployed security standard in the world, and the basis upon which most Internet traffic moves securely.
>
> As regards the subject matter of this bill, I am not a lawyer, regulatory expert, or lobbyist, but I am one of the leading experts on the new security architecture known as Verifiable Credentials and Decentralized Identifiers, the first being now an International Standard through the World Wide Web Consortium, the second in late stages of the international standardization process after 5 years of incubation.
>
> As far as any questions in regards to these underlying technologies themselves for the use by the State of California I do not have reservations — these new technologies offer a number of privacy by design features and address security issues that legacy credential and identity technologies do not. Organizations around the world including the US Department of Homeland Security, the Canadian government, Taiwan, New Zealand, and a number of EU nations are committed to moving toward solutions using these new architectures.
>
> My reservations regarding this bill are less about the efficacy of this technology, but the immaturity of robust health privacy and risk models, adversary analysis, and expected public health benefits in regards to the future use of these for specific public health purposes, which were not included in the original use cases originally defined in these standards. In particular, I feel that specific use of Verifiable Claims for Immunity Credentials require additional risk analysis and possibly additional legislation.
>
> For instance, given the current lack of understanding of the effectiveness of COVID19 immunity test from the public health perspective, I have concerns in regard to the success of the suggested outcomes if an Immunity Credential was rushed to market too soon. In addition, I believe that the use of immunity Credentials may have discriminatory effects that may require additional work for the Assembly to address, such as including whether NOT having a disease can be used as consideration in layoffs, the ability to get fair compensation or unemployment or to apply for disability.
>
> However, I do believe that if the State Assembly is going to authorize some form of investigation, proof of concept, or implementation of new privacy-preserving health care technology, that Verifiable Claims and Decentralized Identifiers should be authorized as being acceptable, as they are the safest architecture available today. Implementors still need to be careful with the details — it is still possible to use these tools in ways that may compromise their intended goals for security & privacy.
>
> That being said, continued use of the current extremely fragmented legacy architectures for identity and personal health information in the health care community has higher risks. I urge you to support allowing the use of new Verifiable Claims international standards in your regulations.
>
> Thank you for the opportunity to speak before the Assembly on this topic. Let me know if you need more details on the topics above or if there are other ways my expertise can be of service.

Received on Tuesday, 9 June 2020 05:24:08 UTC