- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Sat, 28 Mar 2020 04:50:10 +0100
- To: Credentials Community Group <public-credentials@w3.org>
On 2020-03-27 22:02, Joe Andrieu wrote:
>
>
> On Fri, Mar 27, 2020, at 1:44 PM, Anders Rundgren wrote:
>> If centralized registers are not an option, how do you envision that taxation is to be carried out?
>
> GREAT question.
>
> What is needed for things like taxation are unique identifiers that can correlate taxable activities with tax payments.
>
> You can design such systems in ways that better protect the privacy of tax payers:
>
> 1. Stop (even outlaw) using tax identifiers for non-tax activities (like credit)
>
> 2. Separate the identifying records associated with such identifiers, both from each other (they don't need to all be in one place) and from the identifier system. DO NOT store it all in a big single database.
>
> 3. Encrypt the link between identifying records and identifiers and require a court order before allowing anyone to get that link decrypted, to enable due process and the rule of law.
>
> 4. Separate within the operational system, with a series of circuit breakers so that production systems can only get access to the identifying records with multiple independent actors performing a mutual approval. Treat these keys like those that control nuclear bombs.
>
> 5. Allow a myriad of identifiers per taxpayer (tie the legal use of the identifier to payment, not to the person), to defend against service providers who might need to know a given tax identifier. Bring your own ID, using cryptography to prove control of identifiers (DIDs).
>
> 6. NEVER associate any identifiers with anyone's age, ethnicity, health, religion, gender, or any other information that might be used in a manner that could violate their civil or human rights.
>
> 7. Limit access, even with crypto keys, to relatively small subsets of the data, so any given compromise can only discover a small set. Set size will be directly related to complexity of key management, but isolation reduces the risk of mass abuse of the records.
>
> There are other schemes and even this one could be adjusted to meet particular legal requirements, all without a central database that lets the next round of Nazis round up all of any class of people.

All is great except that our current GLOBAL "SSNs", like anders.rundgren.net@gmail.com, are already in thousands of registers.

I leave the discussion there; designing "Nazi-safe" IT-systems is not my cup of tea since such systems will likely be quite awkward to use ("myriad of identifiers").

If anybody wants to communicate off-list on this topic, you are welcome.

There are, from my (conservative?) point of view, two unresolved issues:
- Bidirectional, non-interactive communication without GUIDs
- When you give somebody consent to some piece of your personal data, you are no longer the sole owner of it. What's happening with that data is out of your control.

That is, in the end it all boils down to trust and legal issues. There will (obviously) be mishaps every now and then, particularly in the healthcare sector.

Thanx,
Anders

> -j
>
> --
> Joe Andrieu, PMP joe@legreq.com
> LEGENDARY REQUIREMENTS +1(805)705-8651
> Do what matters. http://legreq.com <http://www.legendaryrequirements.com>
>
Received on Saturday, 28 March 2020 03:50:27 UTC
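Items 3 and 4 of Joe's list (an encrypted identifier-to-record link whose key is only released through mutual approval by several independent actors) can be illustrated with a k-of-n threshold scheme. The following is an added example, not code from either poster; it uses Shamir secret sharing over a prime field, and the key value, approver count and threshold are constructed for illustration.

```python
# Added example: k-of-n "circuit breaker" for the key that decrypts the link
# between a tax identifier and its identifying record. All values constructed.
import hashlib
import secrets

PRIME = 2**127 - 1  # Mersenne prime; polynomial arithmetic is done mod PRIME


def split_key(key: int, threshold: int, shares: int):
    """Split `key` into `shares` points; any `threshold` of them recover it."""
    assert 0 <= key < PRIME and 1 <= threshold <= shares
    # Random polynomial of degree threshold-1 whose constant term is the key
    coeffs = [key] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def recover_key(points):
    """Lagrange interpolation at x = 0 over the given (x, y) points."""
    key = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        key = (key + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return key


def key_commitment(key: int) -> str:
    """Public hash of the link key, stored so a recovered key can be checked."""
    return hashlib.sha256(key.to_bytes(16, "big")).hexdigest()


def release_link_key(shares_presented, threshold, commitment):
    """Mutual-approval gate: return the link key only if at least `threshold`
    approvers contributed shares that reconstruct the committed key."""
    if len(shares_presented) < threshold:
        return None
    key = recover_key(shares_presented[:threshold])
    return key if key_commitment(key) == commitment else None
```

With fewer shares than the threshold the gate returns `None`, and a partial set of shares reconstructs an unrelated value rather than a partially correct key.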