Fwd: My Testimony before the CA Assembly Re: Authorizing use of Verifiable Credentials

FYI.

If you would like to offer your own support (or concerns) about enabling
legislation for use of Verifiable Credentials in health care, I urge you to
contact Michael Magee <michael.magee@asm.ca.gov>.

— Christopher Allen, co-chair W3C Credentials CG

---------- Forwarded message ---------
From: Christopher Allen <ChristopherA@lifewithalacrity.com>
Date: Tue, May 5, 2020 at 1:58 PM
Subject: My Testimony before the CA Assembly Re: Authorizing use of
Verifiable Credentials
To: <assemblymember.chau@assembly.ca.gov>,
<assemblymember.calderon@assembly.ca.gov>, <michael.magee@asm.ca.gov>

I testified virtually today (Tuesday, May 5th, 2020) in CA Assembly Room
4202, in qualified support of:

ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION (Ed Chau, Chair)
on AB 2004 (Calderon) – As Amended March 12, 2020

SUBJECT: Verifiable credentials: medical test results

SUMMARY: This bill would permit an issuer of COVID-19 test results or other
test results to use verifiable credentials, as defined by the World Wide
Web Consortium (W3C), for the purpose of providing test results to
individuals. The bill would also require that verifiable credentials issued
for this purpose follow the open source W3C Verifiable Credentials Data
Model, including incorporation of decentralized identifiers, verifiable
credentials, and JavaScript Object Notation for Linked Data (JSON-LD).

Video at https://share.privatemedcreds.com/lluDExQ8

After the testimony, this bill passed this committee to move forward to the
next stage for additional deliberation & amendments.

There were some problems with audio quality, so here is the full text of
what I wanted to present.

— Christopher Allen
     510-908-1066

My name is Christopher Allen, and I am the founder of Blockchain Commons, a
benefit corporation supporting security infrastructure, software
development, and research. I also speak on behalf of the broader
international standards W3C Credentials Community Group where I am a
co-chair. My past achievements include being co-author of SSL/TLS, the most
broadly deployed security standard in the world, and the basis upon which
most Internet traffic moves securely.

As regards the subject matter of this bill, I am not a lawyer, regulatory
expert, or lobbyist, but I am one of the leading experts on the new
security architecture known as Verifiable Credentials and Decentralized
Identifiers, the first being now an International Standard through the
World Wide Web Consortium, the second in late stages of the international
standardization process after 5 years of incubation.

As far as any questions in regard to these underlying technologies
themselves for use by the State of California, I do not have
reservations: these new technologies offer a number of privacy-by-design
features and address security issues that legacy credential and identity
technologies do not. Organizations around the world including the US
Department of Homeland Security, the Canadian government, Taiwan, New
Zealand, and a number of EU nations are committed to moving toward
solutions using these new architectures.

My reservations regarding this bill are less about the efficacy of this
technology than about the immaturity of robust health privacy and risk models,
adversary analysis, and expected public health benefits in regard to the
future use of these for specific public health purposes, which were not
included in the use cases originally defined in these standards.
In particular, I feel that the specific use of Verifiable Claims for Immunity
Credentials requires additional risk analysis and possibly additional
legislation.

For instance, given the current lack of understanding of the effectiveness
of COVID-19 immunity tests from the public health perspective, I have
concerns in regard to the success of the suggested outcomes if an Immunity
Credential were rushed to market too soon. In addition, I believe that the
use of Immunity Credentials may have discriminatory effects that may
require additional work for the Assembly to address, such as whether
NOT having a disease can be used as a consideration in layoffs, in the
ability to get fair compensation or unemployment, or in applying for disability.

However, I do believe that if the State Assembly is going to authorize some
form of investigation, proof of concept, or implementation of new
privacy-preserving health care technology, that Verifiable Claims and
Decentralized Identifiers should be authorized as being acceptable, as they
are the safest architecture available today. Implementors still need to be
careful with the details; it is still possible to use these tools in ways
that may compromise their intended goals for security and privacy.

That being said, continued use of the current extremely fragmented legacy
architectures for identity and personal health information in the health
care community has higher risks. I urge you to support allowing the use of
new Verifiable Claims international standards in your regulations.

Thank you for the opportunity to speak before the Assembly on this topic.
Let me know if you need more details on the topics above or if there are
other ways my expertise can be of service.

Received on Tuesday, 5 May 2020 21:04:03 UTC