Re: My Testimony before the CA Assembly Re: Authorizing use of Verifiable Credentials

this is very well said, Christopher. Thanks for forwarding.

On Tue, May 5, 2020 at 2:05 PM Christopher Allen <
ChristopherA@lifewithalacrity.com> wrote:

> FYI.
>
> If you would like to offer your own support (or concerns) about enabling
> legislation for use of Verifiable Credentials in health care, I urge you to
> contact Michael Magee <michael.magee@asm.ca.gov>.
>
> — Christopher Allen, co-chair W3C Credentials CG
>
> ---------- Forwarded message ---------
> From: Christopher Allen <ChristopherA@lifewithalacrity.com>
> Date: Tue, May 5, 2020 at 1:58 PM
> Subject: My Testimony before the CA Assembly Re: Authorizing use of
> Verifiable Credentials
> To: <assemblymember.chau@assembly.ca.gov>, <
> assemblymember.calderon@assembly.ca.gov>, <michael.magee@asm.ca.gov>
>
> I testified virtually today (Tuesday, May 5th, 2020) in CA Assembly Room
> 4202, with qualified support of:
>
> ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION (Ed Chau, Chair)
> on AB 2004 (Calderon) – As Amended March 12, 2020
>
> SUBJECT: Verifiable credentials: medical test results
>
> SUMMARY: This bill would permit an issuer of COVID-19 test results or
> other test results to use verifiable credentials, as defined by the World
> Wide Web Consortium (W3C), for the purpose of providing test results to
> individuals. The bill would also require that verifiable credentials issued
> for this purpose follow the open source W3C Verifiable Credentials Data
> Model, including incorporation of decentralized identifiers, verifiable
> credentials, and JavaScript Object Notation for Linked Data (JSON-LD).
>
> Video at https://share.privatemedcreds.com/lluDExQ8
>
> After the testimony, this bill passed this committee to move forward to
> the next stage for additional deliberation & amendments.
>
> There were some problems with audio quality, so here is the full text of
> what I wanted to present.
>
> — Christopher Allen
>      510-908-1066
>
> My name is Christopher Allen, and I am the founder of Blockchain Commons,
> a benefit corporation supporting security infrastructure, software
> development, and research. I also speak on behalf of the broader
> international standards W3C Credentials Community Group where I am a
> co-chair. My past achievements include being co-author of SSL/TLS, the
> broadest deployed security standard in the world, and the basis upon
> which most Internet traffic moves securely.
>
> As regards the subject matter of this bill, I am not a lawyer, regulatory
> expert, or lobbyist, but I am one of the leading experts on the new
> security architecture known as Verifiable Credentials and Decentralized
> Identifiers, the first being now an International Standard through the
> World Wide Web Consortium, the second in late stages of the international
> standardization process after 5 years of incubation.
>
> As far as any questions in regards to these underlying technologies
> themselves for the use by the State of California I do not have
> reservations — these new technologies offer a number of privacy by design
> features and address security issues that legacy credential and identity
> technologies do not. Organizations around the world including the US
> Department of Homeland Security, the Canadian government, Taiwan, New
> Zealand, and a number of EU nations are committed to moving toward
> solutions using these new architectures.
>
> My reservations regarding this bill are less about the efficacy of this
> technology, but the immaturity of robust health privacy and risk models,
> adversary analysis, and expected public health benefits in regards to the
> future use of these for specific public health purposes, which were not
> included in the original use cases originally defined in these standards.
> In particular, I feel that specific use of Verifiable Claims for Immunity
> Credentials require additional risk analysis and possibly additional
> legislation.
>
> For instance, given the current lack of understanding of the effectiveness
> of COVID19 immunity test from the public health perspective, I have
> concerns in regard to the success of the suggested outcomes if an Immunity
> Credential was rushed to market too soon. In addition, I believe that the
> use of immunity Credentials may have discriminatory effects that may
> require additional work for the Assembly to address, such as including
> whether NOT having a disease can be used as consideration in layoffs, the
> ability to get fair compensation or unemployment or to apply for disability.
>
> However, I do believe that if the State Assembly is going to authorize
> some form of investigation, proof of concept, or implementation of new
> privacy-preserving health care technology, that Verifiable Claims and
> Decentralized Identifiers should be authorized as being acceptable, as they
> are the safest architecture available today. Implementors still need to be
> careful with the details — it is still possible to use these tools in ways
> that may compromise their intended goals for security & privacy.
>
> That being said, continued use of the current extremely fragmented legacy
> architectures for identity and personal health information in the health
> care community has higher risks. I urge you to support allowing the use of
> new Verifiable Claims international standards in your regulations.
>
> Thank you for the opportunity to speak before the Assembly on this topic.
> Let me know if you need more details on the topics above or if there are
> other ways my expertise can be of service.
>
>

Received on Wednesday, 6 May 2020 03:24:12 UTC