Re: Fwd: My Testimony before the CA Assembly Re: Authorizing use of Verifiable Credentials

Christopher,

The whole of your remarks are good, but in particular, you said: 
"Specific use of Verifiable Claims for Immunity Credentials requires 
additional risk analysis and possibly additional legislation."  I 
strongly agree.

Regards, Bill Claxton (williamc@nextid.com)
LinkedIn, Facebook, Telegram, Slack, Skype, Twitter or Gmail: wmclaxton
SG Voice, Text or Whatsapp: +65-9012-4327
US Voice, Text or Voicemail: +1-415-797-7348


On 5/6/2020 5:03 AM, Christopher Allen wrote:
> FYI.
>
> If you would like to offer your own support (or concerns) about 
> enabling legislation for use of Verifiable Credentials in health care, 
> I urge you to contact Michael Magee <michael.magee@asm.ca.gov>.
>
> — Christopher Allen, co-chair W3C Credentials CG
>
> ---------- Forwarded message ---------
> From: *Christopher Allen* <ChristopherA@lifewithalacrity.com>
> Date: Tue, May 5, 2020 at 1:58 PM
> Subject: My Testimony before the CA Assembly Re: Authorizing use of 
> Verifiable Credentials
> To: <assemblymember.chau@assembly.ca.gov>, 
> <assemblymember.calderon@assembly.ca.gov>, 
> <michael.magee@asm.ca.gov>
>
> I testified virtually today (Tuesday, May 5th, 2020) in CA Assembly 
> Room 4202, with qualified support of:
>
>     ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION (Ed Chau,
>     Chair) on AB 2004 (Calderon) – As Amended March 12, 2020
>
>     SUBJECT: Verifiable credentials: medical test results
>
>     SUMMARY: This bill would permit an issuer of COVID-19 test results
>     or other test results to use verifiable credentials, as defined by
>     the World Wide Web Consortium (W3C), for the purpose of providing
>     test results to individuals. The bill would also require that
>     verifiable credentials issued for this purpose follow the open
>     source W3C Verifiable Credentials Data Model, including
>     incorporation of decentralized identifiers, verifiable
>     credentials, and JavaScript Object Notation for Linked Data (JSON-LD).
>
> Video at https://share.privatemedcreds.com/lluDExQ8
>
> After the testimony, this bill passed this committee to move forward 
> to the next stage for additional deliberation & amendments.
>
> There were some problems with audio quality, so here is the full text 
> of what I wanted to present.
>
> — Christopher Allen
>      510-908-1066
>
> My name is Christopher Allen, and I am the founder of Blockchain 
> Commons, a benefit corporation supporting security infrastructure, 
> software development, and research. I also speak on behalf of the 
> broader international standards W3C Credentials Community Group where 
> I am a co-chair. My past achievements include being co-author of 
> SSL/TLS, the broadest deployed security standard in the world, and the 
> basis upon which most Internet traffic moves securely.
>
> As regards the subject matter of this bill, I am not a lawyer, 
> regulatory expert, or lobbyist, but I am one of the leading experts on 
> the new security architecture known as Verifiable Credentials and 
> Decentralized Identifiers, the first being now an International 
> Standard through the World Wide Web Consortium, the second in late 
> stages of the international standardization process after 5 years of 
> incubation.
>
> As far as any questions in regards to these underlying technologies 
> themselves for the use by the State of California I do not have 
> reservations — these new technologies offer a number of privacy by 
> design features and address security issues that legacy credential and 
> identity technologies do not. Organizations around the world including 
> the US Department of Homeland Security, the Canadian government, 
> Taiwan, New Zealand, and a number of EU nations are committed to 
> moving toward solutions using these new architectures.
>
> My reservations regarding this bill are less about the efficacy of 
> this technology, but the immaturity of robust health privacy and risk 
> models, adversary analysis, and expected public health benefits in 
> regards to the future use of these for specific public health 
> purposes, which were not included in the original use cases originally 
> defined in these standards. In particular, I feel that specific use of 
> Verifiable Claims for Immunity Credentials requires additional risk 
> analysis and possibly additional legislation.
>
> For instance, given the current lack of understanding of the 
> effectiveness of COVID-19 immunity test from the public health 
> perspective, I have concerns in regard to the success of the suggested 
> outcomes if an Immunity Credential was rushed to market too soon. In 
> addition, I believe that the use of immunity Credentials may have 
> discriminatory effects that may require additional work for the 
> Assembly to address, such as including whether NOT having a disease 
> can be used as consideration in layoffs, the ability to get fair 
> compensation or unemployment or to apply for disability.
>
> However, I do believe that if the State Assembly is going to authorize 
> some form of investigation, proof of concept, or implementation of new 
> privacy-preserving health care technology, that Verifiable Claims and 
> Decentralized Identifiers should be authorized as being acceptable, as 
> they are the safest architecture available today. Implementors still 
> need to be careful with the details — it is still possible to use 
> these tools in ways that may compromise their intended goals for 
> security & privacy.
>
> That being said, continued use of the current extremely fragmented 
> legacy architectures for identity and personal health information in 
> the health care community has higher risks. I urge you to support 
> allowing the use of new Verifiable Claims international standards in 
> your regulations.
>
> Thank you for the opportunity to speak before the Assembly on this 
> topic. Let me know if you need more details on the topics above or if 
> there are other ways my expertise can be of service.
>

Received on Wednesday, 6 May 2020 07:46:23 UTC