Re: My Testimony before the CA Assembly Re: Authorizing use of Verifiable Credentials

Tony,
Thanks for this context, and yes, talk about rapid response.

Please keep us informed and we will do what we can to help extend or elevate any applicable messaging.

-Taylor

________________________________
From: Tony Rose <tony@proofmarket.io>
Sent: Wednesday, May 6, 2020 12:10 PM
To: Christopher Allen; Credentials Community Group; Taylor Kendal
Subject: Re: My Testimony before the CA Assembly Re: Authorizing use of Verifiable Credentials

Christopher & Taylor -

I’ve been working closely with Ally Medina, Raj Gupta & the office of Assemblymember Calderon on crafting this bill language and getting it through the Privacy Committee. This was accepted by Asm Calderon only 11 days ago and to have it crafted and passed committee in such a short time has been a whirlwind.

I can serve as point person on what is needed from the community as it progresses to the next step. As soon as we know what the next step is, and what is needed in terms of letters of support etc. I will reply to this e-mail thread.

Thanks!

Tony


--
Tony Rose
CEO | Proof Market
PrivateMedCreds.com<https://privatemedcreds.com>
+1 650 504 5154

On May 5, 2020, 11:07 PM -0700, Taylor Kendal <taylor@learningeconomy.io>, wrote:
Christopher,
Yes, very well said. Thanks for sharing and for valuing civil discourse. The other comments in support and opposition also offer some useful and telling context.

I’ll be following the progression of this bill and help to inform the CCI community<https://www.covidcreds.com/>.

-Taylor Kendal
Learning Economy<https://www.learningeconomy.io/>

________________________________
From: Christopher Allen <ChristopherA@lifewithalacrity.com>
Sent: Tuesday, May 5, 2020 3:05 PM
To: Credentials Community Group
Subject: Fwd: My Testimony before the CA Assembly Re: Authorizing use of Verifiable Credentials

FYI.

If you would like to offer your own support (or concerns) about enabling legislation for use of Verifiable Credentials in health care, I urge you to contact Michael Magee <michael.magee@asm.ca.gov>.

— Christopher Allen, co-chair W3C Credentials CG

---------- Forwarded message ---------
From: Christopher Allen <ChristopherA@lifewithalacrity.com>
Date: Tue, May 5, 2020 at 1:58 PM
Subject: My Testimony before the CA Assembly Re: Authorizing use of Verifiable Credentials
To: <assemblymember.chau@assembly.ca.gov>, <assemblymember.calderon@assembly.ca.gov>, <michael.magee@asm.ca.gov>

I testified virtually today (Tuesday, May 5th, 2020) in CA Assembly Room 4202, with qualified support of:

ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION (Ed Chau, Chair) on AB 2004 (Calderon) – As Amended March 12, 2020
SUBJECT: Verifiable credentials: medical test results
SUMMARY: This bill would permit an issuer of COVID-19 test results or other test results to use verifiable credentials, as defined by the World Wide Web Consortium (W3C), for the purpose of providing test results to individuals. The bill would also require that verifiable credentials issued for this purpose follow the open source W3C Verifiable Credentials Data Model, including incorporation of decentralized identifiers, verifiable credentials, and JavaScript Object Notation for Linked Data (JSON-LD).

Video at https://share.privatemedcreds.com/lluDExQ8

After the testimony, this bill passed this committee to move forward to the next stage for additional deliberation & amendments.

There were some problems with audio quality, so here is the full text of what I wanted to present.

— Christopher Allen
     510-908-1066

My name is Christopher Allen, and I am the founder of Blockchain Commons, a benefit corporation supporting security infrastructure, software development, and research. I also speak on behalf of the broader international standards W3C Credentials Community Group where I am a co-chair. My past achievements include being co-author of SSL/TLS, the broadest deployed security standard in the world, and the basis upon which most Internet traffic moves securely.

As regards the subject matter of this bill, I am not a lawyer, regulatory expert, or lobbyist, but I am one of the leading experts on the new security architecture known as Verifiable Credentials and Decentralized Identifiers, the first being now an International Standard through the World Wide Web Consortium, the second in late stages of the international standardization process after 5 years of incubation.

As far as any questions in regards to these underlying technologies themselves for the use by the State of California I do not have reservations — these new technologies offer a number of privacy by design features and address security issues that legacy credential and identity technologies do not. Organizations around the world including the US Department of Homeland Security, the Canadian government, Taiwan, New Zealand, and a number of EU nations are committed to moving toward solutions using these new architectures.

My reservations regarding this bill are less about the efficacy of this technology, but the immaturity of robust health privacy and risk models, adversary analysis, and expected public health benefits in regards to the future use of these for specific public health purposes, which were not included in the original use cases originally defined in these standards. In particular, I feel that specific use of Verifiable Claims for Immunity Credentials requires additional risk analysis and possibly additional legislation.

For instance, given the current lack of understanding of the effectiveness of COVID19 immunity test from the public health perspective, I have concerns in regard to the success of the suggested outcomes if an Immunity Credential was rushed to market too soon. In addition, I believe that the use of immunity Credentials may have discriminatory effects that may require additional work for the Assembly to address, such as including whether NOT having a disease can be used as consideration in layoffs, the ability to get fair compensation or unemployment or to apply for disability.

However, I do believe that if the State Assembly is going to authorize some form of investigation, proof of concept, or implementation of new privacy-preserving health care technology, that Verifiable Claims and Decentralized Identifiers should be authorized as being acceptable, as they are the safest architecture available today. Implementors still need to be careful with the details — it is still possible to use these tools in ways that may compromise their intended goals for security & privacy.

That being said, continued use of the current extremely fragmented legacy architectures for identity and personal health information in the health care community has higher risks. I urge you to support allowing the use of new Verifiable Claims international standards in your regulations.

Thank you for the opportunity to speak before the Assembly on this topic. Let me know if you need more details on the topics above or if there are other ways my expertise can be of service.

Received on Wednesday, 6 May 2020 19:48:15 UTC