- From: Adrian Gropper <agropper@healthurl.com>
- Date: Thu, 16 Sep 2021 20:30:42 -0400
- To: Christopher Allen <ChristopherA@lifewithalacrity.com>
- Cc: Alan Karp <alanhkarp@gmail.com>, Chris Rothfuss <Chris.Rothfuss@wyoleg.gov>, Clare Sullivan <cls268@law.georgetown.edu>, Credentials Community Group <public-credentials@w3.org>, Dazza Greenwood <dazza@civics.com>, Moses Ma <moses.ma@futurelabconsulting.com>
- Message-ID: <CANYRo8hjBU2E=0=vFj+zKokYoAjHJpTR+GhOqqSw6rUMJOnKkA@mail.gmail.com>
The phrase "a showing of the efficacy of any security procedure" sends shivers down my spine. The unintended human rights consequences of a law as broad and underspecified as this could be huge. Imagine how many things (surveillance, data aggregation) are limited only by the inefficiency and inaccuracy of legacy identity. Now, introduce a bunch of techies that make these things orders of magnitude more "efficacious" without any obvious mitigations. I expect the counter-argument to be that efficacious security will contribute to efficacious privacy as the mitigation. However, hope is not a strategy and this law says nothing about either privacy or human rights. A law like this must only be introduced in the context of privacy and human rights, rather than security. Is this really what we had in mind as a self-sovereign identity? - Adrian On Thu, Sep 16, 2021 at 7:09 PM Christopher Allen < ChristopherA@lifewithalacrity.com> wrote: > > > On Thu, Sep 16, 2021 at 3:29 PM Adrian Gropper <agropper@healthurl.com> > wrote: > >> Three questions for Chris and our group related to real-word >> challenges to SSI progress: >> >> W1 - Is the Wyoming process concerned only about the identity and >> authority of natural persons and, if so, does the need for "efficiency" in >> cases where an identity is about a role or a thing introduce confusion into >> our work products? >> > > At this point the Wyoming law is purely foundational, and does not define > specific roles, rights, duties, or best practices. See the full text at > https://wyoleg.gov/Legislation/2021/SF0039 — it is quite short. > > It also does not deal with entities that may have identifIERS BUT do not > have any Principal Authority. However, in addition to personal digital > identity it also defines corporate digital identity. Corporations in US > apparent do have “personhood” sufficient that they too can have a basis for > having the “buck stops here” root aspect of Principle Authority. This may > not apply in other jurisdictions. > > W2 - How would the Wyoming process apply to biometrics as a component of >> identity? See https://github.com/w3c-ccg/community/issues/211 for a few >> specifics. >> > > I would say that future legislation would present that since natural > persons have some Principal Authority over their blood, body parts, civil > rights, image in photographs and recordings of themselves, etc for their > physical selves, which if delegated (say a tissue sample to a hospital) > have certain duties of care, and should benefit the natural person. > > Thus natural persons would also have similar rights over their digital > selves, which if delegated, have certain duties of care, and should benefit > the natural person. > > W3 - When authority over identity maps into authority over a verifiable >> credential, would the Wyoming process deal with request and authorization >> protocols differently as applied to the Issuer vs the Holder of the VC? >> > > The first key for me when looking at this is to see if a similar right > exists in the physical world, then it should exists in the digital world. > Like a police officer with due cause can demand your physical drivers > license, if there emerge similar “due cause” in the digital world they can > do so as well. However, like the real world the official has a duty of > care, and customs & best practices of what they can, or can’t do with that > license. It is these “Law of Custom” are what need to be defined in future > legislation & regulation. > > — Christopher Allen > >>
Received on Friday, 17 September 2021 00:31:08 UTC