
Re: Principal Authority – new article on Wyoming law defining Digital Identity

From: Dazza Greenwood <dazza@civics.com>
Date: Thu, 16 Sep 2021 20:39:42 -0400
Message-Id: <3C91E8DE-0ABE-42D0-9DDF-F6968829C794@civics.com>
Cc: Christopher Allen <ChristopherA@lifewithalacrity.com>, Alan Karp <alanhkarp@gmail.com>, Chris Rothfuss <Chris.Rothfuss@wyoleg.gov>, Clare Sullivan <cls268@law.georgetown.edu>, Credentials Community Group <public-credentials@w3.org>, Moses Ma <moses.ma@futurelabconsulting.com>
To: Adrian Gropper <agropper@healthurl.com>

The phrase is from the Uniform Electronic Transactions Act and it’s been the law of the land in the USA for a couple decades now with respect to electronic contracts, signatures, and transactions. The Wyoming statute is just tracking to well-worn existing closely related law and not changing or making new law, in that respect.

Daniel "Dazza" Greenwood, JD
CIVICS.com & Law.MIT.edu
Sent from an iPhone

> On Sep 16, 2021, at 8:30 PM, Adrian Gropper <agropper@healthurl.com> wrote:
> 
> 
> The phrase "a showing of the efficacy of any security procedure" sends shivers down my spine.
> 
> The unintended human rights consequences of a law as broad and underspecified as this could be huge. Imagine how many things (surveillance, data aggregation) are limited only by the inefficiency and inaccuracy of legacy identity. Now, introduce a bunch of techies that make these things orders of magnitude more "efficacious" without any obvious mitigations. 
> 
> I expect the counter-argument to be that efficacious security will contribute to efficacious privacy as the mitigation. However, hope is not a strategy and this law says nothing about either privacy or human rights.
> 
> A law like this must only be introduced in the context of privacy and human rights, rather than security. Is this really what we had in mind as a self-sovereign identity?
> 
> - Adrian
> 
>> On Thu, Sep 16, 2021 at 7:09 PM Christopher Allen <ChristopherA@lifewithalacrity.com> wrote:
>> 
>> 
>>> On Thu, Sep 16, 2021 at 3:29 PM Adrian Gropper <agropper@healthurl.com> wrote:
>>> Three questions for Chris and our group related to real-world challenges to SSI progress:
>>> 
>>> W1 - Is the Wyoming process concerned only about the identity and authority of natural persons and, if so, does the need for "efficiency" in cases where an identity is about a role or a thing introduce confusion into our work products?
>> 
>> At this point the Wyoming law is purely foundational, and does not define specific roles, rights, duties, or best practices. See the full text at 
>> https://wyoleg.gov/Legislation/2021/SF0039 — it is quite short. 
>> 
>> It also does not deal with entities that may have identifiers but do not have any Principal Authority. However, in addition to personal digital identity it also defines corporate digital identity. Corporations in the US apparently do have “personhood” sufficient that they too can have a basis for having the “buck stops here” root aspect of Principal Authority. This may not apply in other jurisdictions.
>> 
>>> W2 - How would the Wyoming process apply to biometrics as a component of identity? See https://github.com/w3c-ccg/community/issues/211 for a few specifics.
>> 
>> I would say that future legislation would present that since natural persons have some Principal Authority over their blood, body parts, civil rights, image in photographs and recordings of themselves, etc for their physical selves, which if delegated (say a tissue sample to a hospital) have certain duties of care, and should benefit the natural person.
>> 
>> Thus natural persons would also have similar rights over their digital selves, which if delegated, have certain duties of care, and should benefit the natural person.
>> 
>>> W3 - When authority over identity maps into authority over a verifiable credential, would the Wyoming process deal with request and authorization protocols differently as applied to the Issuer vs the Holder of the VC?
>> 
>> The first key for me when looking at this is to see if a similar right exists in the physical world, then it should exist in the digital world. Like a police officer with due cause can demand your physical driver’s license, if there emerges similar “due cause” in the digital world they can do so as well. However, like the real world the official has a duty of care, and customs & best practices of what they can, or can’t do with that license. It is these “Law of Custom” that need to be defined in future legislation & regulation.
>> 
>> — Christopher Allen

Received on Friday, 17 September 2021 00:39:57 UTC
