Re: Principal Authority – new article on Wyoming law defining Digital Identity

From: Adrian Gropper <agropper@healthurl.com>
Date: Thu, 16 Sep 2021 20:48:32 -0400
Message-ID: <CANYRo8h9HxSH=ueafnx230-QPcwfBAEhht=xnpKa30nLtV7pcw@mail.gmail.com>
To: Dazza Greenwood <dazza@civics.com>
Cc: Alan Karp <alanhkarp@gmail.com>, Chris Rothfuss <Chris.Rothfuss@wyoleg.gov>, Christopher Allen <ChristopherA@lifewithalacrity.com>, Clare Sullivan <cls268@law.georgetown.edu>, Credentials Community Group <public-credentials@w3.org>, Moses Ma <moses.ma@futurelabconsulting.com>

Exactly. The current legal situation is entirely inadequate to nearly free
networking, storage, and computation even before we introduce even more
effective digital identity and credentials on top of the nearly free
technology that is already out of control.

Just because privacy regulation is hard does not justify kicking the can
down the road.

- Adrian

On Thu, Sep 16, 2021 at 8:39 PM Dazza Greenwood <dazza@civics.com> wrote:

> The phrase is from the Uniform Electronic Transactions Act and it’s been
> the law of the land in the USA for a couple decades now with respect to
> electronic contracts, signatures, and transactions. The Wyoming statute is
> just tracking to well worn existing closely related law and not changing or
> making new law, in that respect.
> Daniel "Dazza" Greenwood, JD
> CIVICS.com & Law.MIT.edu
> Sent from an iPhone
> On Sep 16, 2021, at 8:30 PM, Adrian Gropper <agropper@healthurl.com>
> wrote:
> The phrase "a showing of the efficacy of any security procedure" sends
> shivers down my spine.
> The unintended human rights consequences of a law as broad and
> underspecified as this could be huge. Imagine how many things
> (surveillance, data aggregation) are limited only by the inefficiency and
> inaccuracy of legacy identity. Now, introduce a bunch of techies that make
> these things orders of magnitude more "efficacious" without any obvious
> mitigations.
> I expect the counter-argument to be that efficacious security will
> contribute to efficacious privacy as the mitigation. However, hope is not a
> strategy and this law says nothing about either privacy or human rights.
> A law like this must only be introduced in the context of privacy and
> human rights, rather than security. Is this really what we had in mind as a
> self-sovereign identity?
> - Adrian
> On Thu, Sep 16, 2021 at 7:09 PM Christopher Allen <
> ChristopherA@lifewithalacrity.com> wrote:
>> On Thu, Sep 16, 2021 at 3:29 PM Adrian Gropper <agropper@healthurl.com>
>> wrote:
>>> Three questions for Chris and our group related to real-world
>>> challenges to SSI progress:
>>> W1 - Is the Wyoming process concerned only about the identity and
>>> authority of natural persons and, if so, does the need for "efficiency" in
>>> cases where an identity is about a role or a thing introduce confusion into
>>> our work products?
>> At this point the Wyoming law is purely foundational, and does not define
>> specific roles, rights, duties, or best practices. See the full text at
>> https://wyoleg.gov/Legislation/2021/SF0039 — it is quite short.
>> It also does not deal with entities that may have identifiers but do not
>> have any Principal Authority. However, in addition to personal digital
>> identity it also defines corporate digital identity. Corporations in the US
>> apparently do have “personhood” sufficient that they too can have a basis for
>> having the “buck stops here” root aspect of Principal Authority. This may
>> not apply in other jurisdictions.
>>> W2 - How would the Wyoming process apply to biometrics as a component of
>>> identity? See https://github.com/w3c-ccg/community/issues/211 for a few
>>> specifics.
>> I would say that future legislation would present that since natural
>> persons have some Principal Authority over their blood, body parts, civil
>> rights, image in photographs and recordings of themselves, etc for their
>> physical selves, which if delegated (say a tissue sample to a hospital)
>> have certain duties of care, and should benefit the natural person.
>> Thus natural persons would also have similar rights over their digital
>> selves, which if delegated, have certain duties of care, and should benefit
>> the natural person.
>>> W3 - When authority over identity maps into authority over a verifiable
>>> credential, would the Wyoming process deal with request and authorization
>>> protocols differently as applied to the Issuer vs the Holder of the VC?
>> The first key for me when looking at this is to see if a similar right
>> exists in the physical world, then it should exist in the digital world.
>> Like a police officer with due cause can demand your physical driver's
>> license, if there emerge similar “due cause” in the digital world they can
>> do so as well. However, like the real world the official has a duty of
>> care, and customs & best practices of what they can, or can’t do with that
>> license. It is these “Law of Custom” that need to be defined in future
>> legislation & regulation.
>> — Christopher Allen
Received on Friday, 17 September 2021 00:48:58 UTC