Re: Human rights perspective on W3C and IETF protocol interaction from Mike Prorock on 2022-01-05 (public-credentials@w3.org from January 2022)

From: Mike Prorock <mprorock@mesur.io>
Date: Wed, 5 Jan 2022 10:53:50 -0500
To: Adrian Gropper <agropper@healthurl.com>
Cc: Bob Wyman <bob@wyman.us>, GNAP Mailing List <txauth@ietf.org>, W3C Credentials Community Group <public-credentials@w3.org>
Message-ID: <CAGJKSNTVFPjOhgnS0Q=gJD5PT6ipMXLspLofSyX03cQYLkDeNg@mail.gmail.com>
In the interest of keeping things in scope to the CCG I would be happy to
co-author and support a report work item related to something like "Ethical
Implications of Digital Credentials".  I share many of the same concerns
around fundamental definitions as noted by Bob, and those details could be
flushed out while working on such a report.

Mike Prorock
mesur.io

On Wed, Jan 5, 2022, 10:14 Adrian Gropper <agropper@healthurl.com> wrote:

> Bob's are important questions in the context of our specific protocol
> work. I do not mean to scope this thread to general W3C or IETF groups or
> their governance. *Bold* is used below to link to Bob's specific
> questions.
>
> I might also argue to limit the scope to protocols and not VC, DID,
> biometric templates, or other data models even though effective standards
> for these drive quantitative and possibly qualitative improvements in the
> efficiency of surveillance because a common language seems essential to
> discussing protocols. Adverse consequences of the efficiency of common
> interoperable language can be mitigated at the protocol level.
>
> I'm responding in personal terms to Bob's questions. *I urge all of us
> engaged in the protocol engineering effort to bring their own perspective
> on "Human Rights" and to advocate for specific technical solutions in
> specific workgroups.* For example, I have chosen to focus attention on
> authorization for verifiable credential issue. I hope others will
> prioritize human rights impact of authentication protocols especially where
> biometrics could be involved.
>
> *The specific aspects of our protocol work that give rise to human rights
> issues relate to the efficiency of standardized digital credentials to
> human persons.* What works for drugs in a supply chain or cattle on a
> farm can and usually will be misused on people. Also, transferring
> responsibility from an issuer to a subject of a VC is a burden that needs
> to be recognized and mitigated. With respect to the UDHRs, I would point to
> 12 (privacy and confidentiality), 13 (anonymity), 14 (limit the reach of
> DHS and other state actors), 17 (the right to associate with and delegate
> to others), 18 (associate with and delegate to communities one chooses), 20
> (association, again), 21 (secret elections), 22 (anonymity), 23 (trade
> unions as delegates), 24 (burden of managing decisions in an asymmetric
> power relationship with the state or with dominant private platforms), 29
> (duties to and scope of the community).
>
> *I'm suggesting that we formally address the issue of human rights as
> applied to the VC-API standardization process.* I'm also suggesting that
> we use a process in VC-API that formally harmonizes our work with IETF GNAP.
>
> Adrian
>
> On Tue, Jan 4, 2022 at 11:45 PM Bob Wyman <bob@wyman.us> wrote:
>
>> Adrian,
>> Given that you're starting a new thread, I would appreciate it if you
>> could do some context setting and clarifying:
>>
>>    - *What do you mean by "Human Rights?" *Hopefully, you won't consider
>>    that a foolish question. The issue is, of course, that since Internet
>>    standards are developed in a multicultural, multinational context, it isn't
>>    obvious, without reference to some external authority, what a
>>    standards group should classify as a human right. Different cultures and
>>    governments tend to differ on this subject... As far as I know, the "best"
>>    source of what might be considered a broad consensus definition of human
>>    rights is found in the UN's 1948 Universal Declaration of Human Rights
>>    <https://www.un.org/en/about-us/universal-declaration-of-human-rights>
>>     (UDHR).
>>       - Does the UDHR contain the full set of rights that you think
>>       should be addressed by standards groups? If not, are there additional
>>       rights that you think should be considered?
>>       - In his document, Human Rights Are Not a Bug
>>       <https://www.fordfoundation.org/work/learning/research-reports/human-rights-are-not-a-bug-upgrading-governance-for-an-equitable-internet/>,
>>       Niels ten Oever refers to the UN Guiding Principles for Business
>>       and Human Rights
>>       <https://www.ohchr.org/documents/publications/guidingprinciplesbusinesshr_en.pdf>,
>>       which adds to the rights enumerated in the UDHR a number of additional
>>       rights described in the International Labour Organization’s Declaration
>>       on Fundamental Principles and Rights at Work
>>       <https://www.ilo.org/declaration/lang--en/index.htm>. Given that
>>       you appear to endorse ten Oever's report, do you also propose the same
>>       combined set of rights? (ie. UDHR + ILO DFPRW?)
>>       - Some have argued that the Internet introduces a need to
>>       recognize rights that have not yet been enumerated either in the UDHR or in
>>       any other broadly accepted documents. If this is the case, how is a
>>       standards group to determine what set of rights they must respect?
>>    - *What specific aspects of the issues being addressed by this
>>    community group give rise to human rights issues?* Also, if you
>>    accept that one or some number of documents contain a useful list of such
>>    rights, can you identify which specific, enumerated rights are at risk?
>>    (e.g. if the UDHR is the foundation text, then I assume privacy issues
>>    would probably be considered in the context of the UDHR's Article 12
>>    <https://www.un.org/en/about-us/universal-declaration-of-human-rights#:~:text=Article%2012,interference%20or%20attacks.>
>>    .)
>>    - *Are you suggesting that this group should formally address the
>>    issue of rights*, with some sort of process, or just that we should
>>    be aware of the issues?
>>       - ten Oever suggests that "Those who design, standardize, and
>>       maintain the infrastructure on which we run our information societies,
>>       should assess their actions, processes, and technologies on their societal
>>       impact." You apparently agree. Can you say how this should be done?
>>       - The UN Guiding Principles for Business and Human Rights describe
>>       a number of procedural steps that should be taken by either governments or
>>       corporations. Are you aware of a similar procedural description that would
>>       apply to standards groups?
>>       - I think it was in the video that it was suggested that, in
>>       Internet standards documents, "a section on human rights considerations
>>       should become as normal as one on security considerations." Do you agree?
>>       If so, can you suggest how such a section would be written?
>>
>> bob wyman
>>
>>
>> On Tue, Jan 4, 2022 at 9:05 PM Adrian Gropper <agropper@healthurl.com>
>> wrote:
>>
>>> This is a new thread for a new year to inspire deeper cooperation
>>> between W3C and IETF. This is relevant to our formal objection issues in
>>> W3C DID as well as the harmonization of IETF SECEVENT DIDs and GNAP with
>>> ongoing protocol work in W3C and DIF.
>>>
>>> The Ford Foundation paper attached provides the references. However,
>>> this thread should not be about governance philosophy but rather a focus on
>>> human rights as a design principle as we all work on protocols that will
>>> drive adoption of W3C VCs and DIDs at Internet scale.
>>>
>>> https://redecentralize.org/redigest/2021/08/ says:
>>>
>>> *Human rights are not a bug*
>>>> Decisions made by engineers in internet standards bodies (such as IETF
>>>> <https://www.ietf.org/> and W3C <https://www.w3.org/>) have a large
>>>> influence on internet technology, which in turn influences people’s lives —
>>>> people whose needs may or may not have been taken into account. In the
>>>> report Human Rights Are Not a Bug
>>>> <https://www.fordfoundation.org/work/learning/research-reports/human-rights-are-not-a-bug-upgrading-governance-for-an-equitable-internet/>
>>>>  (see also its launch event
>>>> <https://www.youtube.com/embed/qyYETzXJqmc?rel=0&iv_load_policy=3&modestbranding=1&autoplay=1>),
>>>> Niels ten Oever asks *“how internet governance processes could be
>>>> updated to deeply embed the public interest in governance decisions and in
>>>> decision-making culture”*.
>>>> “Internet governance organizations maintain a distinct governance
>>>> philosophy: to be consensus-driven and resistant to centralized
>>>> institutional authority over the internet. But these fundamental values
>>>> have limitations that leave the public interest dangerously neglected in
>>>> governance processes. In this consensus culture, the lack of institutional
>>>> authority grants disproportionate power to the dominant corporate
>>>> participants. While the governance bodies are open to non-industry members,
>>>> they are essentially forums for voluntary industry self-regulation. Voices
>>>> advocating for the public interest are at best limited and at worst absent.”
>>>> The report describes how standards bodies, IETF in particular, focus
>>>> narrowly on facilitating interconnection between systems, so that *“many
>>>> rights-related topics such as privacy, free expression or exclusion are
>>>> deemed “too political””*; this came hand in hand with the culture of
>>>> techno-optimism:
>>>> “There was a deeply entrenched assumption that the internet is an
>>>> engine for good—that interconnection and rough consensus naturally promote
>>>> democratization and that the open, distributed design of the network can by
>>>> itself limit the concentration of power into oligopolies.
>>>> This has not proved to be the case.”
>>>> To improve internet governance, the report recommends involving all
>>>> stakeholders in decision procedures, and adopting human rights impact
>>>> assessments (a section on *human rights considerations* should become
>>>> as normal as one on *security considerations*).
>>>> The report only briefly touches what seems an important point: that
>>>> existing governance bodies may become altogether irrelevant as both tech
>>>> giants and governments move on without them:
>>>> “Transnational corporations and governments have the power to drive
>>>> internet infrastructure without the existing governance bodies, through new
>>>> technologies that set de facto standards and laws that govern “at” the
>>>> internet not “with” it.”
>>>> How much would having more diverse stakeholders around the table help,
>>>> when ultimately Google decides whether and how a standard will be
>>>> implemented, or founds a ‘more effective’ standardisation body instead?
>>>
>>>
>>> Our work over the next few months is unbelievably important,
>>>
>>> - Adrian
>>>
>>
Received on Wednesday, 5 January 2022 15:55:25 UTC