Re: Human rights perspective on W3C and IETF protocol interaction from Mike Prorock on 2022-01-05 (public-credentials@w3.org from January 2022)

From: Mike Prorock <mprorock@mesur.io>
Date: Wed, 5 Jan 2022 12:42:40 -0500
To: MXS Insights <mxsinsights@gmail.com>
Cc: Adrian Gropper <agropper@healthurl.com>, Bob Wyman <bob@wyman.us>, GNAP Mailing List <txauth@ietf.org>, W3C Credentials Community Group <public-credentials@w3.org>
Message-ID: <CAGJKSNTg-09A9oYhUUR4=PiLXHu6c_h8Qkk4exHSEwZfcEmYCg@mail.gmail.com>
Thanks Michael.  We will definitely be looking for broad input on this, and
would appreciate your insights for sure.

Mike Prorock
mesur.io

On Wed, Jan 5, 2022, 11:35 MXS Insights <mxsinsights@gmail.com> wrote:

> Hi Mike,
>
> As a usual ‘watcher’ on the this list, I would be very interested in
> working with you on such a report.  If this moves forward, please include
> me in the effort.
>
> Michael Shea
>
>
>
>
> On Jan 5, 2022, at 4:53 PM, Mike Prorock <mprorock@mesur.io> wrote:
>
> In the interest of keeping things in scope to the CCG I would be happy to
> co-author and support a report work item related to something like "Ethical
> Implications of Digital Credentials".  I share many of the same concerns
> around fundamental definitions as noted by Bob, and those details could be
> flushed out while working on such a report.
>
> Mike Prorock
> mesur.io
>
> On Wed, Jan 5, 2022, 10:14 Adrian Gropper <agropper@healthurl.com> wrote:
>
>> Bob's are important questions in the context of our specific protocol
>> work. I do not mean to scope this thread to general W3C or IETF groups or
>> their governance. *Bold* is used below to link to Bob's specific
>> questions.
>>
>> I might also argue to limit the scope to protocols and not VC, DID,
>> biometric templates, or other data models even though effective standards
>> for these drive quantitative and possibly qualitative improvements in the
>> efficiency of surveillance because a common language seems essential to
>> discussing protocols. Adverse consequences of the efficiency of common
>> interoperable language can be mitigated at the protocol level.
>>
>> I'm responding in personal terms to Bob's questions. *I urge all of us
>> engaged in the protocol engineering effort to bring their own perspective
>> on "Human Rights" and to advocate for specific technical solutions in
>> specific workgroups.* For example, I have chosen to focus attention on
>> authorization for verifiable credential issue. I hope others will
>> prioritize human rights impact of authentication protocols especially where
>> biometrics could be involved.
>>
>> *The specific aspects of our protocol work that give rise to human rights
>> issues relate to the efficiency of standardized digital credentials to
>> human persons.* What works for drugs in a supply chain or cattle on a
>> farm can and usually will be misused on people. Also, transferring
>> responsibility from an issuer to a subject of a VC is a burden that needs
>> to be recognized and mitigated. With respect to the UDHRs, I would point to
>> 12 (privacy and confidentiality), 13 (anonymity), 14 (limit the reach of
>> DHS and other state actors), 17 (the right to associate with and delegate
>> to others), 18 (associate with and delegate to communities one chooses), 20
>> (association, again), 21 (secret elections), 22 (anonymity), 23 (trade
>> unions as delegates), 24 (burden of managing decisions in an asymmetric
>> power relationship with the state or with dominant private platforms), 29
>> (duties to and scope of the community).
>>
>> *I'm suggesting that we formally address the issue of human rights as
>> applied to the VC-API standardization process.* I'm also suggesting that
>> we use a process in VC-API that formally harmonizes our work with IETF GNAP.
>>
>> Adrian
>>
>> On Tue, Jan 4, 2022 at 11:45 PM Bob Wyman <bob@wyman.us> wrote:
>>
>>> Adrian,
>>> Given that you're starting a new thread, I would appreciate it if you
>>> could do some context setting and clarifying:
>>>
>>>    - *What do you mean by "Human Rights?" *Hopefully, you won't
>>>    consider that a foolish question. The issue is, of course, that since
>>>    Internet standards are developed in a multicultural, multinational context,
>>>    it isn't obvious, without reference to some external authority, what a
>>>    standards group should classify as a human right. Different cultures and
>>>    governments tend to differ on this subject... As far as I know, the "best"
>>>    source of what might be considered a broad consensus definition of human
>>>    rights is found in the UN's 1948 Universal Declaration of Human
>>>    Rights
>>>    <https://www.un.org/en/about-us/universal-declaration-of-human-rights>
>>>     (UDHR).
>>>       - Does the UDHR contain the full set of rights that you think
>>>       should be addressed by standards groups? If not, are there additional
>>>       rights that you think should be considered?
>>>       - In his document, Human Rights Are Not a Bug
>>>       <https://www.fordfoundation.org/work/learning/research-reports/human-rights-are-not-a-bug-upgrading-governance-for-an-equitable-internet/>,
>>>       Niels ten Oever refers to the UN Guiding Principles for Business
>>>       and Human Rights
>>>       <https://www.ohchr.org/documents/publications/guidingprinciplesbusinesshr_en.pdf>,
>>>       which adds to the rights enumerated in the UDHR a number of additional
>>>       rights described in the International Labour Organization’s Declaration
>>>       on Fundamental Principles and Rights at Work
>>>       <https://www.ilo.org/declaration/lang--en/index.htm>. Given that
>>>       you appear to endorse ten Oever's report, do you also propose the same
>>>       combined set of rights? (ie. UDHR + ILO DFPRW?)
>>>       - Some have argued that the Internet introduces a need to
>>>       recognize rights that have not yet been enumerated either in the UDHR or in
>>>       any other broadly accepted documents. If this is the case, how is a
>>>       standards group to determine what set of rights they must respect?
>>>    - *What specific aspects of the issues being addressed by this
>>>    community group give rise to human rights issues?* Also, if you
>>>    accept that one or some number of documents contain a useful list of such
>>>    rights, can you identify which specific, enumerated rights are at risk?
>>>    (e.g. if the UDHR is the foundation text, then I assume privacy issues
>>>    would probably be considered in the context of the UDHR's Article 12
>>>    <https://www.un.org/en/about-us/universal-declaration-of-human-rights#:~:text=Article%2012,interference%20or%20attacks.>
>>>    .)
>>>    - *Are you suggesting that this group should formally address the
>>>    issue of rights*, with some sort of process, or just that we should
>>>    be aware of the issues?
>>>       - ten Oever suggests that "Those who design, standardize, and
>>>       maintain the infrastructure on which we run our information societies,
>>>       should assess their actions, processes, and technologies on their societal
>>>       impact." You apparently agree. Can you say how this should be done?
>>>       - The UN Guiding Principles for Business and Human Rights
>>>       describe a number of procedural steps that should be taken by either
>>>       governments or corporations. Are you aware of a similar procedural
>>>       description that would apply to standards groups?
>>>       - I think it was in the video that it was suggested that, in
>>>       Internet standards documents, "a section on human rights considerations
>>>       should become as normal as one on security considerations." Do you agree?
>>>       If so, can you suggest how such a section would be written?
>>>
>>> bob wyman
>>>
>>>
>>> On Tue, Jan 4, 2022 at 9:05 PM Adrian Gropper <agropper@healthurl.com>
>>> wrote:
>>>
>>>> This is a new thread for a new year to inspire deeper cooperation
>>>> between W3C and IETF. This is relevant to our formal objection issues in
>>>> W3C DID as well as the harmonization of IETF SECEVENT DIDs and GNAP with
>>>> ongoing protocol work in W3C and DIF.
>>>>
>>>> The Ford Foundation paper attached provides the references. However,
>>>> this thread should not be about governance philosophy but rather a focus on
>>>> human rights as a design principle as we all work on protocols that will
>>>> drive adoption of W3C VCs and DIDs at Internet scale.
>>>>
>>>> https://redecentralize.org/redigest/2021/08/ says:
>>>>
>>>> *Human rights are not a bug*
>>>>> Decisions made by engineers in internet standards bodies (such as IETF
>>>>> <https://www.ietf.org/> and W3C <https://www.w3.org/>) have a large
>>>>> influence on internet technology, which in turn influences people’s lives —
>>>>> people whose needs may or may not have been taken into account. In the
>>>>> report Human Rights Are Not a Bug
>>>>> <https://www.fordfoundation.org/work/learning/research-reports/human-rights-are-not-a-bug-upgrading-governance-for-an-equitable-internet/>
>>>>>  (see also its launch event
>>>>> <https://www.youtube.com/embed/qyYETzXJqmc?rel=0&iv_load_policy=3&modestbranding=1&autoplay=1>),
>>>>> Niels ten Oever asks *“how internet governance processes could be
>>>>> updated to deeply embed the public interest in governance decisions and in
>>>>> decision-making culture”*.
>>>>> “Internet governance organizations maintain a distinct governance
>>>>> philosophy: to be consensus-driven and resistant to centralized
>>>>> institutional authority over the internet. But these fundamental values
>>>>> have limitations that leave the public interest dangerously neglected in
>>>>> governance processes. In this consensus culture, the lack of institutional
>>>>> authority grants disproportionate power to the dominant corporate
>>>>> participants. While the governance bodies are open to non-industry members,
>>>>> they are essentially forums for voluntary industry self-regulation. Voices
>>>>> advocating for the public interest are at best limited and at worst absent.”
>>>>> The report describes how standards bodies, IETF in particular, focus
>>>>> narrowly on facilitating interconnection between systems, so that *“many
>>>>> rights-related topics such as privacy, free expression or exclusion are
>>>>> deemed “too political””*; this came hand in hand with the culture of
>>>>> techno-optimism:
>>>>> “There was a deeply entrenched assumption that the internet is an
>>>>> engine for good—that interconnection and rough consensus naturally promote
>>>>> democratization and that the open, distributed design of the network can by
>>>>> itself limit the concentration of power into oligopolies.
>>>>> This has not proved to be the case.”
>>>>> To improve internet governance, the report recommends involving all
>>>>> stakeholders in decision procedures, and adopting human rights impact
>>>>> assessments (a section on *human rights considerations* should become
>>>>> as normal as one on *security considerations*).
>>>>> The report only briefly touches what seems an important point: that
>>>>> existing governance bodies may become altogether irrelevant as both tech
>>>>> giants and governments move on without them:
>>>>> “Transnational corporations and governments have the power to drive
>>>>> internet infrastructure without the existing governance bodies, through new
>>>>> technologies that set de facto standards and laws that govern “at” the
>>>>> internet not “with” it.”
>>>>> How much would having more diverse stakeholders around the table help,
>>>>> when ultimately Google decides whether and how a standard will be
>>>>> implemented, or founds a ‘more effective’ standardisation body instead?
>>>>
>>>>
>>>> Our work over the next few months is unbelievably important,
>>>>
>>>> - Adrian
>>>>
>>>
>
Received on Wednesday, 5 January 2022 17:43:04 UTC