Re: Human rights perspective on W3C and IETF protocol interaction

I wonder how many services President Trump lost access to when they banned
his Twitter account.

Can someone explain how GNAP improves on OAuth in this regard?

I can't find anything here:
https://datatracker.ietf.org/doc/html/draft-ietf-gnap-resource-servers#section-7

Also heads up that this "Internet-Draft" of "Intended status: Standards
Track" expires on 13 January 2022.


OS


On Wed, Jan 5, 2022 at 3:46 PM Adrian Gropper <agropper@healthurl.com>
wrote:

> Bob,
> The design principle is Separation of Concerns (separating control from
> possession).
>
> The human rights issue is to mitigate the often absolute sovereignty of
> the Issuer by making it obvious in both the technical and the regulatory
> sense when the Issuer is reducing the capacity or choice of the Subject
> through mandates like OAuth client credentials. GNAP, as opposed to OAuth,
> makes it very obvious when delegation is restricted without justification.
> As such, it will tend to keep the Issuers more honest and make them more
> transparent and easier to judge in terms of human rights.
>
> Adrian
>
> On Wed, Jan 5, 2022 at 4:26 PM Bob Wyman <bob@wyman.us> wrote:
>
>> Adrian,
>> I'm confused by your latest comments. Could you please explain how CCG's
>> adoption of GNAP would facilitate "a focus on human rights as a design
>> principle" (i.e. the goal you stated in your original message)? Please
>> forgive me if I'm missing something important in what you've said.
>>
>> bob wyman
>>
>>
>> On Wed, Jan 5, 2022 at 3:57 PM Adrian Gropper <agropper@healthurl.com>
>> wrote:
>>
>>> In this thread, my focus is the relationship between CCG and GNAP. RFCs
>>> are considered in the broader context of an Internet security layer such as
>>> Sam Smith and KERI are addressing. My proposal is that CCG will be
>>> well-served by adopting GNAP (and RAR) in as many protocol efforts as it
>>> can. If CCG does not outsource some protocol concerns to GNAP and other
>>> RFCs, then I believe other groups will bypass CCG-related protocols as we
>>> are already seeing in EU and ISO with mDL.
>>>
>>> The VC and DID work on data models and related registries is valuable
>>> with or without CCG protocol tie-ins. If I were to suggest a formal CCG
>>> work item, it would be to develop which specific authorization and
>>> authentication protocols should be layered on top of GNAP and RAR.
>>>
>>> Adrian
>>>
>>> On Wed, Jan 5, 2022 at 2:53 PM Alan Karp <alanhkarp@gmail.com> wrote:
>>>
>>>> RFCs have a Security Considerations section.  Are you suggesting that
>>>> these groups include a Human Rights Considerations section in addition?
>>>>
>>>> --------------
>>>> Alan Karp
>>>>
>>>>
>>>> On Wed, Jan 5, 2022 at 7:14 AM Adrian Gropper <agropper@healthurl.com>
>>>> wrote:
>>>>
>>>>> Bob's are important questions in the context of our specific protocol
>>>>> work. I do not mean to scope this thread to general W3C or IETF groups or
>>>>> their governance. *Bold* is used below to link to Bob's specific
>>>>> questions.
>>>>>
>>>>> I might also argue to limit the scope to protocols and not VC, DID,
>>>>> biometric templates, or other data models even though effective standards
>>>>> for these drive quantitative and possibly qualitative improvements in the
>>>>> efficiency of surveillance because a common language seems essential to
>>>>> discussing protocols. Adverse consequences of the efficiency of common
>>>>> interoperable language can be mitigated at the protocol level.
>>>>>
>>>>> I'm responding in personal terms to Bob's questions. *I urge all of
>>>>> us engaged in the protocol engineering effort to bring their own
>>>>> perspective on "Human Rights" and to advocate for specific technical
>>>>> solutions in specific workgroups.* For example, I have chosen to
>>>>> focus attention on authorization for verifiable credential issue. I hope
>>>>> others will prioritize human rights impact of authentication protocols
>>>>> especially where biometrics could be involved.
>>>>>
>>>>> *The specific aspects of our protocol work that give rise to human
>>>>> rights issues relate to the efficiency of standardized digital credentials
>>>>> to human persons.* What works for drugs in a supply chain or cattle
>>>>> on a farm can and usually will be misused on people. Also, transferring
>>>>> responsibility from an issuer to a subject of a VC is a burden that needs
>>>>> to be recognized and mitigated. With respect to the UDHRs, I would point to
>>>>> 12 (privacy and confidentiality), 13 (anonymity), 14 (limit the reach of
>>>>> DHS and other state actors), 17 (the right to associate with and delegate
>>>>> to others), 18 (associate with and delegate to communities one chooses), 20
>>>>> (association, again), 21 (secret elections), 22 (anonymity), 23 (trade
>>>>> unions as delegates), 24 (burden of managing decisions in an asymmetric
>>>>> power relationship with the state or with dominant private platforms), 29
>>>>> (duties to and scope of the community).
>>>>>
>>>>> *I'm suggesting that we formally address the issue of human rights as
>>>>> applied to the VC-API standardization process.* I'm also suggesting
>>>>> that we use a process in VC-API that formally harmonizes our work with IETF
>>>>> GNAP.
>>>>>
>>>>> Adrian
>>>>>
>>>>> On Tue, Jan 4, 2022 at 11:45 PM Bob Wyman <bob@wyman.us> wrote:
>>>>>
>>>>>> Adrian,
>>>>>> Given that you're starting a new thread, I would appreciate it if you
>>>>>> could do some context setting and clarifying:
>>>>>>
>>>>>>    - *What do you mean by "Human Rights?"* Hopefully, you won't
>>>>>>    consider that a foolish question. The issue is, of course, that since
>>>>>>    Internet standards are developed in a multicultural, multinational context,
>>>>>>    it isn't obvious, without reference to some external authority, what a
>>>>>>    standards group should classify as a human right. Different cultures and
>>>>>>    governments tend to differ on this subject... As far as I know, the "best"
>>>>>>    source of what might be considered a broad consensus definition of human
>>>>>>    rights is found in the UN's 1948 Universal Declaration of Human
>>>>>>    Rights
>>>>>>    <https://www.un.org/en/about-us/universal-declaration-of-human-rights>
>>>>>>     (UDHR).
>>>>>>       - Does the UDHR contain the full set of rights that you think
>>>>>>       should be addressed by standards groups? If not, are there additional
>>>>>>       rights that you think should be considered?
>>>>>>       - In his document, Human Rights Are Not a Bug
>>>>>>       <https://www.fordfoundation.org/work/learning/research-reports/human-rights-are-not-a-bug-upgrading-governance-for-an-equitable-internet/>,
>>>>>>       Niels ten Oever refers to the UN Guiding Principles for
>>>>>>       Business and Human Rights
>>>>>>       <https://www.ohchr.org/documents/publications/guidingprinciplesbusinesshr_en.pdf>,
>>>>>>       which adds to the rights enumerated in the UDHR a number of additional
>>>>>>       rights described in the International Labour Organization’s Declaration
>>>>>>       on Fundamental Principles and Rights at Work
>>>>>>       <https://www.ilo.org/declaration/lang--en/index.htm>. Given
>>>>>>       that you appear to endorse ten Oever's report, do you also propose the same
>>>>>>       combined set of rights? (i.e. UDHR + ILO DFPRW?)
>>>>>>       - Some have argued that the Internet introduces a need to
>>>>>>       recognize rights that have not yet been enumerated either in the UDHR or in
>>>>>>       any other broadly accepted documents. If this is the case, how is a
>>>>>>       standards group to determine what set of rights they must respect?
>>>>>>    - *What specific aspects of the issues being addressed by this
>>>>>>    community group give rise to human rights issues?* Also, if you
>>>>>>    accept that one or some number of documents contain a useful list of such
>>>>>>    rights, can you identify which specific, enumerated rights are at risk?
>>>>>>    (e.g. if the UDHR is the foundation text, then I assume privacy issues
>>>>>>    would probably be considered in the context of the UDHR's Article
>>>>>>    12
>>>>>>    <https://www.un.org/en/about-us/universal-declaration-of-human-rights#:~:text=Article%2012,interference%20or%20attacks.>
>>>>>>    .)
>>>>>>    - *Are you suggesting that this group should formally address the
>>>>>>    issue of rights*, with some sort of process, or just that we
>>>>>>    should be aware of the issues?
>>>>>>       - ten Oever suggests that "Those who design, standardize, and
>>>>>>       maintain the infrastructure on which we run our information societies,
>>>>>>       should assess their actions, processes, and technologies on their societal
>>>>>>       impact." You apparently agree. Can you say how this should be done?
>>>>>>       - The UN Guiding Principles for Business and Human Rights
>>>>>>       describe a number of procedural steps that should be taken by either
>>>>>>       governments or corporations. Are you aware of a similar procedural
>>>>>>       description that would apply to standards groups?
>>>>>>       - I think it was in the video that it was suggested that, in
>>>>>>       Internet standards documents, "a section on human rights considerations
>>>>>>       should become as normal as one on security considerations." Do you agree?
>>>>>>       If so, can you suggest how such a section would be written?
>>>>>>
>>>>>> bob wyman
>>>>>>
>>>>>>
>>>>>> On Tue, Jan 4, 2022 at 9:05 PM Adrian Gropper <agropper@healthurl.com>
>>>>>> wrote:
>>>>>>
>>>>>>> This is a new thread for a new year to inspire deeper cooperation
>>>>>>> between W3C and IETF. This is relevant to our formal objection issues in
>>>>>>> W3C DID as well as the harmonization of IETF SECEVENT DIDs and GNAP with
>>>>>>> ongoing protocol work in W3C and DIF.
>>>>>>>
>>>>>>> The Ford Foundation paper attached provides the references. However,
>>>>>>> this thread should not be about governance philosophy but rather a focus on
>>>>>>> human rights as a design principle as we all work on protocols that will
>>>>>>> drive adoption of W3C VCs and DIDs at Internet scale.
>>>>>>>
>>>>>>> https://redecentralize.org/redigest/2021/08/ says:
>>>>>>>
>>>>>>> *Human rights are not a bug*
>>>>>>>> Decisions made by engineers in internet standards bodies (such as
>>>>>>>> IETF <https://www.ietf.org/> and W3C <https://www.w3.org/>) have a
>>>>>>>> large influence on internet technology, which in turn influences people’s
>>>>>>>> lives — people whose needs may or may not have been taken into account. In
>>>>>>>> the report Human Rights Are Not a Bug
>>>>>>>> <https://www.fordfoundation.org/work/learning/research-reports/human-rights-are-not-a-bug-upgrading-governance-for-an-equitable-internet/>
>>>>>>>>  (see also its launch event
>>>>>>>> <https://www.youtube.com/embed/qyYETzXJqmc?rel=0&iv_load_policy=3&modestbranding=1&autoplay=1>),
>>>>>>>> Niels ten Oever asks *“how internet governance processes could be
>>>>>>>> updated to deeply embed the public interest in governance decisions and in
>>>>>>>> decision-making culture”*.
>>>>>>>> “Internet governance organizations maintain a distinct governance
>>>>>>>> philosophy: to be consensus-driven and resistant to centralized
>>>>>>>> institutional authority over the internet. But these fundamental values
>>>>>>>> have limitations that leave the public interest dangerously neglected in
>>>>>>>> governance processes. In this consensus culture, the lack of institutional
>>>>>>>> authority grants disproportionate power to the dominant corporate
>>>>>>>> participants. While the governance bodies are open to non-industry members,
>>>>>>>> they are essentially forums for voluntary industry self-regulation. Voices
>>>>>>>> advocating for the public interest are at best limited and at worst absent.”
>>>>>>>> The report describes how standards bodies, IETF in particular,
>>>>>>>> focus narrowly on facilitating interconnection between systems, so that
>>>>>>>>  *“many rights-related topics such as privacy, free expression or
>>>>>>>> exclusion are deemed “too political””*; this came hand in hand
>>>>>>>> with the culture of techno-optimism:
>>>>>>>> “There was a deeply entrenched assumption that the internet is an
>>>>>>>> engine for good—that interconnection and rough consensus naturally promote
>>>>>>>> democratization and that the open, distributed design of the network can by
>>>>>>>> itself limit the concentration of power into oligopolies.
>>>>>>>> This has not proved to be the case.”
>>>>>>>> To improve internet governance, the report recommends involving all
>>>>>>>> stakeholders in decision procedures, and adopting human rights impact
>>>>>>>> assessments (a section on *human rights considerations* should
>>>>>>>> become as normal as one on *security considerations*).
>>>>>>>> The report only briefly touches what seems an important point: that
>>>>>>>> existing governance bodies may become altogether irrelevant as both tech
>>>>>>>> giants and governments move on without them:
>>>>>>>> “Transnational corporations and governments have the power to drive
>>>>>>>> internet infrastructure without the existing governance bodies, through new
>>>>>>>> technologies that set de facto standards and laws that govern “at” the
>>>>>>>> internet not “with” it.”
>>>>>>>> How much would having more diverse stakeholders around the table
>>>>>>>> help, when ultimately Google decides whether and how a standard will be
>>>>>>>> implemented, or founds a ‘more effective’ standardisation body instead?
>>>>>>>
>>>>>>>
>>>>>>> Our work over the next few months is unbelievably important,
>>>>>>>
>>>>>>> - Adrian
>>>>>>>
>>>>>>

-- 
*ORIE STEELE*
Chief Technical Officer
www.transmute.industries

Received on Wednesday, 5 January 2022 22:13:17 UTC