- From: Keith Kowal <keith.kowal@swirldslabs.com>
- Date: Mon, 4 Dec 2023 15:47:54 -0800
- To: Adrian Gropper <agropper@healthurl.com>
- Cc: "Deventer, M.O. (Oskar) van" <oskar.vandeventer@tno.nl>, "Bachenheimer, Daniel" <daniel.bachenheimer@accenture.com>, Credentials Community Group <public-credentials@w3.org>, Daniel Goldscheider <daniel@openwallet.foundation>, Sebastian Elfors <sebastian.elfors@idnow.io>, "andrewhughes@pingidentity.com" <andrewhughes@pingidentity.com>, "technical-discuss@lists.openwallet.foundation" <technical-discuss@lists.openwallet.foundation>, "zeuthen@google.com" <zeuthen@google.com>
- Message-ID: <CAEKcP=YVOjwe8tB=-wE7Xo2ghnrhEC6Mst3vO2O172S2ihyUMA@mail.gmail.com>
Hi All,

If anyone is interested there is a Congressional hearing on mobile driver’s licenses (mDLs) tomorrow (Dec 5) from 2-5pm ET. It can be viewed at https://homeland.house.gov/hearing/identity-management-innovation-looking-beyond-real-id/

Best Regards,
Keith

On Tue, Oct 24, 2023 at 7:42 AM Adrian Gropper <agropper@healthurl.com> wrote:

> Hi Oskar,
>
> The incompetence that you are asking about is our unwillingness to admit
> that individuals do not care about identity either digital or analog.
>
> People care about having a reputation in context, having an address that
> they can be reached at, being anonymous when that is appropriate, being
> left alone, etc…
>
> Until those of us who see identity in terms of cryptography change our
> perspective to people who are most likely to mistrust us as they are to
> misunderstand us we will be the incompetent ones.
>
> Adrian
>
> On Tue, Oct 24, 2023 at 4:31 AM Deventer, M.O. (Oskar) van <
> oskar.vandeventer@tno.nl> wrote:
>
>> Sebastian, all,
>>
>> Thanks for that info. It is good to hear about improvement work on the
>> European law. Still, I do not understand how the cited changes in (55)
>> address the issue. As long as the European law does not include some strong
>> negative statements (e.g. “it shall be made technically impossible to …”),
>> the offending parts of the ARF and PID would remain compliant, and it would
>> be left to national governments to remedy.
>>
>> <rant> It amazes me. We have federated identity for decades. We have
>> FIDO2. We have 3GPP SUCI/SUPI. We all know how to technically prevent
>> unwanted/illegal correlations, and how to combine
>> cryptographically-enforced privacy protection with reliable identity
>> matching. What incompetence causes that we continue to have these
>> discussions with our own governments, in particular the European one that
>> introduced GDPR itself?
>> </rant>
>>
>> Anyway, reasons enough to join the OWF Safe Wallet SIG (
>> https://tac.openwallet.foundation/SIGs/safe-wallet/,
>> https://github.com/openwallet-foundation/tac/issues/57,
>> https://github.com/openwallet-foundation/safe-wallet-sig/discussions/7).
>>
>> Best regards,
>>
>> Oskar
>>
>> *From:* Sebastian Elfors <sebastian.elfors@idnow.io>
>> *Sent:* Tuesday 24 October 2023 09:55
>> *To:* Deventer, M.O. (Oskar) van <oskar.vandeventer@tno.nl>;
>> Bachenheimer, Daniel <daniel.bachenheimer@accenture.com>;
>> zeuthen@google.com; andrewhughes@pingidentity.com
>> *Cc:* Adrian Gropper <agropper@healthurl.com>; Daniel Goldscheider
>> <daniel@openwallet.foundation>; Credentials Community Group <
>> public-credentials@w3.org>; technical-discuss@lists.openwallet.foundation
>> *Subject:* RE: [technical-discuss] Civil Society Response to TSA mDL
>> Rule Making
>>
>> Oskar, all,
>>
>> Yes, it is correct that the first eIDAS2 proposal that was drafted by the
>> EU Commission in June 2021 included the following statement on ‘unique
>> identification’:
>>
>> *“(55) ‘unique identification’ means a process where person
>> identification data or person identification means are matched with or
>> linked to an existing account belonging to the same person.’;”*
>>
>> This recital has been heavily criticized by several privacy organizations
>> in the EU and the unique identifier even violates the constitution in a
>> number of EU Member States.
>>
>> So recital 55 has been modified as follows in the EU Council eIDAS2
>> proposal (December 2022):
>>
>> *(55) ‘record matching’ means a process where person identification data
>> or, person identification means, qualified electronic attestation of
>> attributes or attestations of attributes issued by or on behalf of a public
>> sector body responsible for an authentic source are matched with or linked
>> to an existing account belonging to the same person.’*
>>
>> And it has been modified even further in the EU Parliament eIDAS2
>> proposal (February 2023):
>>
>> *“(55) ‘identity matching’ means a process where person identification
>> data or person identification means are matched with or linked to an
>> existing account belonging to the same person.’”*
>>
>> The exact formulation of recital 55 is currently being negotiated in the
>> eIDAS2 trialogue between the EU Commission, EU Parliament, and EU Council.
>> The final eIDAS2 regulation is expected to be issued in November 2023.
>>
>> Kind regards,
>>
>> Sebastian
>>
>> *From:* technical-discuss@lists.openwallet.foundation <
>> technical-discuss@lists.openwallet.foundation> *On Behalf Of *Deventer,
>> M.O. (Oskar) van via lists.openwallet.foundation
>> *Sent:* Monday, 23 October 2023 11:47
>> *To:* Bachenheimer, Daniel <daniel.bachenheimer@accenture.com>;
>> zeuthen@google.com; andrewhughes@pingidentity.com
>> *Cc:* Adrian Gropper <agropper@healthurl.com>; Daniel Goldscheider <
>> daniel@openwallet.foundation>; Credentials Community Group <
>> public-credentials@w3.org>; technical-discuss@lists.openwallet.foundation
>> *Subject:* Re: [technical-discuss] Civil Society Response to TSA mDL
>> Rule Making
>>
>> All,
>>
>> For your information, the European use of mDL and VC (EUDI wallet, ARF,
>> PID) suffers from similar privacy/abuse/over-identification issues, see
>> https://en.epicenter.works/document/4566. The worst offence is the
>> assignment of a “unique identifier” to each European citizen, which enables
>> colluding verifiers to easily correlate their users.
>>
>> Protection measures that Europe looks into, is “Identified Verifier” and
>> “Authorized Verifier”. That is, after an identification transaction, the
>> citizen has non-repudiable proof when, how and by whom they were
>> identified. And possibly, the transaction fails for non-authorized
>> verifiers. Still very unsure/unclear …
>>
>> Best regards,
>>
>> Oskar
>>
>> *From:* Bachenheimer, Daniel <daniel.bachenheimer@accenture.com>
>> *Sent:* Friday 20 October 2023 19:11
>> *To:* zeuthen@google.com; andrewhughes@pingidentity.com
>> *Cc:* Adrian Gropper <agropper@healthurl.com>; Daniel Goldscheider <
>> daniel@openwallet.foundation>; Credentials Community Group <
>> public-credentials@w3.org>; technical-discuss@lists.openwallet.foundation
>> *Subject:* RE: [External] Re: [technical-discuss] Civil Society Response
>> to TSA mDL Rule Making
>>
>> The rule to me seems void of defining the underlying principles
>> surrounding the use of this technology “for official purposes”.
>>
>> - *How will the holder know that their mDL is being read for official
>> purposes… ONLY because a TSA uniform is being worn by the in-person
>> requester? Will there be any official audits of the transaction “for
>> official purposes” that can be reviewed by the public if needed? How,
>> electronically, will the mDL ecosystem determine, enforce, and penalize
>> improper use of the personal data during the issuance and/or verification
>> processes – including any intermediation (e.g., retention, sharing,
>> breaches)?
>> How will Data subjects be informed of same?*
>>
>> We know, for example, that US Passports are easy targets for fraud due to
>> their vulnerability to morph attacks and acceptance of poor quality photos
>> which impacts the Authenticity, Accuracy, and Uniqueness of the identity
>> represented
>>
>> - *When mDLs are used “for official purposes”, how will the Issuer,
>> Holder and Verifier be assured that the subject represented is: (1) unique
>> within the target population (and how will that be measured? To what
>> FNIR/FPIR?), (2) that the photo is actually authentic – not simply
>> cryptographically signed by the issuance authority, and (3) of sufficient
>> quality for automated facial recognition?*
>>
>> If the mDL is to be a proxy for Foundational Identity within the US, I feel
>> we should be able to answer these questions – and many others – especially
>> “for official use”.
>>
>> Thank You,
>>
>> *Daniel Bachenheimer*
>>
>> *Digital Identity Innovations* | *Technology Lead*
>>
>> Office: Arlington, VA | USA
>>
>> Direct: +1 703.947.1659 | Mobile: +1 202.251.7073
>>
>> Email: daniel.bachenheimer@accenture.com
>>
>> *From:* technical-discuss@lists.openwallet.foundation <
>> technical-discuss@lists.openwallet.foundation> *On Behalf Of *David
>> Zeuthen via lists.openwallet.foundation
>> *Sent:* Friday, October 20, 2023 12:00 PM
>> *To:* andrewhughes@pingidentity.com
>> *Cc:* Adrian Gropper <agropper@healthurl.com>; Daniel Goldscheider <
>> daniel@openwallet.foundation>; Credentials Community Group <
>> public-credentials@w3.org>; technical-discuss@lists.openwallet.foundation
>> *Subject:* [External] Re: [technical-discuss] Civil Society Response to
>> TSA mDL Rule Making
>>
>> Hi,
>>
>> +1 to what Andrew said from someone who's also working on that particular
>> set of ISO groups.
>> And, yes, we could spend bandwidth discussing the merits
>> of various SDOs but, really, that's been all done before, they all have
>> their flaws, and at the end of the day the comparison table might not even
>> help the claim that ISO is the one where it's the most difficult to have
>> your voice heard, just saying :-). I'm here because I want to work with
>> everyone else who wants to make Digital Identity better for people on this
>> planet, not discuss which SDO is my favorite because at the end of the day
>> reaching this goal for sure will require participation in more than just
>> one SDO.
>>
>> This is not to say that we shouldn't encourage SDOs to do better but
>> let's not alienate people in a place that decidedly is SDO-neutral
>> territory.
>>
>> Thanks,
>>
>> David
>>
>> On Thu, Oct 19, 2023 at 7:30 PM Andrew Hughes via
>> lists.openwallet.foundation <
>> andrewhughes=pingidentity.com@lists.openwallet.foundation> wrote:
>>
>> Please stop calling ISO processes "closed" in ways that insinuate some
>> nefarious intent. Use a different word. Just because the way that
>> international standardization organization works is not to your liking does
>> not mean that it is inherently "bad". The particular ISO committee you
>> denigrate has gone out of its way to engage and accommodate other
>> communities, within the rules of the organization. We can always do better
>> for sure - but the language used in some of these communities does not
>> inspire a desire to work together. Please don't pick on us just because we
>> are trying to engage - there are other actually closed organizations that
>> have far more influence over you but you don't seem to bother them.
>>
>> *Andrew Hughes*
>> Director - Identity Standards
>> andrewhughes@pingidentity.com
>> Mobile/Signal: +1 250 888 9474
>>
>> On Thu, Oct 19, 2023 at 4:07 PM Adrian Gropper <agropper@healthurl.com>
>> wrote:
>>
>> Here's my observation of shared goals independent of technical
>> implementations:
>>
>> - *We build on top of the VC standard rather than any closed data
>> models and processes.* That means we need to understand the
>> goals behind ISO mDL and decide whether we want to influence their closed
>> process or replace mDL with VC as data models? Which way will OWF consensus
>> go?
>> - *We build on protocols that put human VCs ahead of any non-human
>> applications.* Human VC issue and verification protocols have to deal
>> with biometrics either directly or indirectly. Supply chain and other
>> use-cases do not have any benefit or liability from biometrics. Almost none
>> of the CCG related protocol work has been based on this distinction and the
>> perception that we're barcoding or chipping humans needs to be dealt with
>> sooner or later. Adding privacy features and principles to standards that
>> apply to both people and things may not be an optimal strategy. If OWF does
>> not develop protocols, then where will the open human rights based
>> standards come from?
>> - *We recognize that choosing among dozens of VCs, making selections
>> for selective disclosure on some of them, and often using another
>> credential for payment is a burden to the person.* Given what we know
>> about human propensity for convenience over privacy, how likely is it that
>> platforms will evolve to "help" us with these decisions along with
>> surveillance and lock-in? Does OWF have a consensus on how to prevent
>> platform dominance by recognizing the freedom to choose our helpful agents
>> and representatives as a Universal Human Right, not just an option?
>> - *We deal explicitly with the reality that DHS border guards, law
>> enforcement, and maybe the TSA will reserve and routinely exercise their
>> right to "call home" and to verify witnessed biometrics no matter what
>> privacy principles we build into the open wallet protocols.* The
>> argument that allowing any uses of VCs that call home opens the door for
>> this abuse outside of government use-cases is valid. Nonetheless, does OWF
>> have consensus on how to ensure that calling home can be regulated or
>> technically prevented by design vs. just hoping that non-government
>> verifiers will do the right thing just because they can?
>>
>> These four specific categories of potential consensus are more or less
>> independent. By cross-posting them with the CCG protocol and OWF
>> demonstration discussion groups, I'm hoping to discover a forum for seeking
>> the consensus.
>>
>> Adrian
>>
>> On Thu, Oct 19, 2023 at 4:03 PM Daniel Goldscheider <
>> daniel@openwallet.foundation> wrote:
>>
>> Point well taken.
>>
>> In my mind, they should know that we value their perspective and want to
>> speak with them. If they lack time or interest to talk to us that’s their
>> prerogative of course.
>>
>> Technical standards and solutions come and go. I think it’s useful to
>> agree on shared goals that are independent of technical implementations to
>> have consensus on what we want to achieve before discussing how to get
>> there.
>>
>> All the best,
>>
>> Daniel
>>
>> On 19 Oct 2023, at 12:53, Adrian Gropper <agropper@healthurl.com> wrote:
>>
>> Hi Daniel,
>>
>> These four groups are not staffed to participate directly in the kind of
>> work being done in our digital ID communities. As a result, they are
>> almost exclusively reactive, and negative. I myself, am not paid, have
>> never been paid, for working on DIDs and VCs since the beginning.
>> Even so,
>> or maybe because I don't represent a commercial interest, my perspective
>> has been mostly ignored or treated as an annoyance by CCG-related
>> workgroups.
>>
>> I don't know if OWF will be different. Getting ahead of the adoption
>> issue should be the highest priority of OWF and I still don't see an open
>> discussion of who will do that work and how. Interoperability and privacy
>> "principles" are not enough.
>>
>> Adrian
>>
>> On Thu, Oct 19, 2023 at 3:36 PM Daniel Goldscheider <
>> daniel@openwallet.foundation> wrote:
>>
>> Hi Adrian,
>>
>> I had already reached out to EFF and ACLU before this came out and
>> completely agree with you.
>>
>> We should try to engage with all 4. Ideally I’d love to get to their
>> support for open interoperable wallets and explore if we can agree on
>> privacy principles as well.
>>
>> Would you be willing to talk to EPIC and suggest a conversation?
>>
>> All the best,
>>
>> Daniel
>>
>> On 19 Oct 2023, at 12:20, Adrian Gropper <agropper@healthurl.com> wrote:
>>
>> Thanks, Kaliya!
>>
>> The comment also mentions Open Wallet Foundation so I'm cross-posting.
>>
>> I have worked with all four of the signing organizations over the years
>> and am on the EPIC Advisory Board. It would be useful, maybe essential, to
>> consider their concerns and get ahead of the next round of mandates and
>> adoption issues.
>>
>> Adrian
>>
>> On Thu, Oct 19, 2023 at 1:12 PM Kaliya Identity Woman <
>> kaliya@identitywoman.net> wrote:
>>
>> Hi Folks,
>>
>> This was just shared with me and I wanted the list to see it. The ACLU,
>> EFF, Center for Democracy and Technology, and EPIC (Electronic Privacy
>> Information Center) collaborated on a response to the proposed rule-making
>> by TSA re: mDL.
>>
>> https://www.eff.org/document/10-16-2023-aclu-eff-epic-comments-re-tsa-nprm-mdls
>>
>> They mention Verifiable Credentials several times and urge the TSA to
>> slow down to ensure the best most privacy enhancing options can be chosen
>> as things continue to mature rather than rush forward.
>>
>> It shows that engaging with and educating civil society groups who are
>> interested and tracking technology developments is a good thing.
>>
>> - Kaliya
>>
>> --
>>
>> David Zeuthen |
>> zeuthen@google.com |
>> Google
>> | Android Hardware-Backed Security

--
*Keith Kowal*
*Director Product Management*
Phone: 250.888.6744
Email: keith.kowal@swirldslabs.com
SwirldsLabs.com <https://swirldslabs.com/>
Received on Tuesday, 5 December 2023 10:29:25 UTC