Re: [EXT] Re: Could Jevons Paradox take digital credentials in the wrong direction?

So as I understand the technical solutions presented for the mDL API use
case, the two plausible technical solutions are “verify the verifiers” which
is being done via domain certificates currently and “public availability of
VP requests” which is being done by relying on the mDL standardized schema.

I think we can use this particular use case to really hone in past the high
level approaches and as a community offer feedback to this spec and get
very specific about some of these answers now. We no longer need to settle
for high level sound bites.

For example, do we believe this API should even exist? My hunch says even
if we unanimously say no it will still get shipped.

So, do we believe that all websites should be able to request the mDL or
just some?

If it’s just some, how should the API determine which are acceptable and
which aren’t?

Is a high level “all or nothing consent request” based on the permissions
UI in browsers (the ones used to request location) adequate for the first
iteration of this API? Should selective disclosure be required in the first
iteration?

Do we believe that the technology should be leading the use case here or
should regulation be setting guard rails first like we’ve seen already with
some states regulating adult content websites? If regulations and/or trust
frameworks should lead here, how does the API design enforce that, or is it
expected that the websites self-enforce this?

Do we need to advocate in legislative bodies some sort of reporting
structure such as you can report it to your attorney general to report
websites that are abusing the API?

Adrian mentioned the usage of delegation here, how might delegation be used
or excluded within this use case?

Put simply, I’d like to reframe this discussion to focus specifically on
the use case we have at hand here so that we can specifically engage with
the main contributors in the WICG working on this. For me personally, I’m
hesitant to say we as a society are ready to enable this technology having
seen how COVID Passes went. There was a lot of controversy globally caused
by them even if it was a small minority. Now we’re looking at exploring how
to provide a high value credential to any website next. Are we ready for
this?

Just some questions for thought to help guide this discussion a bit better.

-Kyle



On Mon, 26 Jun 2023 at 10:02 AM Drummond Reed <Drummond.Reed@gendigital.com>
wrote:

> First, I want to underscore Anders' point that mobile phone numbers,
> followed by email addresses, have already become the most ubiquitous
> “tracking cookies” in human history. What’s worse is that there’s nothing
> we can do to prevent it, because the communications networks for which
> those addresses were designed give us—the addressees—nearly zero control
> over the use of those addresses.
>
>
>
> We have the power to change that with verifiable credentials—to start to
> assert addresses over which we DO have control—both control over tracking
> (by using non-correlate-able identifiers) and control usage (by using
> digital watermarking of our data and personal agents to block unauthorized
> usage).
>
>
>
> Second, while I certainly welcome verify-the-verifier regulations, I
> disagree they are the only solution to prevent “papers please”. I believe
> non-implementers are not considering *the public availability of
> verifiable presentation requests* (the technical name for when a verifier
> asks a holder to present a proof of some data). In short, if a verifier is
> overreaching in a verifiable presentation request, any holder in the world
> encountering such a request will be able to expose it to the world
> (including regulators).
>
>
>
> I believe this is going to create *greater public and regulatory pressure
> towards data minimization*, not the opposite. I can attest that 100% of
> the verifiable credential ecosystems that Gen is currently working on
> developing with our customers are keenly aware of this and are being very
> carefully designed for data minimization (in fact some of our customers are
> thrilled that they will not need to collect as much personal data as it is
> steadily becoming as much of a liability as an asset).
>
>
>
> Net net: short of repressive regimes which can already dictate “papers
> please” (which we can’t do anything about), in the rest of the free world
> the adoption of digital wallet and credentials has greater potential to
> increase privacy and user control than to harm it.
>
>
>
> =Drummond
>
>
>
> *From: *Anders Rundgren <anders.rundgren.net@gmail.com>
> *Date: *Sunday, June 25, 2023 at 6:43 AM
> *To: *W3C Credentials Community Group <public-credentials@w3.org>
> *Subject: *[EXT] Re: Could Jevons Paradox take digital credentials in the
> wrong direction?
>
> The #1 privacy issue remains unaddressed: the ubiquitous use of mobile
> phone numbers and e-mail addresses effectively constitutes a GLOBAL "SSN"
> registry.
>
> Anders
>

Received on Sunday, 25 June 2023 22:46:33 UTC