RE: [EXT] Re: Could Jevons Paradox take digital credentials in the wrong direction?

Kyle,

This seems related to some active work in the FICG to define a charter for a W3C WG that would work on a FedCM-like browser API that would enable any website to make a request for any information from any Identity Provider.

Currently, the architecture has the user squarely in the middle and wallets of VCs should be a possible source of the IdP data.


From: Kyle Den Hartog <kyle@pryvit.tech>
Sent: Sunday, June 25, 2023 4:46 PM
To: Drummond Reed <Drummond.Reed@gendigital.com>
Cc: Anders Rundgren <anders.rundgren.net@gmail.com>; W3C Credentials Community Group <public-credentials@w3.org>
Subject: Re: [EXT] Re: Could Jevons Paradox take digital credentials in the wrong direction?

So as I understand the technical solutions presented for the mDL API use case the two plausible technical solutions are “verify the verifiers” which is being done via domain certificates currently and “public availability of VP requests” which is being done by relying on the mDL standardized schema.

I think we can use this particular use case to really hone in past the high level approaches and as a community offer feedback to this spec and get very specific about some of these answers now. We no longer need to settle for high level sound bites.

For example, do we believe this API should even exist? My hunch says even if we unanimously say no it will still get shipped.

So, do we believe that all websites should be able to request the mDL or just some?

If it’s just some, how should the API determine which are acceptable and which aren’t?

Is a high level “all or nothing consent request” based on the permissions UI in browsers (the ones used to request location) adequate for the first iteration of this API? Should selective disclosure be required in the first iteration?

Do we believe that the technology should be leading the use case here or should regulation be setting guard rails first like we’ve seen already with some states regulating adult content websites? If regulations and/or trust frameworks should lead here how does the API design enforce that or is it expected that the websites self enforce this?

Do we need to advocate in legislative bodies some sort of reporting structure such as you can report it to your attorney general to report websites that are abusing the API?

Adrian mentioned the usage of delegation here, how might delegation be used or excluded within this use case?

Put simply, I’d like to reframe this discussion to focus specifically on the use case we have at hand here so that we can specifically engage with the main contributors in the WICG working on this. For me personally, I’m hesitant to say we as a society are ready to enable this technology having seen how COVID Passes went. There was a lot of controversy globally caused by them even if it was a small minority. Now we’re looking at exploring how to provide a high value credential to any website next. Are we ready for this?

Just some questions for thought to help guide this discussion a bit better.

-Kyle



On Mon, 26 Jun 2023 at 10:02 AM Drummond Reed <Drummond.Reed@gendigital.com> wrote:
First, I want to underscore Anders' point that mobile phone numbers, followed by email addresses, have already become the most ubiquitous “tracking cookies” in human history. What’s worse is that there’s nothing we can do to prevent it, because the communications networks for which those addresses were designed give us—the addressees—nearly zero control over the use of those addresses.

We have the power to change that with verifiable credentials—to start to assert addresses over which we DO have control—both control over tracking (by using non-correlate-able identifiers) and control usage (by using digital watermarking of our data and personal agents to block unauthorized usage).

Second, while I certainly welcome verify-the-verifier regulations, I disagree they are the only solution to prevent “papers please”. I believe non-implementers are not considering the public availability of verifiable presentation requests (the technical name for when a verifier asks a holder to present a proof of some data). In short, if a verifier is overreaching in a verifiable presentation request, any holder in the world encountering such a request will be able to expose it to the world (including regulators).

I believe this is going to create greater public and regulatory pressure towards data minimization, not the opposite. I can attest that 100% of the verifiable credential ecosystems that Gen is currently working on developing with our customers are keenly aware of this and are being very carefully designed for data minimization (in fact some of our customers are thrilled that they will not need to collect as much personal data as it is steadily becoming as much of a liability as an asset).

Net net: short of repressive regimes which can already dictate “papers please” (which we can’t do anything about), in the rest of the free world the adoption of digital wallet and credentials has greater potential to increase privacy and user control than to harm it.

=Drummond

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Sunday, June 25, 2023 at 6:43 AM
To: W3C Credentials Community Group <public-credentials@w3.org>
Subject: [EXT] Re: Could Jevons Paradox take digital credentials in the wrong direction?

The #1 privacy issue remains unaddressed: the ubiquitous use of mobile phone numbers and e-mail addresses effectively constitutes a GLOBAL "SSN" registry.

Anders

Received on Monday, 26 June 2023 17:54:36 UTC