Re: [technical-discuss] Civil Society Response to TSA mDL Rule Making

Hi Oskar,

The incompetence that you are asking about is our unwillingness to admit
that individuals do not care about identity either digital or analog.

People care about having a reputation in context, having an address that
they can be reached at, being anonymous when that is appropriate, being
left alone, etc…

Until those of us who see identity in terms of cryptography change our
perspective to people who are most likely to mistrust us as they are to
misunderstand us we will be the incompetent ones.

Adrian


On Tue, Oct 24, 2023 at 4:31 AM Deventer, M.O. (Oskar) van <
oskar.vandeventer@tno.nl> wrote:

> Sebastian, all,
>
>
>
> Thanks for that info. It is good to hear about improvement work on the
> European law. Still, I do not understand how the cited changes in (55)
> address the issue. As long as the European law does not include some strong
> negative statements (e.g. “it shall be made technically impossible to …”),
> the offending parts of the ARF and PID would remain compliant, and it would
> be left to national governments to remedy.
>
>
>
> <rant> It amazes me. We have federated identity for decades. We have
> FIDO2. We have 3GPP SUCI/SUPI. We all know how to technically prevent
> unwanted/illegal correlations, and how to combine
> cryptographically-enforced privacy protection with reliable identity
> matching. What incompetence causes that we continue to have these
> discussions with our own governments, in particular the European one that
> introduced GDPR itself? </rant>
>
>
>
> Anyway, reasons enough to join the OWF Safe Wallet SIG (
> https://tac.openwallet.foundation/SIGs/safe-wallet/,
> https://github.com/openwallet-foundation/tac/issues/57,
> https://github.com/openwallet-foundation/safe-wallet-sig/discussions/7).
>
>
>
> Best regards,
>
>
>
> Oskar
>
>
>
>
>
> *From:* Sebastian Elfors <sebastian.elfors@idnow.io>
> *Sent:* dinsdag 24 oktober 2023 09:55
> *To:* Deventer, M.O. (Oskar) van <oskar.vandeventer@tno.nl>;
> Bachenheimer, Daniel <daniel.bachenheimer@accenture.com>;
> zeuthen@google.com; andrewhughes@pingidentity.com
> *Cc:* Adrian Gropper <agropper@healthurl.com>; Daniel Goldscheider
> <daniel@openwallet.foundation>; Credentials Community Group <
> public-credentials@w3.org>; technical-discuss@lists.openwallet.foundation
> *Subject:* RE: [technical-discuss] Civil Society Response to TSA mDL Rule
> Making
>
>
>
> Oskar, all,
>
>
>
> Yes, it is correct that the first eIDAS2 proposal that was drafted by the
> EU Commission in June 2021 included the following statement on ‘unique
> identification’:
>
>
>
> *“(55)  ‘unique identification’ means a process where person
> identification data or person identification means are matched with or
> linked to an existing account belonging to the same person.’;”*
>
>
>
> This recital has been heavily critized by several privacy organizations in
> the EU and the unique identifier even violates the constitution in a number
> of EU Member States.
>
>
>
> So recital 55 has been modified as follows in the EU Council eIDAS2
> proposal (December 2022):
>
>
>
> *(55)  ‘record matching’ means a process where person identification data
> or, person identification means, qualified electronic attestation of
> attributes or attestations of attributes issued by or on behalf of a public
> sector body responsible for an authentic source are matched with or linked
> to an existing account belonging to the same person.’*
>
>
>
> And it has been modified even further in the EU Parliament eIDAS2 proposal
> (February 2023):
>
>
>
> *“(55)  ‘identity matching’ means a process where person identification
> data or person identification means are matched with or linked to an
> existing account belonging to the same person.’”*
>
>
>
> The exact formulation of recital 55 is currently being negotiated in the
> eIDAS2 trialogue between the EU Commission, EU Parliament, and EU Council.
> The final eIDAS2 regulation is expected to be issued in November 2023.
>
>
>
> Kind regards,
>
> Sebastian
>
>
>
> *From:* technical-discuss@lists.openwallet.foundation <
> technical-discuss@lists.openwallet.foundation> *On Behalf Of *Deventer,
> M.O. (Oskar) van via lists.openwallet.foundation
> *Sent:* Monday, 23 October 2023 11:47
> *To:* Bachenheimer, Daniel <daniel.bachenheimer@accenture.com>;
> zeuthen@google.com; andrewhughes@pingidentity.com
> *Cc:* Adrian Gropper <agropper@healthurl.com>; Daniel Goldscheider <
> daniel@openwallet.foundation>; Credentials Community Group <
> public-credentials@w3.org>; technical-discuss@lists.openwallet.foundation
> *Subject:* Re: [technical-discuss] Civil Society Response to TSA mDL Rule
> Making
>
>
>
> *CAUTION:* This email originated from outside the organization. Do not
> click links or open attachments unless you recognize the sender and know
> the content is safe.
>
> All,
>
>
>
> For your information, the European use of mDL and VC (EUDI wallet, ARF,
> PID) suffers from similar privacy/abuse/over-identification issues, see
> https://en.epicenter.works/document/4566. The worst offence is the
> assignment of a “unique identifier” to each European citizen, which enables
> colluding verifiers to easily correlate their users.
>
>
>
> Protection measures that Europe looks into, is “Identified Verifier” and
> “Authorized Verifier”. That is, after an identification transaction, the
> citizen has non-repudiable proof when, how and by whom they were
> identified. And possibly, the transaction fails for non-authorized
> verifiers. Still very unsure/unclear …
>
>
>
> Best regards,
>
>
>
> Oskar
>
>
>
>
>
> *From:* Bachenheimer, Daniel <daniel.bachenheimer@accenture.com>
> *Sent:* vrijdag 20 oktober 2023 19:11
> *To:* zeuthen@google.com; andrewhughes@pingidentity.com
> *Cc:* Adrian Gropper <agropper@healthurl.com>; Daniel Goldscheider <
> daniel@openwallet.foundation>; Credentials Community Group <
> public-credentials@w3.org>; technical-discuss@lists.openwallet.foundation
> *Subject:* RE: [External] Re: [technical-discuss] Civil Society Response
> to TSA mDL Rule Making
>
>
>
> The rule to me seems void of defining the underlying principles
> surrounding the use of this technology “for official purposes”.
>
>    - *How will the holder know that their mDL is being read for official
>    purposes… ONLY because a TSA uniform is being worn by the in-person
>    requester?  Will there be any official audits of the transaction “for
>    official purposes” that can be reviewed by the public if needed? How,
>    electronically, will the mDL ecosystem determine, enforce, and penalize
>    improper use of the personal data during the issuance and/or verification
>    processes – including any intermediation  (e.g., retention, sharing,
>    breaches)? How will Data subjects be informed of same?*
>
>
>
> We know, for example, that US Passports are easy targets for fraud due to
> their vulnerability to morph attacks and acceptance of poor quality photos
> which impacts the Authenticity, Accuracy, and Uniqueness of the identity
> represented
>
>    - *When mDLs are used “for official purposes”, how will the Issuer,
>    Holder and Verifier be assured that the subject represented is: (1) unique
>    within the target population (and how will that be measured? To what
>    FNIR/FPIR?), (2) that the photo is actually authentic – not simply
>    cryptographically signed by the issuance authority, and (3) of sufficient
>    quality for automated facial recognition?*
>
>
>
> If the mDL is to a proxy for Foundational Identity within the US, I feel
> we should be able to answer these questions – and many others – especially
> “for official use”.
>
>
>
> Thank You,
>
> *Daniel Bachenheimer *
>
> *Digital Identity Innovations **|  **Technology Lead*
>
> Office: Arlington, VA  *| * USA
>
> Direct:  +1 703.947.1659  *|*  Mobile:  +1 202.251.7073
>
> Email: daniel.bachenheimer@accenture.com
>
>
>
>
>
> *From:* technical-discuss@lists.openwallet.foundation <
> technical-discuss@lists.openwallet.foundation> *On Behalf Of *David
> Zeuthen via lists.openwallet.foundation
> *Sent:* Friday, October 20, 2023 12:00 PM
> *To:* andrewhughes@pingidentity.com
> *Cc:* Adrian Gropper <agropper@healthurl.com>; Daniel Goldscheider <
> daniel@openwallet.foundation>; Credentials Community Group <
> public-credentials@w3.org>; technical-discuss@lists.openwallet.foundation
> *Subject:* [External] Re: [technical-discuss] Civil Society Response to
> TSA mDL Rule Making
>
>
>
> *CAUTION:* External email. Be cautious with links and attachments.
>
>
>
> Hi,
>
>
>
> +1 to what Andrew said from someone who's also working on that particular
> set of ISO groups. And, yes, we could spend bandwidth discussing the merits
> of various SDOs but, really, that's been all done before, they all have
> their flaws, and at the end of the day the comparison table might not even
> help the claim that ISO is the one where it's the most difficult to have
> your voice heard, just saying :-). I'm here because I want to work with
> everyone else who wants to make Digital Identity better for people on this
> planet, not discuss which SDO is my favorite because at the end of the day
> reaching this goal for sure will require participation in more than just
> one SDO.
>
>
>
> This is not to say that we shouldn't encourage SDOs to do better but let's
> not alienate people in a place that decidedly is SDO-neutral territory.
>
>
>
> Thanks,
>
> David
>
>
>
>
>
>
>
> On Thu, Oct 19, 2023 at 7:30 PM Andrew Hughes via
> lists.openwallet.foundation <
> andrewhughes=pingidentity.com@lists.openwallet.foundation> wrote:
>
> Please stop calling ISO processes "closed" in ways that insinuate some
> nefarious intent. Use a different word. Just because the way that
> international standardization organization works is not to your liking does
> not mean that it is inherently "bad". The particular ISO committee you
> denigrate has gone out of its way to engage and accommodate other
> communities, within the rules of the organization. We can always do better
> for sure - but the language used in some of these communities does not
> inspire a desire to work together. Please don't pick on us just because we
> are trying to engage - there are other actually closed organizations that
> have far more influence over you but you don't seem to bother them.
>
>
>
> *Andrew Hughes*
> Director - Identity Standards
> andrewhughes@pingidentity.com
> Mobile/Signal: +1 250 888 9474 <(250)%20888-9474>
>
>
>
>
>
>
>
> On Thu, Oct 19, 2023 at 4:07 PM Adrian Gropper <agropper@healthurl.com>
> wrote:
>
> Here's my observation of shared goals independent of technical
> implementations:
>
>    - *We build on top of the VC standard rather than any closed data
>    models and processes.* That means we need to understand the
>    goals behind ISO mDL and decide whether we want to influence their closed
>    process or replace mDL with VC as data models? Which way will OWF consensus
>    go?
>    - *We build on protocols that put human VCs ahead of any non-human
>    applications.* Human VC issue and verification protocols have to deal
>    with biometrics either directly or indirectly. Supply chain and other
>    use-cases do not have any benefit or liability from biometrics. Almost none
>    of the CCG related protocol work has been based on this distinction and the
>    perception that we're barcoding or chipping humans needs to be dealt with
>    sooner or later. Adding privacy features and principles to standards that
>    apply to both people and things may not be an optimal strategy. If OWF does
>    not develop protocols, then where will the open human rights based
>    standards come from?
>    - *We recognize that choosing among dozens of VCs, making selections
>    for selective disclosure on some of them, and often using another
>    credential for payment is a burden to the person.* Given what we know
>    about human propensity for convenience over privacy, how likely is it that
>    platforms will evolve to "help" us with these decisions along with
>    surveillance and lock-in? Does OWF have a consensus on how to prevent
>    platform dominance by recognizing the freedom to choose our helpful agents
>    and representatives as a Universal Human Right, not just an option?
>    - *We deal explicitly with the reality that DHS border guards, law
>    enforcement, and maybe the TSA will reserve and routinely exercise their
>    right to "call home" and to verify witnessed biometrics no matter what
>    privacy principles we build into the open wallet protocols. *The
>    argument that allowing any uses of VCs that call home opens the door for
>    this abuse outside of government use-cases is valid. Nonetheless, does OWF
>    have consensus on how to ensure that calling home can be regulated or
>    technically prevented by design vs. just hoping that non-government
>    verifiers will do the right thing just because they can?
>
> These four specific categories of potential consensus are more or less
> independent. By cross-posting them with the CCG protocol and OWF
> demonstration discussion groups, I'm hoping to discover a forum for seeking
> the consensus.
>
>
>
> Adrian
>
>
>
>
>
>
>
>
>
> On Thu, Oct 19, 2023 at 4:03 PM Daniel Goldscheider <
> daniel@openwallet.foundation> wrote:
>
> Point well taken.
>
>
>
> In my mind, they should know that we value their perspective and want to
> speak with them. If they lack time or interest to talk to us that’s their
> prerogative of course.
>
>
>
> Technical standards and solutions come and go. I think it’s useful to
> agree on shared goals that are independent of technical implementations to
> have consensus on what we want to achieve before discussing how to get
> there.
>
>
>
> All the best,
>
> Daniel
>
>
>
>
>
>
>
> On 19 Oct 2023, at 12:53, Adrian Gropper <agropper@healthurl.com> wrote:
>
> 
>
> Hi Daniel,
>
>
>
> These four groups are not staffed to participate directly in the kind of
> work being done in our digital  ID communities. As a result, they are
> almost exclusively reactive, and negative. I myself, am not paid, have
> never been paid, for working on DIDs and VCs since the beginning. Even so,
> or maybe because I don't represent a commercial interest, my perspective
> has been mostly ignored or treated as an annoyance by CCG-related
> workgroups.
>
>
>
> I don't know if OWF will be different. Getting ahead of the adoption issue
> should be the highest priority of OWF and I still don't see an open
> discussion of who will do that work and how. Interoperability and privacy
> "principles" are not enough.
>
>
>
> Adrian
>
>
>
> On Thu, Oct 19, 2023 at 3:36 PM Daniel Goldscheider <
> daniel@openwallet.foundation> wrote:
>
> Hi Adrian,
>
>
>
> I had already reached out to EFF and ACLU before this came out and
> completely agree with you.
>
>
>
> We should do try to engage with all 4. Ideally I’d love to get to their
> support for open interoperable wallets and explore if we can agree on
> privacy principles as well.
>
>
>
> Would you be willing to talk to EPIC and suggest a conversation?
>
>
>
> All the best,
>
> Daniel
>
>
>
>
>
>
>
> On 19 Oct 2023, at 12:20, Adrian Gropper <agropper@healthurl.com> wrote:
>
> 
>
> Thanks, Kaliya!
>
>
>
> The comment also mentions Open Wallet Foundation so I'm cross-posting.
>
>
>
> I have worked with all four of the signing organizations over the years
> and am on the EPIC Advisory Board. It would be useful, maybe essential, to
> consider their concerns and get ahead of the next round of mandates and
> adoption issues.
>
>
>
> Adrian
>
>
>
> On Thu, Oct 19, 2023 at 1:12 PM Kaliya Identity Woman <
> kaliya@identitywoman.net> wrote:
>
> Hi Folks,
>
>
>
>  This was just shared with me and I wanted the list to see it.  The ACLU,
> EFF, Center for Democracy and Technology, and EPIC (Electronic Privacy
> Information Center) collaborated on a response to the proposed rule-making
> by TSA re: mDL.
>
>
>
>
> https://www.eff.org/document/10-16-2023-aclu-eff-epic-comments-re-tsa-nprm-mdls
> <https://urldefense.com/v3/__https:/www.eff.org/document/10-16-2023-aclu-eff-epic-comments-re-tsa-nprm-mdls__;!!OrxsNty6D4my!9L5vw4BuWBoHTcbGfkzOefSaLaf7IoKL-UspS9Yak0dRWUh-k5vaS34vd2At8EQ_mexhLJ0pmy8ErafaTz76ramnXZ-Ozaoa9Ftk05aCAeS1IQIHxjLh$>
>
>
>
> They mention Verifiable Credentials several times and urge the TSA to slow
> down to ensure the best most privacy enhancing options can be chosen as
> things continue to mature rather then rush forward.
>
>
>
>  It shows that engaging with and educating civil society groups who are
> interested and tracking technology developments is a good thing.
>
>
>
>  - Kaliya
>
>
>
>
>
>
>
>
>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*
>
>
>
>
> --
>
>
>
> David Zeuthen |
>
>  zeuthen@google.com |
>
>  Google
>
> | Android Hardware-Backed Security
>
>
>
>
> ------------------------------
>
>
> This message is for the designated recipient only and may contain
> privileged, proprietary, or otherwise confidential information. If you have
> received it in error, please notify the sender immediately and delete the
> original. Any other use of the e-mail by you is prohibited. Where allowed
> by local law, electronic communications with Accenture and its affiliates,
> including e-mail and instant messaging (including content), may be scanned
> by our systems for the purposes of information security, AI-powered support
> capabilities, and assessment of internal compliance with Accenture policy.
> Your privacy is important to us. Accenture uses your personal data only in
> compliance with data protection laws. For further information on how
> Accenture processes your personal data, please see our privacy statement at
> https://www.accenture.com/us-en/privacy-policy.
>
> ______________________________________________________________________________________
>
> www.accenture.com
>
>
>
> This message may contain information that is not intended for you. If you
> are not the addressee or if this message was sent to you by mistake, you
> are requested to inform the sender and delete the message. TNO accepts no
> liability for the content of this e-mail, for the manner in which you use
> it and for damage of any kind resulting from the risks inherent to the
> electronic transmission of messages.
>
> _._,_._,_
> ------------------------------
>
> Links:
>
> You receive all messages sent to this group.
>
> View/Reply Online (#206)
> <https://lists.openwallet.foundation/g/technical-discuss/message/206> | Reply
> To Sender
> <?subject=Private:%20Re:%20Re%3A%20%5Btechnical-discuss%5D%20Civil%20Society%20Response%20to%20TSA%20mDL%20Rule%20Making>
> | Reply To Group
> <technical-discuss@lists.openwallet.foundation?subject=Re:%20Re%3A%20%5Btechnical-discuss%5D%20Civil%20Society%20Response%20to%20TSA%20mDL%20Rule%20Making>
> | Mute This Topic
> <https://lists.openwallet.foundation/mt/102067342/7464479> | New Topic
> <https://lists.openwallet.foundation/g/technical-discuss/post>
> Your Subscription
> <https://lists.openwallet.foundation/g/technical-discuss/editsub/7464479>
> | Contact Group Owner
> <technical-discuss+owner@lists.openwallet.foundation> | Unsubscribe
> <https://lists.openwallet.foundation/g/technical-discuss/unsub> [
> sebastian.elfors@idnow.io]
>
> _._,_._,_
>