- From: CCG Minutes Bot <minutes@w3c-ccg.org>
- Date: Wed, 28 Aug 2024 15:56:39 +0000
- To: public-credentials@w3.org
Thanks to Our Robot Overlords and Our Robot Overlords for scribing this week! The transcript for the call is now available here: https://w3c-ccg.github.io/meetings/2024-08-27/ Full text of the discussion follows for W3C archival purposes. Audio of the meeting is available at the following location: https://w3c-ccg.github.io/meetings/2024-08-27/audio.ogg A video recording is also available at: https://meet.w3c-ccg.org/archives/w3c-ccg-weekly-2024-08-27.mp4 ---------------------------------------------------------------- W3C CCG Weekly Teleconference Transcript for 2024-08-27 Agenda: https://www.w3.org/Search/Mail/Public/advanced_search?hdr-1-name=subject&hdr-1-query=%5BAGENDA&period_month=Aug&period_year=2024&index-grp=Public__FULL&index-type=t&type-index=public-credentials&resultsperpage=20&sortby=date Organizer: Harrison Tang, Kimberly Linson, Will Abramson Scribe: Our Robot Overlords and Our Robot Overlords Present: Harrison Tang, Yvonne Nwogu, Rashmi Siravara, Gregory Natran, Joni Brennan, Dave Roberts, Sam Smith, Jennie M, Mike Xu, TallTed // Ted Thibodeau (he/him) (OpenLinkSw.com), Kerri Lemoie, PL/T3, Kimberly Linson, Will Abramson, Divad Strebor, Paul Jackson, Nis Jespersen , James Chartrand, Leo, Sylvain Martel(MCN), Joe Andrieu, Dmitri Zagidulin, Ricky Ng-Adam (MCN, Philippe Allard, Hiroyuki Sano, Japan, Kaliya Young, Tim Cappalli, Greg Bernstein, Brandi Delancey, Alex H Our Robot Overlords are scribing. Harrison_Tang: Let me try to start the recording. Our Robot Overlords are scribing. Harrison_Tang: Great hopefully this works. Harrison_Tang: All right I think the chance uh transcribe also works great all right so um welcome to this week's w3c cgg meeting um welcome everybody um so today we are very pleased to have uh Joanie and Gregory from the dayak digital identity and authentication Council uh from Canada uh to present 10 Canadian trust Frameworks. Harrison_Tang: uh but. Harrison_Tang: Just want to quickly go through a couple administrative uh agendas first of all just a quick reminder on the code of ethics and professional conduct uh just want to make sure that we have Khan conversations and discussions I think we've been doing that uh please continue to do that. Harrison_Tang: Second um just want to uh make a quick note on the intellectual property anyone can participate in these calls however all substantive contributions to any ccg work items must be member of the ccg with full IPR agreement signed so if you have any questions in regards to the agreement or the w3c account please feel free to reach out to any of the cultures. Harrison_Tang: Uh couple quick call notes uh these meetings are being automatically recorded and transcribed uh we will publish the meeting minutes the transcriptions the audio and video recordings in the next 1 to 2 days. Harrison_Tang: Uh we use GT chat to do the speakers you can type in Q Plus to add yourself to the queue or cue minus to remove and you can type in Q question mark uh to see who is in the queue. Harrison_Tang: All right um I think it's time for the introductions and reintroductions so if you're new to the community or you haven't been active and want to re-engage uh please feel free to just unmute you don't have to type in Q Plus you can just unmute and introduce yourself. Harrison_Tang: Don't be shy it's okay I'm not going to call on people though but uh if you are if you feel you know Brave and just uh unmute and uh introduce uh you to the uh introduce yourself to the community. Harrison_Tang: All right any announcements or reminders. Harrison_Tang: Anyone have a come in the events uh they want to announce or remind the community about. Kaliya Young: Yeah we've got the internet identity Workshop coming up October 29 to 31st. Kaliya Young: We have. Kaliya Young: Have a bunch of sponsorship opportunities still available. Kaliya Young: Um and they are very affordable let's just say sponsoring iiw can cost you as much as going to another conference so. Kaliya Young: I'll just put that out there folks want to. Kaliya Young: Connect um and early bird pricing ends I think. Kaliya Young: At the end of this week so. Kaliya Young: Please um get registered if you want that um price and then we also have the did unconference Africa happening in Cape Town. Kaliya Young: September 25th to 27th. Harrison_Tang: Great thanks Gia. Harrison_Tang: Any other announcements or reminders. Kaliya Young: https://internetidentityworkshop.com/. + my e-mail if you want to learn about sponsorship. kaliya@identitywoman.net Kaliya Young: https://didunconf.africa/ Harrison_Tang: So a quick preview of what's coming uh so next week we'll have a great comeback again to follow up and wrap up on the conversation regards to Anonymous holder binding and then the week after that uh we actually invited um uh people from the uh nonprofit open mind to talk about uh they are a nonprofit around AI governance uh so change a little bit topic uh to talk about their work there and then the week after that uh we have Wayne to talk about proof uh proofly forgotten signatures. Harrison_Tang: So that's what's coming. Harrison_Tang: Right last calls for announcements and reminders. Harrison_Tang: All right uh any uh notes on the work items. Harrison_Tang: So we've scheduled a couple sessions in regards to the different work item updates in the next few weeks uh so please stay tuned and we'll have another open discussion on the work items uh in quarter 4 of this year. Harrison_Tang: So let's get to the main agenda so uh as I stated uh earlier in the call very excited to have this conversation very excited to have Joanie and Gregory from the IAC to talk about pain Canadian trust Frameworks uh this topic uh is dear to my heart I think a lot of times uh most of the time we talk about digital signatures we talk about cryptography we talk about selected disclosures but I think 1 of the key things in regards to uh ensuring the uh identity self identity can be realized is trust Frameworks and governance so uh this is a a very interesting topic and I really look forward to uh Joanie and Gregory's uh presentation. Harrison_Tang: Johnny Gregory the 4 Shores thank you. Gregory_Natran: All right so I'll take over the first bit and I'll share my screen can everybody hear me okay there's a lot of background noise here. Gregory_Natran: Hopefully you're looking at a PowerPoint presentation. Gregory_Natran: There you go. Gregory_Natran: Up on screen. Harrison_Tang: Gregory it should be the third button oh there we go. Gregory_Natran: Yeah yeah I don't think it's it's the buttons here it's the security settings on my Mac. Harrison_Tang: We can see your full entire screen by the way not just the window okay. Gregory_Natran: That's okay there's nothing there's nothing here confidential so there that should do it uh so just a quick clarification uh for Harris Joanie is the president of the digital identity and authentication Council of Canada I'm a business and. Gregory_Natran: Information analyst working at beige cyber Tech so I don't but I've done a lot of work with Dak and so when Harrison first mentioned about trust Frameworks. Gregory_Natran: You may recall late in the spring I thought well we've got we've got a a whole background on trust Frameworks through the pan Canadian trust framework. Gregory_Natran: But before we get to some details on that and I turn it over to Joanie um I thought I'd present some context uh because we're going to be we're shifting gears a little bit here um my own personal background is I'm not I don't I'm not a computer scientist I'm by training I'm a librarian I have a master's degree in library and information science so so the did did methods uh Json data structures is all important but we're going to shift the way a little bit from that to um how a lot of those Technical Solutions. Gregory_Natran: Fully adopted in how we can generate trust in a. Gregory_Natran: in a. Gregory_Natran: Security and identity context that very quickly expands beyond the context of a single organization. Gregory_Natran: Particularly important my own background is about 20 years of government uh Canadian public sector Services moving those online and the. Gregory_Natran: Constant push for better faster more Integrated Service delivery is is the context for coming from so. Gregory_Natran: There's it's a very basic agenda. Gregory_Natran: I don't. Gregory_Natran: Think we'll need an entire hour to run through it but. Gregory_Natran: in the. Gregory_Natran: In terms of the trust Frameworks how do we de-risk the adoption of digital identities and related cyber security initiatives. Gregory_Natran: Get the trust needed for Meaningful Digital Services online um and in in part that's responses to the changing online service Demands a decentralized and self-suffering identity of which all of the good w3c verifiable credentials are essential. Gregory_Natran: But it is Shifting and how do we. Gregory_Natran: How do we deal with the fact that that entire ecosystem that shows up in the. Gregory_Natran: Uh verifiable credentials data model how do you build the trust between everybody in that ecosystem and across the board in the absence of what you might call a formal uh commercial framework like that exists in the financial sector in the banking world and the credit card world and things like that. Gregory_Natran: The way I framed this is and a lot of this will not be uh new or particularly relevy to the people on this call. Gregory_Natran: But moving Digital Services demanding is on trust we need a level of trust that's difficult to get online there's a great volume of personal information uh involved and it's you know particularly for high value high-risk interactions and what I mean by that are um. Gregory_Natran: I think. Gregory_Natran: Moving transactions remote transactions for uh not just buying and purchasing. Gregory_Natran: You know your toothpaste from Amazon but buying and selling houses and dealing with the requirements for a remote identity verification in the legal sector which is something that that Dak is now looking at. Gregory_Natran: Of course all of that is undertaken Within. Gregory_Natran: Uh an environment where people expect convenient seamless integrated. Gregory_Natran: They want their service experience to be like that they want privacy they want consent they want transparency they want the right to be forgotten. Gregory_Natran: They want it all to be simple and easy and of course none of this is particularly simple and easy when you get down into the technical weeds of it. Gregory_Natran: What it has done though. Gregory_Natran: I would argue is the dominant digital identity and security models are now strained. Gregory_Natran: Centralized identity meaning you know your your username and password that serves 1 particular company or service uh has reached its peak uh we know the limitations of it. Gregory_Natran: Standing beyond that single identity context is difficult. Gregory_Natran: Uh and the other thing that often gets lost in the technical discussions is it's also incredibly expensive for a small and medium Enterprises and for local governments that simply don't have. Gregory_Natran: The resources or even the Mandate in some cases to develop and put together a complete digital identity solution that can be fully integrated with every other government around them. Gregory_Natran: But if we don't get and meet these requirements and expectations. Gregory_Natran: All the promise of you know uh the digital the Cyber economy the digital economy become harder to realize particularly if you're in Canada this is particularly true if you look outside of the main um the main cities and urban areas it is very difficult to move a lot of this into the Arctic regions. Gregory_Natran: That's just not uh not that simple. Gregory_Natran: Uh I thought I'd throw in just a few um statistics that Dak has collected um. Gregory_Natran: With digital identity people the and these date back a little bit Joanie you can correct me but they're going back about what 2 years 3 years. Gregory_Natran: Yeah so most people see the benefits but there's a there's a large percentage. Gregory_Natran: of about. Gregory_Natran: A quarter that are highly skeptical about uh you know sharing their personal information giving it over to government uh integrating and linking everything up. Gregory_Natran: But a lot of the a lot of people are interested in learning more about it. Gregory_Natran: The the digital wallet concept is. Gregory_Natran: Becoming more familiar and gaining gaining popularity. Gregory_Natran: I would say largely through the efforts of apple and and Google here. Gregory_Natran: Um and only about 14% you know are completely unfamiliar with what that means. Gregory_Natran: So we do have a. Gregory_Natran: We have a population a user population out there that's that's uh educated not 100 no no they may not be technical experts but they see the potential benefits of this but it's that highly skeptical. Gregory_Natran: Core that we have to that we have to address to a certain degree. Gregory_Natran: So how do you do that. Gregory_Natran: All seen this you know it security is an issue we have lots of personal information all scattered across disconnected databases all over the place some of them connected to the sum not doesn't matter still a target for a hacker they're often protected by weak authentication or at best usernames and passwords and of course they're all susceptible to social engineering attacks whether it's a publicly facing database or just a internal facing. Gregory_Natran: Business system that falls prone to to employees that can be scammed just as easily as anybody else Federated identity of course uh we that's been on the scene for a while offset the cost you get a better client experience. Gregory_Natran: you can. Gregory_Natran: Core ID functions to trusted parties. Gregory_Natran: but what. Gregory_Natran: Happens and this is the the. Gregory_Natran: I would think of where the trust Frameworks come in is your trust domain starts to extend beyond your Direct Control. Gregory_Natran: Your your corporate it perimeter your corporate security perimeter just exploded. Gregory_Natran: So what's the response over the last couple of years better it security. Gregory_Natran: Factor in adaptive Authentication. Gregory_Natran: I don't like having Microsoft authenticator installed on my phone having to enter codes all the time but I understand that why the company does it. Gregory_Natran: To end encryption minimizing data access privileges. Gregory_Natran: And data loss prevention all of that. Gregory_Natran: Rolling up into the zero trust security model which is uh good. Gregory_Natran: I would. Gregory_Natran: Arguments inappropriate but it doesn't resolve. Gregory_Natran: Issue uh you're still collecting lots of personal information if you're a large service provider um I'm and I'm not even talking here surreptitiously like Google trying to collect everything and anything about you as you search through I'm just. Gregory_Natran: Collected to actually legitimately offer you a service online there's redundant collection uh I see this because as an information an analysis part it's almost it's almost impossible to find 2 systems that actually don't have any overlap and share information. Gregory_Natran: Data discrepancies you've got privileged accounts that still exist that can be compromised. Gregory_Natran: And you're still in a security arms race with malicious actors. Gregory_Natran: and they are. Gregory_Natran: Is going to be trying to get in there. Gregory_Natran: So you've always got to be uh watching what you're doing and we see it with all we saw with the uh the crowd strike failures of a few weeks ago. Gregory_Natran: Uh of course the other response decentralized identity which is. Gregory_Natran: Verifiable credentials play in it draws heavily on that. Gregory_Natran: we want. Gregory_Natran: Ate the number and the size of the repositories that centralized personal information. Gregory_Natran: Basic model is everybody here knows keep the personal information with the owner decentralizing storage and control of it often using technology that mimics physical identities where you can pull out your you pull out your driver's license and give it to the police officer or the person that wants to try and and uh verify your identity but with more privacy because you're not handing over you're not oversharing. Gregory_Natran: So better get better privacy and transparency you can consolidate digital identities into 1 interface. Gregory_Natran: But your trustee means still beyond the direct control of your organization or your service provider. Gregory_Natran: Still that those credentials those identities those verifiers are all part of a broader ecosystem. Gregory_Natran: In a very simplified way we've kind of described as being consistent of 3 groups. Gregory_Natran: There's the solutions and the providers. Gregory_Natran: the bottom. Gregory_Natran: That is the w3c the community standards groups nist is a big 1 in there they are the ones that develop technical standards in many cases they develop the open source code that can be put out into the community and enrolled into commercial uh and other products there are the adopters at the top of the of the screen there uh who have certain duty of care to their clients to meet not only to meet their expectations but increasingly to meet legal and Regulatory uh requirements. Gregory_Natran: On the front. Gregory_Natran: Line of those expectations and uh want to be able to offer the kind of services and experiences that their customers want and. Gregory_Natran: just as. Gregory_Natran: That's a that is a Hyundai logo I couldn't find a a logo that would suffice for all adopters all service providers I chose that 1 because allegedly it's supposed to be a stylized version of 2 people shaking hands I guess agreeing to buy Hundai vehicle but in my in my non-working life I have a I have an interesting car so that's why I picked that 1 if you're wondering where that relationship came from. Gregory_Natran: Uh so what bridges in between these groups the solution providers and the adopters that's where the trust framework comes in. Gregory_Natran: And in this case um. Gregory_Natran: What we can talk about most authoritatively is the Dak and it's Peng Canadian trust framework but there are others out there. Gregory_Natran: Australia the United Kingdom have them uh they've all been working on the Singapore does. Gregory_Natran: I think even maybe the Philippines where they're looking at. Gregory_Natran: Trying to develop auditable outcome based criteria. Gregory_Natran: Against which the participants in the verifiable credential and digital identity ecosystems. Gregory_Natran: Can be assessed in a whether that's. Gregory_Natran: Normal assessment by an auditor or just a a self-claimed that says look this is how we go about doing our business this is the technical standards we meet this is how we implement it this is the process we use for identity and verification these are the process we use for verification and revocation of our our verifiable credentials. Gregory_Natran: And most of them are based on the recognized schemes that are coming out of the solutions and the providers themselves so that's um where we're kind of positioning the trust framework is uh not technical not entirely legal and Regulatory and in fact in the pan Canadian experience. Gregory_Natran: Had to make quite clear that. Gregory_Natran: the truck. Gregory_Natran: Work did not. Gregory_Natran: Uh supersede or negate any legal or regulatory uh requirement that a member had if they were participating in or adopting the framework uh that's not the intent the intent is to supplement the they often. Gregory_Natran: Convoluted and sometimes. Gregory_Natran: Dated legislation that doesn't move at the same speed as uh the technical technical sector uh and fill that out and try and provide guidance to. Gregory_Natran: The uh adopters that are looking at it in this case I'll refer back to the legal Community coming to Dak and looking for guidance on how they can best do verific uh remote identity verification for their members. Gregory_Natran: With that as a context. Gregory_Natran: um I think. Gregory_Natran: Invest to hand it over to uh Joanie who's the president and can speak much more authoritatively on Dak and the trustee Market itself. Joni_Brennan: Yep um thanks Greg excuse me it's great to be here um in with this group today thank you for the invitation um it's great to see names that I've known and I'm familiar with um and also um those that are new so uh so thanks for the time today um for the about the Dak um we are a nonprofit Association um back in the end we were created as a result of the global financial crash in uh 2008 2009 a p the um Department of Finance at the federal level put together a task force to review our payment system and to look at our payment system in the context of what was happening globally and make recommendations for how our payment system could be you know what was working and we needed some areas for improvement within our payment ecosystem out of that payment task force um that included public and private. Joni_Brennan: Matter experts was a series of recommendations um toward what our payment system would benefit from and the and the recommendations that were the Mandate for our organization to be founded where that we needed a uh our payment system would benefit from a digital identity and authentication framework that that framework should be developed through collaboration of the public and private sector and that that framework should be developed that collaboration should be hosted under a self-governing body so those 3 recommendations were the foundation for how our organization was founded and um and the organization was founded by um a series of uh a group of um. Joni_Brennan: National institutions telecommunications provider and um uh federal government and provincial governments um today our uh board includes representation from organization small medium and large um Canadian and Multinational and provinces including British Columbia Ontario Quebec and New Brunswick um helping to bring together a common common views around um digital identification and authentication um we're about 85 members um you know in in terms of the our size and we are uh we've actually evolved our mission and we're focused on um what we've learned and Greg showed some stats but we've learned that digital ID or digital identification is confusing to most listeners um when we're speaking to experts or people who are working in this space like people in this call you understand it. Joni_Brennan: when we're. Joni_Brennan: Speaking to the adopter. Joni_Brennan: Um of these types of Technologies and capabilities they don't always understand what digital ID means and sometimes they think it means something completely different um than what we are intending and we also in the Canadian ecosystem I would say in my experience suffer from. Joni_Brennan: Quite a bit of um misinformation and disinformation which is uh 1 of the factors in a in a public trust Gap around adopting um you know emerging and existing Technologies and so we do work as an organization to advance what we now um call digital trust so these are the suite of capabilities and tools to help people and organizations build confidence in their transactions um the trust framework is a concrete uh tool that designers of services can use and that Services can get certified against um and then we also do a lot of Education and Research to help adopters to to better understand which messages adopters um can understand and resonate and you know where we need to adjust some of our language for our education um 1 of the things that Greg mentioned that I also think is important to call out is that um the the trust framework you know just like the words digital ID or digital identification uh We've. Joni_Brennan: I find people use the. Joni_Brennan: Words trust framework and. Joni_Brennan: A lot of different. Joni_Brennan: Ways and so sometimes that can be confusing as well. Joni_Brennan: For us the trust framework is a a set of auditable criteria that help to mitigate and remove risk um and help to build Assurance in different solutions and services and so this means that the trust framework is really a risk mitigation framework that helps the adopter to have confidence in the solutions that they're that they're using that they're you know that they're adopting I think another power of the trust framework and the way that ours has been designed is to sit as a complimentary extension to technical standards and to open source. Joni_Brennan: And so this means that this framework helps. Joni_Brennan: Adopters and helps um helps a community to not only measure the risk mitigation and Assurance of a single solution built on a single technical stack but also how to measure risk management and Assurance against different solutions that may be built on different technical stacks and for me personally I think this is a very powerful tool because 1 of the things that we see in Canada and for those of us you know those of you who are working on this problem both locally and globally we see a suite of solutions um we see a suite of technical standards um and open source and we don't seek kind of a single solution so this means that we will um something that's very important for our community as a whole is to know how we can measure trust and assurance and risk management across different communities across different Technologies um to help with that uh trust interoperability for how um how the information that goes into credit. Joni_Brennan: Essentials is verified. Joni_Brennan: And has not. Joni_Brennan: Been tampered with as well as how we can move trust through credentials and other tools between different communities and um which is a certainly important for cross border and moving across different Industries so. Joni_Brennan: so I think. Joni_Brennan: That's a power. Joni_Brennan: Ful feature of what trust Frameworks can do um this trust framework is also unique in that we um we have taken that collaborative approach we use uh uh public review process where everyone from around the world has the opportunity to comment we do dispositions of comments um so taking that collaborative public and private working together I would say is unique um whereas you know some jurisdictions do it solely for government from a government uh perspective we've tried to do it as a as a collaborative approach between public and and private sector um we find that people do feel in at least in our research they report that having public and private work together helps to provide checks and balances that they gives them more comfort and helps helps um people to build trust so yeah we're uh really extending um the technical aspects and so this is uh this Frame you know our framework and and you know others as Greg mentioned there's there's. Joni_Brennan: certainly a a hand. Joni_Brennan: Full of them out there. Joni_Brennan: Multiples Frameworks out there uh but for us it's how do we add value add context um and extend for things like verifiable credentials and then also how can these verifiable credentials or the trust trusted information be used in trusted networks and all the way into even traditional Federation really you know helping with that extended layer so we're we're a complimentary tool into the work that this group is doing um and all of this is really to help uh reduce uncertainty for adopters and I think Greg mentioned that last point on last part I'll share is. Joni_Brennan: We've seen a lot of adoption we know that there is a a. Joni_Brennan: You know the move or or the adoption and the evolution from kind of traditional identity and access management or Federated identity um takes time and as we move to more distributed ecosystems in use of tools like digital wallets verifiable credentials we will still have uh those kind of traditional channels that do exist and so 1 of the things that we're seeing where the areas that we're seeing adoption here is um by Regulators um and how this how framework can help to provide an air gap for a regulator keeping them neutral and separate from the solutions providers and then providing um a signal of auditability of verification and where we're seeing adoption uh 1 of the areas that we're seeing adoption that's interesting you know for me at least is um. Joni_Brennan: Societies and lawyers uh we know that uh it'll take time for pervasively available usable verifiable credentials for people to hold these in their trusted devices um so this actually also helps with the adoption of things like um other types of solutions that would do photo ID capture comparative comparing photo IDs to known um counterfeit characteristics using uh traditional credit file methods and combinations of credit file and photo ID check so we know that there will be a Continuum of the shift and Adoption of these Technologies and so we're also seeing a lot of adoption in this space on um something that is a predecessor to something like verifiable credentials which is important to help our communities step through the the adoption chain as they would eventually eat we we hope and 1 of our Visions is that eventually um there will be pervasively available government issued um government issued identity credentials as. Joni_Brennan: as well as private sector. Joni_Brennan: We're part of a supporting uh our tool is 1 of the supporting tools the pctf um to help with a comprehensive risk management approach that helps adopters and helps um people like lawyers or others who are professionals who we need you know the the professionals at the front lines of of trust um to know that they can adopt a particular they can use a particular technology or solution and they know that it's been verified which protects uh the adopter that they have invested in the care of their clients their customers their users um and helps the ultimately um and most importantly the person who is you know using these tools to know that these tools have been verified and that they're um within the expectation of care for that person's data and that person's experience as they're using those tools so it is a collaborative um the work that we all do as a community is is collaborative sometimes we're working on kind of overlapping pieces of the puzzle. Joni_Brennan: um sometimes. Joni_Brennan: On you know. Joni_Brennan: Different pieces of the puzzle so I appreciate the opportunity to share um what our experience has been and and where we're going and certainly uh verifiable credentials will play an important role trust Registries will play an important role digital wallets while we step through the chain and and traditional Federation and trusted Network operators and kind of we'll have multiple of of how we do verification in society so we're you know we're proud to be 1 part of that um working collaboratively in an ecosystem and uh we're think we thank you for the time today to share our experience. Harrison_Tang: Thank you thanks Joey. Harrison_Tang: Sorry I agree. Gregory_Natran: That was that was it we we didn't go into details on the I I refer you to the the pctf website itself uh for all the details but uh we wanted to kind of position where the trust framework sit and how they are um valuable relative to the work of bodies like this not. Harrison_Tang: Great thank you uh any questions for uh Gregory or Jones. Harrison_Tang: You can type in Q Plus to add yourself to the queue authoring 1 question Johnny so earlier you mentioned about uh most of the people they don't really know what digital identity is or what the values are so can you share some insights like in regards to what are the top 3 to 5 value that resonates with adopters in other words when you're trying to convince someone to adopt digital identity like what are the top 3 to 5 bullet points that can get them to adopt it. Joni_Brennan: Yeah we um that thank you for that question um and 1 of the so how we've come up with the the the data around um understanding what the audience's understanding what they don't understand is we've used a qualified third-party research firm uh we've done 4 waves of research across Canada uh both legal both um official languages and and across the entire country and so we've got data both point in time for 4 different research waves and then we've got data overtime for how perceptions have changed um and you know what we have seen is that when we ask people about digital Identity or digital ID it it's it's low we've only uh their understanding is low we've only just gotten over 50% being able to conjure some kind of definition for digital ID or digital identity um we we've seen that um 23%. Joni_Brennan: are just. Joni_Brennan: Well we see about 55% once we do explain it or they do kind of have an idea that they feel uh positive about it they see benefits um we see 23% are really unsure and 22% are highly highly skeptical so you know it's it's really just about a 50-50 split there between the people seeing benefits uh across from those who are unsure and those who are very um skeptical and have a negative perception what we do find um and based on that research we've um committed to undertaking a storytelling campaign so you're going to see that coming out of our organization um in the as the fall approaches um using what we call you know if you're Canadian we're using Tim Horton's language and what we mean there is coffee shop language using language that just kind of an average person can understand um very plain non-technical. Joni_Brennan: That's 1 of. Joni_Brennan: 1 of the things. Joni_Brennan: 1 pillar is used very plain language don't use technical speak um that technical speak is relevant when we're speaking with each other as Professionals in the space when we're speaking with adopters who could be lawyers they could be my mom they could be ministers or Deputy ministers and government um that plain language is always a winning approach um to lean away from the technical we find leaning into the capabilities the specifics is more useful so we find that talking about credentials or wallets or you know even authentication people understand that more than this kind of broad term of digital identity which is kind of too too wide and too confusing um so talk more specifically about the specific capability versus kind of the very broad um definition and you know most importantly I would say well kind of plain language most important um next to that is. Joni_Brennan: Talk about what is going to do for people so talk about the why people don't necessarily want they don't wake up in the morning wanting to adopt digital identity um they want to be a part of the digital economy they want to start a business easily they want to know that they can onboard employees um you know meeting their obligations safely and securely they want to know that their teams can work remotely um safely and securely uh people want to know that they can manage their uh dependent children in the homes records and that they can manage their dependent senior you know maybe their their parent who may or may not live with them so it's all about um kind of getting things done using digital to do it and knowing that you're cared for uh that your data is cared for so talk more to people talk in plain language talk about the problems that they have in front of them that they need to solve um and then you know map the capabilities into it versus kind of something. Joni_Brennan: really big. Joni_Brennan: Digital identity um that that people have a hard time understanding so we can't expect the world to be experts um the way that a group like this is uh we have to talk to them and really plain language that that addresses the problems they're trying to solve every day. Harrison_Tang: And and uh earlier you mentioned that uh you noticed that there are some misinformation or disinformation in regards to digital ID so I'm curious what are they and how do you kind of educate the public to kind of dispel these uh misinformation and disinformation. Joni_Brennan: Yes absolutely so um thank you for that question. Joni_Brennan: The uh I would I'll speak in my personal context um you know you I think you know maybe others as well but I've observed kind of the grand conspiracy theory of all conspiracy theories that's really um you know there's always been there are rightful concerns around digital around surveillance surveillance capitalism around um authoritarian governments like these these concerns are are rightful and they're valid so I want to start there and this is the reason that I do this work because I felt that people's privacy was being eroded and people were not are not and we're not in control of data about them and that's why I do this work that that's my why so these are rightful concerns how you know that said um through the Advent um you know through the capabilities of tools that we have now like uh social media social media is fine-tuned to amplify um to amplify uh uh uh conflict. Joni_Brennan: The attention economy and so social media is fine-tuned to kind of amplify these things that incite conflict and and get a you know get an angered reaction um so we have kind of have the perfect set of tools to spread inflammatory information to get reactions out of people um and so what we you know and then you kind of add in the pandemic um you add in fears around rightful fears uh and confusion around the pandemic around uh local and Global economies around security and you kind of have the perfect mix for misinformation and disinformation to flow and to be Amplified um. Joni_Brennan: That certainly um amplification around the time of the pandemic um the vaccine credential certainly um was a a part of that uh conspiracy theory kind of amplification what would the vaccine create credential be used for was it right or was it wrong and I'm not here to comment on that um but certainly it was part of that conspiracy theory and like many of us saw even like 5G it you know you the vaccine has microchips you know lots of different conspiracy theories around that that spread around um in the Canadian ecosystem I personally was targeted by a far-right-wing uh political leader and a particular information me uh online media um website um who who claimed that uh the work that that was being done around digital identity uh digital ID is part of government's wanting to track and surveil and force people to get the vaccine uh the co you know the. Joni_Brennan: We saw that very I saw that personally I'll speak on my own behalf um and a lot of targeted um threats and harassment campaign that flowed out of that so and and and what I'll say is while it's a while it's a disruptive uh story you know no 1 should have to go through that uh no 1 should have to go through that type of online and targeted harassment um myself included uh that you know we also have to know notice that these types of you know certainly there's disinformation in their people knowingly spreading false information to for for their own purposes which is often to destabilize um societies. <harrison_tang> if you have questions, just type in "q+" to add yourself to the queue. Joni_Brennan: Um and uh and often targets women and um you know visible minorities or other vulnerable populations um but but then the misinformation is is you know I've had friends who were sharing disinformation and I had to sit down and explain to them what digital identity was and once I did they said oh no that's fine I want that you know so I had firsthand experience with people of that nature but then you know the other poor important piece is that when people um when misinformation and disinformation does flow and it moves around what I'll call an unauthenticated space like Twitter for example or Reddit um it actually causes uh governments and private sector to stop their work uh to stop their work on protecting people and protecting their data and to move more into a defensive posture and to even sometimes Keep information quieter when in fact we need more transparency um but we do need to more transparency about this work and what it is and what it means for people and why we're doing. Joni_Brennan: it um. Joni_Brennan: And not less transparency um but we do have to meet people where they are and we do have to know that the goal is not to get everyone to want to use this technology because that's that's not going to happen um the goal is to help people have better information to make better choices about the tools that they use and to help inform policy uh Echoes forward to to properly govern and regulate uh these types of Technologies. Harrison_Tang: It kind of changed the topic I'm just curious like uh how what's the difference or similarities uh between the Canadian trust framework versus like you European Union standards and obviously it's quite different from the US Paradigm but can you kind of highlight the similarities and differences. Joni_Brennan: Yeah so um in the EU uh so the European Union takes a you know has taken and it is currently taking a more regulatory approach um and you know what we've seen we've been we've seen over time with the EI Dash um regulatory framework and digital signatures and moving toward a digital single digital market for um EU citizens and residents to be able to access services so taking a very government regulatory top-down approach um and and regarding the EU di the and the digital wallet implementation uh work we could debate on whether it's a strategically sound to put particular Technologies into the regulatory framework um I'm not here to make a view on whether that's right or that's wrong I think that's debatable um so certainly there's a more regulatory based approach in the European ecosystem um in the um you know in the Canadian. Joni_Brennan: ecosystem and. Joni_Brennan: I like to think about Canada. Joni_Brennan: And and in fact the US you know we're all federations we're all federations in Canada it's provinces and territories in the federal government in the US it's it's states in the federal government now we do have less provinces and territories than in Canada than the US has States um but still we're we're all a collaborative um the US has taken a much less um. Joni_Brennan: Hands-On approach and we know there's a new 863 uh document out so may may be folks who are reading that over the weekend and that's certainly exciting um. Joni_Brennan: Where 863 was really built for for private sector to offer services to the federal government and a lot of the work over the last 5 to ten years has been to make that work that frame that um n 863 more usable in the private sector for example um in Canada we also have a flavor of um there there's even an identity Assurance uh framework in where I am in British Columbia that is specific to British Columbia so we have um both uh jurisdictional regulatory schemes Federal regulatory schemes in Canada our finances federally regulated but our education and our health for example is pro regulated um so we are all sitting kind of at the intersections of federal and jurisdictional Regulation and then non-regulated spaces as well so I do think that we have a lot in common um we're all trying to solve similar uh challenges and and bring similar opportunities to to our to our. Joni_Brennan: Cultural aspects and the governance aspects um there are differences like in in Canada we do have a robust um corporate registry you know jurisdictional and federal Registries um I know that you know I think that that's a bit lacking in the US for example so we all have to work with what what our strengths are um and work across our challenges as well and work with our cultures and what our what our culture what our um citizens and residents and Society culturally expect which might be a bit different um from 1 jurisdiction to the next so I think we have a lot of similarities but then um Canada I think sets a little bit in the middle space between uh EU which is very regulated and us which is very not regulated I think we kind of sit in the middle um you know between those 2 those 2 polls of of approach. Harrison_Tang: Cool thank you. Harrison_Tang: Anyone have any other questions. Gregory_Natran: Stop sharing this Harrison. Harrison_Tang: And uh I'm just curious like seems we're talking about wallet uh I think uh. Harrison_Tang: Uh you know like. Harrison_Tang: In in the old like feder Vietnam or the existing Federated identity system I think we've seen that Google and Facebook emerged as the dominant players right essentially it becomes a centralized system and then the now with the wallets uh you know it does appear that their numbers are showing that the Apple and Google are probably going to uh win the wallet War right with quite significant market share um and so I'm just wondering if uh uh you have any thoughts in regards to uh the potential dominance of Apple and Google kind of platforms over the uh kind of the wallet Wars for lack of better terms uh or if it's not really a concern and if it is a concern like what can we do to kind of mitigate this kind of recent centralization of power. Joni_Brennan: Right um so for people in that that's a great question um for people in this group and you may you may know or be familiar with um not sakamura um former uh former nor more research institute in Japan not has a great video um on YouTube where you know he talks about the. Joni_Brennan: Kind of the Paradox of decentralization which is its kind of always leading back to centralization um you know these decentralized when it's successful is kind of trying to push you to 1 Network stack or 1 um approach so there's a little bit of a paradox there in that um. Joni_Brennan: You know the decentralized approach does tend to lead back to centralization and often um the decentralized approach in order to when you need to do transactions of value or transactions that have risk um quite often intermediaries are the way that you get those things done to build in those uh protective structures that you're looking for so I mean these are kind of philosophical points around centralization and decentralization that I feel like probably people in this group could sit around a table and debate and be quite pleased to have that debate um for the for the wallet specifically you know I'll I'll say I'm I'm in the Apple ecosystem as a p as a person that not only does this work but as a user I have a phone a computer a watch an iPad so I've made I had a decision um and then also contacts as you know helped with some of those decisions um to be in that ecosystem. Joni_Brennan: So uh so I do use my Apple wallet quite a bit and I think that and where we do see a lot of this use on wallets is payments people are getting more familiar with it um the I think that the question comes forward with what can be done is you know govern governments have I would argue you know the authority here um in terms of using their influence and using uh the authoritative levers that they do have both at a federal and jurisdictional level um to try to help push um along with a different jurisdictions like the EU to try to help um push uh large platforms to conform to a set of criteria to to that they are caring for people's data as people would expect their data to be cared for that that lock in is avoided um that said you know back with my user hat on if if there was sets of criteria if there was testing if there was guidance and. Joni_Brennan: a large. Joni_Brennan: Uh could meet that bar I would be happy to have my government credential in my Apple wallet but that's a big if right and and that's where the policy and regulate regulatory um can be an influencer um to to help you know bring uh large platform providers to where they are more respectful of people's data um. Joni_Brennan: Really where these tools come come into play is you know there should be an ecosystem of wallets um that people can know digital wallets that people can know have met certain criteria that are trustworthy and some people will want to use those platform wallets and some people will want to use independent wallets and we all also know that the choice of where the credential gets issued to is up to the issuer can be up to the issuer um so I think that the the issuers will also help to drive that market we'll have to see about you know which goals are most important and you know are we going for more adoption which might say Okay large platform providers have an important role to play here and if they can meet criteria then great um this is my personal view um and we we want to promote choice and so we know that you know Cho 1 of the things our research shows as well is that choice is an important feature to help people have trust some people will only trust you know those large. Joni_Brennan: platform big. Joni_Brennan: Only trust independent and open source some people will only trust governments so that we can have a Level Playing Field with tools like Frameworks um and Regulatory schemes and with sound and transparent and open technical standards and open source we all have a part to play in this so I we don't have an answer uh but I do think all these pieces come together and um and and I think you know especially regulatory has a role to play here along with um working with private sector working around technical standards and and Regulatory Frameworks. Harrison_Tang: Cool thank you and uh we only have 3 minutes uh I I just want to ask 1 last question uh which is uh what are the upcoming latest developments or initiatives that uh you guys are working on like you mentioned about some educational pieces that's coming out okay you kind of preview a little bit more. Joni_Brennan: Um yeah so first I want to thank Greg Natron he's pretty modest he he was our technical he was our um lead technical editor for version 1 of the pctf so you know with Greg being in this group you have somebody that you can always lean on who knows the ins and outs of the Dax work on the pctf and our collaboration so I want to thank Greg for that and his role in recognize him um and. Gregory_Natran: Thank you and I'm still still participating just not as editor. Joni_Brennan: Yeah there you go thanks Greg um so yeah please always feel free to ask Greg some questions around that and then um so I mentioned the the 2 newest components are the um digital wallet which is auditable criteria can work with any different technology uh on top of so the digital wallet component and then the um trust Registries component to help uh organizations who have who are managing authoritative data in their ecosystem so like for us at Dak we're we're trust registry for who certified so you lots of trust Registries out there so I would say look at those pieces from technical aspects um from from the framework side and then we're doing a lot of work uh around an educational storytelling campaign and plain language um which is really to help uh those adopters which is often people who don't speak our language who don't know the technology who are not digital identity and identity and access management experts and helping with um the language and the stories and the. Joni_Brennan: To help to resonate with them so look for that storytelling campaign um and look for more education advocacy and research on our side so those 2 sides of the house around the storytelling and the education and the research uh look for that in the fall uh from coming out from our organization and then uh we continue on a yearly basis unless uh ecosystem conditions push sooner we do continue to um evolve the the pctf criteria and I would say look at the digital wallet component look at the trust registry component and we've just re-released um authentication as well so uh so you can pull those from the shelf and have a look at those and just keep in mind that they will work as complimentary to you and on top of the w3c work or ietf work or um open source uh so yeah this is a complimentary tool so I would look there. Harrison_Tang: Oh thanks look forward to it well thank you thank you Tony and thanks Gregory uh again for the coming here today to present the pain Canadian trust framework and also share your thoughts on on that so thanks a lot. <joni_brennan> Thank you! Harrison_Tang: All right so this concludes uh this week's uh shishi meeting uh so thanks for thanks everyone for attending and we'll publish the. Gregory_Natran: I think I think you got 1 sorry Harrison I think you got 1 hand up maybe. Harrison_Tang: I think oh Phil do you have any questions. Gregory_Natran: Thank you for having us here. Harrison_Tang: No I think he just probably pressed the wrong button all right thanks a lot have a good 1. Joni_Brennan: Thank you bye.
Received on Wednesday, 28 August 2024 15:56:46 UTC