Re: No Phone Home statement by ACLU, EFF, Brave, CDT, etc.

And what if server retrieval mode is deprecated? What will you all complain
about next?

Andrew Hughes CISM
m +1 250.888.9474
AndrewHughes3000@gmail.com
https://www.linkedin.com/in/andrew-hughes-682058a


On Thu, Jun 19, 2025 at 4:44 PM Manu Sporny <msporny@digitalbazaar.com>
wrote:

> On Sun, Jun 8, 2025 at 2:14 PM Tobias Looker <tobias.looker@mattr.global>
> wrote:
> > I too am supportive of the overarching message that I believe the no
> > phone home statement is trying to make
>
> Good, I'm glad we agree on that. I hope that you, Oliver, and Andrew,
> given that each of you have played a central role in the mDL
> specification and its implementation, including the current version
> that specifies server retrieval, will remove server retrieval from ISO
> 18013-5.
>
> > There are also numerous other possible examples of possible "phone-home"
> > vectors associated to W3C VC based credentials
>
> There is a significant amount of "whataboutism" in both your and
> Oliver's responses and that's distracting from one of the more
> concrete asks that led to the nophonehome.com website.
>
> I do agree that the compare/contrast is muddying the waters. If we
> need to focus on one thing here, we need to focus on the removal of at
> least verifier-based server retrieval, or any mechanism that strongly
> identifies the subject of interest to the issuer. That includes in
> both mDL and VCs and anywhere else this well-known anti-pattern pops
> up.
>
> Right now, the anti-pattern is firmly specified in ISO 18013-5. That's
> the difference here; server retrieval is NOT specified for W3C VCs (on
> purpose), and the sorts of "phone home dangers" both you and Oliver
> have outlined have well-known mitigations AND are explicitly called
> out as attacks on privacy in the W3C VC specifications. The mDL spec
> went in the opposite direction; it doesn't identify verifier-issuer
> server retrieval as an attack on privacy, AND it went further and
> specified exactly how to do it.
>
> All of this "whataboutism" is avoiding one of the core points of
> contention with the mDL specification.
>
> > It's hurtful to imply people aren't treating this seriously which is
> > certainly how I interpret this statement
>
> Allow me to clarify then, because my intent isn't to hurt anyone's
> feelings. I know you, Oliver, and Andrew are thoughtful people and do
> care about security and privacy. I expect there are others in the WG
> that believe the same as well (but who knows how many since all of
> ISO's meetings on mDL are not minuted and are inaccessible to most of
> us; there's zero transparency there -- but, I admit that this is a
> separate issue worthy of its own thread).
>
> What I meant by "take it seriously" is that this criticism isn't going
> away. This is not the first time that you, Oliver, Andrew, or anyone
> else in the ISO WG have heard criticisms around server retrieval. It
> came in during multiple public review periods for mDL over the last
> several years that some nation states held on adoption of mDL.
> However, nothing happened to server retrieval as a result of that
> public commentary.
>
> That is why this is escalating now -- because the ISO 18013-5 WG
> didn't listen to the public commentary, or attempted to justify the
> privacy anti-pattern of server retrieval. Andrew's initial response
> was a repeat of how the previous responses had always gone: "Yes, the
> mDL WG thought about this long and hard and ended up where we are
> today for many good reasons." -- and then all the ensuing
> "whataboutism" in this thread that is muddying the waters on the
> initial concrete ask.
>
> The ISO 18013-5 WG should just fix the privacy harm that server
> retrieval introduces -- remove server retrieval since all of us agree
> that it's not broadly good for a free society.
>
> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> https://www.digitalbazaar.com/
>
>

Received on Thursday, 19 June 2025 14:54:26 UTC