- From: Mahmoud Alkhraishi <mahmoud@mavennet.com>
- Date: Thu, 19 Jun 2025 15:19:21 +0000
- To: Andrew Hughes <andrewhughes3000@gmail.com>, Manu Sporny <msporny@digitalbazaar.com>
- CC: "public-credentials@w3.org" <public-credentials@w3.org>
- Message-ID: <YTBPR01MB3981DAC00FBA973D4ADDCA66CC7DA@YTBPR01MB3981.CANPRD01.PROD.OUTLOOK.COM>
Hi Andrew,

It is understandable to be frustrated as this is obviously a charged topic, however I believe this message is both needlessly aggressive and reductive of a genuine concern that many in the community are feeling.

Regards,
Mahmoud

________________________________
From: Andrew Hughes <andrewhughes3000@gmail.com>
Sent: Thursday, June 19, 2025 10:56 AM
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: public-credentials@w3.org <public-credentials@w3.org>
Subject: Re: No Phone Home statement by ACLU, EFF, Brave, CDT, etc.

And what if server retrieval mode is deprecated? What will you all complain about next?

Andrew Hughes CISM
m +1 250.888.9474
AndrewHughes3000@gmail.com
https://www.linkedin.com/in/andrew-hughes-682058a

On Thu, Jun 19, 2025 at 4:44 PM Manu Sporny <msporny@digitalbazaar.com> wrote:

On Sun, Jun 8, 2025 at 2:14 PM Tobias Looker <tobias.looker@mattr.global> wrote:
> I too am supportive of the overarching message that I believe the no phone home statement is trying to make

Good, I'm glad we agree on that. I hope that you, Oliver, and Andrew, given that each of you have played a central role in the mDL specification and its implementation, including the current version that specifies server retrieval, will remove server retrieval from ISO 18013-5.

> There are also numerous other possible examples of possible "phone-home" vectors associated to W3C VC based credentials

There is a significant amount of "whataboutism" in both your and Oliver's responses and that's distracting from one of the more concrete asks that led to the nophonehome.com website. I do agree that the compare/contrast is muddying the waters. If we need to focus on one thing here, we need to focus on the removal of at least verifier-based server retrieval, or any mechanism that strongly identifies the subject of interest to the issuer. That includes in both mDL and VCs and anywhere else this well-known anti-pattern pops up.

Right now, the anti-pattern is firmly specified in ISO 18013-5. That's the difference here; server retrieval is NOT specified for W3C VCs (on purpose), and the sorts of "phone home dangers" both you and Oliver have outlined have well-known mitigations AND are explicitly called out as attacks on privacy in the W3C VC specifications. The mDL spec went in the opposite direction; it doesn't identify verifier-issuer server retrieval as an attack on privacy, AND it went further and specified exactly how to do it.

All of this "whataboutism" is avoiding one of the core points of contention with the mDL specification.

> It's hurtful to imply people aren't treating this seriously which is certainly how I interpret this statement

Allow me to clarify then, because my intent isn't to hurt anyone's feelings. I know you, Oliver, and Andrew are thoughtful people and do care about security and privacy. I expect there are others in the WG that believe the same as well (but who knows how many since all of ISO's meetings on mDL are not minuted and are inaccessible to most of us; there's zero transparency there -- but, I admit that this is a separate issue worthy of its own thread).

What I meant by "take it seriously" is that this criticism isn't going away. This is not the first time that you, Oliver, Andrew, or anyone else in the ISO WG have heard criticisms around server retrieval. It came in during multiple public review periods for mDL over the last several years that some nation states held on adoption of mDL. However, nothing happened to server retrieval as a result of that public commentary. That is why this is escalating now -- because the ISO 18013-5 WG didn't listen to the public commentary, or attempted to justify the privacy anti-pattern of server retrieval.

Andrew's initial response was a repeat of how the previous responses had always gone: "Yes, the mDL WG thought about this long and hard and ended up where we are today for many good reasons." -- and then all the ensuing "whataboutism" in this thread that is muddying the waters on the initial concrete ask.

The ISO 18013-5 WG should just fix the privacy harm that server retrieval introduces -- remove server retrieval since all of us agree that it's not broadly good for a free society.

-- manu

--
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
https://www.digitalbazaar.com/
Received on Thursday, 19 June 2025 15:19:30 UTC