Re: No Phone Home statement by ACLU, EFF, Brave, CDT, etc.

See? Kyle’s got the right idea here!
These are indeed interesting problems that all the credentials projects
would do well to consider.
This is stuff I think we can pick up and deliberate about. Not promising
that the result will satisfy anyone or everyone!
Thanks Kyle
Andrew.

Andrew Hughes CISM
m +1 250.888.9474
AndrewHughes3000@gmail.com
https://www.linkedin.com/in/andrew-hughes-682058a


On Thu, Jun 19, 2025 at 5:31 PM Pryvit NZ <kyle@pryvit.tech> wrote:

> Personally, here’s a few things that are on my list still:
>
> 1. We’re still issuing with privacy correlating cryptographic signatures
> in a lot of places, which I’d like to see be deprecated.
>
> 2. Increased sharing of personal data and corresponding reduction of
> privacy due to reduced friction for sharing such identity data, aka the
> Jevons Paradox problem.
>
> 3. Reliance on 3P attested identity data centralizes trust on the Web
> further
>
> 4. Increased restriction of the ability to publish, view, and participate
> on the Web, and corresponding fragmentation of the Web as a whole as
> digital credentials still broadly (of all formats) are adopted further
>
> 5. Reduction of user agency and perpetuation of existing societal power
> imbalances
>
> While Brave originally raised this complaint specifically with the digital
> credentials API because it’s the first protocol to use it within the
> browser, the same problems stand irregardless of the format of how
> credentials are used. Given the focus on mDLs within that API, I’d be
> curious to know more of what technical details are being added to the ISO
> spec at the protocol layer or data model layer to address these concerns.
> For example, there’s been some good descriptions of how 2 can be solved by
> restricting the sites which can request an mDL to only verifiers that are
> authorized to with a PKI infrastructure [1]. Is there work going into this
> by chance?
>
> - Kyle Den Hartog
>
> [1]:
> https://github.com/w3c-fedid/digital-credentials/issues/35#issuecomment-2315300567
>
> On Fri, Jun 20, 2025 at 2:55 AM, Andrew Hughes <andrewhughes3000@gmail.com>
> wrote:
>
> And what if server retrieval mode is deprecated? What will you all
> complain about next?
>
> Andrew Hughes CISM
> m +1 250.888.9474
> AndrewHughes3000@gmail.com
> https://www.linkedin.com/in/andrew-hughes-682058a
>
>
> On Thu, Jun 19, 2025 at 4:44 PM Manu Sporny <msporny@digitalbazaar.com>
> wrote:
>
>> On Sun, Jun 8, 2025 at 2:14 PM Tobias Looker <tobias.looker@mattr.global>
>> wrote:
>> > I too am supportive of the overarching message that I believe the no
>> > phone home statement is trying to make
>>
>> Good, I'm glad we agree on that. I hope that you, Oliver, and Andrew,
>> given that each of you have played a central role in the mDL
>> specification and its implementation, including the current version
>> that specifies server retrieval, will remove server retrieval from ISO
>> 18013-5.
>>
>> > There are also numerous other possible examples of possible
>> > "phone-home" vectors associated to W3C VC based credentials
>>
>> There is a significant amount of "whataboutism" in both your and
>> Oliver's responses and that's distracting from one of the more
>> concrete asks that led to the nophonehome.com website.
>>
>> I do agree that the compare/contrast is muddying the waters. If we
>> need to focus on one thing here, we need to focus on the removal of at
>> least verifier-based server retrieval, or any mechanism that strongly
>> identifies the subject of interest to the issuer. That includes in
>> both mDL and VCs and anywhere else this well-known anti-pattern pops
>> up.
>>
>> Right now, the anti-pattern is firmly specified in ISO 18013-5. That's
>> the difference here; server retrieval is NOT specified for W3C VCs (on
>> purpose), and the sorts of "phone home dangers" both you and Oliver
>> have outlined have well-known mitigations AND are explicitly called
>> out as attacks on privacy in the W3C VC specifications. The mDL spec
>> went in the opposite direction; it doesn't identify verifier-issuer
>> server retrieval as an attack on privacy, AND it went further and
>> specified exactly how to do it.
>>
>> All of this "whataboutism" is avoiding one of the core points of
>> contention with the mDL specification.
>>
>> > It's hurtful to imply people aren't treating this seriously which is
>> > certainly how I interpret this statement
>>
>> Allow me to clarify then, because my intent isn't to hurt anyone's
>> feelings. I know you, Oliver, and Andrew are thoughtful people and do
>> care about security and privacy. I expect there are others in the WG
>> that believe the same as well (but who knows how many since all of
>> ISO's meetings on mDL are not minuted and are inaccessible to most of
>> us; there's zero transparency there -- but, I admit that this is a
>> separate issue worthy of its own thread).
>>
>> What I meant by "take it seriously" is that this criticism isn't going
>> away. This is not the first time that you, Oliver, Andrew, or anyone
>> else in the ISO WG have heard criticisms around server retrieval. It
>> came in during multiple public review periods for mDL over the last
>> several years that some nation states held on adoption of mDL.
>> However, nothing happened to server retrieval as a result of that
>> public commentary.
>>
>> That is why this is escalating now -- because the ISO 18013-5 WG
>> didn't listen to the public commentary, or attempted to justify the
>> privacy anti-pattern of server retrieval. Andrew's initial response
>> was a repeat of how the previous responses had always gone: "Yes, the
>> mDL WG thought about this long and hard and ended up where we are
>> today for many good reasons." -- and then all the ensuing
>> "whataboutism" in this thread that is muddying the waters on the
>> initial concrete ask.
>>
>> The ISO 18013-5 WG should just fix the privacy harm that server
>> retrieval introduces -- remove server retrieval since all of us agree
>> that it's not broadly good for a free society.
>>
>> -- manu
>>
>> --
>> Manu Sporny - https://www.linkedin.com/in/manusporny/
>> Founder/CEO - Digital Bazaar, Inc.
>> https://www.digitalbazaar.com/
>>
>>

Received on Thursday, 19 June 2025 15:35:48 UTC