Re: When is "phone home" ok, if ever?

I think the way to untangle the knot is to recognize the difference between
tracking when individuals are acting on behalf of the state versus when
they are acting on their own.

IMO, the former has very different privacy characteristics. When a police
officer or a building inspector is using the authority of their office to
gain access to a facility or compel action by the individual, it is, IMO,
entirely appropriate for the state to know when and where that activity
occurs.

However, the underlying identity system should NOT enable any kind of phone
home capability or feature, because it will be used for surveillance
regardless of the situation.

The identity system that wins is going to be the one we can use in any
circumstance by anyone. If the cop or the inspector have to use separate
apps to prove their official capacity, then we will have a divergence of
wallets, as I expect we will see in Europe, as the EUDI wallet's revocation
requirements make them effectively useless for commercial identity. So, in
Europe you'll have multiple wallet architectures to satisfy different
needs. That will require duplicate recovery and continuity frameworks not
to mention independent specification, vetting, and certification.

I'd prefer an identity system that works for you whether acting in an
official capacity or not.

My position is that the right place to support socially legitimate phone
home is to add that at a second layer to maintain the ability for the
private individual to have a single wallet that protects all of their
identity credentials, cryptocurrency keys, and other cryptographic secrets.
The second layer enables a clean separation for situations where
surveillance is necessary without baking it into the underlying identity
protocol. Enabling the wallet to phone home, e.g., using a property in a
VC, would, IMO, enable a privacy-invading practice that ANY issuer can turn
on for ANY credential, and which the average user is never going to fully
understand. That's far too much overreach to accept in a free society.

So, if I'm using my identity wallet, I should be able to trust that it
isn't phoning home just because my credential enables it. It's my wallet. I
expect it to serve me, as a user agent. I do not accept that it might also
serve the state as a surveillance platform.

If the parties I give my credentials to do, in fact, notify the state,
(1) there is nothing I can do about that, technically and (2) as long as I
understand that is the quid-pro-quo for a specific kind of credential, I
can decide whether or not to participate in society in that way. If you
want to be an EMT, understand that the state will be notified when you
volunteer for emergency response. But that SHOULD only be true using
additional rails explicitly created and operated separately from those
securing my identity.

Frankly, any wallet that phones home as a matter of course will not be used
by those of us who value freedom through decentralization. If you need the
capability for isolated use cases, build it elsewhere.

-j


On Fri, May 2, 2025 at 1:41 PM Manu Sporny <msporny@digitalbazaar.com>
wrote:

> Starting the weekend off with a charged question that I expect this
> community to have some strong feelings about. :)
>
> As we presented earlier this year, some of us are working with first
> responders (fire fighters, emergency medical technicians, law
> enforcement, and support personnel) to deploy verifiable credentials
> for large scale disaster response scenarios.
>
> The first and simplest use case is a "digital badge" for a first
> responder that identifies who they are to security personnel that are
> trying to secure a particular area during a wildfire, earthquake,
> hurricane, or other large scale disaster. It can also be useful for
> citizens that need to check a first responder's credentials that might
> need to enter their property or their home.
>
> For this use case, some of these first responder organizations are
> wondering if we can implement a form of "phone home", with the consent
> of the responder, to "check in" when their badge is verified. There
> are even requests for an "active tracking beacon" for firefighters
> going into dangerous areas that might need to be rescued themselves if
> they get into trouble.
>
> So, the "phone home" here is opt-in/consent-based and viewed by both
> the responders and their agencies as a safety feature that could save
> lives. This feature would exist on the physical badges (VC barcodes)
> and digital badges (VCs). It could probably be implemented as a
> ping-back mechanism, where a verifier scanning the badge would call an
> HTTP endpoint with the VC that was scanned and possibly geocoordinates
> (for rescue/audit purposes) and a VC for the entity performing the
> scan (for auditability purposes). It could be "turned off" by choosing
> NOT to selectively disclose the pingback location (but that would
> probably only work in the digital badge version).
>
> Now, clearly, this sort of functionality is something we've
> collectively warned against for a very long time. Implementing this
> for something like a driver's license is a horror show of potential
> privacy and civil liberty violations. However, implementing this for a
> first responder that's running into a wildfire to save a town feels
> different.
>
> If we think this is a legitimate use case, standardizing it might
> allow digital wallets to warn people before presentation of the
> digital credential. So, rather than organizations implementing this
> anyway, but in a proprietary way where the "phone home" is hidden,
> this would be a way of announcing the privacy danger if the badge is
> used w/o consent or selective disclosure.
>
> So, some questions for this community:
>
> 1. Is this a legitimate use case?
> 2. Is this sort of feature worth standardizing?
> 3. Is there a more privacy-preserving way to accomplish this feature?
> 4. Should there be wallet guidance around this feature? If so, what
> should it be?
> 5. Should there be verifier guidance around this feature? If so, what
> should it be?
> 6. What horrible, civil-liberties-destroying outcome are we most afraid of
> here?
>
> Interested to... oh, wait a sec... *puts on a flame retardant suit*...
>
> Interested to hear everyone's thoughts. :)
>
> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> https://www.digitalbazaar.com/
>
>

-- 
Joe Andrieu
President
joe@legreq.com
+1(805)705-8651
------------------------------
Legendary Requirements
https://legreq.com

Received on Friday, 2 May 2025 22:58:59 UTC
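The following is an added example, not code from either message above and not part of any W3C specification. It sketches the two halves of the ping-back design Manu describes from the wallet's point of view: a wallet that scans a credential for a phone-home property before presentation and warns the holder (question 4), withholds that property when the holder does not consent (the "turned off by not selectively disclosing" case), and a verifier that only builds a ping-back request when the presented credential still carries an endpoint (question 5). The property name `pingback`, the other names in `PHONE_HOME_KEYS`, and the sample badge credential are constructed assumptions; the VC data model defines no such property.

```python
"""Wallet-side detection and withholding of a 'phone home' property in a
Verifiable Credential, plus the verifier-side ping-back body.
Added example; property names and the sample badge are assumptions."""
import json
from copy import deepcopy

# Property names a wallet might treat as phone-home hooks (assumed names,
# not defined by any specification).
PHONE_HOME_KEYS = {"pingback", "pingbackEndpoint", "phoneHome", "checkIn"}

# Constructed sample: a first-responder badge carrying a ping-back endpoint.
SAMPLE_BADGE = {
    "@context": ["https://www.w3.org/ns/credentials/v2"],
    "type": ["VerifiableCredential", "FirstResponderBadge"],
    "issuer": "did:example:county-fire",
    "credentialSubject": {
        "id": "did:example:responder-42",
        "role": "EMT",
        "pingback": {"endpoint": "https://dispatch.example/checkin"},
    },
}


def find_phone_home(node, path=""):
    """Walk the credential and return dotted paths of phone-home properties."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key in PHONE_HOME_KEYS:
                hits.append(child)
            else:
                hits.extend(find_phone_home(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_phone_home(item, f"{path}[{i}]"))
    return hits


def warning_for(vc):
    """Text a wallet would show before presentation, or None if nothing found."""
    hits = find_phone_home(vc)
    if not hits:
        return None
    return ("This credential can notify a third party when it is verified: "
            + ", ".join(hits))


def _strip(node):
    """Remove phone-home properties in place, recursively."""
    if isinstance(node, dict):
        for key in [k for k in node if k in PHONE_HOME_KEYS]:
            del node[key]
        for value in node.values():
            _strip(value)
    elif isinstance(node, list):
        for item in node:
            _strip(item)


def prepare_presentation(vc, disclose_phone_home):
    """Return the credential as it will be presented. Without consent the
    phone-home properties are removed. A real wallet must do this through a
    signature suite that supports selective disclosure (e.g. BBS-based or
    SD-JWT credentials); deleting keys from a conventionally signed credential
    would simply invalidate its proof."""
    presented = deepcopy(vc)
    if not disclose_phone_home:
        _strip(presented)
    return presented


def _first_endpoint(node):
    """Find the first phone-home endpoint value still present, or None."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in PHONE_HOME_KEYS:
                return value.get("endpoint") if isinstance(value, dict) else value
            found = _first_endpoint(value)
            if found:
                return found
    elif isinstance(node, list):
        for item in node:
            found = _first_endpoint(item)
            if found:
                return found
    return None


def pingback_request(presented_vc, scanner_vc, coordinates=None):
    """Verifier side: build the ping-back message (not sent here) only when the
    presented credential carries an endpoint. Returns (url, json_body) or None."""
    endpoint = _first_endpoint(presented_vc)
    if not endpoint:
        return None
    body = {"credential": presented_vc, "scanner": scanner_vc}
    if coordinates is not None:
        body["location"] = {"lat": coordinates[0], "lon": coordinates[1]}
    return endpoint, json.dumps(body)


if __name__ == "__main__":
    print(warning_for(SAMPLE_BADGE))
    withheld = prepare_presentation(SAMPLE_BADGE, disclose_phone_home=False)
    print("ping-back without consent:", pingback_request(withheld, {"id": "did:example:scanner"}))
```

The point the split illustrates is Joe's: once the hook is a property any issuer can place in any credential, the only defence the holder has is a wallet that detects it and a signature suite that lets the holder withhold it; the verifier-side code shows why a plain barcode badge cannot offer that choice, since nothing there can be withheld.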