Re: When is "phone home" ok, if ever? from Manu Sporny on 2025-05-06 (public-credentials@w3.org from May 2025)

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Tue, 6 May 2025 09:32:50 -0400
To: W3C Credentials CG <public-credentials@w3.org>, carsten.stoecker@spherity.com
Message-ID: <CAMBN2CRYoaYsFOEzNrE9RJ5iKQbBQEb5mFLvWvaO=ZbNSzBmSw@mail.gmail.com>
Forwarding a really solid write up from Carsten since the email seems to
have not gone through on the CCG mailing list.

---------- Forwarded message ---------
From: <carsten.stoecker@spherity.com>
Date: Tue, May 6, 2025 at 4:09 AM
Subject: AW: When is "phone home" ok, if ever?

Dear all,



Thanks for raising the important questions around first responder
credentials, tracking, and consent. Your post sparked a deeper analysis on
our end about how fundamentally different “citizen” and “employee” use
cases are when it comes to verifiable credentials, privacy, tracking,
consent management and UX. We conducted the analysis drawing on our
expertise in employee wallets and business requirements, supported by
in-depth research facilitated through OpenAI Deep Research.



We’ve compiled our findings from an employee related perspective into a .md
document, which you can access here:
https://hackmd.io/@KsjE2xL6Q_CAsVkYWt58iA/BJ3I9Vwxxx

The key takeaway is that employee credentials—like those for first
responders—must be treated with different assumptions than citizen ones.
Tracking, consent, wallet structure, and UX expectations diverge
significantly due to operational and legal differences.



For example, we argue that:

   - Employee credentials justify tracking (with limits) for safety,
   compliance, and auditing.
   - Privacy-enhancing technologies are often counterproductive in these
   scenarios.
   - Terms of use should define purpose, context, and data retention
   obligations.
   - Wallet and verifier design should account for these distinctions to
   protect workers while supporting operations.

We also suggest formalizing the separation of private and
employment-related wallets to avoid consent ambiguity and security policy
conflicts as well as “wallet dance” when business processes engage with
personal wallets on private hardware outside the broader organisational
ecosystem infrastructure.



Looking forward to hearing your thoughts—and happy to contribute to
standardization discussions on this topic.



Best regards,
Carsten





*Key Concepts from our Research Document*



*1. Distinction between X2C and X2E Use Cases*

   - *X2C (Entity-to-Citizen):* Consent-centric, minimal disclosure,
   governed by strong privacy expectations (e.g. GDPR).
   - *X2E (Entity-to-Employee):* Includes justified tracking for
   compliance, safety, and auditing—subject to workplace transparency and
   proportionality requirements.


*2. Citizen vs Employee Credentials*

   - Employee credentials (e.g. digital badges for first responders)
   support operational needs like authentication, location tracking, and
   role-based access.
   - These are structurally and functionally different from credentials
   used in purely personal contexts.


*3. Separate Wallets for Personal and Professional Use*

   - Distinct wallets avoid “wallet dance” issues and reduce privacy and
   compliance friction.
   - eIDAS 2.0’s one-wallet policy introduces complications, especially in
   high-security employment settings.
   - A business wallet infrastructure is proposed, inheriting verified
   identity elements under organizational control.


*4. Consent and Privacy Management*

   - In X2E scenarios, consent is often non-voluntary, and must be replaced
   with transparent policy-based controls.
   - Privacy-enhancing technologies (PETs) offer limited value in
   operationally intensive environments and may impair usability and
   interoperability.


*5. Terms of Use for Credentials and Presentations*

   - Terms should specify scope, context, permitted data uses, and data
   retention/deletion timelines.
   - Wallets and verifier apps should enforce or warn on violations of
   these terms, helping avoid repurposing or misuse.


*6. UX and Simplicity for Critical Scenarios*

   - Especially in the case of first responders, the focus should be on
   operational simplicity and trust—not abstract privacy guarantees.
   - The use of verifiable credentials should enhance coordination without
   introducing excessive technical complexity.

 Mit freundlichen Grüßen / Kind regards



*Carsten Stöcker*Founder, CEO Spherity GmbH
+49 152 08930 990

Spherity GmbH <http://spherity.com/> | Emil-Figge-Str. 80 | 44227 Dortmund
Received on Tuesday, 6 May 2025 13:33:34 UTC