Re: When is "phone home" ok, if ever?

Carsten:

There is some important thinking here. Thank you for sharing it.

Can I suggest that perhaps it would be nice to change a term before you
spread this thinking more widely? I believe that the use of the term
"citizen" is problematic, because it puts anyone who is not a citizen into
a non-existent third category, and it invites the incorrect assumption that
the right of ordinary people to hold non-employee credentials is somehow
tied to their government status. Stateless persons living in refugee camps
should be able to get most forms of verifiable credentials. I was an expat
living in Switzerland; my right to drive was proved with a driver's license
issued by the Swiss government, but I was not a citizen there. I just went
to a meet-and-greet with Afghan refugees; they are not citizens of the
country where they live, but they pay taxes and need VCs documenting their
vaccinations, their education, etc.

Perhaps X2P (P = person) would be a better label.

--Daniel

On Tue, May 6, 2025 at 7:35 AM Manu Sporny <msporny@digitalbazaar.com>
wrote:

> Forwarding a really solid write up from Carsten since the email seems to
> have not gone through on the CCG mailing list.
>
> ---------- Forwarded message ---------
> From: <carsten.stoecker@spherity.com>
> Date: Tue, May 6, 2025 at 4:09 AM
> Subject: AW: When is "phone home" ok, if ever?
>
> Dear all,
>
> Thanks for raising the important questions around first responder
> credentials, tracking, and consent. Your post sparked a deeper analysis on
> our end about how fundamentally different “citizen” and “employee” use
> cases are when it comes to verifiable credentials, privacy, tracking,
> consent management and UX. We conducted the analysis drawing on our
> expertise in employee wallets and business requirements, supported by
> in-depth research facilitated through OpenAI Deep Research.
>
> We’ve compiled our findings from an employee-related perspective into a
> .md document, which you can access here:
> https://hackmd.io/@KsjE2xL6Q_CAsVkYWt58iA/BJ3I9Vwxxx
>
> The key takeaway is that employee credentials—like those for first
> responders—must be treated with different assumptions than citizen ones.
> Tracking, consent, wallet structure, and UX expectations diverge
> significantly due to operational and legal differences.
>
> For example, we argue that:
>
>    - Employee credentials justify tracking (with limits) for safety,
>    compliance, and auditing.
>    - Privacy-enhancing technologies are often counterproductive in these
>    scenarios.
>    - Terms of use should define purpose, context, and data retention
>    obligations.
>    - Wallet and verifier design should account for these distinctions to
>    protect workers while supporting operations.
>
> We also suggest formalizing the separation of private and
> employment-related wallets to avoid consent ambiguity and security policy
> conflicts as well as “wallet dance” when business processes engage with
> personal wallets on private hardware outside the broader organisational
> ecosystem infrastructure.
>
> Looking forward to hearing your thoughts—and happy to contribute to
> standardization discussions on this topic.
>
> Best regards,
> Carsten
>
> *Key Concepts from our Research Document*
>
> *1. Distinction between X2C and X2E Use Cases*
>
>    - *X2C (Entity-to-Citizen):* Consent-centric, minimal disclosure,
>    governed by strong privacy expectations (e.g. GDPR).
>    - *X2E (Entity-to-Employee):* Includes justified tracking for
>    compliance, safety, and auditing—subject to workplace transparency and
>    proportionality requirements.
>
>
> *2. Citizen vs Employee Credentials*
>
>    - Employee credentials (e.g. digital badges for first responders)
>    support operational needs like authentication, location tracking, and
>    role-based access.
>    - These are structurally and functionally different from credentials
>    used in purely personal contexts.
>
>
> *3. Separate Wallets for Personal and Professional Use*
>
>    - Distinct wallets avoid “wallet dance” issues and reduce privacy and
>    compliance friction.
>    - eIDAS 2.0’s one-wallet policy introduces complications, especially
>    in high-security employment settings.
>    - A business wallet infrastructure is proposed, inheriting verified
>    identity elements under organizational control.
>
>
> *4. Consent and Privacy Management*
>
>    - In X2E scenarios, consent is often non-voluntary, and must be
>    replaced with transparent policy-based controls.
>    - Privacy-enhancing technologies (PETs) offer limited value in
>    operationally intensive environments and may impair usability and
>    interoperability.
>
>
> *5. Terms of Use for Credentials and Presentations*
>
>    - Terms should specify scope, context, permitted data uses, and data
>    retention/deletion timelines.
>    - Wallets and verifier apps should enforce or warn on violations of
>    these terms, helping avoid repurposing or misuse.
>
>
> *6. UX and Simplicity for Critical Scenarios*
>
>    - Especially in the case of first responders, the focus should be on
>    operational simplicity and trust—not abstract privacy guarantees.
>    - The use of verifiable credentials should enhance coordination
>    without introducing excessive technical complexity.
>
>  Mit freundlichen Grüßen / Kind regards
>
> *Carsten Stöcker*
> Founder, CEO Spherity GmbH
> +49 152 08930 990
>
> Spherity GmbH <http://spherity.com/> | Emil-Figge-Str. 80 | 44227 Dortmund

Received on Tuesday, 6 May 2025 14:38:09 UTC