[MINUTES] CCG Atlantic Weekly 2026-03-17 from meetings@w3c-ccg.org on 2026-03-17 (public-credentials@w3.org from March 2026)

From: <meetings@w3c-ccg.org>
Date: Tue, 17 Mar 2026 18:54:20 -0500
To: public-credentials@w3.org
Message-ID: <CA+ChqYcQdc4Y_9gN6ab_hiKWLt6Esaw1TcsCrR9_mtuh1+M8VA@mail.gmail.com>
This CCG Atlantic Weekly meeting, initially intended to focus on Wayne's
presentation, pivoted to an open discussion on Self-Sovereign Identity
(SSI) and related legislative efforts in Utah, due to Wayne's and other key
attendees' absence. Steven McCown, a member of the Utah Privacy Commission,
provided an in-depth overview of Utah's recent legislation on digital
identity, including the establishment of an Identity Bill of Rights and the
state's approach to digital credentials. The discussion also touched upon
the potential for this legislation to influence other states and the
technological considerations for interoperability. The meeting concluded
with a preview of next week's session on the technical architecture for
autonomy.

Here's a summary of the topics covered:

   - *Meeting Logistics and Re-routing:* Due to the absence of expected
   presenters, the meeting was repurposed to discuss Self-Sovereign Identity
   (SSI) and related legislative developments, with Steven McCown stepping in
   to share information.
   - *Utah's Digital Identity Legislation (SETI):* Steven McCown detailed
   Utah's progress in establishing a state-endorsed digital identity
   framework, including the passage of legislation that enshrines an Identity
   Bill of Rights and mandates the SETI credential as an option for various
   services. This legislation aims to give individuals more control over their
   identity and data.
   - *Identity Bill of Rights:* The core principles of Utah's Identity Bill
   of Rights were discussed, emphasizing that individual identity is innate
   and independent of the state, and outlining protections against
   surveillance and profiling. This bill was passed unanimously by the Utah
   legislature, indicating strong bipartisan support.
   - *Technological Implications and Interoperability:* The discussion
   explored the technological underpinnings of Utah's SETI framework, with a
   leaning towards a core CAI specification, and the critical need for
   interoperability with various credential types and systems. The state is
   looking at solutions that allow for credential exchange rather than strict
   binary compatibility to avoid introducing weaknesses.
   - *Legal and Ethical Considerations:* Key legal and ethical aspects were
   highlighted, including the concept of "duty of loyalty" for digital wallet
   providers and verifiers, ensuring they act in the individual's best
   interest and do not exploit their data. The legislation also clarifies that
   using a SETI credential does not imply consent for a device search,
   addressing a significant privacy concern.
   - *Potential Conflicts with Existing Regulations:* Manu Sporny raised
   concerns about potential conflicts between the new "duty of loyalty"
   legislation and existing regulations requiring retailers to retain certain
   data for age-restricted sales verification. The discussion suggested that
   implementation rules and legal contracts around transactions will need to
   mediate these potential conflicts, with a focus on collecting only the
   minimum necessary data.
   - *Incentives for Other States to Adopt Similar Legislation:* The
   upcoming SETI summit was highlighted as a key initiative to engage
   lawmakers from other states and promote the adoption of similar digital
   identity legislation, emphasizing the open-source nature of Utah's approach.
   - *Bipartisan Support and ACLU Endorsement:* The broad bipartisan
   support for Utah's legislation, including an endorsement from the ACLU, was
   noted as a significant achievement, demonstrating a consensus built by
   listening to various concerns and embodying them in the legislation.
   - *Individual Choice and Non-Compulsion:* A unique aspect of Utah's
   legislation is that individuals are not compelled to adopt digital
   credentials, with physical identification remaining a viable alternative,
   which was crucial for achieving consensus.
   - *Transition of Verifiable Credential Working Group (VCWG)
   Deliverables:* Manu Sporny announced that deliverables from the CCG,
   specifically three verifiable credential specifications, are being moved
   into the VCWG and will require community group report publication, IP
   release processing, and re-enrollment for participants in the VCWG.

*Action Items:*

   - *For CCG Chairs:* Authorize the reuse of the current meeting time slot
   for official VCWG meetings.
   - *For CCG Chairs and Manu Sporny:* Assist individuals involved in work
   items transitioning to the VCWG in becoming invited experts if they are not
   already W3C members.
   - *For All Participants Involved in VCWG Deliverables:* Re-enroll in the
   VCWG to agree to the new intellectual property release for the 20
   specifications the group is working on.
   - *For Interested Parties:* Review the code of ethics and professional
   conduct for CCG calls.
   - *For Interested Parties:* Ensure all IPR agreements are signed if they
   are substantive contributors to CCG work items.
   - *For Attendees:* Monitor the mailing list for announcements regarding
   the publication of final community group reports for the three documents
   transitioning to the VCWG.

Text:
https://meet.w3c-ccg.org/archives/w3c-ccg-ccg-atlantic-weekly-2026-03-17.md

Video:
https://meet.w3c-ccg.org/archives/w3c-ccg-ccg-atlantic-weekly-2026-03-17.mp4
*CCG Atlantic Weekly - 2026/03/17 11:58 EDT - Transcript* *Attendees*

Alex Higuera, Benjamin Young, Dmitri Zagidulin, Elaine Wooton, Erica
Connell, Greg Bernstein, Harrison Tang, Hiroyuki Sano, Ivan Dzheferov,
Jennie Meier, Joe Andrieu, Kayode Ezike, Manu Sporny, Otto Mora, Parth
Bhatt, Phillip Long, Rob Padula, Steven McCown, Ted Thibodeau Jr, Wendy
Seltzer, Will Abramson
*Transcript*

Otto Mora: Hey folks,…

Manu Sporny: Hey.

Phillip Long: We get a confirmation from Wayne.

Otto Mora: are we waiting on Wayne? I guess. Okay.

Harrison Tang: I'm checking right now.
00:05:00

Manu Sporny: Does anyone want me to ping him? I can do that.

Harrison Tang: Or maybe we can give other people about a minute or two. If
not, then I don't see Will on too. So Will or Mamu. So if they don't come
in, then we can just cancel it. Yeah, I think so.

Otto Mora: I thought Steve Macan was going to be here.

Harrison Tang: I see on the calendar invite.

Harrison Tang: Go. No,…

Otto Mora: Let me just ask Stephen McC because I think he's one of the key
people behind this.

Will Abramson: Hey, sorry I'm late. I thought is Mammud on the call. My
apologies.

Harrison Tang: I don't see my move here too So

Will Abramson: So, yeah, this is terrible of both of us. I thought Mood was
taking this one and I got into a call. But the bigger question really is
Wayne here? And I don't see him on the call either.

Manu Sporny: I just pinged him on signal. Yep.

Will Abramson: I don't know what's happened. This has happened a couple of
times now and it's like basically I have this process where a week before I
try to message the person who's going to come on next week. and a couple of
times people just haven't responded. I guess maybe we need a backup or
something when that happens. I'm sorry to take people's time like this.
Feel bad. yeah,…

Manu Sporny: Some of us have read through the SETI stuff and can give a
high level. we could spend a little bit of time doing that.

Will Abramson: that's not a bad idea Maybe I did also try to invite Steve
Macau on because I thought he would be interested in this talk, but I don't
see him on either. I would love to maybe just have an open discussion about
SEI. I'm not deep into it. So, Manu or anyone else who wants to, start a
conversation, I think that would be very interesting to me at least. maybe
at the very same time, I'll ping Steve as well, see if you want to start

Manu Sporny: I mean, Phil's also fairly knowledgeable about this.

Manu Sporny: Maybe we can cover some of the CCG front matter because
there's some things that we need to do about transitioning documents and…

Will Abramson: Right. Yes.

Will Abramson: Okay. Yeah.

Manu Sporny: things like

Will Abramson: To totally. Let me start the call properly and then we can
start. Sorry, my head was not in the zone. yeah. So, apologies again
Welcome to today's CCG call. it looks like we're going to have a slight
change of plan and just have a discussion about SEI. But before we do that,
I need to do the standard spiel. So please read the code of ethics and
professional conduct and follow that to keep making this a friendly
welcoming environment for folks. Secondly IP note anyone is welcome to
participate in these calls. However substantiative contributors to any CCG
work items must be members of the CCG with all IPR agreements signed. yeah
I think that's it. Blah blah blah. introductions reintroductions.

Will Abramson: I'm just whizzing through assuming no but do jump on the
call on the queue if you want to say hi. finally announce Does anyone have
any announcements or reminders for the group? Manu go for it.

Manu Sporny: Yeah, just a quick one. last week the verifiable credential
working group made a resolution to pull in the deliverables that they have
in the new charter into the group. So the CCG currently has three documents
that need to be moved doing this off the top of my head unfortunately. the
verifiable issuers and verifiers spec which was just renamed to verifiable
credentials for recognition like recognized actions like issuance and…

Harrison Tang: One.
00:10:00

Will Abramson: Okay.

Manu Sporny: verifying this morning. in the verifiable credential API for
life cycle management spec this community and Benjamin sent an email to the
mailing list about it. this community needs to publish final community
group reports for each one of those documents, trigger the intellectual
property release process for those documents, and then we'll be asking
people to sign the intellectual property release for anyone that
contributed content to any of those specifications. this is a process we
have done many times over the years.

Manu Sporny: So, we're just doing it again for these three specifications
to get it into the verifiable credential working group officially. and for
those of you that didn't know, the new charter just took effect. So,
there's a 2026 to 2028 charter that the verifiable credential working group
was just rechartered It is in effect and active now. There are 20
specifications that the group is currently producing and moving through the
standards process. focused on maintaining the verifiable credential 20
suite of specifications and doing new ones over protocols and visual
display and transmission via barcodes and transmission via NF NFC and
Bluetooth. There's work around the European digital wallet stuff. There's
work on European digital product passport.

Manu Sporny: there is no shortage of work to be done. so if you would like
to help out in this work, please join us and help out if you can. so that's
just to say that we are now moving work. We're graduating work from this
community that this community has been incubating into the global
standardization process and we will continue that work there. The other
thing to mention is that and again I think CCG chairs will need to weigh in
on this but the VCWG plan was to continue using the same time slot that the
CCG meetings are in for these work items the same meeting location to now
start having official working group meetings.

Manu Sporny: in order to do that, we need to make sure that everyone that's
participating in this work is officially in the verifiable credential
working group. there are two ways to do that. Either you're a W3C member or
if you're bringing something special to the group you can be as an invited
expert. and we already have many of the people working on this stuff in as
invited experts. But if you are involved in any of these work items and you
are not yet an invited expert, please let the CCG chairs know so that they
can help you with getting into the BCWG as an invited expert. sorry that
was a bit long but we're now transitioning all this stuff into the BCWG and
it requires both the CCG and VCWG to do quite a bit of work over the next
two weeks. That's it.

Will Abramson: Yeah, that's Great context. Thanks, Yeah, and I think the
CCG chairs are happy to,…

Will Abramson: authorize this. I guess I don't see I haven't talked to the
other chairs, but I don't see a problem with reusing this call time. What
makes sense to me? so yeah, we're happy to support however you need us to
do. Joe, great.

Joe Andrieu: Yeah,…

Joe Andrieu: I just wanted to add with the new chartering, if you were
already a member, you'll need to reup. And my apologies if you said that,
Manny, but it flew by me. So, I just want to let people know. Go join
again. if you want to participate in

Manu Sporny: I did not say that. Thank you very much, Yes, absolutely. and
the reason for that is you need to agree to the new intellectual property
release for the 20 specs that the group's working on.

Manu Sporny: That's the reason they ask you to rejoin.

Will Abramson: Great. Thanks.

Will Abramson: Any final reminders or announcements for the community,
Greg? Great.

Greg Bernstein: Does that include invited experts?

Manu Sporny: I believe so. Yes.

Greg Bernstein: Okay, I'll look for the paperwork somewhere.

Will Abramson: Not seeing anyone else on the queue. So, yeah, apologies
again that Wayne hasn't showed up. However, Steve has also joined, I
believe. Hi, Steve. Thanks so much for joining last minute. I really
appreciate that. So I don't know how the format we want to do, but I think
probably if you don't mind, Steve, I would hand over you to set the scene
maybe you can just present on what SEI is and some of the key features or I
don't know if you have a presentation prepared that you've done in the
past, whatever you think is best and then we can open the floor and just
have a discussion about ZI and in the context of the CCG what are other are
there things that the CCG should be doing work items or is it
00:15:00

Will Abramson: just informationational sharing. Either way

Steven McCown: Okay, thank you.

Steven McCown: I wasn't aware that I had a presentation today. please
forgive me. I actually have a presentation. and I'm struggling to find it
on my computer at the moment. So, let me just kind of go over talk through
what's going on in Utah and then everybody just feel free to interrupt and
ask me any questions you want. So, kind of how I got involved in all of
this is a couple of years ago, I was, nominated by our governor of the
state, Governor Cox, to serve on what's called the Utah Privacy Commission.
And so I was invited along with Sam Smith, both of us as cyber security
experts.

Steven McCown: And so we both serve on that commission. And what we do
there is we kind of look around we invite different organizations within
the state different departments to bring their systems and come and present
on how those systems work. And then we give advice and feedback on the
privacy implications of what they're doing. so there's been a number of
things that have happened. So we kind of started off there and along about
the same time there was a lot of discussion about decentralized identity
all the different standards that kind of fall under that larger umbrella
and what that really meant.

Steven McCown: we looked at some of the traditional kinds of systems and
some of the pros and cons that they had. And then what we did is we started
putting together some legislation. And when I say I was more like a
technical reviewer advisor. I'm not a legislator, so I don't actually write
legislation, but part of my role was to, give some feedback on what was
possible, what was good, wording, technology changes and so forth. And so,
we've done that. Last year, we did a couple of things.

Steven McCown: we had an initial SETI bill that said that we are changing
the way identity works in Utah. So typically when you go to your local
government, whether that's US or wherever, you kind of go to them and they
give you your credentials and so they give you this identity which kind of
implies that they can revoke it or control it in some way. And so we didn't
really appreciate that and that's traditionally how it's been here in the
US as well. but one of the landmark things from the SETI legislation from
last year was that your identity originates with when a child's born their
parents name them.

Steven McCown: the identity comes through their social constructs where
they live and the state doesn't really create that. So the individual's
identity originates with the individual. So we put that in there and we set
the ball rolling to analyze what a future digital identity system would
look like and the kinds of requirements that it would want to present to
all of our residents in the state. this year it went quite a bit further.

Steven McCown: we actually took the referendum from last year. We passed
some new legislation that really sets the ball rolling for creating a
department for allocating funds for really changing how identity works in
the state. one of the landmark things and I've blogged about this on
LinkedIn there's an article there is an identity bill of rights that we put
out in the legislation. I think Phil Long's got that handy. so if he wants
to display some of that we can kind of talk through that.
00:20:00

Phillip Long: I will see…

Steven McCown: Otherwise,…

Phillip Long: if I can find the file that I put up ready to go. it's SP275.

Steven McCown: yeah, it's SP275. otherwise we can just grab that off the
web page.

Phillip Long: Yeah. …

Steven McCown: But yeah, if you got that handy, that's easier.

Phillip Long: I thought I did because I just brought it onto my screen.

Steven McCown: Okay. Let me see…

Phillip Long: But I'm not seeing it in the list. And that's probably

Steven McCown: if I can grab it real quick and…

Phillip Long: That's the best.

Steven McCown: then Yeah.

Manu Sporny: I put a link into the chat if it's just the direct link to the
red lines in the digital identity bill of rights. I can bring it up if you
want. this thing, is this what we're talking about? Okay.

Steven McCown: Yes. Yes. So, yeah, if you can zoom that just a tad. so one
of the things that we did is put in this identity bill of rights and this
is in the state of Utah. this is how we view identity and how it relates
this kind of contract between the government and the individual. And this
is modeled after our US Constitution that when it was passed there was a
series of bill of rights that were part of the original negotiation in
order to there was some disagreements on what belonged to the individual
what belonged to the federal government.

Steven McCown: So we kind of modeled this after that and there on line 1026
point number one possesses an individual identity innate to the
individual's existence and independent of the state which is fundamental
and inalienable. And so that's our assertion that your identity belongs to
you whatever your name is. obviously they don't like offensive names for
people with governments but other than that something like that.

Steven McCown: that's yours so we've codified this this was passed this
particular bill with all the things in it was passed unanimously by both
our house and senate and I haven't checked to see if the governor has
signed it but he's expected to sign it. So if not already for all intents
and purposes this is Utah law. so yeah, if anybody has any questions,
please just interrupt. Manu

Will Abramson: Did I go for a minute?

Manu Sporny: Yeah, I wanted to underscore what you just said, Stephen, it
was passed unanimously by both sides. there wasn't a single vote, a
dissenting vote against this, which I thought was awesome and amazing,
especially in the US today. and it feels there's a lot of momentum because
of it and I think there plans to pull in many other states in the US this
happened and…

Phillip Long: Get

Manu Sporny: it's so strongly aligned with a lot of what this community has
been trying to build for many years. what we've been missing is like a
state legislature that really gets it and SETI seems to get it at a very
deep level. could you speak maybe these are all very important things to we
should cover them…

Manu Sporny: but what does it look like after this is it only going to
happen in Utah is it going to spread to other states what were some of the
technology choices is

Steven McCown: Yeah. …

Steven McCown: yeah, as Bill mentioned in the chat, there's been a number
of states north of 10 that have expressed interest. I think we had 15
states We had a conference put on by the state in Utah Valley University
called the SETI summit last October and I think we had about 15 states
attend. I know the state of Idaho has introduced their own city like
legislation just this year. and a number of states are interested in what's
going on.
00:25:00

Steven McCown: typically a lot of states have kind of been surprised by our
assertion of these kinds of things in this list and what we're doing here
in the state. So how it works is the SETI so a state endorsed digital
identity. So think of it like you bring your did and your birth certificate
kind of things and the state will issue you a digital credential. and that
is going to be what this bill did is it required that for all new systems
here in the state of Utah, the SETI credential will be required for any
system that accepts a digital identity of any type. SETI will have to be
one of those options.

Steven McCown: It also put in a number of things listed in this bill down
below are things like cigarette or alcohol sales, things that are typically
controlled by the government in some way. when your identification is
presented for those purchases, SETI will need to be an option. the other
big thing is that for hospitals and health care organizations that receive
more than $10 million of public funding, they will also need to accept the
SETI credential. So what we're seeing is the state really took charge of
defining what the credential is and then using it for its own operational
purposes.

Steven McCown: But what is foreseen is that so for example if somebody
purchases cigarettes or vapes or things like that that require the
presentation of an identity those purchases are often made at a ga gas
station or convenience store or something like that. so there will be
opportunities for or companies that make verification terminals to
incorporate that. So while the state can only mandate what it does within
its own sphere of influence there's going to be a lot of collateral
opportunities such as those making the verafones and whoever that make
those kinds of terminals. and then hospitals and health care is its own big
arena and those will be required in the state as well.

Steven McCown: Demetri, you had a question of the technology of the
credential or…

Dmitri Zagidulin: Yeah. Can you speak a little bit more on the importance
or the implications of this with regards to status quo of the legislation?

Steven McCown: how do you mean? Yeah. the legisl Sorry, I was talking over
you.

Dmitri Zagidulin: No, no,…

Steven McCown: Go ahead.

Dmitri Zagidulin: that go on. one of the legislation specifically.

Steven McCown: So, the legislation things are expected to take place
starting on or about May 1st, I believe, is the date that's in the bill.
And there it'll take some time. What'll happen is the state will start
fleshing out what the technology stack looks like. There's been some
initial work in that area. my sense don't hold me to this but my sense is
what this is going to look like is a core system of the carry specification
including ACDC's.

Steven McCown: but one of the things that I I pushed for two things that I
thought were really important that we need to figure out a way to be
interoperable with other systems. and the purpose behind zero knowledge
proofs of being able to assert a piece of information without giving the
piece of information like I'm over 21 or I live in this county or excuse me
something like that.

Steven McCown: those need to be in there as well. The initial discussions
anticipate incorporating a wide variety of technologies but with a kind of
a core carry base is where they're leaning. the reason they're doing that
is Kerry has two main features that got a lot of attention. one is that
with all its pre-rotation of keys and everything, what it does is it allows
you to kind of detect when a key has been compromised and then recover from
key theft detection and was kind of a big thing.
00:30:00

Steven McCown: but I made the observation that carri is just not widely
used, especially in the W3C community. and so finding ways to be
interoperable is important. Now, our initial discussions on that were not
to carry binary compatible with something else. I advocated more of a
credential exchange type of thing. So for example, whoever's issuing me say
a W3C credential, I can go there, use my SETI credential to assert my
identity, but then be issued this other type of credential that I can use
in more places. And so like I say, these are kind of my thoughts at this
point. This is not set in stone. I want to reiterate that.

Steven McCown: But finding ways to be interoperable without being binary
compatible in the traditional sense allows us to have multiple credential
types interoperate together without sometimes when you make things binary
compatible like that, you introduce weaknesses that weren't in either
original system. And so we're kind of trying to avoid that. and part of the
motivation for I kind of pushed that a lot was we're having the Winter
Olympics here in 2034 as long as we have snow of course and we're going to
have people from all over the world bringing all their credential types
whether they're e EUDI kind of credentials or MOSIP credentials

Steven McCown: or MDL credentials or whatever. And so finding a way to have
people be able to use their wallets and the credentials they come with was
important. And how that shapes out, that's still to be defined, but those
are some of the things we're anticipating in response to this.

Dmitri Zagidulin: I fell.

Will Abramson: Yeah.

Phillip Long: If I could add to this from the perspective of what the
implications are for the state because the thing that the legislation does
is that creates a series of statements about what an individual can and
can't do and what the state can and can't do. So on the one hand, it
protects that it doesn't force anyone to use a digital identifier or a
digital credential if they don't want to do that. And on the other hand, it
makes sure that the digital credential that is present if a choosing person
wants to do that is equally useful in any place that a physical credential
would otherwise have been used. that's kind of an important ground setting
thing.

Phillip Long: It also instantiates the notion of selective disclosure that
the individual has the right to disclose those elements of the credential
that they feel is appropriate. There will be presumably legislation that
mandates a minimal set of things for particular circumstances but the
selective disclosure is specifically part of the digital identity bill of
rights. It also states that it's an item 10 in that digital bill of rights.
you can expect to be free from surveillance profiling tracking or
persistent monitoring of the individual's assertions from an identifier by
the state and with the caveat that there is authorized by law which will be
disute at a point of disputation no doubt.

Phillip Long: but the other thing I think it's important to note is that it
means that any of the provisions that the state would normally give to
someone from the ability to fish in lakes with a fishing license as Steve
mentioned when you're born you have a birth certificate and the state has
in their vital records office a copy of that. nothing about any of the
provisions that are things that can result in your digital identity being
revoked when one of those provisions is revoked.
00:35:00

Phillip Long: and the last thing I'll say is there's a duty of loyalty
which I thought was really important also in SB 0275 and basically it says
that the digital wallet providers verifiers a relying party or a guardian
are constrained they shall refrain from practices or activities related to
the processing of the digital identity attributes that either conflict with
the best interests of the individual take advantage or exploit the
individual, result in disproportionate risk to the individual, add any
individual detriment, or cause harm. That's under the category duty of
loyalty. And I thought that was a really unique provision in this
legislation. Thanks,

Steven McCown: Yeah. No, excellent points. I say, this SETI framework that
has been put out really really changes a lot of things and that's why the
identity bill of rights was kind of upfront. we tackled a lot of things.
there won't be a state wallet. So I mean the state will probably provide
one as a reference point, but it's anticipated that you'll get to pick your
wallet. that this digital guardianship is something that we haven't seen in
other jurisdictions.

Steven McCown: and so that's one of the big ads that we'll be making to the
technology stack and protocols as they emerge. the other thing that we
tried to tackle was there was this concern we've seen this in lawsuits in
other states other countries do it different ways is this notion that to
assert your identity in a digital format you basically unlock your device
and sometimes they scan a QR code you can do btle the Bluetooth low energy
stuff

Steven McCown: or whatever. And sometimes you end up handing your phone to
the person doing the verification. And that's one of the things we also
anticipated here is that using your SETI does not imply consent to search
of your device. and so it's a little sentence there, but There's a lot we
have part of getting this effort underway here in the state of Utah was we
have people across the political spectrum. we have, people on the far left
and people on the far right and some of those even for different reasons
are very concerned about privacy and this in implicit consent to search.

Steven McCown: and in other states where this hasn't been specified in
legislation or proven in courts, it's kind of left up to the discretion of
whoever and then the courts have to sort it out. And so, the SETI authors
in this bill wanted to state that up upfront that using your phone to
assert your identity does not imply that you're unlocking the device and
consenting to search. other rules might apply for whatever reason, but as
far as using your SETI that this is the case duty of loyalty that Phil
mentioned, that's a real important one. when it comes to privacy, we live
in a surveillance economy. we just really do.

Steven McCown: the book surveillance capitalism that I know you're all
familiar with. that's really how things work. And so there's whether it's
cookies or analytics requested data that we're trying to put that genie
back in the bottle a bit and give the individual discretion on whether how
they're used. So there's a stipulation in there that there won't be any
inherent tracking allowed under selective disclosure is a different aspect
of that same type of thing.

Steven McCown: and then the duty of loyalty portion essentially means at a
real high level if I give you elements of my identity and the contract by
which we do that in a subsecond exchange is you promise to use that for
whatever the express purpose is and not sell it to people and data
aggregators and use it for other purposes.
00:40:00

Steven McCown: then that's part of a duty of loyalty. And so embodying that
in the code here, what that did is it gave the individual recourse. So if
you go to the gas station and you, buy alcohol or whatever and you present
your state identity and they data mine the heck out of you and they sell it
to Amazon and Facebook and whatever, you have recourse there. There's legal
recourse under that because we believe that you shouldn't like inherit a
migration of your personal information just by virtue of using the system
without your knowledge and…

Phillip Long: That man.

Steven McCown: consent. And so that's what this session is a section is
about that consent. all right who's next on the queue? man, I see your
hands up.

Manu Sporny: So on the duty of lo loyalty thing. So I think this is great,
I mean there's a lot of legislation in other states that totally does not
do this at all. same thing with kind of federal leg legislation. So, I
think this is a super powerful bit of model legislation that other states
should pick up. since you mentioned convenience stores and since we work
with a number of them I'm wondering and again this is a great foundational
statement. I'm wondering what happens when current regulations conflict
with this statement.

Manu Sporny: So, for example, you go to a convenience store, you get your
driver's license scanned, they're supposed to only use that for that
transaction. one of the things we know that convenience stores do, not that
they want to do this by and large, is, they sometimes take your driver's
license or some portion of it and kind of store it in their logs because
they have to prove that they actually checked ID.

Steven McCown: Mhm.

Manu Sporny: Because convenience stores are sued sometimes because people
are like, "Hey, you sold alcohol to my underage kid." And so the
convenience store's only defense in that case is no, we checked his ID and
it said he was over 21. Maybe he has a fake ID, but your kid gave a fake ID
to us. We did our duty to try and check it, but it was a really good fake
ID. And so, things got through.

Manu Sporny: So there are things like that where that information needs to
be used in a court of law and is often subpoenaed by law enforcement. There
are often things, on the books that say that, retailers have to collect
this information. and I think I'm pretty sure those I would be surprised if
Utah did not have similar laws and…

Steven McCown: Mhm.

Manu Sporny: legislation about, duty of care when you're selling things
like agegated product. So, both of these laws are on the books. Now, the
duty of loyalty thing, you cannot act against the best interests of the
person coming in to, buy age restricted product in your store.

Manu Sporny: And then the other side of it, which is lawsuit happens,
somebody claims the store didn't check ID. and they need to be able to
produce something to the prosecutors and that is a state, they're usually
like state prosecutors that do that kind of thing,…

Manu Sporny: so what do you know if there's been kind of discussion around
what happens when the laws conflict? Which one takes over? are we just
looking, towards a bunch of lawsuits to figure this stuff out? Thoughts on
that?

Steven McCown: Excellent questions.

Steven McCown: So I think what'll happen, yes, there are apparent things
that might seem to conflict right now. I think when this is embodied, what
will happen is part of the disclosure for making a purchase at a
convenience store will be this transaction will be logged by the store. So
what led to some of this was I was in a presentation last year and I was
talking about some of the downsides of logging data and transactions.
00:45:00

Steven McCown: And so with the state operating the city and environment not
operating but at least overseeing in some sense what one of the downsides
is let's say one of your employees is you're putting on a conference and
alcohol will be served and they run to this store and they buy a case
because then they go to the next store and so all week long they're on
record as buying a case here and a case there. What we didn't want to have
happen was some of this assimilate all those transactions and say, " gosh,
John over there is really buying more alcohol than we think he ought to
buy."

Steven McCown: and then create some sort of action based on that. and so we
were real concerned about what data analytics is doing. when there's a
lawsuit that says, the convenience store, sold alcohol to my underage kid,
there needs to be some way for the store to say, we did verify the
identity. this is what we have. We sold based on that assertion. and so
these things will sort each other out. My sense is that during the
transaction because this duty of loyalty basically says it puts terms of
service around your transaction.

Steven McCown: And if the store says, I want 17 pieces of information and I
want to use it in all these other ways, the consumer can say no and just
not do that. But if they say, we only collect the minimum necessary to
prove that out as required by other law and they go against that, that's
where the individual has right of action. And so when you enter into this
transaction, it's in a sense creating a legal contract for what data will
be collected and how it will be used and maintaining some log of that
transaction. It's going to be required by other law. So it will have to be
in here. But that's how it would be embodied.

Will Abramson: I think it's Heat.

Phillip Long: Yeah, I just wanted to say Manu in particular with respect to
the true age credential which you're referring to I think that actually
acts as a model that can be used as they go through and and negotiate the
actual implementation rules that this legislation conveys where there are
conflicts the implementation rules it's my expectation that they will in
fact be the place where mediation between the two is developed and so that
operationally there is likely going to be a whole period of time where
conflicts exist if they exist there is then the question of all right what
was the intent and

Phillip Long: what are the actual operational rules will govern this so
that conflict is mitigated in the spirit of the intentions involved. so I
think you have an opportunity to do a lot because of the work that you've
done to get to this point, a lot of opportunity to help them see the
context for this. And also since the convenience stores that are accepting
true wage and using it exist in Utah anyway, you already have a model for
how to introduce it into point of sale terminals that other point of sale
systems might want to leverage. And so,…

Phillip Long: I don't think anybody wants to invent this stuff from scratch
if there's a model to follow. And I would expect in this particular case
that would be welcomed. I don't know, Steve, you'd agree with that or not.
That's my perception from the conversations.

Steven McCown: Yeah. Yeah.

Steven McCown: No, that's very well stated. yeah, I'm not writing the
technology stack. let me be clear on that. I know who and in talking with
them, there's a desire to be open as long as it doesn't compromise privacy
and security. those are big deals for us. The other thing I want to throw
this in there is because we were able to achieve a unanimous out of the
entire legislature vote on this. There were a number of things that are in
the bill. first of all, there is not going to be a prioritization of
physical credentials like your plastic driver's license over your digital
credentials.
00:50:00

Steven McCown: And so if somebody gets into a situation where they're
trying to make a transaction of whatever sort and the terms of service for
the digital credential state, sell your data to all the aggregators or
something off the wall like that and they just don't like it. they can
always use their physical identity and assert and just show their regular
identification card. and that was one of the things necessary to achieve
this giant consensus. was that you won't be compelled in or out of the
digital environment.

Steven McCown: And that was a big concern here in the state with certain
groups that they didn't want to be compelled into the digital. although
they were interested in it, they just didn't want to be compelled by it.
and so that's another unique thing. Usually when identity systems stand up,
there's kind of a compulsion to be involved and to use the new credential
type. that's not what we've done here. we've made it 100% individual
option. So if you feel comfortable in one sense…

Steven McCown: but not in another, that's your choice.

Will Abramson: Great. Thanks,…

Will Abramson: Steve.

Manu Sporny: Yeah, a plus one to all of that. and I should make it very
clear, I'm just speaking on my personal capacity, not, on, Drew H's behalf
or National Associate of Convenience Stores, just making statements using
publicly known data. maybe it would be good to also cover kind of the SETI
summit that's coming up. I did pull up the link here.

Manu Sporny: Maybe Stephen can you kind of talk a bit about that?

Steven McCown: This is coming up next month right before I and…

Steven McCown: I think this summit is targeting lawmakers from other
states. So Utah this is our culture. we are happy to be independent and
just build our thing the way we like it. But that said, interoperability
really is important and with the cross flow of people in and out of our
state and other states, what we're trying to do is build a consensus.

Steven McCown: last year at April's IIW, and a few others presented some
privacy concerns about the mobile driver's license. And even though that's
wildly popular in certain states we found some privacy issues with that and
caused a big rockus that you've all known but doubt heard about. that's
part of what has pushed Eddie forward is that we're addressing those
privacy concerns, but what we really want is we want lots of states to
participate with us and so we're not just kind of our, remote island here.
what we'd like to see is lots of other states protect the privacy of their
citizens and residents as well.

Steven McCown: and so that's what this summit is about is to talk about
what led into it, all the cool things it does, but then invite other
lawmakers from other states to u do the same thing in their state. So this
legislation, it really is open source in the sense that what we're trying
to do is hand this over to other legislators and people in other states so
that they can join in as well. And so that's why the state is sponsoring
the SETI summit this year in order to do that to bring people together to
have these discussions.

Steven McCown: other states might have unique requirements and so
extraterrestrial identity. I've thought that more than once or twice as we
talk about SETI. but as far as I know, we have no telescopes involved. but
yeah, so that's what's going on on here. with this is we're trying to get
other legislators. I know Chris Bramwell, our chief privacy officer for the
state. He's been very very involved in talking with CPOS from other states
and even other countries are interested in what we're doing at least from a
data acquisition perspective at this point.
00:55:00

Steven McCown: But yeah, what we hope to do is put the individual back in
control of their identity and have some say in how the data that's
collected or part of a transaction is subsequently used. so yeah, that's
happening here as well.

Phillip Long: Steve, you mentioned that the legislative committee was
entirely supportive and…

Phillip Long: there was only people speaking in favor of it at the hearing.
But the one thing I remember about that is that the committee chair said
that they had even received u a le an email of endorsement from the US
Department of Agriculture and that he was surprised that even the cattle on
the farms in Utah were in support as well.

Steven McCown: That's awesome. yeah, I hadn't heard that One thing I'd like
to point out, which leads to how bipartisan this really is we've had
support from the American Civil Liberties Union, the ACLU, which typically
is very very against digital identity systems for a variety of reasons. but
Jay Stanley their guy in charge of here. this article so what Jay has said
and he was involved in the no phone home effort with us as well.

Steven McCown: What he said is that Utah is really the only state that
they're happy with how the identity system is lay laid out. And I don't
want to misrepresent his words. Feel free to read this article. It's really
good. but the fact that we've been able to achieve such a broad consensus
and any of you watching national politics in the US these days know that
there's not entirely a consensus on everything. but being able to achieve
that across the political left and…

Steven McCown: the political right has been really really neat. And we've
done that by listening to the various sides and what their unique concerns
are and then embodying that in the legislation. So yeah,…

Will Abramson: Okay,…

Will Abramson: Steve, thank you so much for coming on a last minute and,
holding for us. Just this has been a great session. And I really appreciate
you taking the time, especially when I just miss.

Steven McCown: my pleasure. Sorry I didn't have any glossy slides or
anything at this point,…

Will Abramson: That's quite all right.

Steven McCown: but hopefully you've all enjoyed the discussion.

Will Abramson: Yeah, it was wonderful. and apologies to everyone else for
the late arrival and slightly confusing nature of this call. But, look
forward to seeing you next week. hopefully we'll resume more normal
sessions. Who do we have on?

Will Abramson: Christopher is going to talk to us about the technical
architecture for autonomy.

Steven McCown: Thanks, Phil.

Will Abramson: You all next week. Thanks Thanks again have a great rest of
your week. Cheers.
Meeting ended after 00:59:17 👋

*This editable transcript was computer generated and might contain errors.
People can also change the text after it was created.*
Received on Tuesday, 17 March 2026 23:54:29 UTC