Uncategorized

Infominer and I have been publishing the weekly Identosphere Newsletter and Summary of all that is happening Self-Sovereign and Decentralized Identity.

These are ways you can contribute a one time end of the year contribution:

Prices
	$500 $500.00 USD
	$1000 $1,000.00 USD
	$1500 $1,500.00 USD
	$2000 $2,000.00 USD
 

Or subscribe with a contribution every month this button will take you to a page where you can pick a monthly contribution amount.

You can also choose to pay monthly via Patreon.

Or you can reach out to Kaliya and ask for an invoice kaliya@identitywoman.net

Today, Sept 8th, the FTC held a Public Forum on commercial surveillance and data security and I made a public comment that you can find below.

I think the community focused on SSI should collaborate together on some statements to respond to the the FTC advance notice of proposed rulemaking related to this and has a series of 95 questions (in federal register or on the FTC site) that it invites written public comment on by October 21st. Here is a 3 page fact sheet about what they are focused on.

The Federal Trade Commission (“FTC”) is publishing this advance notice of proposed rulemaking (“ANPR”) to request public comment on the prevalence of commercial surveillance and data security practices that harm consumers. Specifically, the Commission invites comment on whether it should implement new trade regulation rules or other regulatory alternatives concerning the ways in which companies collect, aggregate, protect, use, analyze, and retain consumer data, as well as transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive.

– federal register

Here are my Comments:

Thank you, My name is Kaliya Young and my online handle is “Identity Woman” – I have been working for 20 years on the challenge of how people can control and represent their digital selves online with dignity and be empowered. I co-founded the Internet Identity Workshop in 2005 and continue to convene it every 6 months. 

A lot of of the questions put forward relate to regulating these “bad things” happening by companies to people. I also encourage the FTC to take a forward looking approach by consider the work of values based technical communities working on alternative mechanics for data sharing between consumers and companies. 

Two projects I advise Dazzel Dao and JLINX are seeking to end surveillance capitalism via open standards and open source tools to: 

1. Give people tools collect of data that they generate in the digital world
2. Being able organize and get value from THEIR data from a range of sources 
3. and ways to share data under the consumer’s control with companies they trust in with new mechanisms to technically withdraw consent for having the information. 

Rule making should support these positive constructive efforts of ethical technologists. 

—————-

The risk of technology are often not seen until it is too late – I want to bring the Commissioners attention to a key issue that they could help with under the rule making related to data security as it relates to digital wallets – needed for the exchange and sharing of data between consumers and companies via protocols like Verifiable Credentials. 

There is a very real risk that because two companies control the mobile handset operating systems – Apple and Google – the will work to limit access to the APIs within the phone  preventing any wallets created by other companies working well.  

This doesn’t have to happen and the risk of it happening will be reduced if the FTC gets involved to ensure a level playing field for wallet makers – and ensuring consumers will have a choice of who they trust with the sensitive data about who they transact with across the digital world. Thank you.  

This series began in November with Logging Off Facebook: What Comes Next?

The 2nd event will be March 4th online

Both events are going to be Open Space Technology for three sessions. We will co-create the agenda the opening hour.

The 3rd Event will be April 1 online.

Building on the previous one we will consider how to mitigate harms as we enter into Web 3.

This is the text of an email I got today from a company that i had a contract with last year. It is really really really annoying the whole process of sending secure communications and documents. Once I finished reading it – I was reminded quite strongly why we need DIDComm as a protocol to enable the secure transport of all sorts of things not just signed VCs but intermediate uses – just PDF based things that have important information. Greetings from Tax1099.com !

Your 1099-NEC was submitted by COMPANY X for 2021.

Instructions for opening the form: Click on the attachment provided with this email. You will be prompted for your password, which is 8 characters. Please enter the first 4 letters of the name listed after the word ‘Dear…’ at the beginning of this email, all lowercase, and the last 4 digits of the tax ID (either SSN/EIN or ITIN).

For example:1. If your name appears on the form as Mary May with an SSN of 711223456, then the password would be mary3456 (first 4 characters of your Full Name / Business Name + last 4 digits of your SSN/ITIN number). 2. If your business name appears on the form as A & D with ITIN as 012847934, then the password would be ad7934 (first 2 characters without spaces and special characters of your organization name + last 4 digits of your ITIN/EIN number).  3. If your business name appears on the form as Mary May PLLC with ITIN as 012847934, then the password would be mary7934 (first 4 characters of your organization name + last 4 digits of your ITIN/EIN number). 4. If your name appears on the form as Al & D with ITIN as 517223355, then the password would be ald3355 (first 3 characters (ignore special characters and spaces) of your Full Name / Business Name since the Full Name / Business Name is shorter than 4 characters + last 4 digits of your SSN/ITIN number). 5. If your name appears on the form as Mary May without an SSN/ITIN number, then the password would be mary (first 4 characters of your Full Name / Business Name). 6. If your name appears on the form as Al & D without SSN/ITIN number, then the password would be ald (first 3 characters (ignore special characters and spaces) of your Full Name / Business Name since the Full Name / Business Name is shorter than 4 characters). 7. If your name or business name appears on the form as My Test with TIN as 012847934, then the password would be myte7934 (first 4 characters of your name or organization name + last 4 digits of your TIN/EIN/SSN number).

If you encounter any problem in opening your eForm, please check whether:1.You have entered the first 4 characters of your name/organization name (in lowercase letters). 2.You have entered the last 4 digits of your SSN/ITIN/EIN number.

I am pleased to share that I have joined the Secure Justice Advisory board. I have known Brian Hofer since he was one of the leaders within Oakland Privacy that successfully resisted the Domain Awareness Center for Oakland.

I wrote a guest blog post about a philosophy of activism and theory of change called Engaging with Industry that I share with Brian.

He has agreed to join the Advisory board for the next Thoughtful Biometrics Workshop that I am organizing for 2022.

I’m speaking today at the Phocuswright conference and this post is sharing key resources for folks who are watching/attending who want to get engaged with our work.

The Covid Credentials Initiative where I am the Ecosystems Director is the place to start. We have a vibrant global learning community striving to solve challenge of common standards for covid credentials and health passes.

• Subscribe to our newsletter – comes out every 2 weeks.
• Join/Get Involved and you can join our Slack

We have a Travel Summit Dec 1 & 2

As more and more governments adopt major COVID certificate standards to reopen borders, the travel industry is working hard to catch up on their technology to meet the evolving travel requirements. However, there is still no shortage of complaints from travelers about their cumbersome international travel experiences. 

Our community has been working within Linux Foundation Public Health (LFPH) to support the implementers of COVID credential solutions with a particular focus on facilitating interoperability among technology standards while preserving the privacy of individual data. At this critical juncture of global reopening, LFPH and Affinidi, a leading player in the space, are bringing key actors from the travel industry and technology vendors who are serving the travel industry together, to share and discuss:

• What technology solutions are in use to issue, process, manage and verify COVID certificates along the journey for international travelers, from before they leave home to their arrival at the hotel at their destination
• How they navigate and implement the complicated health policies and travel rules
• What the key challenges they are facing to provide a safe and smooth travel experience, including major technology and policy gaps that the LFPH/CCI community can help address

The agenda and speakers will be announced soon. Grab your seat today!

APAC Edition Dec 1

EU/US Edition Dec 2

We collaborated with Good Health Pass Collaborative on developing the Good Health Pass Interoperability Blueprint within the Trust over IP Foundation.

We at CCI are keen to continue this work and get travel happening together and welcome more active participation from the travel industry. Please join us!

There is also the Travel and Hospitality Special Interest Group at the Decentralized Identity Foundation it was this group that inspired and started work within the Trust over IP working group to develop a hospitality addendum.

It became clear to me again today why we here in California need Verifiable Credentials. I teach in a CCC – a California Community College. This summer I have a class and right now is the “census deadline” to drop students who haven’t been attending class.

Below is the note we were sent regarding fraudulent student applications.

Dear Faculty teaching summer 2021 courses, Fraudulent CCC Apply applications may have impacted the enrollment of your class. If so, these would be “students” that you were likely preparing to DROP with Census for no show. It is even that much more important that you COMPLETE YOUR Census ON Time. If you are not sure if any student is from a fraudulent application, you can look at your student roster. If there is a student with no phone number listed, they may be fraudulent because this is one of the identifying markers with this statewide problem. If you have students like this that have not attended class, complete your census, and please email your class code and the student ID number to __@____.edu

I am writing this essay to support those of you who are confused about why some of the technologists keep going on and on about Intellectual Property Rights (IPR). First of all, what the heck is it? Why does it matter? How does it work? Why should we get it figured out “now” rather than later?

IPR and the tone of worry around it confused me early on in 2005 when I was just getting started leading the Internet Identity Workshop. At that first workshop, a session had been called by Johannes Ernst, who at the time had created a protocol he called LID, Lightweight IDentity, to support people using a URL they had control of to do authentication (i.e., to prove they were the owner of that URL). He called a session with the other URL-based/URL-like identity authentication protocols in the room — OpenID (when it was a LiveJournal thing), Sxip and XRI. These formed into what they called YADIS — yet another digital identity system. After they began working on it … they decided OpenID was the best name of the bunch so they called it that.

At the time they kept worrying about how they could collaborate and they sensed that they needed to have IPR dealt with, but I couldn’t understand what they were going on about. This small thing delayed them working together for a long time. They literally had to spin up a new organization, get new bylaws developed and get everyone to join and sign off on the IPR regime before they could formally talk together about how to get all work to align and come up with one protocol.

Why couldn’t they just talk together and build something? Why did they need an organization and a structure and agreements? They had met at IIW just fine and talked…but what was different when it came to formally collaborating and writing something together?

Without an IPR agreement in place, many bad things could happen that would necessitate lawyers, after which all the well-meaning people’s work could be lost. What you are saying? Lawyers and lost causes…it all sounds so dramatic.

Introduction to IP

So, where to begin. There are several different forms taken by intellectual property, and almost all of them come into play here with their own rights structures.

Patents — A patent is a form of right granted by a given government to an inventor or their successor-in-title in a given jurisdiction, giving the owner the right to exclude others from making, using, selling, offering to sell, and importing an invention for a limited period of time, in exchange for the public disclosure of the invention.

Copyright — A copyright gives the creator of an original work exclusive rights to it, usually for a limited time. Copyright may apply to a wide range of creative, intellectual, or artistic forms, or “works”.

Trademarks — A trademark is a recognizable sign, design or expression which distinguishes products or services of a particular trader from similar products or services of other traders.

Organizations of all types work together to create all three of these types of intellectual property. When employees join companies or contractors work for them, they generally sign agreements that say the work they do for hire for the company is owned by the company (not the individual people doing it), so even within organizations there are explicit systems for managing intellectual property rights.

Corporations file paperwork with the relevant government(s) to be granted patents and trademarks. They might also file for specific copyrights, but these rarely have to be filed in advance to be exerted.

Collaborating around IP

So given that IPR exists, how do you manage it when you are working together in technical communities to define specifications that are open and to collaborate on open source code. There are slightly different considerations for each, and these require different IPR regimes before companies feel safe collaborating. This post centers on specification and we will talk about the difference between Open Source and Open Standards in an upcoming article.

Let’s start with a protocol or a specification that you want to be “open”, meaning that after it is done, anyone can use it (i.e., anyone can create code that speaks the protocol). Anyone who had patents that are included in the protocol can not charge licence fees for usage of the protocol. (Nit: Some technical organizations charge a fee for the text of the specifications as a dues structure to sustain the sponsoring organization, but this is not to be conflated with licensing, since the implementation of the specification is licence fee free.) Examples of open protocols include the e-mail protocols SMTP and POP, and web protocols HTTP and HTTPS.

Companies working in technology have various things under patent. To make the space for collaboration safe for everyone, they want an organizational boundary in place that can require everyone to agree upfront (i.e., before they contribute to a specification) that they will not go after anyone who implements the standards for violating a patent they have that is included in the mechanics of the specification.

In plain language, this means that even if they hold patents related to the work being done collaboratively, they agree going forward not to charge users of the resulting, collaboratively-designed specification or protocol for the use of ideas that went into the process that are covered by patents.

Shark sightings

If you just have a group of companies collaborating on a project without an IPR boundary or “membrane” that filters out potential future patent problems, today’s goodwill between participants is little guarantee.

There is a lot of diversity in the category of future patent problems. Someone who was contributing without declaring that they hold a patent related to the work can claim they had a patent later (years after the specification is finished) and seek payment from everyone using/implementing the standard, claiming licensing rights or even lost revenue on ideas they legally own.

This sucks and it has happened before. Because this has happened before…companies are smart and they will not implement a standard that doesn’t have the sign-off from everyone who created the standard so they don’t have to deal with the future risk of being sued by one of the creators.

If work happened to be created outside an IPR framework, but at a later time everyone who created it retroactively agrees to an IPR regime, then others will be able to use it without fear. That might sound reassuring, but “everyone” is doing a lot of work in that sentence. The process of retroactively finding all the companies and individuals who contributed, particularly if work was done remotely by an open-source community including pseudonymous or volunteer members, and then having all of them and their employers’ legal counsel sign off on any post-facto agreement is very time-consuming and there is always the risk that someone won’t sign or that you can’t find one of the past contributors.

Furthermore, “significant contribution” can be difficult to define, and even more difficult to prove or disprove, so the list of parties included in “everyone” can be difficult to pin down. For this reason, guests and listeners on standards calls are often admonished not to say anything “too specific” or concrete about specific solutions to problems discussed, as those could be considered significant contributions that changed the course of the collective conversation and solutions produced by it. The tension between openness of conversations and IPR protection it is best to read the IPR agreement, and if needed get legal opinion about how you/your company can contribute if you want to.

Another hazard against which collaboration needs to be protected is that ideas discussed or generated in a working group or other collaborative context can be “taken,” i.e., patented, by any listener or observer. In fact, patents can sometimes be obtained quite quickly in other jurisdictions, or exerted retroactively to the time of first filing, so an idea can effectively be patented the day it is first discussed in any collaborative context that does not require its participants to waive all patenting rights. This kind of waiver can be daunting to for-profit participants, but it also supports collaboration of the most productive kind.

This balance is usually struck by agreeing very explicitly and in granular detail about the exact scope of a group and waiving patent rights to the resulting specification (While retaining the right to the patents for usage outside the specification), while censuring discussion beyond it.Some companies are more sensitive than others about this and really want to make sure all the pieces of a potential implementation are covered by IPR, including implementation details a little further from the working core of the code like schemata, data dictionaries, and other semantics. In the decentralized identity space, this includes not just identities and data structures but also credentials, data flows, architectural designs, etc..

Read all posted signs before jumping in deep water

Before you can contribute to an open standards working group, it is important that you always disclose (and in some cases release) any patents that might conflict with the scope of the working group. This is why the scope of working groups is defined in a charter, and why its so important to have participants adopt the charter.

It is also why it is risky to have a vague or open-ended scope, since people won’t know if their existing IP is relevant or not. Furthermore, if the working group later decides to reinterpret the scope in a way that impacts the IP of existing members, this can cause real problems, as it becomes very difficult to distinguish which ideas down the road would or would not have been arrived at without the earlier participation of the parties that did not yet know they had a patent conflict. Substantial changes in scope are generally cause to close the group and recharter a new one, to minimize this kind of legal ambiguity.

Participating actively in the scoping discussions is the best way to get a rich and multidimensional understanding of the boundaries of a given charter’s scope, and discussing with trusted (and tech-savvy) counsel is a close second. When in doubt, ask a lawyer — we are in the ideas business, after all.

Hopefully this quick introduction made clear why starting a working group (or even joining one!) is such a complex deliberative process — and gave you the tools to navigate it for yourself.

I should have written this post at the beginning of the year…but the year is still young.

I have two new part time roles that I’m really excited about.

I am the Ecosystems Director at the Covid-19 Credentials Initiative. I am working with a fantastic team helping lead/organize this community. Lucy Yang is the Community Director and John Walker is the Community Architect.

I am the Chair of the Verifiable Credentials Policy Committee which is under the Blockchain Advocacy Coalition lead by Ally Medina.

I continue my community leadership work co-chairing the Interoperability Working Group at DIF and the Secure Data Store working group at DIF/CCG.

I am publishing a weekly newsletter/summary of SSI news that covers the Identosphere. This is in partnership with Infominer. You can subscribe here and support us on Patreon here (yes two different places) .

I do an (almost) weekly podcast with Seth Goldstein called Privacy Surveillance and Anonymity Today.

I have a new page up with Media Coverage if you want to check it out.

Yes I do do consulting. If you have a question you need answered about this emerging industry. I can help you figure it out.

I just learned about the internet of people project. It seems cool…I need to dig in a bit more…but already there is a huge red flag/disconnect for me.

These are the guys who are signing off on this post they put a picture of themselves on zoom.

These are the women (many of them of color) at the top of the page.

I was so hopeful when I started reading this post that this group of women was actually leading this project. THEY ARE JUST STOCK PHOTO.

Protip: If you want to build the future of the web and make it for people your team needs women and people of color on it.

Pretending with photos doesn’t cut it.