decentralized-id.github.io/_posts/identosphere-dump/public_sector/policy.md
2022-12-02 03:40:42 -05:00


Policy

  • GDPR: Everything you need to know - a great post by Authentic explaining GDPR at a high level; we thought it would be helpful to those trying to orient. Also in this issue, a round-up from Ally Medina (who was at IIW). She worked on getting AB 2004 passed in California, which permitted Verifiable Credentials to be used for Covid-19 test results. It covers other California developments too.

Hearings in Wyoming this week. Go to this page and click on the 11/2/2020 meeting details. The section of interest is the 9:30 am (Wyoming time) discussion on "Disclosure of private cryptographic keys".

  • Consumer Online Privacy Rights Act (COPRA) (Democrats) – Sponsored in November 2019 by Democratic Senator Maria Cantwell of Washington, this bill is considered by some to be "GDPR-esque" and more consumer-friendly than business-friendly.
  • Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act (SAFE DATA Act) (GOP) – Combining three previous bills, the SAFE DATA Act is considered by some to be more "business-friendly".
  • Information Transparency and Personal Data Control Act – Re-introduced by Congresswoman Suzan DelBene (WA-01) for the fourth time (most recently on March 10, 2021), this bill "… protects personal information including data relating to financial, health, genetic, biometric, geolocation, sexual orientation, citizenship and immigration status, Social Security Numbers, and religious beliefs. It also keeps information about children under 13 years of age safe." Beyond this, it "requires businesses to write their privacy policies in simple language."

This article deconstructs the self-sovereign identity model and examines how it stacks up against India's Personal Data Protection Bill, 2019.

Each government moves at its own pace for as many reasons as there are countries, and digital identity/SSI will only become a reality once governments voice their support, regulations, and standards are adopted, infrastructure is created or upgraded, and interoperability, inclusion, and education are all addressed.

The UK Information Commissioner's Office (ICO) Children's Code, officially known as the "Age Appropriate Design Code: a code of practice for online services," goes into effect Thursday, Sept. 2, 2021, after a one-year grace period.

In this article, we'll try to summarize the key points surrounding the infrastructure bill and the effect it has on crypto.

  • [...]

It is likely that many dApp developers now need an identity solution that preserves privacy but ensures compliance, which is exactly the solution that we are building at SelfKey.

EU Data Governance Act meets ToIP Framework (ToIP)

The DGA defines an “intermediary” that facilitates processing and sharing of data for individuals and organizations to “…increase trust in data intermediation services and foster data altruism across the EU”. In the MyData framework for user-controlled data sharing, intermediaries are called MyData Operators and there is a certification program in place.

We must promote access to safe and affordable financial services.  Many Americans are underbanked and the costs of cross-border money transfers and payments are high.  The United States has a strong interest in promoting responsible innovation that expands equitable access to financial services, particularly for those Americans underserved by the traditional banking system, including by making investments and domestic and cross-border funds transfers and payments cheaper, faster, and safer, and by promoting greater and more cost-efficient access to financial products and services.  The United States also has an interest in ensuring that the benefits of financial innovation are enjoyed equitably by all Americans and that any disparate impacts of financial innovation are mitigated.

On March 24th, 2022, the European Parliament and Council reached an agreement on the final version of the Digital Markets Act (DMA). According to the European Commission, the DMA regulation is expected to be reviewed and enacted by October 2022.

Canada

A framework that Digital Identity Ecosystem Participants can use to assess the degree to which the digital wallets that are part of their respective ecosystems accomplish the following:

  1. Provide Citizens and Consumers with a Digital Identity Wallet that complies with the human rights principles of preserving people's privacy and control over their information.
  2. Introduce a consistent identity metaphor and consent-driven automated experience across all Ecosystem Participants to reduce the impact on users caused by Digital Transformation.
  3. Contribute to a stable infrastructure with longevity and world-wide interoperability by adopting and supporting relevant standards as appropriate (e.g., W3C Standards for Verifiable Credentials and DIDs).
  4. Counter cyber vulnerability and extortion by enabling Service Providers to incrementally replace existing login mechanisms, some of which may be exploitable, without suffering negative impact to business.
  5. Establish an environment of trust within which the wallet's owner can interact with other Ecosystem Participants such as Issuers, Verifiers, and other Relying Parties.

Do you trust technology and government to protect your data? On this week's State of Identity podcast, host Cameron D'Ambrosi is joined by Gareth Narinesingh, Head of Digital Identity at HooYu, to discuss the bridge between payments and identity wallets, the UK's next big push in adopting shared identity standards, and the foundation of decentralized identity verification across Web3 applications and the metaverse.

Updates to the framework include new guidance on creating a consistent approach to user experience, rules on how to manage digital identity accounts, clearer definitions of the framework's role, and details on how organisations will be certified.

Let's examine how SSI meets each of the GDPR articles from #13 to #22.

What most people want but don't have the terms to describe is respectful digital relationships. In the same way there is an unspoken code for respectful behavior in physical-realm relationships, this same type of behavior is just as essential when engaging with an online service or website.

  • MiCA (Markets in Crypto-Assets Regulation), whose scope covers cryptocurrencies, utility tokens and stablecoins;
  • the Pilot Regime Regulation for DLT Market Infrastructures (PRR) project. With these two texts, the Commission's goal is to regulate crypto-asset players and not the assets as such.

One of MyDex CIC's founders, Alan Mitchell, shares a feeling of vindication in a post celebrating the company's early articulation of key principles and how the EU's proposed new Data Governance Act aligns with them.

These providers will have to comply with a number of requirements, in particular the requirement to remain neutral as regards the data exchanged. They cannot use such data for other purposes. In the case of providers of data sharing services offering services for natural persons, the additional criterion of assuming fiduciary duties towards the individuals using them will also have to be met.

California law requires a data broker, as defined in California Civil Code § 1798.99.80, to register with the Attorney General, who publishes the registry on its publicly accessible internet website, on or before January 31 following each year in which a business meets the definition of a data broker.

  • Establish a task force made up of key federal agencies and state representatives.
  • Direct NIST to create a new framework of standards to guide agencies in implementing identity systems.
  • Establish a grant program within the DHS to support states in upgrading.

The Utah bill, on the other hand, allows public agencies to use facial recognition as long as certain guidelines are followed. Most notably, law enforcement officers must submit a written request before performing a facial recognition search, and must be able to provide a valid reason for doing so.

The Financial Action Task Force (FATF) held its winter Plenary session on 22nd, 24th, and 25th February and welcomed over 205 delegates to its third virtual conference since the start of the pandemic.

Indian Data Legislation

  • Revisiting the non-personal data governance framework

    In July 2020, an expert committee established by the Ministry of Electronics and Information Technology (MEITY) released a report on the Non-Personal Data (NPD) governance framework for India. The document is well-intentioned in that it recognises the public value of data, and the need to democratise its use.

  • Potential Impacts of Draft India Personal Data Protection Bill (PDPB) (Deloitte)

  • USPTO: CIO Jamie Holcombe

    CIO Jamie Holcombe says identity verification with blockchain might be in the future for USPTO and talks about navigating changes in policy & law when considering a distributed ledger to store patents & trademarks. Among the interesting questions: do we start with patent #1 (applicant: George Washington)?

  • Katryna Dow - Data minimisation: value, trust and obligation

    Katryna talks to Oscar about her career (including inspiration from Minority Report), Meeco's personal data and distributed ledger platform, the importance of data minimisation to inspire trust in organisations, and cultural differences in attitudes towards digital identity.

  • Data: Governance and Geopolitics Tony Fish

    How data is governed can be thought of along several lines of activity: legislating privacy and data use, regulating content, using antitrust laws to dilute data monopolies, self-regulating by the tech giants, regulating digital trade, addressing intellectual property rights (IPR) infringement, assuring cybersecurity, and practicing cyber diplomacy. Of these, antitrust, regulation, and privacy are most immediately in the spotlight, and are the focus of this commentary, but it will also touch briefly on the connections with other issues.

  • Ministry of Economy, Trade and Industry and OpenID Foundation in Liaison Agreement on eKYC & IDA for Legal Entities

    The OpenID Foundation (OIDF), the international standards development organization which maintains the OpenID Connect for Identity Assurance (OIDC4IDA) standard, and the Japanese Government's Ministry of Economy, Trade and Industry (METI) have signed a liaison agreement to work together.

Under the agreement, METI will lead policy efforts to implement identity assurance frameworks for legal entities in the Japanese Government and private sector, while the OIDF's eKYC & Identity Assurance (eKYC & IDA) Working Group continues to advance the technical standards that enable many digital identity solutions. The agreement:

  • Provides a mechanism to collaborate "about Authentication and Identity Assurance for Legal Entity" through mutually approved white papers, workshops, podcasts and other outreach activities;
  • Allows participation of each party's staff and members in the other party's meetings, as mutually agreed;
  • Provides for direct communication (without obligation and only to the extent each party chooses) about new work and upcoming meetings;
  • Supports common goals, including, where appropriate and mutually agreed, specifications for Authentication and Identity Assurance for Legal Entity.

End-to-end messaging encryption is a domain where mistakes matter. The current draft of the DMA imposes a tight deadline for interoperability to begin (on the reasonable assumption that Big Tech monopolists will drag their feet otherwise) and this is not a job you want to rush.

On May 4th, California Governor Gavin Newsom signed into effect a “Blockchain Executive Order”

“[to] assess how to deploy blockchain technology for state and public institutions, and build research and workforce development pathways to prepare Californians for success in this industry”.

Bedoya's research has shined a light on digital surveillance and its impact on people of color, immigrants, and the working class. He founded the Center on Privacy & Technology at Georgetown Law to focus on the importance of consumer privacy rights.

In this letter, we focus on two questions relevant to identifying Bank Secrecy Act ("BSA") regulations and guidance that may be outdated, redundant, or do not promote a risk-based AML/CFT regulatory regime for financial institutions.

Would we rather have a high level of security or self-sovereignty? Unfortunately, the two aspects are at different ends of the spectrum. If we only allow pre-verified and approved parties to retrieve identity data, as currently envisaged by the eIDAS regulation, this severely restricts usage.

Older articles not covered here yet

The adoption of the self-sovereign identity model within the Canadian public sector is still being realized in 2020. It is too early to tell how it will change the technological infrastructure or the institutional infrastructure of Canadian public services.

This paper will explore the global conversation and consensus around data privacy regulation, with specific attention to the European Union and Canada. It will work to understand how blockchain-based firms situate themselves amid this regulation in relation to the storage of personally identifiable information by looking at relevant policy decisions, legal cases, and commentary from regulatory bodies and commissions.

California

California is a major center of new privacy law and regulation, creating opportunities for internet safety advocates to help design policies that will ripple out well beyond the state's borders. The California Privacy Rights Act (CPRA), passed by ballot proposition in 2020, created the California Privacy Protection Agency (CPPA), which seems to be getting closer to initiating its first formal rulemaking process.

  1. Invest in a public/private partnership to co-develop a self-sovereign identity solution for Europe.

Specifically, the FTC will be more closely monitoring all companies covered by the Children's Online Privacy Protection Act of 1998 (COPPA), with particular attention to ed tech, to ensure that children have access to educational tools without being subject to surveillance capitalism.

In this letter, we focus on a couple of issues that would be beneficial in expanding the Australian regulatory frameworks to include crypto assets. Furthermore, our comments pertain specifically to fiat-backed stablecoins, which are backed on a 1:1 basis by reserve assets, such as bank deposits and short-term government bonds.

We have monitored and involved ourselves in this new agency since its inception, and Lisa LeVasseur (our Executive Director) and Noreen Whysel (Director of Validation Research) shared their expertise on product audits and dark patterns, respectively, in a recent pre-rulemaking CPPA Stakeholder Session (May 5-6).

Last week, the Prime Minister of Finland, Sanna Marin, stated that she will not give consent to the media to take and publish photos of her child. This led to wide discussion and international headlines, even though the right to privacy is guaranteed under the Convention on the Rights of the Child.

It is on this last point that I do see a slight gap between the UK and Aotearoa. In the UK and in Europe more generally there seems to be more awareness of, and a sense of urgency around, the vulnerability of mobile smartphones, given the expectation that they will be the device of choice for most people to download digital identity related wallet apps.

American Data Privacy and Protection Act

  • The Federal Trade Commission would have to maintain a public registry of data brokers and present a way for users to opt out of targeted advertisements and other data sharing practices.
  • Consumers could access, correct and delete their own data and companies would have to tell third parties to change user data where users request it.

If a business has had an annual revenue less than “$41 million, did not collect or process the data of more than 100,000 individuals, and did not derive more than 50% of revenue from transferring personal information” in the last three years, they are not considered a covered entity in this bill.

A hearing on the proposed regulations will occur on August 24 and 25, 2022 at 9:00 am Pacific Time. Media and members of the public are encouraged to RSVP via the link above.

Persons who wish to submit written comments on the proposed regulations must submit them by August 23, 2022.

California SB 1190 would establish a "Trust Framework" at the state level. The bill was introduced in the state senate in early March by Robert Hertzberg, close friend of Los Angeles billionaire investor Nicholas Berggruen.

There is a common misconception that cryptoassets provide a ready-made avenue for sanctions evasion because they sit outside the regulatory and legal perimeter. In fact, sanctions authorities in many jurisdictions have ensured that relevant legal and regulatory requirements apply comprehensively to activity conducted in cryptoassets.

The FTC is issuing an advanced notice of proposed rule-making to address commercial surveillance, the “business of collecting, analyzing, and profiting from information about people”. [...] The public can offer input on the FTC notice and the commission will hold a virtual public forum on 8 September.

The intention of the European Commission is to allow or even force acceptance in a wide range of sectors in the public and private domain and thereby ensure that identities are as widely usable as possible (interoperability). The principle of consent will also be met, as it is already fulfilled with current eID solutions notified under eIDAS and other EU regulations, such as GDPR and PSD2. One of the explicit requirements of the proposal is selective disclosure, in line with GDPR's rules on data minimisation.

The plan also signals that Beijing will take a more active role in handling the personal data generated by these platforms. Some of the directives outlined in the plan require any user-facing aspect of the digital human industry to be subject to rules that protect information about and generated by platform users, while also treating user data as a resource to be traded on the country's new data exchanges.

Hiring

Hey Tech Twitter, @TruvityHQ (where I work) is hiring engineers for the Infrastructure Developer (Go/Kubernetes) role, details are on the thread

Kaliya met the CEO this week at the Open Source Summit Dublin and was impressed.

The Verifiable Credentials Policy Committee (which Kaliya chairs) in California had a big win this week.

Policy

We believe it is vital that certification bodies work with DCMS and UKAS in a spirit of partnership, bringing together the cumulative value of dozens of great minds! To this end, we have been encouraged by the proactive approach of DCMS in creating forums where the 5 certification bodies can discuss ideas and feedback on the program in action.

I know almost everyone can probably find something that they wished were different in the bill. On the other hand, I do think we have a band-aid for the American people who are just fed up with the lack of privacy online.

Responding to the experiences of the American public, and informed by insights from researchers, technologists, advocates, journalists, and policymakers, this framework is accompanied by From Principles to Practice, a handbook for anyone seeking to incorporate these protections into policy and practice.

As an abstract of the bill explains, while existing law requires such records “to contain certain information and to be printed on chemically sensitized security paper, as specified,” the new legislation enables a county recorder to, upon request, issue a birth, death, or marriage record “by means of verifiable credential, as defined, using blockchain technology, defined as a decentralized data system, in which the data stored is mathematically verifiable, that uses distributed ledgers or databases to store specialized data in the permanent order of transactions recorded.”

Is the EU discussion about data portability missing a key point?

In its discussion of data portability the EU rightly recognises the economic importance of this issue, stressing that “market imbalances arising from the concentration of data restricts competition, increases market entry barriers and diminishes wider data access and use.”

Verifiable Credentials

  • Verifiable Credentials: Mapping to a Generic Policy Terminology

    Why is this useful? When writing policy, you need a succinct model which is clear enough for subsequent interpretation. To do this, you need conceptual buckets to drop things into. Yes, this model is likely to change, but it's my best and latest crack at synthesizing the complex world of digital credentials with an abstraction that might be useful to help us align existing solutions while adopting exciting new capabilities.

  • VCs Policy Committee (California): Participate in passing legislation to create a California Trust Framework! by Kaliya Young and Ally Medina (Slides)

    Discussed how the Blockchain Advocacy Coalition's sponsorship of AB 2004 pushed verifiable credentials into mainstream political discourse, and how companies can help us shape public policy and government pilot programs of Verifiable Credential technology.

    We are planning on working with legislators to introduce a bill that creates a California Trust Framework and lays the groundwork for use of the technology in the public and private sector.