Policy
- GDPR: Everything you need to know - is a great post by authentic explaining it at a high level that we thought would be helpful to those trying to orient. This is a round-up from Ally Medina (who was at IIW). She worked on getting AB 2004 passed in California that permitted Verifiable Credentials to be used for Covid-19 test results. It covers other California developments too.
Hearings in Wyoming this week. Go to this page and click on the 11/2/2020 meeting details. The section of interest is the 9:30 am (Wyoming time) discussion on Disclosure of private cryptographic keys.
- IPR - what is it? why does it matter?
There is a lot of diversity in the category of future patent problems. Someone who was contributing without declaring that they hold a patent related to the work can claim they had a patent later (years after the specification is finished) and seek payment from everyone using/implementing the standard, claiming licensing rights or even lost revenue on ideas they legally own.
- What Are the Six Key Areas of the FATF Consultation? Elliptic
On March 19th, Paris-based Financial Action Task Force (FATF), the global standard-setting body for anti-money laundering and counter-terrorism finance (AML/CFT), released its Draft Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers. Or, in compliance acronym speak the FATF's draft guidance for its RBA to VAs and VASPs.
- Privacy in Ontario? Webistemology John Wunderlich
MyData Canada recently submitted a report to the Government of Ontario in response to its consultation for strengthening privacy protections in Ontario.
- A US National Privacy Law Looks More Likely Than Ever
from the plethora of federal privacy bills put forward, there are three standouts:
- Consumer Online Privacy Rights Act (COPRA) (Democrats) – Sponsored in November 2019 by Democratic Senator Maria Cantwell of Washington, this bill is considered by some to be “GDPR-esque” and more consumer than business friendly.
- Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act (SAFE DATA Act) (GOP) – Combining three previous bills, the SAFE DATA Act is considered by some as more “business friendly”.
- Information Transparency and Personal Data Control Act – Re-introduced by Congresswoman Suzan DelBene (WA-01) for the fourth time (the latest on March 10, 2021), this bill “… protects personal information including data relating to financial, health, genetic, biometric, geolocation, sexual orientation, citizenship and immigration status, Social Security Numbers, and religious beliefs. It also keeps information about children under 13 years of age safe.” Beyond this it requires businesses to write their privacy policies in simple language.
this article deconstructs the self-sovereign identity model and examines how it stacks up against The Personal Data Protection Bill, 2019.
- Digital Identity Around the World: Why Some Countries are Embracing Self Sovereign Identity Quicker Hackernoon
Each government moves at its own pace for as many reasons as there are countries, and digital identity/SSI will only become a reality once governments voice their support, regulations, and standards are adopted, infrastructure is created or upgraded, and interoperability, inclusion, and education are all addressed.
The UK Information Commission’s (ICO) Children’s Code, officially known as the “Age Appropriate Design Code: a code of practice for online services,” after a year grace period, goes into effect Thursday, Sept. 2, 2021.
- The Infrastructure Bill and What it Holds for Crypto SelfKey Foundation
In this article, we’ll try to summarize the key points surrounding the infrastructure bill and the effect it has on crypto.
- [...]
it is likely that many dApp developers now need an identity solution that preserves privacy but ensures compliance – which is exactly the solution that we are building at SelfKey.
- EU DATA GOVERNANCE ACT MEETS TOIP FRAMEWORK TOIP
The DGA defines an “intermediary” that facilitates processing and sharing of data for individuals and organizations to “…increase trust in data intermediation services and foster data altruism across the EU”. In the MyData framework for user-controlled data sharing, intermediaries are called MyData Operators and there is a certification program in place.
- Executive Order on Ensuring Responsible Development of Digital Assets White House - President Biden
We must promote access to safe and affordable financial services. Many Americans are underbanked and the costs of cross-border money transfers and payments are high. The United States has a strong interest in promoting responsible innovation that expands equitable access to financial services, particularly for those Americans underserved by the traditional banking system, including by making investments and domestic and cross-border funds transfers and payments cheaper, faster, and safer, and by promoting greater and more cost-efficient access to financial products and services. The United States also has an interest in ensuring that the benefits of financial innovation are enjoyed equitably by all Americans and that any disparate impacts of financial innovation are mitigated.
On March 24th, 2022, the European Parliament and Council reached an agreement on the final version of the Digital Markets Act (DMA). According to the European Commission, the DMA regulation is expected to be reviewed and enacted by October 2022.
Canada
a framework that Digital Identity Ecosystem Participants can use to assess the degree to which the digital wallets that are part of their respective ecosystems accomplish the following:
- Provide Citizens and Consumers with a Digital Identity Wallet that complies with the human rights principles of preserving people’s privacy and control over their information.
- Introduces a consistent identity metaphor and consent-driven automated experience across all Ecosystem Participants to reduce impact on users caused by Digital Transformation.
- Contribute to a stable infrastructure with longevity and world-wide interoperability by adopting and supporting relevant standards as appropriate (e.g., W3C Standards for Verifiable Credentials and DIDs).
- Counter cyber vulnerability and extortion by enabling Service Providers to incrementally replace existing login mechanisms, some of which may be exploitable, without suffering negative impact to business.
- Establish an environment of trust within which the wallet’s owner can interact with other Ecosystem Participants such as Issuers, Verifiers, and other Relying Parties.
- Digital Identity and Attributes Trust Framework State of Identity
Do you trust technology and government to protect your data? On this week's State of Identity podcast, host, Cameron D'Ambrosi is joined by Gareth Narinesingh, Head of Digital Identity at HooYu to discuss the bridge between payments and identity wallets, the UK's next big push in adopting shared identity standards, and the foundation of decentralized identity verification across Web3 applications and the metaverse.
- UK Draft Digital Identity Framework Published Research Live
Updates to the framework include new guidance on creating a consistent approach on user experience, rules on how to manage digital identity accounts, clearer definitions for the framework’s role and details on how organisations will be certified.
Let’s examine how SSI meets each of the articles from #13 to #22.
-
SSI is a digital movement that aims to enable individuals or organizations to have sole ownership of their identity, and to have control over how their data is shared and used.
-
The Policymaker’s Guide to Respectful Technology in Legislation
What most people want but don’t have the terms to describe is respectful digital relationships. In the same way there is an unspoken code for respectful behavior in physical-realm relationships, this same type of behavior is just as essential when engaging with an online service or website.
-
Overview of Member States' eID strategies
The report focusses on the approaches towards eID outlined in national strategy documents, together with other supporting documentation and web resources, with the aim of offering a thorough understanding of the eID state of play across Europe.
-
Understanding the MiCA and Pilot Regime crypto regulation
The European Commission’s proposal for the regulation of crypto-assets markets is based on two draft texts:
- MiCA (Markets in Crypto-Assets Regulation) whose scope covers cryptocurrencies, utility tokens and stablecoins;
- the Pilot Regime Regulation for DLT Market Infrastructures (PRR) project. With these two texts, the Commission’s goal is to regulate crypto-asset players and not the assets as such.
- EU Data Governance Act officially released
foster the availability of data for use by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU
One of MyDex CIC’s founders, Alan Mitchell, shares a feeling of vindication in a post celebrating the company’s early articulation of key principles and how the EU’s proposed new Data Governance Act aligns with that.
These providers will have to comply with a number of requirements, in particular the requirement to remain neutral as regards the data exchanged. They cannot use such data for other purposes. In the case of providers of data sharing services offering services for natural persons, the additional criterion of assuming fiduciary duties towards the individuals using them will also have to be met.
-
In a digital age, how can we reconnect values, principles and rules? Kaliya Young and Tony Fish
“what do we think is the north star for data and identity and on what principle they are built?” How do these principles help us agree on risks, and will our existing rules help or hinder us?
-
Data Broker Registry State of California Department of Justice
California law requires a data broker, as defined in California Civil Code § 1798.99.80, to register with the Attorney General on its internet website that is accessible to the public, on or before January 31 following each year in which a business meets the definition of a data broker.
- Establish a task force made up of key federal agencies and state representatives.
- Direct NIST to create a new framework of standards to guide agencies in implementing identity systems.
- Establish a grant program within the DHS to support states in upgrading.
- Data Exchange Board to Improve the EU Data Governance Act
- Utah State Legislature Passes Facial Recognition Bill
The Utah bill, on the other hand, allows public agencies to use facial recognition as long as certain guidelines are followed. Most notably, law enforcement officers must submit a written request before performing a facial recognition search, and must be able to provide a valid reason for doing so.
The Financial Action Task Force (FATF) held its winter Plenary session on 22nd, 24th, and 25th February and welcomed over 205 delegates to its third virtual conference since the start of the pandemic.
Indian Data Legislation
-
Revisiting the non-personal data governance framework
In July 2020, an expert committee established by the Ministry of Electronics and Information Technology (MEITY) released a report on the Non-Personal Data (NPD) governance framework for India. The document is well-intentioned in that it recognises the public value of data, and the need to democratise its use.
-
Potential Impacts of Draft India Personal Data Protection Bill (PDPB) (Deloitte)
-
CIO Jamie Holcombe says identity verification with blockchain might be in the future for USPTO and talks about navigating changes in policy & law when considering a distributed ledger to store patents & trademarks. Among the interesting questions: do we start with patent #1 (applicant: George Washington)?
-
Katryna Dow - Data minimisation: value, trust and obligation
Katryna talks to Oscar about her career (including inspiration from Minority Report), Meeco’s personal data & distributed ledger platform, the importance of data minimisation to inspire trust in organisations, and cultural differences in attitudes towards digital identity.
-
Data: Governance and Geopolitics Tony Fish
How data is governed can be thought of along several lines of activity: legislating privacy and data use, regulating content, using antitrust laws to dilute data monopolies, self-regulating by the tech giants, regulating digital trade, addressing intellectual property rights (IPR) infringement, assuring cybersecurity, and practicing cyber diplomacy. Of these, antitrust, regulation, and privacy are most immediately in the spotlight, and are the focus of this commentary, but it will also touch briefly on the connections with other issues.
-
The OpenID Foundation (OIDF), the international standards development organization which maintains the OpenID Connect for Identity Assurance (OIDC4IDA) standard, and the Japanese Government’s Ministry of Economy, Trade and Industry (METI) have signed a liaison agreement to work together.
Under the agreement, METI will lead policy efforts to implement identity assurance frameworks for legal entities in Japanese Government and private sector while the OIDF’s eKYC & Identity Assurance (eKYC & IDA) Working Group continues to advance the technical standards that enable many digital identity solutions. The agreement:
- Provides a mechanism to collaborate “about Authentication and Identity Assurance for Legal Entity”, mutually approved white papers, workshops, podcasts and other outreach activities;
- Allows participation of each party’s staff and members in the other party’s meetings, as mutually agreed;
- Provides for direct communications to communicate (without obligation and only to the extent each party chooses) about new work and upcoming meetings;
- Supports common goals, including where appropriate and mutually agreed, to Specifications of Authentication and Identity Assurance for Legal Entity.
- End-To-End Encryption is Too Important to Be Proprietary Cory Doctorow
End-to-end messaging encryption is a domain where mistakes matter. The current draft of the DMA imposes a tight deadline for interoperability to begin (on the reasonable assumption that Big Tech monopolists will drag their feet otherwise) and this is not a job you want to rush.
On May 4th, California Governor Gavin Newsom signed into effect a “Blockchain Executive Order”
“[to] assess how to deploy blockchain technology for state and public institutions, and build research and workforce development pathways to prepare Californians for success in this industry”.
Bedoya’s research has shined a light on digital surveillance and its impact on people of color, immigrants, and the working class. He founded the Center on Privacy & Technology at Georgetown Law to focus on the importance of consumer privacy rights.
- Response to FinCEN RFI Centre
In this letter, we focus on two questions relevant to identifying Bank Secrecy Act (“BSA”) regulations and guidance that may be outdated, redundant, or do not promote a risk-based AML/CFT regulatory regime for financial institutions.
- Trust in the digital space Lissi ID
Would we rather have a high level of security or self-sovereignty? Unfortunately, the two aspects are at different ends of the spectrum. If we only allow pre-verified and approved parties to retrieve identity data, as currently envisaged by the eIDAS regulation, this severely restricts usage
- Canada: Enabling Self-Sovereign Identity Tim Bouma
Older article not covered here, yet
The adoption of the self-sovereign identity model within the Canadian public sector is still being realized in 2020. It is too early to tell how it will change the technological infrastructure or the institutional infrastructure of Canadian public services.
- Old Policy, New Tech: Reconciling Permissioned Blockchain Systems with Transatlantic Privacy Frameworks By Remy Hellstern and Victoria Lemieux
This paper will explore the global conversation and consensus around data privacy regulation, with specific attention to the European Union and Canada. It will work to understand how blockchain-based firms situate themselves amid this regulation in relation to the storage of personally identifiable information by looking at relevant policy decisions, legal cases, and commentary from regulatory bodies and commissions.
California
- Our Input to the California Privacy Protection Agency (CPPA) Pre-Rulemaking Stakeholder Sessions Me2BA
California is a major center of new privacy law and regulation, creating opportunities for internet safety advocates to help design policies that will ripple out well beyond the state’s borders. Their Privacy Rights Act (CPRA), passed by ballot proposition in 2020, created the California Privacy Protection Agency (CPPA), which seems to be getting closer to initiating its first formal rulemaking process.
- Invest in a public/private partnership to co-develop a self-sovereign identity solution for Europe.
Specifically, the FTC will be more closely monitoring all companies covered by the Children’s Online Privacy Protection Act of 1998 (COPPA), with particular attention to ed tech, to ensure that children have access to educational tools without being subject to surveillance capitalism.
In this letter, we focus on a couple of issues that would be beneficial in expanding the Australian regulatory frameworks to include crypto assets. Furthermore, our comments pertain specifically to fiat-backed stablecoins, which are backed on a 1:1 basis by reserve assets, such as bank deposits and short-term government bonds.
- Our Input to the California Privacy Protection Agency (CPPA) Pre-Rulemaking Stakeholder Sessions Me2Ba
We have monitored and involved ourselves in this new agency since its inception, and Lisa LeVasseur (our Executive Director) and Noreen Whysel (Director of Validation Research) shared their expertise on product audits and dark patterns, respectively, in a recent pre-rulemaking CPPA Stakeholder Session (May 5-6).
Last week, the Prime Minister of Finland, Sanna Marin, stated that she will not give consent to the media to take and publish photos of her child. This led to wide discussion and international headlines – even though the right to privacy is guaranteed under the Convention on the Rights of the Child.
- Postcard from the UK DIGITAL IDENTITY NEW ZEALAND
It is on this last point that I do see a slight gap between the UK and Aotearoa. In the UK and in Europe more generally there seems to be more awareness of, and a sense of urgency around, the vulnerability of mobile smartphones, given the expectation that they will be the device of choice for most people to download digital identity related wallet apps.
American Data Privacy and Protection Act
- The Federal Trade Commission would have to maintain a public registry of data brokers and present a way for users to opt out of targeted advertisements and other data sharing practices.
- Consumers could access, correct and delete their own data and companies would have to tell third parties to change user data where users request it.
- What is the American Data Privacy and Protection Act? IdentityReview
If a business has had an annual revenue less than “$41 million, did not collect or process the data of more than 100,000 individuals, and did not derive more than 50% of revenue from transferring personal information” in the last three years, they are not considered a covered entity in this bill.
A hearing on the proposed regulations will occur on August 24 and 25, 2022 at 9:00 am Pacific Time. Media and members of the public are encouraged to RSVP via the link above.
Persons who wish to submit written comments on the proposed regulations must submit them by August 23, 2022
- Soulbound Tokens, Trust Networks, and California's Big Test Wrenchinthegears
California SB1190 that would establish a “Trust Framework” at the state level. This bill was introduced to the state senate in early March by Robert Hertzberg, close friend of Los Angeles billionaire investor Nicholas Berggruen
There is a common misconception that cryptoassets provide a ready-made avenue for sanctions evasion because they sit outside the regulatory and legal perimeter. In fact, sanctions authorities in many jurisdictions have ensured that relevant legal and regulatory requirements apply comprehensively to activity conducted in cryptoassets.
The FTC is issuing an advanced notice of proposed rule-making to address commercial surveillance, the “business of collecting, analyzing, and profiting from information about people”. [...] The public can offer input on the FTC notice and the commission will hold a virtual public forum on 8 September.
The intention of the European Commission is to allow – or even force – acceptance in a wide range of sectors in the public and private domain and thereby ensure that identities are as wisely usable as possible (interoperability). The principle of consent will also be met, as it is already fulfilled with current eID solutions notified under eIDAS and other EU regulations, such as GDPR and PSD2. One of the explicit requirements of the proposal is selective disclosure, in line with GDPR’s rules on data minimalisation.
The plan also signals that Beijing will take a more active role in handling the personal data generated by these platforms. Some of the directives outlined in the plan require any user-facing aspect of the digital human industry to be subject to rules that protect information about and generated by platform users, while also treating user data as a resource to be traded on the country’s new data exchanges.
Hiring
Hey Tech Twitter, @TruvityHQ (where I work) is hiring engineers for the Infrastructure Developer (Go/Kubernetes) role, details are on the thread
Kaliya met the CEO this week at the Open Source Summit Dublin and was impressed.
The Verifiable Credentials Policy Committee (that Kaliya chairs) in California had a big win this week.
-
California Moves Forward to Allow Vital Records to be Issued on Blockchain Coindesk
-
approved another on Wednesday that instructs county records offices to allow for the use of blockchain technology and verifiable credentials. The technology would be established in the distribution of birth, death and marriage records, allowing PDFs to be sent immediately rather than using a typical 10-day postal delivery.
Policy
- 6 months of KI Identity Assurance in the UK Kantara Initiative
We believe it is vital that certification bodies work with DCMS and UKAS in a spirit of partnership – bringing together the cumulative value of dozens of great minds! To this end, we have been encouraged by the proactive approach of DCMS in creating forums where the 5 certification bodies can discuss ideas and feedback on the program in action.
I know almost everyone can probably find something that they wished were different in the bill. On the other hand, I do think we have a band-aid for the American people who are just fed up with the lack of privacy online
- Blueprint for an AI Bill of Rights - MAKING AUTOMATED SYSTEMS WORK FOR THE AMERICAN PEOPLE Whitehouse.Gov
Responding to the experiences of the American public, and informed by insights from researchers, technologists, advocates, journalists, and policymakers, this framework is accompanied by From Principles to Practice—a handbook for anyone seeking to incorporate these protections into policy and practice
- California Legalizes Blockchain-based Vital Records MobileDataWorld
As an abstract of the bill explains, while existing law requires such records “to contain certain information and to be printed on chemically sensitized security paper, as specified,” the new legislation enables a county recorder to, upon request, issue a birth, death, or marriage record “by means of verifiable credential, as defined, using blockchain technology, defined as a decentralized data system, in which the data stored is mathematically verifiable, that uses distributed ledgers or databases to store specialized data in the permanent order of transactions recorded.”
Is the EU discussion about data portability missing a key point?
In its discussion of data portability the EU rightly recognises the economic importance of this issue, stressing that “market imbalances arising from the concentration of data restricts competition, increases market entry barriers and diminishes wider data access and use.”
Verifiable Credentials
- Verifiable Credentials: Mapping to a Generic Policy Terminology
Why is this useful? When writing policy, you need a succinct model which is clear enough for subsequent interpretation. To do this, you need conceptual buckets to drop things into. Yes, this model is likely to change, but it’s my best and latest crack at it to synthesize the complex world of digital credentials with an abstraction that might be useful to help us align existing solutions while adopting exciting new capabilities.
- VCs Policy Committee (California) – Participate in passing legislation to create a California Trust Framework! by Kaliya Young, Ally Medina Slides
discussed how the Blockchain Advocacy Coalition’s sponsorship of AB 2004 pushed verifiable credentials into mainstream political discourse and how companies can help us shape public policy and government pilot programs of Verifiable Credential technology.
We are planning on working with legislators to introduce a bill that creates a California Trust Framework and lays the groundwork for use of the technology in the public and private sector.