Re: [GNAP] Human rights perspective on W3C and IETF protocol interaction

Bron Gondwana <brong@fastmailteam.com> Thu, 06 January 2022 00:08 UTC

Return-Path: <brong@fastmailteam.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4560C3A0D3F for <txauth@ietfa.amsl.com>; Wed, 5 Jan 2022 16:08:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmailteam.com header.b=gqr/l9fx; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=hyIgrzmw
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lvBtolahMDRV for <txauth@ietfa.amsl.com>; Wed, 5 Jan 2022 16:08:13 -0800 (PST)
Received: from wout2-smtp.messagingengine.com (wout2-smtp.messagingengine.com [64.147.123.25]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34B403A0D3D for <txauth@ietf.org>; Wed, 5 Jan 2022 16:08:13 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id 0467E3201DFB; Wed, 5 Jan 2022 19:08:10 -0500 (EST)
Received: from imap43 ([10.202.2.93]) by compute1.internal (MEProxy); Wed, 05 Jan 2022 19:08:11 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= fastmailteam.com; h=mime-version:message-id:in-reply-to :references:date:from:to:cc:subject:content-type; s=fm1; bh=akO4 M+/8PrLevOtEY2hbY/lAk5ToMSbLv6p3MCp6Osw=; b=gqr/l9fx9szXKyOoArIG MV7JqeRjwD0DP6EFBDBf35i7Xs6d3YCYYg6vYb2oBQvfxO2PfAmk4TNKMchJKdVU cgcb7MILmnLtACmy8gdL53dfCtQyLrEiv3Cu0H/tIbDoBHI1G89euaccbI/g7pHY 9KyZr8xQXryo6ykJqSAmM/xvfDPDJF4YuAG6UOtI42w0B/5ce9MmsbzBjFlXr3qG 4XA/KVthWt5i9BtkzKaER37uPsn+JQJIo8pb9f9hchdhHqPZLjxR1Xbe9seaJb1U YmeTjcYzIvVu/Z7swv0n15lLvHFb5JDPJ8zl131fqQ1RmNA7mLmgOSypFyXSxpHv lg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=akO4M+ /8PrLevOtEY2hbY/lAk5ToMSbLv6p3MCp6Osw=; b=hyIgrzmw6CyYZgxAyYE6uo acmNtP4XpdDaVFtcICobnod/RcFLmhoqYTiHDNRa49fQKtQ/pVxCfSZ70SmCr8cE W+WQTn9oFoNMHHGzyKHbCV21gxxN1XvR06aFClWXR/WsN9k9uKtddwSW6GC2PfmR XIxnHg/WiRRkIJVaqmrW0G/F+DaB9qBInT0PqL/ZA2onw+xYK+egYh39QXroLFnp Fw91aUfS3WLtQTXND+j9Q11TUZ6pbCcbyTZtfeNdXtZxpe0Q1rxuIYxc35WHIgHA XA0+Y7P1BHmIzoyWwlSqMUgKa+K6JqazB7anQTWljWWweXHvcYbDDIRv31/rTbCg ==
X-ME-Sender: <xms:6TLWYWnlyjmrm86pbKOrh9DlJVFFM3o0gYbg0-hez1A3qsX7XD1NzA> <xme:6TLWYd0fQriLPDwCgm9wA1emaLg5yv-4NbQ00xhtS4rj9ALRzW0djlf9UfEfMhxBl QfDk5rn-8Y>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvuddrudefjedgleeiucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepofgfggfkjghffffhvffutgesrgdtreerreerjeenucfhrhhomhepfdeurhho nhcuifhonhgufigrnhgrfdcuoegsrhhonhhgsehfrghsthhmrghilhhtvggrmhdrtghomh eqnecuggftrfgrthhtvghrnhepvdfghfetffehuedtuedvfeehkeduhfdvgeetkeffgedt ueeludeijeeikeeltdeknecuffhomhgrihhnpehunhdrohhrghdpfhhorhgufhhouhhnug grthhiohhnrdhorhhgpdhohhgthhhrrdhorhhgpdhilhhordhorhhgpdhrvgguvggtvghn thhrrghlihiivgdrohhrghdpihgvthhfrdhorhhgpdiffedrohhrghdphihouhhtuhgsvg drtghomhenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhm pegsrhhonhhgsehfrghsthhmrghilhhtvggrmhdrtghomh
X-ME-Proxy: <xmx:6jLWYUp35Nnxsz0eb_0p01__2nb3738o6pseqgKmzQbRntJsSn2l3A> <xmx:6jLWYamyjnJ4LmKIL17_jG_fgpohEY_wItsuJkATX5o1p1irU9F4eg> <xmx:6jLWYU2sVXmz-quhAUwWv2nGZYf4MGOTAxsfxtVxy6wAzCs5H-rCzA> <xmx:6jLWYR8KIEq-1XY0sal_AougXNfkluY9rHKPrbd18zz0O0nydxeNBQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id EEA2BAC0E99; Wed, 5 Jan 2022 19:08:09 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-4526-gbc24f4957e-fm-20220105.001-gbc24f495
Mime-Version: 1.0
Message-Id: <fdab6ef0-7b59-4c15-b43c-3200463d39ad@dogfood.fastmail.com>
In-Reply-To: <CANYRo8jUaP=9eX3HJWhFOmMCeaU7gkTQ9FdLg3=E61AUFQv8qQ@mail.gmail.com>
References: <CANYRo8i=H3p23boH4OQ6sCXds8ADqaizwDHebE6-xMP2mZ5QEg@mail.gmail.com> <CAA1s49VWs_Qe9qryJOwWG4oHTS6Wa-6p6jAVSDT6Vqn4cwdUwQ@mail.gmail.com> <CANYRo8jUaP=9eX3HJWhFOmMCeaU7gkTQ9FdLg3=E61AUFQv8qQ@mail.gmail.com>
Date: Thu, 06 Jan 2022 11:07:49 +1100
From: "Bron Gondwana" <brong@fastmailteam.com>
To: "Adrian Gropper" <agropper@healthurl.com>, "Bob Wyman" <bob@wyman.us>
Cc: "W3C Credentials Community Group" <public-credentials@w3.org>, "GNAP Mailing List" <txauth@ietf.org>
Content-Type: multipart/alternative; boundary=07040a3e17a446549980b06badfa5d99
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/ShbZLZ5IAZryK5zzqPLgXH5ixe8>
Subject: Re: [GNAP] Human rights perspective on W3C and IETF protocol interaction
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jan 2022 00:08:19 -0000

Hi Adrian,

I'm having trouble understanding this:

*I urge all of us engaged in the protocol engineering effort to bring their own perspective on "Human Rights" and to advocate for specific technical solutions in specific workgroups.*

It doesn't meaningfully define human rights and allow a reviewer to tell whether a protocol definition has addressed human rights adequately, it's the "I know it when I see it" standard - with everybody is bringing their own idea of what "it" is.

I'd love to have a human rights considerations section in IETF documents in the same way that we have a security considerations.  Many things that are currently in security considerations would probably be just as appropriate for human rights considerations, as many IETF authors already bring their own perspective on human rights and advocate for technical solutions which they believe support those rights.  But that's not the same as having an agreement on what human rights are relevant for our technical work.

Regards,

Bron.

On Thu, Jan 6, 2022, at 02:11, Adrian Gropper wrote:
> Bob's are important questions in the context of our specific protocol work. I do not mean to scope this thread to general W3C or IETF groups or their governance. *Bold* is used below to link to Bob's specific questions.
> 
> I might also argue to limit the scope to protocols and not VC, DID, biometric templates, or other data models even though effective standards for these drive quantitative and possibly qualitative improvements in the efficiency of surveillance because a common language seems essential to discussing protocols. Adverse consequences of the efficiency of common interoperable language can be mitigated at the protocol level.
> 
> I'm responding in personal terms to Bob's questions. *I urge all of us engaged in the protocol engineering effort to bring their own perspective on "Human Rights" and to advocate for specific technical solutions in specific workgroups.* For example, I have chosen to focus attention on authorization for verifiable credential issue. I hope others will prioritize human rights impact of authentication protocols especially where biometrics could be involved.
> 
> *The specific aspects of our protocol work that give rise to human rights issues relate to the efficiency of standardized digital credentials to human persons.* What works for drugs in a supply chain or cattle on a farm can and usually will be misused on people. Also, transferring responsibility from an issuer to a subject of a VC is a burden that needs to be recognized and mitigated. With respect to the UDHRs, I would point to 12 (privacy and confidentiality), 13 (anonymity), 14 (limit the reach of DHS and other state actors), 17 (the right to associate with and delegate to others), 18 (associate with and delegate to communities one chooses), 20 (association, again), 21 (secret elections), 22 (anonymity), 23 (trade unions as delegates), 24 (burden of managing decisions in an asymmetric power relationship with the state or with dominant private platforms), 29 (duties to and scope of the community).
> 
> *I'm suggesting that we formally address the issue of human rights as applied to the VC-API standardization process.* I'm also suggesting that we use a process in VC-API that formally harmonizes our work with IETF GNAP.
> 
> Adrian
> 
> On Tue, Jan 4, 2022 at 11:45 PM Bob Wyman <bob@wyman.us> wrote:
>> Adrian,
>> Given that you're starting a new thread, I would appreciate it if you could do some context setting and clarifying:
>>  * *What do you mean by "Human Rights?" *Hopefully, you won't consider that a foolish question. The issue is, of course, that since Internet standards are developed in a multicultural, multinational context, it isn't obvious, without reference to some external authority, what a standards group should classify as a human right. Different cultures and governments tend to differ on this subject... As far as I know, the "best" source of what might be considered a broad consensus definition of human rights is found in the UN's 1948 Universal Declaration of Human Rights <https://www.un.org/en/about-us/universal-declaration-of-human-rights> (UDHR). 
>>    * Does the UDHR contain the full set of rights that you think should be addressed by standards groups? If not, are there additional rights that you think should be considered? 
>>    * In his document, Human Rights Are Not a Bug <https://www.fordfoundation.org/work/learning/research-reports/human-rights-are-not-a-bug-upgrading-governance-for-an-equitable-internet/>, Niels ten Oever refers to the UN Guiding Principles for Business and Human Rights <https://www.ohchr.org/documents/publications/guidingprinciplesbusinesshr_en.pdf>, which adds to the rights enumerated in the UDHR a number of additional rights described in the International Labour Organization’s Declaration on Fundamental Principles and Rights at Work <https://www.ilo.org/declaration/lang--en/index.htm>. Given that you appear to endorse ten Oever's report, do you also propose the same combined set of rights? (ie. UDHR + ILO DFPRW?)
>>    * Some have argued that the Internet introduces a need to recognize rights that have not yet been enumerated either in the UDHR or in any other broadly accepted documents. If this is the case, how is a standards group to determine what set of rights they must respect?
>>  * *What specific aspects of the issues being addressed by this community group give rise to human rights issues?* Also, if you accept that one or some number of documents contain a useful list of such rights, can you identify which specific, enumerated rights are at risk? (e.g. if the UDHR is the foundation text, then I assume privacy issues would probably be considered in the context of the UDHR's Article 12 <https://www.un.org/en/about-us/universal-declaration-of-human-rights#:~:text=Article%2012,interference%20or%20attacks.>.)
>>  * *Are you suggesting that this group should formally address the issue of rights*, with some sort of process, or just that we should be aware of the issues?
>>    * ten Oever suggests that "Those who design, standardize, and maintain the infrastructure on which we run our information societies, should assess their actions, processes, and technologies on their societal impact." You apparently agree. Can you say how this should be done?
>>    * The UN Guiding Principles for Business and Human Rights describe a number of procedural steps that should be taken by either governments or corporations. Are you aware of a similar procedural description that would apply to standards groups?
>>    * I think it was in the video that it was suggested that, in Internet standards documents, "a section on human rights considerations should become as normal as one on security considerations." Do you agree? If so, can you suggest how such a section would be written?
>> bob wyman
>> 
>> 
>> On Tue, Jan 4, 2022 at 9:05 PM Adrian Gropper <agropper@healthurl.com> wrote:
>>> This is a new thread for a new year to inspire deeper cooperation between W3C and IETF. This is relevant to our formal objection issues in W3C DID as well as the harmonization of IETF SECEVENT DIDs and GNAP with ongoing protocol work in W3C and DIF.
>>> 
>>> The Ford Foundation paper attached provides the references. However, this thread should not be about governance philosophy but rather a focus on human rights as a design principle as we all work on protocols that will drive adoption of W3C VCs and DIDs at Internet scale.
>>> 
>>> https://redecentralize.org/redigest/2021/08/ says:
>>> 
>>>> *Human rights are not a bug*
>>>> Decisions made by engineers in internet standards bodies (such as IETF <https://www.ietf.org/> and W3C <https://www.w3.org/>) have a large influence on internet technology, which in turn influences people’s lives — people whose needs may or may not have been taken into account. In the report Human Rights Are Not a Bug <https://www.fordfoundation.org/work/learning/research-reports/human-rights-are-not-a-bug-upgrading-governance-for-an-equitable-internet/> (see also its launch event <https://www.youtube.com/embed/qyYETzXJqmc?rel=0&iv_load_policy=3&modestbranding=1&autoplay=1>), Niels ten Oever asks *“how internet governance processes could be updated to deeply embed the public interest in governance decisions and in decision-making culture”*.
>>>> “Internet governance organizations maintain a distinct governance philosophy: to be consensus-driven and resistant to centralized institutional authority over the internet. But these fundamental values have limitations that leave the public interest dangerously neglected in governance processes. In this consensus culture, the lack of institutional authority grants disproportionate power to the dominant corporate participants. While the governance bodies are open to non-industry members, they are essentially forums for voluntary industry self-regulation. Voices advocating for the public interest are at best limited and at worst absent.”
>>>> The report describes how standards bodies, IETF in particular, focus narrowly on facilitating interconnection between systems, so that *“many rights-related topics such as privacy, free expression or exclusion are deemed “too political””*; this came hand in hand with the culture of techno-optimism:
>>>> “There was a deeply entrenched assumption that the internet is an engine for good—that interconnection and rough consensus naturally promote democratization and that the open, distributed design of the network can by itself limit the concentration of power into oligopolies.
>>>> This has not proved to be the case.”
>>>> To improve internet governance, the report recommends involving all stakeholders in decision procedures, and adopting human rights impact assessments (a section on *human rights considerations* should become as normal as one on *security considerations*).
>>>> The report only briefly touches what seems an important point: that existing governance bodies may become altogether irrelevant as both tech giants and governments move on without them:
>>>> “Transnational corporations and governments have the power to drive internet infrastructure without the existing governance bodies, through new technologies that set de facto standards and laws that govern “at” the internet not “with” it.”
>>>> How much would having more diverse stakeholders around the table help, when ultimately Google decides whether and how a standard will be implemented, or founds a ‘more effective’ standardisation body instead?
>>> 
>>> 
>>> Our work over the next few months is unbelievably important,
>>> 
>>> - Adrian
>>> 
> -- 
> TXAuth mailing list
> TXAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
> 

--
  Bron Gondwana, CEO, Fastmail Pty Ltd
  brong@fastmailteam.com