Re: [GNAP] Human rights perspective on W3C and IETF protocol interaction

Alan Karp <alanhkarp@gmail.com> Wed, 05 January 2022 19:54 UTC

From: Alan Karp <alanhkarp@gmail.com>
Date: Wed, 5 Jan 2022 11:53:07 -0800
Message-ID: <CANpA1Z2WBT69AJ6ynsYCHuOAAoB7F3fn+ebtV3fjBdeYTT-D+Q@mail.gmail.com>
To: Adrian Gropper <agropper@healthurl.com>
Cc: Bob Wyman <bob@wyman.us>, GNAP Mailing List <txauth@ietf.org>, W3C Credentials Community Group <public-credentials@w3.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/XTq_mOXaiULMwCNJDKjVJHnqWkY>

RFCs have a Security Considerations section.  Are you suggesting that these
groups include a Human Rights Considerations section in addition?

--------------
Alan Karp


On Wed, Jan 5, 2022 at 7:14 AM Adrian Gropper <agropper@healthurl.com>
wrote:

> Bob's are important questions in the context of our specific protocol
> work. I do not mean to scope this thread to general W3C or IETF groups or
> their governance. *Bold* is used below to link to Bob's specific
> questions.
>
> I might also argue to limit the scope to protocols and not VC, DID,
> biometric templates, or other data models even though effective standards
> for these drive quantitative and possibly qualitative improvements in the
> efficiency of surveillance because a common language seems essential to
> discussing protocols. Adverse consequences of the efficiency of common
> interoperable language can be mitigated at the protocol level.
>
> I'm responding in personal terms to Bob's questions. *I urge all of us
> engaged in the protocol engineering effort to bring their own perspective
> on "Human Rights" and to advocate for specific technical solutions in
> specific workgroups.* For example, I have chosen to focus attention on
> authorization for verifiable credential issue. I hope others will
> prioritize human rights impact of authentication protocols especially where
> biometrics could be involved.
>
> *The specific aspects of our protocol work that give rise to human rights
> issues relate to the efficiency of standardized digital credentials to
> human persons.* What works for drugs in a supply chain or cattle on a
> farm can and usually will be misused on people. Also, transferring
> responsibility from an issuer to a subject of a VC is a burden that needs
> to be recognized and mitigated. With respect to the UDHRs, I would point to
> 12 (privacy and confidentiality), 13 (anonymity), 14 (limit the reach of
> DHS and other state actors), 17 (the right to associate with and delegate
> to others), 18 (associate with and delegate to communities one chooses), 20
> (association, again), 21 (secret elections), 22 (anonymity), 23 (trade
> unions as delegates), 24 (burden of managing decisions in an asymmetric
> power relationship with the state or with dominant private platforms), 29
> (duties to and scope of the community).
>
> *I'm suggesting that we formally address the issue of human rights as
> applied to the VC-API standardization process.* I'm also suggesting that
> we use a process in VC-API that formally harmonizes our work with IETF GNAP.
>
> Adrian
>
> On Tue, Jan 4, 2022 at 11:45 PM Bob Wyman <bob@wyman.us> wrote:
>
>> Adrian,
>> Given that you're starting a new thread, I would appreciate it if you
>> could do some context setting and clarifying:
>>
>>    - *What do you mean by "Human Rights?"* Hopefully, you won't consider
>>    that a foolish question. The issue is, of course, that since Internet
>>    standards are developed in a multicultural, multinational context, it isn't
>>    obvious, without reference to some external authority, what a
>>    standards group should classify as a human right. Different cultures and
>>    governments tend to differ on this subject... As far as I know, the "best"
>>    source of what might be considered a broad consensus definition of human
>>    rights is found in the UN's 1948 Universal Declaration of Human Rights
>>    <https://www.un.org/en/about-us/universal-declaration-of-human-rights>
>>     (UDHR).
>>       - Does the UDHR contain the full set of rights that you think
>>       should be addressed by standards groups? If not, are there additional
>>       rights that you think should be considered?
>>       - In his document, Human Rights Are Not a Bug
>>       <https://www.fordfoundation.org/work/learning/research-reports/human-rights-are-not-a-bug-upgrading-governance-for-an-equitable-internet/>,
>>       Niels ten Oever refers to the UN Guiding Principles for Business
>>       and Human Rights
>>       <https://www.ohchr.org/documents/publications/guidingprinciplesbusinesshr_en.pdf>,
>>       which adds to the rights enumerated in the UDHR a number of additional
>>       rights described in the International Labour Organization’s Declaration
>>       on Fundamental Principles and Rights at Work
>>       <https://www.ilo.org/declaration/lang--en/index.htm>. Given that
>>       you appear to endorse ten Oever's report, do you also propose the same
>>       combined set of rights? (i.e., UDHR + ILO DFPRW?)
>>       - Some have argued that the Internet introduces a need to
>>       recognize rights that have not yet been enumerated either in the UDHR or in
>>       any other broadly accepted documents. If this is the case, how is a
>>       standards group to determine what set of rights they must respect?
>>    - *What specific aspects of the issues being addressed by this
>>    community group give rise to human rights issues?* Also, if you
>>    accept that one or some number of documents contain a useful list of such
>>    rights, can you identify which specific, enumerated rights are at risk?
>>    (e.g. if the UDHR is the foundation text, then I assume privacy issues
>>    would probably be considered in the context of the UDHR's Article 12
>>    <https://www.un.org/en/about-us/universal-declaration-of-human-rights#:~:text=Article%2012,interference%20or%20attacks.>
>>    .)
>>    - *Are you suggesting that this group should formally address the
>>    issue of rights*, with some sort of process, or just that we should
>>    be aware of the issues?
>>       - ten Oever suggests that "Those who design, standardize, and
>>       maintain the infrastructure on which we run our information societies,
>>       should assess their actions, processes, and technologies on their societal
>>       impact." You apparently agree. Can you say how this should be done?
>>       - The UN Guiding Principles for Business and Human Rights describe
>>       a number of procedural steps that should be taken by either governments or
>>       corporations. Are you aware of a similar procedural description that would
>>       apply to standards groups?
>>       - I think it was in the video that it was suggested that, in
>>       Internet standards documents, "a section on human rights considerations
>>       should become as normal as one on security considerations." Do you agree?
>>       If so, can you suggest how such a section would be written?
>>
>> bob wyman
>>
>>
>> On Tue, Jan 4, 2022 at 9:05 PM Adrian Gropper <agropper@healthurl.com>
>> wrote:
>>
>>> This is a new thread for a new year to inspire deeper cooperation
>>> between W3C and IETF. This is relevant to our formal objection issues in
>>> W3C DID as well as the harmonization of IETF SECEVENT DIDs and GNAP with
>>> ongoing protocol work in W3C and DIF.
>>>
>>> The Ford Foundation paper attached provides the references. However,
>>> this thread should not be about governance philosophy but rather a focus on
>>> human rights as a design principle as we all work on protocols that will
>>> drive adoption of W3C VCs and DIDs at Internet scale.
>>>
>>> https://redecentralize.org/redigest/2021/08/ says:
>>>
>>> *Human rights are not a bug*
>>>> Decisions made by engineers in internet standards bodies (such as IETF
>>>> <https://www.ietf.org/> and W3C <https://www.w3.org/>) have a large
>>>> influence on internet technology, which in turn influences people’s lives —
>>>> people whose needs may or may not have been taken into account. In the
>>>> report Human Rights Are Not a Bug
>>>> <https://www.fordfoundation.org/work/learning/research-reports/human-rights-are-not-a-bug-upgrading-governance-for-an-equitable-internet/>
>>>>  (see also its launch event
>>>> <https://www.youtube.com/embed/qyYETzXJqmc?rel=0&iv_load_policy=3&modestbranding=1&autoplay=1>),
>>>> Niels ten Oever asks *“how internet governance processes could be
>>>> updated to deeply embed the public interest in governance decisions and in
>>>> decision-making culture”*.
>>>> “Internet governance organizations maintain a distinct governance
>>>> philosophy: to be consensus-driven and resistant to centralized
>>>> institutional authority over the internet. But these fundamental values
>>>> have limitations that leave the public interest dangerously neglected in
>>>> governance processes. In this consensus culture, the lack of institutional
>>>> authority grants disproportionate power to the dominant corporate
>>>> participants. While the governance bodies are open to non-industry members,
>>>> they are essentially forums for voluntary industry self-regulation. Voices
>>>> advocating for the public interest are at best limited and at worst absent.”
>>>> The report describes how standards bodies, IETF in particular, focus
>>>> narrowly on facilitating interconnection between systems, so that *“many
>>>> rights-related topics such as privacy, free expression or exclusion are
>>>> deemed “too political””*; this came hand in hand with the culture of
>>>> techno-optimism:
>>>> “There was a deeply entrenched assumption that the internet is an
>>>> engine for good—that interconnection and rough consensus naturally promote
>>>> democratization and that the open, distributed design of the network can by
>>>> itself limit the concentration of power into oligopolies.
>>>> This has not proved to be the case.”
>>>> To improve internet governance, the report recommends involving all
>>>> stakeholders in decision procedures, and adopting human rights impact
>>>> assessments (a section on *human rights considerations* should become
>>>> as normal as one on *security considerations*).
>>>> The report only briefly touches what seems an important point: that
>>>> existing governance bodies may become altogether irrelevant as both tech
>>>> giants and governments move on without them:
>>>> “Transnational corporations and governments have the power to drive
>>>> internet infrastructure without the existing governance bodies, through new
>>>> technologies that set de facto standards and laws that govern “at” the
>>>> internet not “with” it.”
>>>> How much would having more diverse stakeholders around the table help,
>>>> when ultimately Google decides whether and how a standard will be
>>>> implemented, or founds a ‘more effective’ standardisation body instead?
>>>
>>>
>>> Our work over the next few months is unbelievably important,
>>>
>>> - Adrian
>>>
>>