1EdTech / openbadges-discussion

A no-code repository for having discussions related to the general technical issues of openbadges.

evidence URL, purpose and best privacy practice #23

Closed jeroenlicht closed 7 years ago

jeroenlicht commented 9 years ago

It is not yet clear to me how the evidence property of a badge is meant to be used. The specifications say that this can link to videos or other documents related to the performance by the recipient. I was thinking that it could also be useful as a way of identifying whether the person claiming to have earned the badge is really the one who did the work. For instance, if a video was recorded of the recipient doing a test, then it can be a way of confirming their identity. On the other hand, making a video recording, photo or passport copy of the badge recipient public through the evidence URL, published with the badge, is a privacy issue. If the email of the badge recipient is hashed to protect their identity, doesn't a photo or video of the recipient on the evidence URL cancel out this privacy protection?

So that leaves me wondering what the intended use of the evidence URL is. Is it meant as evidence of the recipient's identity, or as evidence of the quality of the work done?

If it is meant as evidence of identity, should further security measures be implemented on the page that the evidence URL refers to? For instance, maybe the visitor of the evidence URL can be asked to provide the email of the recipient, or some token that is given by the recipient through a different communication channel? What kind and level of privacy measures would be acceptable here from a usability and privacy perspective? What would be the risks of having no further protection here and directly providing a photo or video of the badge recipient?

ottonomy commented 9 years ago

Thanks for posting, @jeroenlicht. The evidence URL is intended to be evidence of the work that was done to meet the criteria of the badge, but it often is personally identifiable and can also serve to verify that the earner of the badge is the person who is presenting it to you.

I would be interested in explicitly pursuing that second use case, as an extension perhaps. I'm also interested in what you mentioned at the end of your comment, in ways that systems can decide whether or not to serve the badge evidence to a requester. By default, the badges ecosystem has been assuming evidence links should be public, but I don't necessarily believe that's a valid assumption. I'm interested in exploring ways we can protect evidence and give badge recipients control over who has access to view it (i.e. give access to particular viewers, which might be time-limited).

jeroenlicht commented 8 years ago

I have currently implemented two workarounds to this problem:

1) The normal evidence page does not have personally identifiable information: https://pendragoned.co.uk/certificate/b8wkctc/?lang=en But on our LMS profile page, the recipient also gets a private sharing URL, which has a 128+ bit key variable appended to the end, which will reveal the recipient's name and other details. In the future, I plan to make this 'refreshable', to invalidate the key that has been shared earlier, as well as to update the email address attached to the certificate and badge.

2) I added a simple form field in which anyone can verify the email address of the recipient. Currently, I don't see this basic functionality included with any badge displayer, and therefore it only remains possible for people with technical knowledge (i.e. developers and hackers). So it seems to me that this adds some necessary usability for employers and recruiters, without reducing the actual security any further.

Any thoughts on risks or possibilities here that I might have overlooked?
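The two workarounds above (an email-check form against the hashed recipient identity, and a refreshable private sharing key) as an added example, not code from the thread or from the project; the recipient object is constructed in the Open Badges 1.x `sha256$<hex>` form, where the hash is computed over the email string with the salt appended, and the email normalisation and the in-memory key store are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample: the hashed "recipient" object of an Open Badges 1.x assertion.
# The salt and email are made up for this example.
SALT = "example-salt"


def hash_identity(email: str, salt: str, algorithm: str = "sha256") -> str:
    """Build the published identity string: '<alg>$' + hex(alg(email + salt))."""
    digest = hashlib.new(algorithm, (email + salt).encode("utf-8")).hexdigest()
    return f"{algorithm}${digest}"


SAMPLE_RECIPIENT = {
    "type": "email",
    "hashed": True,
    "salt": SALT,
    "identity": hash_identity("alice@example.org", SALT),
}


def verify_identity(recipient: dict, candidate_email: str) -> bool:
    """The 'verify the recipient email' form: True iff candidate_email hashes to
    the published identity. The verifier never learns the email from the badge;
    they must already hold it (e.g. from the applicant's CV)."""
    candidate = candidate_email.strip()  # assumption: no case folding, hash as issued
    if not recipient.get("hashed"):
        return recipient["identity"].strip() == candidate
    algorithm, _, expected_hex = recipient["identity"].partition("$")
    if algorithm not in ("sha256", "md5"):
        raise ValueError(f"unsupported identity hash: {algorithm}")
    actual_hex = hash_identity(candidate, recipient.get("salt", ""), algorithm).split("$", 1)[1]
    # Constant-time compare so the public form does not leak timing information.
    return hmac.compare_digest(actual_hex, expected_hex)


def refresh_sharing_key(store: dict, badge_id: str) -> str:
    """Issue a fresh 128-bit key for the private sharing URL and invalidate the old one.
    `store` maps badge_id -> current key (assumed in-memory stand-in for the LMS database)."""
    key = secrets.token_urlsafe(16)  # 16 bytes = 128 bits of randomness
    store[badge_id] = key             # overwriting revokes any earlier shared link
    return key


def sharing_key_valid(store: dict, badge_id: str, presented_key: str) -> bool:
    """Check a key from a private sharing URL without timing leaks."""
    current = store.get(badge_id, "")
    return bool(current) and hmac.compare_digest(current, presented_key)
```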

timothyfcook commented 7 years ago

The evidence property has been updated, as has the documentation. Moving to archive.

https://github.com/openbadges/openbadges-specification/pull/99/commits/05a9d01f5ab20058adcc8caf822999859eda905e