agropper
commented
3 years ago I agree with @jandrieu analysis and suggestions but there's an even bigger risk than herd privacy if DID Core allows things that could be done in DID methods.
Governments, employers, and manufacturers have the power to decide which DID methods they will accept. They are the sovereigns by virtue of their asymmetric power in most cases. We are familiar with US services that ask for your social security number or with Indian Aadhaar identifiers being required for access to non-government services. When we weaken the privacy protections in DID core we are guaranteeing that methods will use that feature to serve the business interests associated with those methods. I believe we are already seeing this as unspoken substrate to this issue.
If we allow this to happen, it threatens the very foundation of our work on self-sovereign identity and it risks wasting the huge investment we have all made in this work.
DID core must not tacitly encourage privacy compromises. The differentiating factors among DID methods must be highly visible and clearly linked to the DID method.
Consider, for example, the way renters are protected by standardized rental agreements in most large cities. Nothing prevents the landlord from amending the standard rental contract but those amendments stand out when they are added in longhand and that triggers discussion. Loan agreements have similar protections that require certain standard features like the effective interest rate to be in unmistakably bold type.
I think of DID core as the equivalent to that standard rental agreement. For consumer protection and the very principles of self-sovereignty that we're working towards, every deviation from privacy by default (as nicely described by @jandrieu above and with respect to various issues) must stand out as prominently as we can make it. If we don't our good work could turn out to be overtaken by unintended consequences.
ChristopherA
iherman
jandrieu
talltree
TallTed
rhiaro
Continuing a conversation from PR #480
Section 10.5 Herd Privacy https://w3c.github.io/did-core/#herd-privacy says
However, there is some debate about what herd privacy means and how to apply it to DIDs.
This issue is for developing a consensus definition, after which one or more PRs are expected to be proposed to provide corrections to the DID specifications.
Herd privacy works exactly to the extent that a given feature applies to all DIDs and DID Subjects. That's the herd. When a feature applies to just certain DID Subjects, that enables privacy penetration that would not be possible if true herd privacy exists. When the herd is separable into distinguishable segments, it is possible to discern unintended details about each segment, causing privacy leaks.
For comparison, consider IP v4 addresses which, have excellent herd privacy. Every public IP address is structured and interpreted the same way and reveal nothing about who owns the machine responding to that IP address, what applications are running on that IP, or what type of hardware or network is running at the endpoint. In fact, you can't even tell if that IP address is just a first hop in a forwarding process that ends up with some other machine—with a different IP address—actually doing the work of composing a response.
The exceptions to herd privacy with IP addresses are informative.
First, there are a few, special, functionally unique private addresses are which do behave differently. There are the private identifier subnets like 192.168., link-local address like 169.254.*, and localhost 127.0.0.0. If the IP address is one of those exceptions, you know something about the initial destination (it's on a private subnet, its likely on a network without DHCP or an assigned IP, and its running on the same machine), but NOTHING else. You still don't know who owns it, what machine is running there, or what applications might be running on it.
Second, the process of assigning IP addresses has a historical legacy that makes it possible to guess, with some level of accuracy who owns a given IP, or at least who secured that IP address from IANA, and often what region of the world that party is from. This was originally done to simplify IP-based routing and the bureaucratic overhead of issuing IP numbers. These optimizations are not part of the IP spec, but rather a management decision that has ongoing consequences.
Third, the inevitable visibility of IP addresses on the network—you can't route an IP packet without looking at the destination header—means that network analysis can, to some level of accuracy, identify the geographic destination of IP addresses. As a result, there are numerous directory services that provide exactly this functionality. They don't always get it right, especially when Network Address Translation is used by large aggregators, but it is a privacy leak with the design. VPNs, TOR, NATs, and other approaches help mitigate these problems. However, IP addresses sometimes can and ARE used to de-anonymize parties and, in some cases must be treated a PII or personal data.
How does this apply to DIDs?
For DIDs to be a privacy-respecting technology, it is imperative that DIDs for different Subjects remain indistinguishable from each other, modulo the functional mechanisms necessary to establish proof of control over the unique identifiers themselves. You should not be able to tell, by looking at a DID, a DID-URL, or a DID Document, that the Subject of that DID is a particular person or organization, nor what type of entity it is: a human, a corporation, or an inanimate object.
The community behind DIDs already established a privacy-respecting way for assertions about Subjects to be made and managed, Verifiable Credentials (VCs). VCs allow anyone to say anything about any Subject and, thanks to Verifiable Presentations (VPs), there is, in the specification, a concrete mechanism to ensure that reliance upon a given assertion is consented to by the holder. When the holder signs a VP, it establishes that a party who controls the identifier of the Subject consents to its use for some purpose under some terms.
DIDs by their nature don't have that. DID resolution, like IP addresses, requires that DIDs, DID-URLs, and DID Documents be visible and resolvable by anyone. Yes, you can, in theory, add a privacy layer for "private" DIDs whose DID Document is only retrievable after some form of authentication, authorization, or consent protocol. However, those very mechanisms cannot be validated externally; they create a dependency on a trusted endpoint for deciding who does or does not get the cryptographic material associated with a given identifier. In order for DIDs to realize their goal of decentralization, it MUST be possible to retrieve the cryptographic material that secures subsequent interactions WITHOUT reliance on a trusted third party.
Yes, one could look at did:peer, did:key, and did:schema as counter examples, but those are all mechanisms that are either not publicly resolvable (and therefore unsuitable for cross-context verification like VCs), not updatable (without explicit communication to all parties using the identifier, which may be impossible), or they don't provide a means to demonstrate proof-of-control at all. Like the exceptions to public IP addresses, these methods demonstrate ways that you can work within the DID spec to recreate existing paradigms like PGP, public/private keypairs, and CIDs, rather than innate capabilities that are necessary and applicable to all DID Methods.
Which is fine. If you want your DID Method to be for Subjects of a particular nature, such as a DID Method that ALWAYS represents cars, go for it. DID Methods are free to violate herd privacy in this manner. But DID Core should not.
Returning to the IP example, there are services that will, based on publicly available information, map an IP address to a specific geographic location with some level of accuracy and precision. These services highlight a flaw in IP addresses' herd privacy that could have been avoided. This is a lesson we must take to heart.
What can be scraped, will be.
What can be observed on the network, will be.
These threat vectors MUST be included in the privacy analysis of everything that goes into DID Core.
What can be provided at another layer, should be.
We have a moral obligation to avoid these sorts of privacy problems whenever possible. Herd privacy is how we do that. Herd privacy is violated directly proportionally to the variability that can be used to separate the herd.
As such, we must bring the DID Spec into alignment with principles of herd privacy, while allowing DID Methods to innovate and extend.
DID Core is a meta-standard that enables unbounded extensibility. The burden is on us to make sure that the foundation is privacy respecting. Only those properties and features which are necessary and appropriate should be enshrined in DID Core. Because DID Methods have the freedom to innovate, THAT is where potentially risky or harmful ideas are best tried out. In contrast, properties in DID Core literally define commonality and best practices, which, even when "optional" encourage new DID Methods to use those features. This amplification effect is why it is so imperative that we minimize the potential harms from features of DID Core. If we do not, we will actively encourage DID Method designers to adopt harmful practices.
Finally, I want to directly refute a claim made by one of the DID Core spec editors @TallTree: https://github.com/w3c/did-core/pull/480#issuecomment-754780062
This reflects a fundamental misunderstanding of how herd privacy works. Herd privacy ONLY works when it applies to all DIDs equally. Any differentiation between classes of DIDs directly from features defined in DID Core undermines herd privacy.
Discussion welcome.