w3c / did-use-cases

Decentralized Identifier Use Cases and Requirements v1.0
https://w3c.github.io/did-use-cases/

Add Use-Case for Ambient Surveillance #113

Closed agropper closed 3 years ago

agropper commented 3 years ago

This article describes Clear as an example of what I'm calling ambient surveillance.

We might or could stipulate that what an airport or stadium can do in 2018, a school, midsize restaurant, taxi operator, or local merchant will be able to do in 2021. The ambient surveillance cameras, networks, and a bit of AI are now as expensive as a $500 iPhone mounted by the door. Ambient surveillance is even cheaper when contact with the data source or service provider is online. In that case, the merchant or institution doesn’t even have to pay for the phone because you will.

The whole thing boils down to what these ambient identity sensors are hooked up to. Clear? the local police (today’s surveillance cameras) or public health authority (today’s contact tracing org)? Google? What will limit how many cameras and iris scanners are deployed and how many places each one of them will connect to? This is the core of standards and the Gold Button context #101 and #102 and #110, etc...

As we drive to consensus on the Service Endpoint issues https://github.com/w3c/did-core/issues/382 we might use an ambient surveillance use-case to inform how DIDs participate in authentication both in-person and online. My guess is that solving this issue will clarify the role of both mediators and authorization servers as normative service endpoints.

jandrieu commented 3 years ago

The chairs discussed this today. This looks interesting and we are sympathetic. However, it is still early stage and the link to DIDs is hard to see. Since we are trying to wrap up work on the use case document, it's not likely that this will make it into this round.

@agropper if you feel this is an important use of DIDs that the current conversation is missing, we're open to hear your case for that, especially if you can make as a concise PR with a human story explaining the value proposition.

agropper commented 3 years ago

I think this is a critical use-case for DIDs and has not been covered elsewhere. Here's a brief version I can help expand into a PR:

Casey is concerned about cameras in public places making databases and looking up her identity based on facial recognition. She has heard that some cities and states are banning the practice but that does not cover the places she frequents. Although somewhat sympathetic to law enforcement uses of ambient surveillance, Casey is concerned that current laws like GDPR and CCPA do not give her a way to know that her identity and activity are being sent to a data broker and do not mandate that she provide opt-in consent for private use and notice, at least, notice when allowed for law enforcement.

Casey feels that her only choice short of a Guy Fawkes mask is to tag her face with a QR code that links to a service that she controls as a self-sovereign person and where the operators of ambient surveillance cameras can provide notice and seek authorization. Casey tattoos the QR code associated with her digital identity to her chest http://everyoneincluded.org/wp-content/uploads/2016/04/15169658965_0664ceccd3_z-e1460396728682.jpg to be sure that any camera can undeniably capture both her biometric and her self-sovereign identity at the same time. Casey hopes that this will drive for stronger regulations that will outlaw the use of identity sensors and brokerage without notice and consent.

Casey is a bit worried about the permanence of her tattoo as a point of correlation. She wishes she could have a way of rotating her notice and consent service endpoint the way her COVID exposure notification app rotates her random proximity ID or her iPhone app rotates her advertising identifier. Casey is looking forward to a time when her exposure notification, her advertising, and her ambient surveillance trackers could all be managed (for notice and authorization) by her self-sovereign agent in the cloud.

BTW, Casey Quinlan is a pal and fellow healthcare activist. Her QR code is a link to a health record and the password is in plaintext around the margins. That's why we need both EDVs and ADVs https://github.com/decentralized-identity/secure-data-store/issues/131

philarcher commented 3 years ago

Thanks for this Adrian.

@jandrieu and I have discussed it at length. We are struggling with the idea of tattooing an identifier on oneself as a common or recommended practice. Certainly not for the use case given. How does tattooing an identifier help to obscure one's identity? We note that Casey Quinlan's actual use case is different, namely the provision of a means to access critical healthcare information. This 'breaking the glass' use case is, we feel, adequately covered, although not in a healthcare situation, in the law/executor focal case. As highlighted in the recent F2F, we're trying to zero in on any use cases that yield new requirements, and not simply more examples of how DIDs can be used. That list is, we hope, much longer than the list of UCs in this doc.

If there are use cases that do extend the requirements, that are grounded in likely human behavior, and that are being met in the currently chartered work on the Core spec, then, of course, they should be added. But we are not convinced that this use case meets, or nearly meets, those criteria.

agropper commented 3 years ago

The pandemic, as well as recent laws like the CPRA (California update to CCPA), has made this use-case abundantly clear, although my tongue-in-cheek explanation did not focus on this.

Of course, I'm not suggesting did:tattoo. What I am proposing is a need for a standardized consent protocol that would allow active DID badges to be worn in public. When the law prevents processing of PII (especially biometrics) without consent and you're a restaurant or sports stadium or just a security camera on the street, the only solution I can think of for such processing is to ask the DID controller.

On Fri, Nov 20, 2020 at 10:54 AM Phil Archer notifications@github.com wrote:

agropper commented 3 years ago

The market is waiting for us: https://www.healthcareittoday.com/2020/11/23/idions-patient-id-tattoo-fashion-fad-becomes-patient-innovation/

agropper commented 3 years ago

@jandrieu and @philarcher Apologies about my levity around tattoos. The issue of ambient surveillance or ambient authentication as a use-case is still open in my mind. Is this covered somewhere else?

jandrieu commented 3 years ago

It isn't covered, and I think I get where you're headed, or at least a way we might be able to add it. And, in fact, it's a big oversight to not have it.

With DIDs, there is no single service provider who gets to see all of your logins, as you have when relying on OAuth-style identity providers. In addition, one can use pair-wise DIDs to minimize the ability for vendors to collude behind your back.

While this won't get rid of cookies or literal surveillance cameras, I can see how it can improve the situation wrt ambient surveillance.

Let me take a stab at some text.

agropper commented 3 years ago

Here's support for this use case from EFF: https://www.eff.org/deeplinks/2021/01/why-eff-doesnt-support-bans-private-use-face-recognition

jandrieu commented 3 years ago

@agropper how about something like this:

Correlation-controlled Services

Cary is frustrated by the seemingly ubiquitous systems of capitalist surveillance that monitor her actions in an attempt to improve their "monetization". She was one of the first adopters of anti-cookie features and anti-adware software. Unfortunately, this also means she doesn't get the benefits offered by many of today's online services. She just isn't willing to sacrifice her privacy by using OAuth or OpenID Connect for a convenient login: all sign-ins with those technologies are visible to the "identity provider". Further, behind the scenes, every service is able to correlate the identifier she uses for authentication with each other, collecting information that Cary may not have divulged if asked directly. She finds it manipulative at best, and at times, outright coercive. With Decentralized Identifiers, Cary creates a pair-wise unique DID for every service provider she interacts with, and her browser-integrated wallet not only manages which DID is used for which service, it also manages--if she approves it--automatic authentication with those services she trusts. She now has cryptographically unique identifiers that are correlatable only by those services she chooses to use them with--and a single-sign-on experience with her client-side wallet--without introducing a third party who knows every site she visits.

@philarcher will turn this into a PR if it works for you.

philarcher commented 3 years ago

For me, the term 'Web 2.0' is a no-no. I'd just make that into "... meant that she can't get all the benefits offered by many of today's online services."

jandrieu commented 3 years ago

+1 to that suggestion of removing "web 2.0"

jandrieu commented 3 years ago

Updated (in the comment)

agropper commented 3 years ago

(my suggestions are in bold to make the diff easier)

Correlation-controlled Services

Cary is frustrated by the seemingly ubiquitous systems of privatized surveillance that monitor her actions in an attempt to improve their convenience. She was one of the first adopters of anti-cookie features and anti-adware software and avoids "Sign-in with (some platform)". Unfortunately, this also means she doesn't get the benefits offered by many of today's online services including the ability to cut the airport security line or shop by using her face at the neighborhood market. She just isn't willing to sacrifice her privacy by using OAuth or OpenID Connect for a convenient login: every sign-in with those technologies is visible to the "identity provider". Further, behind the scenes, every service is legally able to correlate the identifier she uses for authentication with each other, collecting information that Cary may not have divulged if asked directly. She finds it manipulative at best, and at times, outright coercive. With Decentralized Identifiers, Cary creates a pair-wise unique DID for every service provider she interacts with, and her wallet and/or agent not only manages which DID is used for which service, it also manages--if she approves it directly or through policy--automatic authentication and authorization with those services she trusts. She now has cryptographically unique identifiers that are correlatable only by those services she chooses to use them with--and a single-sign-on experience with her semi-autonomous client-side self-sovereign or fiduciary delegate--without introducing a third party who knows every site she visits.

jandrieu commented 3 years ago

LGTM @philarcher What do you think?

philarcher commented 3 years ago

Merged as PR #140 Thanks for your persistence and patience @agropper - we got there in the end.