Agency: California Assembly Committee on Privacy and Consumer Protection
Date: May 5, 2020
Authors: Christopher Allen
The bill passed the legislature and was vetoed by the Governor.
Christopher testified virtually in CA Assembly Room 4202 with qualified support:
My name is Christopher Allen, and I am the founder of Blockchain Commons, a benefit corporation supporting security infrastructure, software development, and research. I also speak on behalf of the broader international standards W3C Credentials Community Group where I am a co-chair. My past achievements include being co-author of SSL/TLS, the broadest deployed security standard in the world, and the basis upon which most Internet traffic moves securely.
As regards the subject matter of this bill, I am not a lawyer, regulatory expert, or lobbyist, but I am one of the leading experts on the new security architecture known as Verifiable Credentials and Decentralized Identifiers, the first being now an International Standard through the World Wide Web Consortium, the second in late stages of the international standardization process after 5 years of incubation.
As far as any questions in regards to these underlying technologies themselves for the use by the State of California I do not have reservations — these new technologies offer a number of privacy by design features and address security issues that legacy credential and identity technologies do not. Organizations around the world including the US Department of Homeland Security, the Canadian government, Taiwan, New Zealand, and a number of EU nations are committed to moving toward solutions using these new architectures.
My reservations regarding this bill are less about the efficacy of this technology, but the immaturity of robust health privacy and risk models, adversary analysis, and expected public health benefits in regards to the future use of these for specific public health purposes, which were not included in the original use cases originally defined in these standards. In particular, I feel that specific use of Verifiable Claims for Immunity Credentials require additional risk analysis and possibly additional legislation.
For instance, given the current lack of understanding of the effectiveness of COVID19 immunity test from the public health perspective, I have concerns in regard to the success of the suggested outcomes if an Immunity Credential was rushed to market too soon. In addition, I believe that the use of immunity Credentials may have discriminatory effects that may require additional work for the Assembly to address, such as including whether NOT having a disease can be used as consideration in layoffs, the ability to get fair compensation or unemployment or to apply for disability.
However, I do believe that if the State Assembly is going to authorize some form of investigation, proof of concept, or implementation of new privacy-preserving health care technology, that Verifiable Claims and Decentralized Identifiers should be authorized as being acceptable, as they are the safest architecture available today. Implementors still need to be careful with the details — it is still possible to use these tools in ways that may compromise their intended goals for security & privacy.
That being said, continued use of the current extremely fragmented legacy architectures for identity and personal health information in the health care community has higher risks. I urge you to support allowing the use of new Verifiable Claims international standards in your regulations.
Thank you for the opportunity to speak before the Assembly on this topic. Let me know if you need more details on the topics above or if there are other ways my expertise can be of service.