---
title: Testimony Misc
robots: noindex, nofollow
keywords: testimony
---

# Testimony Misc

* Time Sensitive
* New Version of Bitcoin Standup [Mac Version]
* Build by Git Cloning master and run Xcode
* TEST Compile
* TEST DMG in Mojave [tomorrow]
* Can look at information dialogues [dialogue boxes, infotips], and they're wordy, clean them up, cut them down, whatever
* May need to rethink: have more descriptions and info box HERE, first time you run the app STARTER BOX, or whatever I think: consider the content and learning, not just what's there
* PROOF docs again
* Bitcoin Standup: New High Level
* Different Versions w/Images
* Quick Connect
* Developer
* Pull out unneeded content
* Think about it in terms of other multiple
* Cryptographic libraries
* Overview of a letter for Wyoming

WYOMING LETTER

[intro: about expertise and identity; who I speak for and why I'm authoritative to speak about this topic]

[TL;DR: summary of main points]

[major areas A.) PRIVATE KEY CONSIDERATIONS MUST INCLUDE IDENTITY KEYS. Last year's HB-0041, production of private key prohibition, uses language "disclose a digital security or virtual currency to which a private key provides access", problem is that private keys also used for identity, (1) would like to see identity keys in next versions; (2) think not in prior because there's not a lot of establishing terminology about what is digital identity (which is to say adding digital identity requires more work, maybe new bill)]

D.) ADDITIONAL LAWS ARE REQUIRED CONCERNING DIGITAL IDENTITY. As I've had it explained: Wyoming doesn't currently have a strong legal basis around digital identity. Most of it existing is around property law & theft. Strongly encourage as they are evolving a legal basis around digital identity, be careful of property-law-centric approaches. [Refer to articles].
EXAMPLE: Property law covers using identity info to steal from bank account; but it doesn't cover when you destroy my good name by impersonating me, because that's not property law; doesn't cover voting in my company; attesting to legal manners; using my name to benefit someone else's reputation or business or whatever. [REPUTATION, LEGAL ATTESTATION, VOTING.]

In my ideal world, would love people to use ten self-sovereign identity principles and use that as a basis. FOR EXAMPLE, with #1, want to make sure that even if troubles with digital identity, you can still have mechanisms outside of digital identity that give you the rights as a citizen, to access services. You are more than your digital existence. [Example, India denying people services because of digital identity problems.] That's just ONE PRINCIPLE of ten SSI principles and applying it to new laws, the other nine are critical too. Understand that it's hard work, but no one else has done it before, you'd be the first. (May want to accept another state's wholesale, but no one has done this, and will help)

In general, digital identity is something they touched on loosely, but spent a year or more to do tokens and such right in old Blockchain Taskforce, this will similarly be a multi-year effort, urge them to be the leader in this area, in the same way they are around digital assets and tokens, NOT just adopting another state's policies wholesale. Extra work will be worth it.

B.) WE NEED TO BE CAREFUL WITH PUBLIC-HEALTH INFORMATION COLLECTION. There is currently a rush to do public-health information due to COVID-19, and because techs that Christopher is expert on can support this, Chris is getting a lot of calls, and recently testified in CA, which led to a bill. All of this being said, BE CAREFUL.
We should create enabling legacy that allows for privacy-preserving technologies in healthcare pilots, et al., but it's not enough, there needs to be other legacy about protecting healthcare information, just enabling VCs isn't enough. (Allow VC to be used, DON'T mandate them, but do other work; need to look into discrimination issues and other experts)

C.) CORPORATE IDENTITY PROJECT MUST INCLUDE INTEROPERABILITY; AND SO SHOULD OTHER INITIATIVES. There is a pilot that has passed for doing corporate digital identity that's been delayed. [disappointing] When they do selection, it needs to support broader interoperability of multiple kinds of DIDs and VCs because there are multiple companies doing multiple things. This is what Homeland Security is doing now [See PRESENTATION, look for "interoperability", near bottom of slide about diversity and interoperability], saying have to demonstrate interoperability and no vendor lock-in. [HAVE TEXT]. It's very important not just in corporate identity, but in all funding of pilots, Wyoming not allow vendor lock-in, focus on having parties prove interoperability & flexibility. Future-proof.

--- from previous testimony: ---

B) Data Rights, Movement away from Personal Private Data & Identity being defined as Property Rights

1) The essential problem is that the "ownership" models for data can cause problems.
2) Best article on this is: https://medium.com/@hackylawyER/do-we-really-want-to-sell-ourselves-the-risks-of-a-property-law-paradigm-for-data-ownership-b217e42edffa
3) Also good link: https://www.technologyreview.com/s/612588/its-time-for-a-bill-of-data-rights/

---

## TESTIMONY ABOUT IDENTITY NOT BEING PROPERTY

Chris Land asked me to share with you some of the more interesting current thoughts about identity & privacy today, before the Wyoming Legislative Blockchain Task Force meeting next Monday & Tuesday.
One in particular I thought was worthy of discussion as a basic principle is to be careful about applying property rights approaches to personal data.

This discussion has ultimately led the W3C (World Wide Web Consortium, the international standards organization that creates the standards that underlie the web) to largely move from language of "owning" personal data and identity in our technical documents, to "controlling" it instead. We aren't certain that even control is the perfect language, but we are certain in our technical community that the language of ownership creates a number of problems as once sold, property can be resold.

I'm particularly concerned about being careful about ideas like that recently proposed by California Governor Gavin Newsom when he suggested that the state’s consumers should get a piece of the billions of dollars that technology companies make by capitalizing on personal data they collect, and asked aides to develop a proposal for a “data dividend” for California residents. “Companies that make billions of dollars collecting, curating and monetizing our personal data have a duty to protect it…California’s consumers should also be able to share in the wealth that is created from their data.”

Though beneficial in spirit, I'm concerned that Gov. Newsom's approach of selling property rights to consumer's data may be fundamentally flawed. I'm certain that there could be many companies that might come to you with similar suggestions for Wyoming.

The best general article on this topic is by legal scholars Elizabeth Renieris and Dazza Greenwood, which I have enclosed below. Chris Land, you may want to include this document in your event documents.

---

## TESTIMONY ABOUT CORPORATE IDENTITY

In the last Wyoming legislative session, you passed HB0070-2019 asking the Wyoming Department of State to "develop and implement an industry leading filing system through which all required filings…may be submitted."
Unfortunately, the language was watered down from earlier drafts to "may" and a long deadline for the end of 2021.

There are multiple companies and organizations today that would be willing to enable this capability for Wyoming's Secretary of State for low cost as an early adopter, with solutions that are standards based. However, if this waits until 2022, you will lose the opportunity to be a leader in this area.

In particular, British Columbia has already implemented OrgBook, which is exactly such a system for their Canadian provincial government, using the open source project Hyperledger Indy. They already have over 535K active legal entities registered with over 1.4M digital verifiable credentials about those entities. All using standards based technology. They have a whitepaper on what motivated them to do this project at https://www.hyperledger.org/resources/publications/orgbook-case-study. I spoke with John Jordan <John.Jordan@gov.bc.ca> of that project yesterday and he would be glad to help Wyoming get started.

In addition, another company, Digital Bazaar, has been doing a number of pilots of similar government related registries, including with US HLS and CBP focused on supply chain tracking, that also supports digital corporate filings. You should also know that the CBP is mandating the use of standards-based DIDs and Verifiable Claims in the near future and encouraging other Federal Agencies to do so as well. Here is a news item about their project for the CBP last year, and they have moved forward significantly since: https://www.supplychaindive.com/news/CPB-fail-fast-approach-blockchain/530936/ I have also spoken with Adam Lake <alake@digitalbazaar.com> and they too would love to help Wyoming implement a digital commercial filings system.

Besides these leaders, there are several other organizations that could help Wyoming rapidly deploy this technology.
I'm not sure how to best advise and help Wyoming move more rapidly in implementing these capabilities. I am concerned that your other efforts such as fully implementing the possibilities offered by your "Corporate stock-certificate tokens act" HB0185-2019 may be slowed down due to the lack of this capability.

## Homeland Security Info

---

From Anil John, DHS

I am attaching as an FYI for both yourself and the Wyoming legislative co-chairs two items that convey our support and our rationale for the security, privacy and interoperability work that is needed in this area:

1. Our congressional testimony (To the Committee on Science, Space, and Technology Subcommittee on Oversight & Subcommittee on Research and Technology) on this topic back on May 8, 2018. The testimony provides a more long term and strategic perspective on our work and what we see as the trajectory of the technology.
2. An overview briefing of our Blockchain work to date which includes details such as lessons learned from R&D and our proof of concept deployments with CBP Office of Trade and Border Patrol. That important information is informing a more focused and nuanced industry engagement and the work we are currently doing thru our DHS S&T Silicon Valley Innovation Program (SVIP) to meet the needs of USCIS, TSA and CBP – the briefing includes details of the specific problems our operational components are seeking to solve using Blockchain technology.

----

## FINAL TEXT for last month's testimony:

TO: Wyoming Legislative Select Committee on Blockchain, Financial Technology, and Digital Innovation Technology

FROM: Christopher Allen, Blockchain Commons, LLC, 7302 Yellowstone Rd., Cheyenne WY 82009-2077 (307) 222-2140

Committee Chairs, Members of the Select Committee & LSO:

My name is Christopher Allen, and I am the founder of Blockchain Commons, a blockchain infrastructure development and research organization.
I also represent the broader international standards W3C organization as co-chair of the Credentials Community Group. My past achievements include being co-author of SSL/TLS, the broadest deployed security standard in the world, and the basis upon which most Internet traffic moves securely.

Over the last three years, I have been quite proud to witness Wyoming, through the Blockchain Task Force, become a leader in the area of digital asset technology & regulation. It is because of laws successfully begun at those meetings that I established my organization Blockchain Commons to be domiciled in Wyoming and have encouraged other companies to do the same.

I was asked by the LSO to prepare a one-pager in advance of your meeting next week to offer my thoughts on your possible agenda for the upcoming legislative year.

My personal first priority is to suggest this Committee reintroduce the 2020 HB0041 bill on the “Disclosure of private cryptographic keys”. I believe this topic is critical for the security of not only blockchain technology but also to the future of digital identity. As the Task Force heard in extensive testimony last year, once a private cryptographic key is disclosed to a judge it is permanently compromised, even if the judge attempts to protect it from further disclosure; all assets and identities tied to that private key are also permanently compromised, as is all future value that may accrue to that key (in the form of forks and airdrops). Even if well-intentioned, such compelled disclosure could put at risk the entire custody businesses of multi-billion dollar companies because a private key cannot simply be changed once it’s compromised, as a password can. To be clear, a judge can still achieve the desired outcome by compelling the use of private cryptographic keys (such as to turn over assets in a divorce proceeding, or to prove ownership of an asset) without requiring the disclosure of the key itself.
2020 HB0041 simply resolves essential differences between how cryptographic security works and how it is misunderstood by prosecutors & law enforcement.

In the category of Digital Assets & Property, I’ve found a few areas that need clarification as digital technology organizations move to Wyoming to implement the opportunities offered under the newly enacted legislation. New laws could accomplish some of these, others could simply be resolved with a formal letter from the Committee to regulators and third parties requesting changes in their policies. These are as follows:

In 2019-F125 custody of digital assets by banks is defined in 34‑29‑104 “Digital asset custodial services” and control is defined in 2020-SF0047. However, there are some ambiguities in leveraging newer and safer digital assets custodial practices that don’t quite fit these current definitions and may apply outside of custodial services and rules about control by non-custodians. I suggest the following:

* That in the case of assets held by multi-signature technology, if Wyoming entities hold the majority of the private keys or have sufficient authority to control or leverage digital assets held by private keys, then the assets should remain “located” in Wyoming. The existence of other non-exclusive non-control private keys used to ensure the resilience of holder’s assets by parties outside of Wyoming should not put the assets under some other state's authority.
* That custodial entities like banks and other fiduciaries may make use of multisignature technologies to add resilience to their custodial security and operational practices, and that such use should not violate their mandate to have exclusive control over the digital assets in their custody.
* That private keys held by fiduciaries under a time-lock branch of a smart contract should not be considered to be in control of the digital asset, and thus custodial, until the time-lock is activated. This allows lawyers and other fiduciaries the ability to accept emergency time-lock keys to protect digital assets against disaster and/or key loss of their proper holder.

There may be some other advantages and implications of multisignature technology and regulation that the office of the Banking Commissioner may want to research and suggest.

I would like to see the funding of an independent review of the technical software and hardware requirements to meet the new Banking Commission’s regulations for digital asset custodians. The current rules are great, but turning them into practice may turn up problems that can serve as feedback to Banking Commission’s policies. For instance, in my first reading, some commonly accepted digital assets practices like BIP32 derived keys don’t meet legacy FIPS hardware requirements, as FIPS covers only a small list of cryptographic algorithms that take decades to evolve. Other new blockchain tools like zero-knowledge proofs may also not follow legacy architectures. Digital asset custodians in Wyoming should be able to use best-practices of today, not of banks ten years ago. The funding for this research could potentially come out of application fees.

There are also significant threats to “Digital Assets & Property” that fall outside the scope of pure digital assets blockchain-related laws, but are related to technology. In particular, the use of DRM (digital rights management) by big corporations and laws against circumventing DRM (so-called Anti-DRM laws) aids parties as diverse as John Deere and HP in disadvantaging and disenfranchising property owners: they prevent owners from repairing their tractors or even personal cars; they stop computer and printer owners from upgrading their hardware; and they result in purchasers of digital books having their ownership revoked arbitrarily.
In addition, cryptographic researchers investigating the security of these practices or aiding property owners with tools to take control of their property are being arrested, deported, or sued even when such practices are covered by “fair use” laws. I believe this is a good time for Wyoming to take a strong stance against those leveraging anti-DRM laws to erode the rights of legitimate property holders in Wyoming. See https://www.eff.org/deeplinks/2018/09/defeating-drm-hill-climbing-our-way-glory

I had a few more general comments concerning the utilization of digital properties in Wyoming:

Cryptocurrency Payments to Attorneys. I’ve been told by several companies seeking domicile in Wyoming that Wyoming attorneys are saying that the Wyoming Bar will not let them accept cryptocurrency as payments. (This may or may not be true.) Other attorneys have also told me that their insurance will not allow them to accept custody of cryptocurrency for trustee & fiduciary accounts. I would like to see Wyoming lawyers be able to accept digital assets as payment, to be able to hold those assets in a trust account on behalf of their client, and to be able to hold a private key that is part of a multisignature or time-lock smart contract to help protect the resilience of digital assets held by their clients. These may not require new laws: it could be that these problems can be addressed by sending a letter from the Legislative Committee to Wyoming Bar and to Wyoming regulators of insurance for lawyers.

Decentralized Registration of Companies. At the final Blockchain Task Force meeting in Laramie last year, I presented a demo showing the opportunity to use decentralized identity blockchain technologies for the registration of corporations, which countries like Estonia have been doing for several years.
I demonstrated how a Wyoming resident could apply to become a registered agent, and upon approval apply to create a Wyoming corporation by submitting electronic documents to the Wyoming Secretary of State. This demo used approaches and international standards to avoid vendor lock-in. The demo was in support of moving the year-old HB0017-2019 "Commercial Filing System" from "study" to "implement". I have not heard since if there is any progress by the Wyoming Secretary of State on this topic, and I encourage the Commission to urge completion of the study and to fund any implementation.

Registered Agents & Blockchain Laws. I still have a concern that older laws and regulations about the requirements of registered agents to store information about their clients may conflict with some of the new 2018 and 2019 corporate blockchain laws allowing entities to use keys to represent stockholders. A registered agent should be able to offer other parties & authorities the ability to serve notice to their clients. Still, a higher standard should be held for the release of personal information of their clients, even if the registered agents are not lawyers. This may require some research by the LSO to see if these concerns are valid.

The LSO did not ask for comments about Digital Identity & Privacy. As an expert on these technologies and advisor to governments around the world about emerging best practices in these areas, I’d like to see future meetings of this Committee look into a number of these issues as well. I do believe these can impact and restrict Wyoming’s ability to be a leader in attracting Digital Assets & Property businesses. In particular, given current events related to COVID19, enabling new practices such as contact tracing, immunity credentials, face recognition, biometrics, and others without sufficient regulation may significantly erode the expectations of privacy by Wyoming citizens.
Thank you for the opportunity over the last three years to address the Wyoming Legislature through my testimony. Let me know if you need more details on the topics above or if there are other ways I can be of service.

Regards,
Christopher Allen

----

## FINAL TEXT FOR LAST MONTH'S CA Testimony [verifiable health credentials]

A final version of this Verifiable Credentials bill passed today. First bill I know of authorizing the use of Verifiable Credentials.

A short video: https://share.medcreds.com/WnubKWwO

Bill: http://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201920200AB2004

— Christopher Allen

On Tue, May 5, 2020 at 1:58 PM Christopher Allen <ChristopherA@lifewithalacrity.com> wrote:

I testified virtually today (Tuesday, May 5th, 2020) in CA Assembly Room 4202, with qualified support of:

ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION (Ed Chau, Chair) on AB 2004 (Calderon) – As Amended March 12, 2020

SUBJECT: Verifiable credentials: medical test results

SUMMARY: This bill would permit an issuer of COVID-19 test results or other test results to use verifiable credentials, as defined by the World Wide Web Consortium (W3C), for the purpose of providing test results to individuals. The bill would also require that verifiable credentials issued for this purpose follow the open source W3C Verifiable Credentials Data Model, including incorporation of decentralized identifiers, verifiable credentials, and JavaScript Object Notation for Linked Data (JSON-LD).

Video at https://share.privatemedcreds.com/lluDExQ8

After the testimony, this bill passed this committee to move forward to the next stage for additional deliberation & amendments. There were some problems with audio quality, so here is the full text of what I wanted to present.

— Christopher Allen 510-908-1066

My name is Christopher Allen, and I am the founder of Blockchain Commons, a benefit corporation supporting security infrastructure, software development, and research.
I also speak on behalf of the broader international standards W3C Credentials Community Group where I am a co-chair. My past achievements include being co-author of SSL/TLS, the broadest deployed security standard in the world, and the basis upon which most Internet traffic moves securely.

As regards the subject matter of this bill, I am not a lawyer, regulatory expert, or lobbyist, but I am one of the leading experts on the new security architecture known as Verifiable Credentials and Decentralized Identifiers, the first being now an International Standard through the World Wide Web Consortium, the second in late stages of the international standardization process after 5 years of incubation.

As far as any questions in regards to these underlying technologies themselves for the use by the State of California I do not have reservations — these new technologies offer a number of privacy by design features and address security issues that legacy credential and identity technologies do not. Organizations around the world including the US Department of Homeland Security, the Canadian government, Taiwan, New Zealand, and a number of EU nations are committed to moving toward solutions using these new architectures.

My reservations regarding this bill are less about the efficacy of this technology, but the immaturity of robust health privacy and risk models, adversary analysis, and expected public health benefits in regards to the future use of these for specific public health purposes, which were not included in the original use cases originally defined in these standards. In particular, I feel that specific use of Verifiable Claims for Immunity Credentials requires additional risk analysis and possibly additional legislation.
For instance, given the current lack of understanding of the effectiveness of COVID19 immunity test from the public health perspective, I have concerns in regard to the success of the suggested outcomes if an Immunity Credential was rushed to market too soon. In addition, I believe that the use of immunity Credentials may have discriminatory effects that may require additional work for the Assembly to address, such as including whether NOT having a disease can be used as consideration in layoffs, the ability to get fair compensation or unemployment or to apply for disability.

However, I do believe that if the State Assembly is going to authorize some form of investigation, proof of concept, or implementation of new privacy-preserving health care technology, that Verifiable Claims and Decentralized Identifiers should be authorized as being acceptable, as they are the safest architecture available today. Implementors still need to be careful with the details — it is still possible to use these tools in ways that may compromise their intended goals for security & privacy. That being said, continued use of the current extremely fragmented legacy architectures for identity and personal health information in the health care community has higher risks.

I urge you to support allowing the use of new Verifiable Claims international standards in your regulations.

Thank you for the opportunity to speak before the Assembly on this topic. Let me know if you need more details on the topics above or if there are other ways my expertise can be of service.

----

Manu Sporny via lifewithalacrity.com 6:47 AM (4 hours ago) to public-credentials

On 6/9/20 2:17 AM, Tony Rose wrote:

> My focus as a member of the SSI community has been to seek guidance from
> experts in our community and provide a definition that encapsulates what
> a verifiable credential is: Private, Secure, Portable, Verifiable, and
> Non-Correlatable.
Since we're dipping our toes in legislation, I'd like to point out that your definition above for what a verifiable credential is -- is not always correct. In some cases, the definition you provided is dangerously wrong. :)

If you are going to use a definition of what a verifiable credential is... use the one from the specification:

https://www.w3.org/TR/vc-data-model/#terminology

"""
credential: A set of one or more claims made by an issuer. A verifiable credential is a tamper-evident credential that has authorship that can be cryptographically verified.
"""

That definition was hard won over years of debate. Specifically, noting the definition you used, a Verifiable Credential is:

* NOT private when it's published on the open Web.
* Correlatable among colluding parties if *any* correlatable information is included in the payload... and, some would argue, that this is the vast majority of VCs being issued today.

In other words, we have to be very, very careful to not infer that VCs are some sort of magic technology that achieves all the things that you listed all of the time.

My apologies if this comes across as overly pedantic... but you seem to be in a position where laws are being contemplated using this technology... and so, we have to be very careful about what the law is going to say on these matters.

---

Adrian Gropper via lifewithalacrity.com 7:08 AM (4 hours ago) to Manu, W3C

There's danger in pushing VCs in the context of patients / employees. We would do well to take the EFF comments on this law seriously. I wrote https://github.com/agropper/secure-data-store/blob/master/COVID-19_Health_Report_Use_Case.md#41-review-of-issues-raised-by-eff with this in mind.

---