11I/ Identity Escrow - Accountability AND Privacy

From IIW

Identity Escrow - Accountability AND Privacy

Wednesday 11I

Convener: Sam Curren, Ken Ebert, Suresh Batchu, Kiran Addepalli

Notes-taker(s): Kiran Addepalli [kiran@digitaltrust.net]

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps

Link to Slides: https://docs.google.com/presentation/d/1kHoDZ-4BFjjJpVL1NnQVRMZdzTIDCddg31Q23Q4AwAw/edit?ts=606f6eab#slide=id.gd2e8d1fc4c_3_4

  1. Can the escrow hold the "Proof of the information" as opposed to the information itself.

  2. Mortgage Service - might seem to be an authorization to access the data directly or the issuer present directly.

    1. What gets put into escrow is flexible.

  3. Trigger event or a lockbox kind of capability. How is the claim released to relying parties? How does it eliminate mischief and false claims.

    1. There needs to be some accountability on the service provider to claim false releases. Automation may not be able to completely eliminate false triggers, some level of human intervention for complex cases.

    2. Contractual wrapper for

    3. Technical and legal framework for accountability.

  4. Don’t have data but key to unlock the escrow. So that no insider can unlock the data. Separating the data release from the encryption release would be better.

  5. It is better to hold proof of data. Because of the risk and liability, it can create incentives to escrow providers.

  6. We should chat about the CDDE (Community Distributed Data Escrow) that we have developed with UN, WEF, NYU Gov lab for data handling in disaster settings. Very related to this. Blind trust, etc. for self shielding.

  7. Niels van Dijk - Encrypt the personal data with a future data - polymorphic pseudonyms one would encrypt using the keys of the future recipient. polymorphic pseudonyms one would encrypt using the keys of the future recipient.

  8. In terms of using standard semantics for this (with receipts as a mechanism for escrow) then e.g. A contract notice receipt would have the rights for the contract associated - and the notice/rights are the escrow container (or semantic container)

  9. Incentivizing the users to keep the data fresh with the escrow service.

  10. Escrow is nice concept because of its “just in time” element of availability. NFT market would benefit from Identity escrow.

  11. Escrow concept is also great to explain what we might see as a transaction receipt with a credit card. In which payment is shown in escrow - at checkout..

  12. Legal interoperability across escrow agreements can be partial and still useful.

Just like ALL contracts now have identical bankruptcy clauses, whatever the context. All escrow agreements may share a subset of terms.

  1. Agree. Seems like this could be very useful for Estate Planning/generational transfers etc, where there are not only multiple parties involved in a transaction, but transactions that unravel over time?

  2. Acting from beyond the grave! Like trusts. Beware the rule against perpetuities!

  3. Guardian in case of incapacitation

  4. If escrow takes liability without knowing what data is being saved. Daniel - Verifiable Encryption . If the key is the one that is generated by the Escrow service, then they know that they…https://link.springer.com/chapter/10.1007/978-3-540-45146-4_8

  5. There needs to be uniformity of standardized contracts. That constitutes governance itself. Constructions , bankruptcy clauses, like standard contracts. Escrow can be provisional things but practices will grow and become institutionalized down the line.

  6. Community initiated distributed escrow - every holder of the data and escrow agent. If there is a trigger, the data sharing.

  7. Scott ! - that’s why we should use internationally standards semantics for the Escrow framework .. Identity Governance like a PII controller.

  8. Cryptographic commitment - potential substitute for escrow service.

Humans dwell in cure periods for default. We defaulters all!

Contracts can be formed by mere humans among themselves (P2P duty creation) - Public laws cannot

Contracts require less process and are more nimble. Public law isn’t

No administrative procedures act for contracts.

  1. Harder to pre-consent. Query whether might have a problem under the EU “derogation” position on GDPR. Does pre consent to trigger of release of Identity constitute an unpermitted “too general” consent?

  2. If contracts cannot be understood, there cannot be a meeting of the minds. If there is no meeting of the minds, the contract is voidable from formation. How deal with unconscionability issue in consumer/citizen facing contexts. Interesting note: Most people have no idea how escrows work.

  3. Standardized contracts are reviewed by an "AI Lawyer".

  4. So, here is another possibility. Identity escrow makes it possible to instantiate GDPR type rights IN ANY JURISDICTION. We can form GDPR community in US?

  5. So, here is another possibility. Identity escrow makes it possible to instantiate GDPR type rights IN ANY JURISDICTION. We can form GDPR community in US?

Links that came up during the call:



• Feedback loop into privacy law: https://kantarainitiative.org/confluence/display/WA/Privacy+as+Expected%3A+UI+Signalling+a+Consent+Gateway+For+Human+Consent