20B/ Agency By Design (Privacy is not Enough)

From IIW

Agency by Design (Privacy is not enough)

Thursday 20B

Convener: Adrian Gropper

Notes-taker(s): Adrian Gropper 

Tags for the session - technology discussed/ideas considered:

Agency, GNAP, Delegation, Graph Databases, Capabilities

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps

Agency vs. Delegation

Learning Stack:

  • Me

  • My Agent / Fiduciary / semi-autonomous

  • Community

  • Vendors and Institutions

Relationship with companies

  • Dashboard for our lives

  • Portable shopping cart

CAPCHAS

  • Browser is not enough

  • Force APIs

  • GNAP

  • API in healthcare

How would an API World function

  • Intelligence

  • Choice

The GNAP at the IETF: https://tools.ietf.org/html/draft-ietf-gnap-core-protocol-04

Is server a bad concept

  • Ethereum as the ultimate server

Clear application? Needed a model how a real human uses / not the tech / highly motivated

Social Context is important to the average user

The back end is most important

Real estate “agents” vs. DSIY - Zillow - the GNAP RFC at the IETF: https://tools.ietf.org/html/draft-ietf-gnap-core-protocol-04

Adoption at the human level is critical

Few people will use a tool solely for privacy or security. The tool must be useful by itself, but it is possible to have privacy and security in an easy to use tool. We had one user ask us how to turn on security.

Delegate to enforce least privilege.

CLEAR is ambient surveillance due to convenience

HTML and JSON / OAuth 2.0 Token Exchange - support for delegation semantics ( https://tools.ietf.org/html/rfc8693 )

A password manager that puts the user in full control. https://sitepassword.alanhkarp.com/

Human-centric approach - SSI is the first step - not enough - agency and delegation go together

Counter the allure of “free”

The “thing” is a password manager

Agency by Design (Privacy is not Enough)

Adrian Gropper:

I’m not a fan of Privacy by Design.

In the industry are only concerned about compliance, very rarely talk about Human Agency

Privacy by Default is the opposite in some sense to privacy by design

The problem is that It conflict with community in many cases. (e.g. social credit score)

Cultural differences (EU accepts better centralization than US)

Delegation and agency are one the same thing

Agency is a much bigger thing and delegation is a mechanism that supports it

I want my fiduciaries to know as much as possible of me (e.g. my doctor, my lawyer)

Model Agency as hierarchy and delegation is the mean to have it.

Alan Karp: I can do many things that I want without delegation (delegation is only one part, a subset, of agency)

Doc Searls: Agency from the beginning was in the website (e.g. e-commerce cart). We can’t achieve agency in web browser. SSI gives hope to give us agency. Individuals have real power on that.

Adrian: Corporation, how people fell about … is the evil. Assure that we as individuals do not have the ability to delegate. They insist that we remain barefoot in the world. One aspect of agency is the role of protocols in order to eliminate the user interface component with all our interactions with organizations.

Doc: How APIs don’t have to be the ultimate instrument of control. We depend on APIs and then they go away.

Adrian: an api that expect to be a human on the other and is anti-agency by definition. We need api that respect the delegate. Authorization token. More friendly than OAuth. How you take a request and turn that into an authorization token that you can use.

Kevin Dean: How an API world would function? Any change to interaction model requires a backward compatibility. A user interface change the interaction model immediately. Agency will be offered by some commercial company.

Adrian: In healthcare we don’t have a choice.

Doc: Subordination effect that OAuth and . the primary actors are servers. We don’t have privacy because we are always delegating

Adrian: Think Ethereum and Smart Contract as the ultimate SSI server. It cannot sensor you, it does exactly what the SC was. There is no privacy policy with anybody.

Adrian: Running your smart contract in github as SSI individuals. Allowing the server doing the separation of concern between the author of the contrracts and the runners of the servers. So, server itself is not a bad thing anymore. You can now have your smart contract either public or private.

D. Crocker: My frustration is that everybody is very knowleadgeable. There are grand ideas but tends to be abstract. Is not clear how it does apply in real world application. What is driving this is a personal desire. Is not done for the average consumer.

Devin Dean: Only expert people can evaluate it. The average consumer cannot do evaluation on privacy.

Michael Shea: What is needed for adoption? This is a highly skilled audience. We are in the Windows vs Apple. There is a lot of work involved. We all know that the average user don’t even has a clue that data is being collected and 99% will not care about it.

Alan Karp: The complex interaction that you want is done under the hood. User never knew about the delegation that happen under the hood. Is possible, it doesn’t have to be difficult to the average user.

Adrian: We all associate Agent with Real Estate

Bill Wendel: Adrian is right there 2 million real estate licences.

Doc Searls: Organization of elements that already exist in the world. “Invention is the mother of necessity”. People doesn’t know the TCP/IP works but they use it everyday, they learned how to type in a QWERTY keyboard. You need to be motivated to learn new technology.

Z. Celine: I’m not a deep down technologist. Getting adoption at the human level is so critical. There are many people that are working on solutions. Over the course of the next year you will see very interesting solutions coming out. Easy to use, completely behind the scenes. We have to give them agencies without calling like that to the average user. I think momentum has started.

Karri Lemoie: 2 things: First, it is a lot of cycling concepts at the development level. And this is awesome. 94 DID-methods. Second, The average user doesn’t really care. We have the opportunity to build new business models based on this technology and this is the key.

Alan Karp: Usable Tool. The user use a thing when is useful. Delegation can do: enforce privacy. With agency I can do that in a way that is transparent to the user.

Adrian: I want to respond to Karri’s point with an example: People that take you picture or. They created a global biometric database. They share 1/3 of the revenue with the airport, they then go to stadium and other places that needs security gates, giving the service for free. They introduced Ambiance surveillance at scale. People is paying for the privilege of having an FBI db to a private company.

Adrian: Too much worry to the 93 Did-methods and not enough attention on the unintended uses that can be done.

Colin Jaccino: I think we have already the technology building blocks. On captcha is annoying, is a security control, that is needed only when you have human interfaces. https://tools.ietf.org/html/rfc8693

Adrian: Step back. We are the IIW, 80% is SSI. We are failing to do what is necessary for adoption. We are designing for the wrong thing. We have to design for my 1password replacement.

Colin: is challenging the ensure security and keep the use cases.

Philippe: I like the Agency. You have to take care to not kill the agency. You have to reverse the flow. Agency and delegation go together. As a human you are delegating all the time.

Michael Shea: Give all the biometrics to a corporation. In the browser world everything is free but everything is taken from you. What’s the counter, how do you count the alert of free?

Kevin Dean: We have seen a lot in internet. The services that respect privacy have to collect money from the user and they fail. The services that are free and collect data from the user succeed.

Michael: How do we get to actually use the agency?

Adrian: you do that through education and not through commerce. Is about Open Education.

Karn Verma: Other than education you see other means to bring agency in the realm of “must have” instead of “nice to have”?

Doc Searls: I think a couple of things: trying to educate people doesn’t adjust the screw that we are having. 2015 study: “People want to give consent to be followed everywhere”. We need instrument on our own. Something that is like the “browser” or the “app” was. Someone needs to invent something with UI that is “gotta have it”. We really need “The thing”. Then big corporations will come in. (like bill gates did with internet)

Adrian: Smart Password Manager. SSI password manager. Goes from 200/300 entries to one with thousands entities. The thing we are missing in SSI community. Is realizing that the UI is not gonna look like a web page in a service but is gonna look like an Authorizaton Server.

Alan Karp: I don’t agree. User needs an application centric API.
Adrian: In the SSI we are not talking enough of what we are talking now in this session.

Retrieved from "https://iiw.idcommons.net/index.php?title=20B/_Agency_By_Design_(Privacy_is_not_Enough)&oldid=23779"