Mobile First Digital Identities and Your Privacy
11:51PM Jul 28, 2020
Good evening everyone, and welcome to the next talk for hope. 2020. I hope you are enjoying yourself, and I hope you've been watching lots of hope talks we have Next up, Alexis Hancock who is from the E FF. She is the lead developer attorney for HTTPS Everywhere. And she's been doing web and system admin work for the better part of 10 years now since she graduated from Rochester Institute of Technology. Alrighty. And she's here to talk to us today about mobile first. So with no further ado, Alexis thank you very much for coming and over to you.
Hello, everyone. Thank you for coming to my talk today. I am Alexis Hancock, and
I am a staff technologist
at the FF sorry about the trip around there. And today I'm talking about digital identities in your privacy,
just went over my title
at Pff, I've been an ear for for about two years almost now, and I am the lead developer on HTTPS Everywhere web extension
project. And the tool that helps encrypt your web traffic online, and
are offered in in most major browsers, and I definitely encourage you to download it. And definitely encourage open source contribution to it. My other titles are also educator activist for close to 10 years now, and I have been mainly working in the space of helping others get their site together, essentially, when it comes to doing their work, educating others, or when they want to go organize in some sort of way. With this project FF I've done quite a bit of research when it comes to digital identity in particular and people's privacy when they're online with technologies with what that looks like and how does that get implemented in the world, rather than just looking at data in transit, what does that look like where someone is being able to actually obtain something and go forth safely and security and securely in all modes. So I usually go to a lot of rabbit holes, when I'm talking about this really broad vague discussion of internet and privacy. And so, the rabbit hole I'm taking you down today is something called self sovereign identity. Today I'm going to talk to you about what that means exactly the technologies that are involved with that, particularly with standards bodies like the web, the World Wide Web Consortium, which, if you're not familiar with. They also have like an entire organization dedicated to web standards so that's what the W three c is. And the international standards organization, and a few other examples that I will give to you today, around the implications of privacy concerns that we have the FF and that I have. And further discussion around disparities, around the digital first conversation. And what that what SSI can look like in the future, especially with marginalized communities.
Compromise threat models, etc.
different parts of identity you ask different people what identity is and what their identity is
you'll likely get different answers. I have very
common concepts of what a person's identity may entail here definitely doesn't encompass everything of what someone considers their identity. A lot of this is around like production in society. So, take that with a grain of salt identity is much more than this, obviously, but some of the things you may have as certifications, degrees, government issue ID the numbers of course would be a very authoritative authoritative stance and your identity as a person, as a citizen emails and emails very important because you sign up for a lot of online accounts via email. There's other ways to sign up for online accounts now with like single sign on through. Like maybe Google profiles or Facebook profiles some sort of authentication that way, but generally the standard way to sign up for something is through email so your email may be tied to many sorts of identities that you may have online in different groups and different services. You may have publications may have blogs, you may have academic research. You may have just, you know, whatever forms that you may be involved with with commentary that could look like different things, your job. A lot of people, tie in their job to the identity or it may not. But it's definitely a part of who they are, in the day to day function
may have some awards out there that you may consider a part of your identity
and much much more hobbies, whatever activities you may be into. These are the things that go forth and form and shape who you are. And that also considers your past and what your future ideals are, and your principles, but I'm talking about more tangible things of course as you can see
with the examples that I have in here.
The concept of the self sovereign identity.
Something has been in development since the early 2000s especially
when people have been considering what does identity look like online.
so sovereign identity has claims or one's identity, the, you know, they're the data pertain to one's identity is controlled by you, and without having to go through the intermediary party or a centralized authority to verify who you are in different scenarios, so its core, theoretically, identity credential should be asynchronous decentralized and portable.
these go against the principles of centralized authority and identity, we may have with like mobile driver's licenses or sorry, driver's licenses. In particular, or, you know, presenting any other sort of form of identification like social security numbers like those things are generally portable by you know paper card, or whatever material that it's made of. But the sense of being able to verify who you are usually have to go through a process to do that.
the part of the process here and maybe with your health data or having to get a referral or having to renew your license, things of that nature. So, one of the models I wanted to talk to you about is the W three c verify credentials data
So, this is not in itself a technology.
This is a data model that mentions many
and a verifiable credential
has been defined to be just a claim that is trusted between issuer holder and a verifier.
And you can read more on that specification. But the model that gets displayed here something called like the issue holder verifier trust model, it's not really a fancy name or term for it,
I believe, but
trust model you'll see here with the holder. An issued document from the issuer. They have right privileges to the verifiable data registry and verifier will have read privileges
and holder will be able to present a immutable piece of identification
digitally to the verifier.
So, this is what the trust model will look like. In its most bird's eye view form
a part of the verify credential
is something called decentralized identifiers.
So decentralized identifiers,
or D ID is also an Working Draft with a W three C, and it's a portable URL based identifier, also known as the ID, like I said, with associated with an entity in particular, and it's really important to highlight the context in the ID of where the D ID is referenced and this is a decentralized piece that you're alleged to be able to be portable from repository repository to verifier or another verifier without blinking. Personal identical identifiable information. With these multiple verifications in different places with your D ID, you should be able to express some sort of authentication of who you are. With that D ID, that's the concept around this. And involved with that would be something called JSON LD. So there's other types of specifications and technologies that talk about linked data sets and what that can look like within a decentralized decentralized identifier documents or D ID, but right now we're just going to focus on with the major ones which is Jason link data and link data is a concept that programmatically it's been discussed for a while. There's a video here explaining JSON LD but the irony is not lost on me that I was about to play a video with in a video and
I won't put you through that.
So, built with this
in mind was restful services, a lot of restful services, follow JSON object notation. So that's data interoperability and unstructured databases, so unstructured database databases will look like things like MongoDB couchdb, those types of databases and juxtaposition to the more traditional databases like SQL.
So you'll see highlighted here context that ID
and context and Id are very important and pieces, and I would say the most important pieces when talking about a JSON LD set. And this gets incorporated into the D ID document. So you'll see context and Id there so those two things are very important. And this would qualify as a Jason like data set, and being able to use some sort of authentication you'll see some service here. that's in context and public key infrastructure sets here that are linked here within the data set itself in the document.
So, another piece of technology to disk
gets discussed, often is something called blockchain. If you haven't heard of it. But, peer to peer distributed Ledger's is the main concept of blockchains right.
So our blockchain based technology.
And you'll hear blockchain get brought up in talking about decentralized identification measures where you're talking about Messer, actually the storage of the decentralized identifier, in particular and storage in a distributed ledger. So having something that's immutable.
Easily tracked through a party that notice,
allegedly decentralized and being able to not have to go through a centralized authority to gain such, and to access such. So that's usually where blockchain comes in, when we're discussing these things.
And it's not a requirement. So, the specifications that we discussed like verified credentials they discussed that blockchain is not required but they do mention that it is a possible implementation for a data registry.
So going into a another standards body,
talking about international standards organization. Here, and the mobile's driver's license application
or MDL for short.
And here you will see that the MDL interface will mimic the same trust model that we saw earlier with the verify credentials,
you'll see an issuing authority.
Mobile driver's license holder and a MDL reader. And that will be presented by whoever the verifying party is.
So, in this case.
This makes the technologies that we mentioned earlier. A little different because this explicitly states something that's on your mobile device, whereas the previous technology we talked about doesn't necessarily explicitly say your phone or your tablet but you would generally consider that's how these technologies would get ported, even though they discuss it in more broader range as in like using it in web applications. This in particular, is it narrows the scenario down to using it to your phone. And this is a very much so bird's eye view of what could happen in terms of being able to exchange a document
or your phone instead
to verify who you are to an authority that asks for something like a driver's license which
you would think, the, the first
scenario pop in your head would be law enforcement.
particular standard talks about examples where, you know, you have to give over a documentation or a piece of paper or whatever the material is for a driver's license, you would have to actually physically Hand it over, and it would list all the information
that you would normally have
to the party, and it may be a little bit of oversharing so you may not want to share your address with the party that's asking for your state ID, but you have to hand over the whole document. This was presented as a means of actually
alleviating that and
not necessarily having to hand over all information on your driver's license. In particular, or your ID in one setting but just having to having the choice of which pieces of information you want to get over that are relevant. So, of course, I'm skipping over with. mdl at the moment, the concerns that surround that, because you can get into situations where it'd be maybe a hostile Miss mismatch with law enforcement where they ask for more information than you really get what happens in those scenarios. So mdo spesification particular talks about you know a lot of things like cipher suites Bobo all specifications that I discussed, go over the, the security concepts that they would use and the types of session encryption, they would use. But actually, before I get into the privacy concerns, in particular, I do want to share with you
some documentation here
What that data exchange could look like with a mobile driver's license. So Once activated, you'll see it activated through something maybe like NFC or barcode. And you'll see that transfer device engagement would occur, and very cyclical relationship between the tokenized data set that or the token authentication. That would have with a mobile driver's license reader. So, when the MDL reader asks for this this could happen a number of ways NFC Bluetooth Wi Fi aware, a web API or web application particularly or open ID connect or oh I DC. And this is a token set so we'll say that token what send the, the needed authorization to be able to verify
the person holding the mobile driver's license with the verifying authority.
So, this I tried to make the black and white graphic from the spec, look a little bit more interesting. But either way, this is the graph that they had for the data exchange in particular. So data retrieval will look a little different, and setting where they talk about that session encryption piece, and they talk about what they use, and what type of hardware modules you would need in order to actually store this type of information on your phone correctly, and what type of specifications to verify with me.
So let me go back to discussing privacy concerns.
I talk about what that looks like when
you have discussing these digital ties identities, and a lot of discussions I've had a lot of low risk situations get, you know explained like, you know, verifying you for 21 to a bouncer rather than giving your whole information set from driver's license. But I've seen in the wild, very risky concerning
scenarios, talking about
different sorts of ways verify credentials implemented in particular with COVID-19 pandemic that's currently happening with immunity passports and verify credentials immunity passports are not just simple immunization results it's something that's, it's a new type of document. It's a piece of health verification that would
this banned you from actually being able to turn somewhere or venue, or possibly keep you from coming back to work, or possibly keep you out of some sort of area in particular if you do not have the needed antibodies, and according to health experts immunity passport and immunity testing is very very elementary right now. And the research for it isn't solid so we are concerned about the discussion around immunity passports, with verify conditionals because of the fact that this is something that's not necessarily standardized within the communities that we have we don't really have something where I mean the passport is a norm for different diseases. So, presenting verified credentials doesn't necessarily solve the problem of the meaning passport itself, and immune privilege in the US, in particular, has a very long history of discriminating results.
that, I'm sorry.
With that said,
with self sovereign identity and nationalize IDs.
This become concerned when the private
sector is using SSI based technology and thought to kind of deviate away from the privacy recommendations and sort of push their products through by using decentralized IDs or some form of verify credential, in some way, and
we're concerned that
Dave may go and say well this is a secure technology. This is a very well built, engineer technology from a standards body we're going to use this norm to push out and nationalize on federal ID, and that's not the direction we want to go. We don't want to have a nationalized ID database for everyone to adhere to. And you have seen that go wrong in so many ways, especially in places like India, where there was a massive data breach with nationalized ID system and a large amount of discrimination, and also been been implemented in Latin America and that's also come up with a lot of concerns. One of the examples that I have is the clear company. You may have seen it in an airport. Next to TSA precheck is pretty much privatized TSA precheck and for those of you don't may not know what that is it's just expedited way to get through security in the airport by going through a certain set of background checks and then when you get to the airport you're verified, to be able to expedite your way through security because you've met the requirements. How arbitrary they may be to go through airport security and clear offers TSA precheck in that way. And they're not just a TSA precheck company they offer themselves up as a digital identity platform. So they have actually pushed through something called
And they're advertising this to employers, what this could look like for them by having like some sort of way of the member identifying themselves through biometrics and biometrics is something that has been very much so discussed as something that would not necessarily guarantee privacy or security in the context of verify credentials this starts marrying actually more so to your identity, than it would if it wasn't in use. So
this is an example of something that's been very worrisome.
When discussing verify credentials with other parties where
it's not discussed, where
there could be some sort of discriminatory practices play,
or some sort of
repercussions that could happen because of the fact that you don't have your health pass and what
occurs there. Digital first and digital disparities.
So we want to talk about how the fact that, you know, even though smartphone access has been increased even though. Overall internet access has been increased it's still very much a huge divide especially in the United States have access to broadband internet. Even though the specifications talk about how like offline storage could possibly occur with digital identities. Things update things need to change within your phone system the operating system and often, more often than not, people don't carry the latest and greatest them all the time so they can be susceptible to certain things that may occur as something that's a non factor for someone who has high speed internet privilege to be able to access a new phone at the drop of a hat. And since in the United States we pay the most for
have a slower speeds among nations with similar development, that's something to consider especially since 23 point 4 million rural Americans internet speeds are so low, and with the digital divide. You can't necessarily say that we can get behind digital first identities, because of the fact that accidental access is closed off and gap, until everyone is receiving high speed internet and doable, access to new technologies phone software updates,
You can't push through digital first identities,
or you'll just exacerbate the digital divide that's already there. So we want to talk about self sovereign identity and harm reduction because self sovereign identity as a concept in digital AI DS as a concept isn't a bad thing inherently. These things can help in probably certain scenarios especially low risk scenarios with low correlation of personal identifiable identity information, especially with the age 21 scenario that given a lot device fingerprinting still exists, so any application that uses this in particular and asked for access to a D ID, in particular, or uses it should be restricted from using the rest of the phone's ecosystem that could automatically marry and make a high correlation and a unique ID, based off the information that's passed through. So we definitely need a structure for that for applications that use this.
And sole sovereign identity.
Things like verify credentials and community, and COVID immunity passports. You don't want to introduce new potential barriers for someone, especially if they're marginalized, especially if they're already struggling, especially if they're going through something like we're all going through right now with the pandemic. We don't want to add more stressors on a person's life. By implementing a technology that initially was marketed to be helpful.
And continuing that line of thought digitize SSI,
as a requirement situations with central authorities and law enforcement, that's always going to have an imbalanced relationship so we talk about driver's licenses when we're talking about anytime that we have to go to an authority. This defeats the purpose of the overall discussion around having your own ownership around data, and having your own ownership that's decentralized and having a portable identification and not have to go through an intermediary to actually be able to prove who you are or carry who you are with you. And if you should have the choice whether or not you're going to prove or carry who you are, to law enforcement. Through this means in particular, you should have access to be able to minimize contact if needed. And if you push through something like digital IDs first or mobile identification first that could cause some issues, and handing over your phone to law enforcement may not necessarily need especially when you have technologies like NFC where you notice with a knock a four centimeter range right or Bluetooth technology with the ranges a little bit more. Even then, those scenarios can be hostile because with the officer just asked for your home phone wholesale because their verifier or their reader isn't working, or some sort of scenario that could could occur where they may ask for your phone altogether or they may ask for you to unlock your phone, even though, potentially with some of these specifications they say that you can actually preset and be able to transmit your digital ID without having to unlock your phone. These are more theoretical and they haven't been really displayed in the wild or
deployed in different states as something that's been successful yet.
So, we shouldn't assume these scenarios that they're going to be safe just because we implemented a secure way to transmit data.
So no matter how well engineer. Some, something is in particular, especially
with data in transit and data at rest, there's always a risk for a breach, nothing is unhackable. We all know that. So, in particular with data breaches we've seen that with nationalized D Systems I've mentioned one in India, where they had a data breach, and loss of information was leaked everywhere. In terms of what type of information that the citizens had, and that in turn
has a discussion
around, whether or not that digital first or a large set database that's centralized somewhere, is a good idea.
even though we're discussing decentralized ID. There's 40 is a half have massive amounts of data around about us with, you know, driver's licenses, etc. And having all that information in one place, and being able to issue it to a person and so they can have it portable doesn't really necessarily answer that question, or help it in any way. So issuing authorities have notoriously had issues with also updating status in a system. Lots of bureaucracy, it could be late paperwork, it could be delayed paperwork. And we should not tie these same systems with law enforcement. So, having digital first with law enforcement may not work out because things like license plates readers can be notoriously outdated, to the point where out here in the Bay Area. There was someone pulled over in a car that was allegedly dated as stolen when actually it was a rental car that was redeemed from that scenario when it was stolen someone's prior, and given to a rental company or they acquired it in some way, but in a police. The police saw in the license plate reader that it was a stolen car, so they pulled people over, and it was a very hostile situation and it could have ended really badly. If engagement occurred, you know, in any sort of way that was deemed quote unquote threatening.
we don't want to marry these systems together, where we have digital first in haven't solved the issue of centralized authorities and their issues with data and data keeping.
So considered following.
You get to build my reference. Cool.
But either way, with self sovereign identity.
We want to decouple
the constant need to verify one's personal identical identifiable information to gain state benefits. That could be an idea or, in many cases, there has been studies, when people try to go get benefits of Social Security they actually have to give a lot of information about themselves. Bill statements bank statements, so many things where something like self sovereign identity could potentially help, where you don't have to keep shoveling out massive amounts of data to social services or whatever sort of entity, you may have to prove yourself to in order to gain the proper benefits that you need, disability, or could be home SNAP benefits, or it could be some sort of housing benefits veteran benefits, etc. That's a potential police piece that could be explored SSI that acts as a temporary credential for services and facilities that normally ask for state or city based identification, thinking about New York City, in particular where they have the NYC ID, where they sort of took care of the need to have a state verified identification to enter and get free museum for day access or access library services. So I'm thinking that in low risk scenarios like this, where SSI can act as a temporary credential for a service or facility, you may not use all the time. You may only need to use it once every other month or you may only want to go, you know, to museum. This time of year for this exhibit, and you don't necessarily want to get a hold permanent credential just to go and enter maybe a temporary credential based off of information that you already given me for
so low risk scenarios online transactions that have
asked for state IDs, I know in particular that some online education platforms they ask for state identification they want you to take a picture of the front in the back, and send it to them and really feels unsafe to do. Generally when you do something like that. So maybe SSI can stay help here, like a bearer credential they discuss what bearer credentials are more in depth in the W three c spec of verified credentials. But basically it's a temporary issued credential, one time single use thing that you can go through and potentially not have to actually give over your entire driver's license information, just to take a course online so reducing that risk, reducing the surface area of someone's risk, reducing the amount of data that they have to give over. Those are great ideas, and it's all where SSI can possibly come in and actually be a good solution.
So, in conclusion, like I said,
we want to reduce the area risk we don't want to increase the surface area of risk with SSI techno solutions. Digital identities can be offered, but it should not be enforced. And unless data laws are standardized nationally we should not trust centralized entities in implementing digitized credentials, and in particular I'm thinking about
covert immunity passports, where
the state government is in California is looking into. And there was other countries as well believe Germany, or the UK was looking into immunity passports were their centralized authorities that wants to implement something that generally doesn't have a premise, and it doesn't have a good premise if, if any, so unless data laws actually are enacted to protect our privacy on a national level in your country, and especially here in a unit in the US. We don't want to push for something like this where. Because there's the technology that is there and present doesn't necessarily mean that the technology is the solution itself. If the inherent concept causes risk and harm and possible discrimination in future. You don't want to push an idea through, simply because you have all your needs met on a level of like okay we have strong encryption strong encryption doesn't necessarily mean that the concept of itself is a good idea. So you want to implement good security standards. But what does that mean when you implement something that person has to tie to their identity, that wasn't there before. And now they have to account for this piece of themselves as well to authorities to venues to their job. They want to think about things like that. So, I want to conclude this with technology is political. This farm and dynamics influenced by society so we can't sit there and say that we're going to completely do something or roll a product out saying that, hey, we're using this web body standard we're using this standard. We're using using this in order to accomplish certain technical solution that may be pushed through. If you're not thinking about who you're impacting, or you may harm or who you're helping all together at once. You don't want to push through a technical solution. You don't want to use the technology itself as a reason to implement a particular idea. You want to implement the idea, because you want to actually help the your, your community, help society, and not cause more harm or more ways for someone to account for how someone else can know about who they are online, or another data breach, because of the fact that there's yet another data set out there that exists that shouldn't have existed in the first place, or someone shouldn't have had access to in the first place. Thank you so much for listening to my talk, and please download HTTPS Everywhere for Firefox and Chrome, and I will be here waiting for your questions, so thank you
and welcome back
everyone. That was the pre recorded session. And now we're going to go into q&a with Alexis, so I see some of you have been putting your questions into the matrix chat. If you haven't and you have questions for Alexis please head over to session q&a and type in a question for her there. What we've seen so far there's a few people have thanked you Alexis for your work with HTTPS Everywhere I think several of us use that tool and very happy to see that you were doing that work. The other thing that came up was a question I know you answered in the chat for those that can't see the chat I'll just read it out with Dino Guinea. If there is any existing precedent for US law enforcement reading NFC data of an arrested person with or without a warrant, and and so you know you indicated that you haven't seen the legal precedent that although I think we all know that that happens. But certainly that's something to keep an eye on. One of the other things that you had mentioned in your talk was until the digital divide is no more so. Is that just a very optimistic view Alexis, or did you just not want to let your pessimism show through.
It's my optimism trying to cover my pessimism as I try to strive for, for a better future digitally. So, if I don't believe in a certain goal then I'll begin with the use of all my organizing right what's the use of doing these talks What's the use of educating people if I don't think that there's a possibility one day that the digital divide can close I do think there's a way of addressing this especially with broadband. In America, in particular, and the access to it, and getting fiber as a priority. But until then, I do not want to see efforts saying that they want to roll out things digitally and things that are connected to the internet, where the access to internet is highly variable from state to state, County county neighborhood to neighborhood. So that's mainly just me trying to establish a baseline, more than anything.
Awesome. All right, so we have a question on what you were talking about the question is have you looked at the California REAL ID standard at all and do you have any opinions about that.
So haven't looked at it in depth, I looked at it from a bird's eye view, because the REAL ID measure has hit, you know, pretty much most of the states in some way, at some level so New York's REAL ID. This, this general indication saying that you need a certain amount of security credentials on card or indicators on a card to suggest that you know tampering has not been done to that particular document, and it's been a lot of issues especially how expensive it can be to switch over to Real ID, in particular, and also, obtaining an eye and REAL ID when you already have a driver's license possibly already have an ID and kind of going towards this more federalized standard of being able to travel. state. The state like I believe Pennsylvania had was basically told that they do not switch over to Real ID that US citizens need passports just to go to another state, because that has security indicators on it that they want it so there's been a lot of problems with real, real ID in general and E FF has definitely written on this in particular but I have not looked into in depth in California is REAL ID.
Okay. Super. And so we have that q&a channel open for any other questions but while we're waiting on that one question I wanted to ask you, you know you brought up the question of people asking in various different transactions for a state ID. And to what extent has FF been working around where that is invalid and how we can push back on that further.
So in particular with law enforcement, we have been doing a lot of work especially on the border. That's been the most contentious issue in the past couple of years where border security has been brought up as an excuse to over do sort of the the amount of investigation that a law enforcement officer will do when one person if they found some sort of probable cause or some sort of way to obtain more information than needed in a particular exchange. So, on the border in particular, especially with immigration issues, there was a student that had came into the country, and they try to get them to agree to certain amount of information sharing social media sharing so we've done a lot of work especially with that as of late, making sure that you don't have to unlock your phone for an officer, if they ask or you don't have to give biometric data, or you don't have to put your fingerprint on the phone, and generally we discourage if you go out and you feel like you may be a compromised person or has some sort of threat model that indicates that you'd be worried about. So that sort of thing with international law enforcement, generally indicate like do not have biometric systems, because of the fact that you can be subject to some sort of pattern of abuse by law enforcement. So we've definitely been doing a lot of work around that and trying to see where that goes with different cases.
Great, thank you. Alexis. Next question you just mentioned, being driven to make a positive difference. What advice might you give to other people, who also would like to choose projects and passions that will make a positive difference.
The advice I would give to someone who wants to make a positive change in the world is develop as much empathy as possible for the people around you for the struggles around you, and try to figure out how you can help. More than anything you don't necessarily have to start an initiative, you don't have to start a project,
you can just join one, see
the struggles that happened in for there, and you can usually find your place. My place has been in tech and tech activism. And I first thought I had to go out in March and protest and create signs, but then I realized, most of my friends and activist friends that were protesting didn't really have a good secure setup tech nology wise, and I realized I knew a lot more of my network than most people. So that's where I found my foot. And I started walking in that step so that's usually how you can find out is how you can help, and where where you can find your place. Usually, so I definitely say, you know, the starting thing just start looking start seeing where you fit in, and where your skills are needed most.
Do you think that the reduce friction of digital ID will lead to more demands for presenting ID in our daily lives.
Yes, I've already seen that happen with the specifications I talked about in the talk,
especially with the fact that
the immunity passport issue in particular where it was like okay we have a specification now that's been published. Let's start using it, and people have kind of been using the excuse of okay we have more ease and more ways of being safe with this, but then implementing something that is entirely new president in America Muni passports aren't a thing. So, people asking more and more for a digital identification or digital sort of validation or reference definitely seems like something that could be a more incurring problem, or reoccurring, so I'm definitely watching that so that's why I did this talk in the first place is to not only shed light on the specifications I've been published in discussing those but kind of discussing those in the context of where I've seen them in play in action, and try to get people to re scope it back to the privacy concerns that were listed in the first place about these particular issues when you're getting over a digitized doc document to someone to a verifier that has a relationship when you're getting over something especially to an authority like law enforcement, that has a relationship you have to address that dynamic is not even, so I definitely see that coming up more, unfortunately, and more negative ways and positive.
Absolutely. So we have a couple more questions that are varying on a tangent again. So I'm going to take both of them in turn, but if anyone has a last question on on the topic at hand, feel free to throw it in the q&a. The first one, back to the work you're doing with HTTPS Everywhere, which set of challenges, or the worst technical political or social.
I'm sorry. can you say that question one more time.
The question reads which set of challenges are the worst technical political, social, or whatever.
I believe the challenges are intersection of socio political so technology itself is not a solution in my opinion, Techno solutions are not something I advocate for when there's an existing societal problem when there's an existing political issue. I would much rather address the political issue first much rather address the societal issue first, before I start introducing technology.
Okay. You brought up. This is another one on the digital divide, so that this question of disparity of internet access, and quality of internet between communities. The questioner asks, Is the E FF doing any work to close this divide.
Yes, I'm so there's several initiatives and do know. We particularly work on broadband access and the definition of what robbery and looks like with the FCC there's a recent post if you go on the deeplinks blog on e ff.org, you'll probably see that post in the most recent order under a nest Oh Falcon, he's the author, and he does a lot of work around trying to address the issue of broadband because the FCC actually has a very low bar of what they define as broadband I think I brought that up in one of my slides with that 25 megabits up, versus down and trying to raise that baseline to where it matches other countries with similar developments. So that's one piece we do another body of work around right to repair, and I also think that has a lot to do with digital divide, because if you're not able to go out and actually be able to fix your own devices and get the proper management you need, and maintenance and not have to go through one singular proprietary entity, just to get your laptop fixed just to get your machine fixed in any sort of way. I believe that closes the right to, to the digital divide in some way, being able to actually have that access to the parts you need in order to maintain machining cut down on us and not have to buy an entirely new machines because your RAM is soldered in or your battery soldered in which makes me very mad when I see machines like that so
think there's other pieces of work that he does that helps to close the digital divide, but those are the two things and the two most active parts of it I believe I've seen as of late that we do a lot of work around.
So the last question we have actually plays off of that, I think, and the conversations we've been having, which is Can you summarize please. Our fourth amendment rights as they relate to being asked a digital ID, right. So, and for that matter, having digital ID taken without our permission.
That is definitely something that I feel like one of our lawyers would have a better time by
sure question right. Yeah. Um,
so I feel like the Fourth Amendment and being able to actually summarize, along with digital ID doesn't have a lot of legal premise yet.
but what I want to say around that is with your mobile phone in particular. You do not have to go and give over your device to law enforcement without a warrant. You do not have to talk to law enforcement. My first rule is don't talk to law enforcement, stay remain silent utilize that with the Fourth Amendment in particular. You do not have to give over biometrics data that's tied to the fourth member now with legal premise.
particular, unlocking a phone with biometrics.
Well, thank you again Alexis great talk great q&a, and unfortunately we have to wrap it there. But we hope everyone will hang around for the next talk. Thank you.