[Discuss] This API should address the Jevons Paradox around increased consumption of verifiable credentials and the rise of their abuses about digital-credentials HOT 9 OPEN

FWIW using intentional friction to reduce the likelihood of abuse is exactly the direction I've proposed for Chrome's implementation. I imagine some way of computing a risk score (eg. anonymous age verification is lower risk than known unique ID sharing or unknown arbitrary data sharing), then adapting the Chrome/Android UI in response to the risk score. I imagine the details are something we would need to experiment with and iterate on over time, but the principles for enabling such a tradeoff space seem good to be discussing now.

from digital-credentials.

I imagine some way of computing a risk score (eg. anonymous age verification is lower risk than known unique ID sharing or unknown arbitrary data sharing), then adapting the Chrome/Android UI in response to the risk score.

I generally like the direction of this. Most claims could likely be naively calculated (EFF has a good blogpost on this) based on a number of bits of entropy they reveal in which case we could warn the user about this and suggest that too much information is being requested/add additional friction.

from digital-credentials.

@kdenhartog will you be able to join any of the upcoming calls?

from digital-credentials.

@kdenhartog will you be able to join any of the upcoming calls?

Yup, I intend to. Are the events listed on the WICG calendar or on a separate one? Also, let me make sure I'm a member of the WICG.

from digital-credentials.

@kdenhartog will you be able to join any of the upcoming calls?

Yup, I intend to. Are the events listed on the WICG calendar or on a separate one? Also, let me make sure I'm a member of the WICG.

@kdenhartog Apologies, missed this comment. All meeting details are here: https://github.com/WICG/identity-credential/blob/main/README.md

from digital-credentials.

@npdoty do you think this is something that PING should discuss vs this group?

from digital-credentials.

do you think this is something that PING should discuss vs this group?

+1 from me. In my opinion, PING and TAG should both be weighing in on these topics early to make sure there's general alignment between the goals of the API and the broader web architecture goals before we start committing to particular solutions.

from digital-credentials.

Definitely a question that PING should discuss, and I've opened a corresponding issue for the w3cping credentials considerations doc.

But also good for the identity-credential group to consider in API design, how we intend to limit overasking or how to introduce friction to prevent that particular trend towards a bad outcome.

from digital-credentials.

We agree that this is a concern. Excerpted from Mozilla's standards position:

A Web that follows our principles respects an individual’s choice about the identity they present to others. This is an essential part of making the Web a safe place for everyone. Credentials offered by governments and similar entities generally do not recognize this aspect of identity.

The potential that requests for digital credentials might become an expected part of online interactions exists and could damage this important characteristic of the Web. There are very few online interactions where providing identity is truly necessary, but many where sites (and governments) might prefer that the identity of a person be known. Increasing requests for identity does not mean a trivial annoyance. It could mean that people might be excluded from services and communities when they cannot provide credentials or instead choose to protect their privacy.

During the last meeting we discussed that it would be useful to decide what use cases are abuse and which aren't, and I think Jevons Paradox is a useful lens to use when building that distinction.

from digital-credentials.