Privacy Considerations: Addressing "unnecessary" usage of the API

[johannhof]

This seems to be one of the key Privacy topics we need to address for this API - how can DC protect users against illegitimate and/or unnecessary usage of the API. The spec cites an obvious case of "requesting a driver's license to log into a movie rating website", but we will likely see more nuanced examples going forward.

From what I understand, the definition of illegitimate can often be subject to government regulation. Obviously, this is something that DC implementers should defer to and provide the capabilities to support, and we could bolster the spec to more clearly define this requirement.

Where legitimacy is not clearly regulated, things get more interesting - to what degree can and should a user agent enforce its own protections?

It looks like this has been discussed several times as part of the incubation process, e.g. in #30, #35, #44 and #136. I don't think we can come to an entirely satisfying conclusion in the short term, but we should make an effort to reflect the state of the discussion and make sensible recommendations and requirements that we can agree on.

CC @npdoty @martinthomson @samuelgoto @bvandersloot-mozilla

[johannhof]

Another challenge here: Some regulatory environments may decide to filter / authorize verifiers at the Wallet level - this seems like a requirement that would be very difficult to reconcile at the browser level.

[johannhof]

Some very early but related concerns around overuse of real world identity by TAG members: https://w3ctag.github.io/web-no-papers/#overuse-of-identity further pointing to mechanisms like authorizing verifiers with separate credentials to ensure valid purpose for identity requests.

[simoneonofri]

Probably not exactly relevant to this issue, but one thing to avoid is using government credentials for authentication, especially in a verifier where the issuer is different from the verifier. If enforcement can be done on the API side, that could be a good thing.

Example:

1. I use my government credential to log in to the site where I have to file my tax return (OK)
2. I use my government credential to log in to the baker's website (KO)
3. I use my enterprise credential to log in to the site where I download my pay slip (OK)

I was told that example two was the result of a Hackathon related to driver's licenses, and in any case it is current practice - with Federated Identities - to use an arbitrary IdP to log in to an arbitrary RP.

[zoracon]

Linking a similar issue I raised: #317 (comment)

I was told none of this is able to get solved by the DC API. But what I am trying to get to the bottom of is what can. So instead of opening more issues that will get closed, maybe here is a place to discuss what is possible for the DC API to facilitate when it comes to verifier abuse and unnecessary requests.

[kdenhartog]

Following on from @zoracon question of "what can" be done, I'd like to also add are we placing restrictions on protocols or features that allow for the circumvention of unnecessary usage of the API? For example, are browsers expected to restrict access to protocols which are too permissive in their willingness to share credentials?

[marcoscaceres]

This issue asked for guidance on what constitutes "unnecessary" credential requests and how user agents should protect against them.

The spec now has a full "Unnecessary Requests for Credentials" section:

"Unnecessary credential requests are a key privacy risk to the entire digital credentials ecosystem."

This section covers intentional abuse, unnecessary requests without malicious intent, excessive data collection, and includes dedicated sub-sections for both government-issued and non-government-issued credentials with specific mitigations.

@johannhof, could you confirm within two weeks (by May 14) whether this addresses your concern? If we don't hear back, we'll proceed to close this issue.