reporting abuse of credential requests

[npdoty]

Given the risk of abusive, inappropriate or coercive requests for high assurance credentials, the ability to report abuse is important for accountability of usage of the API.

Reporting could include to the browser vendor or to some browser-consumed safety service, but also to the relevant data protection authority or registry or auditor/trustmark provider if those trust assurances are also documented or provided.

https://github.com/w3c/credential-considerations/blob/main/credentials-considerations.md#reporting-abuse

[simoneonofri]

Something similar to Safe Browsing?

[johannhof]

I think this is a good recommendation, and it's something we could incorporate into privacy considerations. But I want to make sure you were not imagining this as a normative spec requirement, because this reaches quite far into implementation-defined land.

[npdoty]

This topic could include both non-normative text and normative requirements.

Interoperability is quite important if we want reporting to actually work across websites and browsers. Also, if reporting would include not just a browser-vendor-managed capability but also relevant regulatory authorities who have registered, reviewed or approved a particular usage, then some standardization would be necessary to communicate where and how to report abuse (an endpoint, a URL with a human-readable form, contact info, etc.).

[jyasskin]

It seems important to have an interoperable abuse-reporting system for this, but does this WG have the expertise to develop it?
Important expertise might include:

• Social network folks, who'll have experience dealing with abusive reports of abuse.
• Any regulators who've created forms to report this kind of abuse.
• The folks who collect telemetry like Core Web Vitals, since a pure list of who's collecting what will be useful to researchers, even without explicit reports.

I could imagine following the Web Push route, where the first version leaves the server side up to implementations, and then we standardize that in a second iteration.

[npdoty]

If the plan were for gradual testing and roll-out of this technology, then abuse and accountability measures could be more iteratively or gradually developed. But my understanding is that we are working on a rushed timeline because of an expectation of massive deployment to many millions of people across many countries in a rapid coordinated fashion. In that case, I don't think we should push off abuse as something to pick up as an optional protection later.

I don't think this WG needs to be a sole host for that conversation. But I also don't see signs of its happening anywhere else, and I don't think we should just all point fingers at other groups while letting important protections slip.

[c2bo]

Agreed that reporting abuse (and also more generally speaking aggregated signals for abuse) are going to be important topics to make sure the ecosystems can grow and evolve securely.

In the context of EUDI wallets, there is currently planned support for abuse reports via national Data Protection Authorities invoked from within the wallet. The idea is that the responsible DPA is provided in the registration information of the verifier and the wallet allows the user to start a report from a transaction or the transaction log.

The imho problematic part is that there are no standardized interfaces for these interactions right now, resulting in somewhat manual processes with rather bad UX imho.

relevant link of the on-going discussion: https://github.com/eu-digital-identity-wallet/eudi-doc-standards-and-technical-specifications/blob/main/docs/technical-specifications/ts8-common-interface-for-reporting-of-wrp-to-dpa.md

Things like https://datatracker.ietf.org/doc/draft-ietf-ppm-dap/ for privacy-preserving signals across the ecosystem might also prove to be very useful imho.

[timcappalli]

@jyasskin: It seems important to have an interoperable abuse-reporting system for this, but does this WG have the expertise to develop it?

No, and I would argue it is out of scope for our charter.

[npdoty]

In the context of EUDI wallets, there is currently planned support for abuse reports via national Data Protection Authorities invoked from within the wallet. The idea is that the responsible DPA is provided in the registration information of the verifier and the wallet allows the user to start a report from a transaction or the transaction log.

The imho problematic part is that there are no standardized interfaces for these interactions right now, resulting in somewhat manual processes with rather bad UX imho.

relevant link of the on-going discussion: https://github.com/eu-digital-identity-wallet/eudi-doc-standards-and-technical-specifications/blob/main/docs/technical-specifications/ts8-common-interface-for-reporting-of-wrp-to-dpa.md

Thanks for the link to the latest documentation there. This suggests a few methods for determining where to report abuse (either in certificates or in an optional lookup in a per-state registry?), and a few methods for doing so (browser form, email, maybe an API).

That flow suggests that reporting suspicious or illegitimate requests would require the user to affirmatively select a credential/wallet in the browser UI to present, and then from the wallet UI find the method to report abuse instead of presenting the credential. It's not clear, safe advice to the user to tell them to go ahead with a transaction that they find suspicious.

[c2bo]

It's not clear, safe advice to the user to tell them to go ahead with a transaction that they find suspicious.

In the current flows there is no DC API etc. - it is direct communication between Wallet and Verifier, invoked via custom uri scheme or QR code. That means the wallet call is the first time the user sees anything about the transaction.

My main motivation to link that was not to discuss the technical details of that approach, but to point out that other entities are also looking into this and we should at least try to align.