A very important point in today’s Apple #VisionPro announcement was that eye tracking is processed in the M2 Secure Enclave (like keys are). This is because it can be a huge risk to security and cognitive liberty… https://twitter.com/ChristopherA/status/1168260553921433600

Mon Jun 05 22:35:24 +0000 2023

“By tracking the eyes of someone sitting in front of a computer viewing a scene, researchers can measure “scanpaths”—the order in which somebody looks at an image or scene—or create “fixation maps,” in which the time that the eye lingers” https://www.aclu.org/news/national-security/privacy-invading-potential-eye-tracking-technology

Mon Jun 05 22:35:26 +0000 2023

Eye tracking can reveal secrets (birthday, credit card PINs, political & sexual preferences, and more) https://link.springer.com/article/10.3758/s13414-010-0001-x

Mon Jun 05 22:35:27 +0000 2023

Eye tracking can also be used to magnify persuasion: https://futureofmarketinginstitute.com/the-metaverse-from-marketing-to-mind-control/

Mon Jun 05 22:35:28 +0000 2023

So I commend Apple for making these threats more difficult. But diligence is still required so that Apple doesn’t misuse this data.

Mon Jun 05 22:35:29 +0000 2023

“After Meta’s presentation, Stark said the outcome was predictable. And he suspects that the default “off” setting for face tracking won’t last long. “It’s been clear for some years that animated avatars are acting as privacy loss leaders,”” https://www.wired.com/story/metas-vr-headset-quest-pro-personal-data-face/ https://twitter.com/ChristopherA/status/1665849832966168582

Tue Jun 06 17:56:22 +0000 2023

“At the event announcing the new headset, Mark Zuckerberg, Meta’s CEO, described the intimate new data collection as a necessary part of his vision for virtual reality. “When we communicate, all our nonverbal expressions & gestures are often even more important than what we say”.

Tue Jun 06 18:00:12 +0000 2023

Replying to @TimoGlastra

Not that I know of, partly related to the fact that JWTs require replicating the canonical data, making multiple signatures large. In general, VCs are also not able to have multiple issuers. With signed Gordian Envelopes you can have both, or aggregate them privately in quorums.

Wed Jun 07 16:26:51 +0000 2023

I like this paper, written from a philosophy perspective, on “Hostile Epistemology”. It aligns with my own thinking about various forms of “adversarial analysis” which is how I approach design of security & trust systems. Why do we, as individuals and groups, make bad decisions? https://twitter.com/add_hawk/status/1666486887991894017

Thu Jun 08 01:13:51 +0000 2023

RT @ArcadeCityMayor: Best opening slide ever 👍 ⁦@LeaPetras⁩

Mon Jun 12 04:14:42 +0000 2023

That wellness data can be used against us. Imagine if some politicians had their way in the US and threw out the ACA, allowing insurance companies to discriminate based on the individual insurance market. They might start requiring activity-tracker data in an application! [3/12]

Tue Jun 13 16:22:02 +0000 2023

Remember the Fitbit murderer? He actually got caught thanks to the data on his wife’s Fitbit, but the case showed how much data there is on an activity tracker. [2/12] https://www.cnn.com/2017/04/25/us/fitbit-womans-death-investigation-trnd/index.html

Tue Jun 13 16:22:02 +0000 2023

What’s the most private data you have? Ignoring your browser history for a minute, it’s probably your healthcare data. It’s hugely sensitive, as @BlockchainComns wrote in a new article. 🧵… [1/12] https://www.blockchaincommons.com/articles/Dangerous-Wellness-Data/

Tue Jun 13 16:22:02 +0000 2023

Or imagine how GPS information revealing you visiting a strip club or attending a Trump rally might cost you your job depending on who you work for. (Or read about how a priest lost his job based on geo-data, though it didn’t come from a tracker.) [5/12] https://nypost.com/2021/07/25/reporting-that-outed-catholic-priest-reveals-data-is-not-private/

Tue Jun 13 16:22:03 +0000 2023

Or imagine how body temperature info might be used to prosecute reproductive care in certain parts of the US. [4/12] https://www.mayoclinic.org/tests-procedures/basal-body-temperature/about/pac-20393026

Tue Jun 13 16:22:03 +0000 2023

At @BlockchainComns, our answer is “holder-based hashed elision”. The holder can elide their own data, but a Merkle Tree of hashes maintains its verifiability. It’s what we use in Gordian Envelope. [8/12] https://www.blockchaincommons.com/introduction/Envelope-Intro

Tue Jun 13 16:22:04 +0000 2023

There’s a flip-side to this! You’d like to share your wellness information with your doctor. You might want to monitor your kids’ health. You might want to support a clinical trial. How do you do these safely? [7/12]

Tue Jun 13 16:22:04 +0000 2023

It’s all in your wellness data! It’s all stored by your @fitbit tracker, Digimon Vital bracelet, @ouraring, and your Apple Watch. And this data can be very revealing! [6/12]

Tue Jun 13 16:22:04 +0000 2023

If you’re interested in developing Gordian Envelope to add privacy protection to your own data, join our Gordian Developer meetings! Our mailing list and Signal will keep you up to date. [11/12] https://www.blockchaincommons.com/subscribe.html#gordian-developers

Tue Jun 13 16:22:05 +0000 2023

Wellness data, such as that collected by an activity tracker, is very sensitive and also very powerful. It needs to be both protected and empowered! Our article discusses the topic more. [10/12] https://www.blockchaincommons.com/articles/Dangerous-Wellness-Data/

Tue Jun 13 16:22:05 +0000 2023

We recently wrote some Use Cases describing how wellness data could be protected with Gordian Envelope and still used for individual health, clinical studies, contact tracing, and more, all with strong privacy. [9/12] https://github.com/BlockchainCommons/Gordian/blob/master/Envelope/Use-Cases/Wellness.md

Tue Jun 13 16:22:05 +0000 2023

If you want to support our work, to help ensure that data in the future is properly protected, please become a patron of Blockchain Commons. [12/12] https://github.com/sponsors/BlockchainCommons

Tue Jun 13 16:22:06 +0000 2023

Replying to @mistakecav4566 and @BlockchainComns

We have some important additions to it at https://github.com/blockchaincommons/smartcustody#smartcustody-tools, in particular a good multisig scenario with @SparrowWallet as coordinator, @FOUNDATIONdvcs and Gordian Seed Tool, however…

Tue Jun 13 16:59:34 +0000 2023

Replying to @mistakecav4566, @BlockchainComns, @SparrowWallet and @FOUNDATIONdvcs

our beta-testing with some of our supporters demonstrated that it was too complex without some technology improvements. This is the CSR Project (Collaborative Seed Recovery) that we are working on with multiple wallet vendors: https://github.com/BlockchainCommons/Gordian/blob/master/CSR/README.md

Tue Jun 13 17:01:25 +0000 2023

Replying to @mistakecav4566, @BlockchainComns, @SparrowWallet and @FOUNDATIONdvcs

Basically, with CSR you can initiate a “crypto-request”, either as a QR or a URL, that initiates the creation of your seeds and properly backs them up. Other crypto-requests will initiate multisig account creation, create & distribute public keys, and ease handling of PSBT signing.

Tue Jun 13 17:05:04 +0000 2023

Replying to @mistakecav4566, @BlockchainComns, @SparrowWallet and @FOUNDATIONdvcs

These will make it much easier for users to navigate the current NASCAR of every wallet having different UX, while allowing each to offer services that others may not. Once CSR is functional (Q3?) we plan to return to the book.

Tue Jun 13 17:06:46 +0000 2023

RT @mistakecav4566: @BlockchainComns When do you anticipate completing SmartCustody 2.0 with multisig?

Tue Jun 13 17:06:57 +0000 2023

RT @ChristopherA: @mistakecav4566 @BlockchainComns We have some important additions to it at https://github.com/blockchaincommons/smartcustody#smartcustody-tools, in particular a good…

Tue Jun 13 17:07:01 +0000 2023

RT @ChristopherA: @mistakecav4566 @BlockchainComns @SparrowWallet @FOUNDATIONdvcs our beta-testing of with some of our supporters demonstra…

Tue Jun 13 17:07:05 +0000 2023

RT @ChristopherA: @mistakecav4566 @BlockchainComns @SparrowWallet @FOUNDATIONdvcs Basically with CSR, you can initiate a “crypto-request” e…

Tue Jun 13 17:07:09 +0000 2023

RT @ChristopherA: @mistakecav4566 @BlockchainComns @SparrowWallet @FOUNDATIONdvcs These will make it much easier for users to navigate the…

Tue Jun 13 17:07:12 +0000 2023

@lifeext https://twitter.com/ChristopherA/status/1668654971817013253

Wed Jun 14 01:29:10 +0000 2023

Replying to @kobigurk, @daniel_d_kang and @AnnaRRose

We are working on a CBOR data format for attestation/provenance that also supports privacy. We also have started docs on use cases for education, data distribution, finance, and more. Interested in collaborating? We also are working with secure chip designers to support it. https://twitter.com/ChristopherA/status/1668654971817013253

Wed Jun 14 01:42:46 +0000 2023

RT @BlockchainComns: In our June Gordian Meeting, @WolfMcNally spoke about the conversion of our Gordian stack to Rust. https://t.co/va3y9C…

Wed Jun 14 20:02:38 +0000 2023

RT @BlockchainComns: This includes our new dCBOR library, our Shamir’s Secret Sharing and SSKR libraries, our Uniform Resources library, an…

Wed Jun 14 20:02:43 +0000 2023

RT @BlockchainComns: Basically, if you want to protect seeds, if you want to transmit and store information in an interoperable way, and if…

Wed Jun 14 20:02:47 +0000 2023

RT @BlockchainComns: The video also includes a nice demonstration of some of the work.

Wed Jun 14 20:02:49 +0000 2023

RT @BlockchainComns: Join us for future Gordian Developer meetings! The next is scheduled for August 5th

Wed Jun 14 20:02:52 +0000 2023

Majority of EU states want chat control despite warning of their lawyers “The control of interpersonal communication is a particularly serious restriction of the fundamental rights…the planned law is not compatible” (in German translated to English) https://netzpolitik.org/2023/staendige-vertreter-eu-staaten-wollen-chatkontrolle-trotz-warnung-ihrer-juristen/

Wed Jun 14 21:42:18 +0000 2023

Me too. 😤 https://twitter.com/AnastasiaU/status/1668419996618309636

Wed Jun 14 21:53:01 +0000 2023

I am hosting right now an @RWOTEvents “Open Office Hours” discussion on decentralized self-sovereign identity, and inspirations for self-sovereignty from history and elsewhere. DM me for Zoom URL.

Thu Jun 15 15:57:44 +0000 2023

Replying to @xovemnormie and @matthew_d_green

I have a shortcut such that when you try to turn on airplane mode without a PIN (say, immediately after a theft), it will turn it back off and force-lock the phone.

Thu Jun 15 19:25:10 +0000 2023

You can slightly see the artist mirrored in the pearl in this 108 billion (!) pixel scan of Johannes Vermeer’s masterpiece “The Girl With The Pearl Earring”. I remember reading about it, and when I was in The Hague I looked for and spotted it. https://www.newscientist.com/video/2378702-scans-of-girl-with-a-pearl-earring-reveal-paintings-hidden-secrets/

Fri Jun 16 23:39:42 +0000 2023

#qotd “The man who wishes to keep at the problem long enough to really learn anything positively cannot take dangerous risks. Carelessness and overconfidence are usually more dangerous than deliberately accepted risks.” ~ Letters from Wilbur Wright https://www.commonlit.org/en/texts/letters-from-wilbur-wright

Sat Jun 17 14:22:17 +0000 2023

/ht https://twitter.com/jasoncrawford/status/1669451877208014848

Sat Jun 17 14:24:16 +0000 2023

RT @WebDevLaw: I don’t say this often anymore, but I (very slowly) wrote a blog post. It’s expanding on some recent thoughts I shared here…

Tue Jun 20 16:06:41 +0000 2023

RT @justinhendrix: What is Secure? An Analysis of Popular Messaging Apps

A deep dive into the design and technical security of encrypted a…

Tue Jun 20 16:26:05 +0000 2023

RT @JoyceWhiteVance: This bears close watching, It could be legit fraud investigation (the feds usually do that tho) but looks more like ta…

Wed Jun 21 17:18:39 +0000 2023

RT @sethforprivacy: 1/ Time to break down the latest response to the rightful outcry over the approach being taken with Ledger Recover and…

Wed Jun 21 17:21:57 +0000 2023

Replying to @n1ckler and @statusquont

So are x-only public keys in secp identifiable?

Wed Jun 21 18:08:36 +0000 2023

👍 Wellness Capitalism “complex, privatized approach to public health…new regulations protecting worker privacy and preventing discrimination are needed, regulation is not enough” This is why we wrote a use case for privacy & elision for wellness data
(More in following 🧵) https://twitter.com/datasociety/status/1671522823108538369

Wed Jun 21 18:31:46 +0000 2023

Replying to @n1ckler and @statusquont

Yes, but can you prove that only given the public key? Or do you need some other data? I’m not sure how you differentiate the two with only the public key. Related, if you can correlate, is it only 1-bit of correlation?

Wed Jun 21 18:36:33 +0000 2023

The answer “You don’t do this to human beings” is such a great answer to so many problems and questions. https://twitter.com/edels0n/status/1671605376645464064

Thu Jun 22 16:28:21 +0000 2023

Replying to @WebDevLaw

Is there a Kindle edition available? Did you ever see my post on Four Kinds of Privacy? http://www.lifewithalacrity.com/2015/04/the-four-kinds-of-privacy.html I also have seven chapters in early draft on Lentz & Carmille and identity tragedy during WW2. I’d be interested in chatting with you.

Thu Jun 22 16:39:45 +0000 2023

This week @Ledger released a white paper on their Ledger Recover system. It’s primarily cryptography, and without deep-diving into that element (yet), some basics seem sound. I particularly appreciate moving toward VSS. The problems arise in the more human elements. 🧵… [1/16] https://twitter.com/P3b7/status/1671489331737899010

Fri Jun 23 19:35:23 +0000 2023

It’s also a very conservative view for how identity works. As @JoeAndrieu wrote in his foundational primer on “functional identity”, identity is how we recognize and remember people we’ve met. Names are just handy labels for this ongoing process. [4/16] https://github.com/WebOfTrustInfo/rwot12-cologne/blob/main/advance-readings/functional-identity-primer.md

Fri Jun 23 19:35:24 +0000 2023

The biggest issue is Ledger’s use of “legal citizen identity”, including full name, as well as place and date of birth, for verification, something that’s given out to every “backup provider”. This is full-on privacy busting. [3/16]

Fri Jun 23 19:35:24 +0000 2023

At @BlockchainComns, we propose what we call the “Gordian Principles” as best practices: independence, privacy, resilience, and openness. In my opinion, Ledger Recover falls short in three out of four of these: everything but resilience. [2/16] https://github.com/BlockchainCommons/Gordian#gordian-principles

Fri Jun 23 19:35:24 +0000 2023

How do you authenticate a user without violating their privacy? You let them decide! They provide proofs when they shard their secret (be it phone #, email, legal identity, thumbprint, or a word), and then they prove access to their self-declared proofs by the other side. [6/16]

Fri Jun 23 19:35:25 +0000 2023

Ledger Recover misunderstands this tool as the end product and in doing so potentially exposes a user’s entire identity. It also totally ignores the precepts of data minimization: it’s way more than is needed. [5/16] https://www.blockchaincommons.com/musings/musings-data-minimization/

Fri Jun 23 19:35:25 +0000 2023

Do users have any choice of backup providers? What prevents collusion among the providers? Do users have any ability to privately store some shares? Is it rational to recover without a Ledger? These are crucial questions of independence, resilience, and openness. [9/16]

Fri Jun 23 19:35:26 +0000 2023

I focused on authentication because that’s one of the few topics the Ledger white paper addresses, other than the cryptography. There’s so much more we don’t know. Even with a white paper, we’re still short on transparency. [8/16]

Fri Jun 23 19:35:26 +0000 2023

The other problem with Recover’s authentication is that it’s homogeneous: all based on legal identity. Ledger says each backup provider must do independent ID verification, but it’s insufficient. Discrete & disconnected authentication methods provide better security. [7/16]

Fri Jun 23 19:35:26 +0000 2023

It tackles some of the problems we see with Ledger Recover. It lets users choose their “backup providers”, it advocates for those providers to offer a variety of different authentication methods, and it definitely doesn’t require legal identity. [12/16]

Fri Jun 23 19:35:27 +0000 2023

We are taking a different approach at @BlockchainComns with a wallet interoperability project we call Collaborative Seed Recovery, or CSR [11/16].

Fri Jun 23 19:35:27 +0000 2023

Down the road, the question will be whether there’s any way to prove that the Ledger implements Recover as has been documented. [10/16]

Fri Jun 23 19:35:27 +0000 2023

And speaking of other points of view, please take a look at the excellent overview of some of the more technical elements by @sethforprivacy, including the revelation of a master decryption key. [15/16] https://twitter.com/sethforprivacy/status/1671532777441841158

Fri Jun 23 19:35:28 +0000 2023

We’d love to have you onboard, to tell us about your requirements and concerns. (We’d love to have @Ledger onboard too!) Our next “Gordian Developers” meeting will be on Wednesday July 5th. Sign up and join us! [14/16] https://www.blockchaincommons.com/subscribe.html#gordian-developers

Fri Jun 23 19:35:28 +0000 2023

We’re not going it alone because we don’t know best. Instead, we’re depending on a consortium of designers with a wide variety of interests including @FeralFile, @FOUNDATIONdvcs, and @proxy. [13/16]

Fri Jun 23 19:35:28 +0000 2023

If you want to signal your support for open, transparent standards for controlling digital assets, become a financial sponsor of @BlockchainComns via Github. [16/16] https://github.com/sponsors/BlockchainCommons

Fri Jun 23 19:35:29 +0000 2023

RT @BobMcElrath: @ChristopherA @Ledger I’m gonna second VSS here. It’s a damn good idea that has been neglected for too long because they c…

Sat Jun 24 14:10:28 +0000 2023

I’m pleased that a major publication is taking up this topic. I’ve been puzzling on how to add these 4 essential principles to #SSI: “The right to mental self-determination. The right to mental privacy. The right to mental integrity. The right to psychological continuity.” https://twitter.com/TIME/status/1673331642239275008

Tue Jun 27 02:23:30 +0000 2023

RT @RWOTEvents: RWOT 12 Early Bird Deadline is 7 Days Away

Advance Reading papers must be submitted by 7/7
to qualify for the Early Bird t…

Thu Jun 29 19:37:36 +0000 2023