Organizations | Identosphere Blogcatcher

Exploring the plural, context-dependent, and socially-negotiated nature of new literacies

Over the past couple of months, we’ve been working on an ‘AI Literacy’ project with the Responsible Innovation Centre for Public Media Futures (RIC), hosted by the BBC. We’ve already published:

What does AI Literacy look like for young people aged 14–19? What makes for a good AI Literacy framework? Core Values for AI Literacy

In this post, we want to explore the tension we’ve felt between referring to ‘AI Literacy’ in the singular, versus referring to a plurality of ‘AI Literacies’. Ultimately, although our original brief used the singular form (as do many of our peers) we have decided to take the latter, plural, approach — for reasons we will explain below.

One very practical reason to emphasise ‘AI Literacies’ is that it is difficult to talk about ‘delivering’ a literacy. “Literacy” always begs the question of context: What does literacy mean to this particular person in this particular setting at this particular moment? What it means to be ‘AI literate’ is going to look very different to someone working in a corporate office job, compared to a teenager using AI for a creative project. Additionally, there are multiple literate behaviours when we think about AI — for example, understanding the socio-economic reality of the AI landscape versus knowing how to prompt an LLM to get the kind of information or answer you are looking for.

AI Literacies are therefore both plural and context-specific. They are also socially-negotiated. Literate behaviours depend on the community with which an individual is interacting. This becomes evident through a few examples.

Image CC BY-ND Visual Thinkery for WAO

If you are a parent of teenagers, you will have experienced a time when they respond in a way which makes sense to them and their friends, but not to you. You are likely to have to ask them what they mean or use a resource like the Urban Dictionary. Other behaviours such as using a particular emoji might be hilarious for reasons you cannot quite comprehend.

These “rhetorics of communication” are an important part of literacy practices, especially in the digital realm. They constitute ways of interacting with other people within a techno-social system which itself privileges and foregrounds certain kinds of behaviours, while either explicitly or implicitly discouraging others. For example, contemporary chat apps allow you to see not only that a message has been delivered, but whether it has been read. The act of not reading a particular message may be seen in multiple lights: Is the person ignoring me? Are they mad at me? Are they offline in the forest?

Any time we are communicating in ways which are mediated by technologies, part of literate behaviour involves understanding the “affordances” that the technology provides as well as understanding how that technology might be shaping our behaviour.

If you were, for example, quickly texting your teenager while at work, you might send your text and then open a workplace chat window which looks and feels very much like the social one which you have just been using. However, because the context is different — as well as perhaps both the demographic makeup and number of people in the chat — you act differently. =Your literate behaviours are thus socially-negotiated, meaning that you vary your behaviour in different situations.

As we start to understand AI Literacies, we need to think about the most common way in which people experience generative AI — by prompting a Large Language Model (LLM) through a chat window. The chat window is a familiar technology, but the fact that there isn’t a human on the other side of it is not. Part of AI Literacies therefore involves exhibiting and modifying our behaviours based on our knowledge and experience of factors that surround this particular chat window.

Image CC BY-ND Visual Thinkery for WAO

With personal or workplace chats, what is outside of the frame informs literate behaviours inside the frame. Similarly, when we are interacting with AI, the more we know about what is outside the frame, the more we can develop appropriate literate behaviours inside the frame. Again, these literate behaviours are plural: will others be able to tell that you are using the outputs of an LLM? (will they mind?) They are based on context: should you trust the company behind the technology you are using? And they are socially-negotiated: are there environmental concerns of which you should be aware?

Angela Gunder’s Dimensions of AI Literacies provides a helpful way to think about these issues. Building on my work on the Essential Elements of Digital Literacies, Gunder’s framework sets out a series of overlapping dimensions that shape how people interact with AI. This approach supports the idea that AI Literacies are not a fixed set of skills, but a collection of practices negotiated within communities and shaped by context.

AI Literacies, like Critical Media Literacies, Digital Literacies, Information Literacies, Data Literacies, and a whole host of “new” literacies, should be considered to be fundamentally plural. What counts as “literate behaviours” are socially-negotiated based on context. Words and phrases, however, are important to describe what we mean. And that is why we will be referring to AI Literacies in the project we’re doing with the RIC for the BBC.

Coming soon

We are working on a public version of our landscape setting and framework for AI Literacies. We’ll be sharing that soon. In the meantime, follow our contributions to this space through https://ailiteracy.fyi/ and get in touch if you have projects and programmes that can benefit from our experience and expertise in education and technology.

Thanks to Laura Hilliger for being a fantastic editor of this post.

AI Literacy or AI Literacies? was originally published in We Are Open Co-op on Medium, where people are continuing the conversation by highlighting and responding to this story.

The Amazonian municipality of Caracaraí has 22,000 inhabitants and an overworked pharmacist named Samuel Andrade. Andrade arrives at work at 8 a.m. to handle hundreds of prescriptions from free government...

What if you could see what your customers are searching before they even hit 'buy'?

In today’s hyper-competitive marketplace, that’s exactly what the best brands are doing, and it’s giving them a serious edge.

In this episode, Chris Barnes, General Manager of Retail & Alternative Channels at Jungle Scout, joins hosts Reid Jackson and Liz Sertl to break down how brands are using real-time search, product, and shopper data to respond faster to market signals on Amazon and beyond.

Chris shares how companies are identifying market opportunities, protecting category share, and improving performance across pricing, inventory, and advertising, all by knowing what to look for in the data.

In this episode, you’ll learn:

How to use search and shopper behavior to guide product strategy

Why category management looks different in the age of marketplaces

The data brands overlook and how it impacts sales performance

Jump into the conversation:

(00:00) Introducing Next Level Supply Chain

(02:07) Chris Barnes on his career journey

(04:38) Transforming strategy with data and intelligence

(05:55) Category management in-store vs. online

(09:23) AI’s impact on search and consumer behavior

(13:04) Dude Wipes’ growth and success

(15:35) Leveraging data to understand consumer needs

(19:17) Power of data analytics in product development

(20:48) Top strategies for maximizing growth

(27:37) The future of agencies and AI in business

 

Connect with GS1 US:

Our website - www.gs1us.org

GS1 US on LinkedIn

 

Connect with the guest:

Chris Barnes on LinkedInCheck out Jungle Scout

The OpenID Shared Signals Working Group recommends approval of the following three specifications as OpenID Final Specifications: OpenID Shared Signals Framework OpenID CAEP OpenID RISC A Final Specification provides intellectual property protections to implementers of the specification and is not subject to further revision. This note starts the 60-day public review period for the specification draft in accordance with the OpenID Foundation IPR policies and procedures. Unless issues are identified during the review that the working group believes must be addressed by revising the draft, this review period will be followed by a 14-day voting period during which OpenID Foundation members will vote on whether to approve these drafts as OpenID Final Specifications.   The relevant dates are: Final Specification public review period: Wednesday, June 11, 2025, to Sunday, August 10, 2025 (60 days) Final Specification vote announcement: Monday, July 28, 2025 (14 days) Final Specification official voting period: Monday, August 11, 2025, to Monday, August 25, 2025 (14 days)  The Shared Signals working group page: https://openid.net/wg/sharedsignals/   Information on joining the OpenID Foundation can be found at https://openid.net/foundation/members/registration. If you’re not a current OpenID Foundation member, please consider joining to participate in the approval vote.   You can send feedback on the specifications in a way that enables the working group to act upon it by (1) signing the contribution agreement at https://openid.net/intellectual-property/ to join the working group (please specify that you are joining the “Shared Signals” working group on your contribution agreement), (2) joining the working group mailing list at https://lists.openid.net/mailman/listinfo/openid-specs-risc, and (3) sending your feedback to the list.    Marie Jordan – OpenID Foundation Board Secretary

About The OpenID Foundation (OIDF)

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.

The post Public Review Period for Proposed Three Shared Signals Final Specifications first appeared on OpenID Foundation.

The two-week voting period will be between Tuesday, June 24, 2025 and Tuesday, July 8, 2025 (12:00pm PT), once the 60 day review of the specification has been completed.

The OpenID DCP working group page is https://openid.net/wg/digital-credentials-protocols/. If you’re not already an OpenID Foundation member, or if your membership has expired, please consider joining to participate in the approval vote. Information on joining the OpenID Foundation can be found at https://openid.net/foundation/members/registration.

The vote will be conducted at https://openid.net/foundation/members/polls/364.

Marie Jordan – OpenID Foundation Secretary

  About the OpenID Foundation

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.   

The post Notice of Vote for Proposed OpenID for Verifiable Presentations Final Specification first appeared on OpenID Foundation.

Applications closed. Reviews done. It’s time to share who’s joining the Web3j mentorships this year under the Linux Foundation Decentralized Trust program. This year, there are two projects aimed at advancing Web3j, which is a highly modular, reactive, type safe Java and Android library for working with Smart Contracts and integrating with clients (nodes) on the Ethereum network.

After conquering Africa’s phones, Transsion wants to own its roads. The Chinese company, which controls about half of Africa’s smartphone market, entered the continent’s electric vehicle race by introducing its...

Chinese and American companies have long led the costly endeavor of developing autonomous ride-hailing services. Now, robotaxi firms are taking the competition global.  The Alphabet-owned Waymo, which launched the world’s...

The post Reinventing How Career Records Are Shared appeared first on Velocity.

Mastercard has launched advanced payment passkeys across Europe as part of its initiative to enhance online transaction security and replace traditional passwords. The company reports that its tokenization and passkey implementation has achieved nearly 50 percent adoption in European e-commerce transactions, building on its successful passkey deployment in Latin America earlier this year.

The payment technology company’s new security measures arrive at a critical time, as data shows that one in four business owners in Europe face targeting by scammers. A quarter of these businesses express concern about their ability to recover from potential cyber attacks. The expansion follows the broader industry trend toward passwordless authentication, with the FIDO Alliance reporting significant growth in enterprise passkey adoption.

OneSpan announced Thursday (June 5) its acquisition of Nok Nok Labs, a provider of FIDO passwordless software authentication solutions.

OneSpan said joining forces with Nok Nok enables the company to provide customers worldwide with a comprehensive authentication portfolio, available on-premises or in the cloud. This combined offering now includes support for OTP, FIDO, software, and hardware solutions, such as Digipass, FIDO2 protocols, and Cronto solutions for transaction signing.

Victor Limongelli, CEO at OneSpan, described the acquisition as a “bold step toward providing customers with maximum choice in authentication.” He added that the company is evolving its entire authentication platform to include FIDO standards, believing that passwordless authentication is an important part of the future. With Nok Nok’s technology and FIDO expertise, OneSpan aims to offer a comprehensive and versatile customer authentication solution.

Phillip Dunkelberger, president and CEO at Nok Nok, noted that joining OneSpan allows them to bring their vision, rooted in open standards like FIDO, to a broader audience via OneSpan’s global reach. Andrew Shikiar, executive director and CEO of the FIDO Alliance, said Nok Nok has been a “trailblazer” in the FIDO ecosystem.

Dashlane lets you open an account with a FIDO2-spec USB security key as your authentication.

One of the better-known password managers is now inviting people to try it without having to create yet another password. Instead, Dashlane is now inviting people to try opening a new account secured only by a USB security key compliant with the “FIDO2” authentication standard; FIDO being short for Fast Identity Online.

Emphasize “try.” The company’s support page for this “early access” program notes that it supports only Google Chrome and Microsoft Edge, not Dashlane’s mobile apps. For now, it doesn’t let you create an account secured only by a passkey, the form of FIDO2 security more people use. 

On a weekday morning in May, the Hack Latino app issued an alert to its users: There were five Immigration and Customs Enforcement patrol vehicles on a certain avenue in...

NEWARK, NJ, June 5, 2025 – Edge, a leading provider of innovative technology solutions for higher education, today announced that IronBrick, a Workday resell partner specializing in selling Workday to the higher education and public sector markets, is now part of the EdgeMarket Cooperative Pricing System. The addition of this industry leader to EdgeMarket comes as a direct result of successful bids under the EdgeMarket’s Higher Education Ecosystem (HEES) Request for Proposal (RFP), solidifying the organization’s commitment to delivering transformative solutions to educational institutions.

The HEES RFP, a significant initiative aimed at providing access to an interconnected ecosystem of software and solutions designed to enable successful outcomes within higher education, seeks to identify best-in-class technology partners. Edge’s contract vehicle, coupled with IronBrick’s deep industry expertise and the power of the Workday platform, creates a powerful set of tools to address the unique challenges and evolving needs of colleges and universities.

“This alignment marks a significant milestone in Edge’s commitment to empowering higher education institutions with cutting-edge solutions. Workday and IronBrick are industry leaders enabling excellence in higher education operations. We are confident that this collaboration will deliver exceptional value and drive positive outcomes for participating institutions.”

— Dan Miller
AVP EdgeMarket and Solution Strategy, Edge

Workday Human Capital Management (HCM), Workday Financial Management, and Workday Students help to transform higher education institutions, modernize experiences, and streamline administrative and academic operations. Its cloud-native architecture provides scalability, agility, and real-time insights to help make data-driven decisions.

“IronBrick is excited to collaborate with Edge and Workday to provide a new avenue for purchasing Workday for higher education institutions under the HEES RFP,” stated Zebulon Mellett, President, IronBrick Associates, LLC. “Our focused expertise in the higher education sector, combined with Edge’s strong relationships and the Workday platform, will allow for long-term success for our clients.”

Edge, Workday, and IronBrick are committed to helping higher education institutions modernize operations, enhance the employee experience, and drive student and institutional success, via a contract designed to streamline time to procurement. This collaboration represents a powerful step forward in transforming core operational applications within the higher education community.

About Edge

Edge serves as a member-owned, nonprofit provider of high performance optical fiber networking and internetworking, Internet2, and a vast array of best-in-class technology solutions for cybersecurity, educational technologies, cloud computing, and professional managed services. Edge provides these solutions to colleges and universities, K-12 school districts, government entities, hospital networks and nonprofit business entities as part of a membership-based consortium. Edge’s membership spans the northeast, along with a growing list of EdgeMarket participants nationwide. Edge’s common good mission ensures success by empowering members for digital transformation with affordable, reliable and thought-leading purpose-built, advanced connectivity, technologies and services.

About IronBrick

IronBrick excels at Adaptive Innovation. As a dedicated Workday partner, IronBrick is a reseller of Workday solutions to State and Local, Higher Education, and Federal clients. We strive to balance the wants and needs of application users with the technical challenges of IT organizations. IronBrick partners with leading System Integrators and specialized technology providers to deliver complete solutions. To learn more about IronBrick, visit ironbrick.com.

The post Edge Announces the Availability of Workday, via its Reseller, IronBrick, to the EdgeMarket Higher Education Ecosystem of Solutions appeared first on NJEdge Inc.

This article is adapted from Rest of World’s recent feature: The math tutor and the missing $533 million Named for its founder, Byju Raveendran, the learning app Byju’s (sometimes stylized...

The race for super-apps is intensifying in the Middle East. Unlike Western markets, where Google, Apple, and Meta maintain separate app ecosystems with strict integration limits, in countries like the...

(This is the second of a two-part series on migrant workers in Taiwan’s semiconductor industry. Read the first story here.) The chip worker set off from a small coastal town...

At Blockchain Commons, we design open infrastructure that prioritizes privacy, autonomy, and human dignity. That’s why I support and personally signed the No Phone Home Initiative. It is not just a position, it’s a call to preserve a foundational principle of decentralized identity: Credentials must be verifiable without enabling surveillance!

Why “No Phone Home” Matters

The problem is simple: when verifying a digital credential such as a mobile driver’s license or a diploma, many systems require contacting the original issuer. This creates a digital trail of who is verifying what, when, and why. That trail can be used to profile and surveil, allowing issuers to track credential holders without their knowledge.

Manu Sporny, in an email to the W3C Credentials Community Group (June 3, 2025), clarified the stakes:

“Retrieving a status list could be misinterpreted as ‘phoning home’ … but it’s not anywhere near the same level of “phoning home” that contacting the issuer and telling them ‘I’ve got Steve here at booze-hut.com, is he over 21?’ achieves.”

But the threat of direct identity leak is just the tip of the iceberg. That’s because credential presentation isn’t a one-off event. It’s recurrent. Even when identifiers or interactions are pseudonymous, repeated verifications leak sensitive metadata, allowing issuers or third parties to correlate time, location, and use-pattern metadata into behavioral profiles.

The Decentralized Identity Foundation talks about some of this in “Nearly 100 Experts Are Saying ‘No Phone Home’”:

“The risks multiply when applied across domains. Federated protocols developed for use within organizations become surveillance systems when used between different sectors or jurisdictions. Phone home capabilities that seem innocuous within a single domain can become tools for tracking and control when applied broadly without aggressive oversight and fine-tuning.”

Problematically, this is how these systems are designed to work! As Kim Hamilton Duffy says in the first of a series of articles on mDL privacy that she’s currently working on:

“This isn’t an unintended consequence—it’s an architectural feature that can trivially enable persistent record-keeping of when and where you use your credentials, creating patterns that can be analyzed long after the original transaction by unknown third parties.”

This also reveals yet another danger: how “normal” it feels to let credential issuers remain silently in the loop.

Revocation Without Surveillance

Some argue that checking for the revocation of a credential requires phoning home. But that’s a false dilemma. In the same W3C thread, Sporny noted:

“There are a few ways to retrieve a status list without directly contacting the issuer that use commonly deployed web technology.””

Technical mitigations discussed and developed by the community include:

Large, pseudonymous status lists (e.g., Bitstring Status List) Use of CDNs or file mirrors to avoid direct issuer contact Oblivious HTTP (OHTTP) for unlinkable status fetching

There are still issues with these potential mitigations. For example, Kyle Den Hartog (Pryvit NZ) raised concerns about status list misuse:

“An issuer creates a bitstring list of sufficiently large size, but only includes 1 active credential index per bitstring list. All other indexes are spoofed. The rest of the list would look active to the holder/verifiers but could still be a tracking mechanism by the issuer.”

But, these edge-case attacks reinforce why the core architecture must be surveillance-resistant by default.

Privacy isn’t the only issue with revocation checking: it’s also a structural risk. If we tie credential validity to live status checks, we quietly shift power from holders to issuers. It becomes a form of dependency injection, one that contradicts the goal of self-sovereign identity.

Not Just Technical: It’s Ethical

This isn’t just a technical issue. It goes to the ethical heart of self-sovereign identity design.

Daniel Hardman offered this framing in a related thread on edge cases:

“Verifiable credentials verify without issuer coordination; that is what the ‘verifiable’ in ‘verifiable credential’ means.”

Joe Andrieu argued in the same May 2025 thread:

*The identity system that wins is going to be the one we can use in any circumstance by anyone. … It’s my wallet. I expect it to serve me, as a user agent. I do not accept that it might also serve the state as a surveillance platform.

At Blockchain Commons, we agree. The ability to verify credentials offline, without depending on a central service, is essential for resilience and civil liberties.

A report prepared for the American Civil Liberties Union (ACLU) put it clearly by requiring “No Issuer ability to track via phone home mechanism” and saying:

“One way a digital ID can differ from physical ID is that it can enable the issuers of the digital ID to track where, when, and to whom one shows their ID. This tracking can reveal very private and sensitive information about the digital ID holder — namely, when and where, online or off, they present their ID. Standards and technologies should be designed so that the issuer (or any of its agents or contractors) cannot engage in any of these forms of tracking.”

Emergencies Are Not an Excuse

Some use cases such as disaster response or first responder tracking have prompted discussions around consent-based “check-ins.” These are complex and worthy of consideration. But the VC Data Model 2.0 spec is clear:

“Credential status specifications MUST NOT enable tracking of individuals, such as an issuer being notified (either directly or indirectly) when a verifier is interested in a specific holder or subject. Unacceptable approaches include “phoning home …”

But compliance doesn’t equal safety. Even digital credentials that conform to existing standards—such as ISO 18013-5—can still include implementation choices that enable surveillance. Privacy must be baked into system design, not retrofitted through policy disclaimers.

As Alexis Hancock of the Electronic Frontier Foundation (EFF) warned (via State Scoop):

“We have to act now because governments are enthusiastic about digital ID, but if we don’t pin down these basic principles now, it’s going to be a problem later.”

We can build systems that are opt-in, purpose-specific, and out-of-band, without compromising the privacy baseline for everyone else.

Our Commitment

At Blockchain Commons, we believe decentralized identity should empower the individual, not quietly report on them. We are actively designing open standards such as Gordian Envelope and dCBOR to support truly private, verifiable, interoperable credentials.

We support “No Phone Home” because surveillance should never be the default. And we invite others to join us in making sure the future of identity remains decentralized, private, and just.

Technologies that promise to track, manage, and supervise workers, increasingly using artificial intelligence, are getting entrenched in the developing world, according to a new report by Coworker.org, a labor rights...

Kia ora,

Welcome to the May edition of the Digital Identity NZ newsletter. This month, we’re excited to introduce our new Executive Director, share insights from Techweek25’s Foundations for Tomorrow Event.

Andy Higgs Appointed as New Executive Director

We’re pleased to announce that Andy Higgs has joined Digital Identity NZ as our new Executive Director.

Andy brings over 20 years of experience across digital identity, AI strategy, and innovation in both public and private sectors. His background includes leadership roles at Futureverse and Centrality, where he focused on self-sovereign identity solutions and ecosystem partnerships.

His experience extends to policy development with the Department of Internal Affairs and Ministry of Business, Innovation and Employment, including work on the Digital Identity Services Trust Framework and the Consumer Data Right.

Andy’s collaborative approach will be valuable as DINZ continues to work alongside members to build a trusted digital identity ecosystem for everyone in Aotearoa.

Digital Public Infrastructure: Foundations for Tomorrow Event

During Techweek25, government, industry, and public sector leaders gathered at Parliament’s Legislative Chamber to discuss how digital public infrastructure (DPI) could transform service delivery across New Zealand.

Key takeaways for the digital identity community:

Ministerial vision: Hon Judith Collins KC announced plans for an all-of-government app allowing citizens to store digital credentials, receive notifications, and access services in one secure digital space.
  Economic benefits: Pete Herlihy from AWS highlighted that digital identity is one of four core components of DPI that can deliver significant economic growth—between 1-2% of GDP in developed nations.
  Human-centered approach: Deloitte’s Adithi Pandit emphasised how unified digital infrastructure could enable more joined-up social services and reduce fragmentation.
  Implementation plans: Public Service Commissioner Sir Brian Roche indicated a move toward greater centralisation with prescribed platforms and standards to make digital infrastructure a low-cost utility.
  Industry perspective: Xero founder Rod Drury called for greater urgency in digital identity implementation, suggesting New Zealand could leverage its small size to move quickly and “solve digital identity by Christmas.”

Read the full event recap here.

Member News

Our DINZ community continues to grow! We’re delighted to welcome POLipay as a member and look forward to featuring and engaging them in our ecosystem.

See all organisation members here.

Stay Connected

Thank you for being part of our community. We look forward to sharing more updates next month. 

Ngā mihi nui,

The team at Digital Identity NZ

Read full news here: Introducing Our New Executive Director | May Newsletter

SUBSCRIBE FOR MORE

The post Introducing Our New Executive Director | May Newsletter appeared first on Digital Identity New Zealand.

ABSTRACT: “Fair Witnessing” is a new approach for asserting and interpreting digital claims in a way that mirrors real-world human trust: through personal observation, contextual disclosure, and progressive validation. It can be implemented with the decentralized architecture of Gordian Envelopes to allow individuals to make verifiable statements while balancing privacy, accountability, and interpretability. At its core, fair witnessing is not about declaring truth, it’s about showing your work.

In the early days of decentralized identity, we referred to what we were working on as “Verifiable Claims.” The idea was simple: let people make cryptographically signed statements and allow others to verify them. But something unexpected happened. People assumed these claims would settle arguments or stop disinformation. They saw the term “verifiable” and equated it with “truth.”

The reality was more modest: we could verify the source of a claim but not its accuracy. We could assert that a claim came from a specific person or organization (or even camera or other object) but not whether that claim was unbiased, well-observed, or contextually complete.

This misunderstanding revealed a deeper problem: how do we represent what someone actually saw and how they saw it, in a way that honors the complexity of human trust?

A Heinleinian Inspiration

Iin Stranger in a Strange Land, Robert Heinlein described a special profession: the Fair Witness. A Fair Witness would be trained to observe carefully, report precisely, make no assumptions, and avoid bias. If asked what color a house was, a Fair Witness would respond, “It appears to be white on this side.”

It is this spirit we want to capture to fulfill the promise of the original verifiable claims.

A Fair Witness in our digital era is someone who not only asserts a claim but also shares the conditions under which it was made, including context, methodology, limitations, and bias:

What were the physical conditions of the observation? Was the observer physically present? Did they act independently? What interests or leanings might have shaped their perception? How did they minimize those biases?

These are not just nice-to-haves. They are necessary components of evaluating a claim’s credibility.

Beyond Binary Trust

Fair witnessing challenges binary notions of trust. Traditional systems ask a “yes” or “no” question: do you trust this certificate? This issuer?

But trust is rarely binary like this in the real world. It is layered, contextual, and progressive. The claim made by a pseudonymous environmental scientist might start out with low trust but could grow in credibility as:

They reveal their professional history. Others endorse their work. They disclose how they mitigated their potential biases.

Trust builds over time, not in a single transaction. That’s progressive trust.

Trust as a Nested Statement

To marry a fair witness claim to the notion of progressive trust requires the nesting of information. As shown in the example of the environmental scientist, the witnessing of an observation gains weight as the context is added: turning the scientist’s claims into a fair-witness statement required collecting together information about who the scientist is, what their training is, and what their peers think of them.

But as noted, progressive trust isn’t something that occurs in a single transaction: it’s revealed over time. We don’t want it to all be revealed at once, because that could result in information overload for someone consulting a claim and could have privacy implications for the witness.

A progressive trust model of fair witnessing requires that you show what you must and that you withhold what’s not needed—until it is.

Privacy and Accountability, Together

This model strikes a crucial balance. On one hand, it empowers individuals (fair witnesses) to speak from experience without needing permission from a centralized authority. On the other hand, it allows others to verify the integrity of the claim without requiring total exposure.

There are numerous use cases:

You can prove you were trained without revealing your name. You can demonstrate personal observation without revealing your exact location. You can commit to a fact today and prove you knew it later. Fair Witnessing with Gordian Envelope

The demands of Fair Witnessing go beyond the capabilities of traditional verifiable credentials (VCs), primarily because VCs can’t remove signed information but maintain its validation—and the ability to do so is critically important if you want to nest information for revelation over time.

Fortunately, a technology already exists that provides this precise capability: Blockchain Commons’ Gordian Envelope, which allows for: the organized storage of information; the validation of that information through signatures; the elision of that information; the continued validation of the information after elision; and the provable restoration of that information.

Any subject, predicate, or object in Gordian Envelope can itself be a claim, optionally encrypted or elided. This enables a deeply contextual, inspectable form of expression.

For example:

Alice could make a fair-witness observation, which would be an envelope. Information on the context of Alice’s assertion can be a sub-envelope. A credential for fair witness training can be a sub-envelope. Endorsements of Alice’s work as a fair witness can be sub-envelopes. Endorsements, credentials, and even the entire envelope can be signed by the appropriate parties. Any envelope or sub-envelope can be elided, without affecting these signatures and without impacting the ability to provably restore the data later.

It’s progressive trust appropriate for use with fair witnessing in an existing form!

Toward a New Epistemology

Being a Fair Witness isn’t about declaring truth. It’s about saying what’s known, with context, so others can assess what’s truth. Truth, in this model, is interpreted, not imposed. A verifier—or a jury—decides if a claim is credible, not because a central authority says so, but because the Fair Witness has provided information with sufficient context and endorsements.

In other words, fair witnessing is not about what is true, but about how we responsibly say what we believe to be true—and what others can do with that.

This is epistemology (the theory of knowledge) that’s structured as a graph. It’s cryptographically sound, privacy-respecting, and human-auditable. It reflects real-world trust: messy, contextual, and layered. By modeling that complexity rather than flattening it, we gain both rigor and realism.

Conclusion

In a world of machine-generated misinformation, ideological polarization, and institutional distrust, we must return to the foundations: observation, context, and human responsibility.

Fair witnessing offers a new path forward—one that is verifiable, privacy-respecting, and grounded in how humans actually trust.

Learn more: [ Progressive Trust Gordian Envelope ]

The official voting period will be between Monday June 16, 2025 and Monday, June 23, 2025 (12:00pm PT), once the 45 day review of the specification has been completed. For the convenience of members who have completed their reviews by then, early voting will begin on Monday, June 9, 2025.   The OpenID eKYC & IDA working group page is https://openid.net/wg/ekyc-ida/. If you’re not already an OpenID Foundation member, or if your membership has expired, please consider joining to participate in the approval vote. Information on joining the OpenID Foundation can be found at https://openid.net/foundation/members/registration.   The vote will be conducted at https://openid.net/foundation/members/polls/361.

Marie Jordan – OpenID Foundation Secretary

  About the OpenID Foundation

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.   

The post Notice of Vote for Proposed OpenID Attachments 1.0 Final Specification first appeared on OpenID Foundation.

After decades of cautiously watching from the sidelines, governments around the world have started investing in, rolling out, and regulating digital identity systems on aggressive timelines. These foundational changes to government infrastructure and the economy are happening largely outside public awareness, despite their generational consequences for privacy.

Digital identity systems implemented by governments today will shape privacy for decades. Whatever ecosystems and technical architectures are established in the coming years could ossify quickly, and it would take enormous political will to make changes at such a foundational level if society develops buyer's remorse once the ripple effects become clear.

That's why nearly 100 experts across technology, policy, and civil liberties have united around one principle: digital identity systems must be built without latent tracking capabilities that could enable ubiquitous surveillance. Thus, the nophonehome.com petition.

Who's Behind This

Civil society groups working on legal advocacy and industry oversight (ACLU, EFF), cybersecurity experts (including Bruce Schneier), privacy-by-design software companies of various sizes (Brave, many DIF members), and experts from university faculties (Brown, Columbia, Imperial College London) all signed on. The list includes authors of collaborative open standards, chief executives, state privacy officers, and other public servants. This is not a coalition of "activists" so much as a broad coalition of experts and policy-watchers sounding an alarm about consequential decisions passing largely unnoticed by the average citizen and end-user.

The breadth of this coalition reflects widespread concern about the technical and policy implications of embedded tracking capabilities.

What "Phone Home" Means

As a general rule, "phone-home" is a shorthand for architectural principles of tracking enablement (just as "no phone-home" refers to tracking mitigation, broadly speaking). When a verifier of credentials interacts directly with the credential's issuer—even if just to check validity or revocation status—they are "phoning" the credential's "home." This opens the subject and/or the holder of that credential to privacy risks, no matter how well the request is anonymized or handled. These API connections create data that can be combined, correlated, and abused, especially when verifiers share information or when issuers abuse their role.

The risks multiply when applied across domains. Federated protocols developed for use within organizations become surveillance systems when used between different sectors or jurisdictions. Phone home capabilities that seem innocuous within a single domain can become tools for tracking and control when applied broadly without aggressive oversight and fine-tuning. Over time, little mismatches and slippages in how these protocols work get exploited and stretched, amplifying glitches.

In the worst-case scenario, some systems enable real-time revocation decisions, giving issuers—potentially governments—immediate control over citizens' ability to access services, travel, or participate in society. A natural tendency to "over-request" foundational documents in situations where such strong identification is unjustified is amplified by familiarity, lack of friction, and other UX catnip; all the SHOULDs in the world won't stop verifiers from doing it. And verifiers over-asking without also providing a fallback or "slow lane" can make a sudden or temporary unavailability of foundational credentials painful or even exclusionary. The side-effects and externalities pile up dangerously in this industry!

Technologists see these kinds of capabilities (phone-home of any kind, remote revocation, low-friction foundational identity requests) like loaded guns in Act 1 of a Chekhov play: "If this capability exists within a digital identity system, even inactively, it will eventually be misused."

The Scale and Timing Problem

Most foundational identity systems being implemented for national-scale deployment include system-wide phone home tracking capabilities, either actively or latently. Many policymakers involved in these rollouts are not even aware of the tracking potential built into the standards they are adopting.

Four factors make this moment critical:

Scale of deployment: These systems will serve billions of users across developed nations, effectively replacing physical credentials. Precedent-setting effects: When one jurisdiction adopts tracking-enabled systems, it influences global practices and standards. Infrastructure persistence: Technical decisions made today will persist for decades, becoming prohibitively expensive to change once embedded. Mission creep inevitability: Capabilities developed for legitimate purposes like fraud prevention naturally accrue new private-sector and/or public-sector use-cases over time due to natural market pressures. Today's private-sector usage is tomorrow's public-sector secondary data market. The Fallacy of "Privacy by Policy"

The fundamental problem with latent tracking capabilities is that policies change, but technical architecture persists. If a system has surveillance capability—even if unused—it will eventually be activated. Emergencies, changing administrations, or shifting political priorities can quickly justify "pressing the button" to enable widespread tracking.

The solution is simple: they cannot press a button they do not have.

Consider AAMVA's recent decision to prohibit the "server retrieval" capability throughout the U.S.—a positive step that we welcome. However, most low-level implementations (e.g. core libraries) will likely implement the entire specification and leave it to the last-mile implementers to honor (or not) this policy. As an incubator of new specifications and prototypes, DIF feels strongly that jurisdiction-by-jurisdiction policies is just "turning off" what the specification still instructs software to implement for later policies to turn back on at the flick of a switch. We believe the underlying ISO specification needs to remove "server retrieval" completely, lest every authority in the U.S. remain one emergency away from activating broad, identity-based surveillance of all citizens.

Privacy-Preserving Alternatives Exist

The choice between security and privacy is false. Offline-first verification operates without server communication—the credential contains cryptographic proofs that can be validated independently. The ISO 18013-5 standard itself includes "device retrieval" mode, a privacy-preserving alternative that functions entirely offline.

Even credential revocation can be implemented without phone home capabilities. Privacy-preserving revocation systems are in production today, proving that security and privacy can coexist.

The technology exists. The standards exist. What has been missing is commitment to prioritize privacy over the operational convenience of centralized tracking.

Moving Forward

Awareness is growing. We welcome developments like AAMVA's prohibition of server retrieval, but more work is needed across the broader digital identity ecosystem to eliminate latent surveillance capabilities entirely.

The Decentralized Identity Foundation develops standards that prioritize privacy, supports implementations that respect user autonomy, and advocates for technical architectures that prevent tracking and add friction to data misuse. Our membership includes many technologists and vendors designing tracking-free alternatives for these and other use cases.

We encourage you to read the full No Phone Home statement at https://nophonehome.com. Whether you are building, deploying, or using these systems, your voice matters at this critical juncture.

The question is not whether we can build privacy-preserving digital identity—it is whether we will choose to do so. Let's build it right.

The Decentralized Identity Foundation (DIF) is an engineering-driven organization focused on developing the foundational elements necessary to establish an open ecosystem for decentralized identity and ensure interoperability between all participants. Learn more at identity.foundation.

Chinese companies are gaining ground in the global race to develop the next generation of artificial intelligence — not just chatbots, but autonomous agents designed to handle complex tasks with...

Last month, Brazil announced it is rolling out a data ownership pilot that will allow its citizens to manage, own, and profit from their digital footprint — the first such...

The OpenID FAPI working group recommends the approval of Errata corrections to the following specification:

First Errata Set for JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) 

An Errata version of a specification incorporates corrections identified after the Final Specification was published. This would be the first set of errata corrections for JWT Secured Authorization Response Mode for OAuth 2.0 (JARM). The corresponding previously approved specification is available at:

https://openid.net/specs/oauth-v2-jarm-final.html

This note starts the 45-day public review period for the specification draft in accordance with the OpenID Foundation IPR policies and procedures. Unless issues are identified during the review that the working group believes must be addressed by revising the draft, this review period will be followed by a seven-day voting period during which OpenID Foundation members will vote on whether to approve this draft as an OpenID Implementer’s Draft. For the convenience of members who have completed their reviews by then, voting will actually begin a week before the start of the official voting period.

The relevant dates are:

Errata public review period: Thursday, May 29, 2025 to Sunday, July 13, 2025 (45 days) Errata vote announcement: Monday, July 14, 2025 Errata early voting opens: Monday, July 21, 2025* Errata official voting period: Monday, July 28, 2025 to Monday, August 4, 2025 (7 days)*

* Note: Early voting before the start of the formal voting period will be allowed.

The OpenID FAPI working group page is https://openid.net/wg/fapi/.

Information on joining the OpenID Foundation can be found at https://openid.net/foundation/members/registration. If you’re not a current OpenID Foundation member, please consider joining to participate in the approval vote.

You can send feedback on the specification in a way that enables the working group to act upon it by (1) signing the Contribution Agreement at https://openid.net/intellectual-property/ to join the working group, (2) joining the working group mailing list at https://lists.openid.net/mailman/listinfo/openid-specs-fapi, and (3) sending your feedback to the list

Marie Jordan – OpenID Foundation Secretary

About The OpenID Foundation (OIDF)

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.

 

The post Public Review of JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) first appeared on OpenID Foundation.

The OpenID FAPI working group recommends the approval of the following specification as an OpenID Final Specification:

FAPI 2.0 Message Signing

 
A Final Specification provides intellectual property protections to implementers of the specification and is not subject to further revision. This note starts the 60-day public review period for the specification draft in accordance with the OpenID Foundation IPR policies and procedures. Unless issues are identified during the review that the working group believes must be addressed by revising the draft, this review period will be followed by a seven-day voting period during which OpenID Foundation members will vote on whether to approve this draft as an OpenID Final Specification. For the convenience of members, voting will actually begin a week before the review period ends, for members who have completed their reviews by then.

The relevant dates are:

Final Specification public review period: Thursday, May 29, 2025 to Monday, July 28, 2025 (60 days) Final Specification vote announcement: Tuesday, Jul 29, 2025 Final Specification early voting opens: Tuesday, August 5, 2025 Final Specification official voting period: Tuesday, August 12, 2025 to Tuesday, August 19, 2025 (7 days)*

* Note: Early voting before the start of the formal voting will be allowed.

The OpenID FAPI working group page is https://openid.net/wg/fapi/.

Information on joining the OpenID Foundation can be found at https://openid.net/foundation/members/registration. If you’re not a current OpenID Foundation member, please consider joining to participate in the approval vote.

You can send feedback on the specification in a way that enables the working group to act upon it by (1) signing the Contribution Agreement at https://openid.net/intellectual-property/ to join the working group, (2) joining the working group mailing list at https://lists.openid.net/mailman/listinfo/openid-specs-fapi, and (3) sending your feedback to the list.

 

Marie Jordan – OpenID Foundation Secretary

 

About The OpenID Foundation (OIDF)

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.

The post Public Review Period for Proposed FAPI 2.0 Message Signing Final Specification first appeared on OpenID Foundation.

OASIS Members Advance Digital Lexicography with an Interoperable Data Model for Dictionaries

Boston, MA – 29 May 2025 – Members of OASIS Open, the global open source and standards organization, have approved the Data Model for Lexicography (DMLex) Version 1.0 as an OASIS Standard, a status that signifies the highest level of ratification. Developed by the OASIS Lexicographic Infrastructure Data Model and API Technical Committee (LEXIDMA TC), DMLex v1.0 establishes a groundbreaking framework for internationally interoperable lexicographic work, advancing innovation in digital dictionaries, language services, and related industries. 

“We’re incredibly proud of what we’ve achieved with DMLex v1.0. This is a lifechanging milestone for lexicography, paving the way for a new level of digitisation and for truly innovative applications,” said Michal Měchura, Chair of the OASIS LEXIDMA TC. “By providing a common framework for structuring and exchanging lexicographic resources, DMLex empowers language documentors around the world to manage their content more effectively, to collaborate and to build smarter language technologies.”

Lexicography has undergone a profound transformation in the digital age, with dictionaries now being compiled from language corpora and consumed through web platforms, mobile apps, and integrated into search engines, writing tools, and machine translation software. However, legacy data models have been hampering further innovation. DMLex v1.0 addresses these challenges by introducing a modular, IT-friendly, and content-rich data model designed to meet the needs of both lexicographers and technology developers. DMLex has been designed to be easily and straightforwardly implementable in XML, JSON, RDF, NVH, as a relational database, and as a Semantic Web triplestore.

OASIS encourages widespread adoption of DMLex v1.0 and invites feedback from lexicographers, developers, and other stakeholders to further enhance its capabilities. Participation in the LEXIDMA TC is open to all through membership in OASIS. For more information, visit the TC homepage and read Michal Měchura’s blog post exploring the goals and impact of DMLex.

The post Data Model for Lexicography Approved as an OASIS Standard appeared first on OASIS Open.

Ameca, a humanoid robot, smiled and blinked at the crowd at Dubai AI Week 2025, a celebration of all things artificial intelligence. Landmark announcements marked the event, including a $545...

Digital identity security is entering a new era as the OpenID Connect Core 1.0 specification has been formally adopted, by incorporation, by the International Telecommunication Union (ITU) as Recommendation X.1285. This milestone represents the first time an OpenID Foundation (OIDF) specification has been recognized as an ITU-T standard, and it offers implementers even more confidence in the stability of digital IDs. Publication by the ITU will follow.

The OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling ‘networks of networks’ to interoperate globally.

This new Recommendation has been driven by the collaborative work of ITU-T Study Group 17 on standards-based authentication and identity frameworks that support secure, interoperable, and privacy-preserving digital ecosystems.

This recommendation by ITU-T places OpenID Connect Core 1.0 alongside other internationally significant identity specifications, such as the OSIA family of APIs (X.1281), which were recognized by ITU-T in March 2024, and the FIDO2 family of protocols, which were similarly recognized by ITU-T since the March 2018 ITU-T SG17 meeting.

Celebrating a team achievement

Securing ITU-T approval for an OpenID Foundation specification was no small feat. Over the past two years, ITU-T leaders, the OpenID Connect Working Group, and national delegations have reviewed the OpenID Connect Core 1.0 specifications and built the consensus needed for formal ITU-T Recommendation.

A heartfelt ‘thank you’ goes to:

Arnaud Taddei, Chair of ITU-T Study Group 17 (SG17) (Security) Abbie Barbir, Co-Rapporteur for ITU-T SG17 Question 10 (Q10/17) (Identity Management) Hiroshi Takechi, Co-Rapporteur for ITU-T SG17 Question 10 (Q10/17) (Identity Management) Debora Comparin, Chair of ITU-T SG17 Working Party 1 (WP1/17) Bjorn Hjelm, ITU Liaison and Lead Editor, ITU-T versions of OpenID Connect specifications Stephanie de Labriolle, SIA for SIDI Hub Q10 Liaison Manager Hiroshi Ota, ITU Secretariat for SG12 & SG15 Xiaoya Yang, Counsellor of ITU-T Study Group 17 – Security Oscar Giovanni León Suárez, Project Manager, Social Investment Solutions Mike Jones, Co-chair A/B Connect WG, and OIDF Board Member John Bradley, Co-chair A/B Connect WG, and OIDF Board Member Nat Sakimura, Co-chair A/B Connect WG, and Chairman, OpenID Foundation

Plus sincere thanks overall to ITU-T SG17 members who found a consensus to consent this text by incorporation, according to the Accelerated Approval Process (AAP), at the closing plenary of its last meeting in April 2025.

“Reaching X.1285 is a landmark success for our community. By incorporating OpenID Connect Core with ITU-T standards, we’re ensuring interoperable, secure identity on a truly global scale,”
—Debora Comparin, ITU-T WP1/17 Chair

“This recognition validates years of work and trust-building between the OpenID Foundation and ITU. It also sets a clear path for other OpenID Foundation specifications to follow, and establishes a solid cornerstone both for the industry and security itself as well as for all member states to adopt and leverage in their overall regulations with urgency on digital wallet, digital public infrastructure, telecommunication/ICTs. ”
—Arnaud Taddei, Chair, ITU-T SG17 / Global Security Strategist, Enterprise Security Group

“This is a milestone for ITU-T SG17 Question 10. We look forward to continued collaboration with OpenID Foundation in all areas including all decentralized Identity specifications. Together we can make these protocols globally accepted and interoperable”

–Abbie Barbir, Co-Rapporteur for ITU-T SG17 Question 10 (Identity Management)

The recognition of OpenID Connect Core by ITU reflects increasing alignment across standards organizations to support international interoperability. These ITU-T standards now serve as critical enablers of global trust frameworks, often being referenced in national policies and regulatory guidance.

A vision realized – thanks to Nat Sakimura

The idea to pursue formal ITU recognition for an OIDF spec originated with Nat Sakimura, a long-time advocate for global standardization. Nat’s early vision, and tireless coordination with national administrations, sparked the initiative:

“We are grateful to the ITU community for this first formal recognition of an OpenID Foundation standard as now an ITU Recommended standard. This recognition is a testament to the existing value of the OpenID Connect Core standard to the global community, and the potential to reach an even wider community with the ITU’s support.”
—Nat Sakimura, Chairman OpenID Foundation

Building on ISO/IEC success

This ITU milestone comes on the heels of another major achievement. In December 2023, the OpenID Foundation submitted a suite of OpenID Connect specifications to the ISO as Publicly Available Specifications (PAS). Following the ISO approval vote, the nine documents were published in 2024.

Before submission, the OpenID Connect Working Group meticulously applied all known errata to the specifications to ensure the ISO versions reflected the most up-to-date, error-free text. Publication of these ISO/IEC standards has already begun to foster broader adoption of OpenID Connect, particularly in jurisdictions requiring compliance with internationally recognized standards bodies.

Looking ahead – more standards on the horizon

With our first ITU and ISO/IEC successes secured, the OpenID Foundation will submit the remaining suite of OpenID Connect specifications, followed by the next wave of formal international OpenID Foundations standards. They include:

FAPI 1.0 – ISO PAS submission planned mid-2025, ITU recognition targeted for 2H 2025 OpenID for Identity Assurance – ISO PAS submission planned mid-2025, ITU recognition targeted for 2H 2025 FAPI 2.0 – targeting ISO PAS submission mid-2025, ITU recognition targeted for 2H 2025

Thank you to everyone who contributed to this journey with ITU, from editors and reviewers to national delegates and community volunteers. Together, we’re strengthening the security, interoperability, and global reach of digital identity. The road ahead is bright. We look forward to more OpenID Foundation specifications achieving formal recognition and empowering secure, seamless user experiences worldwide.

About the OpenID Foundation

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net. 

About ITU-T SG 17

ITU-T Study Group 17 (SG17) is the International Telecommunication Union’s (ITU-T) primary body for security standardization. It is the lead study group on Identity Management. It focuses on developing standards to address security aspects of telecommunications, ICTs, and related applications. SG17 works on a wide range of security-related topics, including cybersecurity, security management, and identity management.

The post A new ITU-T standard ushers in a new era for OpenID first appeared on OpenID Foundation.

On May 5, 2025, the OpenID Foundation convened a landmark interoperability demonstration of digital identity credentials that brought together leading identity platforms, standards bodies, and government agencies from three regions. This is the first public demonstration of how a user can present their digital identity across digital platforms, devices, and credential formats in a way that is secure, private, interoperable, and globally scalable.

This interoperability event had four objectives: 

Prove out new specifications and open source tests by demonstrating their interoperability in online transactions Provide results and implementer insights back to standards body peers Brief government partners on standards progress Support global-scale adoption Interoperability Testing

The event featured two separate interop demonstrations – pair-wise and multi-wallet remote testing. 

The specifications tested included:

The OpenID Foundation’s OpenID for Verifiable Presentations (VP) draft 24  The OpenID Foundation’s OpenID for Verifiable Credentials High Assurance Interoperability Profile Implementer’s Draft 2.0 W3C’s Digital Credentials API (DC API) FIDO’s CTAP specification ISO/IEC IS 18013-5:2021 Mobile Driving License (mDL)  ISO/IEC TS 18013-7:2024 Mobile Driving License  IETF’s SD-JWT draft 17 https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/ OAuth 2.0 OpenID Connect Core 1.0 WebAuthN Pairwise Testing

Th pairwise interop demonstration was conducted by the OpenID Foundation. Out of 224 possible wallet/verifier pairings, 153 tests were conducted, with over 90% passing successfully. This demonstrated the stability of the underlying specifications.

The participants executed four requests from the user’s digital identity credential stored on their device. These query scenarios use the new Digital Credentials Query Language (DCQL). These ranged from simple name retrieval in a mobile driving license (MDL) to more complex ‘over-18’ age proofs in both mobile driving license (mDL/mdoc) and Selective-Disclosure for JWT  (SD-JWT) formats. Under the High-Assurance Interoperability Profile (HAIP), verifiers required signed requests, encrypted responses, and client-ID restrictions. These tests successfully demonstrated that enhanced privacy and security need not compromise developer productivity.

Against this backdrop, the OpenID Foundation assembled more than a dozen implementers (8 wallets and 7 verifiers) prepared to test interoperability with each other. They included: 

1Password Android Animo/ Funke Wallet  Bundesdruckerei  MATTR  Microsoft OpenID Foundation (open source tests) Panasonic  Scytales  Spruce  An anonymous corporate Multi-Wallet Remote Interoperability Testing

The second interop demonstration was hosted by NIST NCCoE, with Microsoft supporting remote interoperability testing with an architecture tailored specifically for the NIST NCCoE mDL Project. Their contribution aimed to enable interoperability across multiple standards and technical specifications to ensure high success rates in digital identity verification for Mobile Driver’s Licenses (mDL) and Persistent Identifiers (PIDs) across multiple wallets, using a single verifier provisioned by Mattr. Similar to the pairwise testing, the multi-wallet remote interoperability testing achieved an overall success rate of 91.75%, measured across the following key elements:

Orchestration Layer: A Microsoft Entra tenant to coordinate interactions between multiple wallets to a single verifier (Mattr) Remote Presentation Architecture: Wallet-independent support for same-device and cross-device flows for multiple profiles and datasets Wallets Tested:  1 Password Animo:  Funke Bundesdruckerei: InnoWallet Google: Multipaz  Google: CM Wallet Scytales: Scytales Wallet Spruce ID: Showcase

At the end of the event, VIP observers bore witness to the demonstrations, assessing both the technical successes and the implications for their respective jurisdictional roadmaps. VIP observers participating in the live event were Ryan Galluzzo from the United States NIST, Mr. Soshi Hamagushi from the Japan Digital Agency, and Ajay Gupta from the California DMV. A big thanks to all of our VIP observers and our interop participation teams:

Why This Demonstration Mattered

Over the past 18 months, verifiable credentials have moved from promising prototypes to production pilots in finance, healthcare, transportation, and government services. In the California DMV and OIDF hackathons in October and November 2024, we saw a wide range of use cases demonstrated, and in Europe, we have seen a wide range of use cases realized as part of the European Digital Identity Wallet’s Large Scale Pilots. More recently, the UK.Gov, the Swiss Confederation, and Japan Digital Agency declared their selection of OpenID for Verifiable Presentation in their digital identity projects. Other jurisdictions are poised to follow suit. This interop event on May 5th served as the crucible to demonstrate the real-world interoperability of specifications that are on their way to final, in line with European Digital Identity Wallet and NIST NCCoE Mobile Driver’s License (mDL) project timelines. To get to this point, there were three key components:

Liaisons and Partnerships: The Foundation has long-term liaisons and partnerships with peer standards bodies such as W3C, ISO, IETF, and the FIDO Alliance. These liaisons and ongoing technical conversations have underpinned the development of interoperable standards demonstrated on May 5th, alongside the large number of leading-edge implementers ready to prove out the specifications together. The results of this interoperability event will be shared via a liaison statement with  ISO/IEC 18013-7 WG10 to inform this Work Group’s due diligence on online presentation specifications. Conformance Testing: OIDF developed open-source tests aligned to the specifications for use before and during the interop event. The implementers could prove their implementations against the tests before testing against their peers and provide critical feedback on the tests for the benefit of future implementers. Once the specs and open-source tests are finalized, implementers will be able to self-certify their implementations. Self-certification and other conformance requirements are often vital components of ecosystem governance to ensure all participants in an ecosystem have met the same high bar for security and interoperability.   Hybrid Interop Events: Finally, this event was hosted in a hybrid format, with some implementers together in Berlin and others remotely located in Tokyo, San Francisco, and beyond. The interop event proved that online presentation using OpenID for Verifiable Presentation works across platforms, across devices, and for different credential types.  

Gail Hodges concluded the session by framing the importance of this moment:

“The ability to issue a credential in one ecosystem, present it through any wallet, and verify it online in another jurisdiction, seamlessly and securely, is the future of digital identity. Today we proved that it’s not just a vision, but a reality.”

Implementer Feedback 

The feedback from the implementers on the benefits of the May 5th interop is positive and encouraging that we are at an inflection point:  

Juliana Cafik, Principal Program Manager and Identity Standards Architect said,

“Microsoft is dedicated to leading the advancement of secure and privacy-preserving digital identity solutions. This event highlights our commitment to creating a seamless and interoperable digital identity ecosystem through collaboration with global stakeholders. By participating in the development of open standards, we are ensuring that digital identities are universally accessible and trusted, empowering everyone to engage confidently in the digital world.”

Marina Ioannou from Scytales described their interoperability experience as “smooth and engaging.” Scytales, in partnership with Netcompany-Intrasoft—part of the NETCOMPANY Group A/S—was awarded the contract by the European Commission to develop the European Digital Identity Wallet (EUDI Wallet). This wallet aims to deliver a universal, interoperable digital identity solution, enabling electronic signatures, document validation across sectors, and full transparency in data usage.

“Participating in interoperability events like this one is an opportunity to validate the latest protocol drafts and versions, test the robustness of our implementation strategy and highlight any need for greater clarity in specifications to ensure better alignment.

At Scytales, we believe it’s critical for the global decentralized digital identity community to prioritize and strengthen interoperability across regions and ecosystems. As adoption accelerates worldwide, it’s vital that solutions built in one region work seamlessly with those from another. Only then can we ensure secure, privacy-preserving, and consistent identity experiences for users everywhere.”

Similarly, 1Password praised the clarity of the documentation and the supportive developer community:

“1Password is excited to be involved as a wallet and support the adoption of OID4VC. Thanks to the excellent documentation and developer community around these initiatives, we quickly built an early example of verifiable credential  support in 1Password for Android.”

Micha Kraus of Germany’s Bundesdruckerei GmbH, a German federal technology company, that prints German passports and identity credentials, observed:

“The new Digital Credentials (DC) API is a really critical building block for building wallets and for relying parties in multi-party, multi-device, multi-wallet scenarios. I’m looking forward to seeing the implementations of the DC API on different platforms. What has worked particularly well over the past month is that the editors and contributors were not afraid to re-evaluate some options, while removing other options in favour of simplicity, and to drive true interoperability. This was very much appreciated.

My wish for the global community is that more parties will join the ‘club’ and see how easy it is to implement this. We are already seeing some very good applications that are secure, user friendly, and privacy preserving.”

Dirk Balfanz, from Google and OpenID Foundation Board member, said:

“The way DCQL has simplified our development process has been a really positive change, it’s made implementation much easier. The results we’re seeing in the interoperability tests are giving the Android team confidence that we’re nearing the point where this can be rolled out at scale. Scaling up always brings a level of caution, as they want to ensure everything is thoroughly vetted before launch. But at this stage, they feel like we’re getting there.”

“We’re now in a position to confidently recommend this to our developers. Global scalability has always been a key goal of this project, and it’s exciting to see that becoming a reality.” You can read more about Android’s support of digital credentials here.

Wayne Chang, Founder and CEO of SpruceID said, “At SpruceID, we believe open standards are essential to building a digital identity ecosystem that is secure, private, and controlled by users. We are proud to demonstrate with this group that these technologies create secure interoperability for a user-centric model of digital identity.”

Timo Glastra from Animo shared their conclusions after the event in a LinkedIn blog post: 

“The overall results were a major success for proving the specification maturity, reaching over a 90% success rate. Most of the wallets and verifiers were able to get all DCQL queries working with both SD-JWT VC and mDOC.” Timo continued, “We’re looking forward to continue the interoperability testing and achieve 100% success rate across all wallets and verifiers.”

Oliver Terbu from MATTR stated:

“Over the past two interop events, we’ve seen clear signs of maturity across specifications like OID4VP and the Digital Credentials API, with near-perfect success rates. What’s encouraging is not just that things are working. We are also seeing convergence around practical implementation patterns using a common simplified query language that reduces complexity and code duplication, especially across different credential formats. As a next step, the issuance side is gaining traction. The DC API is beginning to demonstrate how a consistent, browser-integrated approach can support seamless and secure credential issuance, while building on the existing OID4VCI specification.”

Voices from government and standards leadership

From Japan’s Digital Agency, Soshi Hamaguchi highlighted a successful proof-of-concept integrating the country’s My Number Card for student enrollment, certification and transit ticketing.

“Though limited in scope, this demo showed how global specifications can combine with national identity schemes to streamline everyday services,” he reflected.

Torsten Lodderstedt, the specification editor and co-chair of the Digital Credentials Protocol Working Group, expressed gratitude for the live feedback from implementers:

“Validating these features in real-world scenarios is crucial as we head toward final publication,” he said, inviting new contributors to help the working group evolve the specification beyond its first edition.

Next Steps Toward Global Adoption

To close the day, OIDF Executive Director, Gail Hodges, reminded attendees that the OpenID4VP specifications are on track for final publication around the end of June 2025, and are currently open for public comment. Partnerships with W3C, ISO, and FIDO and other standards body peers will continue – and further pilots are already underway, from opening a bank accounts in partnership with the NIST NCCoE Mobile Driving License (mDL) project to transit in Japan and collaborations with open source providers, like MOSIP, to bring standards into the wallet solutions of lower income governments.

“This interoperability demonstration is a pivotal milestone in a long journey,” Gail concluded. “Thank you to every implementer, observer and liaison partner for making it possible. Together, we are building a truly global digital identity ecosystem, one that empowers users, protects privacy and delivers real-world value.”

The lessons learned at this event will resonate across the next wave of deployments. By proving that diverse wallets and verifiers can interoperate at scale, the OpenID Foundation and its partners have set a new standard: open, secure, and universally compatible credentials that travel anywhere in the world.

You can watch the online demonstration of the next generation of digital identity credentials here. 

Notice: This post has been updated from the original to add clarifications on the difference between the pairwise and multi-wallet testing, and to add in quotes from the Japanese Government and Google.

About the OpenID Foundation

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.  

 

The post A Global First: OpenID Foundation Demonstrates Real-World Interoperability of New Digital Identity Standards first appeared on OpenID Foundation.

In 1958, Oliver R. Smoot, a student at MIT, was famously used as a human measuring stick to measure the length of the Harvard Bridge. Smoot, measuring a mere 5 foot 7 inches (1.70 m), would lay down on the bridge as his associates noted his position. It took a fair bit of time to measure the bridge as Smoot had to be carried by his associates to each new position – but the effort was well worth it. Thus, a playful, unconventional unit of measure was born. Over the years, smoot is remembered as a symbol of creativity, collaboration, and the unique quality of grassroots development. 

(This is the first of a two-part series on migrant workers in Taiwan’s semiconductor industry. Read the second story here.) A group of migrant tech workers from the Philippines sat...

Mercari, the Japanese e-commerce company behind the Mercari marketplace, has surpassed 10 million registered users of passkeys for authentication.

Yubico, a provider of hardware authentication security keys, has announced the expanded availability of YubiKey as a Service to all countries in the European Union.

This builds upon the company’s existing reach in markets such as the UK, U.S., India, Japan, Singapore, Australia and Canada. In addition, Yubico has expanded the availability of YubiEnterprise Delivery across 117 new locations around the world.

This now brings the total to 199 locations (175 countries and 24 territories and it more than doubles existing delivery coverage of YubiKeys to both office and remote users in a fast nad turnkey way. “Enterprises today are facing evolving cyber threats like AI-driven phishing attacks,” said Jeff Wallace, senior vice president of product at Yubico.

Authentication software company Entersekt has launched a partnership with South Africa-based PayTech solution provider Stanchion.

The partnership is aimed at “enhancing payment integration capabilities and delivering cutting-edge solutions to financial institutions worldwide,” the companies said in a Wednesday (May 21) news release.

The collaboration combines Stanchion’s tools for “modernizing, transforming, and accelerating innovation within payment systems” with Entersekt’s 3-D Secure payment authentication solution, which provides transaction authentication across all three domains: the merchant acquirer domain, the card issuer domain and the interoperability domain.

Passwords have been used as the first line of defense in protecting one’s digital identity, but they are fast becoming obsolete due to rampant identity theft. There seems to be no value in passwords anymore due to the increase in breaches of security systems on different platforms. This calls for an easier method of suppressing theft.

It is equally important to recognize the rise of passkeys as they help a great deal in bolstering digital identity protection.

Mike Kiser and Jen Schreiber

Beyond the immediate promise of the Shared Signals Framework in managing live sessions through CAEP events, an event-based approach offers a compelling path forward for addressing longer-term identity challenges. One such challenge is identity lifecycle management, or provisioning and deprovisioning.

Challenges of provisioning

Many underestimate the challenges of provisioning; for those who have not considered it, it may appear relatively simple on the outside. Much like watching a talented busker juggling on the streets of…oh, really any international city…say London, for no real reason other than the (most recent) interop held in that fine city.

Watching someone juggle looks easy, and starts relatively simple. A couple of balls fly into the air and bounce between the hands of the performer. Back and forth go the objects. The transfer seems simple, easy. And provisioning can, indeed, be like that: two discrete systems with fairly similar schemas and use cases (like an HR syncing into a local employee directory). But keep watching the busker…things rapidly get more complicated. Now instead of two objects, there are six or eight. The balls are exchanged for sticks, which are then set on fire. Now things aren’t so simple or easy, are they? The real world of provisioning escalates in much the same way; as the number of systems proliferate, so do the interconnections that must be maintained. This soon becomes an intractable problem (even without setting it on fire).

In an effort to address the challenges of managing the lifecycle of an identity, the System for Cross-Domain Identity Management (SCIM) was created. While SCIM has seen some success in connecting identity repositories, the rise of event-based architectures points to the need for SCIM to move from transactional and bulk operations to an event-based and asynchronous approach that allows interconnected systems to share identity context and data in near real time.

The SCIM Profile for Security Event Tokens seeks to provide a pathway for SCIM in event-based architectures.

Playing off the standards

SCIM events employ existing standards to accomplish this goal, using the same format of Security Event Tokens as in CAEP and Risk Incident Sharing and Coordination (RISC) events. It’s important to note that while SCIM Events may use the Shared Signals Framework as a transport layer, it does not require it. The juggler may be tossing objects in the air or water, they might be throwing clubs, rings, or balls. It’s all entertaining. SCIM events can be transported via push/pull over HTTP, streaming technologies like Kafka or Kinesis, webhooks, or SSF. The specification is agnostic. That said, the popularity of the Shared Signals Framework may make it a preferred option.

Syncing vs Notification: A diverse approach

With the adoption of an event-based approach, this iteration of SCIM allows for more than just a flow of updated information; while some systems may need and be able to process a

stream of events, others may prefer to be only notified of changes. In practice, this allows them to request only the changes that they’re interested in on a secure back channel, saving effort and preserving privacy. Other systems may need to process asynchronously, dealing with this new information on their own, independent timeline. The standard allows for this customizable approach, making it flexible for a diverse set of architectures.

Benefits of real time SCIM events

The ability of SCIM Events to support real time provisioning is significant. Once adoption takes place and real-time updates can be shared within an enterprise system, zero standing privilege (and zero trust) becomes one step closer to a reality. Making changes in real time means that access is no longer permanent, it is provisioned as an identity requires it, and then removed once it is no longer needed.

SCIM events hold more promise than provisioning alone, by ingesting data from various sources in real time, a system finds its true security potential. An access policy that an organization wants to enforce needs current data and attributes. With input from SCIM events alongside CAEP and RISC as the sources of real-time information, the policy becomes as current as it can be.

Privacy from data minimization will greatly benefit with the adoption of SCIM events. Limiting data collection to only what is necessary is fundamental to privacy approaches. Minimal information SCIM events allows receivers to decide which attributes or resource lifecycle changes it can accept. Or, for a transmitter to restrict a receiving domain. Less data acquired translates to less risk for the organization.

Within a system, SCIM events can be used as a reaction to CAEP and RISC events. When these events relay that a session has been eliminated, the system can react to the underlying attributes data and to the accounts themselves to prevent future use.

Finally, an auditable record of everything that takes place within an organization is essential to prove compliance and risk detection within the enterprise. It is not enough to eliminate invalid sessions or adjust access and entitlements, all actions taken within a system must be recorded to ensure that it is “living by its own rules” and doing precisely what it claims to be doing. Thus, SCIM events enable not only provisioning in real time, but auditing and governance as well.

SCIM Events: A logical step

By adopting SCIM events, we move closer to addressing the long-term problem of provisioning: fragmented data stores, proprietary interfaces, and a disjointed approach to identity – the historical equivalent to juggling fire. But we achieve more than that as we move into this new paradigm: we gain real-time context for enhanced policy-based decision making. We bolster privacy-enhancing approaches to data minimization. We create concrete responses to CAEP and RISC events. And we do it all with an audit record that proves that we are moving closer to our goal – a world in which access is not available except when it is necessary.

In short, SCIM Events moves provisioning from a task that only seems simple into one that actually is. (The authors are still working on the other intractable problem: keeping five flaming bowling pins in the air simultaneously.)

About the OpenID Foundation

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.   

 

The post Juggling with fire made easier: Provisioning with SCIM first appeared on OpenID Foundation.

The official voting period will be between Monday June 9, 2025 and Monday, June 16, 2025 (12:00pm PT), once the 60 day review of the specification has been completed. For the convenience of members who have completed their reviews by then, early voting will begin on Monday, June 2, 2025.

The OpenID EAP working group page is https://openid.net/wg/eap/. If you’re not already an OpenID Foundation member, or if your membership has expired, please consider joining to participate in the approval vote. Information on joining the OpenID Foundation can be found at https://openid.net/foundation/members/registration.

The vote will be conducted at https://openid.net/foundation/members/polls/358.

Marie Jordan – OpenID Foundation Secretary

  About the OpenID Foundation

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.   

The post Notice of Vote for Proposed Final EAP ACR Values Specification first appeared on OpenID Foundation.

As a precursor to the LF Decentralized Trust Mentorship 2025 Project, “Blockchain-Based OAuth 2.0 Authorization in 5G Core Networks with Hyperledger Fabric,” this blog is the first in a series that explores the evolution of OAuth 2.0 authorization in 5G Core Networks, highlighting its current limitations and the potential of decentralized frameworks to enhance security. In this series, we will discuss how OAuth 2.0 operates in 5G, its risks, and how the integration of Hyperledger Fabric can overcome these challenges.

Embedding Ethics for Audiences aged 14–19

WAO is currently working with the Responsible Innovation Centre for Public Media Futures (RIC), which is hosted by the BBC. The project, which you can read about in our kick-off post, is focused on research and analysis to help the BBC create policies and content to help improve the AI Literacy skills of young people aged 14–19.

We’re now at the stage where we’ve reviewed academic articles and resources, scrutinised frameworks, and reviewed input from over 40 experts in the field. They are thanked in the acknowledgements section at the end of this post.

One of the things that has come up time and again is the need for an ethical basis for this kind of work. As a result, in this post we want to share the core values that inform the development of our (upcoming) gap analysis, framework, and recommendations.

Public Service Media Values

Public Service Media (PSM) organisations such as the BBC have a mission to “inform, educate, and entertain” the public. The Public Media Alliance lists seven PSM values underpinning organisations’ work as being:

Accountability: to the public who fund it and hold power to account Accessibility: to the breadth of a national population across multiple platforms Impartiality: in news and quality journalist and content that informs, educates, and entertains Independence: both in terms of ownership and editorial values Pluralism: PSM should exist as part of a diverse media landscape Reliability: especially during crises and emergencies and tackling disinformation Universalism: in their availability and representation of diversity

These values are helpful to frame core values for the development of AI Literacy in young people aged 14–19.

AI Literacy Core Values

Using the PSM values as a starting point, along with our input from experts and our desk research, we have identified the following core values. These are also summarised in the graphic at the top of this post.

1. Human Agency and Empowerment

AI Literacy should empower young people to make informed, independent choices about how, when, and whether to use AI. This means helping develop not just technical ability, but also confidence, curiosity, and a sense of agency in shaping technology, rather than being shaped by it (UNESCO, 2024a; Opened Culture, n.d.). Learners should be encouraged to question, critique, adapt, and even resist AI systems, supporting both individual and collective agency.

2. Equity, Diversity, and Inclusion

All young people, regardless of background, ability, or circumstance should have meaningful access to AI Literacy education (Digital Promise, 2024; Good Things Foundation, 2024). Ensuring this in practice means addressing the digital divide, designing for accessibility, and valuing diverse perspectives and experiences. Resources and opportunities must be distributed fairly, with particular attention to those who are digitally disadvantaged or underrepresented.

3. Critical Thinking and Responsible Use

Young people should be equipped to think critically about AI, which means evaluating outputs, questioning claims, and understanding both the opportunities and risks presented by AI systems. In addition, young people should be encouraged to understand the importance of responsible use, including understanding bias, misinformation, and the ethical implications of AI in society (European Commission, 2022; Ng et al., 2021).

4. Upholding Human Rights and Wellbeing

Using a rights-based approach — including privacy, freedom of expression, and the right to participate fully in society — helps young people understand their rights, navigate issues of consent and data privacy, and recognise the broader impacts of AI on wellbeing, safety, and social justice (OECD, 2022; UNESCO, 2024a).

5. Creativity, Participation, and Lifelong Learning

AI should be presented as a tool for creativity, collaboration, and self-expression, not just as a subject to be learned for its own sake. PSM organisations should value and promote participatory approaches, encouraging young people to contribute to and shape the conversation about AI. This core value also recognises that AI Literacy is a lifelong process, requiring adaptability and a willingness to keep learning as technology evolves (UNESCO, 2024b).

Next Steps

We will be running a roundtable for invited experts and representatives of the BBC in early June to give feedback on the gap analysis and emerging framework. We will share a version of this after acting on their feedback.

If you are working in the area of AI Literacy and have comments on these values, please add them to this post, or get in touch: hello@weareopen.coop

Acknowledgements

The following people have willingly given up their time to provide invaluable input to this project:

Jonathan Baggaley, Prof Maha Bali, Dr Helen Beetham, Dr Miles Berry, Prof. Oli Buckley, Prof. Geoff Cox​, Dr Rob Farrow, Natalie Foos, Leon Furze, Ben Garside, Dr Daniel Gooch, Dr Brenna Clarke Gray, Dr Angela Gunder, Katie Heard, Prof. Wayne Holmes, Sarah Horrocks, Barry Joseph, Al Kingsley MBE, Dr Joe Lindley, Prof. Sonia Livingstone, Chris Loveday, Prof. Ewa Luger, Cliff Manning, Dr Konstantina Martzoukou, Prof. Julian McDougall, Prof. Gina Neff, Dr Nicola Pallitt, Rik Panganiban, Dr Gianfranco Polizzi, Dr Francine Ryan, Renate Samson, Anne-Marie Scott, Dr Cat Scutt MBE, Dr Sue Sentance, Vicki Shotbolt, Bill Thompson, Christian Turton, Dr Marc Watkins, Audrey Watters, Prof. Simeon Yates, Rebecca Yeager

References Digital Promise (2024). AI Literacy: A Framework to Understand, Evaluate, and Use Emerging Technology. https://doi.org/10.51388/20.500.12265/218 European Commission (2022) DigComp 2.2, The Digital Competence framework for citizens. Luxembourg: Publications Office of the European Union. https://doi.org/10.2760/115376. Good Things Foundation (2024) Developing AI Literacy With People Who Have Low Or No Digital Skills. Available at: https://www.goodthingsfoundation.org/policy-and-research/research-and-evidence/research-2024/ai-literacy Jia, X., Wang, Y., Lin, L., & Yang, X. (2025). Developing a Holistic AI Literacy Framework for Children. In Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems (pp. 1–16). ACM. https://doi.org/10.1145/3727986 Ng, D. T. K., Leung, J. K. L., Chu, S. K. W., & Qiao, M. S. (2021). Conceptualizing AI literacy: An exploratory review. Computers and Education: Artificial Intelligence, 2(100041), 100041. https://doi.org/10.1016/j.caeai.2021.100041 OECD (2022) OECD Framework for Classifying AI Systems. Paris: OECD Publishing. https://www.oecd.org/en/publications/oecd-framework-for-the-classification-of-ai-systems_cb6d9eca-en.html Opened Culture (n.d.) Dimensions of AI Literacies. Available at: https://openedculture.org/projects/dimensions-of-ai-literacies Open University (2025) A framework for the Learning and Teaching of Critical AI Literacy skills. Available at: https://www.open.ac.uk/blogs/learning-design/wp-content/uploads/2025/01/OU-Critical-AI-Literacy-framework-2025-external-sharing.pdf UNESCO (2024a) UNESCO AI competency framework for students. Available at: https://unesdoc.unesco.org/ark:/48223/pf0000391105 UNESCO (2024b) UNESCO AI Competency Framework for Teachers. Available at: https://unesdoc.unesco.org/ark:/48223/pf0000391104

Core Values for AI Literacy was originally published in We Are Open Co-op on Medium, where people are continuing the conversation by highlighting and responding to this story.

ISL presented at ConPro 2025’s 9th Workshop on Technology and Consumer Protection. The conference was a perfect opportunity to showcase our presentation on Safetypedia: Crowdsourcing Mobile App Privacy and Safety Labels.

Open PDF

The post IEEE’s ConPro ’25: Safetypedia: Crowdsourcing Mobile App Privacy and Safety Labels appeared first on Internet Safety Labs.

Many in the DIF community are asking about the upcoming Global Digital Collaboration conference in Geneva. As the date is quickly arriving, we wanted to give a sneak preview of what's ahead.

Table of Contents:

About the GDC Conference The Agenda Learn more and participate About the GDC Conference Key Details When: July 1-2, 2025 Where: Centre International de Conférences Genève (CICG), Switzerland Cost: Free (registration required) Register: https://lu.ma/gc25 (registration is available through any co-organizing partner) What is the GDC?

Global Digital Collaboration is a landmark gathering bringing together 30+ global organizations to advance digital identity, wallets, and credentials - hosted by the Swiss Confederation.

What makes this conference truly unique is that, from the beginning, it's been co-organized by the participating organizations, who have worked with their communities, and with each other, to form an agenda that will help advance the most critical topics in digital identity.

Rather than being driven by a single organization's vision, the GDC represents a collaborative effort where international organizations, standards bodies, open-source foundations, and industry consortia have jointly defined priorities and sessions that address the most pressing challenges in digital trust infrastructure. This multi-stakeholder approach ensures broader perspectives are represented and creates unprecedented opportunities for alignment across traditionally separate communities.

Why Attend? Unprecedented collaboration: This conference's collaborative nature bridges organizations that rarely coordinate at this scale. Connect: Connect with peers from government and private sectors to advance standards coordination, cross-border interoperability, and robust digital public infrastructure Network with experts: Engage directly with technical leaders, government officials, and industry pioneers shaping the future of digital trust Who Is Organizing?

The current list of co-organizers can be seen in the header image, with more to be added later this week. As a brief preview, this includes:

International & Government Organizations

European Commission (DG-CNECT) International Telecommunication Union (ITU) United Nations Economic Commission for Europe (UNECE) World Health Organization (WHO)

Standards Development Organizations & Open Source Foundations

Decentralized Identity Foundation (DIF) Eclipse Foundation European Telecommunications Standards Institute (ETSI) FIDO Alliance International Electrotechnical Commission (IEC) International Organization for Standardization (ISO) Linux Foundation Decentralized Trust (LFDT) OpenWallet Foundation (OWF) Trust Over IP (TOIP) World Wide Web Consortium (W3C)

Industry Consortia

Cloud Signature Consortium (CSC) Digital Credentials Consortium (DCC) Global Legal Entity Identifier Foundation (GLEIF)

Next, we'll look at the exciting conference agenda and highlight key sessions for the DIF community.

The Agenda

The conference is structured across two distinct days, each with a specific purpose. Day 1 features plenary sessions designed to provide comprehensive overviews of global initiatives and sector-specific developments in digital identity. This agenda is nearly finalized and a draft has been published.

Day 2 offers a more interactive format with parallel presentations, technical deep dives, workshops, and collaborative sessions. The preliminary Day 2 schedule will be published next week, but we can share an early preview of the key themes and sessions that should be of particular interest to the DIF community.

Day 1: Global Landscape & Sector Scan Morning sessions feature updates from government and industry stakeholders worldwide Afternoon sessions explore major use cases across sectors including travel, health, education, and finance Morning: Opening & Global Landscape Opening addresses by leaders from ITU, ISO, WHO, and more Regional updates from: European Commission Switzerland United States China/Singapore Japan India Korea Australia Global South Afternoon: Sector Updates 🚘 Driving Licenses 🧳 Travel Credentials ⚕️ Health Credentials 📚 Educational Credentials 📦 Trade 💸 Payments 🏢 Organizational Credentials 🪙 Digital Assets 🪪 Standards for ID and Wallets 🔏 Digital Signatures 🔑 Car Keys Day 2: Technical Deep Dives and Working Sessions

Day 2 features parallel sessions where participants will be encouraged to follow their interests plus share their experience and expertise.

Parallel sessions across multiple tracks including:

Privacy & Security: Zero-knowledge proofs, unlinkability Industry and Organizational Focus: Industry 4.0, Digital Product Passports, European Business Wallet Implementation & Deployment: Real-world wallet applications Standards & Interoperability: Cross-border credential exchange Policy & Regulation: Governance frameworks Emerging Technology: Emerging needs around AI and digital identity Demo Hour: See wallet applications and more Learn More and Participate Get Updates

There will soon be a GDC web site to more easily access event information and schedule. For now, we recommend:

Follow Global Digital Collaboration on LinkedIn And of course, subscribe to the DIF blog for additional updates focused on the DIF community Ready to Register?

You can also register through any co-organizer available at https://lu.ma/gc25

👉 DIF community members are encouraged to use DIF's dedicated registration link: https://lu.ma/gc25-dif

Tickets are free of charge and grant full access to the entire conference, regardless of the organization used during registration

Hotels & Discounts

The upcoming GDC web site will be updated with the latest information. For now, feel free to use the discount codes on this google document.

Looking Forward

The Global Digital Collaboration conference represents a unique opportunity for advancing digital identity solutions that can work across borders while putting users in control. DIF is committed to ensuring privacy and agency remain front and center in these conversations.

For those in the DIF community and beyond, this is an unparalleled opportunity to shape the future of digital identity in collaboration with global decision-makers and implementers.

How do you build a beverage brand from scratch and land in over a thousand stores?

For Aisha Chottani, it started with stress and a few homemade “potions”.

In this episode, Aisha, Founder and CEO of Moment, joins hosts  Reid Jackson and Liz Sertl to talk through what really goes into launching and scaling a functional drink brand. From labeling boxes by hand to managing relationships with co-packers and navigating supply chain failures, Aisha shares the behind-the-scenes story most startup founders keep to themselves.

She also gets real about what went wrong, like barcode mix-ups and Amazon returns gone sideways, and how those lessons became systems that power Moment’s growth today.

In this episode, you’ll learn:

Why small brands need relationships more than volume

How early mistakes can turn into long-term wins

What to watch out for when scaling distribution and operations

Jump into the conversation:

(00:00) Introducing Next Level Supply Chain

(01:34) Building a global mindset from four continents

(03:07) From McKinsey burnout to homemade “potions”

(06:06) Barcode errors and the pain of early logistics

(08:21) Growing Moment to 1,000 stores and 30 DCs

(11:33) What small brands can leverage on

(14:06) Collaborating with Lululemon

(17:15) Why Moment leans into a subscription model 

(20:39) Operational failures to learn from

(27:36) Aisha’s favorite technology

Connect with GS1 US:

Our website - www.gs1us.org

GS1 US on LinkedIn

 

Connect with the guest:

Aisha Chottani on LinkedInCheck out Moment

Play Video

Watch the full recording on YouTube.

Status: Verified by Presenter

Please note that ToIP used Google NotebookLM to generate the following content, which the presenter has verified.

Google NotebookLM Podcast

https://trustoverip.org/wp-content/uploads/EGWG-2025-05-15_-The-C2PA-Conformance-Program-Scott-Perry.wav

Here is a detailed briefing document reviewing the main themes and most important ideas or facts from the provided source, generated by Google’s NotebookLM:

Briefing Document: Review of C2PA and its Governance

Date: May 15, 2024
Source: Excerpts from “GMT20250515-145218_Recording_2560x1440.mp4”
Presenter: Scott Perry, Co-chair of Trust over IP’s Foundations Steering Committee, Founder and CEO of the Digital Governance Institute, Co-chair of the Creator Assertions Working Group at the Decentralized Identity Foundation (DIF).
Topic: C2PA (Coalition for Content Provenance and Authenticity) and the Application of Trust over IP’s Governance Metamodel.

1. Executive Summary

This briefing summarizes a presentation by Scott Perry on the Coalition for Content Provenance and Authenticity (C2PA) and the application of the Trust over IP (ToIP) governance metamodel to its conformance program. The C2PA is an industry-wide initiative creating a technical standard to attach “truth signals” or provenance information to digital objects. Facing a critical need to operationalize and govern this specification to ensure market trust and adoption, the C2PA has adopted the ToIP governance metamodel. This framework provides the necessary structure to establish a conformance program, define roles and responsibilities, manage risks, and create trust lists for compliant products and certification authorities. The program is set to officially launch on June 4th, initially focusing on self-assertion for conformance and introducing two levels of implementation assurance, with plans for independent attestation and higher assurance levels in the future.

2. Key Themes and Ideas The Problem of Trust in Digital Objects: The presentation highlights the growing challenge of establishing trust and authenticity for digital content in a world of easily manipulated or AI-generated media. This is particularly relevant for industries like telecommunications struggling with identity and verification, as noted by a participant’s observation about OTPs and SMS verification. C2PA as a Standard for Provenance and Authenticity: The C2PA specification aims to provide a technical solution by creating a “content credential” or manifest that is cryptographically bound to a digital object. This manifest acts as a ledger of actions taken on the object, providing a history and “nutrition label” of its source and modifications. “basically, it’s all of the major tech companies except Apple… coming together to create a standard for provenence, authenticity, truth signals on digital objects that can be digitally attached to digital objects.” Content Credential (Manifest): This is the core mechanism of the C2PA. It is a digitally attached ledger of actions taken on a digital object, such as “Camera took picture,” “edited picture,” or “an AI took this picture.” This manifest is “bound to it and linked to it” in a “cryptographically binding format,” providing tamper evidence. Scope of C2PA Responsibility: The C2PA primarily focuses on “created assertions,” which are “product-driven,” documenting actions taken within a product (e.g., a camera generating a picture, Photoshop editing an image). Distinction from “Gathered Assertions”: The C2PA does not take responsibility for “gathered assertions,” which are claims made by individuals or organizations outside of a product (e.g., “I Scott Perry took the picture” or industry-specific identifiers). These are the purview of other groups like CAWG (Content Authenticity Working Group) and related efforts like the Creator Assertions working group at DIF. Binding Mechanism: The C2PA uses X.509 certificates to bind the generator product to the digital asset. “when a picture is taken, the X509 certificate will be used will be binding it will be used to bind it bind the product to the asset.” This requires camera manufacturers and other product vendors to obtain certificates from approved Certification Authorities (CAs). The Need for Governance: While the C2PA created a technical specification, they recognized the critical need for a governance framework to operationalize and control the standard’s implementation and use in the market. “the key aspect is you have a spec out but you can’t control the use of the specification… they couldn’t get, you know, their arms around, you know, the on controlling its the specification use.” Application of ToIP Governance Metamodel: Scott Perry highlights how the ToIP governance metamodel provided the necessary structure for the C2PA to build its conformance program. “I came in with my toolkit from the the trust over IP project and it worked beautifully. It just created the structure to allow them to make the right decisions for themselves.” Key Components of the Governance Program (based on ToIP):Risk Assessment: Started with a “threats and harms task force” to identify major risks, particularly around the tampering of evidence and manifests. Governance Requirements and Framework: Defined primary documents (specification, security requirements, legal agreements) and control documents (privacy, inclusion, equitability requirements). A key output is a glossary of terms for the new ecosystem. Governance Roles and Processes: Identified key roles: the Governing Authority (C2PA Steering Committee), the Administering Party (Conformance Task Force), and Governed Parties (CAs, Generator Product companies, Validator Product companies). Legal Agreements: Formal agreements are being established between the C2PA and governed parties outlining roles, responsibilities, conformance requirements, and dispute resolution mechanisms. Conformance Criteria and Assurance: Defined based on the C2PA specification and implementation security requirements. The program includes “four levels of of assurance around the implementation of products,” though initially rolling out with two levels. These levels are tied to “security objectives” and assessed against the “target of evaluation” (the product and its supporting infrastructure). Conformance Process: Involves an intake form, application review, assessment of infrastructure (initially self-assertion, moving towards independent attestation), legal agreement signing, and adding records to trust lists. Residual Risk Assessment and Adaptation: The program includes a process to learn from the rollout, identify unmet requirements or issues, and adapt the program for continuous improvement. Trust Lists (Registries): Central to the program are trust lists identifying approved Generator Products, Validator Products, and Certification Authorities. A timestamp authority trust list is also being added. Levels of Assurance: The program is defining levels (initially rolling out two) to reflect different degrees of confidence in the implementation of the C2PA specification and associated security requirements. Achieving a higher level of assurance requires meeting all requirements for that level. Self-Assertion (Initial Rollout): Due to the complexity of auditing and getting the program launched quickly, the initial phase requires participants to self-assert that they meet the specification and requirements. Conformance Certificate: Upon successful conformance, products will receive a certificate tied to an OID (Object Identifier) denoting the assurance level they have achieved. This OID in the manifest’s certificate will identify the assurance level of the provenance information. JPEG Trust and Copyright: While C2PA provides provenance information that can be used for copyright, it doesn’t define ownership or copyright laws. JPEG Trust is mentioned as an organization creating an ISO standard focused on copyrights in concert with the C2PA standard. Relationship with W3C: The C2PA is actively engaged with the W3C, with discussions happening at the technical working group level regarding related standards like PROV (for provenance). Future Directions: Plans include introducing higher levels of assurance, implementing independent attested conformance, developing quality control software for assessing product compliance, and establishing a fee structure for the conformance program. CAWG (Content Authenticity Working Group) as a Broader Ecosystem: CAWG is viewed as a potentially larger ecosystem dealing with identity, metadata, endorsements, and AI learning process specifications, which will need to create their own applications and standards that can integrate with the C2PA foundation. 3. Important Ideas and Facts The C2PA is the Coalition for Content Provenance and Authenticity. It includes major tech and product manufacturers, excluding Apple initially but aiming to include them. The core technical output is the Content Credential (Manifest), a digitally attached ledger of actions on a digital object. The manifest provides tamper evidence and binds the product to the asset using X.509 certificates. C2PA focuses on “created assertions” (product-driven actions), leaving “gathered assertions” (individual/organizational claims) to other groups like CAWG. The Trust over IP governance metamodel has been successfully applied to structure the C2PA conformance program. The program addresses threats and harms related to tampering and requires adherence to implementation security requirements. The C2PA conformance program will officially launch on June 4th at the Content Authenticity Initiative symposium in New York City. The initial launch will include two levels of implementation assurance and a self-assertion confidence model. Key outputs of the governance program are legal agreements and trust lists of conforming products and certification authorities. The C2PA standard is becoming an ISO standard this year. Timestamp authorities will play a crucial role in providing trust signals related to the time of claim assertion. The program includes mediation and dispute resolution mechanisms in its legal agreements. The governance program provides the structure for the C2PA to “operationalize the spec” and control its use. 4. Key Quotes “basically, it’s all of the major tech companies except Apple… Coming together to create a standard for provenence, authenticity, truth signals on digital objects that can be digitally attached to digital objects.” “what it what it’s proposed to do is to create a ledger of actions against a digital object that is bound to it.” “It’s kind of the nutrition label on food… it’s really the nutrition label of all digital objects.” “The C2PA did not want to get involved in all of the the potential root, you know, actions and and variances about those types of things. They wanted to create the platform.” “They create the platform and they create the binding between the digital asset and the and the manifest using X509 certificates.” “The key aspect is you have a spec out but you can’t control the use of the specification… they couldn’t get, you know, their arms around, you know, the on controlling its the specification use.” “the governance program was needed to operationalize the spec. The spec was had, you know, a limitation in its usefulness without a governance program around it.” “I came in with my toolkit from the the trust over IP project and it worked beautifully. It just created the structure to allow them to make the right decisions for themselves.” “we’re creating a program which will hold generator and validator products accountable to the specific ification that’s already been published.” “We are creating two levels of implement implementation assurance and we are are using a self assertion confidence model we don’t have the mechanisms in place to hold organizations accountable for meeting the specification we don’t have an you know an assurance mechanism in place yet to do that.” “It is the hope that you know copyright laws can use the trust signals that are coming from the CTBA specification and conformance program in use for defining ownership and copyright.” “The conformance criteria is the spec and the spec is now at at level 2.2.” “we are looking at levels of assurance around the implementation of a product. Now it’s not just the product but it’s also its infrastructure.” “These are the kinds of records that were that are in the schema for the trust list.” 5. Next Steps Official launch of the C2PA conformance program on June 4th. Continued work on independent attestation and higher levels of assurance for the conformance program. Development of quality control software or processes for assessing product compliance. Ongoing collaboration with W3C and other relevant standards bodies. Further exploration of the broader CAWG ecosystem and its integration with C2PA.

This briefing provides a foundational understanding of the C2PA, its technical specification, and the crucial role of the newly established governance program, structured using the Trust over IP metamodel, in driving its adoption and ensuring trust in the digital content landscape.

For more details, including the meeting transcript, please see our wiki 2025-05-15 Scott Perry & The C2PA Conformance Program – Home – Confluence

https://www.linkedin.com/in/scott-perry-1b7a254/ https://digitalgovernanceinstitute.com/

The post EGWG 2025-05-15: The C2PA Conformance Program, Scott Perry appeared first on Trust Over IP.

Read the full case studyhere.

NETOPIA Payments becomes the first online payment processor in the world to implement Click to Pay with Passkey FIDO (Fast Identity Online) – a modern online checkout solution built on EMV® global standards, designed to redefine the digital payment experience: faster, safer, and without manual card data entry.

Editors

Shane Weeden, IBM
An Ho, IBM

Abstract

Session hijacking is a growing initial attack vector for online fraud and account takeover. Because FIDO authentication reduces the effectiveness of other simpler forms of compromise, such as credential stuffing and phishing, cybercriminals turn to theft and re-use of bearer tokens. Bearer tokens are a form of credential which include session cookies used by browsers connecting to websites and OAuth access tokens used by other thick client application types such as native mobile applications. When these credentials are long-lived and can be “lifted and shifted” from the machine where they were created to be usable by a bad actor from another machine, their tradable value is significant. Emerging technologies such as Device Bound Session Credentials (DBSC) for browsers and Demonstrating Proof of Possession (DPoP) for OAuth applications seek to reduce the threat of session hijacking. This article describes how these technologies address the problem of session hijacking and how they complement strong phishing resistant authentication in online ecosystems.

Audience

This white paper is for chief information security officers (CISOs) and technical staff whose responsibility it is to protect the security and life cycle of online identity and access management from online fraud. 

Download the White Paper 1. Introduction

Authentication and authorization are integral parts of an identity lifecycle, especially for online credential ecosystems. The growing threat of online identity fraud with costly security incidents and breaches has enterprises looking for ways to protect and secure their workforces from account takeover through different attack vectors such as phishing, credential stuffing, and session hijacking. For authentication, FIDO authentication with passkeys provides users with “Safer, more secure, and faster online experiences”, and an increase in the adoption of passkeys has contributed to a reduction of the success of attack vectors of credential phishing, credential stuffing, and session hijacking accomplished via man-in-the-middle (MITM) phishing attacks. However, what happens after the authentication ceremony?

After authentication, browsers and application clients are typically issued other credentials. Enterprise applications generally fall into two primary categories: those that are web browser based and use session cookies for state management and those that are thick client applications using OAuth access tokens (this includes some browser-based single page applications and most native mobile applications). Both types of credentials (session cookies and access tokens) are considered, in their basic use, as “bearer” tokens. If you have the token (the session cookie or the access token), then you can continue to transact for the lifetime of that token as the user who authenticated and owned it.This whitepaper explores adjacent technologies that address the “lift and shift” attack vector for bearer tokens and how these technologies complement FIDO-based authentication mechanisms. In particular, this paper focuses on the proposed web standard Device Bound Session Credentials (DBSC) for protecting browser session cookies and OAuth 2.0 Demonstrating Proof of Possession (DPoP) for protecting OAuth grants.

2. Terminology

session hijacking: An exploitation of the web session control mechanism that is normally managed for a session cookie.

credential stuffing: An automated injection of stolen username and password pairs (credentials) into website login forms to fraudulently gain access to user accounts.

1. Passkeys – https://fidoalliance.org/passkeys/
2. Device Bound Session Credentials – https://github.com/w3c/webappsec-dbsc
3. OAuth 2.0 Demonstrating Proof of Possession (DPoP) – RFC9449: https://datatracker.ietf.org/doc/html/rfc9449
4. Session hijacking attack https://owasp.org/www-community/attacks/Session_hijacking_attack
5. Credential stuffing https://owasp.org/www-community/attacks/Credential_stuffing

access token: A credential used by a client-side application to invoke API calls on behalf of the user.

session cookie: A credential managed by browsers to maintain session state between a browser and a website.

bearer token: A token (in the context of this whitepaper may refer to either an access token or a session cookie) so called because whoever holds the token can use it to access resources. A bearer token on its own can be “lifted and shifted” for use on another computing device.

sender-constrained token: A token protected by a mechanism designed to minimize the risk that anything other than the client which established the token during an authentication process could use that token in subsequent requests for server-side resources.

Device Bound Session Credential (DBSC): A proposal for a W3C web standard defining a protocol and browser behavior to establish and maintain sender-constrained cookies. The mechanism uses proof of possession of an asymmetric cryptographic key to help mitigate session cookie hijacking.OAuth 2.0 Demonstrating Proof of Procession (DPoP): A mechanism for implementing sender-constrained access tokens that requires clients to demonstrate possession of an asymmetric cryptographic key when using the token.

OAuth 2.0 Demonstrating Proof of Procession (DPoP): A mechanism for implementing sender-constrained access tokens that requires clients to demonstrate possession of an asymmetric cryptographic key when using the token.

3. Adjacent/complementary technologies for a secure ecosystem

While FIDO authentication technology can effectively eliminate phishing and credential stuffing attacks that occur during the login process, the addition of solutions to mitigate threats associated with bearer token theft is equally important. Bad actors whose attacks are thwarted during the login process will go after the next weakest link in the chain and try to steal post-authentication bearer tokens. This section explores two of these technologies for protecting bearer tokens: Device Bound Session Credentials (DBSC) protect browser-based session cookies and Demonstrating Proof of Possession (DPoP) protects OAuth grants. Alternative approaches to protect bearer tokens are also discussed.

Because no single piece of technology can protect against all threats, a combination of multiple techniques is required for adequate protection.

Table 1: Combination of technologies for increased security

TechnologiesAuthentication threatsPost-authentication threatsRemote PhishingCredential StuffingToken TheftPasskeysDBSC/DPoPPasskeys + DBSC/DPoP

3.1 Browser session cookie security

Before discussing Device Bound Session Credentials (DBSC), you will need to understand the problem being addressed regarding browser session cookies. Session hijacking via cookie theft allows an attacker, who possesses stolen cookies, to bypass end-user authentication, including any strong or multi-factor authentication (MFA). This is particularly problematic when browsers create long-lived session cookies (which are a type of bearer token), since these cookies can be traded as alternatives to a user’s primary authentication credentials and then used from the attacker’s machine. This can lead to unauthorized access to sensitive data, financial loss, and damage to an organization’s reputation. 

Attackers perform cookie theft through various methods such as man-in-the-middle phishing of a user’s existing MFA login process (when phishing-resistant authentication such as FIDO is not used), client-side malware, and occasionally through vulnerabilities in server-side infrastructure or software. Regardless of how cookie theft is perpetrated, when successful, these attacks are not only dangerous, but also hard to isolate and detect. Complementary technologies, such as Device Bound Session Credentials (DBSC), minimize the risks associated with browser cookie theft by making stolen cookies impractical to use from any machine other than the machine to which they were issued during authentication.

3.2 Device Bound Sessional Credentials – DBSC

DBSC refers to a proposed web standard currently in development within the Web Application Security working group of the W3C[2]. The goal of DBSC is to combat and disrupt the stolen web session cookies market. This is achieved by defining an HTTP messaging protocol and required browser and server behaviors to result in binding the use of application session cookies to the user’s computing device. DBSC uses an asymmetric key pair and in browser implementations the private keys should be unextractable by an attacker – for example stored within a Trusted Platform Module (TPM), secure element, or similar hardware-based cryptographic module.

At a high level, the API in conjunction with the user’s browser and secure key storage capabilities, allows for the following:

The server communicates to the browser a request to establish a new DBSC session. This includes a server-provided challenge. The browser generates an asymmetric key pair, then sends the public key along with the signed challenge to the server. This process is referred to as DBSC registration. Browser implementations of DBSC should use operating system APIs that facilitate secure, hardware-bound storage and use of the private key. The server binds the public key to the browser session by issuing a short-lived, refreshable auth_cookie which is then required to be transmitted in subsequent browser requests to the web server.

As the auth_cookie regularly expires, a mechanism is required for the browser to refresh the auth_cookie asynchronously to primary application web traffic. The refresh process requires signing a new server-issued challenge with the same private key created during DBSC registration, thereby re-proving (regularly) that the client browser is still in possession of the same private key.

Limiting the lifetime of the auth_cookie to short periods of time (for example, a few minutes) disrupts the market for trading long-lived session cookies. An attacker can only use stolen session cookies (including the auth_cookie) for a brief period, and cannot perform a refresh operation, since the private key required to perform a refresh operation is not extractable from the client machine.

DBSC may be introduced into existing deployments with minimal changes to the application. This is important as DBSC could easily be incorporated as a web plugin module in existing server-side technology (for example, Apache module, Servlet Filter, or reverse proxy functionality). This permits enterprises to roll out deployment of DBSC in phases without a complete overhaul of all current infrastructure and companies can prioritize certain critical endpoints or resources first.

DBSC server-side implementations can also be written in a manner that permits semantics, for example: “If the browser supports DBSC, use it, otherwise fallback to regular session characteristics.” This allows users to gain the security advantages of DBSC when they use a browser that supports it without having to require all users to upgrade their browsers first.

Refer to the Device Bound Session Credentials explainer for more details on the DBSC protocol and standard, including a proposal for enterprise-specific extensions that adds attestation to DBSC keypairs.

3.2.1 What makes DBSC a technology complementary to FIDO?

The DBSC draft standard permits the login process to be closely integrated with the DBSC API. While FIDO is a mechanism that makes authentication safer and phishing resistant, DBSC is a mechanism that makes the bearer credential (session cookie) safer post-authentication. They complement each other by reducing the risk of account takeover and abuse, making the entire lifecycle of application sessions safer.

3.2.2 Alternative solutions

DBSC is not the first standard to propose binding session cookies to a client device. Token Binding is an alternative that combines IETF RFCs 8471, 8472, and 8473. Token Binding over HTTP is implemented via a Transport Layer Security (TLS) extension and uses cryptographic certificates to bind tokens to a TLS session. Token Binding has had limited browser adoption and is complex to implement as it requires changes at the application layer and in TLS security stacks. The Token Binding over HTTP standard has not been widely adopted and only one major browser currently offers support.

3.2.3 Advice

The DBSC standard relies on local device security and operating system APIs for storage and use of the private key that is bound to the browser’s session. While these private keys cannot be exported to another device, the key is available on the local system and may be exercisable by malware residing on the user’s device. Similarly, in-browser malware still has complete visibility into both regular session cookies and short-lived auth_cookies. DBSC is not a replacement for client-side malware protection, and the threat model for DBSC does not provide protections from persistent client-side malware. Ultimately, the user must trust the browser.

As browsers start to support DBSC over time, it will be important for servers to be able to work with a mix of browsers that do and do not include support for this technology. Some enterprises may dictate that corporate issued machines include browsers known to support DBSC, but many will not. It will be necessary for server-side implementations to take this into consideration, using DBSC when the browser responds to registration requests, and tolerating unbound session cookies when the browser does not. When building or choosing a commercial solution, ensure you consider this scenario, and include the ability to implement access control policies that strictly require DBSC in highly controlled or regulated environments or for specific applications.

At the time of writing, DBSC is in early evolution. It remains to be seen whether or not it will be widely adopted by browser vendors. The hope is that incubating and developing this standard via the W3C will result in wider adoption than previous proposals, similar to the way that the WebAuthn API has been adopted to bring passkey authentication to all major browser implementations.

4. OAuth grants

The previous section introduced DBSC as a means to protect against session cookie theft in web browsers. Thick application clients, including mobile applications and single-page web applications, typically use stateless API calls leveraging OAuth grants instead of session cookies. An OAuth grant may be established in several ways, with the  recommended pattern for thick clients being to initially use the system browser to authenticate a user, and grant access for an application to act on their behalf. Conceptually this is remarkably similar to browser-based sessions, including the ability and recommendation, to use FIDO authentication for end-user authentication when possible. At the conclusion of the browser-based authentication portion of this flow, control is returned to the thick client application or single-page web application where tokens are established for use in programmatic API calls. 

The challenge that occurs from this point forward is almost identical to that described for browsers – the OAuth tokens are bearer tokens that if exposed to a bad actor can be used to call application APIs from a remote machine instead of from the legitimate application.

This section describes the use of DPoP, a technology for protecting the “lift and shift” of credentials used in OAuth-protected API calls which, just like DBSC, makes use of an asymmetric key pair and ongoing proof of possession of the private key.

4.1 Demonstrate Proof of Possession (DPoP)

OAuth 2.0 Demonstrating Proof of Possession (DPoP) is an extension of the existing OAuth 2.0 standard for implementing device bound (or sender-constrained) OAuth access and refresh tokens. It is an application-level mechanism that allows for the tokens associated with an OAuth grant (that is, refresh tokens and access tokens) to bind with the requested client using a public and private key pair. This requires the client to prove ownership of its private key to the authorization server when performing access token refresh operations and to resource servers when using access tokens to call APIs.

6. OAuth 2.0 for Native Apps https://datatracker.ietf.org/doc/html/rfc8252

High assurance OpenID specifications, such as Financial-grade API (FAPI 2.0), mandate the use of sender-constrained tokens and DPoP is the recommended method for implementing this requirement when Mutual TLS (mTLS) is not available.

At a high level, DPoP requires that:

The client generates a per-grant public/private key pair to be used for constructing DPoP proofs. Best practice implementations should use operating system APIs to ensure the private key is non-extractable. On initial grant establishment (for example, exchanging an OAuth authorization code for the grant’s first access token and refresh token), a DPoP proof (a JWT signed by the client’s private key that contains, among other things, a copy of the public key) is used to bind a public key to the grant. Requests to a resource server using an access token obtained in this manner must also include a DPoP proof header, continuously proving possession of the private key used during grant establishment. This is done for every API request. Resource servers are required to check if an access token is sender-constrained, confirm the public key, and validate the DPoP proof header on each API call. For public clients, subsequent refresh_token flows to the authorization server’s token endpoint must also contain a DPoP proof signed with the same key used during initial grant establishment. This is particularly important as the refresh tokens are often long-lived and are also a type of bearer token (that is, if you have it you can use it). The authorization server must enforce the use of a DPoP proof for these refresh token flows and ensure signature validation occurs via the same public key registered during initial grant establishment.

Unlike a plain bearer access token which can be used by any holder, DPoP based access tokens are bound to the client that initially established the OAuth grant, since only that client can sign DPoP proofs with the private key. This approach minimizes the risks associated with malicious actors trading leaked access tokens.

Refer to DPoP RFC 9449 – OAuth 2.0 Demonstrating Proof of Possession (DPoP) for more information.

4.2 What makes DPoP a complementary technology to FIDO?

FIDO can be leveraged for phishing resistant end-user authentication during establishment of an OAuth grant. Refresh and access tokens obtained by a client following this authentication should be safeguarded against “lift and shift” attacks just like session cookies in browser-based apps. DPoP is a recommended solution for protecting these OAuth tokens from unauthorized post-authentication use. Together, FIDO for end user authentication and DPoP for binding OAuth tokens to a client device complement each other to improve the overall security posture for identities used in thick client applications.

4.2.1 DPoP alternative solutions?

RFC8705 – OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens describes a mechanism that offers a transporter layer solution to bind access tokens to a client certificate. While it has been approved for use in FAPI 2.0 for open banking solutions, it is not particularly suitable for public clients such as native mobile applications.

RFC9421 – HTTP Message Signatures defines an application-level mechanism for signing portions of an HTTP message. Key establishment and sharing between the client and verifier are not defined by this specification, although this could be performed in a trust on first user manner during initial grant establishment in a similar manner to DPoP. There is no known public specification that maps the use of HTTP message signatures to the use case of sender-constrained bearer tokens in an OAuth client application. In the absence of such a public specification, widespread adoption for this use case is unlikely.

4.2.2 Advice

Sender-constrained tokens are a good idea, and, in some deployments, they are a regulatory requirement. For example, use of the FAPI profiles of OAuth is now mandated by many sovereign open banking initiatives. DPoP is a relatively simple way to achieve this requirement and is flexible enough to cover a wide range of application client types. That said, care must still be taken to adhere to the security considerations of DPoP. Pay close attention to section 11 of RFC9449, as well as apply other application security strategies for native or browser based single page applications as your scenario dictates. Remember that DPoP is focused solely on addressing the threats associated with token exfiltration, which include trading and use by malicious actors. It should be considered part of a defense-in-depth strategy for OAuth applications.

5. Conclusion

The intent of this paper is to inspire thinking around how different web security standards fit together and how those standards relate to the use of FIDO authentication for users. There are so many standards and standards bodies that it is often hard to understand which compete in the same space and which augment one another to form part of a comprehensive defense-in-depth strategy for identity fraud protection in online applications.

This paper tackled a specific, prevalent application security problem – the malicious trading and use of stolen cookies and access tokens. This paper also showed how technologies such as DBSC and DPoP mitigate the threats associated with token theft and how these technologies are complementary to FIDO authentication. Paired with FIDO, DBSC and DPoP provide greater overall identity fraud protection for your applications.

Community strategies and tools

cross-posted on the Amnesty UK blog

Community-driven change is more important than ever. Whether we are advocating for social justice, environmental sustainability, or political reform, collective action is how we create lasting impact. But how do we build a movement that starts with individual curiosity and grows into sustained activism? That’s where the Amnesty International UK (AIUK) community platform project comes in — a digital hub designed to empower individuals, support collaboration, and drive meaningful change.

This blog post outlines how the platform and community strategy work together to guide people from discovery of the AIUK community to becoming activists within it.

Image remixed from an original by Visual Thinkery for WAO 1. Discovery

The journey of community-driven change starts with discovery. This is the stage where individuals first come into contact with AIUK. Maybe they learn about an issue, identify it as important, and begin to consider how they might want to get involved. Or maybe they meet someone at a demonstration, and discover the community first-hand.

AIUK social media, through broadcasting, is just one tool that helps people discover Amnesty International UK. AIUK makes complex issues accessible and relatable. We want to do the same as AIUK highlights grassroots efforts and community initiatives.

We want to encourage posts that show:

Our dedicated community and highlight key grassroots initiatives and campaigns. Signposts to find local groups or events based on interests. Digital actions, such as petitions or downloading campaign guides, to help users take their first steps.

Such content ensures that even people who are new can find relevant AIUK communities and take the first steps toward engagement.

2. Intention to Engage

Once someone discovers a cause they care about, the next step is forming an intention to engage. This stage is all about commitment — moving from passive interest to active participation.

By showcasing community on the AIUK website, we both invite people in and celebrate what the community is achieving. We want to present clear pathways for involvement and help community members inspire others to take steps towards action.

We need to figure out processes that help:

Goal-setting: Encouraging community members to set personal milestones, like committing to attend 100 meetings. Sharing success: Telling success stories and finding testimonials that effectively attract new people while celebrating community achievements. Balancing information: Showcasing static information about past successes with dynamic, real-time updates on current campaigns from the community.

By making it easy for people to express their intent and take small but meaningful steps, we build confidence and lay the groundwork for deeper engagement.

3. Taking Action: Turning Intent into Impact

With intention comes action, and this is where real change begins. At this stage, people start to feel a sense of belonging and are ready to contribute to a cause they care about.

A knowledge base can help equip users with actionable tools. We’ll need clear resources and learning pathways that:

Guide people to the right information: Whether it’s organising a protest, writing letters to policymakers, or starting a local campaign, the knowledge hub can provide step-by-step guidance tailored to issues we work on. Help people collaborate: People should be able to connect with others who share their interests and work together on projects — whether virtually or in person. Best practices and community policies may also be at home in the knowledge hub. Show them into the community: Make sure that people feel supported and seen as they take action. Create an architecture of participation that brings them into the community platform.

This stage is about turning isolated actions into collective power, with the support of the community ensuring that every contribution counts.

4. Sustaining Action: Building Lasting Commitment

Sustained action is the key to creating lasting change. Too often, movements fizzle out after an initial burst of energy, but with a strong community strategy and integrated platform, we can keep momentum going.

To sustain engagement, the community platform needs to help people align with others in the AIUK movement. We need to think about:

Feedback loops: Regular check-ins with the community to understand their needs and ensure that we are adapting the community strategy and platform accordingly. A recognition ecosystem: Using digital badges and shoutouts for individuals or groups who demonstrate consistent commitment to help us make activism more visible. Storytelling opportunities: Sharing success stories and lessons learned will inspire others and keep motivation high.

By encouraging a sense of belonging and purpose, we ensure that members find reasons to continue building collective power for human rights.

5. Becoming an Activist: Empowering Future Leaders

The final stage is becoming an activist. At this point, individuals understand that community isn’t one person, but rather all of us. They begin to work on behalf of others, coordinate together and lift people up with their leadership.

These leaders will use other coordination tools and processes and that’s great! We want to empower the development of activist and leadership skills. We’ll need:

Decentralised coordination best practices: For members who are ready to take on larger roles, such as leading groups or campaigns. Mentorship programs: Connecting experienced activists with newcomers to share knowledge and build networks. Advocacy training: Workshops, webinars, and resources focused on effective communication, policy advocacy, and community organising.

Through these efforts, we can go beyond nurturing individual leaders to continue building a movement.

The Power of Community Work in Driving Change

The journey from discovery to becoming an activist is a process of gradual engagement and empowerment. There is a system of platforms, processes and content that help AIUK move people towards becoming an activist. Although we use various digital tools, the journey is an emotional and social one.

We are working hard to make sure the community platform project harnesses the collective strength of our community and makes a difference that lasts.

Building Power and Making Change was originally published in We Are Open Co-op on Medium, where people are continuing the conversation by highlighting and responding to this story.

Designation as ISO/IEC 20153 Solidifies CSAF's Global Role in Standardized Vulnerability Reporting

Boston, MA USA; 20 May 2025 — The Common Security Advisory Framework (CSAF) Version 2.0, an open standard developed by OASIS Open, has officially been approved for release by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Now designated as ‘ISO/IEC 20153,’ the framework was successfully balloted through the Joint Technical Committee on Information Technology (JTC 1), marking a significant step forward in global security advisory standardization.

“Congratulations to OASIS on the publication of ISO/IEC 20153,” said Philip Wennblom, Chair of ISO/IEC JTC 1. “OASIS has been a valued JTC 1 partner since 2004, and this milestone highlights the strength of our collaboration in addressing critical challenges, including in cybersecurity, and advancing standards that benefit consumers, industries, and governments worldwide.”

Developed by the OASIS CSAF Technical Committee (TC) through a collaborative, cross-industry effort, CSAF v2.0 provides a modern, machine-readable framework for enhancing vulnerability reporting and response. With support for the Vulnerability Exploitability Exchange (VEX) profile, CSAF v2.0 seamlessly integrates with Software Bill of Materials (SBOM) data, allowing organizations to efficiently assess vulnerabilities and take informed actions.

“Achieving ISO/IEC recognition for CSAF 2.0 is a tremendous milestone for the global cybersecurity community,” said Omar Santos, co-chair of the OASIS CSAF TC. “This international standardization will drive broader, more consistent adoption of machine-readable vulnerability disclosures and response processes—ultimately helping organizations around the world protect their assets more effectively and streamline their cybersecurity practices. Whether vulnerabilities emerge in legacy environments or in cutting-edge AI solutions, CSAF 2.0 provides a modern framework for effective vulnerability reporting in hardware and software. We look forward to continuing our work within the OASIS CSAF TC to ensure the standard remains at the forefront of global cybersecurity efforts.”

“CISA is pleased that CSAF 2.0 is now recognized as an ISO/IEC standard, a significant achievement in strengthening global cybersecurity resilience. We value our work and ongoing partnership with OASIS,” said Justin Murphy, CISA Vulnerability Disclosure Analyst and co-chair of the OASIS CSAF TC. “CSAF 2.0 enables organizations to respond more effectively to evolving cyber threats across complex environments including critical infrastructure. We encourage and look forward to broader, global adoption of machine-readable standards for vulnerability management efforts.”

CSAF v2.0 was ratified as an OASIS Open Standard in November 2022 and subsequently submitted by OASIS to the ISO/IEC JTC 1 Information Technology body. As ISO/IEC 20153, this International Standard will continue to be maintained and advanced by the OASIS CSAF Technical Committee, which includes representatives of Cisco, Cryptsoft, Cyware, Huawei, Microsoft, Oracle, Red Hat, and others. New members are welcome, and participation in the CSAF TC is open to all through membership in OASIS.

About ISO/IEC JTC 1
ISO-IEC Joint Technical Committee (JTC 1) is a consensus based, voluntary international standards group focusing on information technology (IT). Many hundreds of experts from over 100 countries, represent their nation’s national standards body or national standards committee to mutually develop beneficial guidelines that enhance global trade, while protecting intellectual property. As one of the largest and most prolific technical committees in the international standardization community, ISO/IEC JTC 1 has had direct responsibility for the development of more than 3,500 published ISO standards, with nearly 600 currently under development. Its work in standardization also encompasses 24 subcommittees that make a tremendous impact on the global ICT industry.

About OASIS Open
One of the most respected, nonprofit open source and open standards bodies in the world, OASIS advances the fair, transparent development of open source software and standards through the power of global collaboration and community. OASIS is the home for worldwide standards in AI, emergency management, identity, IoT, cybersecurity, blockchain, privacy, cryptography, cloud computing, urban mobility, and other content technologies. Many OASIS standards go on to be ratified by de jure bodies and referenced in international policies and government procurement.
www.oasis-open.org

Media Inquiries: communications@oasis-open.org

Support for CSAF  

Cyware:
“Cyware is committed to advancing security automation through the adoption of open, machine-readable standards like CSAF. Integrating CSAF into our threat intelligence and security orchestration platforms enables real-time ingestion, normalization, and automated dissemination of vulnerability advisories, enhancing our customers’ ability to rapidly correlate threat data and initiate timely response actions.”
– Avkash Kathiriya, Sr. VP, Research and Innovation, Cyware Labs

Microsoft:
“The designation of the Common Security Advisory Framework (CSAF) as an ISO/IEC 20153 standard marks a significant milestone for the global vulnerability management ecosystem. At Microsoft, we are proud to support this advancement by publishing advisories conforming to the CSAF specification and expanding its adoption across our security practices. CSAF enhances automation, improves interoperability, and accelerates vulnerability response—empowering organizations worldwide to better protect their ecosystems.”
– Bret Arsenault, Corporate Vice President and Chief Cybersecurity Advisor, Microsoft

Disclaimer: CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked or referenced within this press release. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

The post OASIS Common Security Advisory Framework v2.0 Approved as an ISO/IEC International Standard appeared first on OASIS Open.

First is Visa Intelligent Commerce, which will make intentcasting happen in a big way. It will also elevate the roles of Inrupt and the open-source  Solid Project.

Second is making individuals first parties in their agreements with companies. It’s been the other way around ever since industry won the industrial revolution. Still, in the digital world, which runs on the Internet’s peer-to-peer protocols, we can fix that with an upcoming IEEE standard called IEEE P7012, aka MyTerms.

Third is the First Person Project, or FPP  (website pending). With help on the buy side from Customer Commons and on the sell side by Ayra, we can finally replace “show your ID” with verifiable credentials presented on an as-needed basis by independent and self-sovereign individuals operating inside their own webs of trust.

Fourth is personal AI. This is AI that is as much yours as your shoes, your bike, and your PC. Personal, not personalized.

To explain how these will work together, start here:

Not long after The Intention Economy came out in May, 2012, Robert Thomson, Managing Editor of The Wall Street Journal, wanted the book’s opening chapter to serve as the cover essay for the Marketplace section of an upcoming issue. Harvard Business Review Press didn’t like that idea, so I wrote an original piece based on one idea in the book: that shoppers will soon be able to tell the market what they’re looking for, in safe, secure and anonymous ways—a kind of advertising in reverse that the book called “personal RFPs” and has since come to be called “intentcasting.” This became The Customer as a God: The image above was the whole cover of the Marketplace section on Monday,  July 23, 2012. The essay opened with these prophetic words: “It’s a Saturday morning in 2022…”

It is now a Friday morning in 2025, and that godly future for customers is still not here. Yes, we have more market power than in 2012, but we are digital serfs whose powers are limited to those granted by  Amazon, Apple, Facebook, Google, Microsoft, and other feudal overlords. This system is a free market only to the degree that you can choose your captor.  This has led to—

The IONBA (Internet Of Notning But Accounts) is based on a premise: that the best customers are captive ones. In this relic of the industrial age, customers are captive to every entity that requires logins and passwords. Customers also have no ways of their own to globally control what data is collected about them, or how. Or to limit how that data is used.  This is why our digital lives are infected by privacy-killing data-collection viruses living inside our computers, phones, TVs, and cars.

If you didn’t know about those last two, dig:

Consumer Reports says “All smart TVs—from Samsung, LG, you name it—collect personal data.” They also come with lame “privacy” controls, typically buried deep in a settings menu. (Good luck exhuming them. The ones in our TCL and Samsung TVs have all but disappeared.) Mozilla calls new cars “the Worst Product Category We Have Ever Reviewed for Privacy.” There is also nothing you can do to stop your car from reporting on everything your car does—and everything you do, including sexual ativity—to the carmaker, insurance companies, law enforcement, and who knows who else. This data goes out through your car’s cell phone, misleadingly called a telematics control unit. The antenna is hidden in the shark fin on your car’s roof or in an outside mirror.

Businesses are also starting to lose faith in surveillance, for at least eight reasons:

People hate it. They also fight it. By 2015 ad blocking and tracking protection were the biggest boycott in world history. It tarnishes brands. Ad fraud is a gigantic problem, and built into the system. It commits Chrysoogocide (killing golden geese, most notably publishers). Bonus link. Regulatory pressure against it is getting bigger all the time. Advertisers are finally remembering that brands are made by ads aimed at populations, while personalized ads are just digital junk mail. Customers are using AI tools for guidance toward a final purchase, bypassing marketing schemes to bias purchasing decisions along the way. For more on that, see Tom Fishburne’s cartoon, and Bain’s report about it.

So our four roads to The Intention Economy start with the final failings of the systems built to prevent it. Now let’s look at those roads.

Visa Intelligent Commerce

The press release is Find and Buy with AI: Visa Unveils New Era of Commerce. Less blah is Enabling AI agents to buy securely and seamlessly. Here’s the opening copy.

Imagine a future where an AI agent can shop and buy for you. AI commerce — commerce powered by an AI agent — is going to transform the way consumers around the world shop.

Introducing Visa Intelligent Commerce, an initiative that will empower AI agents to deliver personalized and secure shopping experiences for consumers – at scale.

From browsing and selection to purchase and post-purchase management, this program will equip AI agents to seamlessly manage key phases of the shopping process.

Visa CEO Ryan McInerney says a lot more in a 1:22 talk at Visa Product Drop 2025. The most relevant part starts about 26 minutes in, with a demo starting at about 31:30. Please watch it. Much of what you see there owes to Inrupt and Solid, which Sir Tim Berners-Lee says were inspired by The Intention Economy. For more about where Inrupt and Solid fit in Visa Intelligent Commerce, see Standards for Agentic Commerce: Visa’s Bold Move and What It Means: Visa’s investment in safe Intelligent Commerce points to a future of standards-forward personal AI, by John Bruce, Inrupt’s CEO. John briefed Joyce and me over Zoom the other day. Very encouraging, with lots to develop on and talk about.

More links:

A tweet appreciative of Inrupt by Visa’s @JackForestell Privacy for Agentic AI, by Bruce Schneier, Inrupt’s CISO (as well as the world’s leading security expert, and an old pal through Harvard’s Berkman Klein Center). Also from Bruce: What Magic Johnson and Bruce Schneier taught us at RSAC 2025 and RSAC 2025: The Pioneers of the Web Want to Give You Back Control of Your Data Visa announces AI Agent Payment APIs – and a pathway to Empowerment Tech, by Jamie Smith, who writes Customer Futures, the most VRooMy newsletter out there.

Some news being made about Visa Intelligent Commerce:

Visa partners with AI giants to streamline online shopping Visa Gives AI Shopping Agents ‘Intelligent Commerce’ Superpowers Visa launches ‘Intelligent Commerce’ platform, letting AI agents swipe your card—safely, it says How major payment companies could soon let AI spend your money for you Visa, Mastercard offer support for AI agents Visa wants to give artificial intelligence ‘agents’ your credit card Visa adds ‘unknown concept’ where AI makes purchases for you – but shoppers suspect more ‘sinister purpose’ Visa Unveils Intelligent Commerce to Power AI-Driven Payments

IEEE P7012 “MyTerms”

MyTerms, the most important standard in development today, will be a keystone service of Customer Commons, the nonprofit spinoff of ProjectVRM. It will do for contract what Creative Commons did for copyright: give individuals a new form of control. With MyTerms, agreements between customers and companies will be far more genuine mutual, and open to new forms of innovation not based on the kind of corporate control that typifies the IONBA. For example, it can open Visa Intelligent Commerce to conversations and relationships that go far past transaction. Take for example Market intelligence that flows both ways. While this has been thinkable for a decade or more (that last link is from 2016), it’s far more do-able when customers and companies have real relationships based on equal power and mutual interests. These are best framed up on agreements that start on the customer’s side, and give customers scale across all the companies with which they have genuine relationships.

First Person Project (FPP)

To me, FPP begins with the vision “Big Davy” Sallis came up with while he was working for VISA Europe in 2012, and read the The Intention Economy. At the time, he wanted Visa to make VRM a real category, but assumed that would take too long. So he decided to create a VRM startup called Qredo. Joyce and I consulted Qredo until  Davy died (far too young) in 2015. Qredo went into a different business, but a draft I created for Qredo’s original website survives, and it outlines much of what the  FPP will make possible. That effort is led by Drummond Reed, another friend and collaborator of Davy’s and a participant in ProjectVRM from the start. Drummond says the FPP is inspired by Why We Need First Person Technologies on the Net, a post published here in 2014. That post begins,

We need first person technologies for the same reason we need first person voices: because there are some things only a person can say and do.

Only a person can use the pronouns  “I,” “me,” “my” and “mine.” Likewise, only a person can use tools such as screwdrivers, eyeglasses and pencils. Those things are all first person technologies. They were invented for individual persons to use.

We use first person technologies the same unique ways we use our voices.

Among other things, the First Person Project will fix how identity works on the Internet. With FPI—First Person Identity—interactions with relying parties (the ones wanting “your ID”) don’t need your drivers license, passport, birth certificate, credit card, or account information. You just give them what’s required, on an as-needed basis, in the form of verifiable credentials. The credentials you provide can verify that you are a citizen of a country, licensed to drive, have a ticket to a game, or whatever. In other words, they do what Kim Cameron outlined in his Laws of Identity: disclose minimum information for constrained uses (Law 2) to justifiable parties (Law 3) under your control and consent (Law 1). The credential you present is called a DID: a Decentralized Identifier. No account is required.

Trust in FPI also expands from individual to community. Here is how Phil Windley explains it in Establishing First Person Digital Trust:

When Alice and Bob met at IIW, they didn’t rely on a platform to create their connection. They didn’t upload keys to a server or wait for some central authority to vouch for them. They exchanged DIDs, authenticated each other directly, and established a secure, private communication channel.

That moment wasn’t just a technical handshake—it was a statement of first-person identity. Alice told Bob, “This is who I am, on my terms.” Bob responded in kind. And when they each issued a verifiable relationship credential, they gave that relationship form: a mutual, portable, cryptographically signed artifact of trust. This is the essence of first-person identity—not something granted by an institution, but something expressed and constructed in the context of relationships. It’s identity as narrative, not authority; as connection, not classification.

And because these credentials are issued peer-to-peer, scoped to real interactions, and managed by personal agents, they resist commodification and exploitation. They are not profile pages or social graphs owned by a company to be monetized. They are artifacts of human connection, held and controlled by the people who made them. In this world, Alice and Bob aren’t just users—they’re participants.

This also expands outward into community, and webs of trust. You get personal agency plus community agency.

The FPP covers a lot more ground than identity alone, but that’s where it starts. Also, Customer Commons is a funding source for the FPP, and I’m involved there as well.

Personal AI

Reza Rassool was also inspired by The Intention Economy when he started Kwaai.ai, a nonprofit community developing open-source personal AI. I now serve Kwaai as its volunteer Chief Intention Officer.

Let’s look at what personal AI will do for this woman:

Looks great, but we’re stuck in IONBA, she has little control over her personal data in all those spaces. For example,

She doesn’t have the digital version of what George Carlin called “a place for my stuff.” (Watch that video. It’s brilliant—and correct.) She has few records of where she’s been, who she’s been with and when—even though apps on her phone know that stuff and are keeping it inside the records of her giant overlords and/or selling it to parties unknown, with no way yet for getting it back for her own use. Her finances are possibly organized, but scattered between the folders she keeps for taxes, plus the ones that live with banks, brokers, and other entities she hardly thinks about. It would be mighty handy to have a place of her own where she could easily see all her obligations, recurring payments, subscriptions, and other stuff her counterparties would rather she not know completely. Her schedules are in Apple, Google, and/or Microsoft calendars, which are well app’d and searchable, but not integrated. She has no digital calendar that is independent and truly her own. Her business and personal relationship records are scattered across her contact apps, her Linkedin page, and piles of notes and business cards. She has no place or way of her own to manage all of them. Her health care records (at least here in the U.S.) are a total mess. Some of them ares inside the MyCharts and patient portals provided by separate (and mostly unconnected) health care specialists and medical systems. Some of it is in piles of printouts she has accumulated (if she’s kept them) from all the different providers she has seen. Some of it is in fitness and wellness apps, all with exclusive ways of dealing with users. None of it is in a unified and coherent form.

So the challenge for personal AI is pulling all that data out of all her accounts, and putting it into forms that give her full agency, with the help of her personal AIs.  Personalized AIs from giants can’t do that. We need our own personal AIs.

Four roads, one destination: a world where free customers prove more valuable than captive ones. Let’s make it happen.

The UK government has said it will roll out passkey technology across its digital services later in 2025, aiming to phase out SMS-based verification in favour of a more secure, user-friendly alternative.

Passkeys are unique digital credentials tied to a user’s personal device and offer a way to authenticate identity without the need for traditional passwords or one-time text codes.

Passkeys never leave the device and so cannot be reused across websites, which makes them resistant to phishing and other common attacks.

DIF members showcased their vision at this year's European Identity and Cloud Conference (EIC 2025), bringing together experts who are defining the future of human-centric digital identity. As AI capabilities accelerate, DIF members are tackling both the architectural foundations and philosophical implications of self-sovereign identity, and EIC provided an excellent forum to share how they are solving digital identity's most complex challenges.

The Philosophy Behind Standards: Values in Digital Identity

Markus Sabadello, CEO of Danube Tech and DIF Steering Committee member, delivered a compelling talk examining the philosophical underpinnings of digital identity standards. His presentation, "The Worldviews behind Digital Identity Standards," argued that technical choices in standards like OID4VC, DIDComm, SD-JWT-VC, and the W3C verifiable credential data model reflect deeper philosophical trajectories variously aligned with European values like Liberty, Equality, and Fraternity.

Markus Sabadello presents "The Worldviews behind Digital Identity Standards"

Sabadello illustrated how technologies like DIDComm prioritize fraternity through peer-to-peer connections, while JSON-LD enables innovation and liberty through permissionless semantic flexibility and self-publishing. As the industry standardizes wallets and verifiable credentials, he emphasized that these standards should be evaluated not only on technical merits but also on how they impact human values like sovereignty and equitable participation.

The talk concluded with an important reminder that technology is never value-neutral, highlighting the need to align digital identity standards with humanistic values while avoiding the pitfalls of fragmentation from competing, politically and commercially driven standards.

AI and Identity: A New Frontier

Another highlight of the conference was the Verifiable AI talk and panel series. In his talk "Private Personal AI and Verified Identity for AI Agents", Alastair Johnson (CEO of Nuggets) explored the challenges of implementing truly private personal AI that protects user sovereignty while creating verifiable identities for AI agents. Johnson explored how privacy-preserving technologies and self-sovereign identity frameworks can enable secure AI agent operations while maintaining individual control over personal data.

Alastair Johnson presents "Private Personal AI and Verified Identity for AI Agents"

The subsequent panel, "Verifiable AI: The New Frontier" was moderated by Ankur Banerjee, CTO of Cheqd and DIF TSC Co-chair. The panel brought together Matthew Berzinski (Ping Identity), Sebastian Rodriguez (Advisor to Privado.ID), and Alastair Johnson to explore the intersection of AI and digital identity.

The panel addressed critical questions about how private personal AI agents can securely interact with identity systems, approaches to verifying AI agent identities, and frameworks for establishing trust in AI-human interactions.

As Ankur described in his following LinkedIn post, key takeaways included:

The need for both decentralized and centralized/hybrid approaches for different scenarios, including "AI employees" like the Devin software engineering assistant The challenge of allowing "good bots" into systems designed to keep malicious automation out The emerging consensus that AI agents will need their own wallets (or at least high-stakes delegation capabilities to and from wallets, or operate inside of wallets), and what kind of unique identifiers can power these interfaces The vulnerability of AI agents to bribing, threats, and "social" engineering attacks despite (or due to their primarily) rule-based constraints The agentic "Ship of Theseus" problem: at what point is an AI agent sufficiently changed that it invalidates prior attestations? The Personhood Challenge: Humans in a World of AI

Another significant focus at the conference was the development of personhood credentials as a defense against AI-generated deepfakes. Drummond Reed, Director of Trust Services at Gen Digital, presented "First-Person Credentials: A Case Study," discussing a collaborative effort between the Ayra Association, Customer Commons, Trust Over IP, and DIF to create a people-powered, privacy-preserving proof of personhood.

Personhood Credentials Why is proof of personhood so hot? Because it sits at the intersection of AI and decentralized identity. The threat of generative AI deep fakes has accelerated the search for a sustainable… KuppingerCole

This work built on a 2024 paper titled "Personhood Credentials," which proposed using a decentralized architecture based on verifiable credentials and zero-knowledge proofs. Reed's presentation covered design goals, trust models, user experience considerations, and go-to-market strategies for this emerging approach.

Personhood Credentials: From Theory to Practice

The subsequent panel, "Personhood Credentials: From Theory to Practice," brought together Ankur Banerjee, Drummond Reed, Steven McCown (Chief Architect of Anonyome Labs), and Sebastian Rodriguez to examine real-world implementations and practical challenges in creating personhood credentials. The panel explored how technologies like zero-knowledge proofs and selective disclosure can preserve individual privacy while meeting legitimate verification requirements.

PANEL: Personhood Credentials: From Theory to Practice This panel features experts examining real-world implementations, emerging standards, and practical challenges in digital identity. They will explore how technologies such as zero-knowledge proofs… KuppingerCole Technical Innovations in Identity Infrastructure

The conference also featured several technical presentations on practical implementations of verifiable credentials and digital identity wallets:

Richard Esplin, Head of Product at Dock, presented "Biometrics and Verifiable Credentials: Balancing Security and Privacy," addressing the challenges biometric providers face as regulations become stricter. Esplin shared best practices for integrating biometrics with verifiable credentials without undermining privacy and flexibility.

Biometrics and Verifiable Credentials: Balancing Security and Privacy [Intermediate] Biometric providers are facing new challenges as regulations governing biometric data become stricter and organizations try to extend their biometric enabled business processes across ecosystems… KuppingerCole

Dr. Paul Ashley, CTO of Anonyome Labs, discussed the implementation of Hardware Security Modules (HSMs) in digital identity wallets in his talk "Digital Identity Wallet Utilizing a Hardware Security Module." The presentation explored how digital identity wallets can be enhanced through HSM integration to fulfill the requirements of the EU Digital Identity Wallet framework, with analysis of each credential standard's compatibility with various HSMs' cryptographic capabilities.

Dr. Paul Ashley presenting "Digital Identity Wallet Utilizing a Hardware Security Module" Looking Forward

The DIF community remains the leading forum for innovation in decentralized identity standards and implementations. The frameworks, protocols, and approaches discussed at the conference provide a clear architectural roadmap for solutions that protect individual autonomy while enabling secure, verified interactions between humans and AI systems. Through continued collaboration across our working groups, DIF remains committed to developing open standards that address both current and emerging identity challenges.

To learn more about these topics or to get involved with the Decentralized Identity Foundation's work, visit DIF's website.

ISL began its life as the Me2B Alliance, striving to create standards to enable greater power symmetry in the digitally facilitated relationship between consumers (“Me-s”) and the companies whose technology they use (“B-s”). We called this the M2B relationship. For mobile apps, all too often it’s a case of “Me2 Who Knows?!” People have a right to know who’s legally responsible for the apps they use, and it is anything but clear in mobile app stores today. App stores are failing to make clear the legal entity who is responsible for apps. ISL has filed responsible disclosures with Apple starting in late 2024 but our repeated attempts have been dismissed.

Anatomy of Responsible Party Info in the App Stores

Both Google and Apple allow for two kinds of developer accounts: individual and organization. The creation of either type of account requires identity validation, but it’s a lower bar for individuals than for organizations. Individuals must provide a government issued ID credential before being allowed to open a developer account. This validates the individual’s name and address. Organizations, however, must provide a DUNS number to validate the legal existence of the organization. 12

▶ Problem 1: How effective is this level of identification authentication? ISL recently found an app developer with 15 apps in the Google Play store with no verifiable legal existence whatsoever. Thus, the process is imperfect at best.

In both stores, the “Account Holder” (to use Apple’s language) is the individual/entity who is in a legal relationship with the app store [owner].

Figures 1a and 1b show two parts of an Apple App store listing. Note that the name in blue under the app name appears to be the Account Holder (Figure 1a). Note that the Information section of the app listing shows five other places where we expect to see the same Account Holder name and websites.

Figure 1a: Apple App Store Example – App Header

 

Figure 1b: Apple App Store Example – App Information

Figures 2a and 2b show a similar annotated view of the Google Play Store app listing. Between Figures 2a and 2b, there are six instances where the Account Holder name appears.

Figure 2a: Google Play Store Example – Part 1

 

Figure 2b: Google Play Store Example – Part 2

This all seems fine. What we see in practice, though, is that the various links and names presented in the app store listing that should be definitively showing the name of the legally party responsible for the app often have inconsistencies. Which brings us to additional problems.

▶ Problem 2: Account Holders can create additional user accounts within their account, including users with permissions to submit/delete apps.3 There’s seemingly no governance over this capability, left strictly in the hands of the Account Holder.

▶ Problem 3: The app store app listing doesn’t indicate if the developer of the app is an individual or a company. This information matters. People deserve to know if they’re using an app developed by an individual developer, or by a company. No matter what, so long as apps are collecting personal information, people have an unconditioned right to know who gets their data and what they’re doing with it.

▶ Problem 4: The Apple app store doesn’t disclose the location of the responsible app developer but the Google Play store does.4 The great thing about app ecosystems is that they foster worldwide participants. The problem is that the responsible developer can be oceans away from consumers, making it difficult or impossible to hold the developer accountable if there are issues.

▶ Problem 5: Apps have broken developer links. It’s wildly confusing when the name in blue or green font under the app name is different from the name that appears when you click on the developer link. Imagine if you went to a grocery store and there was a loaf of bread with no brand or company information. You wouldn’t want to eat that. When you click on the Developer Website link for the app shown in Figure 1b you find yourself not only not at a site that says Kepler47, you find a non-functional page for audiojoy.com (Figure 3).

Figure 3 Developer website URL for 12 Step AA NA Daily Meditation from the Apple App Store: https://audiojoy.com/cgi-sys/suspendedpage.cgi

▶ Problem 6: The Account Holder name from the listing header doesn’t match the name in the privacy policy OR in the App Support link. Figures 4a and 4b illustrate a case where the listed developer in the listing header is Will Aitchison (Figure 4a), but the privacy policy fails to indicate a legally responsible data controller entirely (Figure 4b).

 

Figure 4a: Account Holder name

 

Figure 4b: Privacy policy link for app by Will Aitchison: https://www.firststeporegon.org/docs/PrivacyPolicy_25-05-2018.pdf

 

Figure 4c: Privacy Policy from “Developer’s Website”

Note that there’s another layer of confusion for the First Step Oregon app, namely, the privacy policy found on the App Support page differs from the privacy policy linked in the app store (Figure 4c). This case is a case where the app developer was likely an individual affiliated with the organization who wrote and submitted the app on behalf of the company. Still, it leaves a question for users: who is responsible? Who does the user contact in the case of issues?

The Boggle: Arcade Edition app in the Apple store shows a similar situation. The Account Holder appears to be Zynga Inc. from the app store listing header (Figure 5a). But when you click on the App Support link you see the Take-Two Terms of Service (Figure 5.b). Similarly, the linked privacy policy is also Take-Two’s. Finally, this app includes a copyright showing Zynga Inc. in the information section (Figure 5c). In this instance, the original Account Holder (Zynga Inc.) was acquired by another company (Take-Two). Zynga appears to be a wholly owned subsidiary of Take-Two based on its California business registration status, but the “hybrid” information in the app store is confusing.

Figure 5a: Boggle App store listing header – Account Holder: Zynga Inc.

 

Figure 5b: Boggle App Support Link

 

Figure 5c: Boggle App store listing – Information Section

Interestingly, not all Zynga games in the app store show Take-Two info at the App Support link. Figure 6b shows the App Support link for FreeCell, another Zynga game.

Figure 6a: FreeCell App store listing header

 

Figure 6b: FreeCell App Support link

▶ Problem 7: App Information shows two different names. Figures 7a and 7b show elements of the Apple app store listing for the app, Count Money and Coins – Photo Touch Game. In the Information section of the app store listing, Innovative Investments Limited is shown as the Seller, but Grasshopper Apps is the copyright registrant.

Figure 7a: Count Money and Coins App store listing header

 

Figure 7b: Count Money and Coins app – Information section

▶ Problem 8: App store listings with broken privacy policy links. It’s relatively easy to find apps in the app stores whose privacy links are simply broken, non-functional. This is what we found with most of the Innovative Investments Limited apps (Figure 7c).

Figure 7c: http://www.grasshopperapps.com/privacy-policy

Conclusions

NONE of this should be happening today. App stores receive 30% of all app revenues and thus have ample resources to programmatically monitor these situations. Consumers should never have to conduct forensic research in order to figure out who they’re entering into a business relationship with. Here’s a recap of what the app store owners should do:

Make it crystal clear on your label who the legal entity responsible for the app is (I’ll call this “responsible developer”). Make sure ALL instances in and related to the app store listing consistently show the same responsible developer name. Make sure there is valid, working contact information for the responsible developer. Indicate if the developer is an individual or an organization.
a. Ideally, we’d like to know the organization type, as this effects their legal obligations. For instance, for-profit vs. non-profit vs. government entities.
b. It’s also important to indicate coarse location information of the developer—i.e. city, state and country. Make sure privacy policy links are functional all the time.

Here are Recommendations for app consumers:

If there isn’t a privacy policy, don’t install the app. If there are no privacy details provided in the Apple store, don’t install the app. If there’s no developer contact information provided, don’t install the app. Contact us if you find these or other problems with app store entries. Final Thoughts

We are well past the point of understanding the risks of these things, yet we see no systemic changes under development on the part of Apple and Google to put safety measures in place. Perhaps shining this light on some of the issues can help spur action.

Footnotes: https://support.google.com/googleplay/android-developer/answer/13628312?sjid=9574226792909682372-NC https://developer.apple.com/programs/enroll/ Summary of roles and permissions for Apple developer accounts: https://developer.apple.com/help/account/access/roles/ Location of the developer was met with some warranted and some dubious pushback from Android developers as shown on this Reddit thread https://www.reddit.com/r/androiddev/comments/17w3pgz/google_started_displaying_full_legal_name_and/?rdt=50889 . Mandatory disclosure of an individual developer’s location presents some risks. That said, the developer is capable of getting every user’s location information so it seems a reasonable requirement.

The post Me2B or Me2Who Knows: App Stores Fail to Provide Clear Legally Responsible Party appeared first on Internet Safety Labs.

We’re excited to introduce CATio Spaces, a new way for civil society organizations to connect with our team and talk about cybersecurity in a low pressure, friendly environment.

The post Introducing CATio Spaces: A Learning Space to Talk Cybersecurity appeared first on The Engine Room.

A decentralized repository for secure, scalable genomic data sharing & AI-driven personalized healthcare insights — powered by OriginTrail Decentralized Knowledge Graph (DKG).

OriginTrail powers the future of ethical AI in healthcare with ELSA

We’re excited to announce that OriginTrail is joining forces with the ELSA (European Lighthouse on Secure and Safe AI) initiative to shape the future of decentralized, privacy-preserving artificial intelligence (AI) in healthcare. Digital healthcare today faces three pressing challenges: safeguarding patient privacy, bridging fragmented data silos for seamless interoperability, and meeting strict regulatory requirements without stifling innovation.

At the heart of this collaboration lies a DeReGenAI — a decentralized repository for secure, scalable genomic data sharing and AI-driven personalized healthcare, powered by the OriginTrail Decentralized Knowledge Graph (DKG). This initiative tackles the most pressing challenges in digital health: enabling secure, compliant, and user-sovereign sharing of sensitive genomic data while unlocking the full potential of AI-driven personalized healthcare.

Trustworthy AI needs trustworthy infrastructure

AI is transforming healthcare — but for it to do so responsibly, it must be built on a foundation of trust, transparency, and ethics. That’s exactly what OriginTrail brings to the table within the ELSA consortium: an open-source, decentralized infrastructure that ensures data privacy, ownership, and interoperability at scale.

By integrating OriginTrail DKG, DeReGenAI becomes a decentralized repository that puts patients in control of their most personal asset — their genomic data. This enables:

User-managed permissions: Patients decide who can access their data, when, and for what purpose. Privacy-preserving monetization: Individuals can opt to share their data with research institutions or health providers on their own terms. AI-ready interoperability: Seamless interaction with AI systems while maintaining the integrity and provenance of the data.

At its core, the OriginTrail DKG act as a knowledge graph of knowledge graphs — a globally distributed network where each participant maintains control over their own knowledge node. These nodes interact in a fully decentralized manner, eliminating the risks of centralized data silos and single points of failure.

Here’s why this matters:

Global scale: Access data from diverse sources without compromising security. Privacy-first architecture: Data sovereignty is seamlessly integrated into the infrastructure. Compliance-ready: Designed with GDPR and other regulatory frameworks in mind. Interoperable: Built for seamless integration with AI technologies and healthcare systems. How does DeReGenAI work?

To power the next generation of personalized healthcare, DeReGenAI employs decentralized Retrieval-Augmented Generation (dRAG) — an evolution of how Large Language Models (LLMs) interact with external data.

Instead of querying a centralized source, the LLMs in DeReGenAI leverage the OriginTrail DKG to retrieve verified, decentralized knowledge. This unlocks:

More accurate AI insights, Context-aware healthcare recommendations, Trustworthy and verifiable AI behavior.

The ELSA initiative brings together top-tier European academic, industrial, and technology partners, such as University of Oxford, The Alan Turing Institute, NVIDIA, and others, to build a future where AI is both effective and ethical. As part of the ELSA initiative, OriginTrail is used to build a trusted data ecosystem for the AI age — one where people, not platforms, control their data, and where innovation never comes at the cost of ethics.

We’re proud to be driving this change, and even prouder to be doing it alongside an incredible group of partners.

Learn how OriginTrail is powering the shift to human-centric AI at https://origintrail.io/.

Trust the source.

OriginTrail powers the future of ethical AI in healthcare with ELSA was originally published in OriginTrail on Medium, where people are continuing the conversation by highlighting and responding to this story.

The OpenID Connect Working Group recommends approval of the following specification as an OpenID Implementer’s Draft:

OpenID Connect Relying Party Metadata Choices 1.0

This would be the first Implementer’s Draft of this specification.

An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification. This note starts the 45-day public review period for the specification draft in accordance with the OpenID Foundation IPR policies and procedures. Unless issues are identified during the review that the working group believes must be addressed by revising the draft, this review period will be followed by a seven-day voting period during which OpenID Foundation members will vote on whether to approve this draft as an OpenID Implementer’s Draft. For the convenience of members who have completed their reviews by then, voting will actually begin a week before the start of the official voting period.

The relevant dates are:

Implementer’s Draft public review period: Tuesday, May 13, 2025 to Friday, June 27, 2025 (45 days) Implementer’s Draft vote announcement: Saturday, June 14, 2025 Implementer’s Draft early voting opens: Saturday, June 21, 2025* Implementer’s Draft official voting period: Saturday, June 28, 2025 to Saturday, July 5, 2025 (7 days)*

* Note: Early voting before the start of the formal voting period will be allowed.

The OpenID Connect working group page is https://openid.net/wg/connect/. Information on joining the OpenID Foundation can be found at https://openid.net/foundation/members/registration. If you’re not a current OpenID Foundation member, please consider joining to participate in the approval vote.

You can send feedback on the specification in a way that enables the working group to act upon it by (1) signing the contribution agreement at https://openid.net/intellectual-property/ to join the working group (please specify that you are joining the “AB/Connect” working group on your contribution agreement), (2) joining the working group mailing list at https://lists.openid.net/mailman/listinfo/openid-specs-ab, and (3) sending your feedback to the list.

Marie Jordan – OpenID Foundation Board Secretary

 

About The OpenID Foundation (OIDF)

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.

The post Public Review Period for Proposed Implementer’s Draft of OpenID Connect Relying Party Metadata Choices first appeared on OpenID Foundation.

Current Landscape

The public safety sector is undergoing rapid digital transformation, embracing new technologies to enhance emergency response, law enforcement, and disaster management. However, this shift also brings challenges such as data security risks, privacy concerns, and the need for reliable information verification in critical situations.

When DIACC was established in 2012, its goal of creating a secure digital ecosystem extended to all sectors, including public safety. As a trusted authority in digital identity and authentication, DIACC’s mission is more crucial than ever as public safety agencies increasingly rely on digital systems and data sharing to protect communities.

By prioritizing digital trust, Canada can strengthen its public safety infrastructure, improve emergency response times, and enhance collaboration between various agencies. Interoperable frameworks, such as the DIACC Pan-Canadian Trust Framework (PCTF), ensure that public safety systems remain secure, adaptable, and trusted.

Advancing Digital Trust in Public Safety 1. Enhancing Emergency Response and Coordination

Implementing robust digital trust solutions can significantly improve emergency response by:

Enabling secure, real-time data sharing between agencies Verifying the authenticity of emergency communications Facilitating rapid and accurate identification of individuals in crises 2. Leveraging the DIACC PCTF for Public Safety

DIACC encourages public safety agencies to adopt the PCTF as a tool to:

Implement secure identity verification for first responders and emergency personnel Enhance the integrity of emergency alert systems Improve interagency collaboration through trusted data exchange 3. Addressing Privacy Concerns in Surveillance and Data Collection

To balance public safety needs with individual privacy rights, DIACCweDIACC recommendss:

Implementing transparent data collection and usage policies Adopting privacy-preserving technologies in surveillance systems Ensuring proper authentication and authorization for access to sensitive data 4. Combating Misinformation in Crisis Situations

Digital trust frameworks can help public safety agencies:

Verify the authenticity of information during emergencies Establish trusted channels for disseminating critical updates Collaborate with social media platforms to combat the spread of false information 5. Enhancing Cybersecurity in Critical Infrastructure

Public safety agencies can use digital trust solutions to:

Secure communication networks used in emergency response Protect critical infrastructure from cyber threats Implement robust identity and access management systems for sensitive facilities Best Practices and the Way Forward 1. Adopt Emerging Technologies

Public safety agencies should leverage technologies like Artificial Intelligence (AI) and Distributed Ledger Technologies (DLT) to enhance their digital trust capabilities and improve emergency response. AI can be used for real-time data analysis and decision-making, while DLT can ensure the integrity and immutability of critical information.

2. Foster Cross-Sector Collaboration

DIACC encourages collaboration between public safety agencies, technology providers, and other stakeholders to develop standardized digital trust practices.

3. Educate and Train

DIACC is committed to educating public safety personnel and the public about digital trust through:

Specialized training programs for emergency responders Public awareness campaigns on the importance of verified information during crises Advocacy for regulations that support the implementation of digital trust solutions in public safety Conclusion

The public safety sector urgently needs robust digital trust solutions to protect Canadians and Canadians and communities in an increasingly digital world. By adopting frameworks like the PCTF, public safety agencies can enhance their operational efficiency, build public trust, and improve their ability to respond to emergencies, providing a reassuring path forward.

Together, as public safety agency leaders, policymakers, and stakeholders in emergency management, we can create a public safety ecosystem that leverages digital trust to protect citizens, respects their privacy, and solidifies Canada’s position as a secure and effective leader in emergency management.

Download the paper here.

DIACC-Position-Advancing-Digital-Trust-to-Strengthen-Public-Safety_ENG

Play Video

Watch full recording on YouTube.

Status: Verified by Presenter

Please note that ToIP used Google NotebookLM to generate the following content, which the presenter has verified.

Google NotebookLM Podcast

https://trustoverip.org/wp-content/uploads/2025-05-01-Agri-food-Data-Canada-Carly-Huitema-1.wav Summary

This briefing document summarizes a presentation about Agri-food Data Canada’s Semantic Engine, a suite of tools designed to enhance research data management in the agri-food sector by making data Findable, Accessible, Interoperable, and Reusable (FAIR). A central focus is the use of machine-readable data schemas authored with the Overlays Capture Architecture (OCA) standard, which is highlighted for its use of derived identifiers (digests) over traditional assigned identifiers for improved reproducibility and authenticity. The document also details the Semantic Engine’s practical tools and ongoing efforts to integrate these standards into existing research infrastructure, addressing challenges like data context and decentralized ecosystems.

Briefing Document: Agri-food Data Canada and the Semantic Engine

Date: May 1, 2025

Subject: Review of Agri-food Data Canada (ADC) project and its Semantic Engine, with discussion on data schemas, identifiers, and integration into research infrastructure.

Sources:

Excerpts from “2025.05.01-ToIP_EGWG.pdf” (Slides) Excerpts from “GMT20250501-145814_Recording.transcript.txt” (Transcript) Excerpts from “GMT20250501-145814_Recording_1920x1080.mp4” (Video – used for verification of content and speakers) Excerpts from “GMT20250501-145814_RecordingnewChat.txt” (Chat Log)

Attendees/Speakers: Carly Huitema (University of Guelph, ADC), Michelle Edwards (ADC, mentioned), Eric Drury (Forth Consulting), Scott Perry (Digital Governance Institute), Neil Thomson (QueryVision), Steven Milstein (Collab.Ventures), Donald Sheppard.

Overview

This briefing summarizes a presentation by Carly Huitema from Agri-food Data Canada (ADC) to the Trust over IP (ToIP) Ecosystem and Governance Working Group. The presentation focuses on ADC’s efforts to improve research data management in the agri-food sector, specifically through the development of the “Semantic Engine” suite of tools. A central theme is the importance of “FAIR” data (Findable, Accessible, Interoperable, Reusable) and how machine-readable data schemas, particularly using the Overlays Capture Architecture (OCA) standard, contribute to achieving this goal. The discussion also highlights the advantages of derived identifiers (digests) over assigned identifiers for reproducibility, authenticity, and decentralization, and ADC’s ongoing work to integrate their tools and schemas into existing research infrastructure.

Key Themes and Important Ideas Improving Research Data Management in a Decentralized Ecosystem: The research data ecosystem is described as highly decentralized with independent research groups. While guided by best practices, mandates for standardized approaches are often slow to adopt. Incentives can be conflicting, particularly the “publish or perish” culture versus the time needed for thorough data documentation. Long-term planning (e.g., 50-year repository funding) is a crucial consideration. ADC, a project at the University of Guelph funded by multiple Canadian sources (CFREF, Genome Canada, UoG, OMAFA, Compute Ontario, etc.), aims to address these challenges by working directly with researchers. Making Agri-food Data FAIR: A core objective of ADC is to make agri-food data FAIR: Findable: Ability to identify and locate data resources and their context. Accessible: Ability to access (with permission) and use data once found, often requiring open protocols. Interoperable: Using standards for data to ensure compatibility, including standard vocabularies. Reusable: Data with sufficient context (licenses, provenance, descriptions) can be reused by others for replication or new research. Carly Huitema states: “Findable is the ability to identify and find resources as well as their context. If it’s accessible that once found you can access it with permission and use it interoperable. Certainly lots of our work at Trust Over IP is about how to ensure interoperability of standards including vocabularies and reusable that that there are licenses and provenance and other things that help make this data reusable.” Data Requires Context: Data alone is insufficient; it needs context to be useful. This context includes details like sample source, analysis methods, data schemas, catalogue information, data licenses, data governance agreements, associated publications, methodologies, scripts, and contributors. The Semantic Engine: ADC is developing the Semantic Engine, a suite of tools designed to help researchers create “rich contextual and machine-readable data schemas.” The Semantic Engine aims to make the process of documenting data less daunting for researchers. It functions as a self-teaching web app, providing guidance and tutorials. The engine uses the Overlays Capture Architecture (OCA) standard for writing schemas. Data Schemas and Overlays Capture Architecture (OCA): A data schema describes the attributes of a dataset (e.g., columns in a table) and provides detailed information about them (type, units, description, format, etc.). OCA is highlighted as an international and open standard for documenting schemas, developed by the Human Colossus Foundation. Two key advantages of OCA: Embeds Digests: OCA schemas can embed derived identifiers (digests/fingerprints) for the schema itself and for its constituent parts. This is crucial for reproducibility and authenticity of digital artifacts. Organized by Features: OCA structures schemas by features (e.g., all descriptions, all units) rather than attribute by attribute (e.g., JSON-LD, XML Schema). This organization offers advantages: Task-based Governance: Allows for governance at the feature level (e.g., assigning responsibility for translation features). Optimized for Feature Management: Facilitates adding or removing features (like languages or units) without altering the identifiers of other features. Mix-and-Match: Enables easier combination and reuse of different schema components. ADC has developed an “OCA Package” which wraps the core OCA standard with extensions for community-specific features and developing standards, allowing for gradual migration of these features to the core standard as they become accepted. Assigned vs. Derived Identifiers: Assigned Identifiers (Names): Created by a governance body, linked to an object via a lookup table. Resolution requires trusting the authoritative governance body and their lookup table. “If you find an object, you cannot figure out the identifier – you must go to the authoritative body and look it up in their table.” Resolution services can only be hosted or delegated by the governance body. Derived Identifiers (Digests/Fingerprints): Calculated directly from a digital object using a hashing function. They are unique fingerprints for a specific version of the object. Key for reproducibility and authenticity: “You can identify the resource originally used. You can verify the resource is the same one that was originally used.” Anyone can calculate a derived identifier, build a resolution service, and verify the resolution service is pointing to the correct object. Derived identifiers enable objects to be hosted in multiple locations. Carly Huitema humorously quotes, “If you liked it, then you should have put a digest on it.” Derived identifiers are excellent for snapshots but do not handle dynamic content or versioning directly. Versioning requires a governing authority or a decentralized identifier (DID) system where subsequent versions are linked and controlled. Tools Provided by the Semantic Engine: Schema Authoring Web App: Guides researchers through creating machine-readable schemas. Data Entry Excel Generator: Creates an Excel spreadsheet with headers and schema descriptions based on the authored schema, helping standardize data collection. Includes the schema’s derived identifier. Data Entry on the Web / Data Verification Engine: A tool to verify data sets against the rules defined in a schema. Allows researchers to quickly check for inconsistencies before combining data from multiple sources. Integration into Research Infrastructure: ADC is working to integrate their schemas and tools into existing Canadian and international research infrastructure. Schemas can be deposited into long-term research data repositories (e.g., Borealis in Canada), often receiving assigned identifiers like DOIs. These schemas, with their embedded derived identifiers, can then be found through federated search engines that index multiple repositories (e.g., Lunaris in Canada, OpenAIRE in Europe). This allows researchers to publish papers referencing schemas by their identifiers, enabling others to find and verify the schema used. Addressing IP and Sensitive Data: The Semantic Engine itself does not store user data or schemas, reducing IP concerns related to the platform. Schemas are generally less sensitive than the actual data, allowing them to be more openly shared. This enables discovery of datasets and potential collaborations without exposing proprietary information. Schemas can include flags for sensitive data attributes (e.g., farm location). While ADC’s tools don’t currently enforce access controls based on these flags, this information in the machine-readable schema can be used by internal pipelines or other systems to manage sensitive data appropriately (e.g., triggering anonymization). Future Directions: ADC plans to continue integrating with research infrastructure, add digests as identifiers to more objects, and develop tools for other machine-readable standards (e.g., cataloging metadata, policy rules). They also aim to increase the number of features supported in the schema description process (e.g., range rules, ontology framing). Key Takeaways for ToIP The FAIR data principles are highly relevant to decentralized ecosystems and align well with ToIP goals. Derived identifiers (digests) offer significant advantages for reproducibility, authenticity, and decentralized resolution, making them a powerful tool for digital objects within a trust framework. The architecture of data schemas (feature-by-feature vs. attribute-by-attribute) has implications for governance, versioning, and the application of derived identifiers to schema components. Integrating decentralized identity and verifiable credentials concepts (like OCA) into existing research infrastructure can enhance discoverability, interoperability, and trust in scientific data. The Semantic Engine provides a practical example of building user-friendly tools to generate machine-readable metadata, addressing the challenge of widespread adoption of such standards.

For more details, including the meeting transcript, please see our wiki 2025-05-01 Agri-food Data Canada – Carly Huitema – Home – Confluence

https://www.linkedin.com/in/carly-huitema-27727011/ https://www.semanticengine.org/

The post EGWG 2025-05-01 Agri-food Data Canada – Carly Huitema appeared first on Trust Over IP.

Play Video

Watch the full recording on YouTube.

Status: Verified by Presenter

Please note that ToIP used Google NotebookLM to generate the following content, which the presenter has verified.

Google NotebookLM Podcast

https://trustoverip.org/wp-content/uploads/ToIP-EGWG-2025-03-20_-Richard-Whitt-GliaNET-1.wav

This document and podcast were generated by Google’s NotebookLM. They provide information about Richard Whitt‘s vision for a more human-centric internet built on trust, as presented to the Ecosystem & Governance Working Group (EGWG) of the Trust over IP Foundation on March 20, 2025. It also draws from materials related to the GLIA Foundation and the GliaNet Alliance, founded by Richard Whitt.

The current state of the web is characterized by surveillance capitalism, where companies prioritize data extraction and manipulation, leading to a lack of trust. Richard Whitt argues that this undermines human agency and necessitates a shift towards a web built on trustworthy intermediaries.

His proposed solution centers around the concept of Net Fiduciaries, a new category of entities that would prioritize users’ interests through the application of fiduciary duties like care and loyalty, similar to professionals in medicine and law. This would be a voluntary approach, driven by ethical considerations and good business practices, rather than imposed regulations on existing platforms.

The GliaNet Alliance is a coalition of companies and organizations committed to this vision. Its goal is to build a “web worthy of trust” by fostering ethical technology practices and using transformative governance principles. The alliance operates as a community of practice, with working groups focusing on areas like business models, policies, practices, and standards.

Key concepts discussed include:

The SEAMS cycle (Surveillance, Extraction, Analysis, Manipulation), which describes the problematic data practices prevalent on the web. Glea, the ancient Greek word for glue, symbolizing trust as the social glue. A multi-layered approach to change, encompassing governance, markets, technology (edge tech), and public policy. The importance of authentic personal AI agents that operate on behalf of the user, contrasting with the “double agent” nature of current AI assistants that primarily serve platform interests. The distinction between agenticity (capability) and agentiality (acting on behalf of) in AI systems. The potential for interoperability between AI agents across different platforms.

The alliance is exploring ways to demonstrate trust to the public, potentially through analogies (like a “doctor for your web life”), marketing that emphasizes fiduciary duties, and clear communication about data handling practices. They are also considering mechanisms for recourse in case of breaches.

Richard Whitt’s book, “Reweaving the Web,” further elaborates on these ideas, outlining the problems with the current web and proposing practical steps to create a more user-centric digital future. The book has received positive testimonials from prominent figures in the tech and policy fields.

The GliaNet Alliance is in its early stages, focused on building its community, establishing governance structures, and exploring business models that align with its ethical principles. They are also engaging with policymakers and exploring potential collaborations, including with the Trust over IP Foundation. Consumer Reports is an anchor member and is exploring branding its AI agent as a GliaNet project. Kwaai.ai, an open-source LLM project, is also part of the alliance, aiming to build a platform with fiduciary duties to developers and agents.

For more details, including the meeting transcript, please see our wiki 2025-03-20 GliaNet – Home – Confluence.

https://www.linkedin.com/in/richardwhitt/ https://www.glia.net/

The post EGWG 2025-03-20: Richard Whitt, GliaNET appeared first on Trust Over IP.

This content is password protected. To view it please enter your password below:

Password:

The post Protected: EGWG 2025-04-03: Stephan Wolf, Verifiable Trade Foundation appeared first on Trust Over IP.

As blockchain ecosystems evolve, interoperability between networks is becoming increasingly vital. During the 2023 Hyperledger Mentorship Program, I had the opportunity to contribute to this vision by developing a Polkadot connector for Hyperledger Cacti, a platform now hosted by LF Decentralized Trust that facilitates interactions across heterogeneous distributed ledgers.

The National Cyber Security Centre said moving to digital passkeys to log on to Gov.UK was a vital step in making the tech more ubiquitous.

The Government has announced plans to replace passwords as the way to access Gov.UK, its digital services platform for the public.

In contrast to using a password and then an additional text message or code sent to a user’s trusted device – known as two-factor authentication – passkeys are unique digital keys tied to a specific device that proves the user’s identity when they log in without requiring them to input any further codes.

At the 2025 RSAC Conference in San Francisco, our team met with dozens of industry experts, cybersecurity professionals, and investors to find out more about the biggest security technologies and trends that are impacting your business. 

Tech-Specific Innovation

While AI was one of the hottest topics at the show, it wasn’t the only topic of discussion; we also heard a lot about the evolving ransomware ecosystem and what organizations need to be doing today to prepare for the arrival of “Q-Day”. 

But perhaps the second-biggest discussion piece was around identity and access security. 

With the rise of AI-powered deepfakes and fraud attempts, we’re seeing more need than ever before for organizations to make the switch from passwords to more secure methods of authentication, such as Passkeys—and many experts were optimistic that this space will see a lot of adoption over the next year. 

Key Insights:

Andrew Shikiar, Executive Director and CEO of the FIDO Alliance: “We’re going to see Passkey deployment continue to grow in regulated industries. That’s really important, because addressing the higher assurance use cases and taking passwords out of play there will give greater confidence for more and more companies to deploy Passkeys at scale, which will further accelerate our journey towards putting passwords fully in the rear-view mirror.”

Microsoft has officially shifted to passkeys, such as facial recognition, fingerprint scans, and PINs, as the default sign-in method for all new accounts beginning this month, marking its most significant step yet toward a password-free future, according to TechRepublic.

The move coincides with World Password Day and aligns with the tech giant’s broader commitment to the Passkey Pledge, an industry initiative to eliminate passwords in favor of more secure, phishing-resistant login methods. In a blog post, Microsoft executives Joy Chik and Vasu Jakkal emphasized that passkey users are three times more likely to log in successfully than those using passwords. Although existing account holders can still use passwords, Microsoft is nudging them toward using biometrics or PINs by default. Nearly all Windows users already rely on Windows Hello, and the shift is backed by support from industry partners, including Apple and Google, who are also rolling out FIDO-compliant passkey systems across their platforms. The change promises to streamline security and user experience across the board.

FIDO-Based Authentication to Replace SMS-Based Verification, Says UK NCSC

The U.K. government is set to replace SMS-based verification systems for digital services with passkeys this year in a bid to shore up cyber defenses.

The initiative will be rolled out by the U.K. National Cybersecurity Center using the open authentication standard Fast IDentity Online, or FIDO, as a more “secure and cost-effective solution.”

“The NCSC considers passkey adoption as vital for transforming cyber resilience at a national scale,” the NCSC said. “In addition to enhanced security and cost savings, passkeys offer users a faster login experience, saving approximately one minute per login when compared to entering a username, password and SMS code,” the agency said.

Zug, Switzerland (May 6, 2025) — Umanitek AG, a Swiss-based AI company combating harmful content and the risks of artificial intelligence, today announces the launch of their first product umanitek Guardian.

Umanitek’s mission is to fight against harmful content and the risks of AI by developing and deploying technology that serves the greater good of humanity.

Umanitek’s first product is an AI agent, umanitek Guardian, that uses the Decentralized Knowledge Graph (DKG), a decentralized, trusted network for organizing and tracking immutable data and allows participating organizations to keep ownership and control of their data while supporting database queries on a need-to-know basis — allowing collaboration without compromising privacy.

The first user of umanitek Guardian will be Aylo, who will leverage the agent to allow law enforcement agents to query 7 million hashes of its verified content using natural language through an AI agent.

“Umanitek acts as the bridge. Through Decentralized Knowledge Graph (DKG) decentralized infrastructure, we can integrate advanced Internet safety technologies directly with data. Umanitek Guardian will enable companies, law enforcement, NGOs and individuals to collaborate by uploading and querying “fingerprints” of images and videos to a decentralized directory. This system will help large technology platforms track, identify and prevent the distribution of harmful content. We are committed to developing human-centric AI solutions that promote trust, protect privacy and help make internet safety the standard in the age of AI.”

– Chris Rynning, umanitek Chairman

About umanitek

Making internet safety the standard in the age of AI.

Umanitek AG is a Swiss-based AI company combating harmful content and the risks of artificial intelligence. We develop human-centric AI solutions that promote trust, protect privacy and make internet safety the standard in the age of AI.

Our founders bring deep expertise in building reliable, trusted AI systems and are connected to global networks working to reduce internet harm, and are committed to raising awareness about the importance of education and digital responsibility in the age of AI.

Umanitek’s AI infrastructure is safe by design, open by principle and trustworthy by default. With a focus on ethical innovation, umanitek is setting the standards for transparency, accountability and harm reduction in artificial intelligence.

For more information about umanitek, umanitek’s founders and products, visit www.umanitek.ai.

Contacts

For media inquiries, please contact:

Umanitek Communication

media@umanitek.ai

umanitek launches umanitek Guardian AI agent was originally published in OriginTrail on Medium, where people are continuing the conversation by highlighting and responding to this story.

We are thrilled to announce that OwnYourData has been honored with the MyData Award 2025 in the Technology category by MyData Global. This recognition celebrates our commitment to developing human-centric data solutions that empower individuals and organisations with greater control over their information, enabling them to manage, share, and benefit from their data in transparent and ethical ways.

The MyData Awards acknowledge organizations and individuals making significant strides in ethical personal data practices across various domains, including technology, business, governance, and thought leadership. This year, over 400 nominations were evaluated, highlighting the growing global emphasis on data rights and individual empowerment.

Our award in the Technology category underscores our efforts in creating interoperable and privacy-focused tools that align with the principles of the MyData Declaration. We are especially honored that both the organisation OwnYourData and our chairperson, Christoph Fabianek, were recognized with MyData Awards. This dual recognition highlights not only our collective impact as a team but also Christoph’s individual leadership and long-standing commitment to building a fair, sustainable, and prosperous digital society.

For more details on the MyData Awards and the list of 2025 recipients, visit the official MyData Awards page.

 

Der Beitrag MyData Award 2025 erschien zuerst auf www.ownyourdata.eu.

The UK government is set to roll out passkey technology for its digital services later this year as an alternative to the current SMS-based verification system, offering a more secure and cost-effective solution that could save several million pounds annually.

What does it take to grow a brand on Amazon today?

The rules have changed, and Amazon is now less of a storefront and more of a dynamic ad and data platform.

In this episode, Jason Boyce, Founder and CEO of Avenue7Media, joins host Reid Jackson to share what he’s learned over 22 years in the e-commerce world. From selling as a reseller to building a brand and leading an agency, Jayson explains why success now depends on feeding the algorithm, not pitching to buyers.

He breaks down how streaming TV is driving direct Amazon sales, the problem with locked attributes and UPCs, and why attribution is finally catching up to the promise of connected TV.

In this episode, you’ll learn:

Why traditional retail rules don’t apply to Amazon

How Connected TV can accelerate brand growth

What makes Amazon profitable when compared to DTC

Jump into the conversation:

(00:00) Introducing Next Level Supply Chain

(02:53) From failed consulting to full-service agency

(06:26) Fixing locked attributes and bad UPC data

(09:59) Streaming ads that convert like e-commerce

(13:56) Selling to algorithms, not people

(16:34) Comparing Amazon to direct-to-consumer

(20:44) Why CTV is outperforming display ads

(26:48) How AI will change the way we shop

 

Connect with GS1 US:

Our website - www.gs1us.org

GS1 US on LinkedIn

 

Connect with the guest:

Jason Boyce on LinkedInCheck out Avenue7Media

Internet Safety Labs’ Executive Director Lisa LeVasseur testified before the Maine Judiciary Committee in support of LD 1822, the Maine Online Data Privacy Act, while highlighting concerns. Informed by ISL’s 2022 K-12 Edtech safety benchmark and ongoing research, our testimony underscores the need to curb widespread commercial surveillance and risky data practices. LD 1822’s restrictions on sensitive data collection and sales are vital, yet we advocate for stronger protections, particularly for FERPA-covered data, non-profits, and medical apps. The written testimony is available to view in the pdf below:

Open PDF

 

The post Internet Safety Labs Provides Testimony in Support of LD 1822, An Act to Enact the Maine Online Data Privacy Act appeared first on Internet Safety Labs.

EdgeCon Spring 2026

Date: April 16, 2026
Time: 9 am – 5 pm
Attendee Ticket: $49

Event Location:
The College of New Jersey

More information coming soon!

The post EdgeCon Spring 2026 appeared first on NJEdge Inc.

The FIDO Alliance announced today the launch of a new Payments Working Group (PWG) focused on developing and implementing FIDO authentication solutions specifically for payment use cases. This initiative marks a significant expansion of the organization’s efforts to eliminate password dependencies in critical digital transactions.

The new working group emerges at a time of growing momentum for passwordless authentication in the payments sector. Last year, Visa implemented passkeys for online payments, allowing customers to authorize transactions using biometric authentication rather than traditional passwords.

The Alliance, which now comprises over 250 members, has been steadily expanding its influence across various sectors of digital authentication.

World Password Day is no longer. The annual day to promote secure password practices has run its course, and the FIDO Alliance (whose stated mission, to be fair, is to bring the world beyond passwords) has rebranded World Password Day as World Passkey Day – an occasion to celebrate the encrypted FIDO credentials that combine data you possess (a digital key or credential) with a biometric trait (something you are, usually a face or fingerprint).

Anyone setting up a new Microsoft account will soon find they’re encouraged to use a passkey during the sign-up process.

Microsoft introduced passkey support across most of its consumer apps last year, allowing users to sign into their accounts without the need for 2FA methods or remembering long passwords. A year later, it’s removing passwords as the default and encouraging all new signups to use passkeys.

PCMag attempted to sign up for a new Microsoft account on May 2, but it still asked for a password at the time of publication. Microsoft hasn’t shared an exact timeframe for when the change will take place, but you should expect it to happen in the coming days.

This is the first time a new account can be entirely passwordless. Previously, it had to have one alongside your passkey.

In a blog post, Microsoft says 98% of passkey attempts to log in are successful, while passwords are only at 32%. Microsoft is also introducing what it calls a “streamlined” sign-in experience for all accounts that “prioritizes passwordless methods for sign-in and sign-up.” It means some UX design changes to highlight passkey functionality.

We’re excited to announce a new partnership with Puentes, an organization dedicated to strengthening the narrative power of social justice movements in Latin America

The post Empowering narratives, strengthening ecosystems: A partnership for digital resilience appeared first on The Engine Room.

Reviewing the landscape and sharing our approach

WAO is currently working on a project with the Responsible Innovation Centre for Public Media Futures (RIC), hosted by the BBC. Our focus is on AI Literacy for 14–19 year olds and you can read more context in our project kick-off blog post.

One of the deliverables for this project is to review AI Literacy frameworks, with a view to either making a recommendation, or coming up with a new one. It’s not just a case of choosing one with a pretty diagram!

Frameworks are a way in which an individual or organisation can indicate what is worth paying attention to in a given situation. Just as the definition of ‘AI Literacy’ varies by context, the usefulness of a framework depends on the situation. In this post, we share the judgements we made using criteria we developed and share our process in case it is useful for your own work.

Narrowing down the list

While there can be some commonality and overlaps between frameworks for different contexts, the diversity of possible situations is huge. There can never be a single ‘perfect’ framework suitable for every situation. For example, just imagine what ‘AI Literacy’ might look like for (adult) engineers and developers compared with children of primary school age. As with our work at Mozilla you can define what a ‘map’ of new literacies might look like, but it can only ever be one of many that describe the overall ‘territory’.

With our work on this project, we had to bear in mind our audience (14–19 year olds) and the mission of the BBC. There is a long history of Critical Media Literacy which is particularly relevant to our research here, and which was one of the factors when reviewing frameworks.

With a relatively short project timeline of three months, we needed a way to quickly classify approximately forty frameworks and related documents we have collected. We shared relevant details with Perplexity AI (using the Claude 3.7 Sonnet model) over multiple conversations. This helped us reduce our initial list of around 40 frameworks to a more manageable 25.

Coming up with criteria

Next, we came up with some criteria by which to judge them. These criteria were informed by our own work in the area for 15+ years, along with either interviews or surveys with over 35 experts in the field. While these criteria are meant as a heuristic for this project, they are also a useful starting point for asking questions about any project relating to new literacies.

Definition of AI — ensures everyone has the same starting point Development process — adds transparency and credibility Target audience — helps match the framework to its users Real-world relevance — shows how ideas work in practice AI safety and ethics — addresses both risks and responsible use Skills and competencies listed — clarifies what learners should be able to do Reputable source — increases trust in the framework

We included both safety and ethics because both are needed for using AI in a responsible and trustworthy way.

Categorising the most relevant frameworks

We used a traffic light (red/yellow/green) categorisation system to score each framework on the above criteria. Only one of the frameworks we reviewed, the OECD Framework for Classifying AI Systems, meets all criteria with a ‘green’ rating.

There are several other frameworks which we judge as meeting the criteria as ‘green’ except for one criterion (‘yellow’). Listed alphabetically by organisation, these are:

Artificial Intelligence in Education (Digital Promise) AI Literacy in Teaching and Learning: A Durable Framework for Higher Education (EDUCAUSE) Digital Competence Framework for Citizens (European Commission) Developing AI Literacy With People Who Have Low Or No Digital Skills (Good Things Foundation) AI competency framework for students (UNESCO)

There are other frameworks which we have decided to include which included two or more criterion as ‘yellow’. For example, the Open University’s Critical AI Literacy Framework, Ng, et al’s article, and Prof. Maha Bali’s blog post linked from her framework all do a good job of defining Critical AI Literacies. We would also note that the Digital Education Council’s list of skills and competencies relating to AI Literacy is useful to pair with those from EDUCAUSE, UNESCO, and the European Commission.

Next steps

As mentioned earlier, our brief for this project involves either making an informed recommendation of a framework, or to come up with our own. We’re currently leaning toward the latter, but either choice will be the subject of a future blog post.

If you have questions, concerns, comments, or indeed a particularly useful resource which you think would be useful for this project, please do get in touch. You can leave a comment here, or use the contact details on our main website to get in touch!

What makes for a good AI Literacy framework? was originally published in We Are Open Co-op on Medium, where people are continuing the conversation by highlighting and responding to this story.

Blockchain should be transforming industries. Yet most organizations struggle with its complexity, especially in the early stages of development and deployment.

After supporting passwordless Windows logins for years and even allowing users to delete passwords from their accounts, Microsoft is making its biggest move yet toward a future with no passwords. Now it will ask people signing up for new accounts to only use more secure methods like passkeys, push notifications, and security keys instead, by default.

The new no-password initiative by Microsoft is accompanied by its recently launched, optimized sign-in window design with reordered steps that flow better for a passwordless and passkey-first experience.

Although current accounts won’t have to shed their passwords, new ones will try and leave them behind by not prompting you to create a password at all:

As part of this simplified UX, we’re changing the default behavior for new accounts. Brand new Microsoft accounts will now be “passwordless by default.” New users will have several passwordless options for signing into their account and they’ll never need to enroll a password. Existing users can visit their account settings to delete their password.

With today’s changes, Microsoft is renaming “World Password Day” to “World Passkey Day” instead and pledges to continue its work implementing passkeys over the coming year. This time last year, the company implemented passkeys into consumer accounts. Microsoft says it’s seeing “nearly a million passkeys registered every day,” and that passkey users have a 98 percent success rate of signing in versus 32 percent for password-based accounts.

As you’ll already know, today is World Passkey Day and the FIDO Alliance has released an independent study of over 1,300 consumers across the US, UK, China, South Korea, and Japan to understand how passkey usage and consumer attitudes towards authentication have evolved.

The results are encouraging, they find 74 percent of consumers are aware of passkeys and 69 percent have enabled passkeys on at least one of their accounts.

Among those who have used passkeys, 38 percent report enabling them whenever possible. More than half of consumers now believe passkeys are both more secure (53 percent) and more convenient (54 percent) than passwords.

This increase in passkey adoption is likely driven by the shortcomings of passwords. Last year, over 35 percent of people had at least one of their accounts compromised due to password vulnerabilities. In addition, 47 percent of consumers will abandon purchases if they have forgotten their password for that particular account.

To further encourage organizations to embrace the shift to passkeys, the FIDO Alliance has also launched the Passkey Pledge, a voluntary pledge for online service providers and authentication product and service vendors committed to embracing passkeys.

“The establishment and growth of World Passkey Day reflects the fact that organizations of all shapes and sizes are taking action upon the imperative to move away from relying on passwords and other legacy authentication methods that have led to decades of data breaches, account takeovers and user frustration, which imperil the very foundations of our connected society,” says Andrew Shikiar, executive director and CEO of the FIDO Alliance. “We’re thrilled by the fact that over 100 organizations around the world signed our Passkey Pledge, and we are pleased to support the market in their march towards passkeys through a variety of freely available assets, including our market-leading Passkey Central resource center.”

The full report is available from the FIDO Alliance site.

As the first-ever World Passkey Day replaces the traditional World Password Day, Microsoft joins the FIDO Alliance in celebrating a milestone achievement: over 15 billion online accounts now have access to passwordless authentication through passkeys.

This significant shift marks a turning point in digital security as the tech industry moves decisively away from vulnerable password-based systems.

“The establishment and growth of World Passkey Day reflects the fact that organizations of all shapes and sizes are taking action upon the imperative to move away from relying on passwords and other legacy authentication methods,” said Andrew Shikiar, Executive Director and CEO of the FIDO Alliance. 

Microsoft is on a mission to delete passwords for a billion users, given that “the password era is ending.” The Windows-maker warns users that “bad actors know it, which is why they’re desperately accelerating password-related attacks while they still can.” And those attacks are now making headlines weekly.

The answer is passkeys, which link your account security to your physical device security, which means unless an attacker has access to your hardware and unlock method — biometric or PIN, they can’t bypass a password to login.

More than others, Microsoft is not just promoting passkeys but also password deletion: “If a user has both a passkey and a password, and both grant access to an account, the account is still at risk for phishing. Our ultimate goal is to remove passwords completely and have accounts that only support phishing-resistant credentials.”

The FIDO Alliance, the organization charged with promoting passkeys has taken to the internet airwaves this time around to “launch a Passkey Pledge to further accelerate [the] global movement away from passwords.”

Its latest research found that “over 35% of people had at least one of their accounts compromised due to password vulnerabilities, [and] 47% of consumers will abandon purchases if they have forgotten their password for that particular account. This is significant for passkey adoption, as 54% of people familiar with passkeys consider them to be more convenient than passwords, and 53% believe they offer greater security.”

FIDO has welcomed Microsoft’s password deletion as industry leading. “This is an exciting and seminal milestone as Microsoft is taking passwords out of play for over a billion user accounts,” its CEO Andrew Shikiar told me, “who can now instead leverage user-friendly, phishing-resistant passkeys. Microsoft’s leadership in doing so today will help encourage more service providers to do the same, which moves us collectively closer to the day when passwords are fully in our rear-view mirror.”

Moving past passwords is improving brand trust

The FIDO Alliance has also recently invited companies to participate in the World Passkey Pledge to create a more secure future, and move past the vulnerability and hassle of passwords.

Simon McNally, Cybersecurity Expert at Thales said, “Passwords have long been a weak link in digital security, forcing consumers and businesses into a frustrating cycle of password resets and potential breaches. We welcome the FIDO Alliance’s commitment to World Passkey Day and its push for a passwordless future. Passkeys provide a seamless and secure authentication experience, eliminating the risks and frustrations associated with traditional passwords.

Passkeys are automatically generated and securely stored, removing the burden of creating and managing complex passwords. They also enhance privacy by allowing authentication without sharing sensitive data, reducing the risk of breaches. As trust in digital security becomes more critical, businesses must prioritise passwordless solutions to protect users and build brand confidence.”

The Passkey Pledge for a Passwordless Future

To commemorate World Password Day (or at it will henceforth be known, World Passkey Day), the FIDO Alliance has released a survey on the usage of passkeys which found that 74% of consumers are aware of passkeys, meaning that consumers are aware of the potential value a passkey login experience can bring. To support this, the survey also found that 69% of consumers have enabled passkeys on at least one of their accounts.

Furthermore, for those who have used passkeys, 38% report enabling them whenever possible suggesting that some consumers already see the added user experience and security benefits passkeys bring. In fact, more than half of consumers believe passkeys are both more secure (53%) and more convenient (54%) than passwords. Many businesses and organizations have already signed the Passkey Pledge, including Amazon, Apple, Google, Microsoft, Samsung, and many more!

A pivotal moment

Andrew Shikiar, executive director and CEO of the FIDO Alliance, commented on both the recent survey, and the Passkey Pledge:

“This year’s World Passkey Day comes at a pivotal moment for user authentication around the world – with a rapidly growing number of service providers (including nearly half of the world’s top 100 websites) offering billions of user accounts the option to sign in with passkeys instead of passwords. Well over 100 organizations have taken the Passkey Pledge, indicating their commitment towards a future free from the risk and burdens of passwords.

Consumers are not only increasingly aware of passkeys, they’re using them more frequently: 69% of respondents to our recent survey are enabling them on at least one account, and 38% are now enabling them whenever possible.

Passkeys are so intuitive to use that once users integrate passkeys, they rarely go back. This is good for consumers who are frustrated by password reliant sign-in processes — 35% of whom said they experienced account compromises as a result of password vulnerabilities last year — and e-commerce retailers alike.

This shift isn’t just about innovation or bottom lines; it’s about rebuilding digital trust and creating a safer, more efficient internet for everyone.”

NEWARK, NJ, May 2, 2025 – Dr. Forough Ghahramani, Assistant Vice President for Research, Innovation, and Sponsored Programs, Edge, Chair of Broadening the Reach Working Group for the Ecosystem for Research Networking (ERN), and ERN Steering Committee member, welcomed an esteemed group of scientific and cyberinfrastructure researchers as co-chair of this year’s ERN Summit.

The Ecosystem for Research Networking Summit provides the scientific and cyberinfrastructure research community an opportunity to come together and discuss ERN mission and accomplishments, hear from domain researchers and CI professionals at smaller institutions about the successes and challenges related to leveraging local, regional, and national resources for projects, and learn about funding resources and partnership opportunities, as well as regional and national communities.

The Summit was a virtual event held on April 23, 2025, and reflected a shared commitment to building bridges across scientific and cyberinfrastructure communities and exploring the timely topics of advanced technologies, artificial intelligence (AI), quantum, and workforce development. Attendees heard from thought leaders who are driving AI and quantum initiatives, shaping curriculum innovation, and expanding opportunities across institutions of all sizes. Panel discussions examined the unique constraints and opportunities facing non-R1 institutions, along with the curricular innovations and partnerships shaping the future quantum workforce.

“The ERN Summit sparked dynamic conversations and showcased the perspectives of vital contributors to our national research ecosystem, including leading institutions, regional hubs, industry partners, and smaller colleges. We hope the Summit inspired new collaborations, actionable ideas, and lasting connections throughout the research and education community.”

– Dr. Forough Ghahramani
Assistant Vice President for Research, Innovation, and Sponsored Programs, Edge
Chair of Broadening the Reach Working Group, ERN
Steering Committee Member, ERN

Keynote speaker, Dan Stanzione, Ph.D., Associate Vice President for Research, Executive Director, Texas Advanced Computer Center (TACC), led the topic, AI and HPC, or AI Ends HPC? where he discussed the evolving balance between AI and high-performance computing in future system designs. Dr. Stanzione argued that rather than replacing HPC, AI is transforming it, requiring the community to rethink architecture, software, workforce strategy, and environmental impact.

The Summit’s three panels provided insights from leading institutions, regional hubs, industry partners, and smaller institutions, including:

How regional economic and workforce initiatives are taking shape in AI and Quantum; How industry-academic partnerships are preparing the next-generation quantum workforce, and; What unique strengths and challenges are faced by non-R1 and smaller institutions in this landscape.

“It was wonderful seeing the strong attendance across all panels. The discussions addressed pressing issues relevant to research and education communities in universities and colleges nationwide and internationally as we collectively tackle the challenges of AI and emerging quantum technologies. We will continue these discussions over the next year, leading to solutions that will be reported on during our next summit,” Barr von Oehsen, Ph.D., Director Pittsburgh Supercomputing Center and Chair of the ERN Steering Committee.

The Summit closed with rich dialogue on how the ERN can continue to build a thriving, inclusive community that supports institutions of all sizes and types. The energy and ideas shared set a clear path for future action! The ERN community is energized to keep the momentum going! Additional information is available at https://ern.ci.

About Edge

Edge serves as a member-owned, nonprofit provider of high performance optical fiber networking and internetworking, Internet2, and a vast array of best-in-class technology solutions for cybersecurity, educational technologies, cloud computing, and professional managed services. Edge provides these solutions to colleges and universities, K-12 school districts, government entities, hospital networks and nonprofit business entities as part of a membership-based consortium. Edge’s membership spans the northeast, along with a growing list of EdgeMarket participants nationwide. Edge’s common good mission ensures success by empowering members for digital transformation with affordable, reliable and thought-leading purpose-built, advanced connectivity, technologies and services.

The post Ecosystem for Research Networking (ERN) Summit 2025 appeared first on NJEdge Inc.

We recently updated the MyData White Paper. Unlike previous editions that stated “this is the way it should be,” this fourth edition asks questions about how MyData’s vision, principles, and […]

EdgeCon Winter 2026

Date: January 15, 2026
Time: 9 am – 5 pm
Attendee Ticket: $49

Event Location:
Princeton University

Accommodations

For those requiring overnight accommodations while attending EdgeCon Winter 2025, a Group Rate has been arranged for attendees at: Nassau Inn »

10 Palmer Square, Princeton, NJ 08542

Secure your room here »

Or, for Attendees who want to make reservations over the phone, please call the Nassau Inn Reservation Desk directly at 609-921-7500 and reference the booking #4766909 in order to receive the group rate. This rate is only valid until 12/14/25.

More information coming soon!

The post EdgeCon Winter 2026 appeared first on NJEdge Inc.

Hyperledger Fabric has long been a cornerstone of enterprise blockchain, effectively addressing the deficiencies and governance challenges of public blockchain systems. Designed for modularity, scalability, and effective governance, it laid the groundwork for enterprise blockchain applications where trust, compliance, and performance are paramount.

May 1, 2025

In recognition of World Passkey Day (formerly World Password Day), the FIDO Alliance is putting the spotlight on real-world passkey deployments from leading organizations around the globe. Read on for highlights of the successes companies in various industries are seeing from delivering faster, easier, and more secure sign-ins with passkeys—showcasing the global commitment to move away from passwords.

The FIDO Alliance also released today an independent study of consumers to understand how passkey usage and consumer attitudes towards authentication have evolved. The research found that in the last year, over 35% of people had at least one of their accounts compromised due to password vulnerabilities. In addition, 47% of consumers will abandon purchases if they have forgotten their password for that particular account. This is significant for passkey adoption, as 54% of people familiar with passkeys consider them to be more convenient than passwords, and 53% believe they offer greater security. The full report is available here.

ABANCA’s mobile app serves over 1,200,000 customers a month, serving as the bank’s largest branch. Today, more than 42% of its mobile customers are using passkeys via the bank’s ABANCA Key product. As a result, more than 11,000,000 high-risk transactions have been protected without technical or service incidents, and due to the prioritization of UX, they have managed a Customer Effort Score (CES) of 4.7. 

Aflac was the first major insurance company to adopt passkeys in the U.S. Aflac partnered with Transmit Security to launch their passkey authentication initiative Today, only the first phase of the project is complete and yet more than 500,000 Aflac customers have enrolled a passkey, resulting in a 32% reduction in password recovery requests. This has yielded 30,000 fewer calls per month to the call center for identity issues. Aflac reports that the highest enrollment rates occur at the point of registration, reinforcing the FIDO Alliance’s Design Guidelines recommendation to prompt customers during account-related tasks. The steady, organic adoption of passkeys by Aflac customers continues to grow daily and directly contributes to measurable improvements in cost reduction and customer experience.

KDDI now has more than 13.6 million au ID customers that use FIDO and has seen a dramatic decrease (down nearly 35%) in calls to their customer support center as a result. KDDI manages FIDO adoption carefully for both subscribers and non-subscribers. 

LY Corporation property Yahoo! JAPAN ID now has 28 million active passkeys users. Approximately 50% of user authentication on smartphones now uses passkeys. LY Corporation said that passkeys have a higher success rate and are 2.6 times faster than SMS OTP.

Mercari has seen 9 million users enroll with passkeys, and is enforcing passkey login for users who have enrolled with synced passkeys. Notably, there have been zero phishing incidents at Mercari Shop and Mercoin (a Mercari subsidiary) since March 2023.

Microsoft began rolling out passkeys for Microsoft consumer account in 2024. They now see nearly one million passkeys registered every day. Microsoft has found that users signing in with passkeys are three times more successful at getting into their account than password users (about 98% versus 32%), passkey sign-ins are eight times faster than traditional password + MFA flows, and passwordless-preferred UX has reduced password use by over 20%. 

Nikkei rolled out passkeys in February and is already seeing thousands of customers using passkeys. Additionally, they are seeing almost no inquiries about how to use passkeys at the support desk.

NTT DOCOMO has increased its passkey enrollments and now passkeys are used for more than 50% of authentication by d ACCOUNT users. NTT DOCOMO notably reports significant decreases in successful phishing attempts and there have been no unrecognized payments at the docomo Online Shop since September 2022 where NTT DOCOMO continuously improved UX, including increasing the number of other passkey-enabled services.

Samsung Electronics’ Galaxy smartphones support fast and convenient logins through biometric authentication and FIDO protocols. Due to ease of use, speed, compatibility across services, and status as an industry standard made passkeys a compelling choice for Samsung Electronics.

VicRoads is the vehicle registration and driver licensing authority in Victoria, Australia. It registers over six million vehicles annually and licenses more than five million drivers. Within the first weeks of deployment with its passkey vendor Corbado, passkey adoption significantly exceeded VicRoads’ expectations. Users embraced the phishing-resistant authentication method, benefiting from a frictionless login experience optimized for speed and security. The exceptionally high passkey activation rate – peaking at 80% on mobile devices and over 50% across all platforms – led to 30% passkey login rate within the first seven weeks. Uptake continues to rise steadily, translating into measurable operational benefits, including reduced authentication-related support tickets, lower SMS OTP costs and improved user experience and security.

Zoho Corporation has rolled out passkeys to its 100+ million zoho.com customers and has seen a resulting 30% increase month over month in passkey adoption and a 10% drop in password reset queries. As a next step, the company will begin its rollout to Zoho Vault customers in May.

Read the full case studies from ABANCA, Microsoft, Nikkei, Samsung Electronics, VicRoads and Zoho Corporation to learn more about how these companies are discovering the benefits of passkey adoption. To learn more about passkey implementation through other documented case studies, visit the FIDO Alliance’s resource library. Have a case study to share? Contact us!

New global survey: More than two thirds of users familiar with passkeys turn to them for simpler, safer sign-ins as password pain persists

MOUNTAIN VIEW, Calif., May 1, 2025 – With digital security more critical than ever, the FIDO Alliance is commemorating World Passkey Day 2025 with the release of an independent study of consumers across the U.S., U.K., China, South Korea, and Japan to understand how passkey usage and consumer attitudes towards authentication have evolved. 

The research found that in the last year, over 35% of people had at least one of their accounts compromised due to password vulnerabilities. In addition, 47% of consumers will abandon purchases if they have forgotten their password for that particular account. This is significant for passkey adoption, as 54% of people familiar with passkeys consider them to be more convenient than passwords, and 53% believe they offer greater security. 

World Passkey Day serves as the FIDO Alliance’s annual call to action for individuals and organizations to adopt passkey sign-ins, making the web safer and more accessible.

Highlights from the research show consumer passkey awareness is on the rise and outlines several key trends in adoption among those who are aware of passkeys, including:

74% of consumers are aware of passkeys. 69% of consumers have enabled passkeys on at least one of their accounts. Among those who have used passkeys, 38% report enabling them whenever possible. More than half of consumers believe passkeys are both more secure (53%) and more convenient (54%) than passwords. 

The survey report is available at https://fidoalliance.org/wpd-report-2025-consumer-password-passkey-trends/, which includes additional insights on how passkey adoption is trending with consumers and organizations to improve global digital access, authentication, and security.

“The establishment and growth of World Passkey Day reflects the fact that organizations of all shapes and sizes are taking action upon the imperative to move away from relying on passwords and other legacy authentication methods that have led to decades of data breaches, account takeovers and user frustration, which imperil the very foundations of our connected society,” said Andrew Shikiar, Executive Director and CEO of the FIDO Alliance. “We’re thrilled by the fact that over 100 organizations around the world signed our Passkey Pledge, and we are pleased to support the market in their march towards passkeys through a variety of freely available assets, including our market-leading Passkey Central resource center.”

To further encourage organizations to embrace the shift away toward passkeys, the FIDO Alliance also launched the Passkey Pledge, a voluntary pledge for online service providers and authentication product and service vendors committed to embracing passkeys. The passkey pledge has received commitments from over 100 organizations in just over 20 days. A full list of companies that have taken the passkey pledge can be found here.

The availability of passkeys has steadily increased with implementation reaching 48% of the world’s top 100 websites as enterprises and service providers collectively seek to embrace a new era of faster sign-ins, higher success rates, fewer account takeovers, lower support costs, and reduced cart abandonment.

To learn how to start your organization’s passwordless journey, or to begin using passkeys today, visit: https://www.passkeycentral.org/home. 

Notes to editors: This SurveyMonkey online poll was conducted from April 13-14, 2025, among a global sample of 1,389 adults ages 18 and up. Respondents for this survey were selected from the nearly 3 million people who take surveys on the SurveyMonkey platform each day. Data for this survey has been weighted for age, race, sex, education, and geography to adequately reflect the demographic composition of the United States, United Kingdom, China, South Korea and Japan. The modeled error estimate for this survey is plus or minus 3.5 percentage points. To calculate the proportion of the world’s top websites and services that support passkeys, the FIDO Alliance combined publicly available information with its own data on passkey deployments.  About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance was formed in July 2012 to address the lack of interoperability among strong authentication technologies and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services. For more information, visit www.fidoalliance.org.

Contact

press@fidoalliance.org

It’s our birthday, so we took the day off! Image CC BY-ND Visual Thinkery for WAO

It feels fitting and yes, admittedly somewhat contrived, that our birthday falls on May 1st. It’s a moment when people around the world celebrate the power of collective action and the achievements of workers everywhere.

This year, our anniversary feels even more special. We’ve had our share of triumphs and certainly challenges, but nine years in (which is a long time in internet years!) we’re still here.

2025 has been named the United Nations International Year of Co-operatives, with the theme “Co-operatives Build a Better World.” The global co-operative movement deserves this spotlight, showing how co-ops like ours are making a difference by putting people and planet before profit.

https://ica.coop/en/cooperatives/facts-and-figures

At We Are Open, we believe in doing business differently. We’re a worker-owned co-op, which means we make decisions together, share responsibility, and support each other to do meaningful work. Over the past nine years, we’ve learned (and re-learned!) that openness, collaboration, and trust are at the heart of what makes co-ops so important.

So today, we’ll down tools and raise a glass to our members, clients, friends, comrades in CoTech and workers.coop and the wider co-op community. Thanks for being part of our journey so far.

Solidarity and celebration from all of us at We Are Open! If you’d like to wish us happy birthday, or have a problem we may be able to help with, email us without delay at hello@weareopen.coop

We Are Nine was originally published in We Are Open Co-op on Medium, where people are continuing the conversation by highlighting and responding to this story.

May 2025

DIF Website | DIF Mailing Lists | Meeting Recording Archive

Table of contents Decentralized Identity Foundation News; 2. Working Group Updates; 3 Special Interest Group Updates; 4 User Group Updates; 5. Announcements; 6. Community Events; 7. DIF Member Spotlights; 8. Get involved! Join DIF 🚀 Decentralized Identity Foundation News DIF Labs Beta Cohort 2 RFP is here!

Exciting news for identity innovators! DIF Labs has just announced their request for proposals for Beta Cohort 2, focused on driving high-leverage work at the intersection of identity, trust, and emerging technologies. The program seeks proposals from builders and researchers in five key focus areas: Personhood Credentials, Content Authenticity and Assertions, Applied Cryptography, Verifiable AI, and Industry-Aligned Applications. Project leads must be DIF members, with proposals due by May 20, 2025. Selected projects will receive mentorship, ecosystem support, and collaboration opportunities over a 2-3 month development period. For complete details on submission requirements, evaluation criteria, and the application process, visit the full announcement on the DIF Labs website.

DIF Hospitality & Travel Working Group is Live

The Decentralized Identity Foundation (DIF) has launched a new Hospitality & Travel Working Group focused on developing standards for self-sovereign data exchange in the travel industry. This initiative will create frameworks allowing travelers to control their personal information while enabling seamless interactions with service providers. Led by chair Douglas Rice, the group will address traveler profiles, data portability, and interoperability across the travel ecosystem. For more details, see DIF's announcement:

DIF Launches Decentralized Identity Foundation Hospitality & Travel Working Group The Decentralized Identity Foundation (DIF) has officially launched its Hospitality & Travel Working Group, evolving from the ongoing H&T Special Interest Group (SIG). This new working group will focus on developing standards, schemas, processes, and documentation to support the self-sovereign exchange of data between travelers, services, intermediaries in the hospitality Decentralized Identity Foundation - BlogDecentralized Identity Foundation Algorand Releases the Universal Chess Passport

Algorand has partnered with World Chess to develop a "Universal Chess Passport" using blockchain-based digital identity and verifiable credentials technology. This innovative system will allow chess players to maintain portable digital identities and credentials across platforms, enabling them to seamlessly transfer their achievements, rankings, and records between online platforms and in-person tournaments. The proposal aims to address fragmentation in the chess ecosystem while maintaining privacy and security through decentralized identifiers (DIDs). A live discussion about the initiative will be held on May 6th featuring representatives from Algorand, World Chess, and the Decentralized Identity Foundation. For more details, visit Algorand's announcement page:

Algorand x World Chess - Universal Chess Passport Tired of rebuilding your chess identity across every platform? A new blockchain-based system from Algorand and World Chess proposes portable, verifiable credentials for chess players—bringing fairness, reputation, and rewards into one unified ecosystem. Universal Chess PassportAlgorand Foundation 🛠️ Working Group Updates

Browse our working groups here

Hospitality & Travel Working Group

The newly-launched Hospitality & Travel Working Group started strong. They discussed their draft implementation guide and schema development, exploring the complexities of travel stages and verifiable data. They refined key terms in their glossary, including standardizing on the term "HATPro" (hospitality and travel profile). The team aims to have a substantial portion of the schema ready to announce at the HITEC Conference in mid-June.

👉 Learn more and get involved

Creator Assertions Working Group

The Creator Assertions Working Group held productive meetings in both Americas/EU and APAC time zones this month. Discussions focused on identity claims, trust profiles, and collaboration with external groups including the JPEG Trust Group and Project Origin. The group is preparing three assertion specs for approval and considering integrating first-person credentials. The group will soon hold an election for co-chairs, with Scott Perry and Alex Tweeddale as candidates.

👉 Learn more and get involved

DID Methods Working Group

The DID Methods Working Group finalized the DIF recommended methods process, agreeing to use "DIF Recommended" consistently throughout their documentation. They heard a detailed presentation on DID Peer version 4, exploring its features and advantages over other methods. The group also decided to dedicate full sessions to DID method deep dives as practice runs for their evaluation process.

👉 Learn more and get involved

Identifiers and Discovery Working Group

The DID Traits team is preparing to release version 1.0 of their specification, focusing on making traits enable easier assessment. They're adding new traits including key validation and long-term availability, while improving terminology for clarity. The team removed software trade references due to complexity and expressed satisfaction with their progress toward the 1.0 milestone.

The did:webvh team is finalizing their 1.0 specification, including updates to examples and clarification of terminology. They addressed concerns about performance with large logs, cryptographic agility, and improving DID availability through watchers. The team is developing a JSON schema for data model validation and planning a test suite, while seeking acknowledgement from the DIF Technical Steering Committee for the 1.0 release.

👉 Learn more and get involved

🪪 Claims & Credentials Working Group

The Credential Schemas team developed a new schema directory structure with community schemas, draft schemas, and recommended schemas folders to better organize their work. They refined the proof of age schema, including improvements to boolean threshold indicators and simplifying schema names for clarity and reuse. The team welcomed new members and discussed potential synergy with the Oasis working group.

👉 Learn more and get involved

Applied Crypto Working Group

The BBS+ team focused on pseudonym implementations and designing approaches for everlasting unlinkability in credential systems. They considered trade-offs between post-quantum security and privacy, concluding that their baseline approach with pseudonyms offers preferable privacy protections. Team members are exploring the potential of using Rust instead of C++ for implementation and plan to interact more with the CFRG to advance the project.

👉 Learn more and get involved

DIF Labs Working Group

DIF Labs has launched its RFP for Beta Cohort 2. Read more here

👉 Learn more and get involved

DIDComm Working Group

The DIDComm team discussed implementing binary encoding in the next version, proposing either a DIDComm version 3 with built-in binary encoding or adding optional seabore envelopes in version 2.2. They welcomed new member SwissSafe who expressed interest in contributing to standardizing CBOR for DIDcomm messaging. The team agreed to implement a flag designator in the header for different encodings.

👉 Learn more and get involved

If you are interested in participating in any of the Working Groups highlighted above, or any of DIF's other Working Groups, please click join DIF.

🌎 DIF Special Interest Group Updates

Browse our special interest groups here

DIF Hospitality & Travel SIG

The H&T SIG held multiple productive sessions in April. One meeting featured representatives from the European Digital Identity Wallet Consortium who presented on the EUDI wallet's development and potential applications in travel and hospitality. Another session discussed food model development, trip profile components, and context-specific preferences for travelers. The team continues refining their implementation guide and developing a comprehensive strategy for travel wallets that support personalization, with plans to showcase their schema at the HITEC Conference in mid-June.

👉 Learn more and get involved

DIF China SIG

👉 Learn more and get involved

APAC/ASEAN Discussion Group

The APAC/ASEAN call featured a presentation on the Verifiable Legal Entity Identifier (vLEI) and its relation to the Global Legal Entity Identifier Foundation. Steering Committee member Catherine Nabbala of Finema, a qualified vLEI issuer, detailed the vLEI ecosystem governance framework and verification processes. The group discussed implementation challenges including key management, wallet technologies, and potential applications in various industries. Participants showed particular interest in how vLEI could be integrated with traditional SSI architecture using did:webs

👉 Learn more and get involved

DIF Africa SIG

The DIF Africa SIG hosted a presentation by Karla McKenna on the Global Legal Entity Identifier Foundation (GLEIF) and Verifiable Legal Entity Identifier (vLEI). Karla discussed organizational identity in the digital world and potential applications of vLEI in various sectors. The meeting explored the process of becoming a qualified vLEI issuer and how such technology could benefit government and public services. Participants expressed interest in applying these concepts to streamline business processes, particularly in Africa.

👉 Learn more and get involved

DIF Japan SIG

The Japan SIG discussed NodeX's migration from Sidetree to the did:webvh method due to concerns about content-addressable storage stability, Bitcoin network performance, and Sidetree maintenance status. Technical discussions included DID structure, the resolve process, did:webvh method advantages, and IoT device authentication and trust. The team also explored global deployment strategies and trust framework implementation, particularly for IoT devices in critical infrastructure and energy sectors.

👉 Learn more and get involved

DIF Korea SIG

👉 Learn more and get involved

📖 DIF User Group Updates
DIDComm User Group

The DIDComm User Group explored Colton's WebRTC project that enabled browser-to-browser voice communication over DIDComm. Members discussed binary encoding implementation options for DIDComm messages, focusing on CBOR while keeping the door open to other encodings. The group also demonstrated a chat system using DIDComm's mediator capabilities for seamless communication between users, even when offline. Future discussions will focus on use case documentation templates and integrating with AI-related protocols like the Model Context Protocol.

👉 Learn more and get involved

Veramo User Group

👉 Learn more and get involved

📢 Announcements at DIF

Conference season is kicking into high gear. Explore our Events calendar to meet the DIF community at leading Decentralized Identity, Identity, and Decentralized Web events.

🗓️ ️DIF Members

👉Are you a DIF member with news to share? Email us at communication@identity.foundation with details.

🆔 Join DIF!

If you would like to get in touch with us or become a member of the DIF community, please visit our website or follow our channels:

Follow us on Twitter/X

Join us on GitHub

Subscribe on YouTube

🔍

Read the DIF blog

New Member Orientations

If you are new to DIF join us for our upcoming new member orientations. Find more information on DIF’s slack or contact us at community@identity.foundation if you need more information.

Passkeys are no longer just a concept: The future of sign-in is here and consumers are ready. Built on the open authentication standards developed by theFIDO Alliance, passkeys are quickly gaining momentum among global service providers. Why? Because they offer africtionless, phishing-resistant, passwordless sign-in experience that is redefining digital security and user convenience.

Ahead of World Passkey Day 2025, the FIDO Alliance commissioned an independent survey of1,389 peopleacross theU.S., U.K., China, South Korea, and Japan to provide additional insights into how authentication preferences are evolving in real time.

The research shows people continue to struggle with traditional passwords:

36%of respondents said they’ve had at least one account compromised due to weak or stolen passwords. 48%admitted they’ve abandoned an online purchase simply because they forgot their password.

Read the full results of the survey in this eBook.

Download the Report Read the Press Release

April 29, 2025 – The FIDO Alliance has launched a Payments Working Group (PWG) to define and drive FIDO solutions for payment use cases. The PWG will also act as subject matter experts and internal advisors within the FIDO Alliance on issues affecting the use of FIDO solutions for payment use cases. The PWG is co-chaired by Henna Kapur of Visa and Jonathan Grossar of Mastercard, with other FIDO Alliance member company participants including American Express; Cartes Bancaires; Futurae; Infineon; OneSpan; PayPal; Royal Bank of Canada – Solution Acceleration & Innovation; and Thales

The PWG will focus on three areas:

Identify and evaluate specific requirements for payment authentication. Requirements will include those in the area of UX, security and regulation unique to payments;. Identify and evaluate existing and emerging solutions to address payment authentication requirements; and Guidelines for use of passkeys and/or proposed FIDO solutions along with existing payment technologies such as EMV® 3-D Secure or EMV® EMVCo SRC.

The PWG will also work on associated projects relating to the use of FIDO solutions for payments including: collecting and publishing deployment case studies, documenting challenges and potential solutions to issues; and working with FIDO Alliance liaison partners to drive education and adoption.

Join the Payments Working Group

Organizations interested in taking part in the PWG and driving the adoption of passkeys for payments can inquire today. Participation in the PWG is open to all Board, Sponsor, and Government level members of the FIDO Alliance. Non-member organizations interested in participating should contact the FIDO Alliance to become a member; learn more by visiting https://fidoalliance.org/members/become-a-member/.

NEWARK, NJ, May 1, 2025 – Dr. Forough Ghahramani, Assistant Vice President for Research, Innovation, and Sponsored Programs, Edge, and Vice President for Research and Collaborations, New Jersey Big Data Alliance (NJBDA), will join the 12th annual NJBDA Symposium at William Paterson University of New Jersey on May 16, 2025. This annual event is New Jersey’s premier conference for big data and advanced computing and attracts over two hundred attendees from industry, government, and academia.

This year’s theme, Empowered by AI: Innovation and the Rise of the Augmented Workforce, will allow attendees to explore the transformative power of AI and how this technology can empower workers to reach new levels of innovation and creativity. The full-day event will feature an industry panel discussing the impact of AI across multiple sectors, a workforce development panel on advanced technologies, a hands-on student workshop, and networking opportunities.

Breakout sessions include a Research Track Program led by Research Track Chair, Dr. Ghahramani, and will feature presentations on current applied research in Big Data, AI, and Machine Learning. The research session, AI Methods & LLM Innovation, will explore cutting-edge AI techniques including generative models, graph networks, and real-time Natural Language Processing (NLP) and will highlight the technical advancements driving the next wave of intelligent systems.

The session, AI in Health, Education, and Society, will explore how AI is shaping healthcare, education, and social systems, with a focus on inclusive, human-centered technologies that promote well-being and equity. In a separate session, AI in Industry, Infrastructure, and the Environment, attendees will engage with real-world examples of how AI is driving innovation in business operations, public infrastructure, and environmental sustainability.

“As we stand at the intersection of AI innovation and workforce transformation, this year’s NJBDA Symposium provides a vital forum to advance collaborative research, inform policy, and shape inclusive pathways for talent development. The research track will highlight groundbreaking work in generative AI, machine learning, and real-time analytics, showcasing the talent and innovation emerging across New Jersey’s academic institutions and their relevance to pressing societal and industry challenges.”

— Dr. Forough Ghahramani
Assistant Vice President for Research, Innovation, and Sponsored Programs, Edge
Vice President for Research and Collaborations, NJBDA

Three student externship teams will also share insights from the Data Science Curriculum Alignment and Articulation Agreement Pathways Project, a joint effort led by the Rutgers Master of Business and Science (MBS) Externship Program, the New Jersey Big Data Alliance, and NJ Pathways. The group investigated how data science programs at New Jersey community colleges align with those at four-year universities and explored ways to make the credit transfer process more seamless for students moving from associate to bachelor’s degree programs. Following the presentation, attendees can join a Q&A panel to further explore the students’ findings and experiences.

For event information and registration, please visit the NJBDA Symposium website and explore the opportunity to collaborate, expand your knowledge, and gain insights into the evolving role of intelligent technologies in shaping our future.

About Edge

Edge serves as a member-owned, nonprofit provider of high performance optical fiber networking and internetworking, Internet2, and a vast array of best-in-class technology solutions for cybersecurity, educational technologies, cloud computing, and professional managed services. Edge provides these solutions to colleges and universities, K-12 school districts, government entities, hospital networks and nonprofit business entities as part of a membership-based consortium. Edge’s membership spans the northeast, along with a growing list of EdgeMarket participants nationwide. Edge’s common good mission ensures success by empowering members for digital transformation with affordable, reliable and thought-leading purpose-built, advanced connectivity, technologies and services.

The post Dr. Forough Ghahramani to lead the Research Track at the 12th Annual NJBDA Symposium appeared first on NJEdge Inc.

Cisco, Dell Technologies, IBM, Microsoft, Oracle, Red Hat, and Others Support New Guidance to Effectively Manage Product Lifecycles Across the Software Supply Chain

Boston, MA USA; 29 April 2025 — As organizations grapple with increasing cybersecurity risks linked to unsupported software and hardware, the need for timely, standardized End-of-Life (EoL) and End-of-Support (EoS) information is more critical than ever. In response, OASIS Open, the global open source and standards consortium, announced the publication of the OpenEoX White Paper. Developed by the OpenEoX Technical Committee (TC), the paper identifies major use cases for EoL security data, outlines current industry pain points, and introduces a roadmap for a standardized, machine-readable format for EoL disclosures. 

“Knowing when software and hardware support ends shouldn’t be a guessing game. Managing product lifecycles effectively requires collaboration across the entire ecosystem, from commercial vendors to open-source maintainers,” said Omar Santos, OpenEoX co-chair and Cisco Distinguished Engineer. “OpenEoX introduces a much-needed, unified framework designed to streamline the exchange of End-of-Life (EoL) and End-of-Security-Support (EoSSec) data that enables transparency and efficiency.”

Developed by a global coalition of cybersecurity leaders from organizations including Cisco, Dell Technologies, IBM, Microsoft, Oracle, Red Hat, and others, the white paper defines the scope and architecture for an OpenEoX data model and lays the foundation for future technical specifications. These will support integration with the Common Security Advisory Framework (CSAF), Software Bill of Materials (SBOMs), and other widely adopted cybersecurity standards.

“Standardizing how end of life, end of security support, and end of sales is handled for hardware and software makes the software supply chain more secure and efficient. This is especially important for developing and deploying AI systems securely,” said Brendan Burns, Microsoft Corporate Vice President and General Manager, Azure Cloud Native and Management Platform. “We’re pleased to contribute to this effort, increasing transparency, efficiency, and trust through better-informed consumers.”

The OpenEoX TC aims to standardize and promote OpenEoX, a unified, machine-readable approach to managing and sharing EoL/EoS information for both commercial and open source software and hardware. This approach helps vendors, consumers, and the broader security ecosystem reduce risks and improve operational resilience.

The TC encourages participation from product vendors, open source communities, security researchers, government agencies, and any organization managing EoL products. New members are welcome and participation in the TC is open to all through membership in OASIS. 

Media Inquiries:
communications@oasis-open.org

The post OASIS Members Publish White Paper to Advance Global Framework for Coordinated Product End-of-Life Security Disclosures appeared first on OASIS Open.

As we kick off the second quarter of 2025, it's a good time to reflect on the incredible progress we've made together at LF Decentralized Trust (LFDT). LFDT was launched last fall to support a fast-evolving decentralized future through open source collaboration, with a focus on digital trust, interoperability, identity, and decentralized infrastructure. We hit the ground running, making 2024 a landmark year. And now 2025 is off to a fast start across our industry and certainly within the LF Decentralized Trust global community!

Kia ora,

Welcome to the April edition of the DINZ newsletter. As we navigate this period of transition, our commitment to advancing digital trust in Aotearoa remains unwavering. This month brings exciting updates on upcoming events, new members, and important industry developments.

Last Chance: DISTF Survey Closing Soon!

Don’t miss your opportunity to help shape the future of Digital Identity in New Zealand. Our Digital Identity Services Trust Framework (DISTF) survey closes next Monday, 5 May. Your insights will guide the DINZ DISTF Working Group’s priorities and advocacy efforts. This survey is open to both DINZ members and non-members. Your input is important as we work to maximise the benefits of this framework for all New Zealanders.

Take five minutes to complete the survey.

Digital Trust Hui Taumata Update

Planning for our landmark event is progressing well, with speakers now confirmed including Ministers Judith Collins and Scott Simpson, along with Deputy Privacy Commissioner Liz MacPherson. Additionally, we are well advanced with two terrific international keynote speakers thanks to DINZ member sponsors. We’re pleased to report that sponsorship commitments are tracking positively, reflecting the growing importance of digital trust in our national conversation.

Mark your calendars (12 August 2025, Te Papa, Wellington) for this premier industry gathering that will bring together leaders and innovators in the digital trust space. Register your interest here.

Member News

Kudos to MyMahi’s Stefan Charsley for his prestigious Kim Cameron award enabling him to attend IIW 40 earlier this month, wonderfully reported on by co-founder Phil Windley here. As a regular attendee on DINZ’s Coffee Chats, we hope he’ll be able to share his knowledge and perspectives gained. While on the subject of awards it was great to see MinterEllisonRuddWatts honoured in Best Lawyers.

RNZ reports that the Department of Internal Affairs has issued a tender for a “new genuine face capture solution”, and notably its Trust Framework Authority issued an RFI for digital ID services accreditation infrastructure writes Biometric Update. 

Our DINZ community continues to grow! We’re delighted to welcome Cybercure, LuminPDF and just in, OriginID and BeyondTrust. 

See all organisation members here.

Policy and Submissions

The DISTF Working Group coordinated our response to PaymentsNZ’s Next Generation Payments consultation, highlighting the critical role of digital identity in future payment ecosystems. The working group also submitted feedback on the DISTF Rules revision last week, continuing our advocacy for pragmatic and effective trust frameworks.

DINZ’s reputation for thoughtful high quality submissions continues to grow and these two above are no exception. View our submissions here.

International Engagement

We were fortunate to welcome back Zygma’s Richard Wilsher during his brief visit to New Zealand this month – two years since he delivered this highly thoughtful webinar. Richard met with both the DISTF Working Group and the Trust Framework Authority, sharing his valuable international perspectives and expertise. 

Ministerial Engagement

As part of a FinTechNZ delegation that included DINZ member Middleware, our outgoing Executive Director Colin Wallis met with Minister of Commerce and Consumer Affairs Scott Simpson. Smooth accessible digital identification is a crucial enabler for fintech innovation and the upcoming Customer Product and Data Act.

International News

International ID Day (9 April) saw attendance from several New Zealand organisations. If you missed it, catch up here. UK Digital Identity Developments: The saga currently playing out in the UK may prove the adage once again that ‘Trust Takes Years To Build, Seconds To Break And Forever To Repair’. First it was Industry stakeholders expressing concerns over the government’s digital wallet approach, which saw the Digital Identity and Attributes Trust Framework (DIATF) community advocating for alternative approaches. Then came Government facing claims of serious cyber security and data protection issues in One Login digital ID system extended by The Telegraph including commentary from DINZ Coffee Chat attendee Mark King.

Executive Director Search Update

The DINZ Executive Council is currently interviewing the candidate shortlist with an announcement expected shortly. We appreciate your patience during this transition period. 

We value your continued support and engagement as we work together to advance digital trust in Aotearoa New Zealand.

Ngā mihi nui,

The team at Digital Identity NZ

Upcoming events, new members, and industry developments.
Read full news here: Moving Forward Together

SUBSCRIBE FOR MORE

The post Moving Forward Together appeared first on Digital Identity New Zealand.

“Cypherpunks wouldn’t just critique the surveillance state—they’d also call out us technologists for enabling it. We were supposed to resist, not retrofit.”

Christopher Allen recently talked with Tereza Bízková in an interview that was published to the front page of Hackernoon. It was headlined “The Co-Writer of TLS Says We’ve Lost the Privacy Plot”. In it, Christopher talks about what privacy means to him, what he thinks about recent privacy efforts, how centralization has become a problem, and how all of this connects to work done by the cypherpunks in the ’90s.

Perhaps most importantly, Christopher answers the question: what would be non-negotiable for a new privacy-first system today? His answer unsurprisingly reflects our vision here at Blockchain Commons, built on data minimization, progressive trust, and limited scale.

Privacy is one of the fundamental Gordian Principles, but probably the one we talk about the least, as so much of our focus is on resilience (such as #SmartCustody) or on independence and openness (as reflected in our attention to interoperability). Read “The Co-Writer of TLS Says We’ve Lost the Privacy Plot” for much more on why privacy is important and what exactly it is!

Describe your service/platform/product and how it’s using FIDO authentication.

Microsoft Account (MSA) powers consumer-facing experiences across services like Xbox, Microsoft 365, Copilot, and more. In 2023, Microsoft began rolling out passkey support across these services, allowing users to sign in with a face, fingerprint, or device PIN instead of a password. By integrating FIDO credentials, we made it easier, faster, and significantly more secure for over a billion users accessing their Microsoft accounts, by removing the need for passwords.

What were the challenges you were trying to overcome?

We set out to solve three major challenges:

Security: Passwords are inherently insecure and highly vulnerable to phishing and brute force attacks. In 2024, we observed more than 7,000 password attacks per second.

User experience: Passwords are frustrating—users forget them, reuse them, or mistype them. We wanted a sign-in experience that users could succeed at the first time, every time.

Adoption at scale: We needed a solution that could work across devices and platforms while meeting high usability expectations for a global user base.

Why did you choose FIDO authentication over other options? What did you identify as advantages of implementing FIDO?

FIDO credentials offer the ideal combination of security, usability, and interoperability. They are resistant to phishing and credential theft, and they eliminate the need for shared secrets like passwords. FIDO credentials also enable seamless cross-device and cross-platform experiences—critical for consumer use cases. In testing, we found that passkeys delivered both improved security and a dramatically better user experience. 

Describe your roll out of FIDO authentication.

Microsoft took a phased approach. We started by enabling passkeys for MSA sign-ins across consumer services like Xbox and Copilot. From there, we made UX changes to prioritize passwordless options. New Microsoft Accounts are now passwordless by default, and existing users are guided to enroll a passkey during or after sign-in. Throughout this process, we have worked closely with platform partners like Apple and Google, and continued our long-standing collaboration with the FIDO Alliance to ensure our approach aligns with industry standards. For a more detailed look at our approach, refer to Convincing a billion users to love passkeys: UX design insights from Microsoft to boost adoption and security.

What data points can you share that show the impact FIDO authentication has had?

The impact has been significant:

We now see over one million passkeys registered every day. Users signing in with passkeys are three times more successful (95% success rate vs. 30% for passwords). Passkey sign-ins are eight times faster than traditional password + MFA flows. Our passwordless-preferred UX has already reduced password use by over 20%.

These results confirm that FIDO authentication improves security, boosts user satisfaction, and reduces operational burdens like password resets and support calls.

Read more in the Microsoft blog.

Describe your service/platform/product and how it’s using FIDO authentication.

Nikkei Inc. and the Nikkei Group pursues its mission “to be the most trusted, independent provider of quality journalism to a global community, helping our customers make better decisions.” We offer various media services, including the Nikkei, which serves as the cornerstone of our role as a news organization. The integrated ID platform supporting the Nikkei Group’s digital services, including our core service, the Nikkei Online Edition, is “Nikkei ID.”

Nikkei ID, which offers a wide range of services, has long faced the challenge of balancing security and usability. While we have implemented measures such as improving the login experience with OpenID Connect and introducing two-factor authentication and CAPTCHA (*1) to reduce the risk of unauthorized access, addressing security risks associated with password leaks and reuse, as well as countering increasingly sophisticated attacks, has been difficult.

(*1)A security authentication method to verify that a user is human.

In this context, as FIDO authentication has evolved and the threshold for introducing passkeys to services has lowered, Nikkei ID has proceeded with consideration and implementation with high expectations. Currently, we are expanding functionality to support not only web services but also mobile apps, and aiming to promote the adoption of passkeys through increased user awareness via internal and external blog posts, presentations, and guidance at the Nikkei ID Lounge Help Center.

What were the challenges you were trying to overcome?

The primary goal is to balance security and user experience. Many Nikkei ID users are not accustomed to digital services, so simply enhancing security is not enough. For example, while the introduction of CAPTCHA can prevent brute-force password attacks, it can also become a barrier for users who cannot pass the Turing test (*2), leading to increased support inquiries and added burden on customer service.

(*2) A test to determine whether something is ‘human-like’.

However, FIDO authentication (passkeys) achieves high security and user experience through integration with OS and platforms as a standard. This allows us to replace security measures that reduce risks associated with password authentication but negatively impact UX with passkeys.

Why did you choose FIDO authentication over other options? What did you identify as advantages of implementing FIDO?

The following two options were considered as alternatives to FIDO authentication (passkeys):

Mandatory implementation of two-factor authentication such as TOTP or email verification Social login using other ID platforms

As a result of comparing these options, we believe FIDO authentication (passkeys) offers the following advantages:

It allows for gradual transition by adding authentication on top of existing password authentication  It enables the use of higher UX authentication methods such as biometric authentication  It fundamentally resolves the risks associated with passwords

When it came to actual implementation, the aspect of “additional authentication” was particularly significant. In other words, it allows for implementation in a loosely coupled and highly cohesive manner without disrupting the existing ID model. The WebAuthn specification provides simple interface libraries and APIs for both backend and frontend on each platform, making secure implementation easy. Additionally, since existing authentication methods can be retained, the advantage of not significantly increasing support workload was also substantial.

Describe your roll out of FIDO authentication.

We implemented our own solution using the open-source backend library WebAuthn4J for FIDO authentication. We chose WebAuthn4J not only for its clear data model but also because it passed the FIDO2 Test Tools provided by the FIDO Alliance. For the frontend, we developed our own implementation that directly interacts with the WebAuthn API. Additionally, we created a test library to emulate FIDO authentication, enabling 24-hour automated testing as a comprehensive test of these implementations.

The rollout of FIDO authentication (passkeys) was carried out in the following steps:

Internal beta testing to gather feedback and monitor usage White-box and black-box testing by external security companies Public release to all users

What data points can you share that show the impact FIDO authentication has had?

Since it was just released in February this year, we cannot provide detailed numbers yet, but thousands of users are already using passkeys. Additionally, we have heard that there have been almost no inquiries about how to use passkeys at the support desk, and we recognize that passkeys are being used smoothly.

Resources

The test library that emulates FIDO authentication, mentioned in the implementation section, is publicly available as Nikkei’s open-source software. You can obtain it from the following https://github.com/Nikkei/nid-webauthn-emulator

For authorization after completing FIDO authentication (passkeys), we use Authlete, an OpenID Connect platform. In this case study, we express our enthusiasm for the introduction of FIDO authentication (passkeys). (At the time of this presentation in 2023, passkeys were still under consideration) https://www.authlete.com/ja/resources/videos/20231212/02/

Technical blog article during the consideration stage of implementation: https://hack.nikkei.com/blog/advent20241221/

VicRoads achieves up to 80% industry-leading passkey activation rate for nearly 5 million users with Corbado

Background: VicRoads

VicRoads is the vehicle registration and driver licensing authority in Victoria, Australia. It registers over six million vehicles annually and licenses more than five million drivers. 

Operating as a joint venture between the Victorian State Government, Aware Super, Australian Retirement Trust, and Macquarie Asset Management, VicRoads is a critical provider of public services in the state.

Challenge: seamless and cost-effective authentication for government services 

VicRoads aims to become Australia’s most trusted digital government service providers by delivering secure, frictionless services to millions of people. 

Given the importance of the data that VicRoads holds on behalf of its customers, security has always been a primary consideration. 

In the past, to support protection of customer data, VicRoads mandated multi-factor authentication (MFA) for all user accounts via SMS one-time passwords (OTPs) and authenticator apps. 

Passkeys leverage biometrics, facial recognition, a PIN or a swipe pattern in the sign-in process. Unlike traditional MFA, passkeys require both the device storing the private key and local authentication, meaning they are both phishing-resistant and cost-effective.

Solution: Corbado provides a no-risk, passkey-first solution with minimal integration effort

 VicRoads worked with passkey vendor Corbado, prioritizing a proven approach rather than building a solution from scratch.

Corbado’s deep understanding of both customer experience and the latest authentication technology gave VicRoads confidence that customers would find using passkeys easy.  

Corbado also provided in-depth technical guidance on passkey-specific challenges, including browser compatibility, recovery flows and user experience optimizations – further solidifying VicRoads’ confidence.

“We selected Corbado because it could integrate passkey functionality into our existing infrastructure without disruption to our customers and operations”, said Crispin Blackall, Chief Technology Officer, VicRoads.

Implementation: pre-built, passkey-optimized components & SDKs enable quick integration

Corbado Connect seamlessly integrated with VicRoads’ existing infrastructure and CIAM, which is deeply embedded within the organization’s enterprise stack. This passkey enablement was achieved without requiring a migration of user data or authentication methods, ensuring a smooth and efficient transition for millions of users.

By layering passkey functionality on top of VicRoads’ current authentication system, Corbado enabled a frictionless deployment while preserving all existing user credentials. This approach eliminated the disruption and risks often associated with introducing new technology.

To ensure a smooth transition, VicRoads implemented passkeys in a phased rollout, beginning with personal customers. This gradual deployment, supported by Corbado Connect’s rollout controls, enabled VicRoads to monitor performance, address potential issues and optimize the user experience before seamlessly extending passkey authentication to partner and business customers.

Results: customers love passkeys, with up to 80% passkey activation rate in the first weeks

Within the first weeks of deployment, passkey adoption significantly exceeded VicRoads’ expectations. Users embraced the phishing-resistant authentication method, benefiting from a frictionless login experience optimized for speed and security.

The exceptionally high passkey activation rate – peaking at 80% on mobile devices and over 50% across all platforms – led to 30% passkey login rate within the first seven weeks. Uptake continues to rise steadily, translating into measurable operational benefits, including:

Reduced authentication-related support tickets Lower SMS OTP costs Improved user experience and security.

So far, VicRoads has successfully rolled out passkeys on its web portal. The next step is to integrate passkeys into its native apps – myVicRoads and myLearners – allowing users to leverage their existing passkeys without additional setup. Ultimately, once passkeys are fully implemented across all digital platforms, VicRoads aims to eliminate passwords entirely, maximizing security and fully embracing a passwordless future.

“Passkeys are easy to use, without compromising on security. We’re excited to give our customers a simpler, more secure way to handle their registration and licensing services,” said Crispin Blackall, Chief Technology Officer, VicRoads.

Opportunity: setting a new standard for government authentication 

With one of the largest public sector passkey deployments globally, VicRoads has established itself as a digital leader in authentication modernization for government applications. 

Achieving high adoption rates without disruption, VicRoads has proven that large-scale organisations can enhance security and improve user experience simultaneously. This success positions VicRoads as a benchmark for other government agencies looking to modernize their authentication strategies.

“Passkeys represent a paradigm shift in how we authenticate users to digital identity services,” said Andrew Shikiar, Chief Executive Officer of the FIDO Alliance. “VicRoads’ adoption of passkeys showcases how government agencies can leverage this industry-wide innovation to protect people’s data while simplifying access to critical services. This is a significant step towards a more secure and efficient digital future for Victoria and beyond.”

Next Steps: developing next generation authentication

VicRoads’ ongoing partnership with Corbado ensures it remains at the forefront of authentication innovation while maintaining a seamless user experience for its expanding digital service base. A key advantage of Corbado’s managed passkey service is its built-in adoption-enhancing optimisations, ensuring continuous improvements and seamless WebAuthn conformity with all future WebAuthn updates.

With this initiative, VicRoads has paved the way for broader adoption of passkeys in the government and public sector, proving that secure, frictionless authentication at scale is achievable.

About Corbado

Corbado is a leading provider of passkey solutions, enabling enterprises and government agencies to deploy passkey authentication seamlessly, without user migration. Corbado’s focus is on maximizing adoption in large-scale deployments. As a FIDO Alliance member, Corbado’s solutions ensure high adoption rates, enhanced security, and a frictionless user experience. Visit https://www.corbado.com/.

Describe your service/platform/product and how it’s using FIDO authentication.

With over 55 apps across nearly every major business category, Zoho Corporation is one of the world’s most prolific technology companies. Headquartered in Chennai, India, Zoho is privately held and profitable, employing more than 18,000 people worldwide. Zoho is committed to user privacy and does not rely on an ad-revenue business model. The company owns and operates its data centres, providing full oversight of customer data privacy and security. Over 100 million users globally—across hundreds of thousands of companies—trust Zoho to run their businesses, including Zoho itself. For more information, visit zoho.com.

What were the challenges you were trying to overcome? 

Secure and easy log in instead of traditional authentication methods. 

Why did you choose FIDO authentication over other options? What did you identify as advantages of implementing FIDO?

Improved security, supporting documents and community.

Describe your roll out of FIDO authentication. 

We rolled it ourselves via our IAM team. 

We first rolled out passkey authentication for zoho.com (100mn + users)

Rolling out passkey management in our password manager Zoho Vault in May, 2025

What data points can you share that show the impact FIDO authentication has had?  

30% increase MoM in passkey adoption

10% drop in password reset queries 

Resources

https://help.zoho.com/portal/en/kb/accounts/sign-in-za/articles/passkey https://www.zoho.com/vault/features/passkeys.html

Describe your service/platform/product and how it’s using FIDO authentication.

Samsung Electronics’ Galaxy smartphones support fast and convenient logins through biometric authentication and FIDO protocols.

What were the challenges you were trying to overcome?

FIDO-based passkeys are transforming the way users access websites and apps by eliminating the need for traditional usernames and passwords. Instead of being stored on a server where they could be exposed, passkeys are securely stored on the Galaxy device, enabling quick and secure sign-ins using biometric authentication.

Why did you choose FIDO authentication over other options? What did you identify as advantages of implementing FIDO?

FIDO enables secure authentication without transmitting users’ biometric data outside the device. Its ease of use, speed, compatibility across services, and status as an industry standard made it a compelling choice for Samsung Electronics.

Describe your roll out of FIDO authentication.

We have integrated FIDO authentication directly into our devices, enabling users to access it out-of-the-box. We continue to expand FIDO support across more Galaxy models and software updates.

Resources 

https://www.samsung.com/levant/support/apps-services/how-to-create-and-use-a-passkey/ https://www.samsung.com/ca/support/apps-services/how-to-create-and-use-a-passkey/ https://news.samsung.com/in/the-knox-journals-the-passwordless-future-of-security

Describe your service/platform/product and how it’s using FIDO authentication.

Our mobile banking app is our bank’s largest branch, serving over 1,200,000 customers each month. These customers require the best protection against identity theft attacks, and we provide the most robust and innovative solutions, always prioritizing the best user experience. ABANCA Key is a new identity verification service based on FIDO standards. It was launched after years of research by leading players to prevent identity theft attacks. Using passkeys, ABANCA Key provides the highest level of protection. It is impossible to guess or reuse them, so they protect our customers’ private information from attackers. 

What were the challenges you were trying to overcome?

On one hand, there’s the security challenge. The rise of phishing through calls and SMS messages in Spain has become a plague and a real problem for administrations, mobile operators, and financial institutions but on the other hand, there was the need to maintain the best user experience with the least friction. Passkeys give us a framework for interoperability and standardization, which provides us with ease of implementation and deployment. However, above all, and for the first time in the security industry, it provides a framework of homogeneity to achieve a frictionless user experience.

Why did you choose FIDO authentication over other options? What did you identify as advantages of implementing FIDO?

We chose FIDO for many reasons: for its future strategy, as it allows us to follow many ways, including MFA and passwordless, for trust, as the FIDO Alliance includes leading players in security, operating systems, infrastructure, and mobile ecosystem; and for the standardization and homogenization what it give us, which reduces implementation, deployment and roll out times.

Describe your roll out of FIDO authentication.

To deliver the best user experience, we’re committed to having the deepest possible understanding of the technology. This enables us to effectively identify and resolve issues, and to better understand user behavior. We became our own partner by developing our own platform based on the FIDO standard and certifying it as if it were a provider.

We rolled out the deployment in phases. In under five months, we had the development of both server and  front-end (iOS and Android) ready, and we began the rollout in an initial phase with our employees, and subsequently to end customers in batches. In just seven months, we were already in a general roll out to all customers.

What data points can you share that show the impact FIDO authentication has had?

More than 42% of our customers are already using ABANCA Key More than 11,000,000 high-risk transactions has been protected with ABANCA Key without technical or service incidents  Customer roll out ran without technical or service incidents, and most importantly, with our customer journey UX to sign in ABANCA Key and to use it, we’ve managed a Customer Effort Score (CES) of 4.7. 

Please provide any links or resources that you feel would be useful in developing this case study.

https://comunicacion.abanca.com/es/noticias/abanca-primer-banco-espanol-en-implantar-la-tecnologia-de-llaves-de-acceso-en-la-banca-movil-para-reforzar-la-seguridad-de-sus-clientes/ https://www.abanca.com/es/banca-a-distancia/llave-abanca/

Out of the blue, I received a text from my father asking me, “What’s the difference between a password and a passkey?” 

Somewhere, in his daily online journey, he was prompted by a website or application — a “relying party” in authentication lingo — to create a passkey. But the benefit wasn’t clear to him. Nor did there seem to be any urgency. He figured I’d know what passkeys are and what to do the next time he gets a nudge to set one up. I told him, “Let’s talk before you do anything.”

Your phone, computer and tablet is now at risk, as the nightmare of AI-powered attacks comes true. There are now multiple warnings into the use of mainstream AI platforms to design, develop and even execute attacks that are almost impossible to detect.

To add to recent reports from Symantec and Cofense, Guardio also now warns that “with the rise of Generative AI, even total beginners can now launch sophisticated phishing scams — no coding skills needed. Just a few prompts and a few minutes.”

And Microsoft has just told users the same. “AI has started to lower the technical bar for fraud and cybercrime actors looking for their own productivity tools, making it easier and cheaper to generate believable content for cyberattacks at an increasingly rapid rate… AI-powered fraud attacks are happening globally.”

In the MyData Matters blog series, MyData members introduce innovative solutions that align with MyData principles, emphasising ethical data practices, user and business empowerment, and privacy. By: Ronni K. Gothard […]

Apple’s new Passwords app (introduced with iOS 18, iPadOS 18, and macOS Sequoia) is a big leap forward in making password management simple and user-friendly for Apple users, even if it’s not as robust as other password managers. If you’ve ever fumbled through Safari settings to find a saved login or toggled through iCloud Keychain menus to edit credentials, the Passwords app is for you. It’s designed to give you a dedicated home for all your saved login credentials, passkeys, Wi-Fi passwords and two-factor authentication codes, all in one secure, easy-to-navigate interface.

ABANCA has achieved international FIDO certification for the Llave ABANCA service, the digital identity verification technology solution developed by the bank that allows customers to validate mobile banking transactions securely and quickly by unlocking their phone.

The FIDO ( Fast IDentity Online ) certification has been granted by the FIDO Alliance, the leading international association promoting digital authentication standards that are more robust and simpler than passwords or one-time codes. This consortium is made up of the world’s leading technology companies—Google, Apple, Microsoft, Amazon, and Visa, among others—who have joined forces to promote more robust and user-friendly digital identity methods. With the FIDO certification of Llave ABANCA, this global alliance accredits that the solution implemented by the bank meets the highest standards of online identity verification.

Poznań, Porto, Bruges, Budapest—Today, the European community of Linux Foundation Decentralized Trust announced the launch of its European Chapter. Our goal is to create a vibrant and inclusive community that contributes to LF Decentralized Trust projects. We aim to serve as the regional center for LF Decentralized Trust project development by offering mentorship, support, and a platform for promoting decentralized technologies, including distributed ledger technologies, tokenization, stablecoins, and digital identity.

Going passwordless is difficult for a lot of companies, even the ones with “security” in the name.

Jim Taylor, chief product and technology officer (and resident IT professional) at RSA Security, spoke with IT Brew about lessons learned as he led the deployment of passkeys, biometrics, and other non-password implementations across the organization. Two major keys to passwordless success, he said, included having lots of options and lots of patience.

“There’s no big switch. I wish there was a big red button that you could just press and go, ‘Ta-da!’ with passwordless, right? It doesn’t work like that,” Taylor told IT Brew.

Inverid has joined the FIDO Alliance. A release from the Dutch identity verification firm says it will bring expertise in document authenticity verification to FIDO users of DocAuth document authenticity specifications.

We’re excited to welcome Oír Más as one of our new Matchbox partners. Oír Más is a radio collective dedicated to amplifying the voices of diverse communities through radio experimentation.

The post From memory to action: Radio as a tool for a healthier information ecosystem appeared first on The Engine Room.

Ecosystem-Orchestrator für die Deutsche EUDI-Wallet

Die Einführung der EUDI-Wallet in Deutschland, basierend auf der novellierten eIDAS-Verordnung, stellt eine zentrale Herausforderung dar, um bis 2026 eine sichere, digitale Identitätslösung für Bürger bereitzustellen. Ziel ist es, ein umfassendes Ökosystem zu schaffen, das öffentliche Institutionen, privatwirtschaftliche Akteure und Regulierungsbehörden integriert. Dieses Ökosystem soll nicht nur technische Standards und Prozesse etablieren, sondern auch die Akzeptanz der Bürger fördern und die rechtlichen Rahmenbedingungen gewährleisten.

Die Autoren dieses Whitepapers schlagen eine Public-Private-Partnerschaft in Form einer Genossenschaft als neutralen Ecosystem-Orchestrator vor. Diese Genossenschaft soll:

Demokratische Governance bieten, mit transparenter Kontrolle und Einflussmöglichkeiten für alle Mitglieder. Kostendeckendes Finanzierungsmodell durch Mitgliedsbeiträge und Sonderzuwendungen implementieren. Zentrale Aufgaben wie Zertifizierung von Wallets, Registrierung von Verifizierungsstellen und Förderung der Kommunikation zwischen Akteuren übernehmen. Herausforderungen für die neue Bundesregierung

Die Bundesregierung ist durch die Verordnung [(EU) 2024/1183] dazu verpflichtet, bis Ende 2026 eine EUDI-Wallet für alle Bürger bereitzustellen, in der Ausweisdaten in elektronischer Form sicher gespeichert werden können. Die vollständige Umsetzung des EUDI-Wallet Ökosystem hat bis 2027 zu erfolgen. Das Bundesinnenministerium bereitet seit Mai 2023 die Konzeptionierung und Umsetzung der deutschen Wallet-Lösung federführend vor. Um die Akzeptanz bei den Bürgerinnen und Bürgern zu fördern, ist es nicht nur erforderlich, die technische Infrastruktur bereitzustellen, sondern auch ein umfassendes Ökosystem aufzubauen. In diesem Ökosystem interagieren privatwirtschaftliche Akzeptanzstellen, zertifizierte Vertrauensdienste, öffentliche Einrichtungen aus Bund und Ländern sowie Regulierungsbehörden und Zertifizierungsstellen miteinander. Der Aufbau eines solchen Ökosystems stellt eine hochkomplexe Aufgabe dar. Sie erfordert die Etablierung von Standards und Prozessen, die von allen beteiligten Privatunternehmen und öffentlichen Institutionen geteilt und umgesetzt werden können. Dabei steht die Berücksichtigung der Interessen der Bürgerinnen und Bürger im Vordergrund. Zudem müssen alle rechtlichen Rahmenbedingungen eingehalten, die missbräuchliche Nutzung persönlicher Daten verhindert und ein attraktives Investitionsumfeld für die Unternehmen der Privatwirtschaft geschaffen werden.

Aufbau des EUDI-Wallet Ökosystems als Public-Private Partnership mit neutraler Governance

Die Autoren dieses Whitepapers plädieren für eine Public-Private-Partnerschaft als Ecosystem Orchestrator, die sich in einer Genossenschaft organisiert. Die Genossenschaft hat den Zweck, die Interessen aller Genossenschaftsmitglieder – also aller Akteure im EUDI-Wallet Ökosystem – gleichermaßen zu fördern. Die Genossenschaft benötigt eine demokratische Governance, die Einfluss, Kontrolle und Transparenz ggü. den Mitgliedern ermöglicht. Sofern die Genossenschaft selbst keine Investitionen tätigt, sollte ihre Satzung eine not-for-profit Klausel beinhalten, sodass lediglich die Kosten gedeckt werden müssen, die sich am Bedarf der Mitglieder orientieren. 

Die Genossenschaft sollte durch die nachstehenden Organe gesteuert werden.

Generalversammlung: Bildet das höchste Entscheidungsgremium der Genossenschaft. Jedes Mitglied erhält ein Stimmrecht. Die Summe der Stimmen von Nicht-Europäischen bzw. investierenden Mitgliedern darf 25% nicht überschreiten. Vorstand: Führt das Tagesgeschäft und übernimmt die Verantwortung für die Umsetzung der Governance und der Strategie. Aufsichtsrat: Bildet das Kontrollorgan des Vorstands. Ecosystem Coach: Stabstelle als Mediator zwischen den Akteuren zur Offenlegung und Management von Interessenskonflikten.

Öffentliche Institutionen sollten die Genossenschaft gründen, ein Regelwerk in Form einer Satzung definieren und den Beitritt von Akteuren der Privatwirtschaft ermöglichen. Es sind dabei sämtliche Akteure der Rollen aus der eIDAS-Novelle wie bspw. PID-Provider, Pub-EAA-Provider, (Qualified) Trust Service Provider, Wallet Provider und Trust List Provider einzubinden.

Finanzierungskonzept: DieFinanzierung der Betriebskosten erfolgt durch Mitgliedsbeiträge. Werden temporärMittel für bestimmte Zwecke benötigt, kann eine Finanzierung in Form von Sonderzuwendungen der Mitglieder erfolgen.

Aufgaben: Interessen der Mitglieder fördern, Kommunikation zwischen den Mitgliedern erleichtern, Wallets zertifizieren, Verifizierungsstellen registrieren, rechtliche Fragestellungen klären, öffentliche Kommunikation bündeln, Durchdringung der EUDI-Wallet messbar machen, Schnittstellen bereitstellen, etc.

Opt-Out: Die Mitgliedschaft kann ordentlich gekündigt werden. Erkenntnisse aus einer Risikoanalyse zu Opt-Out Szenarien sollten bei der Erstellung der Satzung berücksichtigt werden.

Fazit

Um das Ökosystem für die deutsche EUDI-Wallet aufzubauen ist ein neutraler Ecosystem-Orchestrator erforderlich, der gemeinsam mit öffentlichen und privatwirtschaftlichen Organisationen ein Ökosystem für die deutsche EUDI-Wallet aufbaut. Dies kann, wie vorliegend aufgezeigt, durch eine Genossenschaft abgebildet werden, in der alle Akteure des Ökosystems kartellrechtskonform und strukturiert kooperieren.

Über die Autoren

Die IDunion SCE mbH ist die Nachfolgeorganisation eines vom BMWK-geförderten Konsortiums im Programm „Schaufenster sichere digitale Identitäten“. Die Europäische Genossenschaft wurde durch ihre Mitgliedsunternehmen mit dem Betrieb eines digitalen Vertrauensankers beauftragt.

Over the past three years, a dedicated research team from IDunion has been working intensively on the Digital Product Passport (DPP).  

In the last two years, our focus shifted from theory ( a joint publication with key partners [→ read the paper here]) to hands-on implementation resulting in a Demo –  DPP solution that is:

Data Carrier Agnostic: The product link can be embedded into any data carrier listet in Landscape of Digital Product Passport Standards | StandICT.eu 2026. Product Agnostic: Our DPP works with any type of product, whether batch-based, lot-based or individual instances. Automatic Identification of the Requester: The solution aligns with #eIDAS2.0 by supporting decentralized identification of individuals and organizations. Technology Stack Independent: The DPP can be accessed without downloading a additional app and lowers the threshold for adoption and enhances usability. Lightweight & Semantically Rich: Information is delivered  through Verifiable Credentials (VCs) and semantic data schemas, ensuring seamless interoperability. Additionally, we use W3C Decentralized Identifiers (DIDs) to guarantee unique, globally resolvable product IDs. Cryptographically Verifiable: All data within the DPP is cryptographically signed, enabling validation of authenticity and trust without central intermediaries. Trust Infrastructure Support: Establishing trust over the data and integration with Digital Identity Trust Anchors is possible, ex by using the eIDAS 2.0 mechanism and the EU Trust infrastructure proposed for natural and legal entities. Demonstration: Digital Product Passport System for Battery

Our final demo phase featured a live demonstration of a DPP tied to a battery cell used in an electric scooter.

The goal was to simulate how a real-world DPP can accompany a product through its entire lifecycle — from raw material extraction to end-of-life recycling.

We explored the perspectives and requirements of key stakeholders, including: Miners, Battery pack manufacturers, Economic operators, Consumer, Recyclers and Government and public interest organizations

Through interactive demonstrations, we answered key questions in real time, illustrating how a decentralized, interoperable, and trustworthy DPP can benefit every actor along the value chain.

For more detailed insights and demo material, check out the links below:

German: https://idunion.org/piloten/sichere-digitale-identitaeten-fuer-produkte/ English: https://idunion.org/piloten/en/sichere-digitale-identitaeten-fuer-produkte/ A Huge Thank You to Our Partners

his project would not have been possible without the creativity, technical expertise, and dedication of our fantastic partners.

Dr. Andreas Füßler (GS1 Germany), Florin Coptil ( Robert Bosch GmbH), Werner Folkendt (Robert Bosch GmbH), Dominic Hurni (SBB),  Cornelia Schalch (SBB), Johannes Ebert (Spherity GmbH) , Sebastian Schmittner (European EPC Competence Center GmbH) , Christian Fries (European EPC Competence Center GmbH), Paulina Drott (GS1 Germany), Dr. Susanne Guth-Orlowski, Ralph Troeger (GS1 Germany), Roman Winter (GS1 Germany)

Thank you for your ongoing commitment to shaping the future of product transparency and digital trust.

What’s Next?

With all project goals achieved and deliverables submitted, the DPP demo project is now officially closed.

We’re incredibly proud of what we’ve accomplished and are eager to apply these insights to future initiatives that further the digitization of sustainable and circular value chains.

How accurate is your inventory?

For many retailers, answering that question is more difficult than it appears—especially when inventory counts are only conducted once or twice a year.

In this episode, Dean Frew, President, RFID Solutions Division, SML IIS, sits down with hosts Reid Jackson and Liz Sertl to explore how RFID solves one of retail’s biggest challenges. Dean shares how real-time data at the item level drives results from return fraud to buying online and pick up in store.

He also discusses what it takes to make RFID work at scale, how adoption has changed post-COVID, and why distribution centers are the next frontier.

 

In this episode, you’ll learn:

How RFID improves inventory accuracy

Where retailers are seeing the most significant ROI

New use cases beyond the sales floor

 

Jump into the conversation:

(00:00) Introducing Next Level Supply Chain

(02:20) Dean’s background and RFID journey

(06:35) Improving inventory accuracy with RFID

(12:13) Reducing returns fraud with item-level data

(18:07) How BOPIS impacts inventory and sales

(23:01) Boosting inbound accuracy at distribution centers

(26:14) RFID in checkout and fitting room experiences

 

Connect with GS1 US:

Our website - www.gs1us.org

GS1 US on LinkedIn

 

Connect with the guest:

Dean Frew on LinkedInCheck out SML Group

In early 2025, Blockchain Commons architected and engineered a major project for the Zcash blockchain: the ZeWIF specification that allows all of its wallets to interoperate.

Interoperability is something that I consider vitally important for a technological ecosystem, so I was thrilled that Blockchain Commons could improve interoperability for Zcash. Here’s a bit more on why, what Blockchain Commons did for Zcash, and what I’d like to do for other technological communities.

The Limits of Interop

Obviously, some level of interop is necessary for any ecosystem, or it just wouldn’t work. There was a white paper and there are BIPs for Bitcoin; without them, no one could agree on how the blockchain works. We similarly have specifications, RFCs, and standards for everything from email to graphics file formats.

Unfortunately, there are limits to interop. Standards tend to cover the things that are required for the broadest level of intercommunication within an ecosystem. But when companies begin to work on their own apps, their work often turns proprietary—sometimes aggressively so—and that limits a technological ecosystem’s ability to continue to grow.

As an example, email has standards such as RFC 5322 for how mail servers communicate with each other. When mailers begin storing their mail, things become somewhat more balkanized: you might use a classic mbox format or a single-message eml format or a proprietary format such as Microsoft Outlook’s msg. Finally, there’s no consistency at all for how mailers might algorithmically filter messages: it’s hard to control whether a message ends up in the “Important”, “Everything Else”, or even “Spam” category of Gmail, even if a mailer adopts newer standards such as DKIM, DMARC, and SPF.

Yet, all of these types of interactions are important. If a mail ends up in a Spam folder, that’s almost as bad as it not being delivered at all; if mail can’t be restored from a proprietary mailbox, it’s lost as well. That’s why interop is important.

The Power of Interop

I developed four core architectural fundamentals for Blockchain Commons that I call the Gordian Principles. Of them, Privacy is only peripherally related to the question of interoperability, but the other three highlight why interop is important for the health of any technological ecosystem.

Independence is a user-focused principle. It says that users should be free from external control. This is the heart of my ideas of self-sovereign identity, and it’s the heart of interoperability too. With the ability to export or exchange data in an interoperable way, users don’t get locked into a single platform. Instead, they can choose among a variety of options to find an application, service, or pricing structure that meets their precise needs. Resilience is a data-focused principle. It says that data should be protected from loss. When data output and exchange formats are standardized for interoperability, they become widely used and widely understood. That ensures that they can be recovered far into the future. If you’ve ever tried to recover an old ClarisWorks or WordStar file, you’ve seen how much a non-interoperated file format can damage resilience. In comparison, .rtf files will never be lost and even .docx is pretty good—both because Microsoft Word has an enormous install base and because it’s an XML-based output format. Openness is a creator-focused principle. It says that infrastructure should be open so that new creators can join the ecosystem. When communication is standardized, anyone can develop in accordance with the standards, including newcomers. But, this isn’t just beneficial to creators, it’s also beneficial to users. Without new entrants, an ecosystem can become staid and stagnant. With new entrants, an ecosystem is constantly innovating and expanding. It creates an atmosphere of coopetition: members of the ecosystem cooperate to interoperate, but then compete to offer the best products within those standards.

In other words, interoperability is beneficial for the vast majority of members of the ecosystem: users get more options, more innovations, and freedom of choice; creators get the ability to fairly participate and compete; and data gets strong protections far into the future.

What We Did for Zcash

I was thrilled when members of the Zcash community started talking with me about their needs, because it showed a strong, ecosystem-wide understanding of the need for inteoperability.

But there was also a strong inciting incident that led to the Zcash work: the older zcashd server was being deprecated and so there was a need to migrate digital-asset data from its wallet to others. This also reflected a longer-term issue. Digital assets had sometimes been lost during previous migrations due to differences or even bugs in different wallets.

Obviously, a one-off migrator could have been created, likely linking zcashd with its replacement wallet, zallet. But I approached things from an architectural point of view: I wanted to create an extensible Wallet Interchange Format (that’s the “eWIF” in “ZeWIF”) that would not just enable the zcashd migration, but also allow any migration from one wallet to another within the Zcash ecosystem. I wanted to take the immediate needs and political will and turn it into something that could benefit the community for years to come.

That was the ZeWIF proposal that we put forth. It called for one month of studying Zcash wallet data as it currently exists, then another two months of developing the spec and writing libraries to convert among different wallets using that spec. (That timeline turned out to be a bit ambitious, but we’re closing out the initial design with a fourth month of work.)

As the above diagram shows, the zewif Rust crate lies at the center of the ZeWIF system. It creates in-memory representations of data from a variety of inputs and can output that abstracted data in a numbers of forms. Obviously, it can accept input from ZeWIF files and it can output to ZeWIF files. However, that’s just part of the process. Individual developers can also choose to use create front ends that import data from their wallets to zewif and back ends that export the data from zewif to their wallets.

As we release ZeWIF into the ecosystem, we should see advancements in accordance with the Gordian principles:

Independence. Users will be able to move their funds easily among Zcash wallets. Resilience. Translation of keys and seeds should be more reliable, and if conversion is done using our best practices, there should be clear warnings if anything wansn’t converted. Openness. New wallets can join the ecosystem. If they have innovative features, they can easily pick up new users if they support ZeWIF as an import format.

I’ve been thrilled to have strong support from wallet makers in the Zcash community. That type of buy-in is required to make interoperability work. Zingo Labs, the makers of the Zingo wallet, introduced us to the opportunity and have worked closely with us to fulfill our vision. Meanwhile, ECC has been our next testbed, since they’re using ZeWIF to manage conversions between zcashd and zallet. Other principals have been involved as well, and just as importantly we didn’t receive any pushback from anyone who refused to use the format. (Not everyone has adopted it yet, but we’re just finalizing the complete ZeWIF draft at this point.)

We were fortunate, because that’s not always the case.

What We Did for Bitcoin

This isn’t Blockchain Commons’ first rodeo. Creating interoperability has been Blockchain Commons’ goal since the start, and we’ve done most of our interop work to date with Bitcoin.

Our two biggest successes for Bitcoin have been Animated QRs and SSKR. Animated QRs are a standardized way to move large files across airgaps. That’s the exact sort of intercommunication that has always required interoperability. SSKR is a standardized way to shard a secret, currently focused on Shamir’s Secret Sharing. Because it isn’t just about intercommunication, getting a variety of companies to use it was a bigger victory, because it ensures those secrets will remain accessible and resilient into the far future. Both technologies are integrated with our Uniform Resources, which have been implemented by more than a dozen companies, offering true interoperability.

But these successes have unfortunately been piecemeal. There’s just one company that I’m aware of that’s adopted a pretty wide swath of Blockchain Commons’ Gordian specifications, and that’s our long-time sponsor, Foundation. We most recently worked with them to support QuantumLink, a Post-Quantum-Cryptopgraphy (PQC) method of Bluetooth communication that’s in their new Passport Prime device, but they’ve also implemented URs, Animated QRs, SSKR, and other Blockchain Commons interop specs. As a result, they’ve got well-studied, mature specifications that they didn’t roll themselves and that should be resilient and reliable far into the future. I think that adding in a variety of linked interop specs like this has a multiplicative effect.

I’d love to see more of this in the Bitcoin community, but a lot of people are resistant.

Why People Fight Interoperability

The primary reason that we see people fight interoperability is market dominance. The Bitcoin ecosystem has grown large enough that some of the bigger players have stepped back from inteoperability

I was sad to see ColdCard go this way, after they themselves built on Trezor and other open-source libraries. At least they’ve remained source-verifiable (meaning you can view their code in their repo), at least until you get now to the proprietary chip, but they were once one of maybe three hardware wallets that were fully open-source,and so fully interoperable.

But I think the recent release of Ledger Recover was even more of a tragedy. Here they were offering a big innovation: a way to recover seeds by splitting them up and distributing them off device, similar to Blockchain Commons’ own Collaborative Seed Recovery (CSR). But by keeping their protocol for distributing and recovering seed shares non-interoperable, they kept anyone else from offering seed vaults of their own, instead locking their users into their choices—which were very unpopular due to privacy-busting requirements for KYC information.

The exact opposite approach is taken by another of Blockchain Commons’ long-time developer partners, Craig Raw of the Sparrow wallet. He’s working hard to make Sparrow compatible with everything out there, but the difficulty he faces underlines the issues with the semi-interoperable state of most blockchains. He has to make NASCAR-like lists of otherwise incompatible products and introduce secret sauce to interoperate with each of them. We’re very luck to have the Sparrow wallet working with all of these different devices, but it’s something that would never happen if there weren’t someone as dedicated as Craig working on the project.

For smaller companies, interoperability is a way in. Obviously, you should do it!

For bigger companies, interoperability means both trusting your engineers to provide the best experience and trusting your customers to recognize it. That’s a leap of faith, but one that I’d hope to see most companies make in our industry. After all the idea of personal control is likely one of the reasons that your customers are working with digital assets in the first place!

The Potential for Other Blockchains

I hope that our work with Zcash (and before that with Bitcoin) is just a first step. I’d like to take that experience to other blockchains and offer new interoperability to grow those ecosystems as well.

Even after the work we’ve already done, Bitcoin may still need this sort of work the most, because it’s gotten so big. How could we make migration between wallets easier? Or just the migration of seeds or keys? How could we more widely standardize the backup of seeds with a methodology like Ledger Recover or our own CSR? How could we inteoperate third-party services such as pricing and fee lookups? Every one of these elements of interoperability would improve the ecosystem, but they require a dedication to inteoperability itself.

The same is true for other ecosystems that have gotten large enough to see multiple companies working on projects. Big changes could be the incentive for this, such as Monero’s move to Seraphis. But even without big changes on the horizon, big ecosystems grow to the point where interoperability becomes a requirement: Ethereum has a huge infrastructure built around WalletConnect, but we’ve talked with people in the ecosystem who think there’s real room for improvement. I hope that many chains (and other ecosystems) beyond Monero and Ethereum will see the advantages of improving interoperability for all the reasons I’ve laid out here, particular independence for users, resilience for data, and openness for developers.

Are you a leader working in a digital-asset ecosystem? Would you like to work with me to take lessons learned from the Zcash project to create interoperable wallet formats, data-exchange formats, service formats, or something else? Drop me a line at team@blockchaincommons.com. I’d love to talk about how we can expand your ecosystem as well.

On April 10, EdgeCon Spring 2025 brought together educators, technologists, and institutional leaders at Seton Hall University to explore the evolving landscape of digital teaching and learning. This premier event focused on the powerful intersection of EdTech, innovative pedagogy, and the administrative technologies that support institutional performance and drive student success. With forward-thinking sessions and collaborative discussions, attendees gave  the event an overall 4.7 favorable rating (out of 5) and gained fresh insights into how technology continues to shape the future of education.

Connecting with Graduate Students in the Digital Learning Era

The day’s events kicked off with the breakout session, Connecting with Graduate Students in the Digital Learning Era, presented by Georgian Court University’s Denise Furlong, Assistant Professor, and Janine Ataide, Educator and Graduate Student. As more graduate programs provide online options to meet the needs of working adults, universities must consider different ways to engage these students as valued members of the community even though they may never see the physical campus. Some students report that they feel a sense of belonging and strong collaboration within their program and others feel a sense of isolation in their learning experience. This session explored the different aspects of programs and courses that are important in engaging and empowering graduate students as truly part of the university community, as well as how course design, faculty collaboration, and peer connections can contribute to fostering a sense of belonging among online graduate students.

Navigating the Use of Generative AI in Online Classrooms

As generative AI tools become increasingly prevalent, educators face unique challenges and opportunities in the online classroom. Carol Smith-Cuevas, Associate Director, Learning Engagement & Development, Kean University, discussed effective strategies for responding to students’ use of generative AI in Navigating the Use of Generative AI in Online Classrooms. Attendees explored this topic from a professor’s perspective and learned practical approaches to integrating AI tools into coursework, setting clear guidelines, and promoting ethical use. Smith-Cuevas also explained different ways to design assignments that encourage critical thinking and originality, how to utilize AI detection tools, and resources that can help students to understand the implications of AI-generated content. Attendees left equipped with actionable practices to create a fair, engaging, and academically rigorous online classroom.

Integrating Free AI Training and Micro-Credentials into Learning Environments

Professors John Shannon, Seton Hall University, and Susan O’Sullivan-Gavin, Rider University, led the session, Unlocking the Future of Learning: Integrating Free AI Training & Micro-Credentials into Learning Environments, and explored how educators can seamlessly integrate free, high-quality AI training programs and micro-credentialing opportunities from platforms like MIT OpenCourseWare, Harvard Online, LinkedIn Learning, Google, and others into their courses. Attendees learned how to identify and incorporate free AI training and certification programs that align with course objectives, and strategies for scaffolding these resources into curriculum design to enhance student engagement and skill development. Shannon and O’Sullivan-Gavin also shared helpful methods for leveraging micro-credentials to increase student employability and lifelong learning pathways.

Demystifying AI Literacy

Attendees joined NJIT/NJII’s Learning & Development Initiative to explore critical AI literacy standards for education and beyond. Led by Stefanie Toye, Project Manager, NJIT & NJII, and Dr. Teresa Keeler, Project Manager at The Learning & Development Initiative, NJIT, this presentation shared why these standards are essential, who needs them, and how to implement them effectively. They shared specific ideas about how these standards can be constructed and adopted, and why AI literacy is crucial for K-12 and higher ed educators and administrators.

Advancing Accessible Digital Education at Hudson County Community College

Callie Martin, Senior Instructional Designer, Hudson County Community College, and Joshua M. Gaul, Ed.D., Associate Vice President & Chief Digital Learning Officer, Edge, led the presentation, Building an Inclusive Future: Advancing Accessible Digital Education at Hudson County Community College (HCCC). This breakout session highlighted HCCC’s collaborative efforts with Edge to build a more inclusive and accessible digital learning environment. Through this partnership, HCCC has embraced Universal Design for Learning (UDL) principles to remove barriers and create equitable educational experiences for all students. The session showcased how the college, supported by Edge’s expertise and resources, has implemented student-centered strategies that prioritize accessibility, engagement, and success. Attendees will learn practical approaches to designing inclusive courses and hear firsthand how institutional collaboration can drive meaningful change in digital education.

“I enjoyed the morning presentation that I attended and the Panel Session. NJEdge always does such a great job with these conferences!” Carol Smith-Cuevas
Associate Director, Kean University The Digital and Data-Driven Center for Teaching and Learning

The day continued with the second round of breakout sessions, including The Digital and Data-Driven Center for Teaching and Learning led by John Baldino, OFS, Director, Center for Teaching and Learning, Lackawanna College. He shared best practices for using communication technology, digital content and marketing platforms, artificial intelligence, and collected data to create a sustainable Center for Teaching and Learning model that can help empower CTLs to support faculty in their academic success.

Crafting Collaborative Conversations

Curiosity Catalysts: Crafting Collaborative Conversations, led by Adelphi University’s Karen Kolb, Director, Faculty Center for Professional Excellence, Jennifer Southard, Instructional Designer, and Marilena Orfanos, Instructional Designer, examined research-backed, low-effort strategies that enhance online discussions and collaboration without adding to instructor workload. Participants learned how to design thought-provoking prompts that ignite curiosity, integrate AI and digital tools to support interaction, and implement alternative discussion formats—such as multimedia responses and collaborative annotation—to foster deeper engagement. This session also covered effective ways to maintain instructor presence without micromanaging, and gave attendees ready-to-use techniques to create more engaging, inclusive, and meaningful online discussions.

Supporting Persistence in STEM Learners

Natalya Voloshchuk, Assistant Teaching Professor, and Karen Harris, Senior Instructional Designer and Assessment Specialist, from Rutgers University led the session A Learning Outcomes Strategy for Supporting Persistence in STEM Learners to demonstrate how assessment and feedback can aid in developing self-directed learners by examining an implementation of a deliberate data collection Rubric. They discussed how the Rubric is used to help students identify their strengths alongside the areas to work on toward improvement, while also offering the instructor valuable insights for supporting persistence in STEM courses. Harris and Voloshchuk shared some course-level learning data and reflected on how it might impact learning across a STEM curriculum. They also considered how incorporating learning outcomes in rubrics can help students make connections to work skills they are developing that will support them in internships and research settings. 

The Implications of AI for Next-Generation Education

Steven D’Agustino, Senior Director for Online Programs, Fordham University, joined EdgeCon to explore the transformative impact of AI on education. He began by defining key AI terms such as Machine Learning (ML), Natural Language Processing (NLP), and Neural Networks, and discussed the growing use of AI tools like ChatGPT among students for academic tasks. The presentation highlighted the challenges and opportunities of integrating technology into education, categorizing adoption methods as intentional, accidental, or unilateral, and how the COVID-19 pandemic accelerated unilateral adoption due to necessity. D’Agustino raised concerns about AI’s potential to depersonalize learning, leading to cognitive de-skilling, and creating a sense of futility among students and educators. However, he also outlined four essential tasks for educators in the AI era: curating, contextualizing, creating, and collaborating. The presentation underscored the importance of equity in AI integration and how educators must focus on humanistic ends to ensure that AI is used deliberately and equitably to benefit all students.

A Blueprint for Excellence in Short Course Development and Design

In the session, Beyond the Badge: A Blueprint for Excellence in Short Course Development and Design, Molloy University’s Dr. Amy Gaimaro, Dean of Innovative Delivery Methods, and Susan Watters, Associate Director of Blended and Online Learning, examined the blueprint development of high-quality short courses while embedding quality course design badges. Participants learned how to identify quality criteria for designing courses, establish clear learning objectives and outcomes that align with industry standards and learner needs, and how to address regular and substantive interactions in online asynchronous short courses.

This session was ideal for instructional designers, online administrators, training managers, and educators who were looking to enhance the quality and impact of their short course offerings. Attendees gained strategies for incorporating quality assurance throughout the course development lifecycle, best practices for designing and implementing effective quality badge systems, and actionable steps to improve learner engagement and course effectiveness.

Visions for Online Learning: Evolving Strategies and Institutional Growth

As online learning continues to evolve, institutions must adapt their strategies to meet shifting student expectations, market demands, and technological advancements.  EdgeCon panel discussion, Visions for Online Learning: Evolving Strategies & Institutional Growth, brought together higher education leaders to explore innovative approaches to online learning that drive institutional growth and long-term success. Panelists, Michael Ciocco, Ph.D., Associate Vice President of Online Learning, Rowan University, John F. O’Callaghan, Jr., Vice President for Transformational Learning & Chief Online Officer, Kean University, and Joshua M. Gaul, Ed.D., AVP & Chief Digital Learning Officer, Edge, discussed emerging trends, the role of data and AI in shaping digital learning experiences, strategies for scaling programs sustainably, and the balance between quality, accessibility, and financial viability. Attendees gained valuable insights into how institutions are redefining their online learning strategies to expand access, improve student outcomes, and remain competitive in an evolving educational landscape.

The Rise of Non-Degree Credentials

Afternoon sessions kicked off with The Rise of Non-Degree Credentials–The Future of Higher Education led Michael Edmondson, Associate Provost, NJIT. He shared how traditional higher education is struggling to keep pace with workforce demands and a growing number of companies now favor skills-based hiring over degree-based credentials, with 70% of job skills expected to change by 2030 due to AI and automation. Employers increasingly prefer hiring candidates with business-oriented or technical microcredentials that provide real-world experience and rapid upskilling. Attendees learned how microcredentials can offer a solution by closing the workforce gap, aligning learning with employer needs, and fostering lifelong learning. As businesses prioritize AI, data analytics, and soft skills, microcredentials are emerging as the future of education, providing professionals with the flexibility to adapt and thrive in an evolving job market.

The Growth of Online Education at Rowan University

Mike Sunderhauf, Director of Instructional Design, and William McCool, Online Course Operations Coordinator, from Rowan University led the breakout session, Shaping the Future: The Growth of Online Education at Rowan University, where they shared how Rowan University is undergoing a transformation in its approach to online education, shifting focus from traditional on-campus programs to scalable online offerings. The session explored how Rowan University is reshaping online education through a combination of strategic collaboration, program design, and faculty empowerment, ultimately fostering an engaging and dynamic learning environment for students and instructors alike. Sunderhauf and McCool shared how their learning strategy aligns with a flexible model, allowing instructors to follow a standardized framework while being empowered to update and adapt their courses to meet the needs and interests of each learner group. They showed how this balance between consistency and adaptability fosters both reliability and innovation in the learning process.

 Integrating Virtual Reality into Higher Education

Joining EdgeCon from Seton Hall University, Renee Cicchino, Director of Instructional Design and Training, and Riad Twal, Senior Instructional Designer, gave a closer look into how the University has been experimenting with Virtual Reality since the release of the Google Cardboard Viewer in 2014. In 2024, they acquired a number of Meta Quest Pro devices, allowing for an entire class to participate in a virtual experience at the same time. During the 2024 Fall semester, Seton Hall launched a pilot program examining how they can best facilitate Virtual Reality experiences for graduate and undergraduate classes.  These experiences are informing the development of a Virtual Reality Showcase to formally introduce this technology to their faculty, along with examples of how this technology can be incorporated into various course topics.

This session focused on the instructional designer’s perspective of evolving VR Technology, the introduction of the Quest for Business device management software, initial faculty and student experiences with the Meta Quest Pro devices, future plans for expanded access and utilization, and suggestions for implementation at other institutions.

“Excellent topics and sessions.” Charles Wachira
Senior Director for Teaching & Learning, John Hopkins Carey Business School Using AI in the Math Classroom for English Language Learners

Grace E. Cook, Ph.D., Program Area Lead of Computer and Mathematical Sciences, Montclair State University, has seen an increase in the number of English Language Learners (ELL) in her classroom, particularly students whose primary language is Spanish. By incorporating the use of ChatGPT and Google Notebook into the daily functions of the class, she has been able to make mathematics more accessible. In this session, Cook shared her experiences with teaching in English and Spanish with the assistance of AI and discussed the pros and cons of their uses and what her ELL students list as the positives and negatives of each resource.

Podcasting to Create Interdepartmental Collaboration

In Podcasting to Create Interdepartmental Collaboration and Showcase Faculty Innovation, Seton Hall University presenters, Kate Sierra, Instructional Designer, Teaching, Learning, and Technology Center, and Ann Oro, Senior Instructional Designer, explored how the Teaching, Learning, and Technology Center (TLTC) at Seton Hall launched a podcast series called Innovate and Educate to explore the intersection of technology and teaching. They highlighted how topics such as technology integration, accessibility tools, and other innovations are transforming learning, improving student outcomes, and addressing classroom challenges.

Attendees gained insights into the process of developing and sustaining a podcast, including identifying relevant resources, building an audience, and maintaining engagement. They also learned how this initiative has strengthened institutional resiliency by fostering a culture of innovation and shared learning. Participants were encouraged to consider how podcasting could serve as a scalable, cost-effective strategy for their own institutions to spotlight success stories and support strategic goals.

Creating an Institutional Culture of Accessibility

Many institutions approach accessibility in silos and rely on specialized offices rather than embedding responsibility across the entire campus. In Creating an Institutional Culture of Accessibility, Laura M. Romeo, Ph.D., Director of Learning Innovation, Development, and Scholarship, Edge, shared strategies for shifting to an integrated, institution-wide approach. The discussion looked at governance structures, training models, and change management strategies that can empower all departments to play a role in accessibility. Attendees gained practical insights on overcoming implementation barriers, methods to measure cultural progress in institutional accessibility efforts, and how to foster a culture that moves beyond compliance to true inclusivity.

Celebrating Achievements and Contributions

At this spring event, Edge celebrated the exceptional work of higher education institutions across the region by presenting a series of awards to recognize their impressive impact and accomplishments.

The Preserving Education Through Change Award was presented to Montclair State University (MSU) and accepted by the University’s President, Jonathan Koppell, to recognize the significant vision and leadership by one of New Jerseys signature public universities. As the educational community navigates unprecedented change, it is vital that institutions seek opportunities for collaboration and support. MSU has been a primary example of this kind of support and stewardship in recent years. As MSU itself continues to grow, the institution has also shown a capacity for significant leadership, leading a merger with the former Bloomfield College, now Bloomfield College of Montclair State University. By preserving continuity and quality of educational opportunities at an institution noted for serving first-generation students and those from diverse backgrounds, MSU has strengthened New Jersey’s educational system and the college experience for their students.

In pursuit of educational and operational excellence, institutions across the country are working tirelessly to modernize systems and processes to better serve their communities. As funding and staffing challenges continue to affect institutions of all kinds, the effort to transform the educational experience can be difficult. The Member Technology Transformation Award was given to Felician University to recognize their transformative efforts in modernization through growing engagement with Edge and the member community, as well as a dedicated strategic focus on improvements in university infrastructure, digital experience, and excellence in the delivery of diverse educational offerings. The award was accepted on Felician’s behalf by Deanna Valente, Dean of the Center for Information Systems and Technology & Learning Development.

To recognize the remarkable commitment to expanding and innovating online education, Kean University was presented with the Online Learning Growth Award. As one of New Jersey’s fastest-growing institutions in digital learning, Kean University has demonstrated strategic leadership in developing flexible, high-quality online programs that meet the evolving needs of today’s learners. Through a forward-thinking approach and investment in instructional design, technology, and student support, Kean has significantly broadened access to education for diverse student populations across the region and beyond. The award was accepted on Kean’s behalf by Jay O’Callaghan, VP for Transformational Learning & Chief Online Officer.

Through the visionary leadership of their Center for Online Learning, Hudson County Community College (HCCC) has embedded accessibility and Universal Design for Learning into the foundation of its online course development. By proactively prioritizing inclusivity, leveraging data-informed strategies, and fostering a campus-wide culture of digital equity, HCCC has created a truly inclusive online learning environment. Their work not only meets ADA Title II compliance but sets a powerful example for institutions state-and-nationwide. To celebrate this innovation, dedication, and transformative impact on student success and educational access, HCCC was given the Accessibility in Digital Education Award, which was accepted on their behalf by Executive Director, Center for Online Learning, Matthew LaBrake.

By fostering meaningful dialogue and showcasing innovative practices, EdgeCon Spring 2025 not only sparked new ideas but also strengthened the connections that can help drive higher education forward. As institutions navigate a rapidly changing landscape, the shared insights and partnerships formed at EdgeCon play a vital role in shaping a more connected, resilient, and student-centered future.

VIP Sponsors Exhibitor Sponsors

The post EdgeCon Spring 2025 appeared first on NJEdge Inc.

Panel 4 on Law and Policy for the Attention Crisis, featuring Alex Roberts (moderator), Dick Daynard, Leah Plunkett, Woody Hartzog and Zephyr Teachout.

Last Friday, April 11, three of us, Elettra Bietti, Aileen Nielsen, Laura Aade, co-organized a workshop titled “The Battle for Our Attention: Empirical, Philosophical and Legal Questions” which took place at Northeastern University School of Law, and benefited from the support of CLIC, Northeastern’s Center for Law, Information and Creativity, and the involvement of Harvard’s Berkman Klein Center community of fellows and faculty. The event brought together leading legal scholars, policymakers, economists, medical scientists, computer scientists, media scholars, and technologists to address the pressing issue of how today’s digital technologies are transforming the understanding, use, and allocation of human attention, including implications for how we spend our time and what information we consume.

The discussion was wide-ranging, interdisciplinary, and deeply enlightening. We discussed whether attention “actually exists”, how it works, the history and business models of attention capture, the challenges and findings that arise from empirical studies of attention and attention markets, the relation between attention, intimacy, convenience and the law of trademarks, possible analogies with tobacco and gambling litigation, and the policymaking associated with regulating engagement and children’s use of social media.

The event began with a panel on the political economy of attention. Yochai Benkler kicked off the discussion with an overview of the capitalist drive to capture and instrumentalize attention over time, beginning with the 19th century press and culminating in today’s digital technologies. He argued that markets won’t solve attention problems and could exacerbate attention harms, in contrast with Marshall Van Alstyne’s suggestion that a Coasean model of attention rights could help platform owners manage misinformation and reduce incentives to share inaccurate or false information. Where Benkler advocated for the decommodification of attentional experiences, Van Alstyne advocated for a market regime of incentives and individual rights to speak and listen. David Lazer, for his part, adopted a middle ground position, presenting several findings on the slow but steady decoupling of content from its sources. He showed that information has become less traceable to sources, and discussed chatbots’ role in producing knowledge that is increasingly divorced from reliable reference to authors and media sources.

The second morning panel addressed the empirics of attention. Michael Esterman discussed some of his clinical work, showing that attention is a fluctuating, fragile process deeply shaped by cognitive and environmental factors. Sustaining attention for long periods of time and across contexts remains a phenomenon that is not well understood, and Esterman presented results showing that blocking a population’s mobile phone access for two weeks could improve participants’ attention, as well as their mental health and well-being. Esterman also pointed to the need for increasing measurements outside of laboratory settings to better understand the external validity of fundamental psychological results related to attention. Elena Glassmann then approached attention from the perspective of an interface designer, emphasizing that platforms actively shape how users direct their attention — often without users realizing it. Glassmann highlighted the danger of decontextualisation, where AI-driven tools summarize content by stripping away critical context and leaving users unaware of biases or omissions, and suggested ways to help people build reality-grounded mental models that provide access to contextual information, rather than hiding complexity. Christo Wilson concluded the panel with an overview of empirical approaches to studying attention platform business models, highlighting his role with David Lazer in creating and hosting the National Internet Observatory at Northeastern, a center that offers tools for researchers to study how people behave online in response to particular design features and platform strategies over long periods of time.

During the lunch keynote, FTC Commissioner and Law Professor Alvaro Bedoya spoke of his effort building a team of doctors and psychologists at the FTC whose focus and expertise includes children’s mental health and well-being. He also spoke of his work advocating for children’s privacy under COPPA and of the analogies and differences between tobacco, sports gambling and addiction to technological devices and products. Commissioner Bedoya suggested that more research needs to be done to better understand which products, platforms and specific technological features cause addiction and other mental health disorders.

The afternoon began with a third panel on media and communication systems for attention capture. Nick Seaver presented a spirited argument that attention may, in fact, not exist at all. While holding and waving a mouse jiggler, Seaver showed that attention is primarily defined or constructed by the way it is measured. Measurement, in turn, serves primarily as a managerial tool of control. While they might appear to be measuring participation, platform designers are in reality disciplining, tracking and controlling populations. Bridget Todd spoke of her work in the podcasting world, emphasizing the relation between intimacy and attention: audiences pay attention based on proximity to particular types of content and the emotions that content generates for them. Her view is that the current digital economy prioritizes profitable outrage over thoughtful storytelling, but that we should always push for the latter. Emily West presented some of her research on Amazon through the lens of convenience. Attention and addiction to digital products are promoted by appealing to convenience: platforms engineer frictionless experiences to generate user dependencies, producing a culture of learned passivity and inattention that quietly erodes agency. Rebecca Tushnet spoke of the law of advertising and the doctrines of dilution and confusion under trademarks law, explaining that the law simultaneously invokes but misunderstands the science of, or empirical realities of, human attention, protecting only those parts of attention that can be owned under intellectual property regimes. Similar to Seaver’s argument that attention is effectively what we can measure, Tushnet’s presentation highlighted that we live in an economy of signals and containers of attention.

The day ended with a panel discussion on legal and policymaking efforts in the attention space. Richard Daynard shared key takeaways from his litigation experience fighting tobacco and gambling companies. He explained that these industries intentionally engineer their products to addict users while funding research that shows the exact opposite, namely that their products are not addictive and individuals who engage in excessive use are the ones to blame. He added that these companies often lose in product liability litigation, where strict liability regardless of intention is the standard. Zephyr Teachout then offered an overview of the evolving Supreme Court jurisprudence on the First Amendment, arguing that current shifts in the court’s composition and caselaw are opening the door to possible legislation and reform in the attention space, something that until recently seemed largely implausible. Leah Plunkett discussed state social media laws and described them as providing financial compensation, privacy safeguards for children and workplace protections. She focused on a recent Utah law that allows children to sue their parents for compensation when their image is used in their parents’ social media feed for profit and described her involvement in drafting a model law on this theme for the Uniform Law Commission. Woody Hartzog concluded the panel presentations, discussing his work with Neil Richards on wrongful engagement, a tort which would allow individuals to sue digital companies for profiting from their addiction and engagement while neglecting users’ well being.

The event ended with participants discussing potential research overlaps, future collaborations and potential for advocacy across US regions. In the words of CLIC Director Alex Roberts, who moderated the last panel, “[i]f an interdisciplinary field of “attention studies” wasn’t already a thing, it is now.”

This event would not have been possible without support and assistance from Northeastern’s CLIC, Alexandra Roberts, Jennifer Huer, Walaa Al Awad, Natalia Pifferer, Brad Whitmarsh, and Jacob Bouvier. We also thank Harvard Law’s Laura Zeng, and BKC’s Bey Woodward and Jonathan Zittrain for additional enthusiasm and assistance.

We hope to continue this important conversation in the months and years to come with all of you. If you would like to join future conversations, we have created a regional mailing list which you can sign up to here.

Reporting from “The Battle for Our Attention” Workshop @ Northeastern, April 11, 2025 was originally published in Berkman Klein Center Collection on Medium, where people are continuing the conversation by highlighting and responding to this story.

Today, we’re sharing important news about the future of Ceramic.

With the rapid rise of agents as the new critical user and interface to the web, it’s increasingly clear that supporting a healthy, trustless, decentralized model for AI is essential. Our team, part of Recall Labs after our merge with Textile, is shifting our primary focus to Recall: a platform where AI agents prove themselves, improve themselves, and earn for their intelligence.

As part of this, we’ll be repurposing parts of Ceramic, deprecating others, and introducing a standalone open source version for the community. We want to openly communicate what this means for you and your applications built on Ceramic, as well as outline the path forward.

From Ceramic to Recall

Over the years, Ceramic has been pivotal in helping us understand decentralized data, composability, and robust synchronization. It’s been the leading technology for dozens of applications and networks in need of scalable, edge-centric, verifiable data storage and replication. We spent more than five years developing and iterating on Ceramic and are immensely proud of the advancements and technology we’ve shipped.

Even more than that, we are so thankful for your partnership. Our customers and community have relentlessly innovated on brand new tech, helped us move from prototypes to stable networks, and been the driving force for our continued commitment to open, decentralized data. Thank you for all of your support, and all you’ve helped us learn.

One of the persistent challenges we’ve faced with Ceramic has been the UX of decentralized data systems: managing keys and signing data, novel access control flows, and counterintuitive patterns for data flow have been challenges for many users and developers. Interestingly, all these properties are native and intuitive for the internet’s new class of users: agents.

Recall is a cryptoeconomic platform for AI agents to prove, improve, and earn based on their intelligence. It builds heavily on the technology we’ve built previously, but is a new platform and demands our full commitment.

What This Means for Ceramic Users

We deeply appreciate the trust and investment you’ve made in Ceramic. While our priority is Recall, we remain committed to setting Ceramic users up for success as we sunset certain parts of Ceramic.Here’s exactly what you need to know:

Introducing ceramic-one

Ceramic-one is the most performant, stable, and decentralized implementation of Ceramic. There is a new client SDK for reading/writing to ceramic-one: https://github.com/ceramicnetwork/rust-ceramic/tree/main/sdk

Ceramic-one introduces Recon, enabling reliable synchronization and historical data syncing across nodes. All existing data from ComposeDB remains fully accessible and readable through ceramic-one.

Ceramic-one will continue to function independently, with no dependency on our infrastructure or any other centralized authority. Further, Ceramic-one is under an MIT license, so anyone who wants to fork it and continue developing it on their own is welcome to do so.

Anchoring and Conflict Resolution on Ceramic-one

We’re committed to completing one final critical feature for ceramic-one: self-anchoring to Recall. This allows fully decentralized timestamping without relying on our centralized CAS or Ethereum L1, making ceramic-one truly self-sufficient. This will be implemented sometime after the mainnet release of Recall.

Manual conflict resolution is currently possible through ceramic-one by exposing all stream HEADs, allowing applications to apply their own business logic to select which branch(s) of the stream's history they wish to use. We’re also considering building automated conflict resolution (based on anchor timestamps)—the only remaining functionality from js-ceramic not yet implemented in ceramic-one. If this feature is important to your use case, please reach out, as your feedback will influence our decision.

After these improvements, ceramic-one will reach a feature-complete MVP. At that point, we will only prioritize critical bug fixes. ceramic-one will continue to exist as stable software under an open MIT license—fully available for anyone who wishes to fork, improve, or independently evolve it.

Deprecation of js-ceramic and ComposeDB

Effective immediately, we’re deprecating js-ceramic and ComposeDB. We recommend migration to ceramic-one, the streamlined, performant successor, as soon as possible.

Migration Steps:

A new client SDK for ceramic-one is now available here: ceramic-one SDK Step-by-step migration guidance is provided in our upgrade guides: Migration Guide on Ceramic Blog Detailed Upgrade Instructions on GitHub

Timeline and Support

ComposeDB and the Ceramic Anchor Service (CAS) will be completely shut down at least one month after Recall’s Mainnet launch. (Exact date TBD, but expected in mid-2025.). After that date, ComposeDB-dependent apps will break if not migrated to ceramic-one.

Recall: The Future of Decentralized Intelligence

Ceramic’s legacy and your contributions have directly influenced our development of Recall. Many of Ceramic’s strengths—openness, transparency, and decentralization—live on and evolve within Recall’s cryptoeconomic framework.

Recall aims to become a vibrant ecosystem for AI builders and developers. We warmly invite Ceramic users to explore the opportunities Recall offers: building intelligent agents, participating in verifiable competitions, and earning from proven performance.

We’re grateful for your support of Ceramic and excited about this next chapter with Recall. Our team remains available to assist your migration and ensure your continued success. If you have questions related to Ceramic, please reach out to us here. If you’re interested in learning more about Recall, find us on Twitter!

Warm regards,
The Recall Labs Team

Internet Safety Labs testified in support of the Massachusetts Consumer Data Privacy Act (H78) and Massachusetts Data Privacy Act (H104), advocating for strong data minimization, restrictions on sensitive data sales, and robust enforcement to protect residents’ privacy. We’re grateful to the Massachusetts Legislature for hearing our testimony. The written testimony is available to view, along with a video of the testimony below:

Open PDF

 

The post Internet Safety Labs Provides Testimony for Massachusetts Data Privacy Acts appeared first on Internet Safety Labs.

In the MyData Matters blog series, MyData members introduce innovative solutions that align with MyData principles, emphasising ethical data practices, user and business empowerment, and privacy. The future is knocking, […]

The Compliance Symposium has been postponed. We invite you to learn more about our upcoming flagship conference, EdgeCon Autumn 2025! Learn More » About the Symposium:

As regulations evolve and technology advances, education institutions face increasing pressure to ensure compliance across:

Technologies such as AI, data analytics models, and more are reshaping compliance. This symposium brings together experts and institutional leaders to explore:

Attendees will gain practical insights to:

Strengthen institutional compliance

Protect sensitive data

Foster a secure, inclusive digital environment while navigating the complexities of modern education.

Topics to be explored during the Symposium include, but are not limited to:

Data Privacy & Governance

Digital Accessibility & Inclusive Design

Regulatory Compliance & Legal Frameworks

Regulatory Cybersecurity Compliance (GLBA, PCI, NIST, and more)

Compliance and Cyberinsurance

AI, Automation, and Risk

Institutional Risk Management & Resilience

Vendor & Third-Party Risk Compliance

Culture of Compliance: Training & Leadership

Emerging Threats & Future-Proofing Compliance

Case Studies in Compliance Success

Who should attend the Symposium

Cabinet Level Leaders

Provosts & Academic VPs

CIOs

CISOs

Compliance Officers

Risk Management Officers

Directors of Online Learning

Directors of Centers for Teaching and Learning

Register Now » Vendor/Sponsorship Opportunities

Exhibitor Sponsorships are available. Vendors may also attend the conference without sponsoring, but at a higher ticket price.

Contact Adam Scarzafava, Associate Vice President for Marketing and Communications, for additional details via adam.scarzafava@njedge.net.

Download the Sponsor Prospectus Now » Call for Proposals

Submit your presentation topic for the upcoming Compliance in Education Symposium, presented by Edge and Stockton University!

Submit Proposal » More information coming soon!

The post Compliance in Education Symposium appeared first on NJEdge Inc.

Date: October 9, 2025
Location: Rider University
Time: 9 a.m.-5 p.m.
Attendee Ticket: $49

Event Location:
Rider University

REGISTER TODAY » Call for Proposals

Submit your presentation topic for the upcoming EdgeCon Autumn 2025 conference! This year’s conference will focus on accelerating modernization efforts for cybersecurity, campus networks, cloud strategy, student support applications, and more.

The call for proposals will be open until July 24th, with presenters being notified if their session was selected by July 31st. Submit Proposal » Vendor/Sponsorship Opportunities at EdgeCon

Exhibitor Sponsorship and Branding/Conference Meal sponsorships are available. Vendors may also attend the conference without sponsoring, but at a higher ticket price of $250.

Contact Adam Scarzafava, Associate Vice President for Marketing and Communications, for additional details via adam.scarzafava@njedge.net.

Download the Sponsor Prospectus Now » Accommodations

Hilton Garden Inn Princeton Lawrenceville
1300 Lenox Drive
Lawrenceville, NJ 08648

BOOK YOUR ROOM TODAY »

You may also reserve a room, by contacting the hotel directly via 609-895-9200. Be sure to mention that you’d like your reservation under the “EdgeCon Group Block” to obtain the conference rate.

Details of Conference Proceedings and Submissions Form are now available »

The post EdgeCon Autumn 2025 appeared first on NJEdge Inc.

Six months ago, Hyperledger Indy on Besu officially joined the did:indy method with the introduction of the did:indy:besu identifier. This milestone brought Hyperledger Indy, an LF Decentralized Trust project, closer to becoming a key player in Self-Sovereign Identity (SSI) frameworks, with the potential to be a Trusted List Provider in the European Digital Identity Wallet (EUDI Wallet) under eIDAS 2.0. By aligning with W3C Verifiable Credentials (VC) and Decentralized Identifiers (DID) standards, Indy on Besu enhances interoperability, scalability, and usability for digital identity solutions.

Blockchain Commons focused on the ZeWIF project for the Zcash blockchain during the first quarter of 2025, but that didn’t stopped us from also advancing a few other priorities, including the initial release of our long-incubating Open Integrity project. Here’s what all we’ve been working on.

ZeWIF Specification:

Why It’s Important The ZeWIF Meetings What We’ve Released So Far What’s Still to Come

Post-Quantum Commons:

Why It’s Important PQC Meeting QuantumLink What We’ve Released So Far

Open Integrity:

Why It’s Important What We’ve Released So Far

New Articles:

The Right to Transact SSI Orbit Podcast

New Dev Docs:

SSKR Pages UR Pages Meetings Pages Improved Crate Docs

New Ports:

Lifehash to Rust

New Research:

Provenance Marks Provenance References ZeWIF Specification

The Zcash extensible Wallet Interchange Format (ZeWIF) has been Blockchain Commons’ main priority since the Zcash Community Grants program approved our proposal at the end of the year.

Why It’s Important. Blockchain Commons talks a lot about interoperability, and that’s what ZeWIF is: it’s a way to freely exchange data between Zcash wallets in a standardized form. What we don’t talk about as often is why interoperability is important.

It goes back to our Gordian principles. Interoperability supports at least three of them.

It supports independence because any user can freely move their data among the interoperable software systems. It supports openness because any developer can easily join the ecosystem by adopting a mature, well-understood specification. This creates an environment of coopetition (cooperative competition) that leads to advances in technology and usability. It supports resilience because the interoperable format makes data less likely to be lost: it’ll be in a form that will be understood and therefore accessible, well in the future.

For a wallet ecosystem, interoperability means that users will have the freedom to move their digital assets among Zcash wallets. That’s the precise independence we want users to have, which is why it’s been worth spending a few months of time on this project.

The ZeWIF Meetings. To support the ZeWIF project, Blockchain Commons held three meetings in the first quarter: on the initial wallet survey, on the first demo of the zmigrate tool, and on ZeWIF data abstractions. Meeting with developers to ensure that specifications serve everyone’s needs has always been a bedrock policy for Blockchain Commons, so we’ve of course extended it here. (At least one more meeting is planned, for April 16th, to demo the data file format.)

#1: Wallet Survey: #2: Zmigrate demo: #3: Abstraction Discussion:

What We’ve Released So Far. The ZeWIF project is built around the zewif library, which stores Zcash wallet data in an in-memory format. We’ve also written zewif-zcashd and zewif-zingo to demonstrate the import of data from those wallets to ZeWIF, while our partners at Zingo Labs have produced “zewif-zecwallet” for importing zecwallet data (though that PR hasn’t been merged yet). Finally, we authored zmigrate, which is a demo CLI for importing zcashd content. With these demos and libraries in hand, other wallet developers can start working to interchange their own data via the ZeWIF format.

What’s Still to Come. With our releases so far, data can be interchanged between different Zcash wallets as long as it’s all done on the same machine: you just import into the in-memory ZeWIF format from one wallet, then export to another. But we expect most use cases will instead involve at least two different machines. That’s where the ZeWIF file format comes into play. Building on Gordian Envelope, it translates the ZeWIF in-memory storage into a fixed file that can then be moved to a different machine. We expect to demo the Envelope ZeWIF format at that upcoming April 16th meeeting.

Post-Quantum Commons

Is Post-Quantum Cryptography (PQC) the next big thing? We were able to support our friends at Foundation with some PQC work just as we got the ZeWIF project going at the start of the year.

Why It’s Important. Quantum Computers are starting to appear, and though they’re far, far from what would be needed to break cryptography at the moment, there’s no telling when there’s going to be a sudden “quantum” leap. Though today’s cryptography might not need PQC, if you’re working on something that might be around for 5 or 10 years, you should be thinking about it!

PQC Meeting. Our March Gordian meeting contained all the details of our PQC work, including what Quantum Computing is.

QuantumLink. The highlight of the meeting was a discussion of QuantumLink from our friends at Foundation. This is a quantum-resistant protocol for Bluetooth communication that is a critical component of their new Passport Prime wallet. It allows them to use Bluetooth with high security and for that security to remain strong 5 or 10 years in the future, in case Quantum Computing does make those big strides forward.

What We’ve Released So Far. The QuantumLink technology was enabled by new PQC support that Blockchain Commons incorporated into its libraries. You can now use the PQC algorithms ML-DSA and ML-KEM in our Rust stack, from bc-componenents on up.

Open Integrity

We had one other big release in Q1: Open Integrity, a system for increasing the trust of software being developed in Git. Well, technically it was released on April 7th, the 20th anniversary of Git’s release, but this is something that Blockchain Commons Architect Christopher Allen has been working on for about a year, so we’re thrilled to get the word out.

Why It’s Important. We wrote a whole article discussing why Open Integrity is important. But, in short: Git repos are growing increasingly important for the deployment of critical software, and Git doesn’t actually provide a high-level of trust for those repos, despite the ability to sign commits. Open Integrity bridges the gap betwen what Git offers and what online software distribution needs.

What We’ve Released So Far. The Open Integrity project is now available in an early form at GitHub. A Problem Statement offers details on the issues we’re trying to solve and our solutions. We’ve also got a number of tools and scripts, the most import of which creates an inception commit on a repo. This inception commit is the root of trust that lays the foundation for ensuring that you always know who’s in control of a repo.

If you want to try out Open Integrity, see the Open Integrity Snippets file, which has complete instructions on how to get that inception-commit script running, plus many examples that will allow you to experiment with Open Integrity.

That’s it for our big Q1 projects, but we had a number of smaller releases over the course of the quarter as well.

New Articles

The Right to Transact. We think the right to transact should be an international freedom. Read more in Christopher’s recent article, “The Case for an International Right to Freedom to Transact”, which builds on his 2024 musing, “How My Values Inform Design”.

SSI Orbit Podcast. Christopher also was interviewed for the SSI Orbit Podcast. It’s been nine years since he wrote the foundational “Path to Self-Sovereign Identity”. Where do things stand today?

New Dev Docs

SSKR Pages. We updated our SSKR dev pages with the big focus being differentiating SSKR URs (where you split up a key) and SSKR Envelopes (where you protect the entire contents of an Envelope by creating and splitting up a key). The test vectors also now demonstrate both cases.

UR Pages. We similarly did some big updates to our UR dev pages. Here the issue was that URs had seen some changes over the years, especially as we locked down CBOR tag registration, and our examples were no longer up-to-date. Now, every page and every test vector should be correct. There’s also a new page on URs for Gordian Envelope.

Meetings Pages. All of Blockchain Commons’ meetings are now documented on a new meetings page, which also includes subpages with videos and slides (and usually transcripts) of everything from the last few years!

Improved Crate Docs. Finally, we’ve used some lessons learned from the documentation of ZeWIF to improve the documentation of our Rust stack. As a result, docs.rs now has improved docs for bc-dcbor, bc-components, and bc-envelope

New Ports

Lifehash to Rust. Lifehash is now available in a new Rust Implementation courtesy of Ken Griggs. Lifehash is a critical element of the object identity block, which can help users to recognize seeds and keys. We hope this will allow for more deployment.

New Research

Provenance Marks. One of our newest innovations, courtesy of Blockchain Commons Lead Researcher Wolf McNally, is the provenance mark. The provenance mark is a cryptographically secure chain of marks that facilitates the easy verification of authenticity. We’ll have more on them in the months ahead, but in the meantime, you can read Wolf’s research paper on the topic!

Provenance References. If you want to start playing with provenance marks right now, we’ve already released a series of reference apps and libraries. They include our original Swift implementation, our newer Rust implementation, and a CLI that can be used to create and manage marks!

That’s it for the moment. For the next quarter, we’ll be closing out our initial work on ZeWIF in April, and we’ll be offering more looks at Provenance Marks in the months ahead.

If you’d like to work with us on these or other topics, drop us a line about becoming a Blockchain Commons partner.

A research project with the Responsible Innovation Centre at the BBC Cartoon by @visualthinkery is licensed under CC-BY-SA. Remix by Doug Belshaw.

We Are Open Co-op (WAO) is a collective of individuals who share a commitment to ethical, inclusive, and sustainable practices in all aspects of our work, including AI literacy. Our approach to this area is grounded in the belief that AI is an extension of digital literacies, not a separate field. We aim to demystify AI, helping people recognise that the digital literacy skills they already possess are directly applicable to AI.

AI’s societal impacts are significant and well-documented, but the public often struggles to grasp its opportunities and risks. A trusted guide is needed to balance optimism with caution, particularly given AI’s potential effects on jobs, culture, and other critical areas.

The project

We are delighted to have started work on a new project with the Responsible Innovation Centre for Public Media Futures, hosted by the BBC. As an institution with a long and valued history in delivering high quality educational initiatives that help audiences understand and navigate new technologies, we believe the BBC is well placed to help public understanding and engagement with emerging technologies such as AI.

Our focus is research and analysis which aims to find gaps in provision for younger audiences. Over the next few months we’ll be interviewing experts, reviewing resources, and scrutinising frameworks. We will be using this research to create a report along with a framework and guide which will ultimately help the BBC create policies and content for young people. We’ll be sharing an open version of what we create, so look for those in the summer.

Our approach

Starting with desk research, and building on the work we’ve already curated, we’re creating a library of interesting definitions, frameworks, and resources that can help us understand what other people are exploring when it comes to AI Literacy in combination with public media.

As with our work with Friends of the Earth where we researched AI and environmental justice, we will bring together a variety of experts to give feedback and sense check what falls out of some of the research.

Along the way, we’ll share updates based on our findings, so if you know of a person, organisation, initiative, framework, or resource that we should take a look at, please let us know! We’ll also be updating ailiteracy.fyi, our one-stop-shop for all things related to this important topic.

What does AI Literacy look like for young people aged 14–19? was originally published in We Are Open Co-op on Medium, where people are continuing the conversation by highlighting and responding to this story.

1. What is the mission and vision of Paays?

Building the foundation of trust in Auto Finance. Empowering Dealers and Lenders to serve their customers better, faster and more securely.

2. Why is trustworthy digital identity critical for existing and emerging markets?

Auto Finance and the Automotive Sector more generally, relies on trustworthy digital identity verification to ensure that people are who they say there, and the information being provided is authentic.

3. How will digital identity transform the Canadian and global economy? How does your organization address challenges associated with this transformation?

Paays is enabling thousands of Auto Dealers in Canada with the technology to perform digital identity verification, protect their businesses and employees, and reduce or eliminate criminal opportunities for fraud.

4. What role does Canada have to play as a leader in this space?

Canada has a significant opportunity to be a leader in digital identity and trust services, across many industries, including Auto Finance.

5. Why did your organization join the DIACC?

Paays joined DIACC to partner with a leading organization and it’s members, focused on bringing digital identity and trust services to the Canadian marketplace.

6. What else should we know about your organization?

Paays has a singular, laser-focused approach to building the foundation of trust in Auto Finance!

The Decentralized Identity Foundation (DIF) has officially launched its Hospitality & Travel Working Group, evolving from the ongoing H&T Special Interest Group (SIG). This new working group will focus on developing standards, schemas, processes, and documentation to support the self-sovereign exchange of data between travelers, services, intermediaries in the hospitality and travel industry, and their AI agents.

Mission and Focus

The primary goal of the working group is to enable travelers to maintain ownership and control over their personal data while allowing for seamless interactions with travel service providers. The group will address critical aspects of traveler profiles, focusing on data portability, privacy, and interoperability across the travel ecosystem.

Meeting Schedule

The working group will convene twice weekly:

Tuesdays at 10:00 AM Eastern Time Fridays at 10:00 AM Eastern Time

These regular meetings will facilitate ongoing collaboration among industry stakeholders, technology providers, and standards bodies.

Leadership Perspectives

"We are enormously proud that the hard work of our dedicated Hospitality & Travel SIG has led to a Working Group that will develop key specifications. From sharing boarding passes and hotel preferences to loyalty programs and dietary requirements, travelers constantly provide the same information to different companies throughout their journey.

"Travelers need to share, and overshare, the broadest range of personal data on their voyage, ranging from seat or dietary preferences, to government identities or passports, across multiple service providers who may not have the best data handling practices. This working group will develop standards that allow travelers to control exactly what data they share, with whom, and for how long - eliminating both unnecessary data exposure and the frustration of repeatedly entering the same information," said Kim Hamilton Duffy, Executive Director of the DIF.

Douglas Rice, industry veteran and Hospitality & Travel Working Group chair added: "The travel ecosystem has long struggled with fragmented approaches to customer data and identity management. This working group will help establish the technical foundations needed for travelers to maintain control of their data while enabling the personalized experiences they expect. We're building toward a future where your travel preferences, loyalty information, and credentials can move with you seamlessly across your journey—all while maintaining the highest standards of privacy and security, and enabling AI agents to act on verified information about the traveler.”

Next Steps

The working group will initially focus on defining standardized schemas for travelers or their digital agents to present profiles, establishing protocols for secure data exchange, and developing guidelines for implementation across various travel touchpoints. Industry participants are encouraged to join the working group to contribute their expertise and perspectives.

For more information about participating in the DIF Hospitality & Travel Working Group, visit the Decentralized Identity Foundation website.

1. What is the mission and vision of Keyless?

Our vision is for a safer, more private world. Keyless is on a mission to redefine how the world authenticates – enabling people to securely access services with a simple look, without compromising their biometric data.

2. Why is trustworthy digital identity critical for existing and emerging markets?

We can answer this with a simple example: mule accounts. Fraudsters will pay people to open bank or crypto accounts using their real ID, then take over and use those accounts to launder money. On paper, the account looks legitimate – but the person using it isn’t who the bank thinks it is.

This kind of fraud is only possible when identity assurance is weak. With trustworthy digital identity, this can be stopped by verifying who is really behind the screen not just at sign-up, but every time they log in, send a payment, or change account details.

3. How will digital identity transform the Canadian and global economy? How does your organization address challenges associated with this transformation?

Digital identity is the foundation for secure online interactions. It drives inclusion, cuts costs, and reduces fraud. When companies can trust their users, they grow faster and more confidently.

Keyless sits within consumer apps – often in banking and fintech, but also in government and university portals. Whenever a user performs a sensitive action, like logging in or approving a payment, Keyless triggers an authentication selfie using the device’s camera. Unlike text messages, call centers, or even FaceID, this process actually proves who the user is – not just that they have access to a device or mobile number.

4. What role does Canada have to play as a leader in this space?

Canada is already taking significant steps toward becoming a global leader in digital identity. The government is actively developing a nationwide digital ID program designed to make accessing both public and private services faster and more secure.

By continuing to invest in public-private collaboration, Canada can lead the way in building trusted, inclusive digital ecosystems that other countries look to for guidance.

5. Why did your organization join the DIACC?

We joined DIACC to help shape the future of digital identity in a way that’s secure, user-friendly, and preserves citizen privacy. We believe in collaboration and are excited to contribute our expertise in biometric authentication and privacy-preserving technologies.

6. What else should we know about your organization?

Within the biometric authentication space, Keyless is known for its privacy-preserving approach. Uniquely, we authenticate users without storing their facial biometric data anywhere – keeping their biometric information completely private.

On March 18, 2025, the FIDO Alliance convened its APAC regional members and key stakeholders at the Telecommunications Technology Association (TTA) Auditorium in Seongnam, South Korea, for a full-day meetup and workshop. The event focused on advancing simpler, stronger authentication across the region and served as a vital platform for technical updates, regional progress, and real-world implementation insights around passkeys.

Among the 70+ participants on-site, we were honored to welcome six FIDO Alliance Board members representing Samsung Electronics, NTT Docomo, Lenovo, RaonSecure, Egis Technology, and Mercari—underscoring the global engagement and strategic importance of this gathering.

Before the main program, international attendees were invited to a special TTA Lab Tour, offering a behind-the-scenes look at Korea’s testing and standards infrastructure supporting FIDO and other telecommunications technologies.

Showcasing Technical Leadership and Regional Collaboration

The day featured an exciting lineup of expert speakers and educational sessions, reflecting the expanding role of passkeys as a trusted, phishing-resistant, and user-friendly authentication solution for both public and private sectors.

The event opened with an inspiring keynote by Dr. Koichi Moriyama (Chair, FIDO Japan WG; W3C Advisory Board Member), who emphasized the importance of global collaboration in setting interoperable, secure technology standards. David Turner, Senior Technical Director at FIDO Alliance, shared in-depth updates on passkey advancements and highlighted future areas of focus, including developer support, user experience, and broader international engagement. Wei-Chung Hwang of ITRI presented a thoughtful comparison of passkeys and PKI, outlining how the two can coexist and complement each other within modern authentication architectures. Ki-Eun Shin, Principal Software Engineer and FKWG Vice Chair, offered a practical guide for developers building scalable and secure passkey systems, covering implementation, testing, and UX considerations. Dovlet Tekeyev from AirCuve introduced Korea’s updated Zero Trust Guideline 2.0, walking the audience through key principles, recommendations, and how FIDO solutions align with national cybersecurity strategies. Eugene Lee, Vice President at RaonSecure, shared cross-industry deployment experiences of FIDO-based biometric authentication, highlighting its adaptability to diverse sectors including finance and telecom. Jong-Su Kim, Principal Security Engineer at Samsung Electronics, concluded the technical sessions by sharing Samsung’s vision of simplifying cybersecurity for all users through FIDO-driven innovation.

Regional Insights and Shared Momentum

The day closed with regional updates featuring representatives from Japan (Naohisa Ichihara, FJWG Co-Vice Chair and CISO at Mercari), China (Henry Chai, FCWG Chair and CEO at GMRZ Technology, Subsidiary of Lenovo), Taiwan (Karen Chang, FTF Forum Chair and VP at Egis Technology), Malaysia (Sea Chong Seak, CTO at Securemetric), and Vietnam (Simon Trac Do, CEO & Founder at VinCSS), each presenting local updates on passkey deployment. Speakers shared technical challenges, user adoption, and the growing importance of cross-border cooperation to accelerate the passwordless future across APAC.

Moving Passwordless Forward Together

The FIDO APAC Regional Member Meetup & Workshop reaffirmed our collective commitment to advancing phishing-resistant passwordless authentication across the region. Thanks to all the speakers, sponsors, and attendees who contributed to this energizing and forward-looking event.

Stay tuned for more cross-regional collaborative events in the APAC and updates from the FIDO Alliance as we continue to make online authentication simpler and stronger together.

Webinar
March 27, 2025
10:00 AM ET

Join us for an insightful session on the successful implementation of the Zoom Phone project at Stevens Institute of Technology. This initiative aimed to modernize the campus communication infrastructure by transitioning from traditional phone systems to the innovative Zoom Phone service. The project involved meticulous planning, procurement, and deployment phases, ensuring a seamless transition for all departments.

We will delve into the change management strategies employed to facilitate this significant shift, including comprehensive user training, stakeholder engagement, and continuous support. The project management efforts were pivotal in coordinating the migration of facilities phones, decommissioning outdated systems, and ensuring compliance with new regulations such as the Ray Baum Act and Kari’s Law.

Discover how the collaborative efforts of the IT team with institutional stakeholders led to the project’s success. We will share key insights, challenges faced, and the remarkable outcomes achieved, including enhanced remote work capabilities, improved emergency calling services, and significant cost savings.

This session will provide valuable lessons for institutions looking to upgrade their communication systems and navigate the complexities of large-scale IT projects.

Presenters:

Maryam Mirza, Senior Director for IT, Client Experience and Strategic Initiatives, Stevens Institute of Technology

Hammad Ali, Senior Director of Infrastructure Services, Stevens Institute of Technology

Luis Quispe, Associate Director of Network and Telecom Engineering, Stevens Institute of Technology

Complete the Form Below to Access Webinar Recording [contact-form-7]

The post Transforming Communication: The Zoom Phone Project at Stevens Institute of Technology appeared first on NJEdge Inc.

Building Bridges for Human Rights with Amnesty International UK cc-by-nd Bryan Mathers for WAO

Let’s be honest. The world feels…complicated right now. The news is relentless, anxieties are high, and it’s easy to feel isolated. But be assured, there are people, even now, who get up every day and try to make the world a little better. As ever, we’re pleased to work with such people to try and build deeper, more resilient communities — and to remember that we’re not alone.

Building Open Communities cc-by-nd Bryan Mathers for WAO

We Are Open Co-op is working in collaboration with Amnesty International UK (AIUK) on a project focused on a new platform for activists. This is built on a shared fundamental belief that the most impactful change comes from strong, engaged communities.

Like many of the organisations we work with, AIUK has a vibrant and diverse network of activists. Communities and networks are complex and come with common challenges. There can be confusion, discomfort, and the feeling that things aren’t really resulting in meaningful action. There are so many people and activities it can be hard to create cohesion and connection. Understanding who people are, what drives them and listening to them is at the core of this project.

Our Community Platform project with AIUK is a place where we can put our deep understanding of how communities thrive to good use.

What are we doing? Starting with empathy: We know that understanding different perspectives and experiences is hugely important for building healthy communities. Our collaboration will be rooted in actively listening to and valuing the insights of people committed to AIUK’s mission. Spurring collaboration: We are new to the AIUK community, so we are looking forward to collaborating with people with diverse voices and new approaches. We are pleased that we’ll be collaborating with AIUK staff, educators, activists and Torchbox, an agency helping with Amnesty International UK’s digital transformation. Showing up: We love to step outside of our comfort zones, to experiment with new ways of working, and to be open to the possibility of failure — because learning from mistakes is kind of great. No, what are you actually doing?

Oh, ok, we’ll if you want to be really specific:

Carrying out user research to better understand the AIUK community and how a community platform can help AIUK better support them Collaborating with the DDaT team and AIUK’s new Community manager to create new processes and policies which will help eliminate frustrations and problem areas Creating missions to help playtest a number of candidate community platforms that have the potential to help AIUK’s activists connect, learn and thrive The Power of the Network

We’re not just isolated individuals pursuing our own interests. We’re part of a larger, interconnected web. People tend to be members of multiple communities, so insights from those overlapping experiences are valuable. This crossover, this overlapping of passions and interests, is a vital strength, but it also needs intentional nurturing.

cc-by-nd Bryan Mathers for WAO Moving Forward

We’re committed to building healthy communities, and that means planned, moderated, and actively cared for communities. We’re going to, as we do, work openly with Amnesty International UK, and are, as ever, always excited for your engagement and feedback.

We have some spare capacity on top of this work, so if you have a problem, if no one else can help, get in touch!

Strengthening Community was originally published in We Are Open Co-op on Medium, where people are continuing the conversation by highlighting and responding to this story.

Organizations are encouraged to take the Passkey Pledge ahead of World Passkey Day on May 1 

MOUNTAIN VIEW, Calif., April 9, 2025 – The FIDO Alliance is inviting organizations around the world to take the Passkey Pledge, a voluntary commitment to increase awareness and adoption of passkey sign-ins to make the web safer and more accessible.

Since passkeys were introduced to the world in 2022, hundreds of service providers have embraced the greater security and usability that passkeys bring to users. Over 15 billion user accounts are now equipped with the option to use a passkey instead of relying on passwords, which are easy to steal and reuse for account takeovers and fraud. Organizations that deploy passkeys are consistently finding that a greater percentage of their users are able to sign into services in far less time – which helps generate added revenue and/or employee productivity while also reducing fraud and account takeovers.

To further advance and promote the use of passkeys, the first Thursday in May each year is now recognized as World Passkey Day (previously World Password Day). Companies can take the Passkey Pledge in advance of World Passkey Day and commit to making a good-faith effort to achieve the following goals throughout the year:

For service providers that have an active implementation of passkeys for sign-in – Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of passkeys by users when signing into the company’s services. For service providers that are in the process of implementing passkeys for sign-in – Within one year of signing the pledge, demonstrate measurable actions taken to enable passkeys for signing into the company’s services. For vendors with a FIDO-based products and/or service – Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of passkeys through adoption of the company’s products and/or services. For vendors developing FIDO-based products and/or services – Within one year of signing the pledge, demonstrate measurable actions to FIDO certify its products and launch a product or service with passkey sign-in support. For industry associations and standards organizations – Within one year of signing the pledge, demonstrate actions to increase the visibility and benefits of passkey sign-ins.

Organizations that take the pledge will receive assets to support their involvement and will have the opportunity to take part in activities and announcements planned for World Passkey Day on May 1, 2025.

More details on the pledge, including the sign-up form, can be found at https://fidoalliance.org/passkeypledge/. 

Taking Action: Resources to Help Organizations to Fulfill the Pledge

The FIDO Alliance has resources and best practices for Passkey Pledge organizations to take action, including:

Sharing their commitment to the Passkey Pledge via external communications channels Leveraging the guidance on passkeycentral.org to plan, implement and expand their passkey rollouts Implementing the FIDO Design Guidelines, data-driven UX best practices for passkey rollouts Getting their products FIDO Certified to demonstrate that their products are compliant, interoperable and secure Releasing case studies on their or their customers behalf to share implementation journeys and business outcomes. Organizations can reach out to info@fidoalliance.org to submit case studies directly to the FIDO Alliance Taking part in the FIDO Alliance member activities and working groups to further drive passkey optimization and adoption  Planning and/or taking steps to remove passwords as a sign-in option. About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance was formed in July 2012 to address the lack of interoperability among strong authentication technologies and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services. For more information, visit www.fidoalliance.org.

Contact

press@fidoalliance.org

Did you know that the first coupon dates back to the 1800s?

 It hasn't changed much for something that's been around that long, and how shoppers redeemed coupons stayed the same…until now.

In this episode, Brett Watson, CEO of The Coupon Bureau, joins hosts Reid Jackson and Liz Sertl to talk about how the world of coupons is finally catching up. With digital formats, real-time validation, and built-in fraud prevention, coupons are evolving for the modern retail experience. 

Brett explains what it takes to bring an old system into the digital age, why coupon fraud has become such a costly issue, and how these changes are unlocking new opportunities for both brands and consumers.

 

In this episode, you’ll learn:

How couponing has evolved over the years

The role of coupons in marketing and media

The future of coupon technology

 

Jump into the conversation:

(00:00) Introducing Next Level Supply Chain

(03:31) History of couponing 

(09:45) The scale of coupon fraud in the industry

(14:56) The new coupon standard

(18:54) Different innovations and applications of coupons

(23:23) Brett’s favorite tech she can’t live without

 

Connect with GS1 US:

Our website - www.gs1us.org

GS1 US on LinkedIn

 

Connect with the guest:

Brett Watson on LinkedIn

Check out The Coupon Bureau

Current Landscape

Governments worldwide are accelerating their digital transformation efforts to meet the growing expectations of citizens and businesses. Canada is no exception, with public sector services increasingly moving online to improve efficiency, accessibility, and security. However, this shift brings significant challenges, including data privacy concerns, cybersecurity threats, and the need for seamless, interoperable services across jurisdictions.

When DIACC was established in 2012, its mission was to create a secure digital ecosystem. Today, this goal is even more critical for modernizing government services while ensuring security, privacy, and usability. DIACC has evolved from research to certifying real-world digital trust solutions, setting audit standards, shaping policies, and connecting businesses and government to strengthen Canada’s digital economy.

Digital trust—which empowers individuals, businesses, and government agencies to engage online securely and transparently—is essential for delivering reliable public services. Without it, citizens may lack confidence in digital government initiatives, limiting their adoption and effectiveness.

By prioritizing digital trust, Canada can strengthen its public service infrastructure, enhance citizen confidence, and improve service delivery. Interoperable frameworks such as the DIACC Pan-Canadian Trust Framework™ (PCTF) ensure that digital services remain secure, adaptable, and trusted while protecting personal electronic information between government agencies and service providers.

Advancing Digital Trust to Modernize Government Services 1. Driving Efficiencies, Cost Savings, and Economic Growth

Governments can leverage DIACC, the PCTF, and PCTF certification along with technical standards to help streamline processes, reduce costs, and create economic opportunities through:

Reducing Implementation Costs: Standardized digital trust solutions lower costs associated with developing, integrating, and maintaining digital trust capabilities. Enhancing Service Efficiencies: Digital credentials and interoperable frameworks minimize redundancies and enable faster, more secure service delivery. Unlocking Interprovincial Trade: A unified digital trust framework will enable seamless service delivery to Canadians across Canada, regardless of province of residence.  Facilitating Labour Mobility: Efforts to reduce interprovincial trade across Canada mean the importance of secure and portable digital credentials has never been greater. Reducing bureaucratic licensing and certification verification barriers will ensure workers can move between provinces more efficiently. Boosting Public-Private Collaboration: By aligning digital trust standards with industry best practices, governments can foster innovation and attract investment in secure digital services. 2. Strengthening Public Confidence in Digital Services

For government digital services to succeed, citizens must trust them. Implementing robust digital trust solutions allows governments to:

Ensure secure and seamless access to online services Protect citizens’ data from fraud and misuse Increase adoption of digital services by providing verifiable trust measures Improve operational efficiency by reducing manual verification processes 3. Enhancing Trust Through the DIACC PCTF

The DIACC PCTF provides a framework for governments to:

Strengthen identity verification in digital government services Improve efficiency in service delivery by reducing reliance on physical documents Enhance interoperability across departments and jurisdictions Ensure compliance with privacy and security standards through auditable criteria 4. Protecting Citizens from Fraud and Identity Theft

Fraud prevention is a top priority for digital government services. To mitigate risks, governments should:

Implement secure identity verification measures for accessing digital services Use verifiable credentials for social benefits, permits, and tax filings Ensure public education initiatives on digital trust and security best practices 5. Enabling Seamless Intergovernmental Collaboration

All federal, provincial, and municipal governments must collaborate to support a trustworthy digital ecosystem. Digital trust frameworks like the PCTF facilitate:

Secure data exchange across agencies while maintaining privacy Interoperable digital identity solutions for seamless citizen experiences Compliance with national and international regulatory requirements 6. Leveraging Digital Trust for Innovation in Public Services

Governments can harness digital trust to:

Develop secure digital identities for all citizens and businesses Improve emergency response coordination through trusted data-sharing networks Support AI-driven public service applications with built-in trust safeguards Best Practices and the Way Forward 1. Adopt Existing and Emerging Digital Trust Technologies to Address Pain Points

Government agencies should leverage trusted digital trust, verification, and credentialing solutions aligned with the PCTF. Implementing PCTF-certified solutions will enhance security, efficiency, and trust in digital service delivery. While whole-of-government modernization is needed, our stakeholders recommend rapidly unlocking digital driver’s licences, passports, permanent resident cards and verified income to address the economic urgency. 

2. Collaborate for Consistency and Interoperability

DIACC fosters collaboration between governments, technology providers, and industry stakeholders to promote consistent digital trust practices, using standards and certifications to ensure security and privacy across public services.

3. Educate and Empower Citizens and Public Sector Leaders

DIACC is committed to advancing digital trust in government through:

Public awareness campaigns on the benefits and security of digital services Training and resources for government officials on digital trust implementation Policy recommendations to support the adoption of digital trust frameworks Conclusion

Modernizing government services requires a foundation of digital trust. By recognizing frameworks like the PCTF, governments can enhance service delivery, protect citizens’ data, and foster trust in digital public services.

Together, we can build a future where government services are more efficient, secure, and accessible to all Canadians while reinforcing Canada’s leadership in digital trust and innovation.

Download the paper here.

DIACC-Position-Advancing-Digital-Trust-for-Government-Service-Modernization_ENG

The post Learn & Work Ecosystem Library Glossary appeared first on Velocity.

A New Era for Sustainable Computing

Demand for computing power is exploding as AI models, cloud services, and decentralized applications consume ever-greater amounts of energy. But not all energy is created equal. In some regions, a data center might be drawing power from a coal-heavy grid, while elsewhere excess wind or solar power goes unused. For the past decade, tech giants addressed this by buying renewable energy or improving efficiency. But what if we could take a more dynamic approach — shifting computational workloads across location and time to maximize use of clean energy?

Enter Carbon-Aware Nomination, a groundbreaking mechanism from Energy Web that does exactly that. It ensures computational tasks run where and when they have the lowest carbon intensity. This isn’t a standard cloud feature or a typical blockchain project, but a fusion of both: it connects decentralized computing networks with real-time carbon intensity data from WattTime and the Green Software Foundation’s Carbon-Aware SDK. And the best part — it’s going open-source, inviting the entire industry to build a greener digital future together.

The Carbon Cost of Computing: Why It Matters

Computing today has a massive carbon cost. Data centers account for around 1–2% of global electricity use (on par with the airline industry), and that share is rising fast. Some forecasts warn that with the AI boom, data center energy demand could hit double-digit percentages of global consumption by 2030. In short, if we don’t make computing more sustainable, it will hinder global climate goals. Today’s solutions to decarbonize workloads rarely have real-time “carbon awareness.” This means a lot of flexible computing — like batch processing or AI training jobs — might be running at the worst possible times for the planet. Carbon-Aware Nomination changes that paradigm by intelligently routing workloads to times and places where electricity is greenest.

Why Carbon-Aware Nomination Is a Game-Changer

Carbon-aware computing isn’t an entirely new idea, but no one has implemented it the way we have. Existing approaches have serious limitations:

Blind Spots in Conventional Cloud Sustainability: Major cloud platforms have introduced sustainability dashboards and efficiency tools to help customers estimate carbon footprints. However, these proprietary solutions require you to trust their reporting. There’s no independent way to verify if a given workload actually ran on low-carbon energy. In other words, you might see carbon-saving claims, but you can’t prove them. While Carbon-Aware Nomination is built for decentralized compute networks, its methodology could be adapted for cloud orchestration. However, the current implementation is blockchain-native, ensuring verifiable, tamper-proof sustainability claims. Decentralized Compute Lacks Climate Intelligence: Emerging networks like iExec, Golem, and Akash distribute workloads across many nodes, leveraging blockchain for compute marketplaces. Yet, they schedule jobs without considering the carbon intensity of those nodes. A task might just as easily run on a coal-powered node as on a solar-powered one. Until now, no decentralized computing platform has integrated real-time carbon optimization into its scheduling logic.

This is where Carbon-Aware Nomination stands apart. It combines decentralized computing with live carbon-intensity data for the first time. By doing so, it delivers several unique benefits that neither traditional clouds nor existing blockchain compute projects offer:

Decentralized & Trustless Architecture: Built on the Energy Web X blockchain, every decision and claim is transparent. There’s no single company controlling the process, and sustainability claims are tamper-proof and verifiable by anyone. This brings a new level of trust to green computing — auditors or stakeholders can confirm, via the public ledger, that a workload ran at a time of low grid emissions. Real-Time Carbon Intelligence: The system taps into WattTime’s API and the GSF Carbon-Aware SDK to get live and forecasted grid emissions data. Workloads are continuously matched to the cleanest energy times in real time. If wind picks up in Region A or solar output surges in Region B, the scheduler knows and can route tasks accordingly. We’re not offsetting carbon with credits or averaging it annually; we’re actively avoiding emissions as they happen. Hybrid Public/Enterprise Nodes: Flexibility is built in. Organizations can nominate workloads to run on public decentralized nodes or their own infrastructure — whichever meets the carbon criteria. For example, an enterprise could use its private servers when they’re running on green power, or tap into a public pool of nodes in another region when local power is dirty. Carbon-Aware Nomination isn’t “all or nothing” — it’s a smart overlay that finds the greenest option across a mix of resources. Verifiable ESG Reporting: Every workload handled through this system generates a digital proof of its execution with associated carbon data. Think of it like an eco-receipt. This proof can feed directly into ESG reports or sustainability audits, backed by blockchain records. Instead of saying “we think our computations were low-carbon,” organizations can cryptographically demonstrate it. This level of accountability is increasingly crucial as investors and regulators demand hard evidence of climate action. Open-Source Collaboration: Unlike proprietary cloud solutions, Carbon-Aware Nomination is being released as open-source software. This invites an entire community — from researchers to startups — to use it, audit it, and improve it. By sharing the code, Energy Web ensures transparency of the algorithm and accelerates innovation. Anyone will be able to plug into the system or even contribute new features (for example, supporting new types of workloads or integrating additional data sources). We believe an open approach is the fastest way to standardize carbon-aware computing across the world. How It Works (In Simple Terms): Checks Carbon Data: A group of computers (nominators) analyze real-time electricity grid data to find where energy is greenest. Finds the Best Spot: The nominators select and agree on the cleanest available computing resources to execute the workload and qualify for rewards. Runs & Verifies: The selected computers can accept and execute the workload, and the blockchain records proof of completion, ensuring eligibility for rewards. How It Works (In detail): The Carbon-Aware Nomination Pool

So, how does the system actually orchestrate a “greener” workload? Rather than a central scheduler deciding where tasks run, Carbon-Aware Nomination uses a decentralized pool of worker nodes and nominators that collectively determine the optimal execution plan. Here’s a high-level look at the process:

Live Carbon Data Feeds: Using the Carbon Aware SDK, the system continuously pulls real-time and forecasted carbon intensity data from WattTime’s service. This data covers different regions and grids, updating as conditions change (like when a big solar farm comes online in the afternoon or when a coal plant ramps up at night). Normalized Comparison: Because “100 gCO₂/kWh” means different things on different grids, the scheduler normalizes carbon intensity across regions. This prevents it from always favoring the same region and ensures a fair comparison. In essence, the algorithm knows what “clean” means for each location and time — a form of smart context. Energy Web X Worker Registry: All participating compute nodes (whether run by individuals, companies, or data centers) register on the Energy Web X blockchain registry. They publish metadata about their location, hardware, and efficiency. This on-chain registry is like a directory of available computing resources, with info crucial for carbon-aware decisions. It’s also transparent — anyone can see which nodes are available and where they are. Green Nomination Process: When a workload needs scheduling, a separate group of decentralized nominators, independent from the compute nodes themselves, evaluates the available options. These nominators analyze live carbon intensity data (from step 1), assess each node’s performance and capacity, and rank them based on sustainability. Essentially, the nodes compete, but not on price or speed alone, on verifiable carbon performance. The system then nominates the best-suited, lowest-carbon node to execute the task, ensuring a trustless and tamper-proof selection process. Workload Execution & Proof: The chosen node runs the computation. During and after execution, it logs the energy used and the carbon intensity at that time. This information is reported back and recorded (for example, as an attestation on Energy Web X). The result is a verifiable proof that “Task X was executed at Time Y in Region Z with carbon intensity Q gCO₂/kWh.” If someone doubts the claim, the proof is on the blockchain for anyone to verify.

Continuous Optimization: Over time, the system can employ incentives to improve efficiency. For instance, node operators who consistently provide low-carbon compute (by perhaps adding their own renewable energy or load-shifting) could be rewarded. Likewise, if the network notices certain regions becoming cleaner (say a new wind farm installed), it will naturally start shifting more workloads there. The feedback loop encourages the whole ecosystem to move towards cleaner operations, as sustainable nodes get more business.

In practice, this means a company using Carbon-Aware Nomination could submit a batch job and know that the job will run at the best possible time (perhaps an hour later when a green energy surge comes) and in the best location (maybe on a server one country over where it’s a windy night), all without manual intervention. The heavy lifting of “when and where to compute” is handled by the decentralized logic in a transparent way.

How Carbon-Aware Nomination Fits into Energy Web X

Carbon-Aware Nomination is a component of the broader Energy Web X (EWX) ecosystem. EWX is Energy Web’s new architecture for decentralized solutions, and it supports multiple “nomination” methods (i.e., scheduling and matching mechanisms) for every single compute workload of their solutions. Carbon awareness is one powerful approach, but not the only one — some applications might optimize purely on cost or latency, for example. Within EWX:

Solutions can opt-in to Carbon-Aware Nomination if minimizing emissions is a priority, or choose other nomination modules better suited to their needs. This flexible architecture means EWX can cater to different preferences (greenest vs. fastest vs. cheapest, etc.), and Carbon-Aware Nomination is available for any solution that cares about sustainability. Even for applications that prioritize performance, Carbon-Aware Nomination can run in the background or as a secondary filter. For instance, if two nodes are equally capable, why not pick the one on cleaner energy? In this way, the carbon-aware mechanism can enhance other scheduling strategies by adding a sustainability lens. All of this happens while leveraging the security and transparency of Energy Web’s blockchain. The nominations (scheduling decisions) and the resulting proofs are recorded on-chain, which aligns with Energy Web’s mission to use open digital infrastructure for the clean energy transition. EWX provides the trust layer that makes Carbon-Aware Nomination’s claims audit-proof. Decentralized Nomination: Trustless, Transparent, and Resilient

Unlike a traditional cloud scheduler (where one company’s software decides where your job runs), Carbon-Aware Nomination operates without a single controlling entity. The decision process is distributed among many participants and governed by open algorithms. This decentralized approach brings several advantages:

Trustless operations: You don’t have to trust Energy Web or any cloud provider’s claims — you can verify the outcomes yourself on-chain. If a workload was supposed to run on green power, anyone can check the records and confirm it did. This is crucial for companies that need to report emissions reductions to regulators or want to avoid greenwashing. Transparency: Every step, from the carbon data used to the final selection of a node, can be made transparent. Community members could even watch a dashboard of live nominations happening, seeing in real time how the system is chasing the lowest-carbon resources. This level of openness is unheard of in proprietary cloud scheduling. Resilience: Decentralization also means there’s no single point of failure. The nomination process can continue even if one node or one data feed goes down. Multiple nodes participate in making decisions, and the blockchain ensures a canonical record. It’s much harder to corrupt or game the system — doing so would require attacking a broad, global network of participants.

For users, this simply translates to peace of mind. You get a robust service that not only optimizes for sustainability but is also inherently reliable and tamper-proof.

Why Open Source Matters

Energy Web is committed to open-sourcing the entire Carbon-Aware Nomination system. By making it freely available to developers, enterprises, and even competitors, we aim to set a new industry standard for carbon-aware computing. Transparency is a core value here — anyone can inspect the code to understand how decisions are made and suggest improvements. Open source also accelerates innovation: a global community can adapt the tool for new use cases (imagine carbon-aware scheduling for edge devices or for other batch processes like rendering and scientific computing). We’re releasing this under an open license so that this carbon-aware logic can proliferate everywhere, not just within Energy Web’s ecosystem.

Ultimately, climate change is a shared challenge. We believe that by open-sourcing this solution, we enable network effects — more contributions, more adoption, and more emissions saved. No single company can decarbonize IT on its own, but together, we can make carbon-aware computing the “new normal” for all data centers and devices.

Join the Movement

Carbon-aware computing is the future. Whether you’re an enterprise managing thousands of servers, a blockchain enthusiast, or a developer hacking on weekends, you can start integrating Carbon-Aware Nomination into your workflows to make a tangible impact. This isn’t just an Energy Web project — it’s a call to all cloud providers, decentralized network operators, and software platforms: join us in running workloads on clean energy. Imagine a world where every AI training, every render job, every transaction validation automatically seeks out the greenest energy available. That’s what we’re building, and we invite you to build it with us.

The code will be open-sourced on Energy Web’s GitHub (and accessible through our developer portal). We’ll be hosting community calls and tutorials for those who want to implement it or contribute. By working together, we can ensure that the digital infrastructure of the future not only powers our economies — but also heals our planet. It’s time to decarbonize the cloud, one workload at a time.

Carbon-Aware Nomination System for Decentralized Computing is now live was originally published in Energy Web on Medium, where people are continuing the conversation by highlighting and responding to this story.

A Vision for the Future of Microcredentials Image CC BY-ND Visual Thinkery for WAO

This is the final post in a series drawing on insights from a report authored by We Are Open Co-op (WAO) for the Irish National Digital Leadership Network (NDLN). The report explores the historical roots of credentialing, the emergence of microcredentials, and their potential to reshape education and professional development.

This post draws on the insights explored so far to outline a vision for the future of microcredentials. By focusing on inclusivity, open standards, and meaningful recognition, microcredentials can be a transformative tool for education and professional development. Here, we propose actionable steps for organisations to harness their potential and create systems that truly empower learners.

Part 1 — Introduction and Context Part 2 — The Evolution of Credentialing Part 3 — Demystifying Microcredentials Part 4 — Trends Shaping the Future of Microcredentials Part 5 — The Role of Technology in Microcredentialing Part 6 — Challenges and Risks in Microcredentialing Part 7 — A Vision for the Future of Microcredentials (this post) Open Recognition as a Guiding Principle

A key aspect of the future of microcredentials is the principle of Open Recognition, which values learning in all its forms, whether formal, informal, or experiential. By embracing this approach, organisations can ensure microcredentials acknowledge diverse achievements and highlight contributions that might otherwise be overlooked.

For instance microcredentials can help:

Charities — Recognise the skills gained through volunteering, advocacy, and community projects, offering participants portable evidence of their contributions. NGOs — Validate the efforts of community workers, promoting inclusion and recognising the expertise developed in challenging environments. Co-ops — Highlight collaborative and informal learning within member-driven structures, supporting collective progress and innovation. Businesses — Align microcredentials with organisational priorities, such as sustainability or diversity, to strengthen employee development and retention. Higher Education — Create stackable credentials that integrate with degree programmes and reflect industry partnerships, enabling more flexible and relevant learning pathways. The Responsible Use of Technology

Technology plays a critical role in delivering effective microcredentialing systems. Tools like Open Badges and Verifiable Credentials ensure transparency, portability, and security. Digital wallets give learners control over their achievements, while AI can assist in mapping skills and recommending pathways.

However, implementing these tools requires careful consideration. Equity, accessibility, and data privacy must be central to their design to avoid excluding certain groups or compromising trust. By prioritising interoperability and avoiding proprietary systems, organisations can ensure credentials remain functional across platforms and contexts.

Encouraging Cross-Sector Collaboration

The development of impactful microcredentialing systems relies on partnerships across education providers, employers, policymakers, and technology developers. Collaboration can:

Align microcredentials with societal goals and workforce needs. Establish shared quality assurance frameworks to build trust. Pool resources and expertise to address challenges like accessibility and cost.

Such partnerships help ensure that microcredentials are not only useful but also widely recognised and respected.

Embedding Inclusivity and Equity

For microcredentialing systems to achieve their full potential, inclusivity must be at their core. This means designing platforms that are accessible to people with diverse needs, reducing financial barriers, and proactively engaging marginalised communities. Embedding these values ensures microcredentials contribute meaningfully to social equity and support lifelong learning opportunities.

Taking the Next Step

Microcredentials have the potential to celebrate diverse learning experiences, allowing individuals to present their skills and achievements in ways that matter. Whether your organisation is considering a pilot project or a larger-scale initiative, We Are Open Co-op can provide the expertise you need. From strategic planning to technological implementation, we ensure your microcredentialing projects are impactful and learner-focused.

👋 Get in touch with us today to explore how we can support your journey toward a more inclusive and forward-thinking approach to credentialing.

Reframing Recognition: Part 7 was originally published in We Are Open Co-op on Medium, where people are continuing the conversation by highlighting and responding to this story.

The post Driving Value through Innovation: Verified Credential Insights from Cisive PreCheck appeared first on Velocity.

When can you trust a software release? How do you know that a software repo is safe, that it represents the intent of its creators? On the 20th anniversary of Git, these questions are more important than ever.

Obviously, Git lays the foundation for trust in software releases with its ability to sign commits, but the trust of the system is unfortunately shallow. Untrusted content can be merged into a trusted repo, commit histories can be rewritten, and trust can’t be reliably extended into the future. These are crucial issues to solve if we are trusting software that originates in Git … and some pretty crucial software originates with Git, from Microsoft’s vscode or the OpenSSL project to the vue.js framework. Which is what led me to the design of the Open Integrity system. Though Git may look like to the average user like it offers a strong level of trust, it’s a dangerous mirage. Open Integrity makes repo trust a reality.

Open Integrity is still built with Git, meaning that it can be used on GitHub, GitLab, or whatever other Git tool that you prefer. There are no additions required other than the Open Integrity scripts themselves. However, Open Integrity makes trust the default rather than an add-on, establishing a root of trust when a repo is created, defending it against inappropriate additions, and extending that trust to new users and new keys as a project evolves.

Beyond that, Open Integrity’s root of trust can also be used as a DID (decentralized identifier) identity, supporting self-sovereign identity for a user or a project. But taking advantage of that might be the next step. For the moment, let me dive a bit further into the problems of Git’s current trust framework and how I designed the architecture of Open Integrity to resolve them.

A Problem of Trust

The foundation of trust in Git is signing commits with a signing key that is registered with a Git account, but that turns out to be a fragile level of trust because it leaves a number of loopholes.

Signing isn’t required. Even if an account has a legitimate signing key, use of that key isn’t required. Even if a Git hosting service enforces commit signing, unsigned commits can typically still be merged from branches.

Merging doesn’t guarantee signatures. Generally, merging offers one of the biggest gaps in signing security. It’s not just that merged commits can be unsigned, but that a branch can be deleted after merging, leaving no trace as to whether its commits were signed or not.

Things don’t necessarily get better when signing actually occurs.

Repo origin can’t be verified. Though you can verify signed commits belong to the person who currently controls a repo, there’s no way to verify that they haven’t illegitimately taken over the repo since its inception.

Chain of trust functionality is non-existant. On the flipside, there’s no way to show a legitimate transfer of authority between a repo’s originator and its current controller.

Key revocation is weak. Though keys can be manually revoked, there’s no way to automatically do so, and there are no warnings if a revoked key was used for signing.

History can be rewritten. Finally, Git includes a purposeful tool to allow you to rewrite commit history: editing commit messages, rebasing at a large scale, and even removing or changing files! This will change SHA-1 checksums, but as with other dangers here, there’s inadequate messaging to warn of this issue.

Solving the Problems

Solving Git’s trust issues are relatively easy in theory:

Repo ownership needs to be cryptographically provable back to a repo’s origin. Signing needs to be required for commits and merges alike. Commit history needs to be irrevocable. Strong warnings are needed when these conditions aren’t met.

However, nothing is ever that simple in practice. To practically solve the problems required designing an Open Integrity architecture that resolved each of the highlighted problems:

Problem Solution Unverified Origin Inception Commit Unverified Transfer Trust Transition Commit Key Revocation Trust Transition Commit
Improved Logging Signing Not Required Scripted Functions
Defined Settings Merging Issues Scripted Functions
Data Preservation
Defined Settings History Issues Improved Logging
Defined Settings

Here’s how each of these architectural elements work:

Inception Commit. An inception commit is the first commit made to a repo. It locks the repo’s inception (initial) key with an empty commit, and so secures the repo with both the SSH signature and a SHA-1 hash that’s hard to purposefully collide because of the minimalism of the commit.

Trust Transition Commit. Any authorized key can be used to generate a trust transition commit, which is another zero-sized commit. Additional, trusted keys can be added, and keys can also be revoked. This allows both keys and team members to change over the course of a project, which is crucial for an open-source or large-scale project. The first trust transition commit is done with the inception key; after that any authorized key can be used.

Improved Logging. Many of the protections of Open Integrity arise from scripts that incorporate extensive logging, ensuring that users can see that all security measures are being met. This is done with Git commit messages and with git note.

As an example, here is what the commit logging looks like for an inception commit, a trust transition commit, and a key revocation:

Inception Commit:

🔹 Commit: #a3306ef [🏁 Inception Commit] (Signed ✅) ├─ Message: "Initialize repository and establish a SHA-1 root of trust" ├─ Signed by: @a61TkTtL... (🏁 Alice using Device 1 <alice@example.com>) ├─ Empty: true (no files added) ├─ SHA-1 Protection: Constrained content + SSH signature └─ Verification: Platform-independent

Trust Transition Commit:

🔹 Commit: #b24d9c1 [🔑 New Allowed Commit Signers File] (Signed ✅) ├─ Message: "Added second device key for Alice" ├─ Signed by: @a61TkTtL... (🏁 Alice using Device 1 <alice@example.com>) └─ New Authorized Commit Signers: - 🏁 Inception Key explicitly not included for future commits - + @a61TkTtL... (Alice using Device 1 <alice@example.com>) - + @f84PmWnY... (Alice using Device 2 <alice@example.com>)

Key Revocation:

🔹 Commit: #c3d7f12 [🔄 Key Rotation: Removed Alice's Second Device] (Signed ✅) ├─ Message: "Revoked second device key" ├─ Signed by: @f84PmWnY... (Alice using Device 2 <alice@example.com>) ├─ Authorized Commit Signers changed: - 🗑️ @f84PmWnY... (Alice using Device 1 <alice@example.com>) is no longer authorized. - @f84PmWnY... (Alice using Device 2 <alice@example.com>) - @b73RkKpQ... (Bob using Work Laptop <bob@example.com>) - @c58XmWpL... (Charlie using Home PC <charlie@example.com>)

The commits also clearly show when something is done that violates the basic precepts of Open Integrity. For example:

├─ 🚨 ERROR: Commit was signed using a previously revoked key!

Scripted Functions. Logging and the other protections of Open Integrity are available through scripts and one-line “snippet” scripts that can run from aliases. They replace the bare git functions with ones that ensure that each commit or merge meets all the Open Integrity requirements. For example, here’s a git merge alias:

git merge feature-branch --verify-signatures \ --require-author-signature \ --require-committer-authorization

Defined Settings. Git allows settings for repos and workflows; securing these settings can improve the security of repos. “Enforcing Signed Commits and Pull Request Requirements in GitHub” describes how GitHub makes use of these settings; similar functionality is available elsewhere in the Git ecosystem.

Data Preservation. Logging, aliases, and settings together ensure the preservation of some data related to a merge. As the following commit shows, information such as an author’s key is preserved when a merge occurs, along with information that the committer verified the original signature.

🔹 Commit: #fa34d76 [🔀 Merge Commit with Verified Author] (Signed ✅) ├─ Message: "Merge feature-branch: Added authentication layer" ├─ Committer: @c58XmWpL... (Charlie using Home PC <charlie@example.com>) ├─ Author: @e83TkLqM... (Eve using Dev Machine <eve@example.com>) ├─ Author Signature: Verified ✓ (signed 2024-02-10T15:30:00Z) ├─ Committer Authorization: Verified ✓ (in allowed_signers since 2024-01-15) └─ Signatures stored: ./config/verification/signatures

The original author’s signature is not currently preserved due to the complexity of doing so. Working to preserve the signature without having to keep the branch around forever remains on the TODO list for Open Integrity.

Using Open Integrity Now

Open Integrity is available at the OpenIntegrityProject repo. Though it’s still in development, you can get started with it right now.

You should do so if you have a use case for Open Integrity such as:

You’re developing or releasing software through Git that holds sensitive information (such as a digital-asset wallet, a healthcare app, or even a web browser). You’re developing or releasing software through Git that might be used by people or companies that also hold sensitive data (such as financial or medical companies), even if your app does not. You’re developing or releasing software that requires any level of trust from its users. You have a team of developers that changes over time.

The docs at the Open Integrity repo include a more extensive Problem Statement that goes beyond what’s in this article, but the most important file might be the setup_git_inception_repo.sh script, which will create a new Open Integrity repository for you. If you want to better understand how it works under the hood, see One Liners, which also documents step-by-step how to setup and use an Open Integrity repo. Future plans can be found in the Project Roadmap.

Give it a try, and if you have questions, please feel free to open an issue or start a conversation.

I’ve been working on Open Integrity for about a year now. I started this work because I thought the promise of trust implicit in Git was extremely important for software design and release, but that it needed improvement. I hope you’ll agree and find the improvements worthwhile!

IEEE P7012, nicknamed MyTerms—much as IEEE 802.11 is nicknamed Wi-Fi—is a standard we expect to go from draft to done later this year.

But that should not stop us from developing for it. Because what it specifies is laid out plainly in its PAR (Project Authorization Request):

This draft standard covers contractual interactions and agreements between individuals and the service providers they engage on a network, including websites.

It describes how individuals, acting as first parties, can proffer their privacy requirements as contractual terms and arrive at agreements recorded and kept by both sides.

These terms shall be chosen from a collection of standard-form agreements in a roster kept by an independent and neutral non-business entity.

Computing devices and software performing as agents for both first and second parties shall engage using any protocol that serves the purpose.

The first party shall point to a preferred agreement, or a set of agreements, from which the second party shall accept one.

Party-to-party negotiations over terms in any of these contracts or other agreements are outside the scope of this standard. If both parties agree, the chosen contract or agreement shall be signed electronically by both parties or their agents.

A matching record shall be kept by both sides in a form that can be retrieved, audited, or disputed, if necessary, at some later time–and which is available to do so easily.*

MyTerms does not specify what tech to use. It just says what needs to happen. This is to leave development as open as possible.

The main thing is that MyTerms obsolesces cookie notices by putting individuals in charge of their privacy requirements—and putting those requirements in the form of contracts, which individuals proffer as first parties.

Never mind that this hardly seems thinkable to the status quo. The same was once said of the Internet, the Web, email, and other free and open graces we take for granted today.

Putting each of us in charge of our privacy online is what makes MyTerms the most important standard in development today. But only if we make it so.

That’s what we’ll be working on tomorrow at VRM Day—and through the following three days at IIW. VRM Day is free, and IIW is cheap as conferences go (and extremely leveraged). Both are at the Computer History Museum in Silicon Valley.

See you there.

*Shall is  IEEE-speak for will or must. The purpose is to make clear that it does not mean should, could, or any other modal auxiliary verb.

Google is developing a new feature that will allow secure passkey transfers between Android devices through its Google Password Manager service. The functionality, which is currently under development, aims to simplify the process of moving authentication credentials across devices while maintaining security standards. The development follows Google’s recent enhancements to its Password Manager, including improved security features and user interface updates.

The passkey transfer capability is being integrated into Google Password Manager, with recent releases of Google Play Services containing direct references to passkey export and import tools. These developments are part of Google’s broader effort to enhance authentication security and usability on Android platforms. The initiative comes as enterprise adoption of passkeys continues to grow, according to recent FIDO Alliance research.

Just days after Google confirmed it is bringing its next AI upgrade to Gmail, with major privacy implications, there’s more good and bad news for the 3 billion users relying on Google to deliver secure, spam-free email to their phones and computers. It turns out that a dangerous email attack has operated under the radar for years — until now.

First to the good news. Google’s tightening restrictions on the mass delivery of spam emails to your inbox is working and it’s having a devastating impact on the industry spawned to plague you with marketing messages. “Over the last year,” website MarTech says the industry has seen “engagement rates (open and click rates, especially) drop considerably. Their emails only show up in the inboxes of people already engaging with the brand. For most subscribers, the emails are getting flagged as spam.”

Google’s password manager may soon allow you to transfer your passkeys to a new phone, making their use as a login tool even easier.

An APK teardown by AndroidAuthority has found that Google might be working on a potential update that would allow you to export passkeys from one device to another.

Password export and import is already a key feature of many of the best password managers, but the same functionality for passkeys would be a huge step forward.

Challenges and Risks in Microcredentialing Image CC BY-ND Visual Thinkery for WAO

This is the sixth in a series of blog posts drawing on insights from a report authored by We Are Open Co-op (WAO) for the Irish National Digital Leadership Network (NDLN). The report explores the historical roots of credentialing, the emergence of microcredentials, and the opportunities they present for reshaping education and professional development.

While microcredentials present exciting opportunities, their implementation comes with challenges that require careful consideration. Issues such as equity, quality assurance, and unintended consequences must be addressed to ensure these systems benefit learners, organisations, and society as a whole. WAO uses the lens of Open Recognition to help address some of these challenges.

Part 1 — Introduction and Context Part 2 — The Evolution of Credentialing Part 3 — Demystifying Microcredentials Part 4 — Trends Shaping the Future of Microcredentials Part 5 — The Role of Technology in Microcredentialing Part 6 — Challenges and Risks in Microcredentialing (this post) Part 7 — A Vision for the Future of Microcredentials Equity and Accessibility

Microcredentials have the potential to widen participation in education, but they must be designed to include all learners. Organisations need to ensure their systems are accessible to users with diverse needs, including those with disabilities, limited digital literacies, or restricted access to technology.

Financial barriers also pose a challenge. For learners in marginalised communities, the cost of earning and using microcredentials could limit their accessibility. Subsidised or open-access credentialing models can help bridge this gap and make microcredentials a tool for inclusion rather than exclusivity. As can credentialing existing knowledge, skills, and behaviours, in accordance with Recognition of Prior Learning.

Quality Assurance and Trust

One of the most pressing challenges is ensuring that microcredentials maintain credibility and rigour. Open Badges provide a robust digital framework that ensures credentials can be verified and trusted, embedding metadata that describes the skills achieved, the criteria met, and the issuing organisation. This transparency builds trust among stakeholders, enabling credentials to be portable and interoperable across different platforms and contexts.

Image CC BY-ND Visual Thinkery for WAO

However, quality assurance ultimately rests with the issuing organisation. It is their responsibility to ensure that criteria for earning the credential are clear, the evidence supporting the achievement is credible, and the learning experience is both meaningful and relevant. Aligning credentials with recognised national or international standards further enhances their credibility and utility, ensuring they meet the expectations of both learners and employers.

Avoiding Vendor Lock-In

The reliance on proprietary platforms for issuing and managing microcredentials can create significant risks. As mentioned in a prior post, vendor lock-in limits portability and learner control, undermining the principles of openness and inclusivity.

Adopting open standards, such as Open Badges and Verifiable Credentials, ensures that microcredentials are interoperable across systems. This not only protects learners but also encourages innovation by encouraging collaboration between organisations and technology providers.

Data Privacy and Security

Microcredentialing systems rely on digital platforms to issue, store, and share credentials, making data privacy and security critical concerns. Protecting the personal information of learners is both a legal and ethical responsibility.

Open Badges v3 offers solutions by enabling credentials to be controlled directly by learners. Features such as selective sharing ensure that individuals can decide what information to share and with whom. However, care must be taken to avoid systems that lock learners into proprietary platforms, restricting the portability of their achievements.

Unintended Consequences

Microcredentials can create new opportunities for recognition, but poorly designed systems may have unintended effects:

Overloading learners with excessive or narrowly focused credentials can lead to “credential fatigue,” where the value of individual achievements is diminished. Issuing credentials for specific skills or behaviours might inadvertently disadvantage those without them, regardless of their actual capabilities. Systems that favour those with more resources, digital literacy, or prior access to credentialing risk perpetuating inequalities rather than addressing them.

To avoid these pitfalls, microcredentialing systems should adopt Open Recognition principles, which aim to value diverse experiences and learning pathways. Recognising informal, community-based, and lived experiences alongside formal achievements can help ensure inclusivity.

Sector-Specific Challenges

Different sectors face unique challenges when adopting microcredentials:

Charities — Struggle with limited resources to implement digital credentialing systems that are both accessible and effective. NGOs — Face difficulties in ensuring that microcredentials are inclusive for the communities they serve, particularly in low-resource environments. Co-ops — Need to balance member-driven governance models with the technical requirements of interoperable credentialing systems. Businesses — Risk prioritising microcredentials that align only with short-term goals, neglecting broader workforce development needs. Higher Education — Must address resistance from academic departments that may view microcredentials as a threat to traditional degree programmes.

Each of these sectors brings its own priorities and constraints to the table, but many of the challenges share common threads. Limited resources, resistance to change, and technical hurdles can all undermine the successful implementation of microcredentials if not carefully managed. Recognising these shared difficulties can help inform more effective, cross-sector strategies.

Practical Steps for Addressing Challenges

To overcome these challenges, organisations need to adopt thoughtful and inclusive approaches that address both technical and systemic barriers.

Collaborate on shared frameworks that not only ensure technical validity but also assess the clarity of criteria, credibility of evidence, and relevance of learning experiences. These frameworks build trust across institutions and sectors, making microcredentials more valuable and credible. Use open standards like Open Badges and Verifiable Credentials to ensure that microcredentials are portable, secure, and learner-centred. These standards allow credentials to be recognised across platforms and contexts, giving learners more control over their achievements. Focus on recognising diverse forms of learning, including informal, community-based, and experiential achievements. This approach ensures inclusivity and acknowledges the broad spectrum of skills and contributions individuals bring. Continuously evaluate systems for equity and accessibility, addressing barriers such as financial constraints, digital literacy gaps, and platform design issues. By identifying and mitigating these challenges, organisations can expand participation and make microcredentials more inclusive. Looking Ahead

Addressing these challenges requires thoughtful design, collaboration, and a commitment to inclusivity. By developing systems that prioritise accessibility, quality, and openness, organisations can harness the potential of microcredentials to empower learners and drive meaningful change.

In the final post of this series, we will explore a vision for the future of microcredentials, outlining actionable steps for organisations to integrate them into their strategies effectively.

Reframing Recognition: Part 6 was originally published in We Are Open Co-op on Medium, where people are continuing the conversation by highlighting and responding to this story.

Energy Web, WattTime, and Green Software Foundation Unveil Open-Source Carbon-Aware Nomination to Green Decentralized Computing

Zug, Switzerland & Oakland, CA — April 3, 2025 — Energy Web, a global nonprofit building open-source Web3 technologies for the energy transition, WattTime, an environmental tech nonprofit providing real-time grid emissions data, and the Green Software Foundation (GSF) today announced the launch of Carbon-Aware Nomination, an open-source system for scheduling computing workloads based on electricity carbon-intensity. This first-of-its-kind solution leverages GSF’s Carbon-Aware SDK, blockchain technology, and live emissions data from WattTime to ensure that applications run when and where power is cleanest, drastically reducing the carbon intensity of computing workloads.

A New Standard for Carbon-Aware Compute

Carbon-Aware Nomination combines Energy Web’s decentralized computing platform with WattTime’s Automated Emissions Reduction (AER) data feeds and GSF’s Carbon-Aware SDK, allowing any batch job or flexible workload to automatically “chase” the lowest-carbon energy available. Instead of running immediately or in a fixed location, a task can be delayed or relocated — for example, executing at night in a region with abundant wind energy — with the entire decision process orchestrated and verified on the Energy Web X blockchain. Unlike traditional cloud computing tools, this system provides cryptographic proof of the carbon emissions caused, giving enterprises and developers unprecedented transparency into the sustainability of their IT operations.

“Our community has been looking for ways to cut IT emissions without sacrificing performance or trust,” said Mani Hagh Sefat, CTO of Energy Web. “Carbon-Aware Nomination delivers that by leveraging decentralization. By partnering with WattTime and integrating GSF’s Carbon-Aware SDK, we’re injecting the best real-time data into an open, trustless network of computing resources. The result is a game-changer — any organization can now ensure its workloads run with the lowest possible carbon impact, and they can prove it. We’re excited to open-source this tool and work with others to scale it up; this is about creating a new norm for green computing across the industry.”

Collaboration Across Climate-Tech Innovators

WattTime’s leadership echoed the significance of this collaboration.

“This partnership demonstrates how data and technology can come together to fight climate change in new domains,” said Gavin McCormick, WattTime co-founder and Executive Director. “Energy Web’s innovative use of our emissions intelligence, coupled with the Green Software Foundation’s Carbon-Aware SDK, ensures that even computing workloads can automatically prioritize clean energy. We’re thrilled to see Automated Emissions Reduction principles expanding into cloud and blockchain infrastructure. By giving organizations the power to run tasks when renewables are abundant, Carbon-Aware Nomination turns climate intention into action.”

The Green Software Foundation (GSF), which has been advancing sustainability in software development, also sees this as an important milestone. “GSF’s mission is to reduce the environmental impact of software, and integrating our Carbon-Aware SDK into decentralized compute systems represents a major step toward that goal,” said Asim Hussain, Executive Director of Green Software Foundation. “By working with Energy Web and WattTime, we’re proving that sustainability can be a core part of modern computing — measurable, verifiable, and open-source.”

An Open-Source Future for Climate-Smart Computing

The Carbon-Aware Nomination system is fully open-source, with documentation and developer tools provided by Energy Web. Companies and developers can integrate it into cloud workflows, decentralized applications, or scheduling software to begin reducing the carbon emissions of their operations. Because the solution runs on a public blockchain, any sustainability claims are transparent and auditable by third parties.

This initiative also aligns with broader efforts by the tech sector to cut emissions: recent studies estimate that data centers and networks account for over 1% of global electricity use, and industry leaders are keen to mitigate this impact.

By launching Carbon-Aware Nomination in collaboration with WattTime and the Green Software Foundation, Energy Web aims to foster an ecosystem of climate-smart computing. The three organizations plan to engage cloud providers, enterprises, and researchers in adopting the approach. This joint effort showcases the power of cross-sector partnerships, bringing together blockchain-based decentralization, real-time environmental intelligence, and software-driven carbon-aware scheduling.

Energy Web, WattTime, and GSF invite interested partners to join the initiative, contribute to the open-source codebase, and collectively drive a new era of sustainable digital infrastructure.

About Energy Web

Energy Web is a software company developing open-source technologies to accelerate the energy transition. Its decentralized solutions leverage blockchain to create innovative market mechanisms, empowering energy companies, grid operators, and businesses worldwide. (www.energyweb.org)

About WattTime

WattTime is an environmental tech nonprofit that empowers all people, companies, policymakers, and countries to slash emissions and choose cleaner energy. Founded by UC Berkeley researchers, we develop data-driven tools and policies that increase environmental and social good. During the energy transition from a fossil-fueled past to a zero-carbon future, WattTime ‘bends the curve’ of emissions reductions to realize deeper, faster benefits for people and planet. Learn more at www.WattTime.org.

The Green Software Foundation (GSF) is a nonprofit organization under the Linux Foundation. It aims to create a trusted ecosystem of people, standards, tooling, and best practices for building green software and hardware. Members of the GSF represent a balanced mix of for-profits, nonprofits, and academia from around the globe and include several Fortune Global 500 firms. The Foundation operates by consensus.

Three Working Groups, including Software Standards, Hardware Standards, and Policy, and two Committees, Green AI and Developer Relations, currently oversee the Foundation’s ongoing projects. (www.greensoftware.foundation)

Energy Web, WattTime, and Green Software Foundation Unveil Open-Source Carbon-Aware Nomination to… was originally published in Energy Web on Medium, where people are continuing the conversation by highlighting and responding to this story.

April 2025

DIF Website | DIF Mailing Lists | Meeting Recording Archive

Table of contents Decentralized Identity Foundation News; 2. Working Group Updates; 3 Special Interest Group Updates; 4 User Group Updates; 5. Announcements; 6. Community Events; 7. DIF Member Spotlights; 8. Get involved! Join DIF 🚀 Decentralized Identity Foundation News Global Digital Collaboration Summit Announced: Registration Now Open for July Geneva Conference

The Global Digital Collaboration, a new partnership of intergovernmental, standards, and open source organizations, has launched its official member registration websites to advance public-private cooperation on digital infrastructure following the Global Digital Compact. The inaugural conference will be held July 1-2 in Geneva with space for 1,750 attendees.

Register your interest in attending as a DIF community member. We expect to finalize the attendees by May 1.

Those who pre-registered will be automatically migrated to the new site without needing to complete the registration form again.

GC25 Tickets via DIF · Luma Join the Global Digital Collaboration on Wallets & Credentials Be part of a landmark multistakeholder initiative convened by IGOs, SDOs, OSOs, and NGOs to… Kim Duffy It's a Wrap for DIF Labs Beta Cohort

DIF Labs concluded its inaugural Beta Cohort program with a showcase featuring three groundbreaking decentralized identity projects tackling pressing challenges at the intersection of privacy, trust, and digital authenticity. The standout projects included Veranon (enabling private personhood verification), Linked Claims (building trust networks for credentials in an AI-dominated world), and Ordinals Plus (connecting Bitcoin ordinals with decentralized identity). With Beta Cohort 2 applications opening in late April and the program kicking off May 20, DIF Labs continues its mission of supporting human-centric identity solutions that preserve authenticity in our digital landscape.

DIF Labs Beta Cohort Show & Tell Conclusion | DIF Labs science DIF Labs DIDComm and Cloud Data Encryption

The DIDComm Working Group recently published a timely solution for personal data protection in light of Apple's decision to stop offering end-to-end encrypted iCloud storage in the UK. Their article explains how users can maintain privacy by implementing DIDComm encryption before uploading files to cloud services, effectively creating a user-controlled security layer that even cloud providers cannot access. The post highlights practical implementation methods and resources for those interested in this open-source approach to data sovereignty.

Read more:

How to keep user data private while storing it in the cloud By layering End-to-End Encryption (E2EE) on cloud storage services ourselves, we can ensure that our data is protected from unwanted access, even from the storage services themselves. Decentralized Identity Foundation - BlogWorking Groups

🛠️ Working Group Updates

Browse our working groups here

Creator Assertions Working Group

The group discussed the evolution of their work with institutional news media and individual content creators, focusing on the identity claims aggregator model. They explored challenges in documenting assurance levels for identity signals and considered a version of the specification for content creators with autonomous credentials.

👉 Learn more and get involved

DID Methods Working Group

The group conducted a deep dive on the DID Key specification, discussing its maturity, supported key types, and potential improvements. They are working on establishing criteria for recommending certain DID methods and implementing a review process to evaluate which methods are mature enough for standardization, with particular attention to interoperability and adherence to DID core standards.

👉 Learn more and get involved

Identifiers and Discovery Working Group

The team focused on two main areas: implementing a well-known DID configuration for DIF to link DIDs to domain names, and finalizing version 1.0 of the did:webvh specification. They made progress on implementing watcher features for long-lasting DIDs and resolved issues related to metadata, error codes, and DNS-based identity verification systems. The specification will soon be released as version 1.0.

👉 Learn more and get involved

🪪 Claims & Credentials Working Group

The group worked on developing a standardized repository for credential schemas in the decentralized identity space. They explored aspects like key validation, long-term availability of DID documents, and URL operations. They're creating comparative tools for different schema approaches and building a structured organization with community drafts, working group approved, and DIF recommended categories.

👉 Learn more and get involved

Applied Crypto Working Group

The team made progress on several cryptographic aspects of BBS+, including pseudonym generation and Sigma protocols. They discussed the potential adoption of their specification by CFRG, exploring issues around privacy concerns and encoding formats. The European wallets definition now includes a section on zero-knowledge proofs that references BBS and BBS+ signatures, representing significant adoption of their work.

👉 Learn more and get involved

DIF Labs Working Group

DIF Labs is preparing for its next cohort.

👉 Learn more and get involved

DIDComm Working Group

Discussions centered around the Trust Spanning Protocol, potential improvements to DIDComm, and the pros and cons of different encoding methods like CBOR. The team also explored ideas for a user-friendly notification system and addressed issues with connection reuse, concluding with plans for future meetings to further discuss these topics.

👉 Learn more and get involved

If you are interested in participating in any of the Working Groups highlighted above, or any of DIF's other Working Groups, please click join DIF.

🌎 DIF Special Interest Group Updates

Browse our special interest groups here

DIF Hospitality & Travel SIG

The H&T SIG has made substantial progress on their HATPro traveler profile specification, focusing on standardization for names across different cultures and languages while addressing challenges in data transfer protocols. The group refined their implementation guide to include digital wallets and agent interactions, and explored decentralized identity concepts with guest presenters from Condatis showcasing practical applications. Work continues on schema development and integrating verifiable credentials terminology, with thoughtful discussions on balancing legacy systems compatibility with modern data sovereignty principles.

👉 Learn more and get involved

DIF China SIG

👉 Learn more and get involved

APAC/ASEAN Discussion Group

Achraf and Subash from OCBC Bank's blockchain team presented their experience with blockchain, self-sovereign identity, and verifiable credentials. They demonstrated the implementation of a cross-authentication system for multiple bank tenants and the creation of a publicly verifiable claims system using Verifiable Credentials technology. The presentation highlighted a practical financial industry application of decentralized identity technologies.

👉 Learn more and get involved

DIF Africa SIG

The monthly gathering featured a presentation by Anushka Soma-Patel on decentralized identity, digital trust ecosystems, and the Ayra network. The discussion covered data privacy challenges, verifiable credentials, and governance in digital trust systems. The Ayra network was presented as a platform to enable safe, secure, interoperable, and sustainable digital trust ecosystems.

👉 Learn more and get involved

DIF Japan SIG

The group held a session on KERI (Key Event Receipt Infrastructure), an open-source decentralized identity system that offers a blockchain-independent autonomous model. The presentation included a demonstration of verifiable credential issuance using KERI, explaining its key event logs, witness system, and ACDC credential format. Members discussed potential applications and the current maturity of development tools.

👉 Learn more and get involved

DIF Korea SIG

👉 Learn more and get involved

📖 DIF User Group Updates
DIDComm User Group

The group explored enhancing DIDComm with two-factor authentication for SSH, discussing technical implementations and user experience. They proposed improvements to the routing protocol notification system and debated the use of lower trust keys for user-friendly notifications. The team also addressed connection reuse challenges and evaluated encoding methods like Sibor versus Caesar for future versions of DIDComm.

👉 Learn more and get involved

Veramo User Group

👉 Learn more and get involved

📢 Announcements at DIF

Conference season is kicking into high gear, and Internet Identity Workshop 40 is next week! Explore our Events calendar to meet the DIF community at leading Decentralized Identity, Identity, and Decentralized Web events.

🗓️ ️DIF Members

👉Are you a DIF member with news to share? Email us at communication@identity.foundation with details.

🆔 Join DIF!

If you would like to get in touch with us or become a member of the DIF community, please visit our website or follow our channels:

Follow us on Twitter/X

Join us on GitHub

Subscribe on YouTube

🔍

Read the DIF blog

New Member Orientations

If you are new to DIF join us for our upcoming new member orientations. Find more information on DIF’s slack or contact us at community@identity.foundation if you need more information.

The Role of Technology in Microcredentialing Image CC BY-ND Visual Thinkery for WAO

This is the fifth in a series of blog posts drawing on insights from a report authored by We Are Open Co-op (WAO) for the Irish National Digital Leadership Network (NDLN). The report explores the historical roots of credentialing, the emergence of microcredentials, and the opportunities they present for reshaping education and professional development in line with the concept of Open Recognition.

Technology plays a key role in the development and delivery of microcredentials, enabling their portability, transparency, and scalability. By making use of digital tools built on open standards, organisations can ensure that microcredentials are secure, meaningful, and accessible to learners across sectors.

Part 1 — Introduction and Context Part 2 — The Evolution of Credentialing Part 3 — Demystifying Microcredentials Part 4 — Trends Shaping the Future of Microcredentials Part 5 — The Role of Technology in Microcredentialing (this post) Part 6 — Challenges and Risks in Microcredentialing Part 7 — A Vision for the Future of Microcredentials Open Standards: Making Credentials Portable and Trusted

One of the key technological foundations for microcredentials is the use of open standards. Open standards ensure that credentials can be shared and recognised across different systems, making them more portable and trustworthy.

Open Badges, first introduced in 2011, set the stage for this revolution. These digital credentials provide important information, such as what the learner achieved, who issued the badge, and the criteria they met. The latest version, Open Badges v3, goes even further by aligning with a global framework called Verifiable Credentials.

This update brings several improvements:

Learner Control — Credentials can now be managed by the individual rather than being tied to a single institution or platform. No Mandatory Image — While the badge image remains a useful visual, the most important feature is the detailed information embedded in the credential, which helps employers and others verify it easily. Rich Information — Microcredentials can now include deeper context about what was achieved, such as specific skills, the learning process, and connections to recognised frameworks or standards.

These advancements make microcredentials more meaningful and usable, not just in local settings but internationally as well.

Digital Wallets: Empowering Learners

Digital wallets, sometimes referred to as ‘credential management’ apps, are a transformative tool for managing microcredentials. By storing credentials in a secure, user-controlled environment on their mobile device, learners gain full ownership of their achievements. This flexibility allows individuals to share only the information needed for specific opportunities, such as job applications or further study, while maintaining privacy.

For example, a learner could use their digital wallet to share a single credential with a potential employer, without needing to reveal unrelated personal details such as their age or gender. This approach protects privacy and gives learners greater control over how their achievements are presented.

Digital wallets also facilitate the portability of microcredentials, ensuring that they can be recognised across different contexts. For organisations, adopting digital wallet-compatible credentials demonstrates a commitment to learner-centric practices and enhances the usability of their offerings.

Sector-Specific Applications

Technology enables microcredentials to meet the unique needs of different sectors, enhancing their impact and relevance:

Charities — Use digital badges to recognise volunteer contributions, fundraising efforts, and advocacy skills, providing participants with evidence of their impact. NGOs — Leverage open standards to validate community workers’ skills and promote inclusivity in recognition practices. Co-ops — Employ interoperable credentials to highlight informal learning and collaborative problem-solving within member-driven environments. Businesses — Integrate microcredentials with existing professional development platforms to enhance employee upskilling and retention, focusing on sustainability or diversity goals. Higher Education — Adopt technologies like digital wallets to make credentials earned through co-curricular activities or industry collaborations more accessible and portable for students. Balancing Innovation with Responsibility

Technology offers new possibilities for recognising and showcasing skills, but its use must be carefully planned to avoid potential pitfalls. Challenges such as over-reliance on specific vendors, risks to data security, and barriers to access can undermine the effectiveness and fairness of microcredentialing systems.

To address these concerns:

Adopt open-source and interoperable solutions — These reduce the risk of being locked into a single provider’s platform, ensuring flexibility and long-term sustainability. Focus on accessibility — Systems should be designed to include users with a wide range of needs, enabling participation from all, regardless of ability or circumstance. Prioritise data security and privacy — Organisations must implement robust measures to protect sensitive user information, ensuring compliance with relevant regulations and building trust among learners and stakeholders.

By taking a responsible approach, organisations can ensure that their microcredentialing efforts are not only innovative but also equitable, secure, and adaptable for the future.

Looking Ahead

Technology is more than just a way to expand microcredentials — it is reshaping how learning is recognised and valued. By using approaches built on open standards, organisations can create microcredentialing systems that are secure, accessible to everyone, and focused on the needs of learners.

In the next post, we will explore the challenges and risks associated with microcredentialing, including how to address equity, quality assurance, and unintended consequences.

Reframing Recognition: Part 5 was originally published in We Are Open Co-op on Medium, where people are continuing the conversation by highlighting and responding to this story.

Specialists from different fields in the digital identity ecosystem have shed light on what it takes to be accredited for New Zealand’s Digital Identity Services Trust Framework (DISTF). They shared their thoughts during a webinar on March 26 moderated by the Executive Director of Digital Identity New Zealand, Colin Wallis, during which they also explained details about the process and the benefits that come with the accreditation.

The DISTF in New Zealand is a legal framework designed to regulate digital identity services as the country looks to expand its digital ID services. New rules and accreditation system of the DISTF took effect last November.

The objective of the webinar dubbed “DISTF Evaluators Showcase” was to provide an opportunity for those considering a DISTF accreditation to have an understanding of its advantages for small and large scale entities, organizational roles, costs and time frames, and the preparation process for the evaluation of compliance with standards which precedes the accreditation application.

Discussants included security consultant at Middleware Group, Tom Norcliffe; Director of Cyber, Privacy and Resilience at Deloitte which is an accredited evaluator, Marcus Bossert; and Founder of Cianaa Technologies, Rizwan Ahmad, who are all Digital Identity New Zealand members. There was also the Regulatory Practice Manager of New Zealand’s Department of Internal Affairs, Deanne Myers.

The first three speakers took time off to make an introduction of their companies, highlighting their services and key projects across the domains of digital identity and cybersecurity. They also mentioned some of their projects in New Zealand and the institutions they work with.

Bossert, for a start, explained the work Deloitte as a consultancy services firm is doing in the digital security assessment space. He mentioned that the firm offers services in cyber strategy, transformation, digital privacy, trust, and enterprise security, application cloud security, emerging technology solutions, threat detection and response, as well as operational security services. He also said that they have worked extensively on digital identity projects.

He said evaluation for the DISTF accreditation process looks at several factors including enterprise security, cloud security, security and resilience mechanisms, and threat detection and response, among others. The official also explained that the firm plays a significant role in guiding organizations through the accreditation process, helping them to align their cybersecurity and privacy expertise in order to ensure successful transactions.

Accreditation not a mere compliance formality

The accreditation, he insisted, is not just for the purposes of compliances but is something that enables entities demonstrate robust security practices which are vital for building confidence and trust among stakeholders such as boards, customers, and even regulators.

“If you think about why you want to get accredited, you’ve got to think about the stakeholders that are involved in this. But fundamentally, you have to think about it from a more practical and operational perspective as well,” Bossert said.

“Security, privacy, development and operations teams are really interested in knowing that you have solid security practices built in. It is quite valuable for them to understand and have clarity on what the control measures are. So, I see the accreditation process as a mechanism to build confidence that your stakeholders need,” he stated.

“[Thanks to] the work that we do, our knowledge and global network, we can help you accelerate readiness and navigate the shortest path to success, so that we help you focus on those things that really matter, get your accreditation and accelerate operational readiness.”

For his part, Norcliffe from Middleware Group emphasized the importance of the digital ID trust framework, saying it is crucial for most of the work they are doing with government entities and the private sector in New Zealand.

Taking the floor, Ahmad said Cianaa Technologies has a framework on which their team of independent security evaluators offer services which include penetration testing, privacy, and GDPR compliance.

“We assess organizations based on this [framework]. We see whether you’re keeping the information confidential, whether you have the integrity intact, whether your services are available, whether it has non-repetition, and if it has the proper authentication authorization,” he said.

“Now, when we assess your organization based on that, it actually automatically gives up to the right assessment, because if something is missing, then there’s something missing in security.”

Overview of accreditation application process

Myers said the team she manages is responsible for basically all aspects of the accreditation process. She gave an overview of components of the application process required by the Trust Framework Authority (TFA), noting that the entire process is transparent.

“We receive and assess applications for accreditation as a trust framework provider. We monitor ongoing compliance with the requirements of accreditation, assess applications for renewal, and obviously deal with any issues that arise in the course of these processes.”

She explained that a part of the application process requires results of an independent evaluation undertaken by independent evaluators, including a conformance assessment against the New Zealand identification standards. “Those outputs or deliverables will be submitted as part of an application,” she stated.

“There are currently 15 independent security evaluators who have been appointed and three privacy independent evaluators. However, we are currently undertaking an expression of interest process, calling for interest from other agencies who are able and who meet the criteria to be appointed as either a privacy or security evaluator, or both.”

Myers also shared important links and resources which can help those seeking accreditation to better understand what is required of them and how they can go through the process successfully. She also said the application would need to be submitted within 12 months of the standards compliance evaluation.

Understand what you need

The speakers also noted the place of AI in the trust framework evaluation process. Ahmad said while the technology can make a positive contribution to the process, it can also bring about challenges that effect these assessments.

Bossert added that those applying for accreditation must clearly understand what they need, and often, they expect the process to be as quick, painless and cost-effective as possible.

“If you’ve ever done something like an ISO accreditation, you would understand or know that it is very useful to be clear on the scope of accreditation that you’re looking for. So don’t apply for accreditation for areas that you don’t need. For example, if you’re not going to be providing personal information, then don’t sign up for accreditation for that,” he advised.

He also said for evaluators to have their work made easy, those seeking to provide trust services must take certain key factors into consideration, including having the right control and risk management mechanisms in place.

“I would suggest that you have a look at your solution and do a proper risk assessment early on so that you’ve got visibility of those risks and that you can start building in the necessary controls. In terms of risks, if you can demonstrate that you’re actively managing them and you have visibility and control, then that certainly helps to give the confidence needed.”

The aspect of pricing for the evaluation process was also addressed, with the speakers saying the process can range, approximately, from between $10,000 and $50,000, depending on the scope and the level of preparedness of the entity to be evaluated.

Source: biometricupdate.com

The post Experts highlight advantages of New Zealand’s Digital ID Services Trust Framework accreditation appeared first on Digital Identity New Zealand.

Join our community call on April 15th where we will discuss how to strengthen cybersecurity for civil society organizations.

The post Community Call: How to approach cybersecurity in turbulent times appeared first on The Engine Room.

The post Transforming Communications: The Zoom Phone Project at Stevens Institute of Technology appeared first on NJEdge Inc.

HYPR, an Identity Assurance Company, has released the fifth edition of its ‘State of Passwordless Identity Assurance Report.’

The report reveals an increasing misalignment between real-world security risks and outdated authentication methods.

It also highlights the growing risks associated with outdated authentication methods and the rise of new generative AI-related attacks.

However, the report signals a potential turning point in the fight against identity-based attacks, with phishing-resistant authentication methods like FIDO passkeys poised to become the dominant solution within the next two years.

The company states that this is a first in the report’s five-year history.

This device-independent, FIDO Alliance-certified biometric authentication solution helps organizations mitigate the risk of one of workforce security’s most crucial concerns: account takeover.

iProov today launched iProov Workforce MFA. 

This device-independent, FIDO Alliance-certified biometric authentication solution helps organizations mitigate the risk of one of workforce security’s most crucial concerns: account takeover.

All change for Microsoft. The company has suddenly confirmed a major update “for over 1 billion end users,” as the deletion of passwords for all users becomes real. Your Microsoft password, it warns, “could be easily forgotten or guessed by an attacker,” and it’s now time “to completely remove the password from your account.”

“The password era is ending,” Microsoft warned in December. “Bad actors know it, which is why they’re desperately accelerating password-related attacks while they still can.” With “7,000 attacks on passwords [blocked] per second… almost double from a year ago,” the company is on a mission to “convince a billion users to love passkeys.”

A passkey replaces password and two-factor authentication (2FA) codes with account authentication linked to your hardware devices or devices and secured by the same security that unlocks that device, most likely your fingerprint or your face. Unlike passwords, this means a passkey cannot leak or be stolen as it requires that physical hardware device. And unlike 2FA, it cannot be intercepted or bypassed.

First Web3 Global Battery Passport Implementation for Current and Future Regulatory Compliance

Phase I of the Global Battery Passport System Demonstrated Product Traceability with Privacy-Preserving Capabilities and Selective Data Disclosure

Los Angeles—31 March 2025: MOBI, a nonprofit Web3 consortium of global industry leaders, announces the successful completion of the first year in its three-year initiative to build the Global Battery Passport System (GBPS). This milestone marks a significant step in creating a secure, Self-Sovereign Identity and Data framework for seamless data spaces interoperability and digital product passports. MOBI is actively demonstrating data spaces interoperability with other global consortia such as Gaia-X. While the GBPS initiative focuses on battery data exchange as its use case, the underlying technology is agnostic and can be leveraged to enhance trust, compliance, and operational efficiency for all digital transactions and traceability.

MOBI GBPS initiative is being spearheaded by members of the Circular Economy and the Global Battery Passport (CE-GBP) Working Group, including Anritsu, DENSO, HIOKI, Honda, Mazda, Nissan, Orico, Suzuki, and TradeLog.

During Phase I, which took place from January to December 2024, working group members concentrated on evaluating global battery regulatory requirements and developing use cases aligned with Web3 technology for secure data exchange and management. Critically, implementers successfully launched and ran nodes on the federated Integrated Trust Network (ITN), a member-built and operated registry for World Wide Web Consortium (W3C) Decentralized Identifiers (DIDs). The ITN provides the core trust services of governance, authority, identity, and assurance to enable verifiable transactions between Self-Sovereign Digital Twins (user agents) whose DIDs are anchored in the ITN.

Building on the success of Phase I, MOBI and its partners are now advancing to Phase II. In Phase II, implementers will leverage ITN core services to test transactions within the Citopia Decentralized Marketplace (DM). Anticipated technical achievements in Phase II include Web3 ecosystem onboarding, asset ownership traceability, secure data exchange, and Apps building with Citopia DM.

The GBPS shall operate as a specialized user-controlled application within Citopia DM, which supports secure communication, transactions, and data sharing across industries with zero-knowledge proofs. Citopia DM provides the interoperability and data sovereignty that Web3 ecosystems and value chains require. Through this setup, the GBPS shall offer a privacy-focused solution that protects proprietary information and promotes circularity in line with current and future regulations, while serving as a robust foundation for use-case-specific applications rooted in trusted and verifiable battery data, such as:

management of battery passports, used electric vehicle (EV) pricing, green financing and carbon credits, charging management, and more.

While most battery passport solutions focus on public data disclosure, Citopia GBPS emphasizes secure sharing of proprietary data. The GBPS leverages zero trust architecture and selective data disclosure, where only relevant information is shared with intended recipients. This privacy-centric design facilitates regulatory compliance while safeguarding sensitive data, reducing the need for intermediaries and enhancing trust across value chains, creating a Web3 system for data spaces interoperability across borders and stakeholders.

“As current and future regulations develop, solutions like the ITN and Citopia DM are essential for addressing industry and regulatory needs. MOBI is proud to work with our members in developing a solution that is agnostic to existing data spaces along with Web2<>Web3 interoperability to support business objectives in creating a more secure digital future and meeting circular economy goals,” said Tram Vo, CEO and Co-founder of MOBI.

“A global battery passport system has the potential to unlock new levels of traceability, transparency and security in battery-related applications, supporting our efforts to contribute to greener and safer mobility,” said Roger Berg, vice president of North America Research and Development at DENSO. “While that’s an important goal for our team, this solution also represents more than that. It’s a great example of how MOBI and our fellow members are working together to support a more circular economy and sustainable world.”

“The second stage of Phase I has provided further valuable insights to CE-GBP WG partners. In Stage 1, the basic data sharing environment was established. In Stage 2, the first business-related technical capabilities were explored, such as the ownership management of a DID-based asset and the selective disclosure of data between two organizations,” said Christian Köbel of Honda. “These successful learnings have encouraged us to further explore the potential of a self-sovereign data ecosystem to address future challenges of the circular economy.”

“The functionality of DIDs and Verifiable Credentials for reliable data federation among implementing companies has been successfully verified, utilizing the Integrated Trust Network. This endeavor not only demonstrates the potential of these technologies to enhance data federation but also emphasizes the constructive and agile collaboration achieved among implementers within the cooperative framework.” said Yusuke Zushi, Senior Manager at Nissan.

“In Phase 1 of the Global Battery Passport (GBP) system demonstration, we learned that the MOBI GBP can be used to exchange highly confidential information. We want to thank everyone involved in Phase 1,” said implementers at Mazda Motor Corporation.

Said Hisashi Matsumoto of Anritsu, “MOBI’s activities have led to the successful completion of Phase I, moving towards building an ecosystem that enables reliable and secure information exchange. We are grateful to have participated in the verification of use cases with practical operations. We hope that MOBI’s efforts will continue to contribute to a more sustainable circular economy.”

“We are very proud of the great results of Phase I which we have achieved based on our strong relationships with major OEMs, Tier 1 suppliers, and more. It has been an exciting and interesting experience to work with such talented people. We will continue to take on challenges in Phase II in the name of collaboration,” said Alvin Ishiguro, Project Coordination at TradeLog, Inc.

MOBI and its members are committed to driving a future where collaborative, decentralized technologies foster innovation and transparency across industries.

About MOBI

MOBI is a global nonprofit Web3 consortium. We are creating standards for trusted Self-Sovereign Data and Identities (e.g. vehicles, people, businesses, things), verifiable credentials, and data spaces interoperability. Our goal is to make the digital economy more efficient, equitable, decentralized, and circular while preserving data privacy for users and providers alike. For additional information about joining MOBI, please visit www.dlt.mobi.

Media Contact: Grace Pulliam, MOBI Communications Manager

Email: grace@dlt.mobi | Twitter: twitter.com/dltmobi | Linkedin: MOBI

###

The post MOBI Members Lead the Way for Web3 Digital Product Passports and Data Spaces Interoperability first appeared on MOBI | The New Economy of Movement.

In this episode, privacy advocate Zach Edwards returns, joined by ISL’s technology director Irene Knapp, to discuss the real-time bidding data broker supply network. Join us as we get geeky looking at two data brokers in the news–Gravy Analytics and Eskimi–and how adtech entities “listen” to the real-time bidstream protocol, to collect and sell personal information, including location data.

 

The post “Unsafe at Any Click” – Episode 6 appeared first on Internet Safety Labs.

60 Day Public Review - ends May 27th

OASIS and the Topology and Orchestration Specification for Cloud Applications (TOSCA) TC [1] are pleased to announce that TOSCA Version 2.0 CS01 is now available for public review and comment.

TOSCA provides a language for describing application components and their relationships by means of a service topology, and for specifying the lifecycle management procedures for creation or modification of services using orchestration processes. The combination of topology and orchestration enables not only the automation of deployment but also the automation of the complete service lifecycle management. The TOSCA specification promotes a model-driven approach, whereby information embedded in the model structure (the dependencies, connections, compositions) drives the automated processes.

The TC received three Statements of Use from Ericsson, Tal Liron, and Chris Lauwers [3].

The candidate specification and related files are available here:

TOSCA Version 2.0 

Committee Specification 01 

5 December 2024 

https://docs.oasis-open.org/tosca/TOSCA/v2.0/cs01/TOSCA-v2.0-cs01.md (Authoritative)

https://docs.oasis-open.org/tosca/TOSCA/v2.0/cs01/TOSCA-v2.0-cs01.html

https://docs.oasis-open.org/tosca/TOSCA/v2.0/cs01/TOSCA-v2.0-cs01.pdf

For your convenience, OASIS provides a complete package of the prose specification and related files in a ZIP distribution file. You can download the ZIP file at:

https://docs.oasis-open.org/tosca/TOSCA/v2.0/cs01/TOSCA-v2.0-cs01.zip

Members of the TOSCA TC approved this specification by Special Majority Vote [2]. The specification had been released for public review as required by the TC Process.

Public Review Period

The 60-day public review is now open and ends 27 May 2025 at 23:59 UTC.

This is an open invitation to comment. OASIS solicits feedback from potential users, developers and others, whether OASIS members or not, for the sake of improving the interoperability and quality of its technical work.

Comments may be submitted to the project by any person through the use of the project’s Comment Facility. Members of the TC should submit feedback directly to the TC’s members-only mailing list. All others should follow the instructions listed here.

All comments submitted to OASIS are subject to the OASIS Feedback License, which ensures that the feedback you provide carries the same obligations at least as the obligations of the TC members. In connection with this public review  we call your attention to the OASIS IPR Policy [4] applicable especially [5] to the work of this technical committee. All members of the TC should be familiar with this document, which may create obligations regarding the disclosure and availability of a member’s patent, copyright, trademark and license rights that read on an approved OASIS specification.

OASIS invites any persons who know of any such claims to disclose these if they may be essential to the implementation of the above specification, so that notice of them may be posted to the notice page for this TC’s work.

========== Additional references:

[1] OASIS TOSCA TC

[2] Approval ballot

[3] Links to Statements of Use

Ericsson: https://groups.oasis-open.org/higherlogic/ws/public/document?document_id=72612&wg_id=f9412cf3-297d-4642-8598-018dc7d3f409 Tal Liron: https://groups.oasis-open.org/higherlogic/ws/public/document?document_id=72634&wg_id=f9412cf3-297d-4642-8598-018dc7d3f409 Chris Lauwers: https://groups.oasis-open.org/higherlogic/ws/public/document?document_id=72635&wg_id=f9412cf3-297d-4642-8598-018dc7d3f409

[4] https://www.oasis-open.org/policies-guidelines/ipr/

[5] https://www.oasis-open.org/committees/tosca/ipr.php

Intellectual Property Rights (IPR) Policy

The post Invitation to comment on TOSCA Version 2.0 before call for consent as OASIS Standard appeared first on OASIS Open.

This white paper is part of a three-part series on preventing phishing attacks through passkey deployment:

Part 1: Overview – Introduces the concepts of a passkey journey toward phishing prevention. Part 2: Partial prevention – Details strategies for enforcing passkeys in specific scenarios. Part 3: Full prevention – Explains how to achieve comprehensive phishing resistance.

Making your services phishing-resistant takes more than one day because you are not just adopting a new phishing-resistant authentication method. It is a journey with multiple stages where you improve security by strengthening account login and recovery processes. This paper outlines the passkey journey and defines the authentication and recovery requirements for each stage.

Audience

Relying parties and developers who want to protect their applications from phishing attacks by adopting passkeys.

You can read the white papers on Passkey Central or use the following buttons to download PDF versions.

Part 1: Overview

Introduces the concepts of a passkey
journey toward phishing prevention.

Download Part 1. Overview Part 2: Partial Prevention

Details strategies for enforcing passkeys
in specific scenarios.

Download Part 2. Partial Prevention Part 3: Full Prevention

Explains how to achieve comprehensive
phishing resistance.

Download Part 3. Full Prevention

The post Digital Credentials: Enhancing Trust, Expanding Opportunity, Enabling Mobility appeared first on Velocity.

public review ends April 28th

 OASIS and the OpenC2 TC are pleased to announce that OpenC2 JSON Abstract Data Notation (JADN) Version 2.0 is now available for public review and comment. 

JSON Abstract DataNotation (JADN) is an information modeling language based on Unified Modeling Language (UML) logicalDataTypes, used to both express the meaning of data items at a conceptual level and formally define andvalidate instances of those types. JADN uses information theory to define logical equivalence, which

enables representation of essential content in a wide range of formats and ensures translation among representations without loss.

The documents and all related files are available here:

OpenC2 JSON Abstract Data Notation (JADN) Version 2.0

Committee Specification Draft 01

19 February 2025

Editable source:

https://docs.oasis-open.org/openc2/jadn/v2.0/csd01/jadn-v2.0-csd01.md (Authoritative)

HTML:

https://docs.oasis-open.org/openc2/jadn/v2.0/csd01/jadn-v2.0-csd01.html

PDF:

https://docs.oasis-open.org/openc2/jadn/v2.0/csd01/jadn-v2.0-csd01.pdf

For your convenience, OASIS provides a complete package of the specification document and any related files in a ZIP distribution file. You can download the ZIP file at:

https://docs.oasis-open.org/openc2/jadn/v2.0/csd01/jadn-v2.0-csd01.zip

How to Provide Feedback

OASIS and the OpenC2 TC value your feedback. We solicit input from developers, users and others, whether OASIS members or not, for the sake of improving the interoperability and quality of its technical work.

The public review is now open and ends April 28, 2025 at 23:59 UTC.

Comments may be submitted to the project by any person through the use of the project’s Comment Facility. Members of the TC should submit feedback directly to the TC’s members-only mailing list. All others should follow the instructions listed here. 

Please note, you must log in or create a free account to see the material. Please contact the TC Administrator (tc-admin@oasis-open.org) if you have any questions regarding how to submit a comment.

All comments submitted to OASIS are subject to the OASIS Feedback License, which ensures that the feedback you provide carries the same obligations at least as the obligations of the TC members. In connection with this public review, we call your attention to the OASIS IPR Policy [1] applicable especially [2] to the work of this technical committee. All members of the TC should be familiar with this document, which may create obligations regarding the disclosure and availability of a member’s patent, copyright, trademark and license rights that read on an approved OASIS specification. 

OASIS invites any persons who know of any such claims to disclose these if they may be essential to the implementation of the above specification, so that notice of them may be posted to the notice page for this TC’s work.

Additional information about the specification and the OpenC2 TC’s can be found at the TC’s public home page: https://www.oasis-open.org/committees/openc2/

Additional references:

[1] https://www.oasis-open.org/policies-guidelines/ipr/

[2] http://www.oasis-open.org/committees/openc2/ipr.php

Intellectual Property Rights (IPR) Policy

The post OpenC2 JSON Abstract Data Notation (JADN) Version 2.0 CSD01 – Available for comment appeared first on OASIS Open.

The post Verifiable Credentials – Bringing Trust and Truth to Talent Acquisition appeared first on Velocity.

Kia ora,

A Farewell Message

This is the final DINZ newsletter under my watch, but if the writing style seems familiar in April’s newsletter you’ll know that AI has been deployed or my successor hasn’t been fully onboarded .

It’s been a blast, it really has! I’m satisfied with DINZ’s development under my tenure. No regrets. DINZ has punched way above its weight with minimal resources – only made possible by larger organisations whose support enabled volunteer members and supporters from organisations of all sizes to dedicate time and expertise to deliver our mahi on its mission. You know who you are, so thank you! 

Thanks also to the DINZ Executive Councils I have served over the years. It’s a largely unheralded gig, but governance in emerging ecosystems is crucial.

DINZ Updates

The DINZ Biometrics Special Interest Group submitted again on the Biometrics Code of Practice this month. Neither DINZ or NZTech are supportive of the code at this time, instead advocating for expert prepared Guidance to improve biometrics implementation best practice for all stakeholders, including privacy specialists who may not necessarily be biometric experts. By the time you read this, our webinar ‘Meet the DISTF Evaluators’ will be underway with over 100 registrations – the first educational session on this aspect of the regime as DINZ members enter the final week of free access to InformDI’s 7 Chapters DISTF online education suite.    DINZ members please complete the DISTF survey emailed to you by 14 April. The Next Gen Payments Consultation from DINZ member PaymentsNZ is due this Friday, so get yours in today!         

Industry Insights

There are some ‘green shoots’ appearing in Aotearoa New Zealand’s digital identity space, but we have years of catch-up ahead to regain our global leadership. We have to be more nimble, smart and collegial in all dimensions (detailed examples too much for the newsletter’s word count), but suffice to say that it’s Kiwi companies like MATTR, Authsignal, JNCTN, APLYiD, MyMahi and others that keep us on the map globally.

While taking more leisure time, I’m open to some advisory work leveraging my decades of knowledge, experience and contact networks in both local and international settings not often possible in this role. 

What’s Happening Around the Globe

As always, I’m sharing links to global news that resonated with me.

Passkey adoption is growing globally – no surprise to Authsignal who have secured business on nearly all continents in the past few weeks. This article argues the case for local biometrics software testing and resonates exactly with DINZ’s Kiwi faces dataset project that requires stakeholder support before it can proceed. DINZ member NEC takes top score in the offshore tests that are available. I found recent pundit Jamie Smith’s post on the fraud market quite thought provoking, although I don’t fully agree with him that Organisational Identity has been under a shadow. In NZ it’s not helped by agency responsibilities being split between MBIE and DIA. OI forms a major plank of Get Verified in the payments world but there are other worlds of course. That brings me to another Jamie Smith post on Edeleman’s Trust Barometer (in the comments) where Aotearoa’s own Āhau gets a mention.   And for those technical and following mDL this link and this link show just how quickly this space is evolving and maturing.

Final Thoughts

That’s it! Make sure you do something ‘identiful’ in April or attend the regional virtual catch ups on Identity Management Day and I’ll see you all soon out there in cyber.

Ngā mihi,

Colin Wallis
Executive Director, Digital Identity NZ

Farewells, new beginnings and the constant that is change

Read full news here: Farewells, new beginnings and the constant that is change

SUBSCRIBE FOR MORE

The post Farewells, new beginnings and the constant that is change appeared first on Digital Identity New Zealand.

New TC aims to implement consistent tagging and metadata frameworks across data ecosystems—down to database, table, and column levels—to provide comprehensive data lineage and collection details tracking and support responsible data use, privacy, and compliance across all industries.

A new OASIS TC is being formed. The Data Provenance Standards (DPS) TC has been proposed by Cisco, the Data & Trust Alliance, IBM, Intel, Microsoft, Red Hat, and others listed in the charter below. The public TC homepage is here.

All interested parties are welcome to join this TC. The eligibility requirements for becoming a participant in the TC at the first meeting are:

You must be an employee or designee of an OASIS member organization or an individual member of OASIS, and You must join the TC, which members may do by using the Roster “join group” link on the TC’s web page or by clicking here.

To be considered a voting member at the first meeting:

You must join the TC at least 7 days prior to the first meeting on or before April 1, 2025; and You must attend the first meeting of the TC on April 8, 2025. Note: no work, including technical discussions or contributions, may occur prior to the first TC meeting.

Participants also may join the TC at a later time.

If your employer is already on the OASIS TC member roster, you may participate in DPS TC (or any of our TCs) at no additional cost. Find out how.

If your employer is not a member, we’re happy to help you join OASIS. Contact us to discuss your options for TC membership.

Please feel free to forward this announcement to any other appropriate lists. OASIS is an open standards organization; we encourage and welcome your participation.

CALL FOR PARTICIPATION

OASIS Data Provenance Standard Technical Committee Charter

The charter for this TC is as follows:

Section 1: TC Charter1.a. TC Name
Data Provenance Standards Technical Committee (DPS TC)1.b. Statement of Purpose
Provenance matters. We understand the sources of food, water, medicine, and capital-essential in our society to gauge quality and trust-and must now work to understand data, the fuel of our increasingly knowledge- and AI-centric world. For the purposes of this document and related TC efforts, provenance, pedigree, and lineage are recognized as distinct but interconnected concepts. The TC will prioritize early efforts to define how these terms-ranging from origin and history to granularity at the geographic, organizational, and individual levels-are scoped and applied to benefit all stakeholders. This will ensure comprehensive, practical, and actionable standards while mitigating ambiguity and scope constraints. 

Of course, building trust in data starts with transparency of provenance-assessing where data comes from, how it’s created, and whether it can be used legally. Yet, the ecosystem still needs a common language to provide that transparency. Establishing shared provenance standards is foundational to fostering trust in data and AI-driven systems. 

Over the past 18 months, the Data & Trust Alliance, in collaboration with industry organizations such as the EDM Council and AI Alliance, has worked to normalize and map its data provenance standards to existing initiatives while identifying practical adoption paths. For example, based on recommendations from the AI Alliance, the Data & Trust Alliance’s metadata framework has been integrated into Hugging Face model cards to promote provenance transparency in AI development. 

Using Version 1.0.0 of the Data Provenance Standards, defined by a working group of industry leaders from the Data & Trust Alliance, the OASIS Data Provenance Standards Technical Committee aims to advance data transparency, accountability, and trust by solidifying provenance standards into a universal data governance norm. 

This initiative will focus on implementing consistent tagging and metadata frameworks across data ecosystems-down to database, table, and column levels-to provide comprehensive data lineage and collection details tracking and support responsible data use, privacy, and compliance across all industries. The Committee will consider trust in data, ensuring that provenance, lineage, pedigree, and ultimately transparency support trust-building efforts in AI and data ecosystems. The Committee will consider existing trust models where relevant, ensuring alignment with industry best practices while remaining focused on provenance as a key enabler of trust. 

By establishing these standards, the Committee will enhance data life-cycle management, facilitate regulatory adherence, and reinforce trust in AI-driven and data-dependent applications. The Committee will also explore opportunities for integrating automated tools to generate and validate metadata, ensuring scalability and ease of adoption while maintaining trust and compliance. 

The goal is to create actionable standards that deliver measurable business value, such as enhanced operational efficiency and trust in AI systems, and to encourage adoption by demonstrating clear ROI for both data providers and consumers.1.c. Business Benefits 
It is expected that these standards will benefit all data and AI stakeholders, including:
-data suppliers (e.g., data producers, technology companies)-who will be able to deliver clear and consistent data lineage information, making their datasets more valuable and trustworthy. Compliance can combat piracy and misuse.
-data acquirers (e.g., data-driven organizations, regulatory bodies)-who will benefit from greater transparency and being better able to assess the reliability and intended usage of datasets and to request changes or reject data sets when necessary. Higher performing AI tools can be a direct outcome.
-end-users (consumers)-who will gain insight into how their data is managed and protected, and thus become more trusting in representative/non-biased data-driven solutions. 

These standards will:
-enable data suppliers to provide standardized, consistent metadata on data lineage and provenance
-support data acquirers in managing compliance and mitigating risks associated with data privacy, security, and intellectual property rights
-help end-users by ensuring transparency in data handling and increasing trust in digital services. 

The standards will be relevant to professionals across various domains, including: 
-data governance professionals (including legal and compliance stewards)
-IT and compliance officers
-AI and data scientists
-business and industry professionals who rely on trusted data for decision-making. 

Adoption will be driven by enterprise demand for metadata-tagged datasets that offer faster access, reduced compliance risks, and improved decision-making. The availability of automated tools for metadata tagging and validation will significantly lower adoption barriers and costs for data providers.1.d. Scope
The TC will develop cross-industry standards for defining data provenance, pedigree, lineage, and metadata-tagging frameworks. These will support tags at the database, table, and column levels, as well as metadata for graph databases, NoSQL databases, and data exchanged via APIs and other non-database structures. 

The scope includes creating guidelines and schemas for managing the data life cycle and tracking provenance, pedigree, and lineage across diverse data architectures and transmission methods. While highly domain-specific adaptations may require additional tailoring by industry groups, these standards are intended to provide a flexible foundation that is applicable across multiple sectors. 

Additionally, provenance-related geolocation metadata will encompass latitude/longitude, political/geographical boundaries, organizational context, and person-based attributes where relevant, supporting trust assessments based on data origin. 

The TC will also provide guidance on the development and integration of tools for automating metadata tagging, validation, and transformation, to ensure accuracy and compliance. The scope of these standards does not include tagging for misinformation, disinformation, or malinformation (“mis/dis/mal”); rather, such determinations are beyond provenance and are expected to be derived by users (e.g., AI/ML systems) externally to these specifications. 

The TC will prioritize datasets that are critical for AI/ML applications and enterprise use cases, balancing comprehensive tagging with practical implementation considerations.1.e. Deliverables 
Expected deliverables include: 
-Committee specifications for standardized data provenance tags
-Committee notes and/or guides on how to implement the standards
-supporting documentation such as glossaries, UML models, and metadata requirements documents
-guidelines for integrating tools to automate metadata tagging, validation, and life-cycle management
-additional deliverables as determined by the Technical Committee, such as reference implementations, case studies, interoperability frameworks, based on ongoing needs and industry developments, or a study on how the standards align and enable compliance (for AI providers) with transparency regulation in the AI space as well as the benefits of the standards to data providers. 

The Technical Committee aims to release initial drafts by mid-2025. This will be followed by public feedback phases and iterative refinements, with the goal of finalizing and publishing the standards by late 2025. Timelines may be adjusted based on industry input and the progress of Committee discussions.1.f. IPR Mode
Non-assertion1.g. Audience
Participants will include AI ethics and privacy specialists, data governance and compliance professionals, IT managers, and regulatory advisors from various industries, particularly finance, healthcare, and retail.1.h. Language
English(Optional References for Section 1)
Data & Trust Alliance website detailing work to date on data provenance standards 
GitHub repository with technical specifications
Standards Executive Briefing
IBM’s IBV report with results of data provenance standards testing – 58% reduction in data clearance processing time for third-party data and a 62% reduction in data clearance processing time for IBM-owned or generated data
Use cases –four key areas of practice to help with understanding and sharing the standards
Section 2: Additional Information2.a. Identification of Similar Work
Similar or related work includes: 
-NIST (https://www.nist.gov/itl/ai-risk-management-framework)
-EDM Council (https://edmcouncil.org/frameworks/cdmc/) with which the Data & Trust Alliance has collaborated and mapped to the CDMC; in the upcoming CDMC refresh we will have full alignment in our metadata
-MIT Media Lab (https://www.media.mit.edu/projects/data-provenance-for-ai/overview/) with which the Data & Trust Alliance has coordinated and determined that there are synergies but no duplication of effort
-W3C (https://www.w3.org/TR/prov-dm/) which is focused on web provenance; the Data & Trust Alliance has mapped its metadata to components of PROV, demonstrating minimal overlap
-complementary initiatives including the ISO standards for data management, the FAIR principles, and other industry-specific data governance frameworks
– the AI Alliance having adopted the standards for its definition of data trust
-OSIM (Open Supplychain Information Modeling (https://www.oasis-open.org/tc-osim/)-the framework for structuring and exchanging supply chain data, enabling interoperability, transparency, and efficiency across industries
-DAD-CDM (Common Data Model for Defending Against Deception, https://github.com/DAD-CDM) which provides a standardized data model for AI and data development, thus enhancing interoperability, consistency, and efficiency across diverse data ecosystems
-COSAI (https://www.coalitionforsecureai.org/) which is focused on developing and promoting security standards, best practices, and policies to ensure the safe and responsible development and deployment of AI technologies
-Apache Atlas (https://atlas.apache.org/) which provides metadata management and governance capabilities that align with the data provenance standards by enabling structured metadata tagging and lineage tracking across enterprise data ecosystems
-OpenLineage (https://openlineage.io/) which offers an open framework for capturing and standardizing data lineage, complementing the data provenance standards by ensuring transparency and traceability in data workflows
-Community Data License Agreement (CDLA) (https://cdla.dev) which offers collaborative licenses designed to facilitate the open sharing, access, and use of data among individuals and organizations.

The DPS TC will differentiate itself by creating a cross-industry standard that focuses on comprehensive data provenance, pedigree, and lineage tracking, responsible (from an IP and privacy perspective) AI use, and regulatory compliance support, filling a gap for generalizable and adaptable provenance standards.2.b. First TC Meeting
April 8, 2025 @ 1pm ET, via a virtual format2.c. Ongoing Meeting Schedule
Meetings will be held monthly.2.d. TC Proposers
Lisa Bobbitt, Cisco, lbobbitt@cisco.com
Kristina Podnar, Data & Trust Alliance kpodnar@dataandtrustalliance.org
Saira Jesani, Data & Trust Alliance sjesani@dataandtrustalliance.org
Asmae Mhassni, Intel, asmae.mhassni@intel.com
Kelsey Schulte, Intel, kelsey.schulte@intel.com
Mic Bowman, Intel, mic.bowman@intel.com
Peter Koen, Microsoft, jaywhite@microsoft.com
Babak Jahromi, Microsoft, babakj@microsoft.com
Jay White, Microsoft, jaywhite@microsoft.com
Stefan Hagen, Individual, stefan@hagen.link
Janaye Minter, NSA, vjminte@uwe.nsa.gov
Duncan Sparrell, SFractal, duncan@sfractal.com
Roman Zhukov, RedHat, rzhukov@redhat.com
Lee Cox, IBM, Lee.Cox@uk.ibm.com2.e. Primary Representatives’ Support 
I, Omar Santos, as OASIS primary representative for Cisco, confirm our support for the Data Provenance Standard TC and our participants listed above.
I, Kristina Podnar, as OASIS primary representative for Data & Trust Alliance, confirm our support for the Data Provenance Standard TC and our participants listed above.
I, Jeffrey Borek, as OASIS primary representative for IBM, confirm our support for the Data Provenance Standard TC and our participants listed above.
I, Dhinesh Manoharan, as OASIS primary representative for Intel, confirm our support for the Data Provenance Standard TC and our participants listed above.
I, Jay White, as OASIS primary representative for Microsoft, confirm our support for the Data Provenance Standard TC and our participants listed above.
I, Vincent Boyle, as OASIS primary representative for National Security Agency, confirm our support for the Data Provenance Standard TC and our participants listed above.
I, Mark Little, as OASIS primary representative for RedHat, confirm our support for the Data Provenance Standard TC and our participants listed above.2.f. TC Convener    
Kristina Podnar, Data & Trust Alliance, kpodnar@dataandtrustalliance.org2.g.  Anticipated Contributions
Standards Executive Briefing
GitHub repository with technical data provenance standards specifications, code snippets, documentation for standards adoption
Use cases – four key areas of practice to help with understanding and sharing the standards
Metadata generator – the TC will assess the feasibility of existing prototypes, such as the metadata generator, and recommend enhancements to align with the standards

The standards may serve as a precursor to broader frameworks like AI Bills of Materials (AI BOMs), enhancing traceability and compliance.2.h. FAQ Document
https://dataandtrustalliance.org/work/data-provenance-standards2.i.  Work Product Titles and Acronyms
Data Provenance Metadata Specification
Data Lineage Standard for AI Compliance
Data Transparency and Accountability Standards

The post Call for Participation: Data Provenance Standards Technical Committee (DPS TC) appeared first on OASIS Open.

Beginning in 2025 The Engine Room will be hosting and maintaining the Cybersecurity Assessment Tool (CAT) in our support programming.

The post Re-homing the Cybersecurity Assessment Tool (CAT) appeared first on The Engine Room.

The media release is an official statement by the Swiss Federal Government announcing the strategic direction and implementation steps for digital identity and trust infrastructure.

On 21 January 2025, the Swiss Federal Office of Justice (FOJ), in collaboration with the Federal Chancellery and the Federal Office of Information Technology and Telecommunications (FOITT), published an important statement on the future of digital identity and trust infrastructure.

As DIDAS – the Swiss association for digital trust – we are proud to have actively contributed to this milestone. Through constructive consultation, cross-sector collaboration and the sharing of insights from our community, we helped shape the direction of this foundational work. A special thank you goes to our co-authors and all those who support this joint effort.

Digital trust infrastructure – such as the E-ID, verifiable credentials, and interoperable wallets – is essential for the digital resilience and competitiveness of Switzerland. These are not just technological building blocks, but key enablers of a sovereign, secure and citizen-centric digital society.

This milestone also directly connects with the recently published vision by FIND and the State Secretariat for International Finance (SIF):
👉 Pathway 2035: Unlocking Financial Innovation for Switzerland

The message is clear: Switzerland’s ability to lead in financial innovation depends on a trusted digital foundation. At DIDAS, we are committed to enabling this foundation – bringing together policy, technology, and ecosystem actors to reduce friction, build interoperability, and establish trust by design.

Because in the end, Digital Trust is not a nice-to-have – it is a strategic imperative for Switzerland’s future.

Digital Trust is now firmly positioned on Switzerland’s strategic, political, and economic agenda.

#DigitalTrust #EID #TrustInfrastructure #Switzerland #SIF #FIND #Pathway2035 #FinancialInnovation #DIDAS

Do you ever think about food safety when you sit down for a meal? It’s easy to take for granted, but behind every meal, strict standards and practices ensure the food we consume is safe.

In this replay episode, we revisit our conversation with Darin Detwiler, Founder and CEO of Detwiler Consulting Group. Darin’s path to food safety is deeply personal, driven by the tragic loss of his son to E. coli.

Darin shares how the food safety industry is adapting to technological advancements like data analytics, AI, and digital solutions while meeting the ongoing demand for consistent production. If you've ever wondered about the efforts behind keeping food safe, this episode provides an inside look at the evolving food safety landscape and how we can continue protecting consumers in a rapidly changing environment.

 

In this episode, you’ll learn:

How digital solutions like data analytics and blockchain balance long-term and short-term food safety goals

The need for courage in food safety leadership to proactively manage and prevent crises

The power of social media to help improve food safety and transparency

 

Jump into the conversation:

(00:00) Introducing Next Level Supply Chain

(00:45) What led Darin into the food safety industry

(04:05) What Detwiler Consulting Company offers

(09:20) New technology and trends in the food safety industry

(14:08) How Darin and his team use AI and evolve it

(16:39) Big failures that have taken place in the food safety industry

(23:47) Darin’s favorite technology at the moment

 

Connect with GS1 US:

Our website - www.gs1us.org

GS1 US on LinkedIn

 

Connect with the guest:

Darin Detwiler on LinkedIn

Check out Detwiler Consulting Group

The post As we drive the adoption of globally mobile digital credentials, it’s critical to distinguish between Trust and Quality – two distinct but equally important challenges. appeared first on Velocity.

This document is intended to highlight areas where FIDO offers the best value to address U.S. Government use cases as an enhancement of existing infrastructure, while minimizing rework as U.S. Government Agencies advance their zero trust strategies with phishing-resistant authentication tied to enterprise identity as the foundation.

For any questions or comments, please contact feedback@fidoalliance.org.

Note this white paper has been revised – March 2025.

DOWNLOAD THE WHITE PAPER

At ISL we pride ourselves on being dispassionate truth-seekers when it comes to assessing risky behaviors in technology. But this moment in history requires expressing our passion for truth and our core values more openly.

What’s currently happening in the US is, by design, disruptive, disorienting, and discouraging for many. The calculated dehumanizing of trans people and immigrants coupled with the TESCREAL eugenics AI agenda elucidated by Timnit Gebru1 foretells a worrying, broader dehumanization campaign ahead. As does the ongoing systematic removal and censorship of any kind of diversity, trans rights or related language on government sites. These actions inexorably lead to the detention and removal of targeted people, which, sadly, has begun.

This moment calls for pausing, ignoring the external chaos and looking within, to our own guiding north stars and speaking out for the values within us that reflect deep truths. Deep truths such as: love and celebration of diversity being vital for both humankind’s and the planet’s survival; it’s certainly vital for the work that we do every day at ISL.

Diversity, equity, and inclusivity are the way. Any other exclusionary, reductive, oppressive, dehumanizing way is antithetical to the truths of human kinship and interdependence and denies the reality that healthy ecosystems need diversity to sustain and thrive.

ISL exposes safety risks inherent in tech when used as intended. In other words, we’ve been establishing reasonable safety standards for the behavior of software-driven products and services. But how can we contemplate “safety” without the necessary question: “for whom?”

Many people think that ISL is solely focused on the safety of tech used by children. It may surprise you to know that that’s not our mission. It’s the brunt of our currently funded work, but our corporate vision is:

“A world where all digital products are safe for humans and humankind.”

In other words, safety for all.

I take this moment to reaffirm ISL’s commitment to prioritizing and fostering conditions to create a truly diverse, inclusive, and equitable organization.

Footnotes:

https://firstmonday.org/ojs/index.php/fm/article/view/13636/11599

The post The Tao of Diversity, Equity, and Inclusivity appeared first on Internet Safety Labs.

Recent developments in the UK have once again highlighted the importance of user-controlled encryption for protecting personal data. Due to government demands in the United Kingdom, Apple has recently announced that they have stopped offering end-to-end encrypted iCloud storage, Advanced Data Protection (ADP), to new users, and will disable the feature to all users in the country at an unknown point in the future.

What does this mean for you? 

In the short term it means that UK user data is less protected, and potentially vulnerable to misuse or breaches. Without end-to-end encryption (E2EE), data stored in iCloud is accessible to Apple and, by extension, potentially to government agencies and bad actors. In the long term it sets a dangerous precedent that Apple can turn off this crucial security feature for any group of users at any time, raising concerns about digital privacy worldwide.

What can we do about it?

The answer is relatively simple, we need to encrypt our own data. 

Relying on a third party to keep our personal data safe — even big names like Apple, Amazon, or Microsoft — will always carry risk. Policies change, and external governmental pressures can force providers to weaken security measures, leaving the user exposed.

By layering End-to-End Encryption (E2EE) on cloud storage services ourselves, we can ensure that our data is protected from unwanted access, even from the storage services themselves (in case they want to mine the content of our data).

And the best part? We can do it for free by using DIDComm!

What is DIDComm?

One powerful and open-source solution for encrypting data before cloud storage is the DIDComm protocol. Hosted by the Decentralized Identity Foundation (DIF), DIDComm provides a secure, private communication methodology built on Decentralized Identifiers (DIDs). 

When used to establish an end-to-end encrypted channel, DIDComm ensures that only essential delivery metadata remains in plaintext, while everything else — including the body, attachments, etc — is encrypted for intended recipients only. In practice, this means that we can use the DIDComm message format to encrypt files as they are prepared to be synchronized from a local folder to the cloud storage service and ensures that only the intended recipient (you) can access them.

How to use DIDComm for cloud encryption

Steve McCown, Chief Architect at Anonyome Labs, was the first to create a practical method for encrypting files with DIDComm before storing them into the cloud. His recent GitHub release provides a thorough breakdown of how it all works and offers a step-by-step guide.  

For those looking to dive deeper, 

Join one of our upcoming DIDComm user group calls Join the discussion on DIF’s Discord in the #didcomm-user-group channel

New figures reveal that over 200,000 users of myGov password stopped using passwords in favour of exclusively using passkeys as their login method by the end of last year.

VicRoads, Victoria’s road transport authority, has implemented a passkeys authentication system as part of its digital security enhancement initiative, marking a significant step in Australia’s broader transition toward advanced digital identity solutions. The new system moves away from traditional password-based authentication methods toward a more secure passwordless approach, following similar changes by major technology providers like Microsoft in recent months.

Fime’s testing laboratories in both EMEA and Taiwan have obtained full accreditation under the FIDO Alliance Identity Verification (IDV) Certification Programme.

This certification allows the company to assess and validate identity verification vendors’ Document Authenticity and Face Verification solutions, contributing to fraud prevention efforts while ensuring compliance with industry standards.

Growing concerns over deepfakes drive standardisation 

The introduction of FIDO’s IDV Programme comes in the context of increasing concerns about AI-driven fraud. According to the official press release, despite over 70 billion digital identity verification checks conducted in 2024, more than half of users remain worried about the risks posed by deepfakes and other fraudulent activities. The programme establishes a unified accreditation process to ensure remote identity verification solutions are secure and resistant to manipulation. 

A representative from Fime stated that remote identity verification is essential for sectors such as banking and digital ID enrolment, given the rapid advancements in deepfake technology. The official highlighted the importance of FIDO IDV Certification in helping service providers ensure that their vendors deliver reliable, validated solutions capable of protecting users and mitigating risk. 

Officials from the FIDO Alliance emphasised that the certification programme is designed to strengthen security during onboarding and enrolment processes. They noted that, alongside biometric component certification, this initiative aims to reduce reliance on traditional passwords while enhancing security and user experience.

87% of companies have, or are in the midst of, rolling out passkeys with goals tied to improved user experience, enhanced security, and compliance, according to the FIDO Alliance.

Key findings

Enterprises understand the value of passkeys for workforce sign-ins. Most decision makers (87%) report deploying passkeys at their companies. Of these, 47% report rolling out a mix of device-bound passkeys (on physical security keys and/or cards) and synced passkeys (synced securely across the user’s devices).

Organizations are prioritizing passkey rollouts to users with access to sensitive data and applications, including the three most commonly cited priority groups: Those requiring access to IP (39%), users with admin accounts (39%), and users at the executive level (34%). Organizations leverage communication, training, and documentation within these deployments to increase adoption.

Passkey deployments are linked to significant security and business benefits. Respondents report moderate to strong positive impacts on user experience (82%), security (90%), help center call reduction (77%), productivity (73%), and digital transformation goals (83%).

Groups that do not have active passkey projects cite complexity (43%), costs (33%), and lack of clarity (29%) about implementation as reasons. This signals a need for increased education for enterprises on rollout strategies to reduce concerns, as there is a correlation between these perceived challenges and the proven benefits of passkeys.

In this episode, Jenna Barron interviews Andrew Shikiar, CEO and executive director of FIDO Alliance. They discuss the state of passkey adoption in the industry today and how organizations can prepare for adopting them.

Key talking points include:

Why passkeys are more secure than passwords How widespread their adoption is  Ways organizations can prepare for broader passkey adoption

Visit Passkey Central for more resources on passkeys: https://www.passkeycentral.org/home 

Submitted by: Joni Brennan, President

List of recommendations

Recommendation 1: That the government prioritize digital trust in four areas critical to Canada’s leadership and the privacy, security and protection of our people and industries, including:

Digital Trust in Small and Medium Sized Businesses (SMBs) and E-Commerce; Digital Trust in Finance and Regulatory; Digital Trust in Public Sector Modernization and Citizen Services; and Digital Trust in Public Safety.

Recommendation 2: That the government recognize the necessity of embracing and prioritizing verification and authentication tools as part of its AI strategy.

Recommendation 3: That the government allocate the funding needed to support the adoption of digital trust tools to the benefit of government, businesses, and citizens alike.

Introduction

In today’s geopolitical and economic climate, Canada needs to urgently act to maximize economic security, growth and productivity — all of which depend on a foundation of trust. In an era where digital transactions drive commerce, investment, and public services, ensuring the authenticity of identities, data, and financial interactions is essential for stability and long-term success.

Without secure and privacy-respecting verification, businesses face higher fraud risks, increased compliance costs, and reduced consumer confidence. Investors and trading partners demand transparent, verifiable transactions and economic resilience, which depend on our ability to safeguard financial systems, facilitate secure trade, and unlock the full potential of AI-driven innovation. Strong verification systems are also key to removing barriers to interprovincial and international trade, ensuring Canadian businesses can compete in global markets with trusted credentials.

Yet, new threats to economic stability are emerging at an unprecedented pace. The spread of misinformation, AI-generated fraud, and identity theft undermines business operations, weakens consumer confidence, and creates vulnerabilities in financial markets. AI enables the rapid manipulation of information and identities, making it more difficult for organizations to verify legitimacy and protect against fraud.

Without urgent action, these challenges will erode trust, slow economic growth, disrupt financial systems, and weaken Canada’s competitive position. Labour mobility is also at risk—without trusted digital credentials, skilled professionals such as doctors, engineers, and tradespeople face delays in moving where needed most, affecting both businesses and public services.

Canada can drive economic security, labour mobility and digital trust by strengthening identity verification, authentication, and fraud prevention measures. By prioritizing trust as a national asset, we can enhance economic competitiveness, attract investment, and build a future where innovation thrives in a secure and resilient digital environment.

About DIACC

The Digital Identification and Authentication Council of Canada (DIACC) was created following the federal government’s Task Force for the Payments System Review, with a goal to bring together public and private sector partners in developing a safe and secure digital ecosystem.

DIACC is committed to accelerating digital trust adoption and reducing information authenticity uncertainty by certifying services against its Pan-Canadian Trust Framework — a risk mitigation and assurance framework developed collaboratively by public and private sector experts that signals trustworthy design rooted in security, privacy, inclusivity, accessibility, and accountability.

Recommendations

Against this backdrop, DIACC offers three recommendations for the federal government:

Recommendation 1: That the government prioritize digital trust in four areas critical to Canada’s leadership and the privacy, security and protection of our people and industries, including:

Digital Trust in Small and Medium Sized Businesses (SMBs) and E-Commerce; Digital Trust in Finance and Regulatory; Digital Trust in Public Sector Modernization and Citizen Services; and Digital Trust in Public Safety.

Digital Trust in Small and Medium Sized Businesses (SMBs) and E-Commerce

Canada’s e-commerce sector is growing faster than ever due to emerging technology and changing customer habits. While this creates significant opportunities, it also presents challenges for small and medium businesses (SMBs), their partners, and customers. With a significant amount of business happening online, SMBs must navigate a growing competitive landscape of online security risks and earn customer trust to help unlock interprovincial and international growth opportunities. By prioritizing digital trust, Canada can foster a robust e-commerce environment that empowers SMBs, enhances consumer confidence, and boosts economic growth. Interoperable frameworks such as the DIACC Pan-Canadian Trust Framework (PCTF) foster digital trust by protecting personal electronic information as it travels across an organization, ensuring that e-commerce systems remain secure, adaptable, and trusted.

By prioritizing digital trust and implementing authentication and verification tools, the government can help drive the following benefits:

enhanced customer trust and loyalty; streamlined business processes by automating identity verification and reducing the need for manual checks; faster, more efficient operations and reduced administrative costs, allowing businesses to allocate resources more effectively; data minimization and the secure handling of personal information, increasing customer confidence; a competitive advantage for Canada’s SMBs by helping them innovate and offer their customers new, secure digital services; and a reduction in incidents of fraud, resulting in significant cost savings for businesses. These savings can be reinvested into other business areas, driving growth and innovation and improving overall business performance.

Digital Trust in Finance and Regulatory

The finance and regulatory sector is undergoing rapid digital transformation. While the industry pioneers new technology and moves away from conventional platforms, it faces rising fraud, privacy breaches, and growing consumer skepticism fueled by misinformation, disinformation, and challenges verifying information in an AI-driven world. As a result, the government is encouraged to build on the existing regulatory framework and develop new regulations to facilitate secure digital transactions, including compliance with anti-money laundering (AML) and know-your-customer (KYC) regulations.

Further, digital trust and verification services will be critical as the government moves forward with its commitments to open-banking, with interoperability also being paramount as the federal framework and existing provincial frameworks work together. Similarly, the government has committed to reducing incidents of mortgage fraud and strengthening proof of borrower and title insurance, and digital trust and verification services can and should play a critical role in making that commitment a reality.

By prioritizing digital trust, Canada can secure its financial systems and enhance competitiveness in the global economy. Interoperable frameworks like the DIACC Pan-Canadian Trust Framework (PCTF) ensure systems remain resilient, adaptable, and trusted.

Digital Trust in Public Sector Modernization and Citizen Services

Public services are undergoing rapid digital transformation, adopting new technologies to improve efficiency and accessibility. At the same time, they face significant challenges and barriers including data security risks, privacy concerns, and public skepticism fueled by misinformation.

As public services continue to move online, digital trust and verification services will be critical for ensuring that services are secure and accessible. From online healthcare consultations to digital government services, these technologies provide the necessary security infrastructure to protect public interactions and data.

By implementing digital trust solutions, the federal government will be able to provide secure, user-friendly online access to services; streamline identity verification for faster service delivery; facilitate seamless data sharing between agencies; reduce administrative burdens and operational costs; and improve service delivery times and citizen satisfaction.

Digital Trust in Public Safety

The public safety sector is undergoing rapid digital transformation, embracing new technologies to enhance emergency response, law enforcement, and disaster management. However, this shift also brings challenges such as data security risks, privacy concerns, and the need for reliable information verification in critical situations.

Implementing robust digital trust solutions can significantly improve emergency response by enabling secure, real-time data sharing between agencies; verifying the authenticity of emergency communications; and facilitating rapid and accurate identification of individuals in crisis situations.

Public safety agencies are encouraged to leverage technologies such as AI and blockchain to enhance their digital trust capabilities and improve emergency response. AI can be used for real-time data analysis and decision-making, while blockchain can ensure the integrity and immutability of critical information.

DIACC encourages collaboration between public safety agencies, technology providers, and other stakeholders to develop standardized digital trust practices, and interoperable frameworks like the DIACC Pan-Canadian Trust Framework (PCTF) ensure that public safety systems remain secure, adaptable, and trusted.

Together we can create a public safety ecosystem that leverages digital trust to protect citizens, respects privacy, and solidifies Canada’s position as a secure and effective emergency management leader.

Recommendation 2: That the government recognize the necessity of embracing and prioritizing verification and authentication tools as part of its AI strategy.

In today’s world, where AI is becoming smarter every day, and information can be generated and manipulated at unprecedented speed and scale, ensuring the accuracy and trustworthiness of information is critical. It is vital to maximize the benefits of an AI and Artificial General Intelligence (AGI)-fueled data ecosystem for Canada while also fostering citizen trust and protecting their safety.

To effectively address the challenges we’re facing while realizing the benefits of AI, the federal government should prioritize verification and authentication tools as part of its broader AI strategy. Prioritization must include funding, collaboration, and urgent action to support the development, adoption and certification of tools that verify information authenticity while protecting privacy and empowering Canadians. Governments, banks, telcos, tech companies, media organizations, and civil society must work together to deploy open, standards-based solutions and services to verify the authenticity of information.

The economic imperative of investing in these capabilities is clear. According to a study by Deloitte, the Canadian economy could unlock an additional 7 per cent (CAD $7 trillion) in economic value through AI and AGI technologies. People and organizations can only realize this potential for the good of society by investing in tools, processes, and policies that support verifying the authenticity of the information generated and processed by AI and AGI technologies.

Recommendation 3: That the government allocate the funding needed to support the adoption of digital trust tools to the benefit of government, businesses, and citizens alike.

Today, solutions can signal verified trust by getting certified against a technology-neutral risk and assurance framework like DIACC’s Pan-Canadian Trust Framework, developed collaboratively by public and private sector experts.

Verifiable information authenticity relies on critical principles, including provenance and traceability: provenance establishes the origin and history of information, ensuring it comes from a reliable source, while traceability allows for audibility of the flow of information, enabling people, businesses, and governments to verify its accuracy and authenticity. These principles are essential in combating the spread of misinformation and disinformation, which can have far-reaching consequences in an AI-fueled world.

Provenance and traceability are potent information authenticity tools that can help:

businesses and professionals reduce liabilities and meet obligations to verify information about their clients and their operations; citizens and residents interact securely and efficiently with governments; customers and clients transact with privacy and security anywhere, anytime; industries manage decision-making and securely supply chains using trusted data; producers verify essential data related to environmental, safety, and operational goals and creators track intellectual property to ensure fair payment and cultural protection.

Conclusion

A proactive approach—rooted in collaboration between government, industry, and technology leaders—will ensure that Canada remains a trusted hub for global trade, seamless labour mobility, and secure financial transactions. We can unlock new economic opportunities, strengthen international partnerships, and fuel long-term prosperity by enabling frictionless and verifiable trade, business, and employment interactions.

Thank you once again for the opportunity to provide our input in advance of Budget 2025 and as we collectively move forward on the path to a digitally and economically prosperous Canada.

Fime has achieved full  FIDO Alliance Identity Verification (IDV) Certification Program accreditation across multiple regions. Both the Fime EMEA and Fime Taiwan testing laboratories can now support identity verification vendors in certifying their Document Authenticity and Face Verification solutions, helping combat fraud while enhancing the user experience.

With over 70 billion digital identity verification checks conducted in 2024, a reported 52% of people are still concerned about deepfakes and AI-driven fraud. To address this, FIDO introduced the IDV Program, providing a standardized accreditation that ensures remote digital identity verification solutions are secure, reliable, and fraud resistant. 

The apparel industry is working to be more sustainable, but verifying those claims is complicated. With over 70 certifications and no standardized way to share data, brands and retailers struggle to track sustainability efforts efficiently.

In this episode, Amy Reiter, Senior Director of Customer Success for the Apparel and General Merchandise Initiative at GS1 US, joins hosts Reid Jackson and Liz Sertl for a conversation on the challenges of sustainability certifications in apparel. Many companies still rely on PDFs and spreadsheets to verify organic cotton claims and responsible manufacturing. GS1 US is working to change that by improving data-sharing processes and exploring how GTINs (Global Trade Item Numbers) can streamline certification tracking.

Tune in to learn how the industry is tackling sustainability verification and what it means for brands, retailers, and consumers alike.

 

In this episode, you’ll learn:

Why GTINs are critical for accurate sustainability claims

How brands and retailers can replace inefficient certification tracking

The growing role of machine-readable data in product transparency

 

Jump into the conversation:

(00:00) Sustainability Journey at GS1 US

(03:16) Streamlining Textile Certification Data

(06:51) GTIN Certification Process Overview

(10:22) Gen Z Drives Eco-Label Awareness

(13:04) Seamless Machine-Readable Data Sharing

(18:28) Sustainability Practices in Business

 

Connect with GS1 US:

Our website - www.gs1us.org

GS1 US on LinkedIn

 

Connect with the guest:

Amy Reiter on LinkedIn

Current Landscape

Canada’s e-commerce sector is growing faster than ever due to emerging technology and changing customer habits. While this creates significant opportunities, it also presents challenges for small and medium businesses (SMBs), their partners, and customers. With significant business happening online, SMBs must navigate a growing competitive landscape of online security risks and earn customer trust to help unlock interprovincial and international growth opportunities.

When DIACC was established in 2012, its mission was to create a secure digital ecosystem. Today, this goal has become even more critical for the e-commerce sector, particularly for SMBs striving to scale up and remain competitive in a global market.

Digital trust, which empowers individuals, governments, and businesses with secure and transparent ways to engage online confidently, has become critical for businesses that want to assure customers that their interactions and personal data are secure.

By prioritizing digital trust, Canada can foster a robust e-commerce environment that empowers SMBs, enhances consumer confidence, and boosts economic growth. Interoperable frameworks such as the DIACC Pan-Canadian Trust Framework™ (PCTF) foster digital trust by protecting personal electronic information as it travels across an organization, ensuring that e-commerce systems remain secure, adaptable, and trusted.

Advancing Digital Trust to Fuel E-Commerce Growth and Empower SMBs 1. Strengthening SMB Competitiveness and Growth

Implementing robust digital trust solutions is crucial for SMBs to compete in e-commerce. By adopting these technologies, SMBs can:

Enhance customer trust and loyalty Reduce fraud-related losses Streamline operations and reduce costs Expand into new markets more confidently 2. Enhancing Trust Through the DIACC PCTF

DIACC encourages e-commerce businesses to adopt the PCTF as a tool to:

Implement secure and efficient customer onboarding processes Authenticate identities to reduce fraud in online transactions Improve supply chain management through verified digital credentials 3. Fostering Consumer Confidence

To address consumer skepticism and promote trust in e-commerce platforms, we recommend:

Implementing clear, user-friendly privacy policies Adopting visible trust signals, such as PCTF certification badges Providing transparent data handling practices 4. Enabling Seamless Cross-Border Transactions

Digital trust frameworks can help SMBs expand into other Canadian provinces and internationally by:

Facilitating secure cross-border identity verification Ensuring compliance with various regional regulations Building trust with customers and partners across Canada and internationally 5. Leveraging Digital Trust for Innovation

SMBs can use digital trust solutions to:

Implement personalized shopping experiences that are secure and privacy-respecting Develop trusted AI-powered customer service tools Create innovative loyalty programs based on verified identity information Best Practices and the Way Forward 1. Adopt Existing and Emerging Technologies

SMBs should leverage existing and emerging digital trust solutions that align with the PCTF. PCTF certification fosters verified trust across smart devices, digital credentials, wallets, and information-sharing networks. It will enhance their capabilities and ensure their competitiveness.

2. Collaborate for Standardization

DIACC encourages collaboration between SMBs, larger enterprises, and regulators to establish standardized digital trust practices in e-commerce.

3. Educate and Empower

DIACC is committed to educating SMBs and consumers about digital trust through:

Hosting sector-specific workshops and certifications to promote best practices in digital trust Real-world case studies demonstrating the benefits of digital trust in e-commerce Advocacy for regulations that support SMBs in implementing digital trust solutions Conclusion

The e-commerce sector, particularly SMBs, urgently needs robust digital trust solutions to thrive in the digital economy. By adopting frameworks like the PCTF, SMBs can enhance their competitiveness, build consumer trust, and drive innovation.

Together, we can create an e-commerce ecosystem that empowers SMBs, protects consumers, and solidifies Canada’s position as a leader in the global digital marketplace.

Download available here.

DIACC-Position-Digital-Trust-to-Fuel-E-Commerce-Growth-and-Empower-SMBs-ENG

Major technology companies Microsoft, Google, and Apple are driving widespread adoption of passkeys as an alternative to traditional passwords, leveraging biometric authentication methods like facial recognition and fingerprint scanning for enhanced security and user convenience. The initiative builds on the FIDO Alliance standards that these companies have been developing since 2019.

The initiative, which began with a joint announcement by the three tech giants in 2022, has now reached full implementation across all major platforms. Users can access passkey functionality through their devices’ built-in biometric systems, enabling seamless authentication across various services and applications. Microsoft has recently announced plans to implement passkeys for over one billion users in response to a 200 percent increase in cyberattacks.

 FIDO as the Future of Authentication: Traditional password-based systems are vulnerable to phishing, credential stuffing, and other cyberattacks. FIDO (Fast Identity Online) uses public key cryptography to deliver phishing-resistant, passwordless authentication. Implementation Roadmap: Organizations should assess current authentication methods, educate stakeholders, select FIDO-compatible solutions, and roll out the technology gradually to maximize security and user adoption. Security Meets Usability: FIDO enhances security and simplifies the user experience with biometrics, hardware tokens, and multi-device passkeys, offering both protection and convenience.

Do you think your trusty 8-character password is safe? In the age of AI, that might be wishful thinking. Recent advances in artificial intelligence are giving hackers superpowers to crack and steal account credentials. Researchers have demonstrated that AI can accurately guess passwords just by listening to your keystrokes. By analyzing the sound of typing over Zoom, the system achieved over 90% accuracy in some cases.

And AI-driven password cracking tools can run millions of guess attempts lightning-fast, often defeating weak passwords in minutes. It is no surprise, then, that stolen or weak passwords contribute to about 80% of breaches​.

The old password model has outlived its usefulness. As cyber threats get smarter, it is time for consumers to do the same.

Google has announced plans to phase out SMS-based authentication for Gmail accounts in favor of more secure methods like QR code verification and passkeys. The change follows similar moves by other tech giants like Microsoft and Apple to strengthen authentication methods as part of the company’s broader security enhancement initiatives.

A new report from the FIDO Alliance aims to understand the state of passkey deployments by enterprises in the U.S. and UK, including methods for deploying FIDO passkeys, total employees enrolled and perceived barriers to deployment.

Based on a survey of 400 IT professionals (200 from each country), the report says passkey adoption for employee sign-ins is a high or critical priority for two thirds of respondents, and that the majority of enterprises have “either deployed or are in the midst of deploying passkeys with goals tied to improved user experience, enhanced security and standards/regulatory compliance.”

The FIDO Alliance along with underwriters Axiad, HID, and Thales today released its State of Passkey Deployment in the Enterprise report, finding that 87% of surveyed companies have, or are in the midst of, rolling out passkeys with goals tied to improved user experience, enhanced security, and compliance.

By Omar Santos, Distinguished Engineer, Cisco

On March 25, 2025, the EU Cyber Acts Conference in Brussels will bring together cybersecurity professionals, policy-makers, and industry leaders to discuss one of the most pressing challenges of our time—securing artificial intelligence. Several members of the Coalition for Secure AI (CoSAI) will be participating and presenting at the conference. A key highlight of the conference is the “AI Cyber Day” track, which zeroes in on the global evolution of cybersecurity certification frameworks tailored for AI systems.

Securing AI Applications and Agentic Systems

I’m truly honored to be among such a distinguished lineup of speakers, presenting “Securing AI: Navigating Security Challenges in Modern AI Implementations.” I am excited to share insights on the evolving threats and best practices for securing AI systems! In this session, we will unpack the layered security considerations inherent to today’s AI implementations. Attendees will be guided through the best practices surrounding AI operations (AI Ops), model development, fine-tuning, and deployment of AI applications. Emphasis will be placed on well-known techniques such as Retrieval Augmented Generation (RAG) and how to secure innovative agentic systems (methods that represent the forefront of modern AI security strategies).

The session also introduces the Coalition for Secure AI (CoSAI), an open project that is bringing experts from industry-leading organizations dedicated to sharing best practices for secure AI.  

CoSAI’s focus is to better equip the community to fortify the AI supply chain, equip defenders for emerging threats, secure agentic AI systems, and promote robust security risk governance frameworks. As the digital ecosystem evolves, CoSAI will help organizations of all sizes to secure their AI implementations.

Both the EU and the US are spearheading efforts to create harmonized regulatory frameworks that set common frameworks, methodologies, and promote innovation. There is a common realization that we all need to have a balance that doesn’t hinder innovation. During AI Cyber Day, experts will discuss:

The current state of regulatory development in both regions. Future outlooks for AI security regulation. Best practices for robust risk management and promoting innovation. Collaborative Panel Discussion: Charting the Future of AI Security

Complementing the technical presentations, the conference will feature a panel discussion titled “Collaborative Efforts to Secure AI and AI Applications and Services.” In this session, my colleague Piotr Ciepiela, from EY, will highlight the role of CoSAI in advancing secure AI practices.

This session will bring together influential voices from governments, industry, and academia to share insights on building a safer AI ecosystem. The discussion will focus on:

Developing and sharing best practices and tools for secure AI deployment. Collaborative strategies to navigate the challenges of securing AI applications. The role of CoSAI in uniting diverse stakeholders under a common mission of enhanced AI security.

The panel includes a distinguished lineup of speakers:

(Moderator) Matthias Intemann, Head of Digitisation, Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany Franziska Weindauer, CEO of TÜV AI.Lab, TÜV-Verband, Germany Piotr Ciepiela, Partner and EMEIA Cybersecurity Leader at EY, Poland Ezi Ozoani, Representative to GPAI Code of Practice at Applied AI Institute for Europe GmbH, Ireland           . Looking Forward to the Discussion

The spotlight on AI security is more intense than ever. With evolving threats and rapid technological advancements, the EU Cyber Acts Conference offers invaluable insights for anyone involved in the AI space.

Whether you’re an industry veteran, a policymaker, or simply curious about the future of AI, these presentations are set to provide great insights to what’s new in AI and cybersecurity. Mark your calendars for March 25-26, 2025, and join the conversation on securing the future of AI.

Additional Exciting News

CoSAI is part of the OASIS Open ecosystem where many other related technical initiatives are happening. A new one worth noting is the Data Provenance Standards (DPS) Technical Committee which links to a shared focus on ensuring trust and security of AI systems, as well as great business outcomes. DPS will develop a standardized metadata framework for tracking data origins, transformations, and compliance, helping organizations establish clearer governance practices. Visit the OASIS Open website to learn more about this new initiative and others.

The post EU Cyber Acts Conference 2025: A Deep Dive into Securing AI appeared first on OASIS Open.

Public review -- ends March 23

OASIS and the Energy Interoperability TC are pleased to announce that Energy Interoperation Common Transactive Services (CTS) Version 1.0 CSD05 is now available for public review and comment. 

Common Transactive Services (CTS) permits energy consumers and producers to interact through energy markets by simplifying actor interaction with any market. CTS is a streamlined and simplified profile of the OASIS Energy Interoperation (EI) specification, which describes an information and communication model to coordinate the exchange of energy between any two Parties that consume or supply energy, such as energy suppliers and customers, markets and service providers.

The TC is specifically requesting comments on the following sections:

Section 2.4 (Responses)  Section 9 (Negotiation Facet)  Section 13 (Market Structure and Reference Data) Section 14 (Conformance)

Energy Interoperation Common Transactive Services (CTS) Version 1.0
Committee Specification Draft 05
17 February 2025

Editable Source: PDF: https://docs.oasis-open.org/energyinterop/ei-cts/v1.0/csd05/ei-cts-v1.0-csd05.pd (Authoritative) 

HTML: https://docs.oasis-open.org/energyinterop/ei-cts/v1.0/csd05/ei-cts-v1.0-csd05.html

DOCX: https://docs.oasis-open.org/energyinterop/ei-cts/v1.0/csd05/ei-cts-v1.0-csd05.docx

For your convenience, OASIS provides a complete package of the specification document and any related files in a ZIP distribution file. You can download the ZIP file at:  

https://docs.oasis-open.org/energyinterop/ei-cts/v1.0/csd05/ei-cts-v1.0-csd05.zip

How to Provide Feedback

OASIS and the Energy Interoperability TC value your feedback. We solicit input from developers, users and others, whether OASIS members or not, for the sake of improving the interoperability and quality of its technical work.

The public review is now open and ends March 23, 2024 at 23:59 UTC.

Comments from TC members should be sent directly to the TC’s mailing list. Comments may be submitted to the project by any other person through the use of the project’s Comment Facility: https://groups.oasis-open.org/communities/community-home?CommunityKey=70a647c6-d0e6-434c-8b30-018dce25fd35

Comments submitted for this work by non-members are publicly archived and can be viewed by using the link above and clicking the “Discussions” tab.

Please note, you must log in or create a free account to see the material. Please contact the TC Administrator (tc-admin@oasis-open.org) if you have any questions regarding how to submit a comment.

All comments submitted to OASIS are subject to the OASIS Feedback License, which ensures that the feedback you provide carries the same obligations at least as the obligations of the TC members. In connection with this public review, we call your attention to the OASIS IPR Policy [1] applicable especially [2] to the work of this technical committee. All members of the TC should be familiar with this document, which may create obligations regarding the disclosure and availability of a member’s patent, copyright, trademark and license rights that read on an approved OASIS specification. 

OASIS invites any persons who know of any such claims to disclose these if they may be essential to the implementation of the above specification, so that notice of them may be posted to the notice page for this TC’s work.

Additional information about the specification and the Energy Interoperability TC’s can be found at the TC’s public home page: https://www.oasis-open.org/committees/energyinterop/

Additional references:

[1] https://www.oasis-open.org/policies-guidelines/ipr/

[2] https://www.oasis-open.org/committees/energyinterop/ipr.php

The post Invitation to comment on Energy Interoperation Common Transactive Services (CTS) v1.0 CSD05 appeared first on OASIS Open.

Today, artificial intelligence (AI) is rapidly reshaping the Internet, driving a historic transformation in how we engage, work, and communicate online.

However, the rise of generative AI has also led to an explosion of deepfakes, hallucinating language models, and the rapid creation of untrustworthy content — threatening the foundation of authentic communication and learning. AI-generated content now dominates the internet, making it increasingly difficult to distinguish reality from fabrication.

While AI unlocks significant advancements, it also introduces equally substantial risks, from intellectual property infringements to illegal content, such as child sexual abuse materials.

It is for this reason, we founded umanitek.

At umanitek, our mission is to fight against harmful content and the risks of AI by promoting technology that serves the greater good of humanity.

Our founders, Trace Labs, Ethical Capital Partners and AMYP Ventures AG (part of a Piëch/Porsche Family Office) bring together their capabilities in building reliable and trusted AI systems, their connection to networks that fight for the removal of internet harm, and their ability to raise awareness of the importance of knowledge and education in the age of AI.

But this is too big of a challenge to go at it alone. Recognizing the magnitude of this issue, we actively seek partnerships with institutions and individuals dedicated to ethical AI development. We want to partner with investors who are focused on “tech for good” solutions where societal impact is of equal importance to commercial success and to work with tech leaders, policymakers, and law enforcement to make internet safety the standard in the age of AI.

Balancing innovation with responsibility in the age of AI.

Our vision is to leverage umanitek’s technology to enable corporations and individuals to control their data, technology, and resources without compromising security, privacy, or intellectual property.

Here’s but one quick example of how umanitek will work.

Far too many people are concerned about the non-consensual sharing of their personal images or those of their children. Umanitek will enable companies, law enforcement, NGOs, and individuals to upload “fingerprints” of personal photos to a decentralized directory. This system will help large technology platforms identify and prevent the distribution of such content.

In the potential next step, it also significantly streamlines the prosecution of offenders by collaborating with law enforcement while reducing the cost and complexity of legal action related to copyright infringements.

When organizations and individuals can choose what to share and how to share it in a secure and verifiable way, all internet users benefit. Protecting legitimate content and preventing large language models from training on non-consensual data are integral to harm reduction online. We believe this is an important step to making internet safety the standard in the age of AI, reducing harmful content, and enabling trusted AI solutions.

Fighting the good fight.

“We invested in OriginTrail to drive transparency and trust for real-world assets. Now, we’ve co-founded umanitek to combat harmful content, IP infringements, and fake news — leveraging OriginTrail technology across internet platforms.”

— Chris Rynning, AMYP Ventures AG (part of a Piëch/Porsche Family Office)

An unprecedented alliance for ethical AI.

Umanitek stands out by combining the expertise of three leaders in their fields:

Trace Labs (core developers of OriginTrail) — The pioneers of neuro-symbolic AI, building trusted and verifiable AI systems. They are the developers behind the OriginTrail Decentralized Knowledge Graph (DKG), a technology that enhances trust in AI, supply chains, and global data ecosystems.

Ethical Capital Partners (ECP) — A private equity firm seeking out investment and advisory opportunities in industries that require principled ethical leadership. Founded in 2022 by a multi-disciplinary team with legal, regulatory, law enforcement, public engagement, and finance experience, ECP’s philosophy is rooted in identifying companies amenable to a responsible investment approach and working collaboratively with management teams in order to develop strategies to create value and drive growth.

AMYP Ventures AG (part of a Piëch/Porsche Family Office) — A venture capital group backing game-changing AI and Web3 initiatives with the potential for global impact.

This is a collaboration that combines the knowledge of AI, cutting-edge research, and technology with ethical investment strategies to create the standard for internet safety in the age of AI — an AI solution that will serve humanity.

Subscribe for updates at umanitek.ai to stay in touch and be among the first to learn about cofounders, contributors, and partners of umanitek, as well as reserve a spot to test-drive umanitek’s products at their release.

Web | Twitter | LinkedIn

UMANITEK: Setting the standard for internet safety was originally published in OriginTrail on Medium, where people are continuing the conversation by highlighting and responding to this story.

Cisco, IBM, Intel, Microsoft, Red Hat, and Others Unite to Promote Cross-Industry Standards for Traditional Data and AI Applications

Boston, MA, and New York, NY, USA; 6 March 2025 – OASIS Open, a global open source and standards organization, and the Data & Trust Alliance, a consortium dedicated to developing data and AI practices that create business value and earn trust, announced the upcoming launch of the OASIS Data Provenance Standards Technical Committee (DPS TC). Building on version 1.0.0 of the Data Provenance Standards created by the Data & Trust Alliance’s cross-industry Working Group, the TC will bring more enterprises to the table to create de jure technical standards that aim to advance data transparency, accountability, and trust. Founding sponsors include Cisco, IBM, Intel, Microsoft, and Red Hat. 

“The Data & Trust Alliance has done exceptional work in developing the Data Provenance Standards, and OASIS is privileged to partner with them to expand the community actively developing and implementing these standards,” said Jim Cabral, Interim Executive Director of OASIS Open. “By advancing these standards in our open, consensus-driven environment, we ensure their continued evolution, interoperability, and adaptability to meet evolving industry demands.”

With AI and data-driven decision-making now central to business operations, organizations require robust mechanisms to verify data lineage, transformations, and compliance. The DPS TC will develop a standardized metadata framework for tracking data origins, transformations, and compliance, helping businesses establish clearer governance practices. The TC will also define metadata models that span databases, tables, and data pipelines to ensure interoperability and reliability across different platforms. 

“For AI to create value for business and society, the data that trains and feeds models must be trustworthy. Launching the Data Provenance Standard Technical Committee marks a milestone in fostering greater transparency and trust of AI-driven data,” said Saira Jesani, Executive Director, Data & Trust Alliance. “We look forward to bringing the TC’s expertise to bear to not only refine these standards but also bridge the gap between standards and implementation, as we drive towards industry-wide adoption.” 

The standards will enable data producers to deliver clear and consistent data lineage information; support companies in managing compliance and mitigating risks associated with data privacy, security, and intellectual property rights; provide data acquirers with transparency around the data they aim to acquire and a mechanism to determine whether to trust and use the data on offer, request changes to the data set, or reject its use; and help end-users by providing transparency into how their data is managed and protected, fostering trust in data-driven solutions. 

The DPS TC’s first meeting will be held on 8 April 2025. Participation in the DPS TC is open to all through membership in OASIS. Organizations, industry leaders, and experts are encouraged to join and actively contribute to these data provenance standards that will shape the future of transparent and trusted data governance. For more information, please visit the DPC TC’s homepage.

About OASIS Open
One of the most respected, nonprofit open source and open standards bodies in the world, OASIS advances the fair, transparent development of open source software and standards through the power of global collaboration and community. OASIS is the home for worldwide standards in AI, emergency management, identity, IoT, cybersecurity, blockchain, privacy, cryptography, cloud computing, urban mobility, and other content technologies. Many OASIS standards go on to be ratified by de jure bodies and referenced in international policies and government procurement. 

About Data & Trust Alliance
The Data & Trust Alliance was founded as a not-for-profit consortium to bring together leading businesses and institutions across multiple industries to learn, develop, and adopt responsible data and AI practices. Data & Trust Alliance member companies span 15 industries, operate in more than 175 countries, and generate more than $1.6 trillion in annual revenues.

Media Inquiries:
OASIS Open: communications@oasis-open.org
Data & Trust Alliance: inquiries@dataandtrustalliance.org

Additional Information:
DPS TC Project Charter

Support for the Data Provenance Standards Technical Committee:  

Cisco: 

“I applaud the OASIS community for its forward-thinking creation of the Data Provenance Standards TC. By creating standardized descriptors at the point of data creation, we are forging a path that empowers organizations to safeguard data integrity, security, and privacy throughout its entire lifecycle. This is essential for both AI-driven and traditional applications. These standards will not only enhance transparency and accountability, but also lay the foundation for robust, cross-industry data governance.” 

–Omar Santos, Distinguished Engineer at Cisco, OASIS Board Member

IBM:

“IBM is proud to build on its partnership with the Data & Trust Alliance to become a founding member of the OASIS Data Provenance Standards Technical Committee. As a contributor to the Data & Trust Alliance’s Data Provenance Standards, we are pleased that the DPS TC will evolve the critical work of advancing data transparency started by the Data & Trust Alliance. We look forward to helping organizations accelerate the business impact of AI through trust in our work with the DPS TC.”

–Christina Montgomery, Vice President and Chief Privacy & Trust Officer, IBM

Microsoft:

“Security and Trust remain at the top of mind while Microsoft executes its mission of empowerment. We promote and demand this ethos while developing operationally efficient and trustworthy AI systems. To do this successfully, we believe that full transparency into the data used including where it comes from, how it’s created, and whether it can be used legally is of extreme importance. As a founding member of the Data Provenance Standard Technical Committee (DPS TC), Microsoft will partner with similarly committed organizations towards creating industry standards for ensuring that AI systems are built with transparency, accountability, and trust through establishing data provenance standards as a foundation for improved data governance. Through membership and partnership in the DPS TC, Microsoft continues its commitment to empower every person and every organization on the planet to do more…securely.” 

–Raghu Ramakrishnan, CTO for DATA, Technical Fellow, R&D Azure Data, Microsoft

Red Hat:  

“Red Hat is proud to join the OASIS Data Provenance Standard Technical Committee. With AI rapidly evolving, it’s crucial we address the provenance challenge, together as a community, to help maintain data integrity and user trust. Red Hat is eager to collaborate on keeping security and compliance measures at the forefront of AI development, and we look forward to how this initiative will help unify our efforts toward an open and trusted AI ecosystem.”

–Vincent Danen, VP, Product Security, Red Hat

The post OASIS to Advance Global Adoption of Data & Trust Alliance’s Data Provenance Standards appeared first on OASIS Open.

March 2025

DIF Website | DIF Mailing Lists | Meeting Recording Archive

Table of contents Decentralized Identity Foundation News; 2. Working Group Updates; 3 Special Interest Group Updates; 4 User Group Updates; 5. Announcements; 6. Community Events; 7. DIF Member Spotlights; 8. Get involved! Join DIF 🚀 Decentralized Identity Foundation News Creator Assertions Working Group Joins DIF

DIF welcomes the Creator Assertions Working Group (CAWG) as its newest working group! CAWG builds upon C2PA's work by defining additional assertions allowing content creators to express intent about their content and bind their online identity to what they produce. This collaboration with ToIP will be chaired by Eric Scouten from Adobe, with meetings beginning March 10.

To participate, join DIF!

Welcoming Creator Assertions Working Group to DIF DIF is excited to welcome the Creator Assertions Working Group (CAWG) as a new working group of DIF. About CAWG CAWG builds upon the work of the Coalition for Content Provenance and Authenticity (C2PA) by defining additional assertions that allow content creators to express individual and organizational intent about their Decentralized Identity Foundation - BlogWorking Groups DIDComm User Group Expands!

The DIDComm User Group offers developers an open forum to learn about and implement DIDComm protocol. Colton Wolkins highlights three compelling reasons to join:

Seeing real-world demonstrations from implementers Getting help with technical challenges Learning about DIDComm adoption across industries and regions.

The group meets regularly to accommodate global participants.

3 reasons why you should join the DIDComm User Group Meeting Guest Blog By Colton Wolkins The DIDComm User Group Meeting is open to anyone interested in using and implementing DIDComm. This is a great place for developers to learn, ask questions, and share experiences! DIDComm (Decentralized Identity Communication) is rapidly becoming a fundamental protocol for secure, private, and interoperable messaging Decentralized Identity Foundation - BlogWorking Groups Cryptographic Pseudonyms: A Short History

Following IETF/IRTF's adoption of BBS Blind Signatures and BBS per-Verifier Linkability specifications, this comprehensive piece by Greg Bernstein, Dave Longley, Manu Sporny, and Kim Hamilton Duffy explores the evolution of cryptographic pseudonyms and their privacy features. The article examines how BBS signatures provide protections against credential fraud.

Cryptographic Pseudonyms: A Short History Guest blog by Greg Bernstein, Dave Longley, Manu Sporny, and Kim Hamilton Duffy Following the IETF/IRTF Crypto Forum Research Group’s adoption of the BBS Blind Signatures and BBS per Verifier Linkability (“BBS Pseudonym”) specifications, this blog describes historical context and details of cryptographic pseudonyms, as well as the Decentralized Identity Foundation - BlogWorking Groups DIF Hackathon 2024 Winners Wrap Up

The DIF Hackathon 2024 showcased remarkable innovation across multiple tracks including education and workforce solutions, reusable identity, and privacy-preserving authentication. Standout projects included ZKP implementations, verifiable credentials powering next-gen job boards, seamless hotel check-ins, and digital identity solutions for expats. See the full list of winners and their groundbreaking projects.

🚀 Celebrating Innovation: Winners of the DIF Hackathon 2024 The DIF Hackathon 2024 brought together builders from around the world to tackle some of the biggest challenges in decentralized identity. Across multiple tracks—including education and workforce solutions, reusable identity, and privacy-preserving authentication—participants developed creative applications that redefine how digital identity is used and trusted in the real Decentralized Identity Foundation - BlogLimari Navarrete 🛠️ Working Group Updates DID Methods Working Group

The group discussed categorization of DID methods, blockchain-based DID methods, the need for standardization in web-based methods and decentralized methods for government use cases, and the proposal for a new charter for the W3C Working Group. The group agreed on the need for further refinement and discussion before a vote could be held.

DID Methods meets bi-weekly at 9am PT/ noon ET/ 6pm CET Wednesdays

Identifiers and Discovery Working Group

The Identifiers & Discovery group discussed various work items, including Linked VPs and DID:webvh method, as well as open source code projects like the Universal Resolver. The group also explored the potential of biometric technology to create a private key directly from a person's face without storing any biometric data or involving a server, and considered the possibility of generating DIDs from biometric data.

Identifiers and Discovery meets bi-weekly at 11am PT/ 2pm ET/ 8pm CET Mondays

🪪 Claims & Credentials Working Group

DIF recently hosted a special Credential Schemas workshop focused on privacy-preserving age verification solutions. Led by Otto Mora (Privado ID) and Valerio Camiani (Crossmint), participants explored innovative approaches beyond traditional verification methods, including AI-based age estimation while maintaining strong privacy protections.

DIF Workshop Highlights Progress on Privacy-Preserving Age Verification Standards DIF recently hosted a special session of its Credential Schemas workshop focused on developing privacy-preserving solutions for age verification. Led by Otto Mora, Standards Architect at Privado ID, and Valerio Camiani, Software Engineer at Crossmint, the session explored the growing need for standardized age verification. The workshop addressed the increasing Decentralized Identity Foundation - BlogWorking Groups

Credential Schemas work item meets bi-weekly at 10am PT/ 1pm ET/ 7pm CET Tuesdays

Applied Crypto Working Group

The general Applied Crypto Working Group has finished a draft for a general trust model for ZKP self-attestations, and working through feedback. It's a great time to get involved.

The Crypto BBS+ Work Item group is addressing feedback from the CFRG Crypto Panel review.

BBS+ work item meets weekly at 11am PT/ 2pm ET/ 8pm CET Mondays
Applied Crypto Working Group meets bi-weekly at 7am PT/ 10am ET/ 4pm CET Thursdays

DIF Labs Working Group

The DIF Labs Show and Tell event was held on February 18, featuring three groundbreaking projects from the DIF Labs Beta Cohort. After three months of development and refinement, these projects demonstrated cutting-edge innovation in decentralized identity with real-world applications.

The featured projects included:

Ordinals Plus: Brian Richter presented a framework for implementing verifiable credentials on Bitcoin using Ordinal inscriptions. Linked Claims: Golda Velez, Agnes Koinange, and Phil Long demonstrated their system that combines attestations to build progressive trust. VerAnon: Alex Hache showcased a protocol for anonymous personhood verification using Semaphore and zero-knowledge proofs.

The event provided attendees the opportunity to engage directly with project creators, offer feedback, and network with industry leaders driving the future of identity. As the Beta program concludes, DIF Labs is now preparing for its next cohort and invites builders, startups, and innovators passionate about decentralized identity to get involved.

Read about DIF Labs here

DIF Labs meets on the 3rd Tuesday of the month at 8am PT/ 11am ET/ 5pm CET

DIDComm Working Group

The DIDComm WG is discussing the Trust Spanning Protocol (TSP) and its potential integration with DIDComm to leverage the best of both protocols.

DIDComm Working Group meets the first Monday of each month noon PT/ 3pm ET/ 9pm CET

If you are interested in participating in any of the Working Groups highlighted above, or any of DIF's other Working Groups, please click join DIF.

🌎 DIF Special Interest Group Updates
DIF Hospitality & Travel SIG

The H&T group featured presentations from The Camino Network Foundation, Customer Futures, and Indicio. The group is discussing a Glossary project, as well as formation of a DIF working group for specification development.

Meetings take place weekly on Thursdays at 10am EST. Click here for more details

DIF China SIG

Click here for more details

APAC/ASEAN Discussion Group

The group discussed progress of their healthcare project, the development of a platform for verifying yellow fever vaccination cards, and the introduction of a new system for verifying the legitimacy and identity of businesses and individuals. They discussed the concept of a foundational identity and the importance of government involvement.

This group is seeking more participants in their calls, so please join!

The DIF APAC call takes place Monthly on the 4th Thursday of the month. Please see the DIF calendar for updated timing.

DIF Africa SIG

The DIF Africa SIG discussed DID:UNCONF Africa and plan to aggregate and publish the Book of Proceedings from the DID:UNCONF sessions on the event website.

Meetings take place Monthly on the 3rd Wednesday at 1pm SAST. Click here for more details

DIF Japan SIG

Meetings take place on the last Friday of each month 8am JST. Click here for more details

📖 DIF User Group Updates
DIDComm User Group

There are two meeting series to accommodate different time zones, each taking place every Monday except the first week of the month (which is reserved for DIDComm Working Group). Click here for more details.

Veramo User Group

Meetings take place weekly on Thursdays, alternating between Noon EST / 18.00 CET and 09.00 EST / 15.00 CET. Click here for more details

📢 Announcements at DIF

Conference season is kicking into high gear. Explore our Events calendar to meet the DIF community at leading Decentralized Identity, Identity, and Decentralized Web events.

🗓️ ️DIF Members Dr. Carsten Stöcker Appointed DIF Ambassador

DIF has appointed Dr. Carsten Stöcker, founder and CEO of Spherity GmbH, as DIF Ambassador. Dr. Stöcker brings extensive experience implementing decentralized identity across industrial ecosystems, with expertise in Verifiable Digital Product Passports for regulated industries and bridging European Digital Identity initiatives with Industry 4.0 applications.

Announcing Dr. Carsten Stöcker as DIF Ambassador Announcing Dr. Carsten Stöcker as DIF Ambassador Decentralized Identity Foundation - BlogFoundation

👉Are you a DIF member with news to share? Email us at communication@identity.foundation with details.

🆔 Join DIF!

If you would like to get in touch with us or become a member of the DIF community:

Join DIF: https://identity.foundation/join/ Visit our website to learn more Follow our channels:

Follow us on Twitter/X

Join us on GitHub

Subscribe on YouTube

🔍

Read the DIF blog

New Member Orientations

If you are new to DIF join us for our upcoming new member orientations. Find more information on DIF’s slack or contact us at community@identity.foundation if you need more information.

Our Executive Director, Lisa LeVasseur, gave a presentation at this year’s Global Shield Online Conference on “Measuring Unavoidable Risks in Technology”. The entirety of the presentation can be viewed in the video below:

The post Global Shield Online Conference: Measuring Unavoidable Risks in Technology [VIDEO] appeared first on Internet Safety Labs.

Toronto, March 4, 2025 – DIACC proudly announces that Outlier Solutions Inc. (Outlier Compliance Group) has achieved accreditation as an official auditor. This milestone underscores Outlier’s commitment to enhancing the safety and consistency of Canada’s digital identity ecosystem.

Outlier underwent a thorough evaluation based on ISO 17020 requirements as part of a rigorous accreditation process. This demonstrated its qualifications to conduct comprehensive Pan-Canadian Trust Framework™ (PCTF) audits. This accreditation empowers Outlier to deliver independent and impartial assessments, which are crucial for maintaining the integrity and trustworthiness of digital identity solutions. 

“Independent, high-quality assessments are essential to building a secure and trustworthy digital identity ecosystem,” said Joni Brennan, DIACC President. “Outlier’s accreditation as a DIACC auditor marks an important step toward ensuring that digital identity solutions meet rigorous, transparent standards. Their expertise will help organizations demonstrate compliance while strengthening confidence in the digital economy.”

By providing reliable third-party assessments, Outlier promotes a culture of compliance across the digital space. This reflects its dedication to fostering transparency and creating a robust digital ecosystem. Outlier’s commitment to high-quality, impartial assessments aligns with DIACC’s mission to enhance confidence in digital services while tackling emerging risks associated with fraud and misinformation.

“Outlier Compliance Group is thrilled to become the first Canadian compliance consulting firm accredited as a DIACC auditor. This momentous step aligns with our dedication to providing top-tier compliance-related services and highlights our commitment to upholding the highest standards (as opposed to check-the-box compliance)”, said David Vijan, Co-Founder and CEO of Outlier. “We believe certifications such as the PCTF will shape the future of Canada’s digital identity ecosystem and foster greater trust, protection, innovation, and industry collaboration.” 

For more information about DIACC certification, which enhances trust and security in the digital landscape, please email us at voila@diacc.ca 

About Outlier Compliance Group

Founded in 2013, Outlier is a Canadian-born, boutique compliance consulting firm helping companies in both established and emerging sectors navigate increasingly complex Canadian regulatory requirements.

Outlier core staff members have over ten thousand hours of deep industry experience in heavily regulated industries working as in-house compliance practitioners before moving into the world of consulting.

Outlier believes that good compliance is good business.

About DIACC 

Founded in 2012, DIACC is a non-profit organization that unites public and private sector members to enhance participation in the global digital economy by leveraging digital trust services. By promoting vital design principles and PCTF adoption, DIACC champions privacy, security, and people-first design approaches. For more information, please visit https://diacc.ca

DIF is excited to welcome the Creator Assertions Working Group (CAWG) as a new working group of DIF.

About CAWG

CAWG builds upon the work of the Coalition for Content Provenance and Authenticity (C2PA) by defining additional assertions that allow content creators to express individual and organizational intent about their content. CAWG defines an identity assertion that allows content creators to bind their online identity to the content that the content that they produce.

A Collaboration with ToIP and CAWG

This new working group will be a joint collaboration with members of DIF, Trust Over IP Foundation (ToIP), and the existing members of CAWG welcomed to participate. And of course, new members are welcome to join.

This group will be chaired by Eric Scouten, Identity Standards Architect at Adobe, and additional co-chairs to be named soon.

Get Involved

CAWG meetings will be held every other week starting Monday, 10 March at the following times:

Americas / European Time Zones: 8am PST / 1500 UTC APAC Time Zones: 6pm PST / 0100 Tuesday UTC

To get involved, see https://cawg.io/

As global electricity demand soars and renewable energy expands, the IEA highlights the urgent need for digital solutions to optimize grid flexibility. Here’s how Energy Web’s Digital Spine can help

The International Energy Agency recently released two reports: its annual Electricity 2025 analysis and a discussion of current challenges in grid investment. These documents describe two key aspects of the global energy transition: global demand for electricity is increasing, and new renewables (including distributed energy resources) are expected to be the greatest contributor to new supply that meets it. If you dig a bit deeper, you can also see why the electricity system needs a Digital Spine, Energy Web’s solution to optimize grid flexibility and unlock the potential of DERs.

The energy transition continues

The IEA forecasts “soaring” electricity demand over the next three years. Most of this increase will occur in developing economies, but advanced economies are expected to see increasing demand as well, driven by electric vehicle adoption, new air conditioners, heat pumps, and (especially in the U.S.) new data centers.

This new demand will be met by new low-carbon generation. The IEA expects fully half of the new demand to be met by solar PV, the cost of which continues to decline.

But progress increases complexity

It is undoubtedly excellent news that low-carbon generation will meet new demand, but the IEA cautions that power systems need to further adapt to the changing fuel mix on our grids. A combination of traditional thermal plants that are relatively inflexible, new renewable generation that is variable, and new demand patterns (e.g., more air conditioning demand on hot days and more electric vehicle charging on workday evenings) result in higher volatility in power markets.

We already see these impacts. The Electricity 2025 report describes the increasing incidence of negative prices in wholesale electricity markets, which occurs when supply outsizes demand so significantly that market-clearing prices fall below zero. This can happen for any number of reasons, but as the energy transition continues we would expect to see it happen more frequently in areas where afternoon solar generation could far exceed air conditioning demand (think massive amounts of rooftop and utility-scale solar) or overnight wind generation is greater than nearby transmission capacity.

Negative pricing events are most common in the regions of the world that are furthest along the energy transition, including Australia, California, and Texas (three places with very high solar PV or Wind penetration).

Percentage of negative hourly wholesale electricity prices in selected regions, 2019–2024 (IEA)

Negative price events are not in themselves a problem; however, they are noteworthy because they suggest real challenges in power system operations, which will only increase as the energy transition continues.

Physical infrastructure improvements will be insufficient

One strategy to address these challenges is to increase investments in electric grids. This means increasing transmission capacity and upgrading other physical infrastructure in order to reduce constraints that contribute to negative pricing: if one location has more power supply than demand, simply ship the excess to a location that can use it (yes, we recognize that this simplified description glosses over the complexities of constrained dispatch, but it remains true that increasing capacity in an appropriately-planned way will reduce the impacts of system constraints).

Unfortunately, the IEA does not think such new investments will be sufficient, or at least not sufficiently fast:

Around 1.5 million kilometres of new transmission lines have been built worldwide over the last decade, but inadequate transmission remains major constraint on power system development, electrification and energy security. Among other issues, grid infrastructure has struggled to keep pace with the rate at which new renewable sources are entering the system.

Their report describes several reasons for this, including supply chain bottlenecks and permitting delays — problems that are unlikely to recede in an era of increasing trade protectionism.

Managing power systems requires new ways to provide flexibility

So if new transmission is insufficient, what is the solution? The IEA offers its perspective: “Optimising the use of existing grid infrastructure through digital technologies enhances efficiency and maximises the use of existing assets, providing a safety valve for networks and supply chains”

This is precisely what our Digital Spine solution does: facilitate integration of DERs to allow grid operators and market participants to efficiently, fairly, and securely operate the grid. It can wring cost savings out of existing operational processes or even allow new market configurations that until now have not been feasible.

As an example of the latter, we implemented our Digital Spine solution in Australia as part of the Australian Energy Market Operator (AEMO)’s Project Edge. In that project, AEMO and market participants demonstrated a new approach to integrating DERs into both transmission- and distribution-level operations: a two-sided market based on dynamic operating envelopes. An independent cost-benefit analysis found that implementing this approach could save consumers AU$5–6 billion over twenty years, and that the savings would accrue to both consumers with DERs and those without them. A separate independent technology and cybersecurity assessment found that the Digital Spine as the underlying data exchange was more scalable, stable, resilient, flexible, and secure than traditional point-to-point or centralized approaches.

If you or your organization are looking to increase your network’s efficiency and unlock the full potential of DERs, please see our Digital Spine webpage for more information or to contact us.

Why the Grid Needs a Digital Spine: Insights from the International Energy Agency was originally published in Energy Web on Medium, where people are continuing the conversation by highlighting and responding to this story.

1. Overview

In 2024, Internet Safety Labs (ISL) added 3rd parties observed in app network traffic to our app Safety Labels viewable in AppMicroscope.org. Recently, we reviewed the network traffic of the original 1541 apps, looking for data brokers and the results were clear: 16% apps that were recommended or required in schools were sending student data to registered data brokers. Every state (and District of Columbia) had at least three or more schools with apps communicating with data brokers. In total, 442 of the 663 (or 67%) studied schools had apps with data broker traffic.  

Importantly, “registered” data brokers don’t count apps sending data to platforms destined for data brokers, nor does it include entities that should be registered data brokers but aren’t. 

This report details our findings and analysis on Edtech apps observed communicating with data brokers, as well as our recommendations for educators and app developers.  

1.1 The Inadequacy of “Data Broker” Legal Definitions 

This analysis counts only registered data brokers found in either the California Data Broker Registry or the Vermont Data Broker Registry.1 Readers should be aware that the legal definition of “data broker” in the US fails to properly account for and hold responsible the full data supply chain feeding data brokers. Specifically, it fails to include: 

First parties who sell personal information, such as mobile carriers who were found as recently as last year to be selling some of the most sensitive of personal information, location data2.  Entities who sell or share personal in bulk for marketing and advertising purposes, including identity resolution platforms (IDRPs) and  customer data platforms (CDPs), both designed to ingest and synthesize personal data from a multitude of services/platforms
a. This also includes adtech entities including Supply Side Platforms (SSPs), ad exchanges, Demand Side Platforms (DSPs), and Data Management Platforms (DMPs). These entities aggregate personal data shared via the real-time bidding (RTB) messages (aka “bidstream”). Note that these entities figured prominently in the recent Gravy Analytics analysis3.  

Thus, we must assume that the volume of student data making its way into data brokers is substantially larger than this analysis conveys. 

1.2 Methodology 

In 2022, ISL conducted a privacy audit on recommended and required technologies for students in a representative sample of K-12 schools across the US. In total, ISL examined 1541 mobile apps, including analysis of the network traffic between the app, the first party, and all third-party servers.   

Next, ISL researchers determined the corporate owner of every subdomain that appeared in the network traffic collected for the apps.   

Finally, we determined if the corporate owner was a registered data broker by matching against companies in the California and Vermont data broker registries; note that this reflects data broker registries as of 2024.   

2. Findings
2.1   Overall

243 apps or 15.8% of tested apps sent data to registered data brokers. The 243 apps sending data to data brokers communicated with a shocking 6.7 data brokers on average. This means that when children use these apps, their information will be sent to several data brokers.  

The top app categories sending data to data brokers were: 

News apps (77% of audited news apps)  Reference apps (37%)  Sports apps (32%), and   Community Engagement Platform (CEP) apps (26%).  

News, reference and sports apps are not surprising; news apps are known to be rife with adtech and martech. See Figure 7 for all category counts. 

As noted in all three previously published findings reports, Community Engagement Platform apps were among the leakiest apps observed. The CEP developers with apps found to be communicating with data brokers are shown in Table 1.

Table 1: CEP app developers with app accounts CEP App Developer total # of apps # apps with data broker traffic % with data brokers  Apptegy  129  16  12%  Filament Essential Services  5  1  20%  Finalsite  122  42  34%  Focus School Software  6  1  17%  From NowOn  4  1  25%  Heather Hanks  2  2  100%  Intrado Corporation  42  8  19%  Mascot Media  10  2  20%  SchooInfoApp  14  2  14%  SchoolPointe  8  2  25%  Straxis  2  1  50% 

Of the larger CEP developers (Apptegy, Finalsite, and Intrado), it’s clear that the apps’ configurability is influencing the presence of data brokers since not all of the apps were found to be communicating with data brokers. Finalsite, for example, provides an administrative dashboard that allows school districts to edit the URLs opened by the app. In 2021, ISL spoke with Blackboard (Anthology), then-owner of the Finalsite apps, and learned that the platform performed no checking on the domains entered by school administrators. We suggested that they add guardrails, checking for things like dangling or malicious domains, at a bare minimum. Finalsite acquired Anthology from Blackboard in September 2022.  

The Palm Beach County School District Android app (a CEP app) by Intrado included the most data brokers, at a whopping 31. (See also the Safety Label for the app here: https://appmicroscope.org/app/1579/) The app is no longer available on the Google Play store. 

Table 2 shows the five apps with the most data brokers from 2022 and from a recent retesting. Two of the apps have been removed from the store, but the other three are the same or worse with respect to the number of data brokers. 

Table 2: Top Five Apps – Most Data Brokers App Name  Developer  # of Data Brokers (2022)  # of Data Brokers (2025)  Palm Beach County School District (Android)  Intrado Corp.  31  App removed from store SBLive Sports (Android)  SB Live Sports  27  28  AllSides – Balanced News (iOS)  AllSides  27  28  Montgomery Public Schools (Android)  Finalsite  27  App removed from store Westover Christian Academy (Android)  Apptegy  25  34 
2.2   EdTech 

As discussed in Findings Report 1, the majority of apps from the benchmark weren’t strictly edtech apps; the benchmark included a surprising number of non-edtech, general use apps. Isolating edtech categories, we find that only 6 apps (2.0%) of the strictly edtech apps had observed traffic to data brokers. While this is substantially better than the overall sample rate, for these kinds of services, there should be no data brokers receiving data from the apps.  

Table 3: Edtech apps with data broker traffic    Classroom Messaging Software
(n = 30)  Digital Learning Platform
(n = 27)  Safety Platform
(n = 67)  School Management Software
(n = 61)  Single Sign On
(n = 5)  Student Information System
(n = 47)  Study Tools
(n = 28)  Virtual Classroom Software
(n = 12)  Grand Total
(n = 296)  # apps with data broker traffic  1  3.3%  0  0.0%  0  0.0%  3  4.9%  0  0.0%  1  2.1%  0  0.0%  1  8.3%  6  2.0% 

 

The following are the EdTech apps communicating with data brokers:

Classroom Messaging Software apps:  FAMILIES | TalkingPoints (iOS) School Management Software apps: Choicelunch (Android)  Choicelunch (iOS)  WebMenus by ISITE Software (Android)  Student Information System  k12 (Android)  Virtual Classroom Software  ZOOM Cloud Meetings (Android) 2.3   Most Common Data Brokers

The three most frequently observed data brokers in the network traffic were PubMatic, LiveRamp, and Magnite (Table 4).  

Table 4: Top 25 Data Brokers Found in Network Traffic  Data Broker  # Apps in K12 Benchmark  PubMatic  110  LiveRamp  100  Magnite  98  Lotame  78  OpenX  78  Freewheel  76  Taboola  72  Oracle  71  Nielsen Marketing  69  Tapad  65  LiveIntent  59  ID5  58  Neustar  57  PulsePoint  50  Outbrain  45  StackAdapt  45  Merkle Marketing  42  Media.net  41  Intent IQ  38  33Across  29  Wunderkind  29  BounceX  24  GumGum  24  Zeta Global  22  Bombora  21 
2.4   State-based Observations

Data brokers were found in apps in every state and the District of Columbia. That is, every state sample of 13 schools had at least one school with at least one app with data broker traffic. Figure 1 shows how many schools from the 2022 benchmark had apps that were sending traffic to data brokers. 13 schools were sampled in each state, so the heatmap reflects up to 100% (i.e. all 13 schools) having apps with traffic to data brokers. Texas, Wisconsin and Louisiana each had apps with data brokers in all 13 studied schools.

Figure 1: Number of schools in state sample with at least one app with data broker traffic (13 schools max per state)

Figure 2 shows the total number of apps with data broker traffic for each state sample of 13 schools. The states with the most apps with data broker traffic were Maryland, Kansas, and Minnesota. 

Figure 2: Total number of apps with data broker traffic

We hypothesize that the likelihood of apps with data broker traffic is mainly related to the sampled schools’ propensity to recommend a higher number of technologies to students. The correlation between the number apps with data brokers and the total number of apps was moderately strong at .69. Figure 3, the heatmap showing the total number of apps recommended by the 13 sampled schools in each state, indeed shows similarities (Texas, Minnesota, Wisconsin and Maryland, in particular).  

Figure 3: Total number of apps per state

We were interested to see if there was any obvious correlation between state privacy laws and the number of data brokers observed. Figure 4 shows states with student data privacy laws. Indeed, three of the nine states that don’t have student data laws, Minnesota, Wisconsin, and Maryland, each had high numbers of apps with data broker traffic, and all 13 schools in Wisconsin had apps with data broker traffic. While inconclusive with respect to causation, the correlation warrants future study. It’s also possible that the absence of a state student data privacy law encourages a higher number of technologies being recommended to students in schools.  

Figure 4: States with student data privacy laws
https://studentprivacycompass.org/state-laws/

There was no obvious correlation between states with children’s privacy laws and the number of apps with data broker traffic (Figure 5). 

Figure 5: States with children’s privacy laws
https://www.huschblackwell.com/2024-state-childrens-privacy-law-tracker

3. Recommendations 1) App developers: Apps or websites used by children should never send data to data brokers. They should also not send user data to customer data repositories a) Community Engagement Platform App Developers ISL is calling on the community engagement app developers shown in Table 1 to immediately update all of their apps to remove all data brokers. We also call upon CEP app developers to install better guardrails in the administrative portal, minimally performing automated checking for dangling and malicious domains. Ideally, also disallowing or flagging any commercial sites with trackers (like MaxPreps), alerting school administrators of the risks of such sites with respect to student data sharing. ISL recommends that schools not use CEP apps until they have demonstrated significant improvement in dangerous data sharing. 2) Schools, Educators, and Concerned Parents: While it’s 100% the responsibility of the app developer to ensure that their apps and websites are safe for children, schools may need to be the ones demanding removal of data brokers. To help you do this, we’ve updated our app safety labels to clearly identify the number of data brokers in the app (Figure 6). Educators, school IT personnel and concerned parents can look up the app safety label for any app that they’re recommending to students. If it includes data brokers, stay away from the app.             Can’t find your app? Contact us and we’ll be happy to audit a new app or re-audit an existing app.

Figure 6: Updated app safety label https://appmicroscope.org/app/1579/

Figure 7: Apps with data broker traffic by app category

 

Table 3: Apps with Data Broker Traffic by State State # of schools in state with at least one app with data broker traffic (13 schools sampled per state) % of schools in state using at least one app with data broker traffic total # apps with data broker traffic total # unique apps State children’s privacy law? State Student Data Privacy Law? Alabama 10 77% 22 15 Alaska 3 23% 5 5 Arizona 6 46% 8 7 Y Arkansas 11 85% 21 13 Y California 9 69% 14 12 Y Y Colorado 5 38% 7 5 Y Y Connecticut 12 92% 30 17 Y Y Delaware 11 85% 28 13 Y Washington, D.C. 9 69% 18 6 Y Florida 9 69% 36 23 Y Y Georgia 12 92% 30 16 Y Hawaii 4 31% 6 5 Y Idaho 7 54% 10 6 Y Illinois 9 69% 24 14 Indiana 9 69% 25 13 P Y Iowa 5 38% 18 18 Y Kansas 12 92% 39 24 Y Kentucky 8 62% 21 16 Y Louisiana 13 100% 27 9 Y Maine 11 85% 26 14 Y Maryland 11 85% 47 28 Y Massachusetts 11 85% 27 10 Y Michigan 9 69% 21 11 Y Minnesota 9 69% 39 23 Mississippi 10 77% 24 17 Y Missouri 8 62% 34 23 Y Montana 10 77% 17 12 Y Nebraska 9 69% 20 17 Y Nevada 4 31% 7 6 Y New Hampshire 11 85% 18 5 Y New Jersey 9 69% 17 11 New Mexico 3 23% 3 3 Y New York 6 46% 12 6 Y Y North Carolina 7 54% 9 4 Y North Dakota 8 62% 24 19 Ohio 7 54% 14 10 Y Oklahoma 10 77% 26 12 Y Oregon 5 38% 6 3 Pennsylvania 8 62% 11 8 Y Rhode Island 12 92% 29 10 Y South Carolina 10 77% 15 4 Y South Dakota 8 62% 23 17 Y Tennessee 11 85% 28 16 P Y Texas 13 100% 34 15 Y Utah 7 54% 9 5 Y Y Vermont 11 85% 15 6 Y Virginia 8 62% 18 13 Y Y Washington 3 23% 4 4 Y West Virginia 9 69% 18 14 Y Wisconsin 13 100% 36 15 Wyoming 7 54% 9 5 Y

 

Footnotes: ISL is updating the database with both Texas and Oregon data broker registries.   https://www.fcc.gov/document/fcc-fines-largest-wireless-carriers-sharing-location-data.  https://www.wired.com/story/gravy-location-data-app-leak-rtb/.

The post Data Broker Presence in 2022 US K-12 Benchmark Apps appeared first on Internet Safety Labs.

The post Jim Owens Re-Elected as Chairman of the Board appeared first on Velocity.

Kia ora,

2025 is well underway with a healthy mix of activity, excitement and opportunity, Digital Trust included.

We are seeing a major shift in this space as acceptance networks drive up digital identity adoption at the expense of ‘great in theory, hard to implement’ ideas like SSI (Self-Sovereign Identity), or the (hotly debated) need for digital identity itself. 

Member News

The final list of participants in Australia’s Age Assurance trial were recently announced and it’s great to see Digital Identity NZ members General Identity Protocol, GBG and MyMahi amongst them!

It’s terrific to welcome CentrifAI Ltd and welcome back Westpac, making it a ‘big four’ clean sweep, plus the Co-operative Bank (the only NZ owned bank member). See all member organisations here.

DINZ has available one Corporate seat and one further seat on the Executive Council to help with our diversity, equity and inclusion policy. If your organisation is not a member, join and lead.

Free access to InformDI’s 7 Chapters of DISTF, sponsored by NEC and DINZ, ends on 31 March. Register now and join the 100+ that have already taken the course. Want to sponsor? Get in touch. 

What’s Happening Around the Globe  

Australia: Banks are driving easy digital identity adoption across the ditch. UK: Government has announced plans for its own digital wallet to mainly hold mDLs (Mobile Driver’s License) and similar government held official data, according to industry comment.  NZ: Global media pick up NZ news too (hat tip to Biometric Update and Inidsol UK).

DINZ Updates

DINZ joined the Minister, FinTechNZ, agencies, and industry participants at the fourth FinTech Innovation Roundtable as we seek to remove obstacles to competition and increase service choice for New Zealanders. While Chatham House Rules apply to proceedings, DINZ has published the paper distributed before and tabled at the meeting addressing two digital identity related challenges.  Protecting people from online harm is at the heart of everything we do. So, if you attended Andrew Hughes’ DNZ webinar on Deepfakes and ID Verification last month, you’ll be interested in this post as well as mDL (Mobile Driver’s License) with DINZ members Visa and MATTR highlighted here.      If you missed DINZ’s webinar with Payments NZ on its strategic paper currently out for consultation, ‘Payments for the next generation’, you can watch the recording here.

A Personal Note

As members already know (and later from social media), after three and a half years as DINZ’s longest serving Executive Director, I’m stepping down in the next couple of months to move towards my original intention when returning from Europe – more downtime alongside some digital identity advisory that uses my 20+ years of knowledge and experience in this space. As my time as Executive Director comes to an end, DINZ Executive Council welcomes your suggestions on the following by getting in touch. 

 1. What Digital Trust related project ideas you have in mind to lead this year so that it can be considered in DINZ’s plans. Sponsor that work in DINZ or sponsor projects remaining from 2024.

2. Are you (or do you know of anyone who would be) interested in the role of Executive Director of Digital Identity NZ? Get in touch. 

Upcoming Events

4 March, 10am: DINZ Virtual Coffee Chat. Bring your digital identity ideation along to discuss.  4 March, 12pm: Worldline, hosted by DINZ, will reveal how it is revolutionising New Zealand’s payment landscape by integrating digital identity credentials into daily transactions. Register here.
  25 March, 12pm: Save the Date Now! ‘Meet the DISTF evaluators’ (those that are DINZ members at least). Considering DISTF accreditation? This is unmissable. Registration is coming soon. 8 April, Identity Management Day 2025: Up for an early start? Join IDSA 12pm – 9am NZ

DIA Training Schedule Confirmed

Identification management plays a core role in our work, and members should have a foundational level of understanding about what it is and how it impacts your customers. Good identification management helps reduce and/or prevent fraud, loss of privacy and identity theft, by applying good practices and processes. 

Topics covered in DIA Training Courses:

Identification Essentials (G1) Entity Information – Names and other Information (G2) Introduction to Identification Standards (G3) Biometrics 101 (G4)

FREE online learning at your own pace. Learn more. 

For any enquiries relating to Identification Management training email identity@dia.govt.nz

Ngā mihi,
Colin Wallis
Executive Director, Digital Identity NZ

Member news, global trends, upcoming events and more.
Read full news here: More momentum, greater choice – Digital Trust is getting real

SUBSCRIBE FOR MORE

The post More momentum, greater choice – Digital Trust is getting real appeared first on Digital Identity New Zealand.

A Snapshot of Passkey Deployments for Employee Sign-ins in the U.S. and UK

Key findings Enterprises understand the value of passkeys and the majority are rolling out passkeys for workforce sign-ins: The majority have either deployed or are in the midst of deploying passkeys with goals tied to improved user experience, enhanced security, and standards/regulatory compliance. Those that are deploying are rolling out a mix of device-bound and synced passkeys.  Enterprises are prioritizing passkey rollouts to users with access to sensitive data and applications, and are leveraging communication, training and documentation to increase adoption. Enterprises are reporting significant security and business benefits after rolling out passkeys: they report positive impacts on user experience, security, cost reduction, productivity and digital transformation goals — and are seeing declines in usage of legacy authentication methods. Interestingly, these benefits directly correlate with what businesses who aren’t yet using passkeys dislike most about their current authentication methods: that they can be compromised, are costly, and difficult to use.   Organizations that do not have active passkey projects cite complexity, costs and overall lack of clarity about implementation as reasons, signaling a need for increased education to enterprises on rollout strategies to reduce concerns. Read the Full Report Read the Press Release

Registrants can watch the webinar on demand.

Watch On Demand

Respondents report positive impacts on user experience, security, productivity, and cost reduction from deploying a mix of device-bound and synced passkeys

February 26, 2025 — The FIDO Alliance along with underwriters Axiad, HID, and Thales today released its State of Passkey Deployment in the Enterprise report, finding that 87% of surveyed companies have, or are in the midst of, rolling out passkeys with goals tied to improved user experience, enhanced security, and compliance. 

The report is the result of an independent survey commissioned in September 2024 by the FIDO Alliance Enterprise Deployment Working Group, with underwriting support from Axiad, HID, and Thales, to understand the state of passkey deployments in the U.S. and UK; the methods used to deploy passkeys and enroll employees; and the perceived barriers to deployment. Read the report at https://fidoalliance.org/research-state-of-passkey-deployment-in-the-enterprise-a-snapshot-of-deployments-employee-sign-ins-us-uk.

The survey revealed four key findings:

Enterprises understand the value of passkeys for workforce sign-ins. A majority of decision makers (87%) report deploying passkeys at their companies. Of these, 47% report rolling out a mix of device-bound passkeys (on physical security keys and/or cards) and synced passkeys (synced securely across the user’s devices). Organizations are prioritizing passkey rollouts to users with access to sensitive data and applications, including the three most commonly cited priority groups: Those requiring access to IP (39%), users with admin accounts (39%) and users at the executive level (34%). Within these deployments, organizations are leveraging communication, training, and documentation to increase adoption. Passkey deployments are linked to significant security and business benefits. Respondents report moderate to strong positive impacts on user experience (82%), security (90%), help-center call reduction (77%), productivity (73%), and digital transformation goals (83%).  Groups that do not have active passkey projects cite complexity (43%), costs (33%), and lack of clarity (29%) about implementation as reasons. This signals a need for increased education for enterprises on rollout strategies to reduce concerns, as there is a correlation between these perceived challenges and the proven benefits of passkeys.

“This study is equally encouraging and illuminating as it points to strong willingness and commitment to deploy passkeys to employees – and also is informative in helping FIDO shape resources that we can deliver to help enterprises around the world more quickly and effectively implement their FIDO authentication strategies,” said Andrew Shikiar, CEO and executive director of the FIDO Alliance. “Passkeys can stop AI-generated social engineering attacks in their tracks while also increasing employee productivity and reducing costs associated with help desk support and security breaches. FIDO Alliance is committed to helping more companies around the world realize these benefits by providing actionable passkey implementation guidance and best practices, which this data will help define.”

New phishing and fraud attempts are being used every day, driven in particular by widespread generative AI use. As reflected in the report, enterprise leaders are becoming aware of the limitations of compromisable passwords, and seeing the value of deploying the most secure and user-friendly authentication methods possible. These insights will be leveraged to further remove the perceived and/or real barriers around passkey adoption so more enterprises can experience their benefits on a global scale. 

Learn More During FIDO’s March 6 Webcast 

The FIDO Alliance will host a webcast on March 6, 2025 at 8am PST to provide further insights into the report methodology, the findings and next steps. The webcast will feature Michael Thelander, senior director of product marketing at Axiad; Katie Björk, director of communications and solution marketing at HID; and Sarah Lefavrais, Authentication devices product marketing director at Thales, along with Megan Shamas, chief marketing officer of the FIDO Alliance. Register here.

Michael Thelander, Axiad’s director of product marketing, thinks the survey results will deliver not just interesting data, but will also provide a path for FIDO2 to become a first class citizen alongside other forms of PKI-based authentication in the enterprise. “Passkey technology has not only matured, but this survey reveals how identity practitioners and strategists are beginning to integrate passkeys with their other workforce authentication methods, across different platforms and device types, to deliver what identity architects and users both want: strong authentication that doesn’t place a ‘friction ‘tax’ on the last step of accessing systems and networks.” 

“HID, in collaboration with fellow FIDO Alliance members, launched this survey to gain insights into the priorities of enterprise and security leaders that drive successful passkey implementation. We also aimed to identify the challenges other organizations encounter when integrating FIDO technology into their authentication strategies. HID’s overarching goal is to empower organizations to meet their business objectives by eliminating one of their most significant obstacles: user experience and security challenges linked to passwords,” says Katie Björk, Director of Communications and Solution Marketing.

“Thales is excited to collaborate with the FIDO Alliance for this research, which underscores the growing adoption of passkeys for employee sign-ins,” said Haider Iqbal, Director Product Marketing IAM at Thales. “We’re seeing similar interest from our customers, who recognize the benefits of FIDO authentication for both security and productivity. Thales is committed to enabling organizations to migrate their workforce and customers to passkeys, helping them stay ahead of the curve with secure, seamless and frictionless digital journeys for all users.”

Survey Methodology:

The survey was conducted among 400 decision makers who would be / are involved in passkey deployment in companies with 500+ employees across the UK and the US. The interviews were conducted online by Sapio Research in September 2024 using an email invitation and an online survey. At an overall level results are accurate to ± 4.9% at 95% confidence limits assuming a result of 50%. The survey was produced by the FIDO Alliance Enterprise Deployment Working Group, with underwriting support from Axiad, HID, and Thales.

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

About Axiad

Axiad is an identity security company whose products make authentication and identity risk management simple, effective and real. Our credential management systems make MFA defensible, manageable and usable. Our cutting-edge risk solutions help customers identify and quantify risk and fortify their systems against a barrage of new attacks. Learn more at www.axiad.com.

About HID

HID powers the trusted identities of the world’s people, places and things. We make it possible for people to transact safely, work productively and travel freely. Our trusted identity solutions give people convenient access to physical and digital places and connect things that can be identified, verified and tracked digitally. Millions of people around the world use HID’s products and services to navigate their everyday lives, and billions of things are connected through HID’s technology. We work with governments, educational institutions, hospitals, financial institutions, industrial businesses and some of the most innovative companies on the planet. Headquartered in Austin, Texas, HID has over 4,500 employees worldwide and operates international offices that support more than 100 countries. HID is an ASSA ABLOY Group brand. For more information, visit www.hidglobal.com.

About Thales Cybersecurity Products

In today’s digital landscape, organizations rely on Thales to protect what matters most – applications, data, identities, and software. Trusted globally, Thales safeguards organizations against cyber threats and secures sensitive information and all paths to it — in the cloud, data centers, and across networks. Thales offers platforms that reduce the risks and complexities of protecting applications, data, identities and software, all aimed at empowering organizations to operate securely in the digital landscape. By leveraging Thales’s solutions, businesses can transition to the cloud with confidence, meet compliance requirements, optimize software usage, and deliver exceptional digital experiences to their users worldwide.

More on Thales Cybersecurity Products: https://cpl.thalesgroup.com/

More on Thales Group: www.thalesgroup.com

Contact
press@fidoalliance.org 

In the MyData Matters blog series, MyData members introduce innovative solutions that align with MyData principles, emphasising ethical data practices, user and business empowerment, and privacy. Wallets offer opportunities for […]

Guest Blog By Colton Wolkins

The DIDComm User Group Meeting is open to anyone interested in using and implementing DIDComm. This is a great place for developers to learn, ask questions, and share experiences!

DIDComm (Decentralized Identity Communication) is rapidly becoming a fundamental protocol for secure, private, and interoperable messaging in decentralized identity systems. As adoption grows, developers and organizations worldwide are implementing DIDComm to enable seamless, trustable communication between digital identities. But navigating the technical landscape can be challenging—this is where the DIDComm User Group comes in.

Different from the DIDComm Working group, composed of DIF members actively contributing to the DIDComm Specification, the DIDComm User Group is an open forum for anyone interested in implementing and using the DIDComm protocol to connect with others, share experiences, and get answers to your questions. 

1. See Demonstrations and Presentations from Other DIDComm Implementers

Learn from real-world implementations! The User Group meetings often feature demonstrations and presentations from developers who are actively working with DIDComm. These sessions provide insights into how others are tackling challenges, designing solutions, and deploying DIDComm in various environments.

Recently, a demonstration involving a Raspberry Pi showcased how DIDComm can be used to send messages back and forth with another device privately, securely, and even when both devices are on different networks. Following the demonstration, a short Q&A session was held, leading into a discussion about how DIDComm can mitigate many of the issues that the industry has with IoT devices.

2. Receive Help with Your DIDComm Implementation

Are you facing technical issues while integrating DIDComm? Do you have questions about the DIDComm specification? The User Group meetings offer a collaborative space where developers can ask questions and receive support from peers and experts. Whether it’s debugging a problem, discussing best practices, or understanding implementation nuances, the User Group is an excellent place to get practical guidance from those who have been there before.

Just this last week, the Credo project reached out to the User Group due to a UI/UX concern that they had. After some discussion, the group came up with a better solution than the one proposed, and is coordinating follow-up.

3. Learn About DIDComm Adoption Across Industries and Regions

DIDComm is being adopted across industries, from finance and healthcare to travel and enterprise security. By attending these meetings, you gain insight into how organizations worldwide are leveraging DIDComm to enhance security and privacy in digital communications. Understanding the breadth of adoption can help you identify potential partnerships, new use cases, and emerging trends that may influence your own projects.

Read more about DIDComm and deployment examples from around the world.

Take Action: Join the Next Meeting User Group meeting

Join us and be part of the conversation shaping the future of decentralized identity communication! To accommodate a global audience, there are two meeting times—one convenient for North American participants and another scheduled for APAC-friendly time zones. 

DIF DIDComm User Group meeting (US Time Zones) DIF DIDComm User Group meeting (APAC/EU Time Zones)

Interested in shaping the DIDComm standard? Contact DIF about becoming a member and contributing to the DIDComm Working Group.

To stay updated on upcoming meetings and receive invitations, check the DIF events calendar or subscribe to the DIF newsletter.

The Digital Future of Consumer Packaged Goods (CPG)

Privacy-Preserving Traceability with Digital Product Passports & Data Spaces Interoperability

The Consumer Packaged Goods (CPG) industry is undergoing a rapid transformation. Consumers demand accountability and sustainability—over 70% want detailed product information—while new regulations like the EU’s Ecodesign for Sustainable Products Regulation (ESPR) and the Uyghur Forced Labor Protection Act (UFLPA) reshape the landscape. Big data leaks and supply chain disruptions have become the norm. As regulations grow increasingly stringent, consumer trust falters, and operational costs skyrocket, a paradigm shift is essential. The industry needs verifiable, trusted data seamlessly integrated — and a system that enables seamless, permissioned data exchange across the value chain.

Digital Product Passports (DPPs) are a key component of this transformation. A DPP is a secure, globally unique digital record that stores verifiable information about a product throughout its lifecycle—from raw materials to disposal. Widespread adoption of DPPs is critical for building trust, strengthening value chain resilience, and ensuring regulatory compliance. According to the EU, which now requires DPPs for nearly all products sold in the EU, “the DPP is designed to close the gap between consumer demands for transparency and the current lack of reliable product data.”

However, DPPs alone are not enough. To truly unlock their potential, we need a standardized framework for data spaces interoperability—a system that enables direct, seamless transactions between participants across industries. Modern value chains involve collaboration among thousands of stakeholders, including enterprises, regulators, and consumers. When these value chains function efficiently, they improve product quality, optimize resource allocation, and lower costs. Yet, despite technological advancements, achieving this level of coordination remains a challenge.

Introduction to MOBI’s Web3 Infrastructure

Today, many organizations rely on third-party platforms and proprietary applications for data exchange, resulting in fragmented, siloed systems. This lack of interoperability limits collaboration and hinders critical processes, from ensuring product safety and ethical sourcing to enabling proper recycling and end-of-life management. Recognizing this, MOBI was formed in 2018 as a neutral convener for organizations to develop standards and infrastructure for DPPs and data spaces interoperability. MOBI’s Web3 Infrastructure, comprising Citopia Decentralized Marketplace (DM) and the Integrated Trust Network (ITN), offers a secure, decentralized marketplace framework with standardized communication protocols. Think of it as a private internet, wherein entities can engage in secure, autonomous, encrypted transactions.

Citopia DM and the ITN are built for Self-Sovereign Data and Identity (SSDI). Each participant owns and manages their own Self-Sovereign Digital Twin (SSDT), which stores two things:

a globally-unique Decentralized Identifier (DID), which is anchored and validated in the ITN Verifiable Credentials (VCs) used for transactions in Citopia DM

This SSDT allows participants to engage in standardized, secure, and compliant transactions on Citopia DM with selective disclosure (data only goes to intended recipients). Both Citopia and ITN are system and cloud-agnostic, meaning stakeholders can seamlessly communicate while retaining their existing systems and web services. This removes the need for costly one-off integrations and eliminates prohibitive onboarding/maintenance costs, providing a robust foundation for data spaces interoperability.

Citopia DM unlocks new possibilities for DPPs by enabling direct peer-to-peer transactions between value chain participants. Removing reliance on third-party intermediaries lowers costs, increases traceability, and drives compliance with emerging regulatory requirements. Companies leveraging MOBI’s infrastructure can streamline operations, reduce data silos, and improve their ability to meet evolving consumer and regulatory demands. For regulators and consumers of CPGs, Citopia DM offers easy access to trusted DPPs issued by companies. For regulators, this makes it easy to verify compliance claims. For consumers, access to DPPs can inspire confident purchasing decisions and boost brand loyalty.

Laying the Foundation for Generative AI Applications

MOBI is going to take this one important step further. The robust infrastructure it has built not only addresses the critical need for tracebility and data exchange but also lays the foundation for powerful generative AI applications. By leveraging the rich, contextual data housed within DPPs and the seamless data flow facilitated by Citopia and SSDTs between rich data spaces, generative AI can move beyond generic analyses to provide participant-specific value. Imagine a scenario where:

Consumers can interact with generative AI agents to understand the complete lifecycle of a product they are considering purchasing. These agents, equipped with DPP data accessed through Citopia, can answer nuanced questions about a product’s sustainability footprint, ethical sourcing, or even detailed ingredient breakdowns, generating responses tailored to the individual consumer’s values and concerns. For example, a consumer with specific dietary restrictions or sustainability preferences could ask a generative AI agent: “Show me the carbon footprint and allergen information for the ingredients in this cereal, and suggest alternatives with lower environmental impact and no nuts.” The agent, accessing the DPP via Citopia, can generate a personalized, privacy-preserving response, drawing from verified data and offering actionable recommendations. CPG Companies can utilize generative AI to optimize their operations and gain deeper market understanding. Generative AI agents can analyze aggregated and anonymized DPP data from across the value chain within Citopia to identify supply chain inefficiencies, predict potential disruptions, or personalize marketing campaigns with unprecedented precision. For instance, a generative AI agent could analyze DPP data to recommend optimal sourcing strategies based on real-time insights into material availability, ethical considerations, and environmental impact, while ensuring compliance with regulations like UFLPA. Furthermore, generative AI can assist in generating customized sustainability reports or proactively flag potential regulatory compliance issues based on DPP data, streamlining operations and reducing risks. Regulators can employ generative AI agents to efficiently monitor and verify compliance with evolving regulations like the ESPR. These agents can be granted permissioned access to DPP data within Citopia, enabling them to automatically audit product information against regulatory requirements and identify potential non-compliance issues at scale. Generative AI can generate summaries of compliance status across product categories or highlight specific areas needing further investigation, significantly enhancing regulatory oversight and consumer protection.

The key to enabling these generative AI applications lies in the architecture of MOBI’s Web3 infrastructure. SSDTs with secure identities backed by the ITN ensure that each participant retains control over their data, can choose what data to disclose (and to whom), and can securely exchange verifiable data in a regulatory-mandated Zero Trust Architecture.

Generative AI agents operating within this framework can be designed to access and process data in a privacy-preserving manner. For example, they can utilize techniques like differential privacy or federated learning to generate insights from aggregated DPP data without needing to access or expose the raw, sensitive data of individual participants. Selective disclosure of VCs ensures that only authorized agents receive the necessary data points, minimizing the risk of data breaches or misuse.

Conclusion

This means that the combination of DPPs and interoperable data spaces facilitated by MOBI’s infrastructure and generative AI represents an entirely new business phase for the CPG industry. It moves beyond basic traceability to enable a future where data becomes a dynamic tool for generating participant-specific value, fostering deeper consumer trust, optimizing business operations, and ensuring robust regulatory compliance – all within a secure and privacy-respecting ecosystem.

MOBI’s Web3 infrastructure is, therefore, a game-changer for the CPG industry, offering a scalable, decentralized approach to data verification and interoperability while enabling participant-specific insights and recommendations using generative AI. As consumer expectations evolve and regulatory landscapes shift, embracing decentralized, self-sovereign solutions will be the key to sustainable growth and competitive advantage. The future of CPG lies in verifiable, trusted data, and MOBI is leading the way in building the infrastructure to support it.

The post The Digital Future of Consumer Packaged Goods (CPG): Embracing Transparency and Insights with Digital Product Passports and Data Spaces Interoperability first appeared on MOBI | The New Economy of Movement.

Biometrics are connecting with payment credentials, whether through numberless credit cards and banking apps or passkeys, as the concrete steps towards linking digital identity and payment systems shows up as a major theme in the week’s most-read stories on Biometric Update. Mastercard announced it will ditch the familiar credit card number in favor of on-device biometrics and tokenization, while everyone in digital wallets, from the EUDI Wallet Consortium to Fime and Mattr to Apple is looking at how to bring together identity and payments, and Visa arguing for the role of passkeys in a converged digital ID and payments ecosystem.

Passkey authentication replaces traditional passwords with a pair of cryptographic keys—public and private. The private key stays on the user’s device, while the public key sits on the server. During login, the server issues a challenge that only the private key can solve, and the response gets verified using the public key. No passwords are transmitted or stored, which reduces the attack surface significantly. Password leaks and brute-force attempts become non-issues because there is no static secret to steal or guess.

FIDO2 is a joint initiative by the FIDO Alliance and the World Wide Web Consortium (W3C) aimed at delivering streamlined, strong authentication without relying on passwords. It defines a set of technical components: WebAuthn and CTAP2 (Client to Authenticator Protocol). WebAuthn standardizes how a web application interacts with an authenticator—often a platform feature like a secure enclave on a phone or a hardware security key. CTAP2 governs how that authenticator communicates with the client device, such as a laptop or smartphone.

Username and password authentication is a fixture in healthcare but one that continues to hinder operations and put patient privacy – and care – at risk. In just the first three months of 2024, there were over 116 data breaches in the healthcare industry, allowing cybercriminals to access private patient data, medications, clinical records, Social Security numbers, and more by employing tactics like phishing emails and malware.

As a result, passwordless authentication is steadily gaining traction, enabling healthcare facilities to implement more secure user verification and streamline access management.

The transition to passwordless won’t happen overnight. However, we can expect continued adoption of passwordless methods over the next decade, as the challenges of traditional passwords become too glaring to ignore in this mission-critical industry.

Traditional username and password authentication remains a standard practice in healthcare, but it increasingly compromises operational efficiency, patient privacy and care quality. In the first quarter of 2024 alone, over 116 data breaches exposed sensitive patient data, including medications, clinical records and Social Security numbers. Cybercriminals use tactics like phishing and malware to exploit these vulnerabilities, underscoring the need for stronger authentication measures. As a response, passwordless authentication is gaining traction, offering a more secure and streamlined approach to access management. Although the transition will take time, the next decade will likely see widespread adoption of passwordless solutions as the limitations of passwords become too costly to ignore.

Navigating Passkeys: A Deep Dive into FIDO Authentication in Australia Overview

The FIDO Alliance recently held a pivotal one-day seminar exploring the transformative power of passkey authentication in Australia and beyond.

This dynamic event attracted 150-200 influential leaders and decision-makers from government, consumer, and enterprise sectors to explore the future of secure online identity in Australia, New Zealand, and overseas. The agenda covered use cases, case studies, and the latest data and collaboration happening to implement passkeys for consumers, workers, and governments regionally and around the world.

View the presentations below:

FIDO Alliance – Simpler Stronger Authentication.pptx from FIDO Alliance

From Authentication to Assurance – Managing risk in passkeys and beyond.pptx from FIDO Alliance

From Requirements to Rollout – VicRoads’ Experience with Passeys.pptx from FIDO Alliance

How to Simplify and Accelerate Passkey Adoption.pptx from FIDO Alliance

IdentityVerification IDV + Passkeys.pptx from FIDO Alliance

Insights from Large-Scale B2C Passkey Deployments.pptx from FIDO Alliance

Passkeys – Why Moving Now Makes Sense.pptx from FIDO Alliance

FIDO and Government:How Policymakers and Regulators are Thinking About Authentication.pptx from FIDO Alliance

Public Review - ends March 24th

OASIS and the LVCSP TC are pleased to announce that Lightweight Verifiable Schema Credential v1.0 CSD01 is now available for public review and comment. 

This document defines a lightweight schema for Verifiable Credentials to support digital (also known as electronic) “Know Your Customer” (eKYC) processes, based on the W3C Verifiable Credential (VC) standards. Through adoption of this standard, individuals are able to share their verified identity claims across different digital platforms and services. This standard is referred to as a “Lightweight Verifiable Credential Schema,” abbreviated as LVCS, because it provides a basic schema and format, without significant options or conditions.

The documents and all related files are available here:

Lightweight Verifiable Credential Schema Version 1.0

Committee Specification Draft 01

10 February 2025

Editable source:

https://docs.oasis-open.org/lvcsp/lvcs/v1.0/csd01/lvcs-v1.0-csd01.docx (Authoritative)

HTML:

https://docs.oasis-open.org/lvcsp/lvcs/v1.0/csd01/lvcs-v1.0-csd01.html

PDF:

https://docs.oasis-open.org/lvcsp/lvcs/v1.0/csd01/lvcs-v1.0-csd01.pdf

For your convenience, OASIS provides a complete package of the specification document and any related files in a ZIP distribution file. You can download the ZIP file at:

https://docs.oasis-open.org/lvcsp/lvcs/v1.0/csd01/lvcs-v1.0-csd01.zip

How to Provide Feedback

OASIS and the LVCSP TC value your feedback. We solicit input from developers, users and others, whether OASIS members or not, for the sake of improving the interoperability and quality of its technical work.

The public review starts 21 February 2025 and ends 24 March 2025 at 23:59 UTC. 

Comments may be submitted to the project by any person through the use of the project’s Comment Facility. TC members may submit comments directly to the TC’s mailing list. All others can submit comments by following the instructions listed on this page. 

All comments submitted to OASIS are subject to the OASIS Feedback License, which ensures that the feedback you provide carries the same obligations at least as the obligations of the TC members. In connection with this public review, we call your attention to the OASIS IPR Policy [1] applicable especially [2] to the work of this technical committee. All members of the TC should be familiar with this document, which may create obligations regarding the disclosure and availability of a member’s patent, copyright, trademark and license rights that read on an approved OASIS specification. 

OASIS invites any persons who know of any such claims to disclose these if they may be essential to the implementation of the above specification, so that notice of them may be posted to the notice page for this TC’s work.

Additional information about the specification and the LVCSP TC can be found at the TC’s public home page located here.

Additional references:

[1] https://www.oasis-open.org/policies-guidelines/ipr/

[2] http://www.oasis-open.org/committees/lvcsp/ipr.php

Intellectual Property Rights (IPR) Policy

The post Invitation to comment on Lightweight Verifiable Schema Credential v1.0 appeared first on OASIS Open.

The Human Colossus Foundation (HCF) recently participated in the 2025 Geneva Winter Summit, a global gathering of AI experts, policymakers, and innovators hosted by the AI for Developing Countries Forum (AIFOD) at United Nation office at Geneva. The summit focused on AI’s potential for developing countries to drive equitable digital development, culminating in the AIFOD Geneva Winter Summit Declaration 2025, which charts a path for inclusive AI progress.

At the core of HCF’s contribution were two topics:

The importance of access to accurate data and its provenance in AI training especially for small and less digitalize nations.

The role of distributed governance in fostering ethical AI Agents ecosystems which can give the edge for developing countries without need to build massive data centers for huge AI models.

The Power of Accurate Data and Provenance in AI Training

For AI to serve communities effectively, it require access to massive data sets, best localize to avoid biases and misinformation. Unfortunately a lot of developing countries does not have such access, in many cases digital transformation just starting. This allows them to better prepare for upcoming needs of the data, they can start already shaping digital policies and strategies to invest from day one towards more accurate data ecosystems which could give them the edge relaying more on quality then quantity. AI models trained on verifiable, and well-documented data would be more accurate in their functions. Data provenance—the ability to trace data back to its source—is essential for ensuring AI models are transparent, reliable, and compliant with global data standards but as well allowing citizens and countries to verify potential bias and misinformation in AI-generated insights.

At the summit, HCF emphasized how Dynamic Data Economy (DDE) principles enable organizations to structure and verify data origins, ensuring AI models are trained on high-quality, trustworthy inputs.

Why does data provenance matter?

Enables to build trust and accountability in AI decision-making

Helps organizations comply with data protection regulations (e.g., GDPR, HIPAA)

Prevents bias and misinformation in AI-generated insights

HCF advocates for data-oriented architectures, where individuals and businesses can validate their data before it is used to train AI, ensuring a more transparent and responsible ecosystem.

Distributed Governance: The Key to Ethical and Sustainable AI

Governance models must evolve to keep pace with AI’s rapid growth. Traditional centralized governance structures often struggle to provide the inclusivity and adaptability needed for cross-border AI systems.

At the summit, HCF promoted distributed governance model to help with classification standards, cross-jurisdictional ethical alignment, and enhanced data transparency. A meta-governance framework would equip stakeholders with accurate, verifiable, and accessible information, enabling informed AI adoption that aligns with local regulations and ethical values. By promoting fairness, transparency, and accountability, this framework supports a responsible, sustainable AI-driven digital economy.

How can distributed governance benefit AI ecosystems?

Inclusive decision-making – Empowering communities, businesses, and policymakers to shape AI’s future

Enhanced accountability – Avoiding centralized control that can lead to bias or exploitation

Interoperability across jurisdictions – Helping AI operate ethically across borders without conflicting regulations

Through distributed governance models, AI can serve global communities fairly, ensuring that technological advancements reflect a shared ethical and socio-economic vision.

The 2025 AIFOD Declaration: A Commitment to Inclusive AI

The Geneva Winter Summit Declaration 2025 serves as a blueprint for AI governance, highlighting the need for:

Equitable access to AI advancements for developing nations

A balance between regulation and innovation

Stronger international collaboration to ensure ethical AI deployment

HCF stands committed to advancing these goals through the Dynamic Data Economy, ensuring AI serves all communities equally, ethically, and sustainably.

Looking Ahead: HCF’s Vision for Ethical AI Development

The Human Colossus Foundation will continue advocating for accurate data management, distributed governance, and responsible AI adoption. Through collaboration with global stakeholders, we aim to shape AI ecosystems that prioritize transparency, inclusivity, and sustainability.

Digitale Nachweise und Identitäten – die Zeit ist reif!

26. November 2024

Im Change Hub Berlin

Hardenbergstraße 32, 10623 Berlin

Am 26. November fand die Zweite Digital Society Conference (DSC2) im Change Hub in Berlin statt. Am 27. November fand im Rahmen der DSC2 ein Workshop zum Thema Organisationsidentitäten statt.

Wie im vergangenen Jahr lag der Schwerpunkt der DSC auf dem Thema Digitale Nachweise und Identitäten. In Keynote, Panels und interaktiven Worksessions wurden am 26.11.24 Genese und Rahmenbedingungen der europäischen digitalen Identitätslösung und der EUDI-Wallet erläutert und Fakten vermittelt. Auch sind wir der Frage nachgegangen, wie sich diese europäische Lösung im internationalen Kontext einordnet und was uns als Gesellschaft in den kommenden Jahren konkret erwartet. Denn die hoheitliche eID ist erst der Beginn einer schnellen und anspruchsvollen Entwicklung, in deren Folge auch Unternehmen eine digitale ID erhalten werden, um den Austausch von Daten und die Sicherheit der Identifikation von Entitäten zu gewährleisten.

An dieser Stelle danken wir den Referierenden, Panelisten und insbesondere unseren Förderern, ohne die wir die DSC2 nicht hätten realisieren können. 

DSC2 – Workshop 26.11.24

Digitale Nachweise und Identitäten – sind Sie bereit? 

Jörg Fischer, Bundesdruckerei

Download Keynote

Zu folgenden Themen bildeten sich Worksessions:

Anbindung von Kommunen und kleinen Unternehmen Wiki Data /Organisationsidentitäten / Definition ID-Diebstahl / Betrug Geschäftsmodelle / Payment Integration SDI-Initiativen außerhalb der EU / Interoperabilität Killer-Applikationen für Europäische Wallet (EUDI-Wallet) Und dann gab es noch eine Worksession unter dem augenzwinkernden Header „Dackel-Club“: Hier wurden Nutzungen und Anwendungen digitaler Identitäten diskutiert, die keine hoheitliche Identität benötigen. Zum Beispiel die Mitgliedschaft im Dackel-Club. Dies mag kurios klingen, doch wenn bedacht wird, dass mehr als 37 % der Bevölkerung der Bundesrepublik in Vereinen engagiert ist, so erscheint dieses Anwendungsfeld durchaus interessant, um Adaption und den Umgang mit Wallets voranzubringen.

Handout Wegweiser:

Schließlich wurde der Wegweiser Digitale Identitäten und Nachweise vorgestellt. Dieser ist Produkt der Zusammenarbeit innerhalb der Forschungsprojekte Sichere digitale Identitäten des BMWK (SDI) und steht nun zum Download zur Verfügung. Ziel des Wegweisers ist es, einen niederschwelligen Einstieg in die Begriffswelt digitaler Nachweise zu finden. Erläutert sind die Begriffe Wallet, digitale Identität, digitaler Nachweis, Signatur. Die Nutzung des Wegweisers ist frei. 

Download

DSC2 – Workshop 27.11.24

Am zweiten Tag der DSC2 fand ein Fachworkshop statt, der ganz dem Thema Organisationsidentitäten (OrgID) gewidmet war. Zunächst wurde in Vorträgen der aktuelle Sachstand präsentiert.  Dieser diente als Grundlage für die anschließende Arbeit in zwei großen Fachgruppen, deren Ziel es war, insbesondere die offenen Fragen und Punkte zu den Themenkreisen Zugang, Datenaustausch und technische Ausgestaltung weiter zu spezifizieren.  

EUID_Wallets_KYS

20241120_EUDI_Wallet_Architecture

The Food Safety Modernization Act (FSMA) compliance deadline is approaching quickly, giving companies less than a year to meet new food safety and traceability requirements. But beyond compliance, why does traceability matter?

In this episode, Wiggs Civitillo, Founder & CEO of Starfish,  joins hosts Reid Jackson and Liz Sertl to discuss how product traceability can streamline recalls, reduce food waste, and build consumer trust. Inconsistent data and lack of interoperability are some of the biggest challenges companies face in food traceability. Starfish addresses these challenges by enabling secure, seamless data sharing across the supply chain.

Tune in to hear FSMA 204 explained and discover solutions to help companies stay compliant.

In this episode, you’ll learn:

Practical solutions to meet FSMA 204 requirements efficiently

The impact of real-time data on food safety monitoring

How companies can use traceability to build consumer trust

 

Jump into the conversation:

(00:00) Introducing Next Level Supply Chain

(01:41) Challenges and lessons from the IBM Food Trust

(05:25) How Starfish connects supply chains

(13:58) Recalls, food safety, and consumer trust

(19:19) Understanding FSMA 204 and compliance

(25:06) Benefits of product traceability

(30:39) Wiggs’ favorite tech tool

 

Connect with GS1 US:

Our website - www.gs1us.org

GS1 US on LinkedIn

 

Connect with the guest:

Wiggs Civitillo on LinkedIn

Check out Starfish

Guest blog by Greg Bernstein, Dave Longley, Manu Sporny, and Kim Hamilton Duffy

Following the IETF/IRTF Crypto Forum Research Group’s adoption of the BBS Blind Signatures and BBS per Verifier Linkability (“BBS Pseudonym”) specifications, this blog describes historical context and details of cryptographic pseudonyms, as well as the privacy features they enable.

The discussion of cryptographic pseudonyms for privacy preservation has a long history, with Chaum’s 1985 popular article “Security without identification: transaction systems to make big brother obsolete” (Chaum1985) addressing many of the features of such systems such as unlinkability and constraints on their use such as one pseudonym per organization and accountability for pseudonym use. Although Chaum’s proposal makes use of different cryptographic primitives than we will use here, one can see similarities in the use of both secret and “public” information being combined to create a cryptographic pseudonym.

Lysyanskaya’s 2000 paper (Lysya2000) also addresses the unlinkable aspects of pseudonyms but also provides protections against dishonest users. In addition they provide practical constructions similar to those used in our draft based on discrete logarithm and sigma protocol based ZKPs. Finally as part of the ABC4Trust project three flavors of pseudonyms were defined:

Verifiable pseudonyms are pseudonyms derived from an underlying secret key. Certified pseudonyms are certified pseudonyms derived from a secret key that also underlies an issued credential. Scope-exclusive pseudonyms are verifiable pseudonyms that are guaranteed to be unique per scope string and per secret key. Figure 1: Types of Pseudonyms

The BBS based pseudonyms in our draft are aimed primarily at providing the functionality of the pseudonym flavors 2 and 3 above.

How BBS is Fundamentally Better for Solving Dishonest Holder Fraud

Beyond the usual anti-forgery and tamper-evident protections that digital signatures provide, there are two different types of credential fraud that unlinkable credentials need to mitigate: third-party fraud and first-party fraud.

Third-party fraud is when one party uses another party's credentials without their knowledge or approval. This involves the theft of an honest holder's credentials.

First-party fraud is when a legitimate credential holder intentionally allows other parties to covertly use their credentials. This involves not the theft of credentials, but rather, a dishonest holder.

BBS signatures provides two different security features, one to address each of these cases:

1. Holder Multifactor Authentication

This security feature binds a BBS credential to a particular secret that only the holder knows and that an honest holder will not share access to nor use of. When a holder presents a BBS credential, a verifier can require that the holder prove use of this secret, thereby enforcing this protection on the holder's behalf. This is an anti-theft mechanism for mitigating third-party fraud.

Note: This feature is sometimes called "holder binding", but it might be more accurately understood as "Holder Multifactor Authentication". This is because the holder is not themselves bound to the credential and it is not a mitigation for first-party fraud. It instead works like another MFA device does when performing authentication. If a dishonest holder shares that MFA device or an API to use it, then someone else can unlinkably present their credential (with the holder's approval -- perhaps even for a fee). Stopping dishonest holders from doing this is a significant challenge that involves locking down users' hardware and software – and a single failure in this scheme could potentially result in an unlimited number of unlinkable, fraudulent presentations. This feature is therefore not a protection for verifiers, but rather one for honest holders against theft. With this in mind, it can be implemented such that a holder is free to use software or hardware of their choice to provide the protection, without requiring specific approval from the issuer.

2. Pseudonyms

This security feature binds a BBS credential to a secret that is constructed from inputs from both the holder and the issuer. When a holder presents a BBS credential, a verifier can require that the holder present a pseudonym that is based on this secret and a contextual identifier. Each time the same BBS credential is presented using the same contextual identifier, the pseudonym will be the same. This prevents a dishonest holder from covertly enabling an unlimited number of unlinkable presentations of their credential by any parties they authorize. It is an anti-cloning mechanism for mitigating first-party fraud.

Contextual identifiers can be any value, but need to be agreed upon between the verifier and the holder for a given use case. To give some examples for the presentation of credentials on the Web, a contextual identifier could be a URL like a Web origin (e.g., "https://website.example"), a Web origin with a certain path (e.g., "https://website.example/groups/wind-surfing"), or protocol-defined combination of a URL and a time range, allowing for pseudonyms to be "forgotten" or "rotated" after sufficient time has passed.

Note: Other credential schemes aim to mitigate first-party fraud by limiting the device and software that a holder chooses to engage with, sometimes referred to as "holder binding". With this approach, the holder's own device and software are trusted to be leveraged against them to constrain their behavior. This approach requires device and software allow lists, trust framework management, significant additional protocol security considerations, and ultimately means that the issuer chooses the holder's device and software (or provides them with a list of acceptable options from which they may choose). This has additional side effects, such as centralizing and vendor lock-in effects on the marketplace of devices and software. Finally, with this approach, it also only takes a single dishonest holder to thwart the protections of the device or software (that they have physical access to) to re-enable an unlimited number of unlinkable fraudulent presentations of a valid credential in the ecosystem. Catching this behavior after the fact logically requires being able to link presentations once again, one way or another, which would defeat the privacy aims of the scheme.

Overview: BBS Signature Bound Pseudonyms

The BBS signature scheme, the foundation for BBS Pseudonyms, is based on a three-party model:

Signer (also known as issuer): Issues credentials  Prover (also known as holder or user): Receives credentials  Verifier: Validates proofs

A prover obtains a BBS signature from a signer over a list of BBS messages and presents a BBS proof (a proof of possession of a BBS signature) along with a selectively disclosed subset of the BBS messages to a verifier.

Figure 2: Example of BBS Signature Flow

Each BBS proof generated is unlinkable to other BBS proofs derived from the same signature and from the BBS signature itself. If the disclosed subset of BBS messages are not linkable then they cannot be linked by their cryptographic presentation alone.

Note: the language used in this section is intentionally informal; for a more precise explanation of phrases like “…cannot be linked by their cryptographic presentation alone”, please see Lysya2000.

BBS pseudonyms extend the BBS signature scheme to “bind” a “cryptographic pseudonym” to a BBS signature retaining all the properties of the BBS signature scheme:

 A short signature over multiple messages Selective disclosure of a subset of messages from prover to verifier Unlinkable proofs.

In addition BBS pseudonyms provide for:

An essentially unique identifier bound to a signature/proof of signature whose linkability is under the control of the prover in conjunction with a verifier or group of verifiers. Such a pseudonym can be used when a prover revisits a verifier to allow a verifier to recognize the prover when they return or for the prover to assert their pseudonymous identity when visiting a verifier Assurance of per-signer uniqueness, i.e., the signer assures that the pseudonyms that will be guaranteed by the signature have not been used with any other signature issued by the signer (unless a signature is intentionally reissued). The signer cannot track the prover presentations to verifiers based on pseudonym values. Verifiers in separate “pseudonym groups” cannot track prover presentations. How BBS Pseudonyms Work Overview

To realize the above feature set we embed a two part pseudonym capability into the BBS signature scheme. The pseudonym’s cryptographic value will be computed from a secret part, which we call the nym_secret and a part that is public or at least shared between the prover and one or more verifiers. The public part we call the context_id. 

A simplified overview of this flow is shown in Figure 3:

Figure 3: Simplified overview of BBS Pseudonym flow Issuance

To bind a pseudonym to a BBS signature we have the signer utilize Blind BBS signatures and essentially sign over a commitment to the nym_secret. Hence only a prover that knows the nym_secret can generate a BBS proof from the signature (and also generate the pseudonym proof).

The prover chooses their (random) prover_nym and commits to it. They then send the commitment along with a ZKP proof that the prover_nym makes this commitment. The signer verifies the commitment to the prover_nym then generates the signer_nym_entropy and “adds” it to the prover_nym during the signature process. Note that this can be done since we sign over the commitment and we know the generator for the commitment.

Figure 4: Credential Issuance detailed flow

As in Lysya2000 we are concerned with the possibility of a dishonest user and hence require that that nym_secret = prover_nym + signer_nym_entropy be the sum of two parts where the prover_nym is a prover's secret and only sent to the signer in a blinding and hiding commitment. The signer_nym_entropy is “added” in by the signer during the signing procedure and sent back to the prover along with the signature. 

Verification

The pseudonym is calculated from nym_secret and context_id using discrete exponentiation.

nym_secret: A two-part secret combining: prover_nym: Generated and known only by the prover signer_nym_entropy: Contributed by the signer during signature context_id: A public identifier that is shared between the prover and one or more verifiers

This is similar to the computations in Lysya2000 and ABC2014. The pseudonym is presented to the verifier along with a ZKP that the prover knows the nym_secret and uses it and the context_id to compute the pseudonym value. A similar proof mechanism was used in Lysya2000. See chapter 19 of BS2023 for an exposition on these types of ZKPs.

Figure 5: BBS Pseudonym verification flow

See the appendix for a detailed diagram showing the complete BBS pseudonym issuance and verification flow.

BBS Pseudonym Example Applications Certifiable Pseudonyms

Certifiable pseudonyms work as follows:  the prover creates unique pseudonyms based on context_ids they choose. While the nym_secret is guaranteed unique to and by the issuer, the issuer never learns its value. 

When using the pseudonym, the prover presents both the context_id and pseudonym to identify themselves, along with any attributes (messages) they choose to reveal. No one else without the nym_secret and signature can produce a proof that they “own” the pseudonym. The prover can create as many different, unlinkable pseudonyms by coming up with different values for the context_id. 

Figure 6: In this example of Certifiable Pseudonyms, the prover chooses different a context_id per service they interact with Scope Exclusive Pseudonyms

With scope exclusive pseudonyms, the verifier or group of verifiers require the use of a specific context_id. This allows the verifier (or group of verifiers) to track visits by the prover using this credential/pseudonym. A verifier can limit data collection, i.e. data retention minimization, by periodically changing the context_id since the pseudonyms produced using different context_ids cannot be linked. For example a context_id like “mywebsite.com/17Nov2024” that changes daily means the verifier could only track visits daily.

Figure 7: Scope exclusive pseudonyms where verifiers, or groups of verifiers, require a specific context_id. In this example, scope is set a per-day level

Scope Exclusive Pseudonyms with Monitoring

Scope exclusive pseudonyms with monitoring enable regulated privacy in scenarios requiring third-party oversight. Consider a system for purchasing controlled chemicals: A prover with appropriate credentials uses a different pseudonym with each vendor. This prevents vendors from colluding on prices or learning secret formulas by tracking a prover's complete purchase history across different vendors. At the same time, for regulatory compliance and public safety, vendors must report all purchases to a monitor, including the pseudonym used and their vendor-specific context_id. The prover shares their nym_secret only with the monitor, allowing the monitor to link different pseudonyms to the same prover when necessary. This separation between nym_secrets and other credential-binding secrets is crucial - it enables regulatory oversight without introducing additional cross-tracking by vendors.

Figure 8: In this example, scope exclusive pseudonyms with monitoring are used to enable regulatory compliance while not reusing pseudonyms across vendors A Short Selection of References [Chaum1985] D. Chaum, “Security without identification: transaction systems to make big brother obsolete,” Commun. ACM, vol. 28, no. 10, pp. 1030–1044, Oct. 1985, doi: 10.1145/4372.4373. [Lysya2000] A. Lysyanskaya, R. L. Rivest, A. Sahai, and S. Wolf, “Pseudonym Systems,” in Selected Areas in Cryptography, vol. 1758, H. Heys and C. Adams, Eds., Lecture Notes in Computer Science, vol. 1758, Berlin, Heidelberg: Springer Berlin Heidelberg, 2000, pp. 184–199, doi: 10.1007/3-540-46513-8_14. [ABC2014] P. Bichsel et al., “D2.2 – Architecture for Attribute-based Credential Technologies – Final Version,” Aug. 2014. [Online]. Available: https://abc4trust.eu/download/Deliverable_D2.2.pdf. [Accessed: Feb. 10, 2025]. [BS2023] D. Boneh and V. Shoup, “A Graduate Course in Applied Cryptography,” Version 0.6. [Online]. Available: https://toc.cryptobook.us/book.pdf. [Accessed: Feb. 10, 2025]. [IETF-BBSblind-00] Internet Engineering Task Force, “BBS Blind Signatures – draft-irtf-cfrg-bbs-blind-signatures-00,” [Online]. Available: https://www.ietf.org/archive/id/draft-irtf-cfrg-bbs-blind-signatures-00.html#. [Accessed: Feb. 10, 2025]. [IETF-BBSlink-00] Internet Engineering Task Force, “BBS Per-Verifier Linkability – draft-irtf-cfrg-bbs-per-verifier-linkability-00,” [Online]. Available: https://www.ietf.org/archive/id/draft-irtf-cfrg-bbs-per-verifier-linkability-00.html#. [Accessed: Feb. 10, 2025]. Appendix: Complete BBS Pseudonym Flow (Issuance & Verification) Next Steps

Dive deeper into the BBS Blind and Per Verifier Linkability specifications: 

Review bbs-blind-signatures and bbs-per-verifier-linkability

Consider implementing the specifications to further evaluate the specs

Provide feedback in the IETF Crypto Forum Research Group

Join DIF’s Applied Crypto Working Group for ongoing meetings

Contribute to W3C Data Integrity Specification Development:

To evaluate how BBS can be used in the context of W3C Verifiable Credentials, join the W3C VC Data Integrity Community Group

Stay up to date: 

Subscribe to the DIF blog to receive updates

Thales has unveiled a new solution designed to streamline the deployment and management of FIDO security passkeys for large-scale implementations. The OneWelcome FIDO Key Lifecycle Management solution enables organizations to efficiently manage the complete lifecycle of FIDO keys while transitioning to passwordless authentication systems. The launch follows Thales’ previous efforts in passwordless authentication, expanding their enterprise security portfolio.

The solution provides IT teams with comprehensive control over FIDO key management, from initial enrollment through to eventual revocation. By allowing IT departments to pre-register keys and handle lifecycle management tasks, the platform helps reduce the burden on end users while maintaining security standards. The approach supports recent FIDO Alliance guidelines for enterprise passkey implementation, which emphasize the importance of streamlined deployment processes.

A key feature of the solution is its integration with Microsoft Entra ID through FIDO2 provisioning APIs, enabling organizations to pre-register Thales FIDO keys for their users. The integration is particularly relevant for enterprises using Microsoft 365, providing secure authentication capabilities from initial deployment. The feature arrives as Microsoft implements mandatory multi-factor authentication across its enterprise platforms.

We’re excited to welcome two partners to our Matchbox Program this year: Trans Youth Initiative-Uganda (TYI-Uganda) and TechHer.

The post Announcing our two new Matchbox partners appeared first on The Engine Room.

Fifteen years ago, The Onion published this story:

Study Finds Paint Aisle At Lowe’s Best Place To Have Complete Meltdown

Now it’s the vitamin aisle at CVS:

Enshittification at work.

When Cory Doctorow coined enshittification, he was talking about how online platforms such as Google, Amazon, and TikTok get shitty over time. Well, the same disease also afflicts many big retail operations, especially ones that flood their zones with discounts and other gimmicks, enshittifying what marketers call “the customer experience” (aka CX).

Take the vitamin aisle, above. The only people who will ever get down on all fours to read the yellow tags near the floor are the cursed employees who have to creep the length of the aisle putting them there.

For customers, the main cost of shopping at CVS is cognitive overhead. Think about—

All those yellow stickies All the slow-downs at check-out when you wave your barcode at a reader, punch your phone number into a terminal, or have a CVS worker to do the same All the conditionalities in every discount or “free” offer that  isn’t All the yard-long receipts, such as this one:

And the app!

OMFG,  all we really need the damned app for is the one CVS function our life depends on: the pharmacy.

To be fair, the app doesn’t suck at the basics (list of meds, what needs to be refilled, etc.). But it does suck at helping you take advantage of CVS’s greatest strength: that there are so many of them. Specifically,

While that’s down a bit from the peak in 2021, CVS is still the Starbucks of pharmacies. And while they are busy laying off people while investing in tech, you’d think they would at least make it easy to move your prescription from one store to another, using the app.  But noooo.

What the app is best for is promotional crap. For example, this:

Look at the small gray type in the red oval: 198 coupons!

After I scroll down past the six Extrabucks Rewards (including the two above), I get these:

First, who wants a full-priced item when it seems damn near everything is discounted?

Second, you’d think after all these years of checking out with my Extracare barcode, and the app shows me (under “Buy It Again”) all the stuff I’ve purchased recently, that CVS would know I am a standard-issue dude with no interest in cosmetics. So why top the list of coupons with that shit? I suppose it’s to make me scroll down through the other 178 coupons to find other stuff I might want at a cheaper price.

I just did that and found nothing. Why? Because most of the coupons are for health products I already bought or don’t need. (I’m not sick right now.) Also, almost all of the coupons (as you see) expire three days from now.

Now think about the cognitive and operational overhead required to maintain that whole program at CVS. Good gawd.

And is it necessary? At all? When you’re the Starbucks of pharmacies?

Without exception, all loyalty programs like this one are coercive. They are about trapping and milking customers.

But do stores need them? Do customers? Does CVS?  Really? When its customers are already biased by convenience.

Pro Tip: Real loyalty is earned, not coerced.

Want your store, or your chain, to be loved? Take some lessons from the most loved chain in the country: Trader Joe’s. In a chapter of The Intention Economy called “The Dance,” I list some reasons why TJ’s is loved by its customers. My main source for that list is Doug Rauch, the retired president of TJ’s, where he worked for 31 years. Here are the top few:

They never use the word “consumer.” They call us “customers,” “persons,” or “individuals.” They have none of what Doug calls “gimmicks.” No loyalty programs, ads, promotions, or anything else that manipulates customers, raises cognitive overhead or insults anyone’s intelligence. In other words, none of what marketing obsesses about. “Those things are a huge part of retailing today, and have huge hidden costs,” Doug says. (I think the company’s biggest marketing expense is its float in the Rose Parade.) They never discount anything, or say anything is “on sale.” Those kinds of signals add more cognitive overhead. TJ’s wants customers not just to assume, but to know. A single price takes care of that. They have less than no interest in industry fashion. TJ’s goes to no retail industry meetings or conferences, belongs to no associations, and avoids all settings where the talk is about gaming customers. That’s not TJ’s style because that’s not its substance. They believe, along with Cluetrain, that markets are conversations—with customers. Doug told me his main job, as president of the company, was “shopping along with customers.” That’s how he spent most of his time. “We believe in honesty and directness between human beings…We do this by engaging with the whole person, rather than just with the part that ‘consumes….We’ll even open packages with customers to taste and talk about the goods.” As a result, “There’s nothing sold at Trader Joe’s that customers haven’t improved.”

Then there’s what Walmart CEO Lee Scott told me in 2000 (at this event) when I asked him “What happened to K-Mart?” From The Intention Economy:

His answer, in a word, was “Coupons.” As Lee explained it, K-Mart overdid it with coupons, which became too big a hunk of their overhead, while also narrowing their customer base toward coupon-clippers. They had other problems, he said, but that was a big one. By contrast, Wal-Mart minimized that kind of thing, focusing instead on promising “everyday low prices,” which was a line of Sam Walton’s from way back. The overhead for that policy rounded to zero.

Which brings me to trust.

We trust Trader Joe’s and Walmart to be what they are. In simple and fundamental ways, they haven’t changed. The ghosts of Joe Coloumbe and Sam Walton still run Trader Joe’s and Walmart. TJ’s is still the “irreverent but affordable” grocery store Joe built for what (in his book) Joe called “the overeducated and underpaid,” and based in Los Angeles. Walmart is still Sam’s five-and-dime from Bentonville, Arkansas. (Lee Scott told me that.)

CVS’s equivalent to Joe and Sam was Ralph Hoagland, a good friend of good friends of ours in Santa Barbara. All of us also shared history around Harvard and Cambridge, where Ralph lived when he co-founded CVS, which stood for Consumer Value Store, in 1963. In those days CVS mostly sold health and beauty products, cheaply. I remember Ralph saying the store’s main virtue was just good prices on good products. Hence the name.

CVS can do a much better job of signaling bargain prices by just making them as low as possible, on the model of Trader Joe’s and Walmart.

I think there is also a good Health position for CVS: one that bridges its health & beauty origins and its eminence as the leading pharmacy chain in the U.S. And it could rest on trust.

I’m thinking now about tech. Specifically, FPCs, for First-Person Credentials. Read what Jamie Smith says about them in his Customer Futures newsletter under the headline The most important credentials you’ve never heard of. Also check out—

What I wrote last year about Identity as Root What DIF is doing What Ayra is doing Other stuff you’ll be hearing about first-person credentials (but isn’t published yet) when you come to the next IIW (April 8-10). What you’ll be learning soon about re-basing everything (meaning every SKU, as well as every person) on a new framework that is far more worthy of trust than any of the separate collections of records, databases, and namespaces that currently divides a digital world that desperately needs unity and interop—especially around health. And::: MyTerms, which is the new name for IEEE P7012, the upcoming standard (for which I am the working group chair) that should become official later this year, though nothing prevents anyone from putting its simple approach to work.

MyTerms can be huge and world-changing because it flips around the opt-out consent mechanisms that have been pro forma since industry won the industrial revolution and metastasized in the Digital Age. With MyTerms, the sites and services of the world agree to your terms, not the other way around. With MyTerms, truly trusting relationships can be established between customers and companies. This is why I immodestly call it the most important standard in development today.

So I have five simple recommendations for CVS, all to de-enshittify corporate operations and customer experiences:

Drop the whole loyalty thing. Completely. Cold turkey. Hell, fire the marketing department. Put the savings into employees you incentivize to engage productively (not promotionally) with customers. And publicize the hell out of it. Should be fun. Confine your research to what your human employees learn directly from their human customers. Be the best version of what you are: a great pharmacy/convenience store chain that’s still long in health and beauty products. Simplify the app by eliminating all the promotional shit, and by making it as easy as possible for customers to move prescriptions from one  CVS store to another. Watch what’s happening with first-person credentials and MyTerms. Getting on board with those will make CVS a leader, rather than a follower.

Coupon-clipping addicts may feel some pain at first, but if you market the new direction well—making clear that you have “everyday low prices” rather than annoying and labor-intensive discounts (many of which expire in three days), customers will come to love you.

Global payments orchestrator Yuno is launching the Mastercard Payment Passkey Service across Latin America, enabling merchants in the region to streamline online checkout processes and enhance fraud protection.

Following the launch by Yuno, merchants in Brazil, Argentina, and Chile can replace increasingly vulnerable traditional authentication methods, such as one-time passwords, with Mastercard Payment Passkey Service, which uses device-based biometrics, such as fingerprints and facial recognition already available on smartphones, to authenticate purchases.

Mastercard Payment Passkey Service also leverages tokenisation technology to ensure that sensitive data is never shared with third parties and remains useless to fraudsters in the event of a data breach, making transactions even more secure.

This technology promises to not only boost the security of online transactions, but also to significantly reduce cart abandonment rates by increasing convenience for merchants’ customers.

Changes are on the way for online shopping and e-commerce. The traditional way of paying for items online by typing in your credit card details (card number and CVV security code) will soon be a thing of the past.

Mastercard and other card payment companies will be introducing a one-click button that will work on any online platform.

One of the reasons why services will be moving to a one-click system is to deter hackers who target merchant sites to steal consumer card information. According to a 2023 study by Juniper Research, merchant losses from online payment fraud will exceed $362 billion globally between 2023 to 2028, with losses of $91 billion alone in 2028.

The one-click system will protect consumers and their online data.

We are excited to announce OwnYourData’s involvement in the groundbreaking PACE-DPP project: Promoting Accelerated Circular Economy through Digital Product Passports, spearheaded by Virtual Vehicle. As a key consortium partner, OwnYourData is leading the crucial work focused on Data Intermediaries in the work package 4 DPP Data Ecosystem.

PACE-DPP  is motivated by providing guardrails and solution bricks for tackling the basic technological and regulatory challenges for a smooth instantiation of DPP-based Ecosystems. Industrial relevant applications from supply-chains in electronics and wood/pulp/paper industries provide a solid basis for use-case driven experimentation with key enabling digital technologies like Data Spaces and Digital Twins. The essential result will represent the provision of lightweight accessible DPP services for unleashing the hidden potential of innovative circular economy business models, within the context of the European Green Deal.

OwnYourData plays a critical role in the PACE-DPP project by providing essential expertise in self-sovereign identity (SSI) and data governance for the emerging Digital Product Passport (DPP) ecosystem. We contribute to the semantic annotation of data structures to ensure interoperability within the DPP data ecosystem. Additionally, OwnYourData supplies technical building blocks for decentralized identifiers (DIDs), Verifiable Credentials (VCs), and Verifiable Presentations (VPs), supporting attestations and authentication mechanisms in compliance with OpenID specifications (OID4VC, OID4VCI, OID4VP). By implementing these SSI components, OwnYourData enhances trust and security in data sharing processes, fostering a scalable and privacy-preserving digital infrastructure for product traceability.

Beyond its technical contributions, OwnYourData actively works to integrate a neutral data intermediary (https://intermediary.at) that facilitates the secure storage and controlled exchange of product-related information. The intermediary serves as key enablers in supply chain processes, ensuring that product data remains accessible and verifiable while respecting privacy and compliance requirements. In addition we engage with stakeholders and disseminates human-centric aspects of digital product passports through collaborations with initiatives such as MyData, promoting transparency and user empowerment in data ecosystems.

The OwnYourData team in the PACE-DPP project consists of experts in data governance, self-sovereign identity, and semantic technologies. Dr. Christoph Fabianek, an authority in data exchange and SSI frameworks, leads the team’s contributions to decentralized identity solutions and Verifiable Credentials. Dr. Fajar J. Ekaputra brings expertise in semantic web technologies, ensuring structured and interoperable data representation. Gulsen Guler, MSc, specializes in data literacy and human-centric solutions, supporting accessibility and usability of digital product passport implementations. DI(FH) Markus Heimhilcher provides expertise in system operations, database management, and Kubernetes maintenance, ensuring a scalable and secure infrastructure. Paul Feichtenschlager contributes skills in data modeling, statistics, and software development, strengthening the technical foundation of OwnYourData’s role in the project.

We look forward to contributing our expertise to this transformative project and collaborating with other consortium members to establish a secure, interoperable, and privacy-preserving Digital Product Passport ecosystem. Stay tuned for more updates on our journey with PACE-DPP! For more information about the project, visit DPP-Austria.at.

 

This Lighthouse Project has been made possible by financial contributions from the Austrian Federal Ministry for Climate Action, Environment, Energy, Mobility, Innovation and Technology (BMK), supported by the Austrian Research Promotion Agency (FFG) under grant number 917177, as well as from the German Federal Ministry for Economic Affairs and Climate Action (BMWK), supported by the German Research Promotion Agency (DLR-PT).

Der Beitrag Empowering Digital Product Passports: OwnYourData’s Role in Secure and Interoperable Data Ecosystems erschien zuerst auf www.ownyourdata.eu.

Solving energy challenges through collaboration, innovation, and industry driven solutions

The energy industry is at a turning point. With decentralization on the rise, evolving regulatory demands, and an urgent push for sustainability, industry leaders must innovate together. That’s why Energy Web is excited to launch Energy Web Circles — a new initiative that brings together enterprises, regulators, and technology providers to create software solutions for today’s energy challenges.

A New Model for Collaboration

Energy Web Circles are designed to cut through traditional silos by focusing on key issues faced by the energy sector. Each Circle zeroes in on a specific challenge or opportunity, ranging from decentralized identity management, zero carbon electric vehicle charging, to carbon-aware computing and advanced grid management. These groups offer structured, flexible environments where participants can create solutions, share insights, and help shape emerging industry standards.

Introducing the First Circle: Universal Energy ID

Our inaugural Circle, Universal Energy ID, sets the stage for a more secure and interoperable energy ecosystem. As energy markets become increasingly decentralized, the need for a transparent and standardized identity framework grows. The Universal Energy ID isn’t just an identity solution — it’s a trust layer for the decentralized energy economy. It enables secure, seamless, and interoperable transactions that are essential for modern energy systems.

What is the Universal Energy ID Circle?

The Universal Energy ID Circle is a collaborative initiative aimed at developing and deploying a decentralized identity and credentialing system for the energy sector. The primary goal is to create a trusted and verifiable identity infrastructure that enables seamless transactions, regulatory compliance, and secure access control across the energy ecosystem. The Circle is designed to foster the development and integration of the EnergyID framework to enable Digital Product Passports (DPPs), e.g. to manage the lifecycle of batteries. For a DPP, this means that information about a product can be stored and updated across a network of various participants (manufacturers, suppliers, distributors, consumers, regulators) without relying on a central entity, making it resistant to censorship and single points of failure. By implementing DPPs, enterprises can drive innovation in electric mobility, enable circular economy practices, and comply with evolving regulatory requirements.

What Does the Solution Look Like?

At the core of this initiative is the EnergyID DID method, a W3C-compliant Decentralized Identifier (DID) specifically tailored for energy applications. This method provides a secure, tamper-proof way to authenticate energy-related assets, organizations, and individuals. This framework empowers electric mobility providers, distributed energy resource (DER) operators, and digital product passport managers to build trust and security into their transactions, setting a new standard for the industry.

The solution comprises:

Universal EnergyID Wallet — A digital identity wallet that allows energy stakeholders (such as utilities, DER owners, and EV users) to store and manage their decentralized identifiers and verifiable credentials. Verifiable Credentials (VCs) — These digital attestations enable secure proof of identity, asset ownership, and regulatory compliance in energy transactions. Interoperability Layer — Designed to integrate with existing identity management systems and ensure compatibility with global standards such as eIDAS 2.0. Trust and Governance Framework — A decentralized governance structure ensuring that credential issuance and verification are secure, reliable, and universally accepted.

How It Works in Practice

For Electric Vehicle Charging: EV owners can use their Universal EnergyID to authenticate at any charging station, ensuring trusted, frictionless access without relying on siloed authentication systems. For Distributed Energy Resources (DERs): A solar panel or battery storage unit can have a unique, verifiable identity that allows grid operators to authenticate its participation in energy markets. For Energy Data Sovereignty: Consumers can control who has access to their energy data, ensuring privacy and security while enabling seamless energy transactions. For Regulatory Compliance: Businesses and energy providers can automatically prove adherence to compliance standards through digitally signed verifiable credentials.

Key Benefits of Universal Energy ID

Unified Identity Management: It provides a single standard for managing identities across energy, electric mobility, and beyond, eliminating fragmentation. Proven Adoption: Major enterprises and OEMs are already adopting this framework, demonstrating real-world traction. Regulatory Alignment: Built to align with standards like eIDAS and Digital Product Passports, it ensures both compliance and scalability. Open and Interoperable: The solution is integrated with leading open-source identity frameworks, including OWF and ACA-Py, making it adaptable to various use cases. Secure Communication: Worker nodes in Energy Web act as DIDComm mediators and relayers, ensuring secure, reliable communication in decentralized identity ecosystems. Automated Billing: The system supports automated and trustworthy billing for energy consumed and produced, reducing administrative friction

Join the Movement
Energy Web Circles are open to all businesses interested in advancing digitization and decarbonization in the energy sector. Whether you’re an existing Energy Web member or a new partner, your expertise is welcome. By joining a Circle, you will:

Shape Emerging Standards: Play a direct role in developing the technologies and protocols that will define the future of energy. Access Exclusive Insights: Gain early access to research, reports, and discussions that keep you at the cutting edge. Collaborate Globally: Work alongside leaders in energy, sustainability, and technology to drive innovation and change. Call to Action: Join the Universal Energy ID Circle or create your own Circle

If digital identity, verifiable credentials, and seamless interoperability in energy can create value for your business, the Universal Energy ID Circle is for you. Whether you’re an enterprise ready to integrate decentralized identity solutions or a regulator committed to enhancing compliance mechanisms, now is the time to get involved. Or do you have a compelling use case or a challenge that could benefit from industry-wide collaboration?

The future of energy is collaborative, decentralized, and digital. With Energy Web Circles, you have the opportunity to drive that future — today. To learn more about our initiative and discover how you can participate, visit Energy Web or reach out to katy.lohmann@energyweb.org

Join the Universal Energy ID Circle today by contacting: commercial@energyweb.org

Unlocking the Future of Energy with Energy Web Circles was originally published in Energy Web on Medium, where people are continuing the conversation by highlighting and responding to this story.

Current Landscape

The finance and regulatory sectors are undergoing rapid digital transformation. While the industry pioneers new technology and moves away from conventional platforms, it faces rising fraud, privacy breaches, and growing consumer skepticism fueled by misinformation, disinformation, and challenges verifying information in an AI-driven world.

When Finance Canada’s Electronic Task Force for Payments System Review created DIACC in 2012, its goal was to unite public and private sector partners to develop a secure digital ecosystem. This goal remains, but the need to support a future-focused ecosystem underpinned by verification and authentication is more urgent than ever.

By prioritizing digital trust, Canada can secure its financial systems and enhance competitiveness in the global economy. Interoperable frameworks like the DIACC Pan-Canadian Trust Framework™ (PCTF) ensure systems remain resilient, adaptable, and trusted.

Advancing and Evolving Digital Trust in the Finance and Regulatory Sectors Strengthening Economic Competitiveness and Growth

Preventing fraud and building consumer trust are economic imperatives. Fraud costs taxpayers and businesses millions annually, and to ensure Canada remains competitive, we must adopt robust digital trust solutions to reduce fraud’s financial and operational impact. Adopting the right measures will also help Canada attract international investment, foster innovation in financial services, drive growth, and create jobs.

Enhancing Trust Through the DIACC PCTF to Complement KYC and AML

DIACC encourages its members in finance and payments to adopt the PCTF as a tool to:

Complement Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations by enhancing remote customer onboarding; Authenticate identities with trusted verification systems to reduce fraud in online transactions, digital wallets, and mobile banking; and Improve regulatory reporting efficiencies by using verifiable credentials for entity identification.

The PCTF is a critical resource for advancing interoperability, which supports trusted cross-institutional collaboration and strengthens the financial ecosystem.

Fostering Consumer Autonomy and Addressing Misinformation

Public skepticism fueled by misinformation and disinformation creates friction in adopting digital financial platforms. To tackle this, we can do the following:

Respect consumer autonomy: DIACC advocates for voluntary digital solutions that preserve traditional verification methods while offering enhanced, secure options. Promote digital literacy: Educational campaigns can strengthen consumer confidence by helping Canadians identify trustworthy institutions. Use “trust signals”: Institutions should adopt trust signals, such as verified logos or PCTF certification badges, to reassure customers of secure practices.

These efforts respect the diverse preferences of Canadians while promoting confidence in digital services.

Proactive Fraud Prevention and Responsible Innovation

Fraud prevention is not just about mitigation—it’s about staying ahead. To reduce incidents such as mortgage fraud and title insurance scams, we must:

Adopt an approach that complements existing client identification methods and includes verifiable credentials, mobile driver licenses and trust registries; financial institutions should integrate DIACC PCTF-aligned solutions to strengthen borrower identification and secure digital proof of ownership. Leverage responsible AI for risk detection — fraud prevention measures must include responsible AI and real-time analytics to detect anomalies, mitigate risks, and reduce operational costs.
Open Banking and the Future of Finance

The government’s commitment to open banking presents opportunities for financial innovation and introduces risks without secure digital trust frameworks. DIACC’s members are encouraged to:

Use the PCTF to establish interoperable risk management practices, ensuring trusted data sharing across institutions. Mitigate risks in consumer-permissioned data sharing by implementing robust verification systems that prioritize data privacy and transparency. Align with global open banking standards to ensure Canadian institutions remain competitive and attract international investment.

Open banking offers an opportunity to empower Canadian consumers and small businesses while strengthening the role of domestic innovation on the global stage.

Best Practices and the Way Forward Enhance Digital Trust with Emerging Technologies

Canada must adopt emerging technologies to stay globally competitive. Financial institutions can use verifiable data and responsible AI to enhance fraud detection, wallets, credentialing, and compliance.

Collaborate for Global Competitiveness

Collaboration with international regulators and organizations is essential for aligning Canadian frameworks with global norms, enabling secure cross-border transactions and strengthening Canada’s financial ecosystem.

Educate and Empower Through Advocacy and Metrics

DIACC is committed to educating Canadians on digital literacy and trust while addressing inclusivity challenges, including:

Hosting sector-specific workshops and certifications to promote best practices in digital trust. Amplifying simple, real-world use cases to demonstrate the benefits of digital trust solutions, such as fraud reduction and consumer empowerment. Advocating for enhanced regulations prioritizing secure transactions and privacy while preserving consumer choice. Publishing annual metrics on fraud prevention and consumer trust improvements to ensure transparency and accountability. Conclusion

The finance and regulatory sectors urgently need services with interoperable assurance and trust to meet the growing demands of digital transformation.

By working together, we can:

Educate citizens to strengthen digital literacy while addressing inclusivity challenges. Amplify the role of governments and domestic and world banks in strengthening trust. Determine how governments and organizations can best leverage the DIACC Pan-Canadian Trust Framework to complement KYC and AML regulations, build assurance, and mitigate risks for the benefit of all Canadians.

Through education, collaboration, and the strategic use of trusted solutions, we can solidify Canada’s position as a global leader in the digital economy while safeguarding trust, privacy, and economic opportunity for all Canadians.

Download available here.

DIACC-Position-Digital-Trust-For-Finance-and-Regulatory-Sectors-ENG_v1.1

DIF recently hosted a special session of its Credential Schemas workshop focused on developing privacy-preserving solutions for age verification. Led by Otto Mora, Standards Architect at Privado ID, and Valerio Camiani, Software Engineer at Crossmint, the session explored the growing need for standardized age verification.

The workshop addressed the increasing regulatory requirements for age verification across the US, EU, and other regions. Rather than focusing solely on traditional document-based verification methods, the group discussed innovative approaches including AI-based age estimation and voice recognition technologies, while maintaining strong privacy protections.

A key focus of the discussion was the development of standardized proof of age credential schemas that would enable efficient interoperability between different systems and organizations. Schemas would need to handle a variety of elements like age ranges, verification methods used, and confidence levels aligned with ISO standards. 

Getting Involved with DIF

For those interested in contributing to this important work:

The working group meets every other week and welcomes new participants The group’s specifications are publicly available on GitHub, where interested parties can submit commits and issues

To learn more about DIF and its work on decentralized identity standards, visit https://identity.foundation or reach out to membership@identity.foundation.

I started reading BoiongBoing when it was a ‘zine back in the last millennium. I stopped when I began hitting this:

In fact I don’t block ads. I block tracking, specifically with Privacy Badger, from the EFF.

But BoingBoing, like countless other websites, confuses tracking protection with ad blocking. This is because they are in the surveillance-aimed advertising business, aka adtech.

It’s essential to know that adtech is descended from the junk mail business, euphemistically called “direct response marketing.” As I put it in Separating Advertising’s Wheat and Chaff,

Remember the movie “Invasion of the Body Snatchers?” (Or the remake by the same name?) Same thing here. Madison Avenue fell asleep, direct response marketing ate its brain, and it woke up as an alien replica of itself.

As surveillance-based publications go, BoingBoing is especially bad. Here is a PageXray of BoingBoing.net:

And here is a PageXray of the same page’s URL, to which  tracking cruft from the email I opened was appended:

Look at that: 461 adserver requests, 426 tracking requests, and 199 other requests, which BoingBoing is glad to provide. (Pro tip: always strip tracking cruft from URLs that feature a “?” plus lots of alphanumeric jive after the final / of the URL itself. Take out the “?” and everything after it. )

Here is a close-up of one small part of that vast spread of routes down which data about you flows:

Some sites, such as FlightAware, interrupt your experience with a notice that kindly features an X in a corner, so you can make it go away:

Which I do.

But BoingBoing doesn’t. Its policy is “Subscribe or pay with lost privacy.”  So I go away.

Other sites use cookie notices that give you options such as these from a Disney company (I forget which):

Nice that you can Reject All. Which I do.

This one from imgur let’s you “manage” your “options.” Those, if they are kept anywhere (you can’t tell), are in some place you can’t reach or use to see what your setting was, or if they haven’t violated your privacy:

This one at Claude defaults to no tracking for marketing purposes (analytics and marketing switches are set to Off):

TED here also lets you Accept All or Reject All:

I’ve noticed that Reject All tends to be a much more prominent option lately. This makes me think a lot of these sites should be ready for IEEE P7012, nicknamed MyTerms, which we expect to become a working standard sometime this year. (I chair the working group.) I believe MyTerms is the most important standard in development today because it gets rid of this shit—at least for sites that respect the Reject All signal, plus the millions (perhaps billions?) of sites that don’t participate in the surveillance economy.

With MyTerms, sites and services agree to your terms—not the other way around. And it’s a contract. Also, both sides record the agreement, so either can audit compliance later.

Your agent (typically your browser, through an extension or a header) will choose to proffer one of a small list of contractual agreements maintained by a disinterested nonprofit. Customer Commons was created for this purpose (as a spin-off of ProjectVRM). It will be for your terms what Creative Commons is for your copyright licenses.

Customer Commons also welcomes help standing up the system—and, of course, getting it funded. If you’re interested in working on either or both, talk to me. I’m first name at last name dot com. Thanks!

 

The post Dr. Meagan Treadway joins Velocity’s board appeared first on Velocity.

The DIF Hackathon 2024 brought together builders from around the world to tackle some of the biggest challenges in decentralized identity. Across multiple tracks—including education and workforce solutions, reusable identity, and privacy-preserving authentication—participants developed creative applications that redefine how digital identity is used and trusted in the real world.

One of the standout challenges? The ZKP in SSI track, sponsored by Privacy & Scaling Explorations (PSE) from the Ethereum Foundation. Teams explored how to innovate with Zero-Knowledge Proofs (ZKPs), Multi-Party Computation (MPC), and Fully Homomorphic Encryption (FHE)—leveraging programmable cryptography to enhance privacy, security, and interoperability in SSI systems.

Beyond ZKPs, this year’s hackathon saw verifiable credentials powering next-gen job boards, seamless hotel check-ins, streamlined digital identity solutions for expats, and groundbreaking innovations in decentralized file storage.

Check out the inspiring discussion featuring the hackathon winners which took place on Dec 19th on Spaces: https://x.com/DecentralizedID/status/1869819527170797972

Let’s dive into the full list of hackathon winners and the impactful projects that emerged from DIF Hackathon 2024. 👇

Future of Education and the Workforce Track

Sponsored by Jobs for the Future (JFF) and the Digital Credentials Consortium (DCC)

1st Place: Challenge 1 

VCV 

VCV revolutionizes the CV, It allows for you to create verifiable and clean CVs where an employer can upload them and instantly verify them and view their individual verifiable credentials which combine to make the CV.

VCV VCV revolutionizes the CV, making it verifiable and creating verifiable experiences. DevpostMerul Dhiman

2nd Place: Challenge 1 

VeriDID Futures Credential Job Board

A job board that matches job seekers and potential employers using verifiable learning and employment record credentials.

https://devpost.com/software/veridid-futures

1st Place: Challenge 2b

Crediview Job Board

Instantly view and verify credentials with our sleek browser extension. Drag, drop, or paste – our smart detector does the rest. Streamline workflow and boost confidence in credential verification.

CrediView Instantly view and verify credentials with our sleek browser extension. Drag, drop, or paste – our smart detector does the rest. Streamline workflow and boost confidence in credential verification. DevpostBolaji Mubarak ZKP in SSI Track Sponsored by the Ethereum Foundation Privacy Scaling Explorations (PSE)

1st Place

Decentralised Credentials Issuer

Decentralising credentials issuance with Multiparty computation based threshold signatures

Decentralised Credentials Issuer Decentralising credentials issuance with Multiparty computation based threshold signatures Devpostanishsapkota Sapkota

2nd Place

VC Notary

Converting web service account data into verifiable credentials using TLSNotary

https://difhackathon2024.devpost.com/submissions/570986-vc-notary

3rd Place

ZK Firma Digital 

The project aims to create a zero-knowledge proof infrastructure solution for enhancing Costa Rica's digital identity system. It's a protocol that allows you  to prove identity in a privacy preserving way.

https://difhackathon2024.devpost.com/submissions/559470-zk-firma-digital

Reusable Identity Track Pinata 

Pinata Best Overall/ Pinata Proof of Personhood Credentials Winner

Vouch This Art

Vouch This Art is a Chrome extension that allows users to 'vouch' for images on the web by liking them or leaving messages, enabling interaction with images hosted anywhere online.

Vouch This Art Vouch This Art is a web chrome extension that “Vouch” images, allowing users to interact with images hosted anywhere on the web, whether by simply liking them or leaving messages. DevpostTotoro Gendut

Pinata Verifiable File Storage Winner

PinaVault

Access private IPFS files securely with PinaVault! Leverage Pinata's FilesAPI and W3C credentials to manage, share, and access files within organizations Credential-based access ensures user privacy.

https://difhackathon2024.devpost.com/submissions/574219-pinavault/

Pinata Identity-Based Access Controls For Private Files Winner

Expatriate

Streamlining the complex process of settling as an expat in Amsterdam through DIF verifiable credentials and wallets.

https://difhackathon2024.devpost.com/submissions/575933-expatriate

Pinata Honorable Mentions 

ChainVid

ChainVid is a decentralized platfrom to store and share videos online.

https://difhackathon2024.devpost.com/submissions/570136-chainvid

LookMate – Your virtual fashion companion.

Try Before You Buy: Revolutionizing Online Shopping with Realistic Virtual Fitting Rooms.

https://difhackathon2024.devpost.com/submissions/577364-lookmate-your-virtual-fashion-companion

PatentBots.AI - Securing Inventor Rights w/ Pinata Identity

PatentBots.AI decentralized system designed to help SME's to fully capitalize on, defend, commercialize and monetize their parents using the power memes and credentialed of persona identities (AIs).

https://difhackathon2024.devpost.com/submissions/575293-patentbots-ai-securing-inventor-rights-w-pinata-identity

Truvity

1st Place: Challenge 1 & Challenge 2

Miko's Journey

A comprehensive digital identity solution that transforms the complex expat documentation process into a streamlined, secure journey.

Devpost

2nd Place: Challenge 1 

Expatriate

Streamlining the complex process of settling as an expat in Amsterdam through DIF verifiable credentials and wallets.

https://difhackathon2024.devpost.com/submissions/575933-expatriate

3rd Place: Challenge 1 

CredEase

Digital Identity Wallet with a guided to-do list that helps expats collect, link, and submit VCs for tasks like employment, visa application, municipal registration, bank account opening, and housing.

https://difhackathon2024.devpost.com/submissions/577563-credease/judging

ArcBlock

1st Place

BM9000

A blockchain-powered beat maker by Bass Money Productions. Log in, get instant sounds, make patterns, build songs, and upload your own sounds—securely stored in your DID space.

BM9000 BM-9000: A blockchain-powered beat maker by Bass Money Productions. Log in, get instant sounds, make patterns, build songs, and upload your own sounds—securely stored in your DID space. Devpost12 inch

2nd Place

didmail

Decentralized encrypted mail Based on ArcBlock DID/NFT technology

https://devpost.com/software/didmail

3rd Place

Todai

Enables seamless registration and authentication without usernames, passwords, or third-party oversight, using blockchain and advanced digital identity solutions.

https://devpost.com/software/todai

ArcBlock Honorable Mentions

Titan Care

TitanCare leverages multi-agent AI to enhance data security, privacy, and user control, addressing real-world health sector challenges with innovative solutions.

https://devpost.com/software/titancare

FlexiLeave

This solution uses ArcBlock's Blocklet SDK to manage employee portable leave with DIDs and VCs via DID Wallet, enabling identity creation, credential issuance, verification, and file integration with Pinata.

https://difhackathon2024.devpost.com/submissions/577693-flexileave

TBD (Block)

1st Place

DIF TBD KCC

Leverages Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs) to create a secure and privacy-preserving solution for Known Customer Credentials (KCC).

DIF TBD KCC Level Up Digital Identity with TBD DWN DevpostAditya Birangal

2nd Place

KCC TBD Hackathon

https://difhackathon2024.devpost.com/submissions/577640-kcc-tbd-hackathon

https://difhackathon2024.devpost.com/submissions/577640-kcc-tbd-hackathon

3rd Place

kcc-tbdex

A simple backend application written in javascript that records VC JWT in Alice's DWN and gets the record Id.

https://difhackathon2024.devpost.com/submissions/567335-kcc-tbdex

Ontology 

1st Place

CrediLink connect

CrediLink Connect, a browser extension built with indy-bex-connector, uses Verifiable Credentials and DIDs to combat LinkedIn scams by enabling wallet creation, VC management, and proof verification.

CrediLink connect Credilink connect is a browser extension for receiving verifying and proving verifiable credentials DevpostEren Akyıldız

2nd Place

Enhanced Privacy VC Wallet: Implementing Issuer Hiding

A VC Wallet app enabling users to present VPs with enhanced privacy through Issuer Hiding, concealing the VC issuer's identity.

https://difhackathon2024.devpost.com/submissions/577411-enhanced-privacy-vc-wallet-implementing-issuer-hiding

3rd Place

Blockchain Whatsup Application

Seamlessly secure, blockchain-based chat for the decentralized future.

https://difhackathon2024.devpost.com/submissions/577550-blockchain-whatsup-application

Crossmint

1st Place

Idenfy

IDENFY is a reusable identity solution leveraging biometrics and verifiable digital credentials to streamline secure eKYC across sectors with simplicity and speed.

Idenfy Empowering Trust with Reusable Identity and Seamless eKYC. DevpostSai Ranjit Tummalapalli Anonyome Labs

1st Place

Decentralized PHC Credentials in the Future AI Era.

Providing a way for a person to prove their human identity in the future using PHC personhood credentials with VC, DID, and ZKP, supported by powerful infrastructure.

Decentralized PHC Credentials in the Future AI Era. Providing a way for a person to prove their human identity in the future using PHC personhood credentials with VC, DID, and ZKP, supported by powerful infrastructure. DevpostData Fusion

2nd Place

VAI

VAI is an AI chatbot that brings transparency and accountability to large language model interactions by issuing VCs that show the provenance of the inputs, outputs, and the specific model being used.

https://difhackathon2024.devpost.com/submissions/575691-vai

3rd Place

VerifiEd

VerifiEd uses self-sovereign identity (SSI) to provide an interactive, module-based learning platform where users earn Verifiable Credentials (VCs) while mastering SSI principles.

https://difhackathon2024.devpost.com/submissions/562649-verified

Cheqd

1st Place

VAI

VAI VAI is an AI chatbot that brings transparency and accountability to large language model interactions by issuing VCs that show the provenance of the inputs, outputs, and the specific model being used. DevpostBrian Richter Extrimian 

1st Place

The Grand Aviary Hotel

The Grand Aviary Hotel offers a seamless stay with digital room access via Verifiable Credentials. Guests unlock rooms with a secure mobile credential, enhancing convenience, and security.

https://devpost.com/software/the-grand-aviary-hotel

NetSys - Hospitality and Travel

1st Place 

Journease

Elevate travel with leading digital travel companion, unlocking full potential of portable identity and data, by pulling diverse capabilities together to deliver end-2-end seamless travel experiences

Journease Elevate travel with leading digital travel companion, unlocking full potential of portable identity and data, by pulling diverse capabilities together to deliver end-2-end seamless travel experiences DevpostAndrea Sanchez Fresneda

2nd Place

Personalised Dining Offers Using AI & Travel Preferences

Imagine booking a hotel with on-site restaurant & receiving a personalised dining offer based on what you eat. If you want a burger or vegetarian, you got it! Better for consumers, better for venues

https://difhackathon2024.devpost.com/submissions/577306-personalised-dining-offers-using-ai-travel-preferences

3rd Place

OwnID

IOwnID is an offline-first app leveraging decentralized identity (DID) and Bluetooth to enable secure, private, and internet-free digital identity management and communication.

https://difhackathon2024.devpost.com/submissions/574224-ownid