At the request of today's meeting I create this addendum and would like
feedback from the team on it prior to use. ..tom
Effect of AI on User Agent Wallets
Most user agents, like browsers and wallets, are already offering users
assistance in setting preferences and saving passwords or passkeys. As AIs
grow in capabilities on users' mobile devices, they will be more involved
in user convenience, privacy and safety. This section focuses on the means
to ensure that privacy-enhancing choices are made for the benefit of the
user.
Both the existing practice with the driver's license card as well as the
early examples of mobile verification apps enable the verifier to acquire
more of the user's data than is needed for the purposes of the transaction.
In order for the user, or the user's agent, to make informed decisions about
the data needed, the purpose and the verifiable identifier of the
organization requesting the data must be supplied. This will allow a
real-time evaluation of the request against the typical request for such a
transaction, beyond what the user would normally understand. Similarly, dark
patterns from verifiers could be detected and the user warned. As new dark
patterns are discovered in attacks against user privacy and security, these
can be presented to any AI agent to improve the user's experience. Here we
focus on a request made to an unknown user by the verifier, as well as by
the issuer, since issuers also verify the user before issuing any
credential to them.
The Verifier may make any number of different requests in their query to
the user's agent that will help the agent make good decisions for the user.
Some of those requests will be to understand what wallet is used and the
level of protection provided by the wallet, including proof of presence and
proof of continued liveness of the certificate holder or the holder's
delegated representative. In these circumstances the agent is not permitted
to act for the holder but must honor the request of the verifier. Where the
agent does act on behalf of the holder, it is important for the wallet or
other agent code to be identified to the verifier. Any agent instance
identification can itself be personally identifiable information about the
user and must be treated as such by the verifier.
The information on Purpose and the Identity of the Verifier is critical to
the user or the user’s agent when acting on their behalf. It is to be
expected that strong trust ecosystems for these as well as other data
supplied by the verification are in place. The adoption of AI agents,
wallets and other mobile applications depends on such a trust relationship.
One other use case where an AI user agent could help is where the user
wishes to select a credential to provide to the verifier before the
verifier sends any information to the user. This type of transaction is
high risk as the user can only rely on the physical context and has no
other control over who actually acquires the presented credentials. The AI
agent can try to understand the context by any means available and help to
guide the user into a safe choice.
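
The real-time evaluation described in the addendum above could look like
the following sketch. It is an added example, not part of the original
message; the claim names, purpose labels, decision labels, trust list and
baseline sets are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed baseline: claims typically requested for a stated purpose.
TYPICAL_CLAIMS = {
    "age_over_21_check": {"age_over_21"},
    "vehicle_rental": {"family_name", "given_name", "portrait",
                       "driving_privileges", "expiry_date"},
}

# Constructed trust list standing in for a verifier trust ecosystem.
TRUSTED_VERIFIERS = {"did:example:bar", "did:example:rental"}


@dataclass
class VerifierRequest:
    verifier_id: Optional[str]   # verifiable identifier of the organization
    purpose: Optional[str]       # stated purpose of the request
    claims: set = field(default_factory=set)


def evaluate_request(req, trusted=TRUSTED_VERIFIERS, baseline=TYPICAL_CLAIMS):
    """Return (decision, findings): 'ok', 'warn' or 'uninformed'."""
    findings = []
    # Without purpose and verifier identity no informed decision is possible.
    if not req.verifier_id:
        findings.append("no verifier identifier supplied")
    elif req.verifier_id not in trusted:
        findings.append("verifier identifier not found in trust list")
    if not req.purpose:
        findings.append("no purpose supplied")
    elif req.purpose not in baseline:
        findings.append("no typical request known for this purpose")
    if findings:
        return "uninformed", findings
    # Compare against the typical request and flag anything beyond it.
    excess = sorted(req.claims - baseline[req.purpose])
    if excess:
        return "warn", ["claims beyond typical request: " + ", ".join(excess)]
    return "ok", []


if __name__ == "__main__":
    over_ask = VerifierRequest("did:example:bar", "age_over_21_check",
                               {"age_over_21", "resident_address", "birth_date"})
    print(evaluate_request(over_ask))
```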