Companies across the globe are grappling with reopening their physical places of business in the coronavirus era. Businesses and governments have taken to location tracking, thermal recognition, and temperature checks to identify individuals potentially sickened with the coronavirus.
These surveillance methods have implications for individuals’ privacy and may be regulated by privacy laws such as the California Consumer Privacy Act (CCPA), which counts thermal information as protected private information.
Big technology companies such as Google and Facebook and various governments have also launched coronavirus tracking apps. These apps use Bluetooth technology in mobile devices to conduct contact tracing with the goal to identify the source of coronavirus infection spread. But these are generally optional, require users to own mobile devices, have end-user privacy implications, and can be riddled with false positive and negative errors.
Is there a more accurate, consent-given way for companies to grant access to physical spaces in the era of coronavirus?
Using self-sovereign identity (SSI) to manage COVID-19 “immunity passports”
One proposal to allow business and commerce to continue, while mitigating the risks of coronavirus infection spread, is to require individuals to present a COVID-19 “immunity passport” to gain entry to physical spaces.
A consortium of more than 60 identity solutions competitors--some of whom offer traditional identity and access management (IAM) software--have teamed up to do exactly that as part of the COVID-19 Credentials Initiative. The initiative aims to deploy verifiable, trusted credentials proving a person’s COVID-19 status using self-sovereign identity (SSI) solutions.
How would an “immunity passport” work?
Imagine that in order to gain access to an office building, an employee must first check in with the building’s front desk staff to verify that she is coronavirus-free. The front desk staff is required to verify that the employee has undergone a recent COVID-19 test from a trusted medical provider and that the test results are negative.
To achieve this, the staffer asks the employee to scan a QR code using her mobile phone app. Upon scanning the QR code, the employee is presented with the question, “Do you want to allow Office Building Management to access your COVID-19 credential?” and she selects “yes.” The employee’s coronavirus credential, which is stored in her “immunity passport” or other digital wallet on her mobile device, allows access to this credential information. The front desk staffer’s tablet app receives the employee’s COVID-19 credential information, shows a green color noting that they were recently tested for coronavirus by a trusted medical institution, and that the test results were negative. The employee is then granted access to the office building.
The example above includes the following parties:
- Credential issuer: A trusted medical institution that conducted a COVID-19 test on the employee, provided her a digital credential with test results, and stored proof of the transaction (not the test result) on a public blockchain for verification.
- Credential owner: The individual (in this case, the employee) who took the COVID-19 test and received a digital credential from a trusted issuer to use on her mobile device.
- Credential verifier: The office building management staffer who verifies that the credential on the employee’s mobile device is from a medical institute that the company accepts credentials from and shows a negative test result.
It is important to note that the employee’s personal information, such as her test result, is stored only in her “immunity passport” or digital wallet on her mobile device, not on the publicly accessible blockchain. The blockchain only stores information that the credential issuer has issued the credential on a specific date and time.
Of course, the above example is a simplified version of how SSI works to explain business use cases involving such solutions. In reality, the technology supporting SSI is quite involved.
What is “self-sovereign identity”?
Self-Sovereign Identity (SSI)
Sometimes known as decentralized identity (DID) or blockchain identity, SSI is a concept that gives the user control over their identity, personal data, and credentials. This is achieved by storing a person’s information in their own devices, like a mobile phone, rather than a searchable, centralized database, such as a third party credit bureau.
SSI digital wallets are akin to having a real-world wallet that stores driver’s licenses, driver’s insurance cards, health insurance cards, and other identifying information. With SSI, these items stored in a digital wallet are called “verifiable credentials.”
Similar to a real-world wallet, if the user loses her mobile device, she would have to rebuild her digital wallet by going to the DMV for a replacement driver license credential, her health insurance provider for a replacement health insurance credential, and so on. Again, similar to the real world, a user is able to choose with whom she shares her personal credentials and data when other people or entities want to validate her identity. Using SSI, there is no centralized database, such as a credit reporting bureau for other people or entities to validate her identity without her permission. This, in theory, helps protect a person’s privacy.
It should be noted that SSI is not self-certification, but rather requires information from a trusted third party. It is possible that untrustworthy institutions issue credentials; it is the credential verifier’s responsibility to choose which institutions to trust. Similar to the physical world, many companies require government-issued IDs like a state-issued driver’s license as a proof of identity; this is because the person verifying another person’s identity trusts the government-issued ID. If a person tries to verify their identity or age by bringing in a copy of their high school yearbook as proof, it is understandable that this won’t be considered an acceptable form of identity; anyone could fake a high-school yearbook. The same concept applies to digital credential issuers.
What business problem does SSI solve?
Using this SSI method, businesses can verify people’s coronavirus infection status without storing any individual’s personally identifiable information (PII), thus reducing a cyberattack threat vector and protecting an individual’s privacy. The method is also paperless, contactless, and verifiable on a public blockchain.
Since coronavirus is impacting nearly every country in the world, globally-accepted SSI credentials may be a way to safely resume global travel. Technical standards for SSI are beginning to form. For example, the World Wide Web Consortium (WC3) published an industry standard in November 2019 called “Verifiable Credentials,” which provides a way for credentials to be “cryptographically secure, privacy respecting, and machine-verifiable.”
Other business use cases for SSI
The COVID-19 credential, or “immunity passport,” is one of many use cases for self-sovereign identity (SSI) solutions. SSI can be applied in the banking, retail, healthcare, and the public sector industries. However, SSI as a solution has been mostly conceptual. Some companies are working on proof of concepts thus far, not actual deployments. Although SSI is not widely adopted yet, some industries have had successful deployments of SSI; most involve financial institutions using the KYC “Know Your Customer” verification methods to prevent fraud.
SSI limitations and controversy
There are limitations with SSI solutions, however. Presently, SSI is not universally accepted so it has limited applicability for both businesses and end users. Trusting credential issuers can be problematic without a way to certify the certifiers. Additionally, how do companies prevent synthetic identity use? The fastest-growing type of ID fraud, synthetic identity use, is surpassing “true-name” identity fraud, per Dawid Jacobs, a prominent identity management specialist. Also, despite being deemed “hack-proof,” blockchains can indeed be hacked (although generally through social engineering). Public blockchains may not provide the privacy that end users expect.
What some people in the digital identity conversation argue for are laws and regulations to support user privacy. One group, the Trust over IP Foundation, aims to not only promote global technical standards, but policy standards to add more layers of trust to digital identities, reduce fraud, and prevent privacy breaches.
Others are calling for full data portability, where the end users have control of all of their data, including identities. Data portability would allow users to access, copy, or port (transfer) the data a company or entity maintains about them in a machine-readable, common format. Limited data portability is currently afforded under some privacy laws, such as the GDPR and CCPA.
Promoting further policies and adopting regulations to provide individuals’ rights to data portability will be heated. On one side, consumer and privacy advocates support people being in control of their data and the data collected about them. On the other side, a swarm of big tech businesses that have built their fortunes processing data will undoubtedly push back.
What’s next for SSI?
In normal circumstances, we could argue that SSI is a futuristic technology solution that enterprises don’t need to make a line item for in their budgets for some years to come. However, given the global nature of coronavirus spread, paired with the desire to reopen businesses safely while protecting individual’s privacy, more companies and governments may seriously consider SSI technology for “immunity passports” as a solution. For this reason, we must remain open minded about SSI adoption rates and should watch to see how this technology is used in the marketplace.