Protecting your identity and privacy amidst the COVID-19 pandemic

Coviid · Published in coviid · 9 min read · Apr 21, 2020

YOUR identity, YOUR data, under YOUR control. How to prove your health status in a secure and privacy-preserving manner.

Many of today’s processes still rely heavily on paper-based documentation. This is evident whenever you prove your identity with documents such as identity or passport books and driver’s licence disks. Instances where paper-based records are required are abundant. For example, a paper-based passport is presented to an immigration officer to obtain access rights to a country, and a laminated paper-based driver’s licence is presented to a traffic control officer to show eligibility to drive on public roads.

Another example of the traditional paper-based processes employed is the International Certificate of Vaccination, also known as Carte Jaune or Yellow Fever card — an archaic form of tracking a virus. In light of the COVID-19 pandemic, it seems relevant to mention how previous health status mechanisms were put in place. However, what remains constant is the need to prove health status and vaccination (when available) to facilitate a variety of functions including travel, business, entrance to shopping venues, and more.

According to the Western Cape government, upon arrival in South Africa without a valid Yellow Fever Certificate, entrance to the country can be denied and mandatory quarantine is a legal possibility (until a valid certificate can be proved).

Moving to current events, it is highly likely that the World Health Organisation (WHO) will enforce ‘Proof of Immunisation’ to COVID-19 before entering certain jurisdictions. Certain measures have already taken place across South African airports with both local citizens and foreigners being subjected to screening tests upon landing. However, even these tests themselves are recorded via paper-based forms.

Current mechanisms cause significant friction when it comes to completing processes, given that society is living in a digital age. This prolongs transactions and checks, opens up the possibility of human error and fraudulent activities, and can result in loss due to damage or theft. Therefore, one of the key challenges in addressing paper-based documentation, in terms of credentials, is how to seamlessly move these processes to a digital form.

Society is moving towards digitisation and requires new approaches for the issuance and verification of identification credentials. In turn, this can assist in expediting the processes required to prove immunisation against viruses such as yellow fever and COVID-19.

A key factor also relates to the data and privacy that we are foregoing with current methods. As seen in China during this pandemic, the government is using centralised systems to track and trace their citizens’ health status. And as a result, people are losing their identity.

To us, this poses the following questions: is it possible to create a digital equivalent identification system that is secure and privacy-preserving? Furthermore, can this be used to illustrate one’s health status during times of pandemics?

Foundational Identity

Various sovereign states issue citizens with identity documents as part of national identity schemes. These are formally known as ‘Foundational’ Identity documents and typically include a form of biometric capture and verification procedures.

Functional Identity

Moving on from foundational identity documents, ‘Functional’ identities empower the public and private sectors to verify foundational identity documents across a myriad of use cases, including digital channels.

For instance, opening a bank account, applying for a home loan or travelling abroad will all require the exchange of paper-based identity documentation. A fundamental problem with this approach is that it is cumbersome and inefficient: it relies on an array of paper-based credentials in an otherwise digital world. Converting these documents into a digitally verified form takes up valuable time that skilled individuals could spend elsewhere.

Continuous scanning, copying, uploading and emailing of identity documents in order to bring them up to date with digital processes is not practical. What’s more, this process is often repeated multiple times, depending on the nature of business (setting up a bank account, buying a car, renting a house, etc.), which results in duplicated information across multiple organisations, stored in siloed databases. These large siloed databases of identity information are a lucrative target for hackers, who can make significant amounts of revenue by selling identity information to marketing corporations.

As identity holders, individuals lose complete control of their identity information. This information is also brokered for profit, used for marketing purposes and monetised, without the individual’s knowledge or consent.

It is for these reasons that the concept of data democratisation has been such a hot topic of conversation over the last couple of years. Ever since the famous Cambridge Analytica saga with Facebook’s CEO, Mark Zuckerberg, the world has been awakened with respect to data privacy. Many people believe that their identity information should primarily belong to them.

As society enters the fourth industrial revolution, characterised by emerging technologies such as blockchain as well as the rise of the FinTech sector and cryptocurrencies, the concept of digital identities has emerged. Through blockchain technology, self-sovereign identities (SSI) are made possible. SSI represents a new set of standards and technology which allows individuals to take control of their digital identities in a privacy-preserving manner.

Self-Sovereign Identity

Self-sovereign identity (SSI) can be defined as the concept of being the exclusive owner of one’s identity (and its metadata). It is a digital equivalent of the traditional paper-based identities that we know and use. However, it brings with it high levels of trust and verifiability in a privacy-preserving, peer-to-peer manner. By utilising blockchain technology, SSI permits decentralisation of a user’s identity information.

SSIs are typically created and made possible via self-sovereign identification management systems that are layered onto a blockchain network. Examples of these include Through blockchain, self-sovereign identification management (SSIDM) systems enable individuals and/or entities to manage and control their own identity and any attributes it may possess. The discussion below illustrates the journey of how SSI can be utilised by society and sovereign states in order to provide proof of vaccination for COVID-19.

A user with accessibility to a smartphone and data connectivity

Sam hears about the Covi-ID mobile application and through his smartphone, is able to download it. Through Covi-ID, an SSI wallet can be created in which he is able to store all information, under his control. Through privacy-preserving tracking and tracing Sam is alerted that he might have been in contact with a person who had tested positive for COVID-19 during the last two weeks and he is therefore advised to go into self-isolation.

Following this, Sam begins to show symptoms of the virus. To confirm his symptoms, he visits the nearest hospital and gets tested. Upon completion, and issuance of his results, the medical practitioner allows Sam to connect his SSI wallet with the SSI wallet of the specific testing laboratory.

The lab then issues a COVID-19 credential to Sam’s SSI wallet which displays his health status in respect of COVID-19. His results will either be green (poses no health risk), amber (advised to social distance) or red (self-isolation required). This can now be used by Sam to display proof of status relating to his identity.

This can all be done without compromising his privacy and giving away his personal details. This is known as a ‘zero-knowledge proof’: the ability to prove something without providing intricate personal information.

Sam will use this whenever he wants to enter public places or places where he is in close proximity to someone else. For example, as Sam enters an Uber, the driver is able to scan the QR code generated from Sam’s SSI wallet in order to verify his status, peer to peer.

Covi-ID green-amber-red system

A user with no accessibility to a smartphone or data connectivity

Joe begins to feel ill and travels to the nearest mobile clinic where testing is being conducted. During triage, medics will determine whether or not Joe’s symptoms match those of the virus and ultimately whether he has the virus or not. The medical practitioner will then create an SSI wallet for Joe, to which the laboratory will issue his COVID-19 status. This wallet will then be handed over to Joe in the form of a printed and laminated QR code disk. This disk can be carried around just like the QR code on one’s phone and it can be used to prove health status. The supermarket security guard, taxi and employer can use a mobile application to scan Joe’s QR code and cryptographically verify his status in a privacy-preserving manner.

Why is SSI important for COVID-19?

Let’s evaluate a scenario whereby centralised solutions are employed to track and trace COVID-19 status by sovereign states. As mentioned, this is happening in China whereby the government is tracking the health status of its citizens. Once a COVID-19 status credential is issued to an individual, it will be verified through a centralised solution. This will allow government entities to conduct mass surveillance on citizens, which is made legal due to the fight against Coronavirus, but this information lasts long beyond the pandemic.

In terms of the fight against data privacy, society is at a pivotal moment. The options are either to remain accepting of traditional mechanisms and thus lose control of the privacy of our data, or to resist these mechanisms and put forth self-sovereign solutions that are now technologically plausible.

What does an SSI system look like and what benefits does it provide?

With blockchain and SSI, peer-to-peer verifications can occur in seconds, without a central party monitoring an individual’s every move. It permits a privacy-preserving approach. Today, a global public ledger of information that is utilised to verify records and ‘transactions’ is permissible. This removes the reliance on centralised parties acting as trusted actors, shifting trust to a global public ledger that can be used by anyone.

In this system, the reliance is no longer on centralised parties, but on mathematical and scientific proof. This means digital identities are controlled by individuals, enabling them to securely interact peer to peer with high levels of trust and privacy.

SSI does not intend to alter regulations or change identification laws. Instead, it is changing the way that members of society interact with one another and putting the right of data privacy into the hands of those to whom the data belongs. The process is very similar to the paper-based process that is commonly used, but instead digital representations of the same information are applied and are safeguarded by cryptography and digital signatures.

Because it can be manipulated and forged, paper-based information is vulnerable and therefore results in low trust. In addition, an individual can often get a witness to co-sign an incorrect document, confirming that its contents are accurate and factual.

However, a digital approach offers increased safety. The trust will increase depending on who the witness is; for instance, a bank signing as a witness will carry more weight than your neighbour. These signed pieces of paper are kept in a digital wallet and can be reused as proof, as in the case of COVID test results. The signatures are verified against the public ledger of witnesses in order to verify the authenticity of the claim. This doesn’t completely remove the breadcrumb trail of information, but it adds increased privacy to individuals’ data.
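As an added example, not Covi-ID’s own code: a lab signs a minimal status credential and a verifier checks the scanned QR payload against a registry of issuer public keys, which stands in here for the public ledger. Ed25519, the payload layout and all names are assumptions, and this is a plain signature check rather than a zero-knowledge proof.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Credential holds only what a verifier needs: no name, ID number or lab result.
type Credential struct {
	Issuer  string `json:"iss"` // key into the issuer registry (hypothetical id)
	Status  string `json:"sts"` // green, amber or red
	Expires int64  `json:"exp"` // Unix seconds
}

var b64 = base64.RawURLEncoding

// Issue signs the credential and returns the text a QR code would carry.
func Issue(c Credential, key ed25519.PrivateKey) string {
	body, _ := json.Marshal(c)
	return b64.EncodeToString(body) + "." + b64.EncodeToString(ed25519.Sign(key, body))
}

// Verify returns the status only if a registered issuer signed these exact bytes.
func Verify(qr string, registry map[string]ed25519.PublicKey, now time.Time) (string, error) {
	b, s, _ := strings.Cut(qr, ".")
	body, err1 := b64.DecodeString(b)
	sig, err2 := b64.DecodeString(s)
	var c Credential
	if err1 != nil || err2 != nil || json.Unmarshal(body, &c) != nil {
		return "", fmt.Errorf("malformed payload")
	}
	pub, ok := registry[c.Issuer] // fields are untrusted until the signature checks out
	if !ok || !ed25519.Verify(pub, body, sig) {
		return "", fmt.Errorf("unknown issuer or bad signature")
	}
	if now.Unix() >= c.Expires {
		return "", fmt.Errorf("credential expired")
	}
	return c.Status, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed lab key for the demo
	qr := Issue(Credential{"lab-1", "green", time.Now().Add(72 * time.Hour).Unix()}, priv)
	fmt.Println(Verify(qr, map[string]ed25519.PublicKey{"lab-1": pub}, time.Now()))
}
```

The verifier learns the issuer, the colour and the expiry, and nothing else; a payload signed by a key outside the registry, altered after signing, or past its expiry is rejected.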

No matter what country or continent, if all these initiatives are firmly grounded in technology and standards such as SSI, society will be able to achieve global interoperability. Covi-ID does not promote exclusion, but rather supports inclusion by attempting to save lives and allow economic activity to continue while respecting rights to identity data.

Special thanks to Lohan Spies for writing this article, and to Jack Tilbury and Kungela Mzuku who helped with edits.
