COVID passes, ‘self-sovereign identity’ and the future of medical data

BulletArticle
COVID passes, ‘self-sovereign identity’ and the future of medical data

Key to returning the world to normal in the COVID era is to have an agreed means of confirming that those who wish to move around have tested negative, been vaccinated, or fulfill whatever criteria authorities decide allow for safe passage. While there are dozens of solutions being explored and piloted, debate still revolves about how this information will be shared, stored, and tied to other parts of our identity.

For decades, we have used paper documents demonstrating test results or vaccine records for other diseases without too much of an issue. But this time it’s a bit different. Paper is too easy to fake, and without an easy way to verify and authenticate, unlikely to pass muster.

New digital health pass solutions show promise, but need to balance a number of elements to stand a chance of widespread adoption. They need to be simple enough to be useful. They need to be verifiable and flexible enough to match varying requirements of what vaccinations, lab results, and other information are recognised. And they also need to be conscious of the user’s privacy.

It’s the privacy part that might prove the trickiest. COVID has raised questions about how we marry our identity data—age, nationality, gender—with our health data. Do we want to allow those two kinds of data to merge, and be accessible by others, without safeguards?

The ‘self-sovereign identity’ movement

A solution presented by some is not to have to hand over all one’s information, but only what you have to, or want to. So rather than presenting an ID (be it a passport, driving license, or whatever), you pass over just those credentials that tells a gatekeeper no more than they need to know. To get into an event during COVID, for example, you may only need to show you’ve recently been tested, or vaccinated, or whatever the criteria are. You don’t need to, and shouldn’t have to, show them other information that might be on your driving license or passport.

The most popular implementation of this idea is something called self-sovereign identity, or SSI, and it’s got a lot of support in the tech and privacy community. You are your sovereign self, with control over who knows what about you. Others may issue the credentials, but you decide what and how much you can present when required. Doc Searls describes it thus [1]: “Nothing I know has more promise to give individuals leverage for dealing with the organizations of the world, especially in business.”

For this to work, the person verifying the information needs to be able to confirm that it’s accurate, authentic, and refers to you, the person presenting the information. This is where the second part of the SSI puzzle comes in: the verifiable credential. There needs to be a system that is sufficient to match the requirements of the verifier—whether it’s a bouncer or an immigration officer—and doesn’t compromise the principle behind the SSI, namely that information you don’t want to share leaks out in the process.

The World Wide Web Consortium, or W3C, published the ‘verifiable credential’ as a standard in late 2019, which it said provided a way for credentials to be ‘cryptographically secure, privacy respecting and machine-verifiable’. But while there was some interest pre-COVID in this approach, particularly in finance, it’s only with the pandemic that interest has entered the mainstream.

SSI has found most traction among those exploring use of blockchain, the distributed ledger technology underpinning cryptocurrencies like Bitcoin. This has proven the most popular way SSI is deployed for ‘COVID passports’—the IATA Travel Pass, for example, uses SSI and blockchain. Central to blockchain is the notion of being ‘distributed’, meaning that no third-party individual or organisation holds the data, and there is no need for a centralised authority to manage, authenticate, and store the data passing between individual and entity.

Each credential, or decentralised identifier, can be digitally signed by other entities to become a verifiable credential, which can then be presented to a third party. Say, for example, if an event requires proof of age, that credential, digitally signed by the government, can be presented out of the user’s ‘digital wallet’ of credentials. The event is able to verify that the credential is authentic because it is stored on a blockchain, a tamper-resistant record.

The key here is that these exchanges take place outside someone else’s administrative system. Participants, at least in theory, interact as peers in an autonomous system.

In a world where people feel less and less in control of their own data, this notion has significant appeal. Not only would individuals have more control over what information held by central authorities they share, but also they should, in theory, be able to collect disparate credentials for which there is currently no central repository, like certificates, awards, and qualifications. As Michel Kilzi, a data expert who works in trade finance, wrote recently [2]: “Without a radical rethink about the next generation of customer sovereignty, we risk the continual erosion of our digital rights.”

SSI and the future of medical data

Those pushing this approach see this as the beginning of a much larger shift to decentralised identifier, or DID, where SSI can be deployed to driving licenses, finance—and even the medical world.

A study by Brazilian academics [3], for example, published in April looked at how SSI might be applied to healthcare, and in particular medical records. Because a patient consults many practitioners over a lifetime, their data is often spread across several healthcare providers, creating siloed databases that “are useless for application outside those silos.” The data collected from wearable devices is creating even more patient-generated data silos. SSI could allow individuals to share their data more easily, having implications for patient monitoring, insurance payments, and controls over prescription drugs.

As another example, a doctor with the National Health Service in the UK has implemented an SSI solution [4] to prevent unqualified physicians from slipping through the net. In the pilot, the General Medical Council issues a ‘licence to practice’ credential to digital SSI wallets controlled by medical staff. Staff could present the credential to participating hospitals which would, in turn, issue a ‘sign-in’ credential which the staff member could use to log into clinical systems. Since COVID hit the pilot has been expanded to some 84 NHS organisations.

Not everyone thinks these types of use cases are necessary, at least for now. One paper published last May [5] concluded that “even if decentralisation is ‘en vogue’ at the moment in both, the governance debate as well as amongst blockchain advocates, it is by no means a panacea for all old ailments.”

Indeed, some feel that trying to deploy new technologies, most of which are untested at a global scale and where the governance framework is still being defined, is trying to do too much, too soon. After all, these solutions will rise or fall depending on how easy they are for end-users to grapple with, and history is littered with examples of failure. Microsoft, for example, pushed an identity wallet called CardSpace before abandoning it in 2011. There are options, critics say, which offer the same degree of privacy and verifiability, without requiring blockchains and DID.

Indeed, SSI is not mentioned in the World Health Organisation’s guidance [6] for developing smart vaccination certificates, which instead opts for a more traditional public key infrastructure, or PKI, to build a trust framework to ensure any documents issued can be checked for authenticity. Signatures would be issued through the PKI, with the WHO playing the role of trust broker on behalf of member states.

What is clear is that there is a pressing need for a credible, internationally-recognised system, or combination of systems, to allow COVID vaccination records and test results to be recorded and shared in a simple way so that those who are eligible to travel can do so. That in itself is likely to usher in new kinds of data, and new ways of recording, sharing, and verifying data.

References:

[1] “What SSI needs”, Project VRM

[2] “The Anatomy of Personal Data Sovereignty”, Forbes

[3] “Blockchains and Self-Sovereign Identities  Apploied to Healthcare Solutions: A Systematic Review”

[4] “Building an SSI Ecosystem: Digital Staff Passports at the NHS”, Technometria

[5] Zwitter, A.J., et al., 2020. Digital Identity and the Blockchain: Universal Identity Management and the Concept of the “Self-Sovereign” Individual. Frontiers in Blockchain,3,pp.26.

[6] World Health Organisation Interim guidance for developing a Smart Vaccination Certificate

More on same topic

Recommended topics

SequencingRED 2020Rare Diseases
Next Read
Scroll to Top