The devilish details of digital health passes in an atmosphere of urgency, uncertainty

The world is coming to terms with the likelihood that thousands of people will die of COVID-19 each month for the rest of 2021 and well into 2022, at least. Restrictions on what people can do remain a part of life in many places, but increasingly based on vaccination or test status. Digital health passes are being adopted and standardized, as expected. Consensus is emerging among digital identity technology providers, along with key questions about the details of how health status sharing can be usable, trustworthy, and privacy preserving.

Even months ago, Aware CTO Mohamed Lazzouni identified interoperability, oversight and data minimization as regulatory priorities for whatever kind of vaccination credentials or digital health passes we end up with.

In a conversation with Biometric Update near the beginning of 2021, Lazzouni noted that the basic premise was to digitize the yellow pass, a project that actually began years before COVID-19 with work related to a SARS vaccine.

Evernym Strategic Engagement Director Jamie Smith told Biometric Update in an interview that his company had already been working on the basic challenge of private information sharing for a long time. This meant it had to face the hard questions that suddenly are being asked of many other companies contributing technology to solutions combining health data and digital identity.

Health data already has special status, invoking regulations like the United States’ Healthcare Insurance Portability and Accountability Act’s (HIPAA’s) privacy and security rules. Health data, Smith points out, is treated “like toxic waste” by companies that do not have to store it. Those entities that have experience handling health data do not have systems in place to share it with others, like nursing homes or concert venues, that may now require it.

SecureKey Founder and CEO Greg Wolfond emphasizes the need for a variety of solutions to meet a wider range of workplace and event needs.

Know your role

Legacy tools for healthcare data-sharing and identity proofing are generally not fit for purpose, Wolfond points out, as digital health passes take on both the privacy requirements of health data and the trust requirements of international travel documents.

Smith juxtaposes the perspective of healthcare companies used to HIPAA with that of many identity providers, who have assumed they know how to deal with personal data, so now healthcare data is simply added into the mix. Then there is the government perspective, in which trade-offs are part of everyday work, and the economy and public health take precedence.

“Evernym’s perspective is those three options aren’t tolerable,” he says.

Evernym and SecureKey are both part of the Good Health Pass Collaborative. They are also both companies active in the self-sovereign identity (SSI) space.

Lazzouni sees a potential place for SSI in the ecosystem of health passes, but notes that the digital wallet as a concept also “requires empowerment and common sense at the user level.”

Regulation needs to cover interoperability, oversight, and data minimization, in Lazzouni’s assessment, which brings another stakeholder group in addition to health data providers and digital identity providers. Then there are the relying parties.

“Madison Square Garden doesn’t want to know,” about people’s healthcare data, Smith points out.

But the trustworthiness of the claim the document makes is entirely dependent on the identity binding piece.

“Before you are allowed to decode that in the public or write into the barcode what you need, the biometric is what used in order to authenticate the session,” Lazzouni explains. “So when I go to some authority, the authority needs to encode my status for vaccine and testing, and the way I’m going to open up that application so they can write to it must be biometrics-based. I believe that that’s the method that makes common sense, and it is the best design to make sure that what you have put in that token can be trusted and tied to a person uniquely.”

No big bang

Wolfond sees smaller industry players working together on a more pressing problem, which is that for many businesses that want to restart something like normal operations, they need tools.  They may to be able to notify people, in a privacy-preserving way, when there is an outbreak at their workplace.

“If we want to restart the economy these are the kinds of tools we’re going to need,” he says. “It’s not going to be this grandiose, federal government going to buy from some big international company.”

Wolfond notes that national health passes have been turned on and off in Israel and the UK, and the U.S. “is never going there.”  The longer-term need for economic recovery will motivate different kinds of organizations to set their own mandates, expanding the market for credentials outside of international travel, such as for offices, public spaces and event venues.

The EU Digital COVID Certificate (DCC) is already being used in some countries for purposes beyond international travel, however, in what may be a series of extensions of national and regional-scale digital health pass systems.

Wolfond also points out that all of the scenarios share in common the same bottom-line concern: “This is all about consented sharing of data.”

To the extent that large-scale solutions will be adopted, they have probably already been developed. It is not at all clear that the same approaches, let alone individual solutions, will be appropriate for the still-emerging applications for digital health passes and other digital identity-driven tools.

“It’s not really a market-making exercise, it is more of a fulfillment exercise,” Lazzouni assessed, back in early 2021.

That exercise is fraught with varying degrees of acceptance and different regulatory environments for different countries, states, and even industries. Convincing people that their privacy is protected has long been one of digital identity’s major hurdles, and making health passes or credentials widely adoptable will require standardization, even in cases where interoperability does not.

The rewards for navigating these obstacles are potentially transformative. Smith sees an opportunity to “reimagine and reconfigure the digital economy much more broadly,” leaving behind infrastructure which is privacy-preserving, scalable, secure and useful as emergency health requirements recede.

Health data was highly valuable long before the pandemic, and enabling it to be safely shared remains a largely-unfilled market opportunity.

Wide open standards

Wolfond notes that Europe is using a ICAO-style PKI system, and says he sees travel between the U.S. and Canada involving a paper record and an attestation. SecureKey, which built VerifyMe before the verifiable credentials standard was established, is aligned with the W3C and the approach of the Good Health Pass.

Smith notes the importance of the details in the infrastructure being built around verifiable credentials.

“They have so far recommended a data format, not a data standard; meaning that you can implement W3C verifiable credentials in three different ways, and they will not be interoperable.” Each of these, he points out, produces very different outcomes, in terms of user privacy.

SecureKey is trying to support the Microsoft-supported Decentralized Identity Foundation and W3C’s VCs, and thinks they will eventually come together.

“The same thing you have with PKD on vaccine passports you’re going to have with ID,” Wolfond predicts, “and part of this is that the mDL has some really good concepts in it, but verifiable credentials has a better way of sharing. And I think some of these specs and standards are going to merge over the next few years, to bring this together.”

The recommendation in favor of the use of open standards like VCs in the Good Health Pass’ Interoperability Blueprint lends further weight to the inclusion of the W3C standard, but the flexibility the recommendations are intended to allow provides little in the way of detail about what version or versions, exactly, we are likely to see in production.

From the biometrics provider’s perspective, Lazzouni says the market will be there regardless of how credentials are shared, or how many different versions of digital health passes are used.

“The biometric will be key enabler with which the person will either unlock the phone and unlock the session or lock the phone and lock the transaction,” he argues. “That’s how its likely to play out as we move further in the next few months and years to come.”

Indeed, since Biometric Update spoke to Lazzouni, biometrics-based digital health passes have gained market traction.

Over a year and a half into the pandemic, the market continues to evolve. Dynamics of deepening social divisions and fourth-wave anxiety seem likely to ensure both the continued use of digital health passes, and the hardening of barriers to universal, over-arching solutions.

“You need a bunch of companies to come play with this; to get the consented data going to make it work,” Wolfond argues. “And that’s going to be more politically expedient too.”

Article Topics

Aware  |  biometrics  |  credentials  |  digital ID  |  digital identity  |  Evernym  |  health passes  |  identity verification  |  interoperability  |  privacy  |  regulation  |  SecureKey  |  standards  |  verifiable credentials