Table of Contents

1. Government Responses to COVID-19
2. Addressing Security and Privacy
3. Will Both Security and Privacy Ever Be Possible?

---

Immunity credentials and contact tracing are currently being explored by governments as potential solutions to reopen the economy amid the worldwide COVID-19 pandemic.

These credentials are given to individuals who are assumed to be immune to the COVID-19 virus and would give them a set of rights and privileges that other community members do not have. This can include daily in-person routines, travel or going back to work, theoretically proving that they are a low-risk of both infection and transmission. An addition to these credentials is contact tracing to find and follow up with people who have been exposed to someone who has tested positive to COVID-19. This can help to mitigate the spread of the virus by warning and getting connected contacts into quarantine.

Some of the features of both immunity credentials and contact tracing could include the ability to share results remotely, interoperability across systems, proof of authenticity and the potential for individuals to have full ownership over their health data.

Government Responses to COVID-19

Countries such as South Korea and Germany have implemented contact tracing programs, with promising results in suppressing new cases. Within days of detecting its first case on January 20, South Korea rolled out wide-scale virus testing, followed by an extensive contact tracing program.

“It’s a great tool for bringing an epidemic into the suppression or containment phase,” says special pathogens expert Syra Madad of NYC Health + Hospitals, which leads New York City’s Test & Trace Corps contact-tracing program.

By contrast, tracing efforts have lagged in the U.S. While governments are hard-pressed to find fast acting solutions, many experts have raised concerns about the long-term ramifications of a government system that tracks an individual’s private health data. In the US, the idea of national monitoring has been deemed by some as a breach to human rights, an act that could put secure information at risk through potential hacks and heighten social inequities through the unequal access to immunity credentials. Furthermore, many are concerned that this is a step too far before any vaccine or medical solution is even approved. The Electronic Frontier Foundation, a digital rights group, recently opposed a California bill that would authorize the use of digital verifiable credentials.

However, the concept itself not only presents medical and technological hurdles, but ethical ones as well. There are concerns over little evidence that these tactics can help to mitigate the spread of COVID-19, as there are currently only antibody tests. In addition, until a vaccine is available, these certificates can disproportionately affect those in low-income communities who most likely have health issues or hazardous work conditions, potentially denying them access to work and their sources of income if these credentials were implemented.

“What we cannot allow [COVID-19] to do is serve as an excuse to expand surveillance on a permanent basis,” said Dr. Ann Cavoukian in a keynote event at the Nonconformist Innovation Summit.

Under emergency powers in privacy laws, governments are permitted to collect additional information because of an emergency situation like this pandemic. But according to Dr. Cavoukian, these emergency situations have to come with firm end dates that establish when governments can no longer collect information.

“You also have to ensure that once the pandemic is over, privacy returns full force and is under our control. Not the state, and not the government.”

Addressing Security and Privacy

Regardless, both governments and identity providers are finding solutions to immunity credentials that also strategically respect the privacy of its users. 

“We all share an obligation to protect public health, but doing so should not mean giving up our right to privacy,” said ID2020 Executive Director Dakota Gruener. “Proven technologies can be redeployed to protect society from a resurgence of the disease, but this approach must be pursued cautiously, with acknowledgement of the risks and detailed plans to mitigate them.”

With the advent of decentralized identity technologies and new consumer privacy-protecting models, it’s possible to deploy systems that address the health pandemic and also protect consumer privacy. But technology is not the sole solution, as public trust and legislation must be accompanied to ensure an effective solution. These are the ethical nuances that alliances, governments and businesses must take into consideration when releasing and implementing immunity products for public use.

For example, alliances such as the COVID Credentials Initiative (CCI) are seeking to deploy privacy-preserving verifiable credential projects using W3C digital credentials standards. Organizations like these include key identity players such as Evernym, uPort and Microsoft. The CCI also contains four work streams that focus on different aspects and issues of verifiable credentials: use cases, rules and governance, tools and technology and communications.

“It can be used, the parts that are relevant, for any particular local project that’s actually producing credentials, anything where there’s issuers and holders and verifiers of a specific population, or trust community is the term they use, that will be using it,” said Drummond Reed, Chief Trust Officer at Evernym. “And that relationship is with local projects that basically reach out to or intersect with CCI and can take advantage of the different CCI workstreams as they need to.”

Will Both Security and Privacy Ever Be Possible?

With new worldwide offerings from identity players, the desire for both security and privacy remains a question. In a white paper written by ID2020 Executive Director Dakota Gruener titled Immunity Certificates: If We Must Have Them, We Must Do It Right, preserving public health does not have to compromise personal rights.

“Proactive adaptation of existing, purpose-built, privacy-preserving technology, grounded in respect for equity and human rights, offers a means to protect society from a resurgence of the disease, while safeguarding individual privacy and civil liberties. To protect individuals from surveillance, discrimination, fraud, or exclusion, we must ensure that systems developed to serve these purposes are private, secure, and accessible—and are developed using open-source technology and open standards for interoperability and universal access.”

In a section titled “Architecting for Privacy,” Gruener notes that a centralized credentialing program where governments collect data on who has been tested and their test results could leave its citizens exposed to privacy violations. However, a carefully designed and decentralized approach to immunity credentials could meet the same goals while protecting privacy. This must include features such as:

1. Privacy Protection: A user’s personal data should be stored in his or her device and can be recorded only with the consent of the user. It should be cryptographically signed as verifiable, adhere to industry best practices such as privacy-by-design, and support the selective disclosure of information such as sharing your age without your birthdate.
2. Portability: The credentials should be interoperable across systems and has to be widely adopted in order to be effective and usable.
3. Trustworthy: Using cryptography, data should be secured to prove that the issuer approved the issuing of the credential and when they issued it.

New frontiers are being crossed in digital identity that may change the future of private health data and security. With the need to open the economy, the identity industry is in full force designing solutions that give hope toward returning to life before the pandemic. But as these technologies are being developed and implemented, the field has to instate both privacy and security in its model as a way to preserve the freedom, equalities and civil liberties of the public from here and beyond.