ID4Africa debates digital health passes: more collaboration, clarity needed
The challenge for governments standing up digital health pass systems is not whether the appropriate technology exists; it is sorting through the many available options to select the most appropriate one for confirming the health status of individuals in various situations without leaking their digital identity data, attendees of the second part in ID4Africa’s three-part livecast event heard.
While systems like ICAO’s PKI framework enable offline verification of the credential-bearer, including with biometrics, they may be too heavy to include on a paper document, and their effectiveness at preserving privacy is debated within the community. QR codes, on the other hand, can enable paper-based credentials that meet the World Health Organization’s specification for continuing care, but they cannot encode a biometric, and therefore pose problems for verifying the individual’s identity in off-line scenarios.
Part of the danger is that countries perceived to have dubious test results could have borders shut to them, an alarming concern which is revisited throughout the series.
“ID4Africa cannot add value to COVAX, but we can help minimize the impact of vaccine inequity on Africa’s potential isolation,” states ID4Africa Executive Chairman Dr. Joseph Atick.
During the conclusion of the series, Dr. Atick announced that ID4Africa’s annual in-person meeting for 2021 will be postponed until 2022, following consultation with host country Morocco.
The livecast trilogy has three objectives: to make sure the global community takes into account the impact of digital health passes on the development agenda; to call on African authorities to strengthen accreditation of testing labs; and to inform stakeholders across Africa on the range of solutions for status management that are currently available. The second point is examined in further detail in the third webinar.
The initial episode of the series explored the risks and rewards at stake, and what governments can do to begin engaging with digital health passes.
The second and third parts were each divided into three segments, and considered a range of technologies, concerns and issues from the perspectives of international experts and members of the African digital identity community.
Part 2 of the series, on ‘COVID Passes: National & Private Sector Initiatives,’ was divided into National Initiatives, The Good Health Pass Collaborative, and Enabling Innovative Technologies segments. The event featured Chief Aadhaar Architect Dr. Pramod Varma, Charles Walton of Mastercard, Franziska Muschik of Veridos, Tony Rose of Proof Market, Tamer Shafeek of GET Group, Steven Koh of Govtech Singapore, Dele Atanda of metaMe, Gilles Barre of Otentik, Jim St. Clair of Lumedic, and Professor David Chadwick of Verifiable Credentials.
Varma presented the Open-Source Digital Infrastructure for Vaccination Open Credentials (DIVOC) platform, which is intended to be a multinational solution based on World Health Organization guidelines and W3C verifiable credential specifications. The system does not rely on internet connectivity or smartphone ownership, and India is expecting to issue 10 million vaccination certificates per day in June. Because of the use of VCs, the India certificate can be imported into digital wallets like IATA Health Pass and CommonPass, Varma says.
In conversation with Atick, Varma said that it would not be practical for the system to use blockchain because the transaction volume is too high, but in countries without stable or trustable central systems, blockchain may have a role.
Koh described Singapore’s system for decentralized testing and issuance of HealthCerts, which are then notarized by the government, and then integrated with various travel apps. The system is based on one previously developed by Singapore for educational credentials, called OpenCerts.
Atanda presented a Hyperledger Aries-based smart credentials self-sovereign identity (SSI) system which collects health data through the user’s phone, and encodes private data in ‘Mpods’ to preserve privacy.
Shafeek outlined GET Group’s VACCEMA, which he calls a holistic approach to automated vaccination management and which provides a centralized system in Egypt. The issue of interoperability was raised, as instead of an ICAO-style international PKI structure, Egypt is working on government bilateral agreements so QR codes issued through VACCEMA can direct verifiers to a secure Ministry of Health-hosted portal to confirm travelers’ status.
This online process, Atick noted, raises concerns around privacy and security.
In a poll, 86 percent of the event’s attendees said COVID health passes are the government’s responsibility, rather than something the private sector should take the lead on.
The event then considered what is likely the largest private sector collaboration on digital health passes.
Walton, St. Clair and Rose each spoke about their own organizations, and collectively about the Good Health Pass, which their organizations are part of.
That initiative has been covered extensively by Biometric Update, and the representatives noted that its paper on interoperability challenges was published in March, ahead of the planned May release of its draft recommendations. Those are currently being composed by groups each dealing with one of ten topics, under Linux Foundation rules through the Trust over IP Foundation.
When asked how Good Health Pass is positioned relative to WHO and ICAO, and why participants have not just put their energy behind those initiatives, Walton said harmonizing those frameworks and providing guidance for public and private sector implementations is crucial work not being addressed elsewhere. St. Clair argued that other solutions tend to meet some but not all of the important features in terms of security, privacy and interoperability that will ensure they function as “Good ID.”
With an increased focus on collaboration, they say, credentials like New York’s Excelsior Pass could be accepted for international travel and other uses.
Off-line authentication, privacy hurdles remain
Another poll asked attendees their level of concern for data privacy with vaccine passport schemes: 54 percent said their concern is very high, 34 percent expressed moderate concern, and 12 percent have no concerns on the issue.
Chadwick spoke about how the Verifiable Credentials scheme brings together W3C WebAuthn (FIDO2), W3C Verifiable Credentials, and X.509 standards, and uses OpenID Connect, to provide digital health pass capabilities based on trusted, established foundations. X.509 is the public key certificate standard that powers the web, and which the WHO and EU Green Pass have chosen for their trust infrastructure.
Chadwick took issue with an earlier characterization of some ICAO-style centralized and federated PKI systems as non-GDPR compliant, as “we require the verifier to state what its policy is in a public repository,” which the wallet grabs from the repository to selectively mint the verifiable credential with minimum disclosure. He also said that integrating the credentials with an API from Fraunhofer allows verifiers to use a Trust Scheme instead of individual PKIs and PKCs.
Barre shared Otentik’s ‘smart VDS’ (visible digital seal) technology, which is being considered for adoption in multiple West African countries. The open standards-based solution uses an ISO standard similar to the ICAO PKI, and includes a GDPR-compliant document reader, he says.
Muschik explained the modular set-up of Veridos’ VeriGo TrueSeal, along with deployments ranging from minimal integrations of VDS technology into existing government back-end systems to full-blown end-to-end solutions.
How to verify certificates through technologies like off-line QR codes remains a challenge, Muschik states, and Veridos is watching to see what the leading PKD environment will be before deciding how exactly to meet that challenge.
As with many ID4Africa events, community participation through questions posed live to speakers and debates in the chat section built throughout the proceedings, and highlighted some of the remaining divides among Africans and the global community on how digital health passes should be architected and implemented.
Part 3, ‘COVID Passes: Harmonization, Standardization & Differentiation,’ delved into the low number of accredited testing labs in Africa, and how a chain of trust from the point of testing or vaccination to verification of health status can be built and preserved.