From ‘no-tech’ to biometrics, Good Health Pass specifies varying levels of assurance
The Good Health Pass Collaborative has released its draft Interoperability Blueprint Outline to provide guidance for the implementation of digital health passes ahead of the G7 Summit opening this week in the UK. The group sent a letter to the G7 urging support for interoperable health passes last month.
The blueprint includes specific recommendations about the role of biometrics in digital health passes.
The announcement notes that the World Travel & Tourism Council estimates more than 60 million jobs related to tourism have been lost to the COVID-19 pandemic, with the sector’s contributions to global GDP falling by nearly half, a loss of $4.5 trillion.
The Interoperability Blueprint sets out nine technical and interoperability challenges the group says require global consensus to provide trusted, interoperable and rights-preserving health credentials. The areas covered by the paper include design principles; consistent user experiences; data models and elements; credential formats, signatures, and exchange protocols; security, privacy and data protection; trust registries; rules engines; identity binding; and governance. They were composed by nine drafting groups drawn from the 120 companies and organizations that have partnered with the Good Health Pass initiative.
The 181-page document is broken down into sections on how the blueprint fits into the industry and on overall, credential, and operational infrastructure recommendations, with an extensive glossary and references. It deals explicitly with both paper and digital versions of health passes, and places the blueprint within the context of work done on W3C Verifiable Credentials, and by Linux Foundation projects the Trust Over IP Foundation and the COVID-19 Credentials Initiative. The ICAO, Airports Council International and the CARIN Alliance are among stakeholders working to harmonize their efforts with the Good Health Pass Blueprint.
The document provides a model breaking the passenger journey into three ‘zones,’ with a test or vaccination comprising Zone 1, the issuance and receipt of a credential as Zone 2, and the presentation of the credential as Zone 3. The operating principle throughout for identity authentication is level of assurance, with the ecosystem including a range of degrees of certainty that the person presenting the credential is the person it was issued to.
The sensitivity of biometric data, and the need for consent when it is used, are emphasized in multiple parts of the blueprint. The section on identity binding dictates that the Good Health Pass ecosystem must accommodate a full range of binding strength for Zone 1, from none at all to strong biometric binding to an extensive electronic health record. Credentials must be issued after identity authentication, with the level of assurance the authentication provides noted directly on the issued credential. Acceptance of the credential is then based on the level of assurance provided meeting the criteria of the verifying party. The ecosystem must also accommodate low-tech or no-tech identity binding, the document states, which is identified as a potential problem area for identity binding, along with integration with existing healthcare systems and the need for globally agreed-on standards for confidence levels in identity binding.
“In short, GHP-compliant credentials MUST be able to describe any level of identity proofing at the time of testing – from none to fully verified biometrics,” the section concludes.
For authenticating a pass-holder to receive a service, the document specifies a relatively high level of assurance, which means in-person or remotely supervised authentication processes that may involve biometrics.
The blueprint also notes that “Health pass providers MAY (sic) need to support facial biometric binding to the individual where the technology requirements allow to include those without provable identity,” to make test results acceptable.
When credentials are issued, identity authentication is recommended to include identity document information, to enable trusted risk assessments on presentation of the credential. It may also be desirable to add biometric information to the credential for authentication in Zone 3. The blueprint also notes that technologies like biometrics which provide high levels of assurance may face implementation challenges in the form of varying access to technology and possible requirements for remote and self-administered testing.
The blueprint also recommends that Good Health Passes should not ‘phone home’ for verification, which could enable tracking or surveillance, and should use zero-knowledge proof cryptography to support selective disclosure of the information. Critically, the recommendation against phoning home may prevent the use of biometrics on paper-based credentials, which otherwise could provide a link to a biometric database.
ID2020 Executive Director Dakota Gruener says the proposed standards make global interoperability and trusted, convenient travel experiences for individuals and stakeholders possible.
“This draft blueprint is historic, both in its depth and breadth of proposed standards, as well as the number of expert volunteers who contributed their time to its development,” states Gruener. “When we partnered with the Trust Over IP Foundation, we committed to an open and inclusive process. Releasing the draft for public comment today takes that commitment a step further. We felt this was incredibly important, given the range of public and private entities expected to play a role in the issuance and acceptance of digital health passes and the need to build public trust and support their adoption.”
Gruener told Biometric Update earlier this year that a trust framework will also be issued soon.
A public comment and stakeholder consultation period for the draft will be open for three weeks.
Blair Institute urges policy changes to reduce restrictions on vaccinated people
In the announcement, former UK Prime Minister Tony Blair notes the importance of limiting the spread of COVID-19 variants to the safe resumption of international travel.
The Tony Blair Institute, meanwhile, launched a report titled ‘Less Risk, More Freedom’ urging the UK government to take vaccination status into account in the country’s pandemic restrictions. The use of digital health passes by vaccinated people could allow people and businesses to safely operate under different conditions by admitting only those who have been vaccinated.
The report examines findings about the safety of vaccinated people in Israel, where the process is far enough along for substantial data to be collected, and reviews the progress towards vaccinating the UK population.
Reducing domestic restrictions on vaccinated individuals could ease the social and economic costs of those restrictions, the report authors write.
The paper recommends that health passes support test results and vaccination status, that they should be available to organizations seeking to use them to restrict access, that more detailed guidance on them should be provided, and that the UK should use the G7 opportunity to coordinate their universal recognition, and support the Good Health Pass Collaborative.