Good Health Pass guidance proposes privacy protections for proof of COVID-19 status
The Good Health Pass Interoperability Blueprint has been launched to propose a privacy-preserving alternative to vaccination certificates to meet international travel requirements. The place of biometrics for binding the credential to the individual is discussed in some detail, along with the protections which are necessary if biometrics are involved.
The 178-page document makes 9 recommendations, provides examples of workflows for obtaining a digital health pass and grounding it in a trusted source of information, and outlines next steps to take following the blueprint’s issuance. The document is the result of collaborative work by more than 125 organizations from the private sector and civil society, and follows on its previously-released Principles and the Blueprint’s draft Outline.
The World Health Organization released technical specifications and implementation guidance for COVID-19 vaccination certificates in late-July, and the Good Health Pass Collaborative’s guidance is meant to compliment the WHO’s to engender widespread trust and adoption.
“When we are asking individuals to verify health-related information, it’s critical to right-size that request to meet the need and intent of the disclosure—no more, no less,” says ID2020 Executive Director Dakota Gruener. “Data minimization, which limits the amount of data included in certificates, is critical. The Blueprint goes a step further to ensure that health passes don’t include more information than verifiers, such as airlines, need or want.”
The key concepts proposed by the group include the use of open standards like W3C Verifiable Credentials and a common governance framework, along with selective disclosure, Overlays Capture Architecture (OCA), and an international trust framework. The recommendations are based on a decentralized approach the document claims is necessary for global security and scalability.
Credential issuance should include identity authentication to a sufficient level of assurance (LOA), according to the guidance, and the LOA achieved should be explicitly stated in the credential itself. The use of face biometrics to issue credentials to individuals without provable identity is noted as an option, and the Collaborative advises that “Consideration should be given to the use of biometric technology. While biometric authentication is readily available for individuals with smartphones, additional technology investments might be required for individuals with little or limited access to smartphones.”
Non-biometric options must also be provided, however, to meet a range of potential circumstances, including no-tech issuance and verification.
The nine challenges that give rise to the central recommendations are around design principles; consistent user experiences; standard data models and elements; credential formats, signatures, and exchange protocols; security, privacy and data protection; trust registries; rules engines; identity binding; and governance.
“The travel industry is facing challenges that require global-scale digital trust,” states Trust Over IP Foundation Executive Director John Jordan. “To meet these challenges the Trust Over IP Foundation was uniquely positioned to bring people together to create the Good Health Pass Blueprint for Interoperability, and we’ve been honored by the opportunity to do so. Collaboration and cooperation were hallmarks of what we achieved in record time, with contributors spanning industries and governments worldwide. We now look forward to helping make the Blueprint’s recommendations operational, so people can identify themselves, share information, and travel with confidence.”
Digital health pass rollouts continue
Canada is planning to issue government documents to enable vaccinated people in the country to prove their status for international travel, The National Post reports.
The government has previously suggested it would take the step of issuing credentials, and now says they will be ready by “early fall,” in both digital and paper-based forms. The health pass is not designed specifically for domestic use, but will be available to provinces to implement.
Travelers to Canada can upload vaccination status to the ArriveCAN app, allowing then to skip otherwise-mandatory quarantine rules.
Partners Liquid Avatar, blockchain company Indicio and Ontario’s Vector Laboratories have launched a decentralized digital identity solution for issuing and verifying COVID test results. The companies say the solution, based on the Liquid Avatar Verifiable Credential Ecosystem (LAVCE), is the first of its kind in Canada.
The solution is secured within a digital wallet through face biometrics, and can also support vaccination credentials.
Liquid Avatar Technologies is part of the Good Health Pass Collaborative, and says the new solution aligns with the group’s recommendations.
ID.me is not part of the GHPC, but has likewise expanded its digital wallet to include COVID-19 vaccination status to serve the 55 million members of its digital identity network.
The app allows organizations to chose from self-asserted status, document-based evidence and confirmation against an issuing or authoritative source, as well as different levels of identity verification.
“Our economic recovery depends on a safe return to work and to gathering in public places to live our lives to the fullest,” says Blake Hall, founder and CEO of ID.me. “The Delta variant has introduced a new paradigm to the war against COVID-19. As the largest identity network by far in the United States of America, we will help the country rise to this challenge and defeat it.”