Blockchain-Based Immunity Passports Don't Solve Key Privacy Issues: Report
Existing decentralized standards for digital identity are prone to compromise and essentially offer no privacy: that is the central argument of a new paper that Harry Halpin, visiting professor at the research university KU Leuven, presented at the Security Standardization Research conference (SSR20) hosted by Mozilla.
Proposals for vaccination or immunity passports that would tie a person's movements to their COVID-19 immunity status have resurfaced alongside promising news about vaccines. The International Air Transport Association (IATA) announced that it is "in the final stages of development" of a digital passport app intended to record and verify whether someone has received a COVID-19 vaccine. The app would supposedly use blockchain technology to authenticate data without storing it centrally. Meanwhile, the World Health Organization is looking into possible "e-vaccination certificates" for travel.
"Identity systems based on globally unique identifiers are inherently anti-privacy, and adding them to a blockchain doesn't change this fundamental dichotomy," said Halpin, author of the paper "Vision: A Critique of Immunity Passports and W3C Decentralized Identifiers" and CEO of Nym, a data-protection startup developing a mixnet.
"In fact, putting this data on a blockchain makes privacy issues worse, and it's not clear that hand-waving about zero-knowledge proofs really changes the situation."
Vaccination or immunity passports
The idea of immunity passports has been around for months. The premise is that someone who has had COVID-19 would be immune for a period of time and could have that status verified digitally. Concerns about such proposals are numerous, including how such sensitive information is stored, how it is verified, and how it restricts or harms people's rights.
Countries like Chile and El Salvador have actually pursued such measures. For example, Chilean ID card holders are exempt from quarantine if they have recovered from COVID-19 or test positive for antibodies, so they can go back to work, according to the Washington Post. Residents of Chile could apply for these passports if they have shown no symptoms of the disease and are willing to be tested.
The ID2020 Alliance, a public-private partnership with partners such as Microsoft, Accenture and Hyperledger, has already begun to certify some ID proposals as “good ID” to be offered to governments. Certification means that the technology meets 41 technical requirements of ID2020.
The COVID-19 Credentials Initiative (CCI) is another group, of more than 300 people from 100 organizations, who "want to deploy and/or help deploy privacy-preserving verifiable credentials to help curb the spread of COVID-19 and strengthen our societies and economies." The project is looking for cases where Verifiable Credentials (VCs), the digital equivalent of a driver's license, could be used to address the public health crisis. At their core, VCs are meant to disclose only the minimum information an entity needs, for example to allow someone access to a workplace during a pandemic, while restricting what other kinds of information are shared.
Vaccines offer both a new opportunity and new privacy and sensitivity issues when it comes to any form of passport. But, as Halpin notes in the paper, "the most popular immunity passport programs included a stack of little-known standards, such as the World Wide Web Consortium (W3C) decentralized identifiers (DIDs) and verifiable credentials (VCs)."
Halpin argues that immunity passports "are potentially dangerous as immunity passport holders could become an 'immunity elite' with an increasing social stratification of those without certificates, which in many countries violates existing laws on discrimination."
For example, it is not difficult to imagine that affluent populations would be the first to have access to newly approved vaccines, receive immunity passports or certificates, and thus gain access to travel, work, and other benefits that would result from them.
Decentralized identifiers, verifiable credentials and W3C
The World Wide Web Consortium (W3C), a member-led standards body, has set the standards for DIDs and VCs on which many of these privacy proposals are based. The body is also known for standards such as the early versions of HTML. Halpin argues that these standards do not deliver the privacy they claim to protect.
In general, a digital identity is viewed as a unique identifier associated with a number of attributes such as a person's name, citizenship, or in this case immunity status. A goal of many companies in the blockchain space is to create a "self-sovereign identity" that lets people control how others access their identifiers, without revealing their personal information and without relying on a centralized government or company.
Think of this a bit like a bitcoin wallet address that a user can pay you at without needing to know your name. Compare that with sending money to someone else's bank account: the bank needs to know who you are and who you are sending money to.
A key obstacle was that a central database appeared to be needed to register or verify these unique identifiers. Blockchain technology apparently solved this need by allowing information to be stored in a decentralized manner and, together with the W3C, brought a revival of interest in setting standards for this idea.
VCs and DIDs: Mainly about data integration
At the center of Halpin's criticism of VCs is that they are designed for data integration rather than data protection. The standards build on the Semantic Web (an extension of the web, built on W3C standards, whose aim is to make data machine-readable).
The details of the argument are quite technical, but make a few important points. For one, W3C VCs are basically just signed digital documents. They rely on a serialization format (the encoding in which data is converted for transmission) whose only distinctive purpose is data fusion, that is, integrating data from several sources.
In other words, on a technical level, the standard data model is not built with data protection at its center. Instead, it's an optional add-on.
"The Semantic Web is useful for data fusion between databases, which is useful for open public data," said Halpin. "When you combine the Semantic Web with personal data and globally unique identifiers such as DIDs, it can potentially be used in use cases such as the search for immigrants by the (US) Department of Homeland Security. I honestly can't see any reason why coronavirus test results are appended to a DID, and the only answer that seems plausible is governments' dangerous data fusion with other sensitive data."
DHS hired Digital Bazaar to work on the W3C standards for digital identity.
Halpin writes that this data-integration-based model can be exploited through signature exclusion and signature replacement attacks. In such an attack, a bad actor removes the signature from a signed message or digital document and replaces it with another signature, thereby tricking a verifier into accepting an invalid document as valid.
This means a VC could appear to have been verified when it has not. In the case of an immunity passport or certificate, someone could have such a document accepted as genuine when it is incorrect or even entirely fabricated.
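The two attacks described above come down to what a verifier actually checks. The following Python is an added example (not code from Halpin's paper or from any W3C implementation) contrasting a naive verifier with one that binds the signature to a trusted issuer. It assumes a made-up key registry standing in for DID resolution, uses HMAC as a stand-in for the asymmetric signatures a real VC proof suite would use, and works on a constructed credential; the DIDs and key names are invented.

```python
import hashlib
import hmac
import json
from copy import deepcopy

# Constructed stand-in for DID resolution: verification method id -> key
# material. Anyone can create a DID, so an attacker's key resolves just as
# cleanly as the health authority's.
KEY_REGISTRY = {
    "did:example:health-authority#key-1": b"health-authority-secret",
    "did:example:mallory#key-1": b"mallory-secret",
}

# Issuers this verifier is willing to accept immunity claims from.
TRUSTED_ISSUERS = {"did:example:health-authority"}


def canonicalize(claims: dict) -> bytes:
    """Deterministic serialization of the signed part of a credential."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def sign(claims: dict, verification_method: str) -> dict:
    """Attach a proof. HMAC stands in for Ed25519/RSA here (assumption);
    the verifier logic below is the point, not the primitive."""
    key = KEY_REGISTRY[verification_method]
    sig = hmac.new(key, canonicalize(claims), hashlib.sha256).hexdigest()
    return {**claims, "proof": {"verificationMethod": verification_method,
                                "signature": sig}}


def signature_ok(credential: dict) -> bool:
    """Does the proof verify under the key it names? Says nothing about
    whether that key belongs to anyone we trust."""
    proof = credential.get("proof")
    if not proof:
        return False
    key = KEY_REGISTRY.get(proof["verificationMethod"])
    if key is None:
        return False
    claims = {k: v for k, v in credential.items() if k != "proof"}
    expected = hmac.new(key, canonicalize(claims), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, proof["signature"])


def naive_verify(credential: dict) -> bool:
    """Accepts any internally consistent proof, and treats a missing proof
    as 'nothing to verify' (the signature-exclusion failure)."""
    if "proof" not in credential:
        return True
    return signature_ok(credential)


def strict_verify(credential: dict) -> bool:
    """Requires a proof, a valid signature, and that the key's controller is
    a trusted issuer that also matches the credential's declared issuer."""
    proof = credential.get("proof")
    if not proof or not signature_ok(credential):
        return False
    controller = proof["verificationMethod"].split("#")[0]
    return controller in TRUSTED_ISSUERS and credential.get("issuer") == controller


# Constructed sample credential from the trusted issuer.
GENUINE = sign({"issuer": "did:example:health-authority",
                "credentialSubject": {"id": "did:example:alice",
                                      "immunityStatus": "negative"}},
               "did:example:health-authority#key-1")


def signature_replacement(credential: dict) -> dict:
    """Models the replacement case from the text: claims are edited, the
    original proof dropped and a proof under a different key attached."""
    claims = deepcopy({k: v for k, v in credential.items() if k != "proof"})
    claims["credentialSubject"]["immunityStatus"] = "immune"
    return sign(claims, "did:example:mallory#key-1")


def signature_exclusion(credential: dict) -> dict:
    """Models the exclusion case from the text: the proof is simply removed."""
    return {k: v for k, v in credential.items() if k != "proof"}
```

The naive verifier passes both manipulated credentials because it only asks "does the signature match the key the proof names?"; the strict verifier also asks who controls that key and whether that controller is the declared issuer and on its trust list, which is the check a real deployment needs to pin down in its proof-verification policy.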
Elizabeth Renieris is a privacy attorney and a Technology and Human Rights Fellow at the Carr Center for Human Rights Policy at Harvard Kennedy School in Cambridge, Massachusetts. She previously co-authored a paper on ethical, social and technical issues related to COVID-19 immunity passports and resigned from ID2020's technical advisory board due to concerns about the direction of the organization.
According to Renieris, the biggest problem with the DID specifications is that they are just a data format, one poorly understood by the community and by the for-profit companies driving this narrative.
"There are no security protocols or access controls embedded, and there is no way to prove that a VC holder is the subject of that VC," she said in an email. "This opens the door to massive fraud."
Halpin argues that DIDs inherently contradict privacy as well. The link between an entity and an action is at the heart of arguments about data protection. When an adversary's goal is to identify you, being assigned a globally unique identifier that is reused makes it much easier to uncover your identity.
"Even if you're not using a globally unique identifier (GUID), your actions online can still be linked. A GUID just makes it easy," Halpin said in a message. "A cookie in a browser is a unique identifier that Google assigns you to link your actions across websites. With DIDs, you've just been given a cookie that any company can use. This is fine for some use cases, but probably not for sensitive medical data."
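The linking Halpin describes is just a join on the reused identifier. The Python below is an added illustration (not from the paper or any DID library) of what a party holding two unrelated logs can do when both are keyed by the same global DID, and of why pairwise per-relationship identifiers defeat that join. The logs, DIDs and holder secrets are constructed sample data; the `did:peer:` derivation shown is an assumed simplification, not the behaviour of any particular DID method.

```python
import hashlib
import hmac

# Constructed sample: two unrelated relying parties each keep a log keyed by
# whatever identifier the holder presented to them.
CLINIC_LOG = [
    {"id": "did:example:alice", "event": "antibody test", "result": "positive"},
    {"id": "did:example:bob", "event": "antibody test", "result": "negative"},
]
EMPLOYER_LOG = [
    {"id": "did:example:alice", "event": "badge-in", "site": "hq"},
    {"id": "did:example:carol", "event": "badge-in", "site": "lab"},
]

# Constructed: per-holder secrets that only the holder knows. Used here
# solely to build the pairwise-identifier version of the same logs.
HOLDER_SECRETS = {
    "did:example:alice": b"alice-secret",
    "did:example:bob": b"bob-secret",
    "did:example:carol": b"carol-secret",
}


def link_records(log_a, log_b):
    """Join two logs on the presented identifier: the data-fusion step an
    adversary holding both datasets performs. Returns (id, rec_a, rec_b)."""
    index = {}
    for rec in log_a:
        index.setdefault(rec["id"], []).append(rec)
    return [(rec["id"], a, rec) for rec in log_b for a in index.get(rec["id"], [])]


def pairwise_id(holder_secret: bytes, relying_party: str) -> str:
    """One identifier per relationship (assumed derivation): the holder can
    reproduce it for that party, but two parties cannot match their copies
    without the holder's secret."""
    digest = hmac.new(holder_secret, relying_party.encode(), hashlib.sha256).hexdigest()
    return "did:peer:" + digest[:16]


def rewrite_with_pairwise(log, relying_party, secrets=HOLDER_SECRETS):
    """The same log as it would look had each holder presented a pairwise
    identifier to this relying party instead of a global DID."""
    return [{**rec, "id": pairwise_id(secrets[rec["id"]], relying_party)} for rec in log]


def linkable_count(log_a, log_b) -> int:
    """How many cross-log record pairs an adversary can tie together."""
    return len(link_records(log_a, log_b))
```

With the global DID, the clinic's antibody result and the employer's badge record for Alice fall out of a single join; with pairwise identifiers the same two logs share no key, so the join is empty even though both parties still have a stable identifier for their own use.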
Blockchain doesn't fix this
According to Renieris, the arguments in favor of decentralization and the advantages of blockchain also come apart at the seams once permissioned ledgers and centralized servers are taken into account.
The attraction of blockchain technology lies in its decentralization, immutability and pseudonymous hashes.
In practical use cases, however, according to Halpin, a blockchain does not fix the flaws in the underlying DID and VC standards. Instead, it introduces additional complexity and weak points.
In a paper published in June 2020, for example, a specific proposal for immunity passports, titled "COVID-19 Antibody Test/Vaccination Certification: There's an App for That," was presented. It describes a distributed ledger called OpenEthereum, the Open University's fork of Ethereum, operated by a consortium.
"In contrast to Ethereum, but similar to other DID-based chains like Sovrin, it is based on a 'proof of authority' (i.e. a permissioned blockchain in which any validator or quorum of validators can write to the chain, but no other actors, such as users)," writes Halpin.
Users of the proposed app can choose where to store their data, allegedly revoke and delete their data if they so choose, and store personal information in hashed form.
Halpin points out a number of ways in which these claims leave something to be desired. If users can choose where to store their data, they can put it on insecure devices like their smartphones. There is no guarantee that data will not be copied by other systems. Finally, according to Halpin, the system's data structure creates problems with scaling.
"The most concrete proposal for an immunity passport dangerously puts the hash of personal data on the blockchain. Even the use of blockchain technology to specify the resolution of an on-chain mapping from an identifier to a key, in systems like Sovrin, ultimately leads to a redirect to centralized servers, undermining the claim that blockchain encourages decentralization," Halpin wrote.
"Since the use of blockchain technology does not appear to be required for the goals of immunity passports and is likely to hinder rather than support privacy, immunity passports – and more generally both W3C DIDs and VCs – use blockchain for the sake of blockchain."
Data protection needs to be at the core of such systems, not an optional afterthought, he said.