Technologists building blockchain-based self-sovereign identity (SSI) tools are collaborating on an “immunity passport” to help stop the spread of COVID-19 without compromising the privacy of users. Proving some level of immunity would help individuals return to everyday life.

The COVID-19 Credentials Initiative (CCI) is working on a digital certificate, using the recently approved World Wide Web Consortium (W3C) Verifiable Credentials standard. The certificate lets individuals prove (and request proof from others) they’ve recovered from the novel coronavirus, have tested positive for antibodies or have received a vaccination, once one is available.

Over 60 organizations in the SSI space are participating, such as Evernym, Streetcred, esatus, TNO, Georgetown University and others. The initiative also has a global spread including Consulcesi in Italy, DIDx in South Africa, TrustNet in Pakistan and Northern Block in Canada.

These digital certificates would be issued by health care institutions but controlled by the user and shared in a peer-to-peer manner. (A common misconception is that self-sovereign means self-attested, which removes the need for governments and other authorities; trust in the issuer of the credential is critical, said a spokesman for Evernym.)

The tech world agrees on the need for some kind of digital certificate. Self-sovereign identity mavens were buoyed by former Microsoft boss Bill Gates asking for digital test certificates during a Reddit AMA last month: “Eventually we will have some digital certificates to show who has recovered or been tested recently or when we have a vaccine who has received it,” said Gates.

‘Human-centric’

There have been a slew of COVID-19 solutions purporting to use blockchain to protect users’ privacy. These have been spurred by surveillance measures enacted in places such as China, including things like thermal facial-recognition cameras, temperature checkpoints and location tracking. While these measures may be effective in slowing the spread of COVID-19 – which has so far claimed at least 115,000 lives worldwide – there are legitimate fears of surveillance overreach.

In the U.K., for example, the technology arm of the National Health Service, NHSX, is working with big data and AI companies like Palantir and Faculty. Though lawyers for those companies said patient data will be anonymized, a report by the Guardian on Sunday cited an unnamed government official voicing concerns the confidential health data was being processed with “insufficient regard for privacy, ethics or data protection.”

SSI may provide an alternate path with less-fraught trade-offs.

“The technology we have been building is human-centric,” said Jamie Smith, Evernym’s strategic engagement director. “It’s really the polar opposite of surveillance-focused solutions we have seen in places like China. Very government-centric solutions have serious implications for ongoing privacy.”

The appropriate approach, said Smith, must be an open ecosystem where there are multiple solutions that are interoperable, a common framework across many regions.

However, this may also lead to intellectual property (IP) disputes, a possibility CCI says it is working to address.

“The CCI is currently in conversations with the Decentralized Identity Foundation (DIF) about the potential to establish a DIF Working Group to provide any necessary intellectual property rights protections for schemas and specifications resulting from the community-driven CCI effort,” an Evernym spokesman said in a statement.

‘Thin’ blockchain layer

SSI builder Evernym uses the Linux-related Hyperledger Indy blockchain protocol, but the CCI project itself is “ledger-agnostic.” SSI and Verifiable Credentials create a triangle of trust between the issuer of a credential (think of a digital version of a tangible document like a driver’s license, passport, birth certificate, car title, plane ticket, etc.), the holder of that credential and a verifier.

It’s a system that puts the holder at the center of things, rather than (an often tedious) back-and-forth directly between the issuer and verifier. It also gives the holder power to choose what they want to share and with whom.

At the core, it’s a decentralized distributed ledger technology (DLT) architecture, but one that doesn’t involve putting lots of data on blockchains.

“It’s a very thin-layer usage of blockchain just for cryptographic infrastructure. All the credentials are exchanged off-chain, peer-to-peer. The role of blockchain is super-important, but it’s thin,” said Drummond Reed, Evernym’s chief trust officer.

Another way to understand how this blockchain layer operates is to look at how the internet itself is designed: users can carry out e-commerce transactions, for example, using public and private keys.

“The hard part of public key infrastructure (PKI) is how do you actually prove it’s someone’s public key,” said Reed. “The solution has always been centralized service providers called certificate authorities.”

In this case, the blockchain acts as a decentralized directory of public keys rather than relying on a centralized service, which helps return control back to the user.
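The issuer, holder and verifier triangle with the ledger used only as a public-key directory can be sketched as follows; this is an added example, not code from CCI, Evernym or Hyperledger Indy. It assumes an in-memory `Map` standing in for the ledger, Ed25519 signatures, constructed `did:example:` identifiers and a simplified `proof` field rather than the W3C proof format.

```javascript
const nodeCrypto = require('crypto');
// Constructed stand-in for the ledger: issuer identifier -> public key (PEM) only.
const ledger = new Map();

// Deterministic serialisation so issuer and verifier process identical bytes.
function canonical(v) {
  if (Array.isArray(v)) return '[' + v.map(canonical).join(',') + ']';
  if (v && typeof v === 'object') {
    return '{' + Object.keys(v).sort()
      .map((k) => JSON.stringify(k) + ':' + canonical(v[k])).join(',') + '}';
  }
  return JSON.stringify(v);
}

// Issuer publishes its public key once and keeps the private key.
function registerIssuer(issuerId) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  ledger.set(issuerId, publicKey.export({ type: 'spki', format: 'pem' }));
  return privateKey;
}

// Issuer signs the claims; the credential goes to the holder, not to the ledger.
function issueCredential(issuerId, privateKey, claims) {
  const body = { issuer: issuerId, claims };
  const sig = nodeCrypto.sign(null, Buffer.from(canonical(body)), privateKey);
  return { ...body, proof: sig.toString('base64') };
}

// Verifier gets the credential from the holder and the key from the ledger.
function verifyCredential(credential, trustedIssuers) {
  const { proof, ...body } = credential;
  if (!trustedIssuers.includes(body.issuer)) return 'untrusted-issuer';
  const pem = ledger.get(body.issuer);
  if (!pem) return 'unknown-issuer';
  if (typeof proof !== 'string') return 'bad-signature';
  const data = Buffer.from(canonical(body));
  return nodeCrypto.verify(null, data, pem, Buffer.from(proof, 'base64')) ? 'valid' : 'bad-signature';
}

function demo() {
  const trusted = ['did:example:clinic']; // constructed identifiers
  const clinicKey = registerIssuer('did:example:clinic');
  const cred = issueCredential('did:example:clinic', clinicKey,
    { type: 'antibody-test', date: '2020-04-01' });
  const altered = { ...cred, claims: { ...cred.claims, date: '2020-04-10' } };
  const selfKey = registerIssuer('did:example:holder');
  const selfIssued = issueCredential('did:example:holder', selfKey, cred.claims);
  const check = (c) => verifyCredential(c, trusted);
  return { genuine: check(cred), altered: check(altered), selfIssued: check(selfIssued) };
}
```

The self-issued credential carries a mathematically valid signature and its key is on the ledger, yet the verifier rejects it because the issuer is not one it trusts, which is the self-sovereign versus self-attested distinction the article draws.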

Looking beyond the immediate need for COVID-19 test credentials, Evernym VP of Revenue Nick Ris said the concept of “trust at a distance” should highlight the need for other SSI applications.