A Corona Credential?

April 1, 2020

Tests that detect Covid-19 antibodies are becoming available. They allow authorities to test whether people have already contracted the virus, and are therefore now immune and no longer carriers. Once tested, such people could be exempted from certain restrictions (like staying inside or working from home), or could volunteer to help vulnerable people who stay in quarantine. The question is: how do you reliably prove that you have tested positive in such an antibody test, while protecting the privacy of the people being tested? After all, we do not yet know the long-term health effects of having been infected by the virus. It may be a perk and a badge of honour now, but it may be a stain in your health dossier in the years to come.

For this reason people have been proposing digital credentials, and especially privacy-friendly attribute-based credentials, to solve this problem. Such a credential can be selectively disclosed (meaning that the bearer can reveal being Covid-19 immune in cases where this matters, while hiding this fact in all other contexts). Moreover, such credentials are stored and managed by the user on his or her own device (e.g. their smartphone), meaning that there is no need to maintain a central database registering all people tested Covid-19 immune (although it is certainly possible and even desirable to track anonymous statistics concerning Covid-19 immunity). It goes without saying that such a credential cannot be forged.

But there is a problem. A credential saying that the bearer is immune to Covid-19 is extremely valuable, given the freedoms and perks it offers. It should be very strongly tied to the actual person to whom it pertains, to prevent it from being forged or deliberately shared with someone in need. And essentially all forms of digital identity management, including those implementing attribute-based credentials, have a problem ensuring a strong binding between digital credentials and the person they belong to. Forging such credentials, or stealing them from someone, can quite easily be prevented. But it is much harder to prevent a person from sharing his or her credential with someone else, especially in fully virtual, online environments.

But context matters, and in this particular case we are not really considering virtual use cases, but rather real-life use cases where people can use such a credential to prove that they are free to leave home or enter a quarantined area, for example. In fact, in terms of functionality we would like to have a kind of 'corona immunity stamp' in our passports, that we can selectively disclose (or not), and that automatically vanishes after say six months (if that happens to be the period for which immunity can be guaranteed).

Can we design a 'corona credential' that functions like such a 'corona immunity stamp', given that they are only relevant in real-life use cases where we can rely on physical inspection to verify the binding between the person and the credential being presented?

Perhaps we can, if we rely on biometrics to strengthen the binding. It should be stressed that the use of biometrics comes with all kinds of caveats concerning false-reject and false-accept rates, which depend for example on age and genetic disposition. In other words: certain groups may be favoured over other groups when relying on this approach.

Consider for example the following setup, using facial scans as the biometric.

People can install an app on their smartphone that allows them to manage all kinds of attribute-based credentials. We in Nijmegen have, for example, been working on IRMA for quite some time now.

After a person tests positive for Covid-19 antibodies, the accredited testing station can issue a credential stating this. To tie this credential to the person just tested, the testing station needs to take a picture of that person, derive a so-called biometric template from this picture, and store this template together with the (positive) test result in the credential. The credential is issued to the smartphone of the user, and only stored there. The testing station destroys any information about the person and the picture it took, and only records the test result (without any identifying information) for statistical purposes.

To prove immunity to Covid-19, people can choose to reveal this credential. They can only do so when this credential was issued to their phone. To prevent someone from using someone else's phone, people revealing the credential are asked to also reveal the facial template stored in it. So if someone wishes to enter a quarantined area using such a credential, someone present at the entrance should take a picture and match that with the biometric facial template contained in the credential. Again, the picture should be discarded immediately after the credential is verified.

There are issues with such an approach, for example the fact that it normalises camera surveillance. More fundamentally, observe that for privacy it relies on destroying pictures both at the testing station and at any checkpoint. This reliance on operating procedures to protect privacy seems inherent to this particular case, given that we somehow need to physically verify the binding between a person and his or her credentials. The decision to use such an app should therefore not be taken lightly.

My main interest here was the more fundamental question of whether a digital, privacy-friendly credential could be used to solve this problem, given the fact that in general digital identities are only weakly bound to their bearers. My initial thought was that this was not possible. Interestingly enough, given the particular 'physical' aspects of this case, the answer turns out to be somewhat more nuanced, with the caveats mentioned above.

In case you spot any errors on this page, please notify me!
Or, leave a comment.
Gilles Ampt, 2020-04-02 15:03:50

Dear Jaap-Henk, It is good that you are already drawing attention to the question of how citizens will soon be able to demonstrate that it has been independently established that they have built up immunity to the coronavirus and no longer pose a danger to the health of people in their immediate surroundings. I understand your interest in exploring the possibilities of digital credentials here. The first question that comes to my mind is whether this cannot be done much more simply. Can this not be solved with the old-fashioned vaccination booklet or a certified individual test report? What matters to me first of all is that the preconditions are properly laid out. Yes, there will be susceptibility to fraud, assuming that carriers of immunity will have more freedoms (of movement) for a number of months. A paper booklet or certified test report will therefore have to be linked both to a strong (legal) means of identification and to a central registry of individual test reports and/or corona vaccinations. That central registry is indeed not needed with an advanced digital solution. All in all, I foresee that a thorough trade-off still has to be made between the possible solutions, in which other criteria must also be taken into account (such as reliability, ease of use, cost, social inclusion and privacy).

Jaap-Henk, 2020-04-02 15:16:19

Certainly, a vaccination booklet can work too - as long as it is strongly bound to your person and provided with sufficient authenticity features. The reason for writing this post was not to promote the use of digital credentials or identity for this. On the contrary. It was a reaction to online discussions in which this was presented as a kind of miracle cure.

Sven Türpe, 2020-04-19 11:36:26

Your primary concern seems to be how such a credential could be implemented. Before we set out to answer that question I would love to see some reflection on the question whether such a credential should exist or not. Which side effects and incentives should we expect when introducing a serological credential?

Spanish experts – preventive health experts, not technology experts – recently reminded everyone that we use to keep health information private for good reasons: https://elpais.com/sociedad/2020-04-10/los-especialistas-en-medicina-preventiva-se-posicionan-contra-el-pasaporte-serologico.html. Publishing and certifying health data instead through a credential would be more than a single step in the opposite direction. The Spanish experts also emphasize the incentives a credential would create. As you have noticed, a serological credential would be very valuable. Given a reasonable chance of survival, a credential may tempt people to infect themselves.

Even if there were a coronavirus vaccine, one would still have to consider negative consequences of a serological credential as some people will probably have to abstain from vaccination for medical reasons.

While I share your fascination with technology I wish everyone, especially everyone with a background in IT and CS, would pay more attention to the socio-technical and application aspects of their work.

Jaap-Henk, 2020-04-19 11:45:04

Couldn't agree more. I am totally aware of this, but (being mainly a technologist) I mostly study these types of questions from a technological perspective. Here I was nerding out on the technical possibilities and limitations, as input to this much wider discussion we should definitely be having.

Sven Türpe, 2020-04-19 15:38:35

That's fair, technological feasibility and limitations are certainly an important part of the equation and I appreciate contributions to the debate regardless of their particular focus. After all, we need to figure out what to do. It is really the wider discussion and not your particular analysis that concerns me a bit, as it seems skewed toward technical minutiae while downplaying application requirements.