A member of the ID2020 Alliance, which aims to bring digital identities to billions of people who don’t have them, has resigned over the organization’s direction on digital immunity passes and COVID-19.
In her resignation email last Friday, Elizabeth Renieris cited ID2020’s opacity, “techno-solutionism,” and corporate influence along with the risks of applying blockchain to immunity passes.
Renieris (an occasional CoinDesk contributor) was one of six members of ID2020’s technical advisory committee. She is a fellow at the Berkman Klein Center for Internet and Society at Harvard University and an expert in cross-border data protection and privacy issues. She was previously in-house counsel at two digital identity startups.
Her concerns, which highlight the tradeoffs between health and privacy during the pandemic, are spelled out in a white paper published in mid-May. She says the introduction of immunity passes could interfere with people’s privacy, freedom of association, assembly, and movement.
“Blockchain-enabled ‘immunity certificates’ or ‘immunity passports’ for COVID-19, if implemented by public authorities, would have serious consequences for our fundamental human rights and civil liberties,” she writes.
Immunity passports or certificates are digital or physical documents that individuals would receive if they had tested positive for COVID-19 antibodies. Traditionally, development of antibodies after a disease offers some level of immunity, though scientists are still working to sort out whether this is the case, or how long such immunity might last, when it comes to COVID-19. Potentially, immunity passports allow people to return to work and have greater freedom of movement.
See also: Immunity Passes Explained: Should We Worry About Privacy?
In late April, the World Health Organization warned against the idea of immunity passports, and said that there was “no evidence that people who have recovered from COVID-19 and have antibodies are protected from a second infection.” But countries such as Chile said they would move ahead with such passes, despite the WHO’s warning.
The ID2020 Alliance is a public-private partnership, with partners including Microsoft, Accenture and Hyperledger. It hopes to develop a global model for the design, funding, and implementation of “digital ID solutions and technologies,” according to the website.
ID2020 published a white paper in April urging policymakers, technology providers, and civil society groups to collaborate to ensure that digital health credentials or “immunity certificates,” if implemented, are designed to protect privacy and civil liberties.
According to Renieris, the paper initially cited the Covid Credentials Initiative (which is advocating for immunity passes based in part on blockchain) and Microsoft’s work with blockchain. It said these are potential solutions for privacy and identity questions around immunity passes. But when Renieris queried their inclusion, the section was dropped, because, says Renieris, ID2020 did not want to deal with the tech problems those initiatives would raise.
The initiative neglects to acknowledge any technology-specific risks of a blockchain based approach, instead highlighting generic risks that could apply to any technological solution, said Renieris. While she says she was told the paper would be published as Executive Director Dakota Gruener’s personal view, the press release that was put out around the paper framed it as an ID2020 paper.
Gruener said technology solutions are not a panacea when it comes to the pandemic and must be accompanied by robust, fit-for-purpose trust frameworks and legislative and regulatory actions to ensure their ethical implementation and transparency. ID2020 has sought feedback from civil liberties and digital privacy groups to ensure that these considerations are built into the technical architecture of any digital health certificate system.
“The stakes are high and we have one chance to get this right,” said Gruener. “Even with these safeguards in place, digital health certificates may still be insufficient to meet the current challenge. However, absent such safeguards, we can be assured that they will do more harm than good.”
As CoinDesk has reported previously, a number of organizations and companies are actively exploring the idea of immunity passes based on blockchain technology.
Renieris wrote the paper with global health researcher Dr. Sherri Bucher of Indiana University School of Medicine, and Christian Smith, CEO of Stranger Labs, which researches, develops, and designs advanced technologies that enhance privacy and security.
In it, they criticize the CCI initiative which ID2020 had initially touted, a World Wide Web Consortium (W3C) standard for Verifiable Credentials (VCs), and non-standard decentralized identifiers (DIDs) and DLT. They say the W3C is a product of premature standardization, experimental technologies, and speculative requirements. Using such a method, rather than what they call existing and battle tested solutions, leads them to question whether they are adequate to support such a critical role in public safety as immunity passes.
They also criticize the lack of a proven method of private key management for end users, especially in offline instances, which digital immunity passports would likely have to include and say the VC specification merely “provides a data model, not a complete protocol or end-to-end solution”.
The discord within ID2020 hints at larger debates around where to use DLT, and where it may create more problems than it solves. But when it comes to the issue of immunity passes, the stakes seem higher.
Renieris worries about how the influence of corporations like Microsoft may influence the development of these systems. Kim Cameron, Architect of Identity at Microsoft, sits on ID2020’s board, and Kim Gagne, newly appointed as Board Chair, also worked at Microsoft.
“Who is doing the building here is a critical vulnerability, as critical as any technical challenge,” said Renieris. “This is 100% a hammer looking for a nail.”
