Elizabeth M. Renieris, a Harvard lawyer on the ID2020 technical advisory committee, has resigned from the ID2020 Alliance. The organization aims to enable digital identity for those that lack one, and is especially active with refugees and marginalized groups. Renieris’ resignation was driven by concerns that the organization will get involved in COVID-19 immunity passports, as Coindesk first reported.
The ID2020 Alliance was founded by Accenture, Microsoft, Gavi, Rockefeller Foundation and IDEO. Partners include Mastercard, which joined last week, as well as NGOs and UN agencies.
ID2020’s Executive Director, Dakota Gruener, recently wrote a Harvard whitepaper about privacy preserving COVID-19 immunity certificates. The paper was published in her personal capacity. A statement from Gruener is appended.
Renieris believes immunity passports could potentially infringe privacy rights for tests that are unproven and that the identity and blockchain standards are still a work in progress.
She was previously on the Global Policy Counsel of Evernym, the self sovereign identity organization that founded Sovrin and Hyperledger Indy. It’s also one of the 60 plus organizations backing the COVID Credentials Initiative (CCI). Renieris’ arguments apply to the CCI of which she is also somewhat critical.
ID2020 has also been the subject of one of the many COVID-19 conspiracy theories related to Bill Gates. The anti-vaccine movement has woven a story that nanoparticles or microchips could be injected into people as a Coronavirus vaccination that becomes a global surveillance scheme. While the conspiracy theory has been debunked, a Yahoo / YouGov poll found that 28% of U.S. adults believe the story and a further 32% aren’t sure.
And Renieris’ arguments carry more weight than a conspiracy theory. She outlined her points in a 4,000-word blog post penned together with Notre Dame medical doctor Sherri Bucher and Christian Smith.
It clarifies that for many illnesses, vaccines are enormously effective. This is where a core part of ID2020’s work is so important, outside of the Coronavirus. However, Renieris makes strong arguments about why immunity passports for COVID-19 may be premature.
The fact that both Evernym and ID2020 have privacy advocates such as Renieris goes to the core of both organizations’ purpose, which is to provide identity in a privacy preserving manner. However, there is no doubt that for some sectors, COVID-19 presents a window of opportunity. And identity is certainly one of them.
The blog post written ten days ago did not refer to ID2020 but does mention the COVID Credentials Initiative, which it says “is led by for-profit companies eager for a use case for their as-yet unadopted technologies. Notably, participants do not include any public health experts.”
So the big question is whether there should be immunity passports at all. And that’s the core of Renieris’ argument.
The legal hurdle
On the legal front, the blog post cites how in China, individuals have to demonstrate a green QR code of health status to access public transport and work. To wave fundamental rights of freedom of assembly, movement, work, and more, it’s argued there is a need to satisfy a three part test. The interference must be in accordance with the law, necessary to achieve a certain aim and proportionate to the aim pursued. And to suspend civil liberties, it should be evidence-based.
“At this time, we know of no specific or general legal frameworks which would provide individuals with sufficient clarity and precision as to how any data processed in connection with such blockchain-enabled immunity credentials would be governed or processed, or that could provide individuals with sufficient safeguards or protections in respect of their use,” the blog post states.
The medical uncertainties
The question marks in the medical area are even more compelling. Coronavirus antibody tests have proven unreliable, and it’s also unclear whether or for how long antibodies provide immunity to infection. A COVID-19 vaccine is a long way off, so why the rush for immunity passports. The blog post also argues that the only immunity certificate supported by the WHO is for Yellow Fever and states it’s a poor comparison to COVID-19.
“A poorly executed immunity certification effort, particularly when not grounded in an established scientific and public health knowledge base, and when tied to the ability of people to economically support themselves and their families, is often rife with corruption, desperation, and perverse incentives, such as intentional self-infection with a potentially deadly disease.”
What the blog post does not address, and what is already happening, is health certificates. This is where someone has a test that says they don’t currently have COVID-19, for example, to go on holiday. This is the current plan in Cyprus for holidaymakers from some jurisdictions. But between taking the test and arriving at the destination, the tourist could have contracted the virus.
Is the technology too immature?
Next, the blog post explores the technology, specifically the W3C standards for verifiable credentials and decentralized identities (DID) as well as blockchain. It argues they are an “excessive and disproportionate technical means of achieving any limited public health outcomes.” The argument is that the technologies are still experimental and there’s a concern over premature standardization that could inhibit future innovation.
One of the most compelling arguments is that verifiable credentials require an internet connection and are not designed to be used offline. Second is the ongoing issue of how users safely manage private keys. Thirdly the blog authors claim that some APIs for verifiable credentials leave the subject authentication as optional. In other words, it may be feasible for someone to impersonate a vaccinated person.
However, what Renieris’ arguments do not consider is the alternative. At Ledger Insights, we’ve reported multiple COVID-19 projects and some do not adhere to W3C decentralized identity (DID) standards. So if there have to be immunity certificates, there are far worse routes that could be followed. That’s the rationale given by ID2020’s Dakota Gruener in her Harvard paper and the purpose of the COVID Credentials Initiative.
Renieris’ blog post concludes on what is the key point: “we remain unconvinced that ‘immunity passports’ or even immunity certificates are possible, let alone desirable.”
Statement from ID2020
We are grateful to Elizabeth Renieris for her service over the past year as a member of the ID2020 Technical Advisory Committee. We applaud and share her commitment to human rights in the context of digital identity. Her feedback has always been thoughtful and was particularly formative to the development of my recent white paper on “immunity certificates”.
We have been consistent in our assertion that technology must not be viewed as a panacea when it comes to addressing this pandemic. Technology solutions must be accompanied by robust, fit-for-purpose trust frameworks and legislative and regulatory actions to ensure their ethical implementation and transparency. These should be developed through an open and inclusive public process that includes elected officials, public health officials, technologists, employers, and social justice and digital privacy advocates.
At every step, we have sought feedback from civil liberties and digital privacy groups to ensure that these considerations are not an afterthought, but rather are built into the technical architecture of any digital health certificate system.
The stakes are high and we have one chance to get this right. Even with these safeguards in place, digital health certificates may still be insufficient to meet the current challenge. Absent such safeguards, we can be assured that they will do more harm than good.
Update: the statement from ID2020 was added.