Digital credentials and privacy in the time of COVID-19

The COVID-19 pandemic has amplified the debate around how much personal data we want or need to share to contribute to the continued health of our communities. Heather Dahl describes how privacy-preserving digital security technologies can help us to respect public health and safety measures while protecting our privacy.

Efforts to mitigate the spread of COVID-19 have impacted all industries, with the financial and payments industries being no exception. Prior to the pandemic, central banks were moving towards digitalisation of their national currencies as a way to exploit advances in financial technology, and to mitigate the rising threat of global private currencies that have emerged over the past decade in the form of permissionless cryptocurrencies and stablecoins. Central banks have leveraged technology throughout their history to address issues such as inefficiency, traceability, and counterfeiting, and to augment their monetary policy toolset. Today, these institutions are once again evaluating the ever-evolving technological landscape to determine the technology and policy strategies that will help them better achieve their mandate and respond to a post-pandemic world where digitalisation takes on new importance in the context of health.

How much personal data do we need or want to share in order to protect the health of our communities? Recent stories converge on fears of surveillance states, mass tracking and tracing, the ethical debate over what personally identifiable information is necessary to manage a public health crisis like COVID-19, and whether those doing the collecting of data will ever relinquish control.

What’s not making it into the wider policy debate is an alternative solution – one which fulfils the requirements of the current state of emergency, satisfies the need to serve public health and safety, but which also protects our privacy. The solution is a decentralised identity in the form of a verifiable digital credential.

How do digital identity credentials work?

When we need to prove our identity, we usually have to present a set of credentials. The set may include a birth certificate, a passport, and employee identification, among others. A digital identity works exactly the same way, and when we speak of “a digital identity” what we really mean is a set of digital credentials that compose our identity. A digital credential is simply a trusted digital version of a credential you might possess in the analogue world. For example, a diploma or a driver’s licence will be backed up by something else that you trust, in this case the university or the government that issued the credential. In the physical world, your driver’s licence proves your age, residence, and right to drive a car; it is trusted not because we know the person holding it, but because it is backed by the government agency that issued the licence. A digital credential does exactly the same thing and, unlike a photo or PDF of a document, it cannot be altered except by the trusted creator of the credential. This enables contactless, trusted sharing between any two entities instantaneously and, most importantly, does not reveal anything unnecessary to the verifier of the credential.

A digital credential can be issued by any organisation, and read by any other organisation, but the credential holder gets to choose exactly what information gets read. For example, with a digital credential, you could prove your age and address when applying for social welfare benefits, without having to use a driver’s licence which might reveal supplementary personal information that you do not need to share. You could share a negative test result for COVID-19 (or a vaccination status when one becomes available), that allows you to travel or attend a conference without revealing other personal data typically associated with any medical document. And it doesn’t have to be stored in a centralised database with all of the privacy and security risks that accompany that outdated information-sharing model.

Critically, a digital credential is not simply a new version of a traditional identity card or document. Using the permanence inherent in blockchain technology, a digital credential becomes permanently trustworthy if the issuer of the credential is trusted. Additionally, a digital identity credential cannot be used to correlate or triangulate other data and trace it back to you. The data is held by you, the data owner, and only shared with permission. What’s more, only the data pertinent to the service being offered needs to be shared.
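The issuer, holder and verifier roles described above can be sketched in a few lines. This is an added example, not code from the article or from any credential system it refers to: it assumes salted-hash commitments for selective disclosure and uses a Lamport one-time signature (one key pair may sign only one credential) as a standard-library stand-in for the issuer's real signature scheme; every function name and the sample claims are constructed for illustration.

```python
import hashlib, json, secrets

def H(b):
    return hashlib.sha256(b).digest()

# Assumption: Lamport one-time signature stands in for e.g. Ed25519 (stdlib only).
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify_sig(pk, msg, sig):
    ok = (H(s) == pk[i][b] for i, (b, s) in enumerate(zip(bits(msg), sig)))
    return len(sig) == 256 and all(ok)

def commit(name, value, salt):
    return H(json.dumps([salt, name, value]).encode()).hex()

def issue(sk, claims):
    """Issuer: sign only the salted digests; values and salts go to the holder."""
    salts = {k: secrets.token_hex(16) for k in claims}
    digests = sorted(commit(k, v, salts[k]) for k, v in claims.items())
    sig = sign(sk, json.dumps(digests).encode())
    return {"digests": digests, "sig": sig, "claims": claims, "salts": salts}

def present(cred, reveal):
    """Holder: disclose chosen claims with salts; the rest stay opaque digests."""
    shown = [[k, cred["claims"][k], cred["salts"][k]] for k in reveal]
    return {"digests": cred["digests"], "sig": cred["sig"], "disclosed": shown}

def verify(pk, pres):
    """Verifier: check the issuer signature, then match each disclosed claim."""
    if not verify_sig(pk, json.dumps(pres["digests"]).encode(), pres["sig"]):
        return None
    shown = pres["disclosed"]
    if any(commit(n, v, s) not in pres["digests"] for n, v, s in shown):
        return None
    return {n: v for n, v, _ in shown}

# Constructed sample data (not from the article).
ISSUER_SK, ISSUER_PK = keygen()
CRED = issue(ISSUER_SK, {"birth_date": "1990-01-01",
                         "covid_test": "negative", "test_date": "2020-06-01"})
```

In this simple scheme the same digests and signature appear in every presentation, so two verifiers comparing notes could link them. The non-correlation property the article describes needs a signature scheme that supports zero-knowledge presentation, which this sketch does not implement.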

COVID-19 and the potential of digital identity credentials

Digital identity credentials are powerful. Using the trust and immutability that come with blockchain technology, we can now build a credential that proves almost anything, as long as you trust the person or entity backing up the claim. Think about it: proof of vaccination, issued by a healthcare provider, and instantly available on your smartphone in conjunction with its built-in biometric access. Your employer can trust you to come back to work. Shop owners can trust you to come into their store to buy their products. A stadium can trust you to come and watch a football game. You can board a plane for an international flight and the destination country can verify your COVID-19 status before your arrival. Not because they trust you, but because they trust the healthcare provider who issued your credential. Just like that, life can start to become somewhat normal again while your privacy is protected. Unlike a centralised system where one entity stores, witnesses, and acts as a hub for every data transaction, a distributed system keeps the data with the creator, or issuer of the document, and the data owner (identity credential holder). Data can be transmitted from point-to-point only when needed and can be trusted with a cryptographic proof of its provenance.

How can the OECD help to unlock the power of digital identity?

The OECD’s Global Blockchain Policy Centre has assembled a group of global technology experts to share their perspectives on the latest developments in distributed ledger technologies and to consider their policy implications. This multi-stakeholder group discusses the policy implications of distributed ledger technology (DLT) and advises on high-level guidance to help DLT stakeholders meet the challenges of a new paradigm in information and value sharing and transmission.

The power of a digital identity credential is vast as this credential forms the critical layer of trust that can empower all other applications. The business use cases are wide-ranging, and simultaneously improve trust and efficiency while reducing risk. A digital credential gives anyone the ability to prove something about themselves instantly, without person-to-person contact, and in a verifiable way. From healthcare to banking to trusted online voting, a digital credential makes the world a safer place for you and for those around you.

Heather C. Dahl is a member of the OECD Blockchain Expert Policy Advisory Board (BEPAB). She is a widely-respected thought leader in digital identity technology and news media, with over 25 years of strategic leadership experience in newsrooms, multinational corporations and high-tech companies. As the CEO of the professional services firm, Heather brings with her a deep knowledge of decentralised and self-sovereign identity and business strategy from her time as CEO of the Sovrin Foundation. With graduate degrees from Columbia University and Johns Hopkins Business School, she is a committed advocate for privacy-preserving digital security technologies.
