Earlier this summer, millions of people began using new technology that could reshape how we manage, share and use our data.
This technology is central to the European Union’s Digital COVID Certificate (sometimes mistakenly referred to as Europe’s ‘vaccination passport’).
In just a few months, this technology—distributed identity (or ‘decentralized identity’) and specifically verifiable credentials—was made available to nearly everyone in the EU. By contrast, it took about a decade for Identity Federation or Federated Identity—the method for enforcing identity standards and authentication protocols—to establish itself as a cybersecurity best practice.
Despite the fact that millions of people are using these technologies to help control the spread of COVID, many people—even many identity experts—are new to distributed identity and verifiable credentials. That’s why I was so excited to discuss these innovations in a keynote at last week’s KuppingerCole’s European and Identity and Cloud Conference.
Because as important as distributed identity and verifiable credentials are for the EU’s Digital COVID Certificate, the truth is that we haven’t come close to realizing their potential.
Distributed identity helps solve a problem that’s nearly as old as the internet: how can a user securely share certain (maybe sensitive) information with specific viewers?
It’s a problem that’s taken on greater urgency as the web has continued to grow: today, our data and identities tend to be under the control of the Big Tech firms that operate centralized apps and services. That data tends to be bought, sold and used without our knowledge or permission and has led to significant concerns and new regulations. Tim Berners-Lee, who is often credited as the inventor of the internet, has “lamented the state of the web and how it’s steadily diverged from his original vision of a digital space with freedom and equality.”
Distributed identity changes that dynamic. It allows users to specify what information they want to share and whom they want to share it with.
The EU’s Digital COVID Certificate uses distributed identity to share a digital proof that a person has either been vaccinated against COVID-19, received a negative test result or recovered from COVID-19.
Importantly, distributed identity allows the user to only share their Certificate, and to only share it with specified users. The user—and only the user—decides who can see what.
Distributed identity helps users gain control of their data and share it however and with whomever they like. In the case of the EU’s Digital COVID Certificate, it allows EU citizens to digitally claim that they have been vaccinated, received a negative test or recovered from COVID-19.
But in this case, controlling the use of our information alone isn’t sufficient. We also have to verify the accuracy of a claim.
Verifiable credentials specifically are the technology powering the EU’s Digital COVID Certificate. When I use distributed identity to make a claim that I’ve been vaccinated and share that information with someone else, verifiable credentials allow me to make that claim.
Establishing the trust model for this is fairly simple and follows the classic Public Key Infrastructure (PKI) model: the system allows a few authorized issues—such as government agencies—to issue the credentials.
For instance, in Germany, the Robert Koch Institut (roughly the equivalent to the Centers for Disease Control in the U.S.) issues the verifiable credential for my Certificate. The following condensed (and fictional) verified credential shows the type of information that would be in a Certificate: the claim (I received two rounds of the Coronavirus vaccine); who the claim is about (me); who issued the claim (the Robert Koch Institut); and a ‘signature’ (proof) that prevents anyone else from modifying or creating the claim.
I can add this claim to a digital wallet app and display it when needed via my smartphone. I could even print out the QR code and carry it with me on paper
This is what a verified credential would look like as a QR Code proving that I’ve been vaccinated against COVID-19:
RSA and Janeiro Digital have used similar instances of this technology before, including in a major pilot at the UK’s National Health Service (NHS). There, we’ve used distributed identity and verifiable credentials to help patients with dementia, their caregivers and hospital systems link and share patient records.
Should we just use blockchain as the basis for making a claim that I’ve received the Coronavirus vaccination? In short: no.
Distributed identity can work on blockchain. In fact, the EU originally tried using several overlapping and interdependent blockchains as the basis of the trust model. But for something like a COVID vaccination Certificate, it’s better and far simpler to use the classic PKI model. Doing so allows you to restrict who is and isn’t allowed to issue a verified record: health agencies can but individuals can’t. That same model could apply to other documentation, like passports, drivers’ licenses or other certificates.
I’ve ignored a few fundamental problems in describing distributed identity and verifiable credentials. Suffice it to say that no system is inherently perfect: there are ways that this process can go wrong, usually as a result of user error. I’ve encountered those errors myself, usually when somebody asks me to show my vaccination certificate QR code but fails to actually scan it with an app that can validate the vaccination certificate. I’m not sure about your QR code reading skills, but no matter how hard I try I cannot decode a QR code and check the proof’s digital signature in my head.
The other typical mistake is to not check if the vaccination certificate is in fact about the person that makes the claim. When I use my QR code, I also have to show some identification (like a passport) to establish that the claim about the vaccine applies to me. The person checking my QR code and passport must verify that the certificate indeed belongs to the individual standing in front of them.
But there’s real value in having so many people use distributed identity and verifiable credentials: they demonstrate that there’s a new way for users to control and share their data, that we don’t need to settle for ‘walled gardens’ of the past and that we can build some level of trust into the internet. They indicate changing attitudes about who should be allowed to control, use and share our information.
Most importantly, they reveal that identity isn’t static—and instead, that identity continues to evolve.