COVID-19 Passporting

We are in a Catch-22 situation. If we relax the lockdown, we risk reinfecting the population. But we day we are in lockdown our economy…

COVID-19 Passporting

We are in a Catch-22 situation. If we relax the lockdown, we risk reinfecting the population. But we day we are in lockdown our economy crumble one bit more, and is likely to get to a point that it could collapse completely. So, politicians are looking to the turning point of the curve, and then aiming to relax some of the lockdown conditions. But what then? Should each country test at the border? How do we make sure we can safely get people back to work? Well testing and passporting could be one solution, but it takes a bit of effort from politicians to do it in a correct manner, and a way which protects the rights of privacy for citizens. No scheme will ever be perfect, but a digital passport for COVID-19 may allow us a way to build a world of digital certainty, and replace our paper-based approaches.

In order to properly define trust within the attestations around COVID-19, we need to define a trusted network of testers, and for each of these testers to sign a digital attestation of COVID-19 (either positive, clear or undetermined). Each of the testers thus can provide Alice with the digital attestation with her credentials, or where it could be stored in a trusted location:

When Alice reaches a checking entity — such as border control — which provides the attestation for the test, and the entity checks the validity. This confirmation can then be passed onto the Health Authority (HA) within the country. The would then be no need for the entity to keep a record of Alice’s COVID-19 status, as the health authority becomes the trusted source of this medical information.

But how do we keep track of all the identities involved, and who can the border control, the testers, Alice and the HA all prove themselves, and properly sign for Alice’s status? Well, we could use PKI (Public Key Infrastructure), and create digital certificates for all the entities involved, but this is complex, especially where we have so many possible signing entities involved. The solution is to use IBM Hyperledger, and where each entity registers their public keys within a permission ledger. The testers then register their public keys onto the ledger, and where all of the attestations are checked against these. If a tester is shown to produce incorrect results, their public key will be marked as being untrustworthy with a check:

In this case, all of the public keys within the permissioned ledger are registered, and where all the trusted entities can use their private keys to sign for transactions and attestations that they source. This part of the ledger can be shared by different countries, and all a trust network to be created. Each country may define their own trusted testers, but at least there would be a sharing of these across counties. Over time the trustworthiness of the testers could be proven through evidence, and where poor testers could be removed from the trusted list of testing signers. If we need to hide the details of the tester, we can create a ring signature or create a delegated signature on the attestation.

As part of the ledger, we can have more private areas, and where the HA could log the COVID-19 status of Alice, without revealing it to others. In this way, the privacy of Alice is not breached, and no other entity apart from the HA is allowed to log her status. In the best case, it is Alice who can carry the attestation on her mobile device, and then prove herself with multifactor authentication.

Conclusions

We have built a world with physical borders. While these are useful at the time, they are likely to play a major barrier in moving the current pandemic forward, and where nations of the world need to work together and build trust networks. Whether politicians want to do that is another matter.