A member of the ID2020 Alliance, which aims to bring digital identities to billions of people, has resigned over the organization’s direction on digital immunity passes and COVID-19.
In her resignation email Friday, Elizabeth Renieris cited ID2020’s opacity, “techno-solutionism” and corporate influence along with the risks of applying blockchain to immunity passes.
“At this stage, I can no longer even describe what ID2020’s mission is with any confidence,” wrote Renieris, who was one of six members of ID2020’s technical advisory committee. “All I can perceive is a desire to promote decentralized identity solutions at all costs.”
Renieris (an occasional CoinDesk contributor) is a fellow at the Berkman Klein Center for Internet and Society at Harvard University and an expert in cross-border data protection and privacy issues. She was previously in-house counsel at two digital identity startups.
Her concerns about the technology, which highlight the trade-offs between health and privacy during the pandemic, are spelled out in a white paper published in mid-May. She says the introduction of immunity passes could interfere with people’s privacy, freedom of association, assembly, and movement.
“Blockchain-enabled ‘immunity certificates’ or ‘immunity passports’ for COVID-19, if implemented by public authorities, would have serious consequences for our fundamental human rights and civil liberties,” she writes.
The discord within ID2020 hints at larger debates around where to use distributed ledger technology (DLT), and where it may create more problems than it solves. But when it comes to the issue of immunity passes, the stakes seem higher.
Renieris worries about how the influence of corporations like Microsoft may influence the development of these systems.
Kim Cameron, Architect of Identity at Microsoft, sits on ID2020’s board, and Kim Gagné, newly appointed as Board Chair, also worked at Microsoft.
“Who is doing the building here is a critical vulnerability, as critical as any technical challenge,” said Renieris. “This is 100% a hammer looking for a nail.”
Ticket to ride?
Immunity passports or certificates are digital or physical documents that individuals would receive if they had tested positive for COVID-19 antibodies. Traditionally, development of antibodies after a disease offers some level of immunity, though scientists are still working to sort out whether this is the case, or how long such immunity might last, when it comes to COVID-19. Potentially, immunity passports allow people to return to work and have greater freedom of movement.
In late April, the World Health Organization warned against the idea of immunity passports, and said there was “no evidence that people who have recovered from COVID-19 and have antibodies are protected from a second infection.” But countries such as Chile said they would move ahead with such passes, despite the WHO’s warning.
The ID2020 Alliance is a public-private partnership, with partners including Microsoft, Accenture and Hyperledger. It hopes to develop a global model for the design, funding, and implementation of “digital ID solutions and technologies,” according to the website.
ID2020 published a white paper in April urging policymakers, technology providers, and civil society groups to collaborate to ensure that digital health credentials or “immunity certificates,” if implemented, are designed to protect privacy and civil liberties.
This is 100% a hammer looking for a nail.
According to Renieris, the paper initially cited the Covid Credentials Initiative (which is advocating for immunity passes based in part on blockchain) and Microsoft’s work with blockchain. It said these are potential solutions for privacy and identity questions around immunity passes. But when Renieris queried their inclusion, the section was dropped because, says Renieris, ID2020 did not want to deal with the tech problems those initiatives would raise.
The initiative neglects to acknowledge any technology-specific risks of a blockchain based approach, instead highlighting generic risks that could apply to any technological solution, said Renieris. While she says she was told the paper would be published as Executive Director Dakota Gruener’s personal view, the press release that was put out around the paper framed it as an ID2020 paper.
“I cannot be part of an organization overly influenced by commercial interests that that only pays lip service to human rights,” she wrote in her resignation. “The stakes are simply too high at this stage.”
In a statement to CoinDesk, Gruener said technology solutions are not a panacea for the pandemic and must be accompanied by robust, fit-for-purpose trust frameworks and legislative and regulatory actions to ensure ethical implementation and transparency.
ID2020 has sought feedback from civil liberties and digital privacy groups to ensure that these considerations are built into the technical architecture of any digital health certificate system.
“The stakes are high and we have one chance to get this right,” said Gruener. “Even with these safeguards in place, digital health certificates may still be insufficient to meet the current challenge. However, absent such safeguards, we can be assured that they will do more harm than good.”
As CoinDesk has reported previously, a number of organizations and companies are actively exploring the idea of immunity passes based on blockchain technology.
Renieris wrote the paper published in May with global health researcher Sherri Bucher of Indiana University School of Medicine,and Christian Smith, CEO of Stranger Labs, which researches, develops, and designs advanced technologies that enhance privacy and security.
In it they criticize the CCI initiative ID2020 initially touted, which proposes combining a World Wide Web Consortium (W3C) standard for Verifiable Credentials (VCs) with non-standard decentralized identifiers (DIDs) and DLT. The architecture is a product of premature standardization, experimental technologies, and speculative requirements, the authors argue, questioning whether these solutions can support such a critical role in public safety as immunity passes.
They also criticize the lack of a proven method of private key management for end-users, especially in offline instances, which digital immunity passports would likely have to include, and say the VC specification merely “provides a data model, not a complete protocol or end-to-end solution.”
UPDATE (May 28, 03:50 UTC): This article has been updated with additional comments.