decentralized-id.github.io/identosphere-dump/real-world/covid-coronavirus.md
2023-01-15 01:30:53 -05:00

57 KiB
Raw Blame History

published
false

Just wanted to share this with those working on C19 vax certs:

From: https://www.infosecurity-magazine.com/news/scammers-sell-fake-covid19/

The security firm DomainTools claims to have seen authentic-looking CDC cards selling for as little as $20 each on domains like covid-19vaccinationcards[.]com, which features a Lets Encrypt TLS certificate. “Though selling a printed card is not necessarily illegal, the pricing, logo and cardstock of these vaccination records demonstrate a level of intent to pass as legitimate cards from the CDC,” explained DomainTools senior security researcher, Chad Anderson.

and

From: https://www.tomsguide.com/news/fake-covid-vaccination-cards

Israeli security firm Check Point reports that fake American and Russian vaccination certificates are being sold online for between $100 and $200. Fake COVID-19 negative test results cost as little as $25, while (likely fake) COVID-19 vaccine sells for about $500 per vial.

As some of you know, a few of the members in the W3C Credentials Community Group have been working on a Vaccination Certificate Vocabulary[1]. The World Health Organization has recently published a Release Candidate data model dictionary for Smart Vaccination Cards[2]. The CCG has also been working on a Verifiable Credentials HTTP API[3].

The WHO guidance covers 28 types of vaccines that we (as a global society)

depend on, including Measles, Smallpox, Polio, Yellow Fever, COVID-19, and

others. We (Digital Bazaar) thought it might be interesting to see if we could

create an interoperability test suite for the WHO Smart Vaccination Card work using the tools listed above.

...

  • A test suite containing 1,624 tests covering the

28 vaccine types in the WHO vocabulary.

  • 7 independent vendor implementations issuing and

verifying each others WHO Smart Vaccination Cards.

  • 1,623 passing tests demonstrating true

interoperability!

You can view the latest Vaccination Certificate test suite report here:

Covid

The Implementation Guide V1 provides a set of baseline recommendations to the CCI community of application and services developers, implementers with which to evaluate product designs. The requirements mentioned in this guide should be read along side (and not as a substitute to) the regulations applicable to the jurisdiction in which the applications and services will be made available

Tata Consulting Services a vision for how SSI can be used to re-open global travel with the reality of COVID-19.

SSI still requires market validation, and support for its implementation is currently limited to a relatively small group of technologists and enthusiasts. However, the implementation of SSI in the travel industry at a future point in time, especially once the standards and protocols are production ready and existing user experience challenges have been resolved, is something that all travel industry stakeholders should be watching, waiting and ready for.

Without transparent operational guidance, peoples privacy and personal freedoms may be compromised. By having a set of operational rules, decision makers will have the capacity to make better decisions that will enable the public to trust that the tools being implemented have been designed to respect their best interests.

Its quite important to outline the difference between #selfsovereignidentity and centralised solutions in the development of #covid #vaccinepassports.

The former requires zero trust on third parties, the latter is prone to hacking and abuse.

  • The EU Digital Green Certificate Program: Analysis & Comparison

    The EU approach does not support selective disclosure, i.e. allowing a subset of attributes from a credential to be used without revealing all the data in the credential.

  • Getting Privacy Right with Verifiable Health Credentials

    Verifiable health credentials have never been more important or more urgently needed. Yet, as an industry, we have a responsibility to ensure that the solutions we deploy today are held to the highest bar and set the right precedent for personal data privacy.

  • Coming Soon: The Vaccine Passport

    “The global passport system took 50 years to develop,” said Drummond Reed, chief trust officer for Evernym. “Even when they wanted to add biometrics to that to make it stronger, that took over a decade to agree on just how youre going to add a fingerprint or a facial biometric to be verified on a passport. Now, in a very short period of time, we need to produce a digital credential that can be as universally recognized as a passport and it needs an even greater level of privacy because its going to be digital.”

  • Digi.me creates first working UK vaccine passport capability

    Digi.mes health pass is built on the same principles as our existing secure data exchange platform, and can be displayed on demand on a users phone. It is verified fully private, secure and tamper-proof due to multiple robust security measures including encryption.

This health pass has been designed to be fully interoperable with other international standards, such as the UN Good Health Pass Collaborative, of which digi.me is a member.

  • Everything You Need to Know About “Vaccine Passports” IdentityWoman \ Mother Jones

    Andy Slavitt, a White House senior adviser for COVID response, specified at a March 29 briefing that “unlike other parts of the world, the government here is not viewing its role as the place to create a passport, nor a place to hold the data of citizens.”

  • WHO goes there? Vaccination Certificates Technology and Identity Stephen Wilson

    Based on experience building a mobile credentials wallet for the Department of Homeland Security, I argue the proper goal of a digital vaccination certificate should be confined to representing nothing more and nothing less than the fact that someone received their jab. Such a Verifiable Credential would include the place, date and time, the type of vaccine, and the medico who administered or witnessed the jab.

  • We dont need immunity passports, we need verifiable credentials

    Paper certificates, PDFs, wristbands and mobile apps have all been suggested — and the former director of the Centers for Disease Control, Tom Frieden, and international human rights attorney Aaron Schwid urged the adoption of digital “immunity passports” as a way to reopen the world.

In theory, their idea is great. In practice, its terrible. Or, as the Daily Beast put it: “Vaccine Passports Are Big Techs Latest Dystopian Nightmare.”

  • British Airways to trial Verifly digital health passport

    The trial begins on February 4 on all of the carriers transatlantic routes between London and the US (currently New York JFK, Los Angeles, San Francisco, Boston, Chicago, Dallas, Miami, Washington, Houston and Seattle).

It will be run in conjunction with joint business and Oneworld partner American Airlines, which is already using the technology on international routes to the US.

  1. Paper Based Credentials will define how a paper-based alternative can be created for any digital health pass so access will be available to all.
  2. Consistent User Experience will specify the common elements required so that individuals can easily, intuitively, and safely use digital health pass implementations.
  3. Standard Data Models and Elements will determine the core data items needed across all digital health pass implementations for both COVID-19 testing and vaccinations.
  4. Credential Formats, Signatures, and Exchange Protocols will specify the requirements for technical interoperability of Good Health Pass implementations.
  5. Security, Privacy, and Data Protection will define the safety requirements for Good Health Pass compliant implementations.
  6. Trust Registries will specify how verifiers can confirm that a digital health pass has been issued by an authorized issuer.
  7. Rules Engines will define how digital health pass apps can access different sources of policy information to determine what test or vaccination status is needed for a specific usage scenario.
  8. Identity Binding will specify the options for verifying that the holder of a digital health pass is the individual who received the test or vaccination credential.
  9. Governance Framework will define the overall set of policies that must be followed for an implementation to qualify as Good Health Pass compliant.

COVID, Verifiable Credentials, Biometrics, Privacy

Converting the COVID CDC Vaccination Card into a standardized digital credential is turning out to be harder than expected. The conversation has become prominent in the news and risks being politicized to the detriment of public health efforts around the world.

  1. [Eric] Continuing updates from the Thoughtful Biometrics workshop (Biometrics and DIDs - where next?

Session Slides: https://docs.google.com/presentation/d/11K027LlitWljJu_XNTztqc6BGvhsD8JBX5OkavLEEMA/

Current Open Proposals: We will host another session (Day 2 Session 14 2:30 pm PT) to talk about these proposals

COVID-19, Good Health Pass Collaborative, Rules Engines, Verifiable Presentation Requests

The transition from contemporary access controls to SSI will need a metalanguage for access control rules in order to allow verifiers and holders to trust the transaction.  Not everyone will know how to write the complex branching and contextual rules logic that make up real life access controls.

Solution assumption with the Good Health Pass is revoking is not necessary as VCs are short lived (solution to invalid credential). Issuers will re-issue vs. revoke

In many cases, labs are providing incorrect information in vaccination records, which need to be re-issued

·         Still need to notify the holder that their (current VC) is invalid and they need to take action to resolve

·         Issuers asking what if we make a mistake (re-issue)

·         Holders having problems findin there vaccination VC

·         Many of the unresolved issues are governance/policy related (for which the “health authorities”) have not worked out the details

·         Policy providers are applying the brakes through in-grained bureaucracy to produce a perfect standard for their jurisdiction vs. rapidly evolving a common standard and “usable solution” in the short term.

·         Unclear on how to get VC and underlying data into the hands of holders, particularly as holders dont have the technology and skills to manage their health data.

·         Data privacy is an issue across each of the implementers and users of the Issuer, Holder and Verifier roles. Lack of common understanding and agreement on how and who owns and controls the data

·         WHO standard will likely be adopted in the Global South (hemisphere)

·         GHP looking to paint a forward looking common picture, including interim solutions (iterate standards)

·         The number of players (and their levels of understanding/expertise and agreement with the current direction) alone makes consensus very difficult

·         Paper credentials have been getting consensus on interim solutions.

·         W3C and WHO are great candidates.

·         Affinidi is making a universal verifier application (https://www.affinidi.com/)

Trust registries primarily answer the question of how a verifier can trust that an issuer is authoritative to issue a particular type of verifiable credential under the policies of a particular governance framework.

The importance and need for an Ethical framework/standards for the delivery technology development and implementations in healthcare. Apply the biomedical ethics that exist in healthcare to technology specifically SSI & user sovereignty.

"The physician must ... have two special objects in view with regard to disease, namely, to do good or to do no harm.”

Hippocrates, Epidemics (book I, section. 11) c. 410 BC

Autonomy respect for the patients right to self-determination

Beneficence the duty to do good.

Non-Maleficence the duty to do no harm.

Justice to treat all people equally and equitably for the benefit of society.

4 principles of biomedical ethics

No more in my everyday life have these four pillars been so important to me as they have been over the past year.

I clutched on to these while delivering care to patients gasping for breath, clinging onto life and some sadly succumbing to COVID-19.

  • [...]

Do we need a Covid vaccine passport whether this is paper based or digital?

If there is or are contexts where a vaccine passport would be more beneficial than not, what are the technical principles, implementations and considerations that need to be met to ensure that they are implemented to comply with medical ethics and law?

After all this is personal health information and therefore should be treated as such.

What problem are we really trying to solve with a Covid Vaccine Passport, Covid Passport, Covid credential, digital green certificate, or any other named health pass solution?

To do this there needs to be a basic understanding of this infectious disease, what tools we have currently to deal with it and address assumptions that have been made, many of which may change or are yet unknown such is the dynamic nature of a pandemic.

Reviving trust in safe travel is possible using digital identity and immunity credentials.

  • Travel bans, quarantines and lockdowns have negatively impacted the travel industry
  • Restoring trust and safety is paramount for travel, tourism and hospitality industries to recover
  • Self-sovereign identity (SSI) built on distributed ledger technology (like blockchain) and cryptography could be used to reinvigorate travel by allowing individuals to easily and securely demonstrate their immunity status

Already today, credentials are being used in a wide variety of applications, such as a digital identity card, a work permit or a test certificate. We would like to explain the functionality and potential use cases for credentials by following our protagonist called Sam, who has just completed a Covid-19 rapid test.

we are proud to launch the Global COVID Certificate Network (GCCN), an initiative to enable interoperable and trustworthy verification of COVID certificates between jurisdictions for safe border reopening. GCCN will include a global directory of trust registries to enable cross-border certificate verification, and be a home for toolkits and community-managed support for those building and managing COVID certificate systems.

Paul Knowles, Head of the Advisory Council at the Human Colossus Foundation, co-led the Standard Data Models and Elements drafting group, one of the nine interconnected GHPC drafting groups, to spearhead group recommendations on data elements, common models for data exchange, and semantic harmonization. The recommendations of that drafting group will help to enable data interoperability without putting any undue burden on existing health systems and workflows

Apple Announces Support for VCI credentials at WWDC (Almost proper JSON-JWT but not quite)

The EU previously announced fully vaccinated Americans could travel this summer and regional EU travellers could potentially use an EU Digital COVID Certificate as early as July 1.

We are starting a new research project — and wed like you to join us on the journey. Over the course of 2021, Qhala and Caribou Digital, with the support of the Mastercard Foundation, will work to understand the impact of COVID-19 on young womens experiences working or selling through online platforms in Kenya.

This paper explores the five key challenges facing the industry and the IT investment priorities that have the greatest potential to support governments, airports, and airlines over the next 18 months to rebuild a strong and agile business.

This is the mailing list for the US subgroup of the Vaccine Credentials Focus Group. You can see the group charter here.

Participating and contributing in this group requires a CCI membership, open and free to all (organizations and individuals). If you are not a CCI member yet, please request a membership agreement at https://www.covidcreds.org/#Join.

Decentralized identity solutions offer an ideal solution to the data privacy and identity risks associated with COVID-19 passports and other verification methods.

Health passes, though, are much more flexible as they provide multiple options. They can still be used as proof of vaccination, if the user chooses to share their health information in this way.

But, importantly and in a crucial difference from vaccine passports, they can also be used to securely display a test result, such as a negative PCR or rapid antigen test (also known as lateral flow tests) today. Additionally, they are also future-proofed for options such as rapid antibody test results when those come into play on a large scale.

Defining the Future of IoT with Distributed Identity Management

Dylan realizes that the identified design requirements correspond to properties that are typically solved by means of cryptography. To embed cryptographic methods securely in their network, VirGo needs to identify both a network architecture and an identity management paradigm that fulfill the design principles when they interact.

Dylan has identified the requirements towards their IoT network and possible secure network architectures. Still, two challenges remain unsolved: the configuration effort required to setup device APIs and communication protocols, and the question of how to securely identify and authenticate the devices.

Interoperability is a fundamental property of tech systems that are generative and respect individual privacy and autonomy. And, as a bonus, it makes people's live easier!

Ever since the Covid pandemic started in 2020, various groups have seen verifiable credentials as a means for providing a secure, privacy-respecting system for health and travel data sharing. This post explores the ecosystem of ecosystems that is emerging as hundreds of organizations around the world rise to the challenge of implementing a globally interoperable system that also respects individual choice and privacy.

Version 1 of the Ontario COVID Vaccine Certificate is a cumbersome experience that needs some work

What I observed is NOT a user-friendly experience for either the customer or the business. For the experience to be improved it needs to be a single presentation operation of either a paper or digital certificate that the business can verify in one step.

The advantage of a paper and ID card presentation ritual is that it is difficult to hack. So if we are going to improve the presentation with a single credential as above, privacy and security MUST be protected.

  1. The thing just has to work — This may sound like a no-brainer, but from our experience, this can be often overlooked. Want broad adoption? Your application must be fast and functional. If it causes too much friction people either wont use it or theyll look for ways around it.

This article discusses areas of law that are developing rapidly [...] our goal is to address some of the legal considerations that health certificates raise with respect to, and in the context of, the development of a comprehensive system of digital identity management.

fixes the pain points of other testing processes especially as infectious and asymptomatic people can test without travelling is cheap, eminently scalable, and can be used as secure proof of Covid health status where needed.

Though we often get lost in technologies, frameworks, legislation, and economic models, its ultimately the human aspect that will define the future of the digital identity industry. Bearing this in mind can determine the heights we scale and how quickly we can get there.

This post explores the ecosystem of ecosystems that is emerging as hundreds of organizations around the world rise to the challenge of implementing a globally interoperable system that also respects individual choice and privacy.

Together SITA and Indicio.tech utilized Hyperledger Aries, Ursa, and Indy to create a secure travel credential that is accepted by airlines, hotels and hospitality partners without sharing private health information. In this panel discussion, SITA and Indicio.tech will share their journey of applying verifiable credentials in commercial aviation and travel/hospitality to make it easy for visitors entering a country to share a trusted traveler credential based on their health status, yet revealing no personal information or health data privately and securely on their mobile device.

Binding an identity to a Verifiable Credential remains valid beyond the point of verification by being able to match a real-time biometric data point with one which was logged at the point of verification

Based on what Biden has said generally about public health, Beck believes the new administration plans to make "a big commitment to health equity and improving public health systems broadly," he said.

  • Covid Vaccinations Data Donor Program – A Proposal for the Scottish Government

    “The Scottish Government must invest in data, digital and technology in health and social care to help Scotland recover from Covid-19. Closing the data gap in the sector could be worth £800m a year and deliver savings of £5.4bn to NHS Scotland. SCD said better data would help to build resilience against future public health challenges, which in turn will drive a healthy economy.” - Scottish Council for Development and Industry

Our solution provides a platform for achieving exactly this, both in terms of equipping Scotland with a powerful integrated data environment and also through a framework where developers can further build on this with other apps for a myriad of other use cases. It could be tied in with the vaccination scheduling system as an immediate step for example.

What if people can prove their COVID status to different entities, prove that they are authentic and prove they were intended for them, without having to reveal any of their personal information; not even their names?

“We envision a world where your VeriFLY digital wallet will provide access to the places you and your family want to visit. And the ability to accept a vaccine health credential will accelerate opportunities to resume activities weve all dearly missed.”  – Tom Grissen, CEO, Daon

  • IATAs digital health passport paves the way to a new biometric identity for travel

    As FTE has previously reported, a number of other solutions have entered the digital health passport space in the past few months from various suppliers, including AOKpass, CommonPass, Daons VeriFLY, CLEAR Health Pass and IBM Digital Health Pass, just to name a few. Despite the growing competition, IATA is clear that its aim is not to dominate the market, but to make sure that standards are established to create a secure and interoperable solution.

  • Working Together on What “Good” Looks Like - Hyperledger

    This initiative is intended to define, in the context of test results and vaccination records for opening up borders for travel and commerce, a high bar for implementations of identity and credentialing systems to meet with regards to privacy, ethics and portability. They will also work with the implementers of such systems to converge towards common standards and governance.

Immunity passports' could speed up return to work after Covid-19 https://www.theguardian.com/world/2020/mar/30/immunity-passports-could-speed-up-return-to-work-after-covid-19 * What are, in your opinion, the riskiest assumptions when writing an Software Development Kit? * For you, what are the most promising SSI projects or repos? * What do you believe are the bottlenecks for the cross-ledger SSI? How soon can we see cross-ledger credentials exchanges? * What are the upsides of using Zero MQ over a common HTTP Rest connection? * How hard would it be to replace the current Transport Layer Security architecture with SSI? * Why was Rust chosen to write Indy-SDK? * Specific roadblocks other people in this space should look out for? * What are the books you have recommended most to others?

Building on Lessons from Digital ID for the Digital Yellow Card

Covid Vaccination Certificate will be a formidable challenge, not only to international cooperation, but because it will need to be implemented in the course of mass vaccination campaigns across countries with very different health management systems and ID systems and with a constantly evolving situation.

This is a thread to keep an eye on. >> Anil John writes:

Because I believe that this is an important conversation, I figure I would put together some high level slideware that synthesizes and shares the answers I have provided directly to those who have asked.  I am not in the hearts and minds business, so consider this in the spirit of the quote from Bruce Lee - "Absorb what is useful, Discard what is not, Add what is uniquely your own."

Happy to chat to share our mistakes, so that you don't need to repeat them, with those who have a public interest focus in this area.

Until the time digital records for vaccination are as simple and do not require a second thought around wallet/app/credential format etc - we have a long way to go before they are inevitable.

If you havent already you might want to check out this google sheet

As our community continues to grow and the pandemic situation keeps evoloving, this CCI Knowledge Base serves as a repository of ongoing COVID-19-related news, topics, researches and resources which are deem relevant to our community and digital identity technology. It aims to provide an up-to-date database for our CCI members to access relevant information quickly in one place whenever they need it, e.g. doing market research, developing their projects or simply keeping themseleves updated on the news.

If you'd like to submit relevant news or articles for the database, please go to https://bit.ly/2JfKbpf.

Any Covid-19 vaccine passport scheme set up in the UK could easily turn out to be discriminatory and invasive, and open the door to worse abuses of privacy in future, say security experts and campaigners.

[Research] Vaccine passports and COVID status apps Ada Lovelace Inst.

Not to late to contribute to this Ada Lovelace Institute Project the due date is Feb 28th

An evidence review and expert deliberation of the practical and ethical issues around digital vaccine passports and COVID status apps

Highlights from Ping Identitys Andre Durand, and Richard Bird on an episode of Pings new podast Hello User

we explore how the pandemic has opened up an opportunity to shape the future of personal identity.

  • Takeaway #1: We digitized much of our economy during the pandemic but neglected one important aspect: identity.
  • Takeaway #2: Third parties have much more control over digital identity than individuals.
  • Takeaway #3: Were on the cusp of a tectonic shift in the notion of digital identity.
  • Takeaway #4: The pandemic has accelerated the changes needed to shape the future of digital identity security.
  • Takeaway #5: Moving control of digital identity to the individual will dramatically change our current identity and access management systems.

Zada

ZADA apps are all launched and our first digital ID a COVIDPASS is being issued by Pun Hlaing Hospitals to everyone who gets vaccinated.

LFPH

The DIVOC project is hosted and maintained by Indias eGov Foundation and is available as an MIT-licensed open source software package DIVOC is also supported by various multilateral funding institutions, as well as a community of software contributors and adopters in various geographies. DIVOCs verifiable COVID credentials have also been tested for interoperability with several consumer-health and locker applications globally; and DIVOCs certificates from the adopter countries can now be scanned/read/ingested by these domestic and international applications.

Excelsior Pass Plus, a result of the strategic partnership between New York State and VCI, will provide New Yorkers safe access to retrieve a secure, digital copy of their COVID-19 vaccination record using the SMART Health Cards Framework - making their interstate and international travel and commerce experiences safer, contact-less, and more seamless.

This is the Use Case Implementation Workstream of the COVID Credentials Initiative (CCI). This workstream identifies privacy-preserving verifiable credentials (VCs) that are most useful to the COVID-19 response and provides a forum and platform for those who are implementing COVID VCs to present their projects/solutions.

Good Health Pass Blueprint and the Global Covid Credentials Initiative by LFPH presented at the DIF Interop Working Group

As more and more governments adopt major COVID certificate standards to reopen borders, the travel industry is working hard to catch up on their technology to meet the evolving travel requirements. However, there is still no shortage of complaints from travelers about their cumbersome international travel experiences.

LFPH Calls for Coordination of Digital Vaccination Records Using Open Standards

The CCI community collaborated with Linux Foundation Public Health to write a letter to the Biden Administration about how Verifiable Credentials could be used to support re-opening the economy.

Some states and other countries have started to pilot this approach, as have various industries like film and aviation. But, the inconsistent use of standards and varying implementations have already led to confusion and public concern. An effort coordinated at the federal level would lead most quickly to uniform adoption and true inter-state and cross-domain interoperability.

LFPH and our partner organizations are ready to collaborate with you on this.