EFF opposes a California bill, A.B. 2004, that would authorize the issuers of COVID-19 test results to do so with digital verifiable credentials. This bill would take us a step towards national digital identification, create information security risks, exacerbate social inequities in access to smartphones and COVID-19 tests, endorse one solution to an evolving technological problem, and fail to limit who may view credentials of test results. The bill also would not effectively advance its stated goal of addressing the COVID-19 outbreak.
What This Bill Does
The official bill analysis for A.B. 2004 states that the “purpose of the bill” is to “authorize the use of blockchain-based technology to provide verifiable credentials for medical test results, including COVID-19 antibody tests …” The bill’s author wrote that such credentials could be used for “returning to work, travel or any other processes wherein verification of a COVID-19 test would be needed.” The analysis states these credentials could be used as “‘immunity certificates’ for antibody tests in order to resume economic activity,” and might encourage people to participate in automated contact tracing.
The text of A.B. 2004 proposes to do this by saying public entities and other issuers of “COVID-19 test results or other medical test results may use verifiable credentials, as defined by the World Wide Web Consortium (W3C), for the purpose of providing test results to individuals.” The bill also requires that such credentials must follow certain W3C specifications, specifically based on the “Verifiable Credentials Model” the W3C published in November 2019. This model identifies “distributed ledgers” as one example of “verifiable data registries.
A Worrying Step Towards National Digital Identification
EFF has long-opposed mandatory national identification systems. These schemes, as used today in numerous countries, typically assign an identification number to each person. Each individual must then use it for a broad range of identification purposes. Such schemes facilitate government surveillance of all occasions when people use their identification. Large amounts of personal information are linked to the identification number and stored in a centralized database. The requirement to produce identity cards or numbers on demand habituates people into participating in their own surveillance.
For these reasons, we oppose the federal “Real ID” law, which creates a vast federal database linking together state-issued identifications. Likewise, we are troubled by digital driver’s licenses, because they might be used to aggregate data about all the occasions when people use their driver’s license as identification.
Obviously, a system of blockchain verified credentials would have important differences from such national identification and digital driver’s license schemes, because blockchain is a decentralized public ledger. Still, blockchain verified credentials would make it a normal practice for people to present a digital token as a condition to entering a physical space, and for gatekeepers—such as security guards or law enforcement officers—to demand such digital tokens. Such a system could be expanded to document not just a medical test result, but also every occasion when the subject presented that result to a gatekeeper. It could also be expanded to serve as a verified credential of any other bit of personal information that might be relevant to a gatekeeper, such as age, pregnancy, or HIV status. And all of the personal information associated with a blockchain verified credential could be linked to other digital record-keeping systems.
Presenting Digital Credentials Creates New Information Security Risks
We have information security concerns surrounding the moment when a person presents their digital verifiable credential to a gatekeeper. If the digital credential is an image in the person’s phone, then the person must unlock their phone to show it to the gatekeeper. This creates inherent risk that the gatekeeper will physically seize the phone, and examine or even copy the personal information inside the unlocked phone. This risk is especially high if the gatekeeper is a police officer or other government official.
Alternatively, the verified credential might be electronically transmitted from the person’s phone to the gatekeeper’s device. But such transmission would create a new threat vector for adversaries to surveil or steal both the transmitted credential and other information inside the person’s phone.
Smartphone-Based Credentials Don’t Account for Broader Social Inequities
We have social equity concerns about a smartphone-based system of digital verified credentials of COVID-19 test results. About one-in-five people in the United States do not have a smartphone, according to a Pew Research Center study in 2019. The smartphone “have-nots” include 47% of people who are 65 or older, 34% of people who did not graduate from high school, 29% of people who earn less than $30,000 per year, and 29% of people living in rural areas. Moreover, there are racial and ethnic inequities in access to COVID-19 testing, among other inequities in access to COVID-19 health care.
Thus, if our society deploys smartphone-based verification credentials of COVID-19 test results as the primary system to control access to public spaces like offices and schools, that would aggravate existing inequities in access to both smartphones and COVID-19 testing.
A.B. 2004 Endorses A Single Way to Solve A Technological Problem
Technologies often change faster than laws, and unpredictably so. As a result, a rule that seems sensible today can easily become a security weak point tomorrow. So, it’s an EFF principle that legislators should avoid endorsing one technological approach while discouraging others.
Unfortunately, A.B. 2004 endorses one approach for developers in California who seek to build digital verified credentials of medical test results. Although the W3C’s Verifiable Credentials Data Model is not itself a limit on technological development, A.B. 2004 amounts to one, by singling out a particular verifiable-credential scheme as the favored approach. The bill thus disfavors other possible data delivery and storage solutions.
A.B. 2004 Has No Limits on Who May View a Verified Credential
A.B. 2004 authorizes the issuers of medical test results to do so with verifiable credentials. But it does not limit to whom such results may be issued, or upon who’s authority. It is not clear how the bill would interact with existing medical privacy laws like HIPAA and California’s Confidentiality of Medical Information Act. Also, according to the W3C Model on which the bill is built: “The persistence of digital information, and the ease with which disparate sources of digital data can be collected and correlated, comprise a privacy concern that the use of verifiable and easily machine-readable credentials threatens to make worse.”
Thus, the bill is a blank check to issuers to disseminate a verified credential, without first obtaining consent from the subject of that credential.
This Bill Would Not Effectively Advance Its Stated Goals
Finally, when government proposes to use a technology, in the name of solving a problem, in a way that burdens our freedoms, we must ask: has the government shown the technology would be effective at solving the problem? If not, the burdens on our freedoms are not justified. Here, the proponents of using digital verified credentials of COVID-19 test results have not shown that this technology would help address the outbreak in a manner recommended by the public health community.
First, there is an inherent problem with using verified credentials for the results of any medical test involving COVID-19: while the credentials might establish that a particular person received a particular result from a particular test, the credentials cannot establish the validity of the underlying test. Any negative test result for the presence of the virus can be a false negative, meaning the test subject has the virus but the test erroneously reports they do not. Some COVID-19 tests have a false negative rate of as high as 15%. A verified credential of a negative test result implies “this person does not have COVID-19,” but a negative test result actually means only “this person probably does not have it.”
Second, one of the bill’s stated goals is to establish digital verified credentials showing whether a person is immune from COVID-19. But no immunity test currently exists. As the World Health Organization recently concluded: “There is currently no evidence that people who have recovered from COVID-19 and have antibodies are protected from a second infection.”
Third, one of the bill’s stated goals is to establish digital verified credentials for purposes of screening people for entry to public places, based on whether or not they present a health threat to others. But while digital verified credentials might be suited to facts that are highly static, such as whether a person is older than 21, they are poorly suited to facts that commonly change over time, such as whether a person is pregnant. Indeed, the abstract of the W3C’s Data Model provides use cases that are highly static: whether a person has obtained a driver’s license, a university degree, or a passport. Here, on the other hand, digital verified credentials of negative virus test results would only show non-infectiousness at an earlier point in time, potentially days or weeks before a person presents their credentials to a gatekeeper. In the meantime, the person might have been infected. Worse, the immutability of the blockchain might allow that person to continue to present gatekeepers with test results showing non-infectiousness—even after a subsequent test shows infectiousness.
Fourth, one of the bill’s stated goals is to encourage people to use contact tracing apps. But in the ascendant versions of such apps in the United States, such as the Apple-Google Bluetooth-based “exposure notification” system, people only share ephemeral identifiers with each other’s phones and sometimes with a shared server, and never share medical test results with either. Likewise, while a testing authority may give an infected person a credential that allows them to upload their ephemeral identifiers to the shared server, the testing authority does not share that person’s test results with anyone. In short, contact tracing apps in the United States should not and generally will not involve the transfer of medical test results. So, there is no reason that a new system of verified credentials of test results would encourage a person to download a contact tracing app.
Blockchain Verified Credentials Will Not Help End This Crisis
Blockchain holds promise to help solve some problems in a decentralized way, such as privacy-protective digital currencies. But the use of blockchain, or other digital verified credentials, to prove COVID-19 test results will not help address the current public health crisis. Instead, it will create new problems for data privacy, social equity, and technological innovation. Thus, EFF opposes California A.B. 2004.
You can read our opposition letter here, which is co-signed by the ACLU of California.
Wednesday 20th May 2020 9:11 pm