The purpose of this article is to review what could be the advantages and challenges of Digital Green Certificates.
A viable option to come out of the Covid-19 tunnel is the establishment of The “Digital Green Certificate,” which will enable safe and free movement as we, hopefully, move towards the end of the pandemic.
The European Commission has issued a legal proposal to build a shared and coordinated (trust) framework for the verification and acceptance of health certificates to use throughout the long and tortuous vaccination process.
All EU member states are involved, including Iceland, Liechtenstein, Norway and Switzerland.
The Digital Green Certificate – How it works
A Digital Green Certificate is a document that proves that a person:
- a) has been vaccinated against Covid-19; or
- b) has tested negative in the last couple of days; or
- c) has already recovered from the infection.
The certificate needs to have this basic information to be valid, but no other information is necessary.
It can be shown on paper or a smartphone, and it must be written in both English and the language of the issuing State.
Several questions still need to be answered:
- How can we ensure that the right to free movement in the EU is not trampled?
- How can we guarantee the security of personal and confidential data. In other words, can we help individuals return to everyday life without compromising their freedom and privacy?
This is a typical scenario where the concept of Digital Identity comes into play, as opposed to Self-Sovereign Identity (SSI).
Digital Identity can be multiple and potentially owned by countless Identity providers (IDP) which can control and password protect it. Self-Sovereign Identity does not require any central authority and could be advantageous for several reasons.
Any citizen can create a unique identity by themselves by attaching an asset of information and providing verifiable credentials using Distributed ledger technology.
This identity is composed of a set of claims that other legitimated institutions make about a user.
At the same time, it’s the citizen who has complete control of the identity. They decide what to do with it and choose when to show their credentials to a third party.For instance, when traveling or to prove they are of the legal age to buy alcohol.
The only information disclosed would be the person’s vaccination status, negative testing results, or recent recovery from the virus.
The main challenges for Tech companies and Israel’s experience.
The European Commission, on March 17, dictated only essential guidance for its Green Certificate to enable quarantine-free travel without specifying a particular app to support this process.
The Commission stated general rules for software developers, and that “it will build a gateway and help member states to develop a software for scan & check”,
To securely verify the certificate’s authenticity and validity, there will be a machine-readable QR code. This will allow the controller to access the user’s key data and digital signature.
This initiative has led to a global debate around privacy and ethical issues. Many European countries have raised concerns over privacy and social discrimination, so the success of the project will not be easy.
Israel’s experience, where a government’s “green pass” mobile app to access cinemas, theatres, hotels and gyms, has shown several security vulnerabilities within the app, did not encourage the other state members to follow the same path.
According to Orr Dunkelman, a computer science professor at the University of Haifa, the code was outdated. If an issue with the app was reported, the message would go to a personal email address of the employees of the Ministry of Health.
The challenges occurred because the app’s testing was too quick and the product was rushed to market.
Other systems, such as AOKpass and IBM’s Digital Health Pass, use firmer layers of Blockchain technology to address these problem.
Obviously, Self-Sovereign Identity can work only when there is the certainty that the entities which provide those claims can guarantee trustworthy, authentic details, and are actually allowed to release the information.
The mere adoption of a decentralised system does not necessarily guarantee that the information provided is reliable. This responsibility should be managed off-chain, requiring an agreement between all the bodies appointed to collect the data.