Uaegean.md

File metadata and controls

37 lines (29 loc) · 8.25 KB

Pilot a health observation policy case that serves the needs of efficiently managing people in conditions of a health crisis. The case should implement the specific, possibly “restrictive”, government policy applied in conditions of a public health crisis (such as the current COVID-19 crisis), while at the same time respecting the strict European personal data privacy requirements and the right of users to information about the rules and functioning of the observation facility. As a first approximation, the case will develop a framework for informing users about their health status, the potential health risk they might be facing and the restriction measures they might be required to comply with, as well as for helping them gain access to protected locations. This will be achieved by combining the anonymized health status and geolocation history of the users with their PII data in a privacy-preserving manner that prevents correlation between the two datasets. The proposed framework will also provide policy-makers with tools to contain and mitigate health threats and to restrict the further diffusion of an epidemic, without compromising citizens’ privacy. The use case will implement a “dynamic colour-coded policy” enabling: a) the differentiation of subjects in terms of their health status, b) the detection of gatherings with a significant concentration of infected people (or people with a high probability of being infected), c) the a posteriori assignment of health status as new information reaches the system and, finally, d) the safeguarding of locations with a high contamination risk.

Constraints

The COVID-19 epidemic shows that a policy of monitoring the health status and location of citizens in real time can help in “flattening the diffusion curve”, by restricting - for a limited period of time - the freedom of movement of people with a high “contamination potential”. But a technical system implementing such a policy may be authoritarian to the point of unreasonableness, and could even undermine fundamental provisions of the European Convention on Human Rights. The challenge lies in operating efficiently in times of health crisis, leveraging the effectiveness of a sophisticated observation system while respecting the rule of law and not compromising the privacy rights of individuals.

Innovation

A Health Status and Location Observation Facility is a clear challenge for European values, fundamental human rights and the democratic fight against “power politics”. It could however be feasible “under constraints”, with the use of Disposable Identities. Based on a Self-Sovereign Identity (SSI) architecture and a dynamic location registry, these disposable identities are cryptographically unrelated to a person’s real identity, respecting in this way the constitutional right of citizens to privacy. The disposable identity concept realizes a dynamic colour coding system that marks the health status of each citizen using Verifiable Credentials. The health status claim is associated with the citizen’s location data, and both can be considered parts of a unique “Disposable Yet Official Identity (DYOI)”. These disposable identities are issued by the competent healthcare authorities, are managed by the identity subject through a mobile wallet application, and are stored on the citizen’s phone in encrypted form. Most importantly, although official, they are not explicitly connected to the subject’s personal identity information or mobile ID; nevertheless, they can be anonymously verified (i.e. it can be cryptographically ensured that a DYOI is effectively related to the existing identity of a real citizen, and attributes such as age, country or city of residence can be disclosed if needed - but not personal identification data). Additionally, a user can at any time prove ownership of a DYOI if required to.

High-level technical description

A Disposable Yet Official Identity (DYOI) realizing the color coding monitoring system consists of three (3) Verifiable Credentials anchored on two different DIDs (Decentralized Identifiers):

  • A Health DID, on which the Verifiable Credentials describing the subject's health status and location are anchored
  • A Personal Identity DID, on which the Verifiable Credentials carrying the subject's PII data (always stored encrypted under a key that only the subject controls) are anchored; it is different from any DID previously issued to the subject for other SSI applications (e.g. civic identity, passport, student identity).

The Health DID can be stored in the databases of national Health Systems (to be deleted after the end of the crisis cycle), while the Personal Identity DID can be stored only by the IdPs that provide identification services. These two DIDs are never presented simultaneously to any party, which prevents correlation between them and is what protects the privacy of the users.

A subject registered with the Observation Facility will immediately become the owner of two Verifiable Credentials issued by different VC Issuers (and stored in the subject’s wallet):

  • A Verifiable Credential (Identity VC) issued by an IdP, containing the subject’s personal identity information (the main data set of their national digital identity, or the eIDAS eID minimum data set), anchored on the subject’s Personal Identity DID
  • A Verifiable Credential (Health VC) issued by a Health Provider, containing the subject’s health status attribute, represented for verification purposes by a coloured barcode (green for healthy, yellow for recovered, orange for compromised, red for infected), anchored on the subject’s Health DID. Additionally, the user issues a third credential to the Observation Facility:
  • A GDPR Consent Verifiable Credential (Consent VC). This VC is generated by the user's wallet app, signed with a key associated with the Health DID, and names the DID of the Observation Facility as its subject. It expresses the consent given by the user to the Observation Facility to process the user's location data and associate them with the user's health status for as long as the crisis lasts. If special circumstances arise (e.g. the user is marked as “immune” by the system) the user may be able to revoke this consent.
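
A worked example of this data model, added here and not part of the original case description or of any UAegean code: two cryptographically unrelated Ed25519 DIDs per subject, an Identity VC and a Health VC issued by different issuers, a Consent VC self-issued from the Health DID with the Facility DID as its subject, and a wallet-side check that refuses any presentation which would expose both DIDs to the same party. The `did:example` method, the raw-Ed25519 proof format, the credential type names, the `familyName` attribute and all key material are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Credential is a minimal W3C-style Verifiable Credential. The proof format (a raw Ed25519
// signature over the canonical JSON of the credential without its proof) is an assumption.
type Credential struct {
	Type    []string          `json:"type"`
	Issuer  string            `json:"issuer"`
	Subject map[string]string `json:"credentialSubject"`
	Proof   map[string]string `json:"proof,omitempty"` // verificationMethod, proofValue
}

// Resolver stands in for DID resolution. NewDID mints a hypothetical did:example identifier;
// a deployment would use did:key or a ledger-anchored DID method.
type Resolver map[string]ed25519.PublicKey

func NewDID(r Resolver) (string, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	did := "did:example:" + base64.RawURLEncoding.EncodeToString(pub)
	r[did] = pub
	return did, priv
}

// payload is what gets signed; encoding/json sorts map keys, so it is deterministic.
func payload(c Credential) []byte {
	c.Proof = nil
	b, _ := json.Marshal(c)
	return b
}

func Sign(c Credential, issuerDID string, priv ed25519.PrivateKey) Credential {
	sig := base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, payload(c)))
	c.Proof = map[string]string{"verificationMethod": issuerDID + "#key-1", "proofValue": sig}
	return c
}

// Verify checks the signature AND that the proof key belongs to the stated issuer; without
// the second check anyone could self-sign a "Health VC" that names a real Health Provider.
func Verify(r Resolver, c Credential) error {
	if c.Proof["verificationMethod"] != c.Issuer+"#key-1" {
		return fmt.Errorf("missing proof or proof key does not belong to issuer %s", c.Issuer)
	}
	sig, err := base64.RawURLEncoding.DecodeString(c.Proof["proofValue"])
	if pub, ok := r[c.Issuer]; !ok || err != nil || !ed25519.Verify(pub, payload(c), sig) {
		return fmt.Errorf("unresolvable issuer or bad signature")
	}
	return nil
}

// DYOI is one subject's wallet: two cryptographically unrelated DIDs and the three credentials.
type DYOI struct {
	HealthDID, IdentityDID    string
	Identity, Health, Consent Credential
}

// Unlinkable reports whether these credentials can be shown together without revealing
// more than one of the subject's DIDs (as issuer or as subject).
func (d *DYOI) Unlinkable(creds ...Credential) bool {
	seen := map[string]bool{}
	for _, c := range creds {
		for _, x := range []string{c.Issuer, c.Subject["id"]} {
			if x == d.HealthDID || x == d.IdentityDID {
				seen[x] = true
			}
		}
	}
	return len(seen) <= 1
}

// Enrol issues one DYOI against freshly minted IdP, Health Provider and Facility DIDs;
// the identity attribute is a constructed sample value.
func Enrol(status string) (*DYOI, Resolver) {
	r := Resolver{}
	idp, idpKey := NewDID(r)
	hp, hpKey := NewDID(r)
	facility, _ := NewDID(r)
	identityDID, _ := NewDID(r)
	healthDID, healthKey := NewDID(r)
	d := &DYOI{HealthDID: healthDID, IdentityDID: identityDID}
	d.Identity = Sign(Credential{[]string{"VerifiableCredential", "IdentityCredential"}, idp, map[string]string{"id": identityDID, "familyName": "Doe"}, nil}, idp, idpKey)
	d.Health = Sign(Credential{[]string{"VerifiableCredential", "HealthStatusCredential"}, hp, map[string]string{"id": healthDID, "status": status}, nil}, hp, hpKey)
	// Consent VC: the subject's own Health DID is the issuer, the Facility DID is the subject.
	d.Consent = Sign(Credential{[]string{"VerifiableCredential", "GDPRConsentCredential"}, healthDID, map[string]string{"id": facility, "purpose": "location and health-status processing"}, nil}, healthDID, healthKey)
	return d, r
}

func main() {
	d, r := Enrol("orange")
	fmt.Println("health+consent to facility: unlinkable =", d.Unlinkable(d.Health, d.Consent), "verified =", Verify(r, d.Health) == nil && Verify(r, d.Consent) == nil)
	fmt.Println("identity+health together: unlinkable =", d.Unlinkable(d.Identity, d.Health))
}
```

The issuer/proof-key match in `Verify` is the check most often missing from home-grown VC code: without it, the Consent VC (signed with the subject's own Health DID key) can simply be relabelled as issued by the Health Provider, which is exactly how a self-declared green status would be forged. Expiry, revocation of the Consent VC and a real DID method are left out of the example.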


Finally, the Facility registers in a Dynamic Location Registry the geographical locations visited by subjects (obtained from the connected sources), together with the duration of their stay at each location (entry and exit time). Location data are linked to the user only through the Health DID. Here too, keeping the two DIDs separate preserves the anonymity of the location information in the same way that it preserves the anonymity of the health status data.
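
An added example (not the project's code) of what the Dynamic Location Registry can compute from Health-DID-keyed rows alone: the gathering detection (b) and the a posteriori re-assessment hook (c) listed at the top of the page. The location names, the pseudonyms h1..h6, the timestamps and the choice of orange and red as the "risky" colours are constructed assumptions; the threshold k and what is done with the contacts of a subject who later turns red are policy decisions the page leaves to policy-makers.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Visit is one Dynamic Location Registry row, keyed by Health DID only; no Identity DID or PII beside it.
type Visit struct {
	HealthDID, Location string
	Entry, Exit         time.Time
}

// Registry holds the visits and the latest colour code per Health DID.
type Registry struct {
	Visits []Visit
	Status map[string]string // green, yellow, orange or red
}

// Gathering is a location and the instant at which the number of co-present "risky"
// (orange or red) subjects peaked: the page's "significant concentration" signal.
type Gathering struct {
	Location string
	At       time.Time
	Risky    int
}

// Gatherings sweeps each location's entry/exit events in time order and reports the
// locations where the peak number of co-present risky subjects reaches k.
func (r *Registry) Gatherings(k int) []Gathering {
	type event struct{ t time.Time; delta int; risky bool }
	byLoc := map[string][]event{}
	for _, v := range r.Visits {
		rk := r.Status[v.HealthDID] == "orange" || r.Status[v.HealthDID] == "red"
		byLoc[v.Location] = append(byLoc[v.Location], event{v.Entry, 1, rk}, event{v.Exit, -1, rk})
	}
	var out []Gathering
	for loc, evs := range byLoc {
		// Exits sort before entries at equal timestamps, so back-to-back visits are not an overlap.
		sort.Slice(evs, func(i, j int) bool {
			if evs[i].t.Equal(evs[j].t) {
				return evs[i].delta < evs[j].delta
			}
			return evs[i].t.Before(evs[j].t)
		})
		best, risky := Gathering{Location: loc}, 0
		for _, e := range evs {
			if e.risky {
				risky += e.delta
			}
			if risky > best.Risky {
				best = Gathering{loc, e.t, risky}
			}
		}
		if best.Risky >= k {
			out = append(out, best)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Location < out[j].Location })
	return out
}

// Contacts lists the Health DIDs that overlapped with did in place and time: the hook for
// "a posteriori" status assignment when did later turns red, still without any Identity DID.
func (r *Registry) Contacts(did string) []string {
	seen := map[string]bool{}
	for _, v := range r.Visits {
		for _, o := range r.Visits {
			if v.HealthDID == did && o.HealthDID != did && o.Location == v.Location &&
				v.Entry.Before(o.Exit) && o.Entry.Before(v.Exit) {
				seen[o.HealthDID] = true
			}
		}
	}
	out := make([]string, 0, len(seen))
	for d := range seen {
		out = append(out, d)
	}
	sort.Strings(out)
	return out
}

// SampleRegistry is constructed data: six visits by pseudonyms h1..h6 across two places.
func SampleRegistry() *Registry {
	at := func(hhmm string) time.Time { t, _ := time.Parse(time.RFC3339, "2020-04-01T"+hhmm+":00Z"); return t }
	v := func(did, loc, in, out string) Visit { return Visit{did, loc, at(in), at(out)} }
	return &Registry{
		Status: map[string]string{"h1": "red", "h2": "orange", "h3": "green", "h4": "red", "h5": "green", "h6": "red"},
		Visits: []Visit{
			v("h1", "pharmacy-12", "10:00", "10:30"), v("h2", "pharmacy-12", "10:15", "10:45"),
			v("h3", "pharmacy-12", "10:20", "11:00"), v("h4", "pharmacy-12", "10:40", "10:50"),
			v("h5", "cafe-7", "12:00", "12:30"), v("h6", "cafe-7", "12:30", "13:00"), // back to back, no overlap
		},
	}
}

func main() {
	r := SampleRegistry()
	fmt.Printf("%+v\n", r.Gatherings(2))
	fmt.Println("contacts of h1:", r.Contacts("h1"), "of h5:", r.Contacts("h5"))
}
```

Note that these rows are pseudonymous rather than anonymous: a stable Health DID ties all of a subject's visits together, so the privacy argument rests entirely on the Health DID never being shown next to the Identity DID, not on anything in the registry itself.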

Main features of a DYOI: A DYOI has the following main characteristics:

  • It is an emergency identity, and thus temporary, in the sense that it is meant to be discarded after the passing of the health crisis for which it was created
  • It is anonymous, in the sense that the DYOI data are anonymized by design, being contained in a different VC from the one holding the subject’s personal data (monitoring the users’ health status and location is necessary for dealing effectively with an epidemic, but this does not mean that the subject’s personal data have to be exposed). Strictly speaking the Health DID is a stable pseudonym, so a subject’s health and location records remain linkable to each other; unlinkability to the person rests on the two DIDs never being presented together
  • It is an official identity, in the sense it uniquely characterizes its possessor and is issued by an authoritative source
  • It is dynamic, in the sense that the user’s health status and location are time stamped and, as a result, it reflects the evolution (in real-time) of a subject’s condition during a time of health crisis.