Today the Appropriations Committee of the California Assembly held another hearing on A.B. 2004, a bill that would add to state law a provision that:
An issuer, including an issuer that is a public entity, of COVID-19 test results or other medical test results may use verifiable credentials, as defined by the World Wide Web Consortium (W3C) for the purpose of providing test results to individuals.
What does this mean? Why does it matter? Is it part of a larger pattern?
Our friends at the Electronic Frontier Foundation have published a critique of A.B. 2004 in the EFF “Deeplinks” blog. The analysis of the bill prepared by the staff of the Assembly Privacy and Consumer Protection Committee summarizes additional objections by EFF and the ACLU, Center for Digital Democracy, and Privacy Rights Clearinghouse.
As the legislative analysis points out, it’s unclear how the process enivisaged by the bill would work or why any new legislation is needed to authorize it. But there’s somewhat more clarity about the intent of the bill’s sponsor in the Assembly, and the Blockchain Advocacy Council that appears to be the real instigator of the proposed legislation:
The stated goal of A.B. 2004 is to enable the issuance of “immunity certificates” by which individuals could present “gatekeepers” with “proof” of COVID-19 or other medical test results, where such proof is required as a condition of access or passage.
There are problems with every aspect of that concept.
As EFF and the ACLU noted in a joint letter to Califirnia Assembly members:
Blockchain verified credentials would habituate people to present a digital token as a condition precedent to obtaining access to a physical space, and habituate gatekeepers to demand such digital tokens.
Who would these “gatekeepers” be? What would the basis be for their demands for “proof” of test results as a condition of access? To what places or activities would they be entitled to decide whether to grant or deny access? What would their qualifications be for passing judgment on the sufficiency of evidence or proof? What would be the evidentiary and procedural standards for that process of judgment?
None of these things are spelled out in A.B. 2004, leaving all of them ripe for abuse. No current law requires or authorizes anybody in California to demand proof of any particular result of a medical test as a condition of access or passage.
Checkpoints are per se a threat to individuals’ rights. Once checkpoints are in place, regardless of their original purpose, they can be transformed almost instantly into intrumentalities of total control, for containment and/or exclusion, merely by changing the algorithms for who is, and who is not, allowed to pass through, or by replacing the gatekeepers. Checkpoints for “immunity passports” have the same potential for abuse and mission creep as any other checkpoints.
The Berlin Wall didn’t need to be built overnight, and wasn’t. What changed overnight were the rules for who was allowed to pass through the checkpoints that already existed between “sectors” of Berlin. The exisitence of the formerly innocuous-seeming checkpoints was what made the quick change possible. The Wall itself was built up afterward.
Despite widespread discussion of a hypothetical “immunity passport”, there is currently no test that provides any scientific evidence of immunity to COVID-19. There are experimental tests for antibodies to the novel coronavirus that causes COVID-19. But according to the latest FAQ provided by researchers at the University of Califiornia at San Francisco medical school to the subjects of the state’s first community testing trials:
Does an antibody positive result mean I am protected from getting COVID-19 again?
We do not yet know if having antibodies protects you from future infection. You should still follow all precautions currently recommended by public health officials to protect yourself and others.
At this point in the pandemic, there is not enough evidence about the effectiveness of antibody-mediated immunity to guarantee the accuracy of an “immunity passport” or “risk-free certificate.” People who assume that they are immune to a second infection because they have received a positive test result may ignore public health advice. The use of such certificates may therefore increase the risks of continued transmission.
So promoting the myth of an immunity passport isn’t just useless, but is — according to the leading experts in California and the world — medically contraindicated.
But that’s not all that’s wrong with this idea.
For what it’s worth, there’s already an international standard for how travelers can carry and provide information, such as records of innoculations, that might be relevant to admissibility to other countries.
It’s not possible to prove immunity to a disease, but it is possible to provide documentation of vaccinations. Some countries require that individuals arriving from, or who have recently visited, countries where specified diseases are currently prevalent show evidence of having been vaccinated for those diseases within a specified period of time.
The standard way of providing this evidence, as specified by international health regulations of the World Health Organization, is the International Certitficate of Vaccination or Prophylaxis, (ICV). The ICV, more commonly referred to as the “yellow card” or “yellow book”, is a passport-size document printed on yellow card stock. Medical personnel administering vaccinations can record the details in the yellow card for each individual. Each individual can carry their yellow card with their passport, or choose not to carry it if they don’t wish to, and can choose whether, when, or to whom to show it.
Both the version of the yellow card distributed by the WHO and the US version issued by the CDC have spaces for the bearer to write in their passport number by hand. But there is no link from the yellow card, in either the WHO or CDC versions, to any other identity credential, biometric data, or database.
Presumably, a digital credential would be useful as “proof” that a test of a particular person has produced a particular result only if that credential was linked to that person though some other identifier. It would make no sense to issue a “credential” certifying that, “the bearer of the smartphone on which this digital certificate is installed” has been tested.
It might be desirable for cryptocurrency certificates to be freely tranferable or payable to the “bearer” or to anyone who knows the passphrase for a digital wallet. But the whole point of a system for providing evidence or proof of medical test results would be to prevent those results from being transferred from one individual to another.
In light of this, a further key defect in A.B. 2004 is that it doesn’t specify how the digital certicates it authorizes would be linked to individuals, or what evidence an indiivdual would be expected or required to produce to show that the digital certificate they are presenting pertains to test results about themself, and not someone else. Would digital certficates link medical test results to some physical identity credential such as a driver’s license? Or to some external database of identifying information? Or to biometrics? Each of these systems of identification poses its own additional problems.
Is this just a blockchain solution in search of a problem? Or is it also an opportunistic attempt to lay the groundwork for mandatory use of biometric identification?
Both government agencies and the biometric industry have been using the COVID-19 pandemic as a pretext to push pre-existing biometric ID agendas, especially with respect to travel, movement, and access control.
The International Biometrics and Identity Associaiton (IBIA), an industry lobbyiong grpoup whose priorities include “Support for deployment of a national biometric exit program”, has put out a call for its members to suggest ways that biometric identification schemes can be justified on the basis of the pandemic, including a suggestion to “Use face recognition, iris-at-a-distance, and touchless fingerprint readers to facilitate stand-off identification and authentication”.
One IBIA member, Vision Box — whose role in building Orwell’s airport we’ve been chronicling for many years — has rushed out a new white paper marketing biometric identification systems (all of which the company was already selling) as a way to “prevent the introduction, transmission and spread of communicable diseases by eliminating the need to touch potentially infected clearance points or exchange travel documents between airport staff and travelers [and] reduce the transmission of infectious diseases in transport hubs.”
Of course, the “need” to touch or exchange ID documents could even more easily be eliminated by eliminating demands for inspection of ID documents, especially for domestic flights. Airline tickets are already electronic, so only ID checks involve physical papers. Eliminate requests for inspection of ID, and any potential for transmission of disease through handling of identity documents would also be eliminated.
Some insiders have come to the same conclusion we have: The pandemic is being used as an opportunistic pretext to advance preexisting digital ID agendas. Last week Elizabeth M. Renieris, formerly a member of the advisory committee of another digital ID consortioum, the ID2020 Aliance, resigned in protest at the alliance’s push for “immunity passports”.
According to one report of her resignation email, Ms. Renieris said that:
Blockchain-enabled “immunity certificates” or “immunity passports” for COVID-19, if implemented by public authorities, would have serious consequences for our fundamental human rights and civil liberties…. This is 100% a hammer looking for a nail….
I cannot be part of an organization overly influenced by commercial interests that that only pays lip service to human rights. The stakes are simply too high at this stage.
US government agencies, for their part, are also seizing on the pandemic as an opportunity and excuse to push through biometric ID proposals that had been held up by public opposition.
Last December, we called attention to an obscure regulatory filing by US Customs and Border Protection (CBP) giving notice that CBP planned to propose regulations mandating mug shots for all US citizens traveling internationally. Just three days later, CBP backed down and claimed the official notice was all a mistake.
But the CBP plans, as we suspected, had only been postponed, not cancelled. In an IBIA podcast last month, the CBP official in charge of the project said that CBP once again planned to issue a Notice of Proposed Rulemaking (NPRM) for mandatory facial recognition of international travelers before the end of this year.
The pandemic is serious, and calls for carefully considered responses. “Because the pandemic” should no more trump science or civil liberties today than “because terrorism” should have trumped science or civil liberties after September 11, 2001. This should be an opportunity to learn from the mistakes of past panics, not to repeat them.