1A/ Biometric COVID Verifiable Credential

From IIW

Biometric COVID Verifiable Credential

Tuesday 1A

Convener: Adrian Gropper / Eric Welton

Notes-taker(s): sankarshan, Neil Thomson (edits, additions)

Tags for the session - technology discussed/ideas considered:

COVID, Verifiable Credentials, Biometrics, Privacy

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps

Biometric Health Card (Adrian Gropper): bit.ly/biometricVC

  1. [Eric] Continuing updates from the Thoughtful Biometrics workshop (Biometrics and DIDs - where next?)

    1. Vocabulary for understanding the last diagram in the above link

      1. IBV = initial biometric vector (stored during enrollment - raw or processed)

      2. CBV = candidate biometric vector (ephemeral material used during verification session for matching against IBV)

    2. Historical occurrence of the term ‘biometric’ in DID-Core specification (initially added in 05Nov2017 - about a way to authenticate to a DID); subsequently removed 01Dec2020 (PR#459)

    3. DIDs are effectively key centric (biometric control, biometric authentication are no longer part of the specification/code)

    4. ‘I am not a key, I am a person’ does not map well to a key based mapping and management

      1. Self-sovereignty based on who I choose to be

    5. Illusion of biometric control - originating from habit based trust around the everyday usage experience

      1. Biometrics as credentials? Can mathematical techniques be used safely to authenticate (instead of just limited to unlock a secured enclave)?

      2. Alternatives (see slide); possible presentation from Finema (get rid of keys)

  2. [Adrian] Successfully recovered from a computer crash and joined the session :)

    1. The novel concept of how to deal with the severe privacy issues with any kind of COVID-19 credentials - purely about how the fraud and privacy issues can be dealt with.

    2. The approach is simple and based on the fact that people can recognize a face that might be put into the center of a QR code (as an example). Reliably hash the photo on the credential - and you don’t have to go back to any datastore. (see Biometric Health Card link above)

      1. [Robert M] is this about overall biometrics or limited to facial recognition?

        1. [Adrian] this would only apply to things which are human recognizable; but not for say, a signature

      2. [Dan Bachenheimer] Global Entry is fingerprint based transitioning to face recognition - face on receipt is for administrative purposes not for automated facial recognition

      3. [Michael Shea] https://www.researchgate.net/publication/283473746 : about a constructed image that can potentially pass human and automated recognition. [Dan B] Photo morphing is a KNOWN, REAL problem with passports today; specifically those where photos are sent to the passport agency (i.e., non live capture). NIST has proven that modern Face Recognition Technology (FRT) is more accurate at recognizing unfamiliar faces

    3. For the QR code to stand-alone without phone-home, you’ll need to embed the hash rather than the actual photograph

    4. 3 unique use cases to understand the rights and privacy aspect of this proposal (see document at the Biometric Health Card link above)

      1. Please add comments directly to the document

      2. [Robert] Eric mentioned that digital identity controlled by public/private key instead of biometrics is a friction around how individuals would prefer to manage their identities

      3. [Dan B] the photo is for a human to say that it ‘looks like the person’ while the hash provides the tamper-evident nature of the credential

        1. Is the photo sufficient for a human to be able to conclude definitively that the photo and the actual human are the same?

      4. This approach could address the topics arising from hesitancy around digital vaccination credentials

      5. [Hunter Cain] Should not the aim be taking out human verification altogether?

        1. [Adrian] Not ideal to move towards the direction such as CLEAR. It is necessary to be very careful not to introduce a system of ambient surveillance (there is no law/regulation which prevents this in US and EU). A system that is ‘good enough for machine readability’ is going into FRT and is very likely to be prohibited by law.

        2. [Dan B] it is possible to have a handheld device that is not connected to the internet that can read and match with software installed on a kiosk

        3. [Adrian] This approach could be a way to bring the SSI and decentralized identity together to limit forgery in a privacy preserving way.

          1. [Dan B] for instance the presentation of a vaccination record does not need first name, last name or DoB etc. Having a photograph and the record is sufficient to establish the proof of vaccination

          2. [Adrian] will be running a session on HI of One on Day2

          3. [John C] solving a binding problem between the photo and the credentials. How do we also establish the integrity of the credentials?

    5. [Mahesh Balan] use an accredited 3rd party (e.g., equivalent of a civil law notary (France, Quebec)) to create biometric (including photo, fingerprints, retinal scan...) from capture to Verifiable Credential. This provides control of the VC process to the owner.

      1. [Adrian] this would apply if the issuer (lab) has used a separate VC (e.g., driver’s license) to validate you prior to a vaccination (certificate) being issued by the lab (which would be provided to the notary -> Verif Cred). This would preserve the chain of trust (in the VC)

      2. Could have an issuer who checks VCs, but doesn’t apply identifying information on the vaccination certificate

      3. Could use a separate DID for each certificate/VC

      4. Call for discussion on Policy with regards to this proposal (outside scope of this session)

      5. [Adrian] - Lots of people pushing business interests onto Good Health Pass (GHP) and other COVID related VCs, identity which is politicizing the issue

      6. [Robert Mitwicki] - can we talk about a VC (including biometric based) without being associated with a Holder (and their wallet)? A VC independent of any DID

      7. [Adrian] Not sufficient. The problem with more than low fidelity biometric information (as per the 512 byte image in QR code) is adapting that to a VC using a QR code - size of data limitation.
        Industry looking for “do not need to call home” verification standard. What the Health Card industry (and GHP WG) is struggling to figure out

      8. Many organizations and public groups (incl. MIT) are unwilling to violate what they see as privacy issues

      9. [Terry Hayes] - concern with verifiability of pixelated images being shown as examples.

      10. [Notetaker addition]: there is an inherent problem with face colouration and lighting that either geometry or facial feature (human recognition) does not work well unless there is high contrast in the photo to pick out differentiating facial features.

More to follow in coming sessions
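
The hash-in-the-credential idea from the notes above (photo shown for a human, hash for tamper evidence, no phone-home), sketched as an added example that is not code from the session or from the Biometric Health Card document. The field names, the sample record and the use of an Ed25519 issuer signature over the claims are assumptions made for illustration.

```javascript
// Added example: offline verification of a credential bound to a photo by hash.
// Assumptions: claim field names, sample values, Ed25519 as the issuer signature.
const crypto = require("crypto");

const sha256Hex = (bytes) => crypto.createHash("sha256").update(bytes).digest("hex");

// Deterministic serialization (flat object, sorted keys) so both sides sign the same bytes.
const canonical = (obj) => JSON.stringify(obj, Object.keys(obj).sort());

// Issuer: embed the photo hash (not the photo) in the claims, then sign the claims.
function issueCredential(record, photoBytes, issuerPrivateKey) {
  const claims = { ...record, photoSha256: sha256Hex(photoBytes) };
  const sig = crypto.sign(null, Buffer.from(canonical(claims)), issuerPrivateKey);
  return { claims, signature: sig.toString("base64") };
}

// Verifier: needs only the issuer public key and the photo presented with the QR code.
function verifyOffline(credential, presentedPhoto, issuerPublicKey) {
  const { claims, signature } = credential;
  const sigOk = crypto.verify(null, Buffer.from(canonical(claims)),
    issuerPublicKey, Buffer.from(signature, "base64"));
  if (!sigOk) return "REJECT: claims altered or not signed by this issuer";
  const expected = Buffer.from(claims.photoSha256, "hex");
  const actual = crypto.createHash("sha256").update(presentedPhoto).digest();
  if (expected.length !== actual.length || !crypto.timingSafeEqual(expected, actual))
    return "REJECT: photo does not match the hash in the credential";
  return "OK: show the photo to a human for comparison with the holder";
}

// Constructed sample data: 512 random bytes stand in for a low-resolution photo,
// and the record carries no name or date of birth.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const photo = crypto.randomBytes(512);
  const record = { vaccine: "EXAMPLE-VAX", dose: 2, date: "2021-04-01" };
  const vc = issueCredential(record, photo, privateKey);
  const swapped = crypto.randomBytes(512); // someone else's photo
  const forged = { ...vc, claims: { ...vc.claims, photoSha256: sha256Hex(swapped) } };
  return {
    genuine: verifyOffline(vc, photo, publicKey),
    swappedPhoto: verifyOffline(vc, swapped, publicKey),
    reHashed: verifyOffline(forged, swapped, publicKey),
  };
}
console.log(demo());
```

The check only establishes that the photo and the record are the ones the issuer signed; whether the photo looks like the person presenting it remains the human judgement discussed in the session.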