Self Sovereign Identity Technology Demo and Ask Me Anything
Self Sovereign Technology Demo and Ask Me Anything (AMA)
Day/Session: Wednesday 4A
Convener: Doc Searls
Notes-taker(s): Doc Searls & Adrian Gropper
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Recapped the demo.
-3 components (3 GitHub repos)
-UMA AS (authorization servers)
-NOSH (new open source health)
-Trustee directory, a record locator and encounter time service.
-First two are self-sovereign to an individual and can attach themselves to one or more of the directories. The directories are self-sovereign in that each sets their bundle of policies such as how patients are discovered or monetized. There’s no central platform.
-Plus a uPort component, doing digital signatures and authorization. Staying as close as possible to the DID spec. Open to Sovrin when it comes along as well and other DID / VC methods when they become available.
-uPort is a credential wallet and in that role it accepts credentials as well. It is also a method by which the wallet and the DID link to Ethereum for accountability of the credentialed users.
-The HIE of One Directory is one specific example. Provides a way for a patient to be discovered. View on screen is of patients, each with their HIE of One Trustee.
-Under trustee Authorization Server for Adrian, this is the doctor logging in to the patient's server. He or she scans a QR code with uPort Mobile App. The doctor as an SS entity logs in to the patient's HIE. Dr. sees the patient's EHR (electronic health record). If the patient doesn't have his own domain a directory can provide a subdomain. Directories can also act as proxies with limited access to the patient’s personal data.
-From the patient's view, it's the same NOSH EHR screen but with a consent table button. The consent table is the embodiment of UMA, OAuth and OpenID Connect, with many choices provided by the different standards.
-There are four sections, or consent categories: Resource Server, Invited User, Certifier and Directory, with a legend at the bottom. The patient can control permissions: all, read only, Allergies and Meds, Care Team List, and Custom Policy (under invited users).
-Under certifier, it's Read Only, Clinician, Family and Custom Role.
-This is all about delegation and capabilities to avoid the temptation to share identities.
-This is not a patient engagement thing. It's a view of the plumbing behind what the patient engages, which is the Navigator or some other trusted intermediary.
-What Adrian is looking for...
-How do we drive UMA rather than OAuth? UMA allows delegation so you're not stuck with sharing logins and passwords, which does not scale. But we are having trouble, for political and business reasons, getting institutions to come along.
-Financing. It's very hard to say something is self-sovereign if there's a walled garden, such as Apple has. Who will pay for it? There will be a thing for the home to back up the server in the cloud. How do you finance and scale something like that? Can't sell equity. Might look like a utility token.
-Hard to sell insurance companies. They live and die by proprietary data.
-Could be a coop.
-This is most appealing to patients spending a lot of money out of pocket. No shortage of those.
-If you can solve the problems of reputation, matchmaking and support, you don't need the Uber or AirBnB of this, or something like it.
-The costs of systems controlled by large entities are immense.
-Question: "Sounds like Henrietta Lacks 2.0."
-"If you're sick with cancer and costing the system, it's not unreasonable to assume that it will cost $0.5 million to get best available care." "The way secrecy works in the business of medicine has to change."
-"What happens if the homeless guy loses his QR code?" "That's why you have the directory. The Navigator will have that."
-This is about having a bulletproof way to do delegation and recovery...
-SSI for the professionals will offer many ways to disintermediate their hospitals as “platforms”.
-Surveillance capitalism, the current system, takes no risk.
-There may have to be an UMA 3 to do multi-party delegation - in response to what AK wants in chained delegation / revocation.
-Locations for repos: hieofone.org.
-M: the UK situation is similar. Both have many Epics hired by the NHS.
-The issue is behavioral change. But the value of data is understood, and people want to hold it more closely.
-The $500k cost per individual situation is not unique to the U.S.
-India has no health record infrastructure. They have Aadhaar, and India Stack. What should we design against that?
-On one call to India: one from hospital interests, one from regional interests (euro model), one from Google, and Adrian saying "all you need to do is regulate the API to avoid centralized governance."
-“Health information exchange of one” was published as part of a draft policy by the Indian Government. But there are multiple ministries to navigate the coming implementation.
-UK is moving to open standards and open source. But the political influence of the bigs still stands.
-But regulatory capture persists. And Adrian is alone.
-Hope is simple: time is on our side. The value of aggregated data goes up exponentially while the technology cost of doing this goes down, and will include AI over time. Eventually economics drives this. In other words, this is waiting in the future for the economic case for it to become obvious and inevitable.
-Much of this isn't written up for all audiences, because all of the audiences are separate.
-We've had decades of institutional incumbency that we're up against.
-Until the learned intermediaries, the profession of doctors, realize that they don't want to shift the governance of medicine to centralized institutions and corporate vendor AI, and that they need a balance of regulated vendors and licensed intermediaries, then they finally work the way an accountant or a lawyer might act as an agent of the client.
-We need the learned intermediary, the doctor, to be the fiduciary.
-100% of those who want to make this happen in the first wave are shrinks because they want a direct relationship with the patient and don’t yet use / trust institutional EHRs.