Verify the Verifier - Anti-coercion by Design; October 2020

A call for countermeasures against coercion of verifiable credentials in self-sovereign identity.

This position statement argues that we need countermeasures against coercion of verifiable credentials, especially COVID-19 credentials. We propose an initial set of countermeasures, which are an amalgamation of technical, governance and legal measures. Our implementation demonstrates the technical feasibility of one of the proposed countermeasures: technically enforced verification of the verifier.

Introduction: 800-pound gorilla asks your credentials

The concept of 'self-sovereign' identity presumes that parties are free to enter a transaction, to share personal and confidential information, and to walk away when requests by the other party are deemed unreasonable or even unlawful. In practice, this is often not the case: "What do you give an 800-pound gorilla?" Answer: "Anything that it asks for." Examples of such 800-pound gorillas are some big-tech websites, immigration offices and uniformed individuals alleging to represent law enforcement[1]. The typical client-server nature of web transactions also reinforces this power imbalance: the human party behind the client agent feels coerced into surrendering personal data, as otherwise they are denied access to a product, service or location.

COVID-19 urgency: coercion of health credentials is bad for society

Much like in the aftermath of the September 11 attacks, the COVID-19 pandemic has made societies push for technological solutions that inherently carry the risk of violating individual freedoms.

In practice, the issue of countermeasures against coercion has thus become more prominent and urgent in the context of the COVID-19 crisis. Here the 800-pound gorillas may be employers demanding health information that they are not entitled to, or even shops and restaurants, if the sharing of health data has become low-friction thanks to verifiable credentials.

Efforts to mitigate the effects of the COVID-19 pandemic using identity technology therefore need strict legislation in order to uphold human rights and dignity. Awareness of this need is currently expressed broadly, in societal organisations as well as in policy and law. A few examples are the following:

The UN High Commissioner for Human Rights recently urged the European Commission to “Enhance the availability, accessibility and effectiveness of redress mechanisms for unjustified decisions made by digital services”[2].

Early September this year, a California bill, 'AB-2004 Medical test results: verification credentials', was proposed (and vetoed), requiring that “Verifiable credential models should not in any way compromise an individual’s right to privacy, including by means of tracking or reporting the individual’s usage of the verifiable health credential”[3].

In October 2020 the Dutch Senate approved a special temporary act regarding a notification app for COVID-19, which makes it illegal to enforce the use of a COVID-19 notification app or any other comparable digital means[4].

Countermeasures are governed by governance frameworks

Implementations of one or more potential countermeasures against different types of coercion may be certified within a governance framework. In the case of a machine-readable governance framework, countermeasures may be enforced automatically, safeguarding the user from being coerced into action by, for example, unauthorized parties. Where legislation against coercion is in place, a verifiable proof or registration of an unlawful request that will stand up in court is needed. Different governance frameworks may choose different balances between full self-sovereignty and tight control, depending on the interests that are at play as well as applicable legislation.

Examples of countermeasures: combining technical, governance and legal

The following are examples of potential countermeasures against coercion[5]. The governance framework can stimulate or enforce that some verifiable credentials are only presented when the holder agent determines that certain requirements are satisfied. When a requirement is not fulfilled, the user is warned about the violation and the holder agent may refuse to present the requested verifiable credential.

  • Require authoritative verifier. Verifiers would need to be authorized within the applicable governance framework. A wallet application may technically enforce this governance policy.
  • Require evidence collection. Requests for presentation of verifiable credentials may hold up as evidence in court if the electronic signature on the requests is linked to the verifier in a non-repudiable way.
  • Require enabling anonymous complaints. The above evidence collection may be compromised if the holder can be uniquely identified from the collected evidence. So a governance framework may require the blinding of holder information, as well as of instance-identifiable information about the evidence itself.
  • Require remote/proxy verification. Verification only has value to a holder if it results in a positive decision by the verifier. Hence a holder should preferably only surrender personal data if this warrants a positive decision. It would save travel if the requested decision concerns access to a physical facility, and it would in any case prevent unnecessary disclosure of personal data. Some verifiers may consider their decision criteria confidential. Hence, different governance frameworks may choose different balances between holder privacy and verifier confidentiality.
  • Require complying holder agent. Some rogue holder agents may surrender personal data against the policies of the governance framework associated with that data. Issuers of such data may require verification of the holder agent's compliance before issuing.

Demo PoC: 'Verify the Verifier'

Following the Working Group use case 'Verify the Verifier' of the COVID-19 Credentials Initiative[6], one of us (Bloqzone) has built a 'Verify-the-Verifier' PoC[7]. In this PoC, the doorman of a home for the elderly requests a visitor to present specific credentials to gain access to the building. Before doing so, however, the visitor ascertains whether the doorman has the proper authorization to ask for credentials by requesting a credential from the doorman in return, see Figure 1.

Figure 1: Visitor asks verification from Doorman before presenting a privacy-sensitive credential (still from Bloqzone demo)
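One way the holder-side check behind the 'Require authoritative verifier' and 'Require evidence collection' countermeasures and the doorman scenario above could be implemented, as an added example and not code from the Bloqzone PoC: the doorman's presentation request arrives together with an authorization credential issued by the governance-framework authority, and the wallet verifies the authority's signature, the binding of the request to the authorized key, and the scope of the requested credential before presenting anything. The Authorization and Request structures, the Ed25519 signatures and the trust-anchor key are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Authorization is issued by the governance-framework authority to a verifier; it binds
// the verifier's signing key to the credential types it is allowed to ask holders for.
type Authorization struct {
	VerifierID  string
	VerifierKey ed25519.PublicKey
	MayRequest  []string
}

// Request is what the doorman sends. SignedRequest bundles it (signed by the verifier)
// with the Authorization (signed by the authority); the holder keeps it as evidence.
type Request struct{ VerifierID, Credential string }
type SignedRequest struct{ Req Request; Sig []byte; Auth Authorization; AuthSig []byte }

// canon is the byte form that gets signed: JSON of the struct, with stable field order.
func canon(v interface{}) []byte { b, _ := json.Marshal(v); return b }

// VerifyVerifier is the holder agent's check; a non-nil error means refuse to present.
// Verifying the request under the key named in the Authorization stops a rogue party
// from replaying another verifier's authorization alongside its own request.
func VerifyVerifier(anchor ed25519.PublicKey, sr SignedRequest) error {
	if !ed25519.Verify(anchor, canon(sr.Auth), sr.AuthSig) {
		return fmt.Errorf("authorization not issued by the governance authority")
	}
	if sr.Auth.VerifierID != sr.Req.VerifierID || len(sr.Auth.VerifierKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(sr.Auth.VerifierKey, canon(sr.Req), sr.Sig) {
		return fmt.Errorf("request not signed by the authorized verifier's key")
	}
	for _, c := range sr.Auth.MayRequest {
		if c == sr.Req.Credential {
			return nil // authorized and in scope: the wallet may present
		}
	}
	return fmt.Errorf("verifier not authorized to request %q", sr.Req.Credential)
}

func main() {
	anchorPub, anchorPriv, _ := ed25519.GenerateKey(rand.Reader) // governance authority
	doorPub, doorPriv, _ := ed25519.GenerateKey(rand.Reader)     // doorman (verifier)
	auth := Authorization{"doorman-1", doorPub, []string{"covid-test-result"}}
	req := Request{"doorman-1", "covid-test-result"}
	sr := SignedRequest{req, ed25519.Sign(doorPriv, canon(req)), auth, ed25519.Sign(anchorPriv, canon(auth))}
	fmt.Println(VerifyVerifier(anchorPub, sr)) // prints <nil>: safe to present
}
```

The retained SignedRequest is the non-repudiable record the 'Require evidence collection' countermeasure asks for, since both signatures can be re-checked later by a third party holding the anchor key.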

Conclusion: Combine technical implementation with legal policy making

We need countermeasures against coercion of verifiable credentials, especially COVID-19 credentials. However, some of the countermeasures may only be effective with the appropriate legal precedent backing them. For example, if the collected technical evidence is not accepted in court, it loses force against 800-pound gorillas. We call for a combined technical+governance+legal project to develop solutions and to assure their effectiveness in society.

Oskar van Deventer (TNO), Alexander Blom (Bloqzone), Line Kofoed (Bloqzone)
22 October 2020

References

[1] Oskar van Deventer et al, 'Self-Sovereign Identity - the good, the bad and the ugly', TNO, May 2019.

[2] UN High Commissioner for Human Rights, Michelle Bachelet, Letter in response to the public consultation on the EU’s Digital Services Act, 2020-09-07.

[3] Senator Hertzberg et al, 'AB-2004 Medical test results: verification credentials', California bill text, 2020.

[4] Tijdelijke wet notificatieapplicatie covid-19, 6 October 2020.

[5] Matthew Davie, Oskar van Deventer et al, '0289: The Trust Over IP Stack', Draft Hyperledger Aries RFC 0289, 2019-2020.

[6] COVID-19 Credentials Initiative, Use Case 11: Verify-the-Verifier.

[7] Bloqzone, 'Who wants to know? Verifying the Verifier', demo PoC mandated verifier identification.
