Covid-19 continues to teach us about our developing reliance on digital technologies, particularly the social impact of this transition. Current calls to develop vaccine passports, for example, offer a poignant illustration of the dynamics to be considered.
If introduced, vaccine passports will become a new form of functional identity that confirms privileges and rights of access to people. The potential fuelling current discussion ranges from the ability to board a flight to the freedom to book a table at a restaurant or attend a concert.
It is a concept that has evolved since the early days of the pandemic, when immunity passports were first mooted as an opportunity to manage risks to both health and the economy. They are controversial and evoke clear ethical concerns to be addressed if they are to be trusted and deliver on any promise. The systems for managing them must also be designed to be trustworthy, requiring anticipation of a complex array of factors for their design and deployment.
Consider current conventions that drive the collection of information. An online restaurant reservation system requiring personal details that includes passport information would represent a significant target. Resilience to security breaches or tampering would be no small task. The fact that someone attended an event or ate out may even become information that warrants new levels of protection because it communicates information that creates incentive for identity fraud.
The reliability of authentication presents another challenge. Anyone who buys a ticket and travels to a concert or a sports event, for example, will want to be confident in the system that confirms they can be given access.
Biometrics, particularly facial recognition linked to camera systems, are often seen as a way forward. However, the research community covering artificial intelligence is divided on facial recognition for many reasons, and our understanding of the associated risks remains immature. The risk of bias in algorithms, for example, can produce different levels of accuracy across genders and culturally diverse populations.
Vaccine passports are just one example of how identity systems may evolve in modern society. Given their sensitivity, they may also represent an opportunity to rethink how identity systems could be designed. It is an opportunity that is fuelling a rapidly advancing area of research.
As the UK’s national institute for data science, the Alan Turing Institute is exploring new techniques for encryption and privacy-enhancing data management, and refining algorithms that can monitor, anticipate and react to anomalies in the flow and use of personal data.
It is work that explores varied practical opportunities for advancing privacy by design for identity and many other systems, alongside some basic questions that can be overlooked in development environments that tend to be influenced by existing systems. Such questions include: How much information is needed to fulfil the purpose? Who needs access to it? And what agency could, or should, the individual be given?
Today, many organisations store and retrieve identity data, alongside transactional data and any other data or attributes that may be associated with its use. Social media profiles increasingly facilitate access to broader services, and the online sharing economy for holiday bookings accumulates information that can include a photo of a government-issued identity, such as a driving licence, to build mutual trust among members.
Vaccine passports add to the volumes of personal, and increasingly sensitive, data that could be routinely collected, willingly given and exchanged for an entitlement. As people’s lives are increasingly supported by this evolving ecosystem of data stores, networks and interfaces with organisations, we face a new imperative to understand and manage evolving risks to the people who are at the heart of the systems designed to support them.
To learn more, you can download a full report on the ambitions of the Alan Turing Institute’s research into digital identity. The Turing has also established a Trustworthy Digital Identity interest group open to members outside the institute.
Carsten Maple is a professor of cyber systems engineering, and principal investigator, trustworthy digital infrastructure for identity systems at the Alan Turing Institute.