There was a
post on Twitter in the midst of the coronavirus COV-19 pandemic news this
week, that caught my eye. It quoted an emergency room doctor in Los Angeles asking
for help from the technology community, saying “we need a platform for
frontline doctors to share information quickly and anonymously”. It went on to
state the obvious requirement that “I need a platform where doctors can join,
have their credentials validated and then ask questions of other frontline
doctors”.
This is an interesting requirement that tells us something about the kind of
digital identity that we should be building for the modern world instead of
trying to find ways to copy passport data around the web. The requirement, to
know what someone is without knowing who
they are, is fundamental to the operation of a digital identity infrastructure
in the kind of open democracy that we (ie, the West) espouse. The information
sharing platform needs to know that the person answering a question has
relevant qualifications and experience. Who that person is, is not important.
Now, in the physical world this is an extremely difficult problem to solve.
Suppose there was a meeting of frontline doctors to discuss different
approaches and treatments but the doctors wanted to remain anonymous for
whatever reason (for example, they may not want to compromise the identity of
their patients). I suppose the doctors could all dress up as ghosts, cover
themselves in bedsheets and enter the room by presenting their hospital identity
cards (through a slit in the sheet) with their names covered up by black pen.
But then how would you know that the identity card belongs to the
“doctor” presenting it? After all the picture on every identity card
will be the same (someone dressed as a ghost) and you have no way of knowing
whether those were their own ID cards or whether they were agents of foreign powers,
infiltrators hellbent on spreading false information to ensure the maximum number
of deaths. The real-world problem of demonstrating that you have some
particular credential or that you are the “owner” of a reputation
without disclosing personal information is a very difficult problem indeed.
(It also illustrates the difficulty of trying to create large-scale identity
infrastructure by using identification methods rather than authenticating to a
digital identity infrastructure. Consider the example of James Bond, one of my
favourite case studies. James Bond is masquerading as a COV-19 treatment
physician in order to obtain the very latest knowledge on the topic. He walks
up to the door of the hospital where the meeting is being held and puts his
finger on the fingerprint scanner at the door… at which point the door loudly
says “hello Mr Bond welcome back to the infectious diseases unit”.
Oooops.)
In the virtual world this is quite a straightforward problem to solve. Let’s
imagine I go to the doctors’ information sharing platform and attempt to log in.
The system will demand to see some form of credential proving that I am a
doctor. So I take my digital hospital identity card out from my digital wallet
(this is a thought experiment, remember; none of these things actually exists yet)
and send the relevant credential to the platform.
The credential is an attribute (in this case, IS_A_DOCTOR) together with an
identifier for the holder (in this case, a public key) together with the
digital signature of someone who can attest to the credential (in this case,
the hospital that employs the doctor). Now, the information sharing platform can
easily check the digital signature of the credential, because they have the
public keys of all of the hospitals, and can extract the relevant attribute.
But how do they know that this IS_A_DOCTOR attribute applies to me and that
I haven’t copied it from somebody else’s mobile phone? That’s also easy to
determine in the virtual world with the public key of the associated digital
identity. The platform can simply encrypt some data (anything will do) using
this public key and send it to me. Since the only person in the entire world
who can decrypt this message is the person with the corresponding private key,
which is in my mobile phone’s secure, tamper-resistant memory (eg, the SIM or
the Secure Enclave or Secure Element), I must be the person associated with the
attribute. The phone will not allow the private key to be used to decrypt this
message without strong authentication (in this case, let’s say it’s a
fingerprint or a facial biometric) so the whole process works smoothly and
almost invisibly: the doctor runs the information sharing platform app, the app
invisibly talks to the digital wallet app in order to get the credential, the
digital wallet app asks for the fingerprint, the doctor puts his or her finger
on the phone and away we go.
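The two checks described above (the platform verifying the hospital’s signature over the credential, then proving that the presenter holds the private key by sending it something encrypted to the public key in the credential) as an added worked example in Go; this is illustrative code written for this page, not anything from Consult Hyperion or from any real platform. It assumes the hospital signs with Ed25519, the doctor’s identity key is an ordinary RSA key, and the "credential" is simply the attribute string bound to that key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
)

// Credential mirrors the post: attribute, holder public key (the identifier), hospital signature.
type Credential struct {
	Attribute string         // e.g. "IS_A_DOCTOR"
	HolderPub *rsa.PublicKey // the doctor's digital identity
	Signature []byte         // hospital's Ed25519 signature over payload()
}

// payload is the byte string the hospital signs: attribute || holder key (PKIX DER).
func payload(attr string, holderPub *rsa.PublicKey) []byte {
	der, _ := x509.MarshalPKIXPublicKey(holderPub) // cannot fail for an *rsa.PublicKey
	return append([]byte(attr), der...)
}

// Issue is the hospital's side: bind the attribute to the holder's key and sign it.
func Issue(hospitalPriv ed25519.PrivateKey, attr string, holderPub *rsa.PublicKey) Credential {
	sig := ed25519.Sign(hospitalPriv, payload(attr, holderPub))
	return Credential{Attribute: attr, HolderPub: holderPub, Signature: sig}
}

// VerifyIssuer is the platform's first check: a hospital whose public key the
// platform already holds must have signed this attribute for this holder key.
func VerifyIssuer(hospitalPub ed25519.PublicKey, c Credential) bool {
	return ed25519.Verify(hospitalPub, payload(c.Attribute, c.HolderPub), c.Signature)
}

// Challenge is the platform's second check: encrypt a fresh nonce to the holder
// key inside the credential. Only the matching private key can recover it.
func Challenge(c Credential) (nonce, ciphertext []byte, err error) {
	nonce = make([]byte, 32)
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	ciphertext, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, c.HolderPub, nonce, nil)
	return nonce, ciphertext, err
}

// Respond is the wallet's side: the post keeps this key in secure hardware behind a
// biometric; here it is an ordinary in-memory key (an assumption of this example).
func Respond(holderPriv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, holderPriv, ciphertext, nil)
}
```

A credential copied from someone else’s phone passes VerifyIssuer but fails the challenge, because the copier cannot produce the nonce; a forged attribute fails VerifyIssuer, because the hospital never signed it.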
Now the platform knows that I am a doctor but does not have any personally
identifiable information about me and has no idea who I am. It does however
have the public key and since the hospital has signed a digital certificate
that contains this public key, if I should subsequently turn out to be engaged
in dangerous behaviour, giving out information that I know to be incorrect, or
whatever else doctors can do to get themselves disbarred from being doctors,
then a court order against the hospital will result in them disclosing who I
am. I can’t do bad stuff.
This is a good example of how cryptography can deliver some amazing but
counterintuitive solutions to serious real-world problems. I know from my
personal experience, and the experiences of colleagues at Consult Hyperion,
that it can sometimes be difficult to communicate just what can be done in the
world of digital identity by using what you might call counterintuitive
cryptography, but it’s what we will need to make a digital identity
infrastructure that works for everybody in the future. And, crucially, all of
the technology exists and is tried and tested so if you really want to solve
problems like this one, we can help right away.