How many vaccine certificates (not health passports) will citizens in Africa and elsewhere need to do anything?

This is a follow-up to my April 9 post, with a slight correction. I need to stop using the term “health passport,” and should instead use the term “vaccine certificate.” So starting now I’m doing that. Although I still think passports are cool, even if vaccine certificates aren’t passports.

An Ottoman passport (passavant) issued to Russian subject dated July 24, 1900. By FurkanYalcin3 – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=27699398

It’s also a follow-up to my February 16 post, which noted that there are a whole bunch of health pa- I mean vaccine certificates that are being marketed by various companies and organizations.

In addition to Clear’s Health Pass, there are a myriad of other options, including AOKpassCommonPass, IATA Travel Pass, IBM Digital Health Pass, the Mvine-iProov solutionScan2Fly from AirAsia, VaccineGuard from Guardtime, VeriFLY from Daon, the Vaccination Credential Initiative, and probably some others that I missed.

Obviously it takes a while to solve such issues, so you can’t expect that all of this would be resolved by April.

And you’re right.

As Chris Burt of FindBiometrics recently noted, the whole vaccine certificate issue was recently discussed by a panel at an ID4Africa webinar. Now even if you haven’t heard of the organization ID4Africa, you can reasonably conclude that the organization is in favor of…IDs for Africa.

And even they are a bit skittish about vaccine passports, at least for now.

Questions around how these digital health certificates should work, where and whether they should be used, and what can be done to mitigate the risks associated with them remain, and were explored by an international panel of experts representing major global organizations convened by ID4Africa. They found that too much remains unknown to inform final decisions…

The panel warned against rushing headlong into adoption of vaccine certificates without a better understanding of what they were, how they would work, and how individual information would be protected. And there are major questions all over the “how they would work” question, including the long-standing question of how vaccine certificates would be interoperable.

It quickly emerged that while several groups represented are working on similar projects, there are some key differences in goals.

The WHO is building specification which are intended to create digital records not for crossing borders or proving health status to any third party, but merely for continuity of care. Its working group also includes ICAO, IATA, and ISO, each of which have their own applications in mind for digital health credentials.

See the list above.

And even if you just look at the WHO’s project, it’s still not finalized. The present timeframe calls for a version 1.0 of its specification by the end of June, but timelines sometimes slip.

Chris Burt details many other issues in his article, but for purposes of my post, it’s relevant to say that it will be months if not years before we will see any sort of interoperability between vaccine certificates.

How many health passports will convention attendees need to revisit Las Vegas?

Two years ago, this picture wouldn’t look strange to me. Now it looks unusual.

I took this picture on the morning of April 5, 2017. I had just flown from Ontario, California to Las Vegas, Nevada to attend the ISC West show for a day, and would fly home that evening.

The idea of gathering thousands of businesspeople together in Las Vegas for a day obviously wasn’t unusual in 2017. While many think of Las Vegas as a playground, a lot of work goes on there also, and Las Vegas has superb facilities to host conventions and trade shows. So superb, in fact, that Oracle announced in late 2019 that it was moving its annual Oracle OpenWorld conference from San Francisco (up the road from Oracle’s headquarters) to Las Vegas.

But then 2020 happened.

One month after Oracle started planning for the Las Vegas debut of Oracle OpenWorld, the 2020 Consumer Electronics Show took place in Las Vegas. Unbeknownst to the 170,000 attendees at that show, they were unknowingly spreading a new illness, COVID-19. They did this by doing things that people always did at trade shows, including standing next to each other, shaking hands, and (in business-appropriate situations) embracing each other.

Of course, the CES attendees didn’t know that they were spreading coronavirus, and wouldn’t know this for a few months until after they had returned home to Santa Clara County, California and to other places all around the world. By the time that CES had been identified as a super spreader event, Las Vegas convention activities were already shutting down. The 2020 version of ISC West had already been postponed from March to July, was then re-postponed from July to October, and would eventually be cancelled entirely. Oracle OpenWorld’s September debut in Las Vegas was similarly cancelled. As other companies cancelled their Las Vegas conferences, the city went into a tailspin. (Anecdotally, one of my in-laws is a Teamster who works trade shows in Las Vegas and was directly affected by this.)

Today, one year after the economies of Las Vegas and other cities shut down, we in the United States are optimistically hoping that we have turned a corner. But it’s possible that we will not completely return to the way things were before 2020.

For example, before attending a convention in Las Vegas in the future, you might need to present a physical or digital “health passport” indicating a negative COVID-19 test and/or a COVID-19 vaccination. While governments may be reluctant to impose such requirements on private businesses, private businesses may choose to impose such requirements on themselves – in part, to reduce liability risk. After all, a convention organizer doesn’t want attendees to get sick at their conventions.

As I noted almost two months ago, there are a number of health passport options that are either available or being developed. This is both a good thing and a bad thing. It’s a bad thing for reasons that I noted in February:

In addition to Clear’s Health Pass, there are a myriad of other options, including AOKpassCommonPass, IATA Travel Pass, IBM Digital Health Pass, the Mvine-iProov solutionScan2Fly from AirAsia, VaccineGuard from Guardtime, VeriFLY from Daon, the Vaccination Credential Initiative, and probably some others that I missed….

But the wealth of health passports IS a problem if you’re a business. Imagine being at an airport gate and asking a traveler for a Clear Health Pass, and getting an angry reply from the traveler that he already has a VeriFLY pass and that the airline is infringing upon the traveler’s First and Second Amendment rights by demanding some other pass.

When I wrote this I wasn’t even thinking about convention attendance. In a worst-case scenario, Jane Conventioneer may need one health pass to board her flight, another health pass to enter her hotel, and a third health pass to get into the convention itself.

This could potentially be messier than I thought.

The importance of trust

I’m thinking about filing a patent application, but before I do so I want to bounce my idea off of you to see if it’s viable. (I assume that none of you will steal my idea from me.)

Basically, I would like to patent what I am going to call the Bredemarket Important Delivery Execution Technology, or BIDET for short. The purpose of BIDET is to deliver important items from one entity to another, where a sending or receiving entity can be a person, a business, or a government agency.

I have designed BIDET with the following features:

  • The BIDET “envelope” that contains the important item will include, in cleartext, both the origin of the envelope and the destination of the envelope in an easy-to-read, unencoded format.
  • BIDET envelopes themselves will be easy to open (within less than one second), and will include features that allow the envelopes to be opened and closed again BEFORE arriving at their destinations.
  • A group of people will be entrusted with the transmission of BIDET envelopes from their origins to their destinations. This group of people will number approximately 600,000, any one of whom will have the technical capability to fully interact with the BIDET envelopes.
  • The BIDET “envelope” that contains the important item will include, in cleartext, both the origin of the envelope and the destination of the envelope in an easy-to-read, unencoded format.
  • BIDET envelopes themselves will be easy to open (within less than one second), and will include features that allow the envelopes to be opened and closed again BEFORE arriving at their destinations.
  • A group of people will be entrusted with the transmission of BIDET envelopes from their origins to their destinations. This group of people will number approximately 600,000, any one of whom will have the technical capability to fully interact with the BIDET envelopes.

So, what do you think of my idea? Does it sound like a winner?

Or does it sound like an insurmountable privacy nightmare? I mean, who would want to entrust financial information to a delivery service that hundreds of thousands of people can easily violate in less than a second?

Well, if you’re not already ahead of me, it turns out that hundreds of millions of people would entrust financial information to such a delivery service. After all, we’ve been doing this since the days of Benjamin Franklin, since what I described is not a “new” patent idea, but the actual operational model for the U.S. Postal Service.

Screenshot of Cliff Clavin from “Please Mr. Postman (episode 158, 1989). By Source (WP:NFCC#4), Fair use, https://en.wikipedia.org/w/index.php?curid=50708166

This thought occurred to me when I was reading this Valid LinkedIn post about its DMV@Home™ service that “gives residents the ability to perform safe, secure, and reliable digital transactions anytime, anywhere, and on a preferred device.”

And when I imagined the reaction of some people claiming that something like this would NEVER work.

Yet these same people receive all sorts of things by snail mail, including bank statements, credit cards (and credit offers), health records, voting registration information…and driver’s licenses.

But these people TRUST the U.S. Postal Service, or at least they trust the USPS more than they trust a smartphone app. Sure, there are the anecdotal stories of postal workers stealing mail, but that would never happen to me. Smartphone hacking, of course, definitely WOULD happen to me, because smartphones are mysterious things.

Now of course there ARE people who trust smartphone security more than they trust physical security. Without imposing a value judgement on one set of people over another, I can say that those who trust smartphone security feel that the risks of using smartphones are less than the risks of using physical methods.

So how long will it take until a supermajority of people TRUST digital delivery more than they trust physical delivery?

Fame, fortune, or both? Gradations of synthetic identity fraud, with a North Hollywood company as an example

In many cases, identity fraud is accomplished by a bad actor impersonating the identity of another person. Many people have found unauthorized credit or debit card transactions that they didn’t perform, and have had to shut down and re-open their cards as a result.

However, there are other cases in which the identity fraud is accomplished by inventing a “person” out of whole cloth. Or partial cloth; a real piece of identity, such as a legitimate U.S. social security number, is combined with fake information, such as non-existent addresses, stock photography headshots, and unverified social media accounts.

The process could be less rigorous, such as creating a Twitter bot to inflate followers (no government ID needed), or it could be more rigorous, in which the synthetic identity gains legitimate credentials such as passports (although this is becoming more difficult as facial recognition compares applicant faces to existing faces).

Synthetic identity fraud can be damaging. Henry Engler of Thomas Reuters cites a figure of $6 billion in losses to U.S. lenders from synthetic identity fraud.

But sometimes the fraud, while still fraudulent, is relatively innocuous.

Take the case of a particular web design company in North Hollywood, California. If you visit its website (which, oddly enough, is on the “org” domain), the only listed contact for the company is a guy named Eric.

It’s a whole different story on LinkedIn, however.

According to LinkedIn, the company has dozens of employees, including a vast number of co-founders, chief technology officers, and chief information officers. While some are based in Los Angeles, others are based in Chicago, Dallas, Maidenhead, Kyrgyzstan, and other exotic locations. Most remarkably, based upon some of the employee pictures, the company goes over and above in its attempts to attract female technologists. It’s a statistical anomaly!

Under normal circumstances, this remarkable string of oddities would have gone completely unnoticed. I have never interacted with any of these employees, and they don’t seem to be all that active on the LinkedIn platform. Well, with some exceptions; the Chicago-based CEO of the company has made a valuable contribution to the LinkedIn discussion.

Now most of this went under the radar, until a number of LinkedIn employees made connection requests to a particular individual. Unfortunately, this particular individual was Kris’ Rides, a cybersecurity specialist with Tiro Security.

(Before you ask whether Rides himself is a bot, I should note that he has received 40 recommendations on LinkedIn from people that appear to be real, and has amassed over 500 connections. So if Rides is a bot, he is a very effective one.)

When Rides received these connection requests (including two CTOs and two CIOs at the same company), they struck him as odd. So he shared his experience with his connections, which included other cybersecurity professionals, and people (such as me) who were connected to those other cybersecurity professionals. And they’re talking.

Pro tip: if you’re engaging in synthetic identity fraud, don’t reach out to a cybersecurity professional.

Now this story probably won’t be a trending topic on Twitter, even if the bots try to make it so, but it’s certainly gaining traction in the audience that counts: namely, technology experts who have the power to tell LinkedIn and others about questionable marketing techniques.

So what happens next? A mea culpa from Eric (or whatever his or her real name is)? Time will tell.

Is “social distancing” socially distant? It depends.

I’m attending a webinar, organized by The Economist and sponsored by Onfido. The webinar’s title is “A whole new (contactless) world: The rise of digital identity.”

The keynote interview just finished, and the interviewee was Anne Chow of AT&T Business.

In the course of the interview, Chow observed that she does not care for the term “social distancing,” and would prefer to use the term “physical distancing.” She noted that our social links are what are keeping us together as we are distant from each other.

However, this is more or less true depending upon who you are. Some people are just fine or mostly fine with electronic interactions with coworkers and others, while others are truly bothered by it.

For example, there are those who are comfortable with Zoom and Teams and Meet and WebEx and all of the other conferencing platforms, as well as asynchronous communications methods (including old fashioned email).

Then there are others. For example, some people refuse to use telehealth and insist on seeing physical doctors, and refuse to use phone trees and start pressing “0” the first chance they get. (And some of them don’t like absentee ballots, but that’s a different issue.)

And it doesn’t matter how good the technologies get, whether you’re talking about 5G (or 6G or 7G), Internet of Things, or Edge Computing. It won’t be the same.

So how do we construct a hybrid world that allows those who need physical interaction to co-exist with those who do not?

Identity assurance levels (IALs) and digital identity

There is more and more talk about digital identity, especially as COVID-19 accelerates the move to contactless and remote transactions. However, there are many types of digital identity, ranging from a Colorado, Louisiana, or Oklahoma digital driver’s license to your Facebook, Google, or Microsoft ID to the online equivalent of my old Radio Shack Battery Club card.

All of these different types of digital identities suggest that some identities are more rigorous than others. For example, I’ve lost track of how many digital identities I’ve created with Google over the years, but if California ever gets around to implementing a digital driver’s license, I’ll only have one of them. (And I won’t be able to get another license in Nevada.)

In this particular case, the government IS here to help.

The U.S. National Institute of Standards and Technology has defined “identity assurance levels” (IALs) that can be used when dealing with digital identities. It’s helpful to review how NIST has defined the IALs. (I’ll define the other acronyms as we go along.)

Assurance in a subscriber’s identity is described using one of three IALs:

IAL1: There is no requirement to link the applicant to a specific real-life identity. Any attributes provided in conjunction with the subject’s activities are self-asserted or should be treated as self-asserted (including attributes a [Credential Service Provider] CSP asserts to an [Relying Party] RP). Self-asserted attributes are neither validated nor verified.

IAL2: Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity. IAL2 introduces the need for either remote or physically-present identity proofing. Attributes could be asserted by CSPs to RPs in support of pseudonymous identity with verified attributes. A CSP that supports IAL2 can support IAL1 transactions if the user consents.

IAL3: Physical presence is required for identity proofing. Identifying attributes must be verified by an authorized and trained CSP representative. As with IAL2, attributes could be asserted by CSPs to RPs in support of pseudonymous identity with verified attributes. A CSP that supports IAL3 can support IAL1 and IAL2 identity attributes if the user consents.

Interestingly, the standard assumes that pseudonymous identity can be proofed…but this requires that SOMEONE know the actual identity.

And in practice, the “physical presence” requirement of IAL3 can be met by either being “in-person,” or in a “supervised remote” case. (This is needed to make sure that I don’t register with someone else’s face, for example.)

So when considering the robustness of any digital identity scheme, it’s necessary to ascertain whether the digital identity can reliably be mapped to a real life identity. This doesn’t necessarily mean that IAL1 is bad per se; in some cases, such as my old Radio Shack Battery Club example, a robust mapping to a real life identity is NOT necessary.

But in other cases, such as a need to gain entrance to a nuclear power plant, that reliable mapping IS essential.

Someone once said that I look like this guy. By US Embassy London – https://www.flickr.com/photos/usembassylondon/27595569992/, Public Domain, https://commons.wikimedia.org/w/index.php?curid=49663171

Why I created a LinkedIn Showcase Page for Bredemarket

It was Sunday, and I was thinking about something that I wanted to communicate to a potential client in the coming week. The potential client performs work in multiple areas, and had inquired about my assisting in one of those areas.

As I thought about solutions for that one section of the potential client’s website, I began wondering how that material could be repurposed in other channels, including LinkedIn. One solution, I realized, was for the client to set up a special “showcase page” on LinkedIn that was dedicated to this one area. Content from the website could then be repurposed for the showcase page.

If you are unfamiliar with LinkedIn Showcase Pages, they “are extensions of your LinkedIn Page, designed to spotlight individual brands, business units and initiatives.”

A notable example of the use of showcase pages is Adobe. Adobe has a company page, but since Adobe provides a plethora of products and services, it would be a firehose to cover EVERYTHING on the main Adobe page. So Adobe established showcase pages, such as its page for Adobe Experience Cloud, that allowed the company to go into greater detail for that particular topic.

But this doesn’t explain why I just created a showcase page for a Bredemarket customer segment. Actually, there are two reasons.

  • While Bredemarket provides its services to identity firms, technology firms, general business, and nonprofits, it’s no secret that Bredemarket’s most extensive experience is in the identity industry. Because of my experience in biometrics and secure documents, I know the messages that identity firms need to communicate to their customers and to the public at large. Because of this, I thought I’d create a showcase page dedicated solely to the services that Bredemarket can provide to identity firms.
  • There’s another reason why I created the showcase page – the “eating your own dog food” reason. If I’m going to talk about the use of LinkedIn Showcase Pages, wouldn’t it make sense for me to create my own?

So on Sunday I created the Bredemarket Identity Firm Services page on LinkedIn; you can find it at the https://www.linkedin.com/showcase/bredemarket-identity-firm-services/ URL.

And if your interest is specifically in identity, be sure to click the Follow button.