There are plenty of privacy experts out there that can design a version of the system where you can’t be tracked. The system can see if you’re vaccinated, but it can’t tell who ‘you’ are while doing so, except to verify that the claim is legitimate.
I’m not a privacy expert. It’s not obvious to me how to design such a system. Can someone explain or link to a proposal? The ‘obvious’ way would be to give people tokens when vaccinating them, but it’s too late for that.
Also, do you mean “can’t be tracked by the system itself, including the app you’ve installed on your phone which provides QR codes”, or “can’t be tracked by everyone you show the QR codes to, even if they cooperate” (because they all get QR-verifying software from the same vendor, which phones home)?
ETA: you write both “I expect crypto people to have good answers to these problems” and “my assumption is it also probably won’t be that difficult to fake the passport”. This is contradictory. My comment responds to the first claim.
(Rewrote to better present the same argument, and removed some weaker arguments)
I don’t see how to accomplish the first (stronger) version. Since people weren’t given un-forgeable tokens when they were vaccinated, you need them to install an app and tell it who they are. Which lets the app track them; you’d need to trust the government, the software sub-contractor who actually wrote it, their software supply chain, and the server it talks to.
Suppose you do trust the app, or you only want to achieve the weaker kind of security, where the verifiers (who see your QR tokens) can’t identify or track you. That still leaves some issues:
How does the app know you’re vaccinated? Does the government already have a database / list of vaccinated people? Did people get magical pieces of paper when they were vaccinated? Based on your past posts about the distribution process, I would expect this info to be incomplete, inaccurate, and probably not yet centralized. And if it did exist, privacy advocates would probably be concerned about that.
If vetting people who install the app is taken seriously, there will probably be a lot of false negatives, which will justly upset people and get media attention. And any attempt to redress this will make it easier for un-vaccinated people to register.
How do you prove to the passport app that you’re you? If the system knows “John Doe” is vaccinated, what stops people from telling their phone they are John Doe? Maybe they need details like when and where John was vaccinated, but this is likely to leak for a bunch of people. On a smaller scale, vaccinated people can register on their unvaccinated friends’ and loved ones’ phones, to let them go places. Or just loan them their phones for a bit.
The system could show the verifier a photo of the real John Doe (but does the government have everyone’s photos?) That would mostly solve the problem, although using a single / ‘reference’ photo for each person would let verifiers link data and look that person up without resorting to image recognition or image search. (I’m assuming here verifiers can surreptitiously take a photo of you, but that it would be less convenient / useful than a ‘reference’ one.)
The system could enforce a reasonable limit of phones (installations) per person. That might enable griefing, if I can register in your name and prevent you from registering yourself. This might be an acceptable tradeoff. It would still let people register for 1-2 ‘extras’.
I think this assumes that the system needs to be more robust than the current system, by a lot, plus also gain privacy. What I’m saying is that (1) yes we could do both if we cared enough, in theory, because we have proof by example but also (2) we don’t need that level of robustness. We need something harder to fake than a Fake ID, where the QR code doesn’t reveal who you are, so you can’t be tracked beyond the existing ability to track cell phones.
There’s a trade-off of security vs. privacy for sure, but right now the existing systems are lousy at best on both.
What’s the example you’re thinking of? I’m sorry if you mentioned it before and I missed it.
We need something harder to fake than a Fake ID, where the QR code doesn’t reveal who you are, so you can’t be tracked beyond the existing ability to track cell phones.
If I understand correctly, you don’t want the QR code to prove that “John Doe, ID #123456789, is vaccinated” and then have the verifier ask to see a separate, pre-existing ID that shows you’re John Doe. Which is how the actual and proposed vaccination passports in Israel and some of the EU work. (Hence I don’t know what example you’re thinking of.)
Instead you want the QR code to prove that “the bearer of this code is vaccinated”. That implies the code must be secret and not trivially shareable between many different people. But copying images and taking screenshots is trivial. So the code must not be a single permanent QR per person, but generated by the application: either frequently replaced (like OTP) or on-demand (challenge-response protocol).
This could work if installing or activating the app required approval from a central database / service. This approach has difficulties I noted before, including proving to the app you’re you, and multiple activations. And it still lets the app owner track you, since the app stays active.
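The rolling-code and challenge-response variants described above, as an added example that is not part of this thread. Everything in it is hypothetical: the split into an Issuer (central activation service), a PassportApp (phone) and a Verifier (door check), the HMAC-based codes, and the constructed timestamps are my assumptions, chosen to show why a static QR image fails and what the verifier and the issuer each get to see.

```python
"""Rolling (OTP-style) and challenge-response QR proofs for a vaccine pass.

Added example, not code from the thread. Everything here is hypothetical:
the Issuer is the central activation service, PassportApp runs on the phone,
Verifier is the door check. The only persistent state the issuer keeps is a
random install_id and a per-installation secret, so a verifier never sees a
name. Vetting of the person happens out of band before activate() is called.
"""
import hashlib
import hmac
import secrets

WINDOW_SECONDS = 30   # lifetime of one rolling code
GRACE_WINDOWS = 1     # also accept the previous window (clock skew)


def _mac(secret, msg):
    """Truncated HMAC-SHA256; short enough to fit in a QR payload."""
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


class Issuer:
    """Central service: maps install_id -> secret, nothing identifying."""

    def __init__(self):
        self.registry = {}   # install_id -> secret
        self.audit = []      # (install_id, time) of every check it answers

    def activate(self, vetted_vaccinated):
        if not vetted_vaccinated:
            raise PermissionError("activation refused")
        install_id = secrets.token_hex(8)        # pseudonym, not a name
        secret = secrets.token_bytes(32)
        self.registry[install_id] = secret
        return install_id, secret

    def check_rolling(self, qr, now):
        """QR payload is 'install_id:window:code'; stale windows fail."""
        try:
            install_id, window_s, code = qr.split(":")
            window = int(window_s)
        except ValueError:
            return False
        secret = self.registry.get(install_id)
        if secret is None:
            return False
        self.audit.append((install_id, now))     # the issuer sees every scan
        current = now // WINDOW_SECONDS
        if not current - GRACE_WINDOWS <= window <= current:
            return False                          # screenshot from earlier
        return hmac.compare_digest(code, _mac(secret, str(window).encode()))

    def check_response(self, install_id, nonce, response, now):
        secret = self.registry.get(install_id)
        if secret is None:
            return False
        self.audit.append((install_id, now))
        return hmac.compare_digest(response, _mac(secret, nonce))


class PassportApp:
    """Phone side. Holds only what activation returned."""

    def __init__(self, install_id, secret):
        self.install_id = install_id
        self._secret = secret

    def rolling_qr(self, now):
        window = now // WINDOW_SECONDS
        return f"{self.install_id}:{window}:{_mac(self._secret, str(window).encode())}"

    def answer_challenge(self, nonce):
        return _mac(self._secret, nonce)


class Verifier:
    """Door check. Learns install_id and the result, never a name."""

    def __init__(self, issuer):
        self.issuer = issuer

    def fresh_nonce(self):
        return secrets.token_bytes(16)

    def accept_rolling(self, qr, now):
        return self.issuer.check_rolling(qr, now)

    def accept_challenge(self, install_id, nonce, response, now):
        return self.issuer.check_response(install_id, nonce, response, now)


def demo():
    """Run both flows with constructed timestamps; returns the outcomes."""
    issuer = Issuer()
    app = PassportApp(*issuer.activate(vetted_vaccinated=True))
    door = Verifier(issuer)
    t0 = 1_700_000_000   # constructed epoch time, 20 s into a 30 s window
    qr = app.rolling_qr(t0)
    out = {
        "live_code_ok": door.accept_rolling(qr, t0 + 5),
        "screenshot_later_fails": door.accept_rolling(qr, t0 + 3 * WINDOW_SECONDS),
        "unknown_install_fails": door.accept_rolling("0123456789abcdef:0:0", t0),
    }
    nonce = door.fresh_nonce()
    resp = app.answer_challenge(nonce)
    out["challenge_ok"] = door.accept_challenge(app.install_id, nonce, resp, t0)
    out["replayed_response_fails"] = door.accept_challenge(
        app.install_id, door.fresh_nonce(), resp, t0)
    out["issuer_observed_checks"] = len(issuer.audit)   # the tracking cost
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two flows make the comment's points concrete: a screenshot of the rolling code is worthless once its window has passed, and a recorded challenge answer is worthless against a fresh nonce, so the code is bound to whoever holds the phone rather than to a name. The verifier only ever handles a random install_id. The price is visible in `issuer.audit`: because the codes are checked with a shared secret, the issuer must be online for every scan and therefore sees each one, which is exactly the "app owner can still track you" problem. A variant where the app signs with a key the issuer has certified would let verifiers check offline and is the usual way around that, but it does not remove the activation-time identity problem discussed earlier in the thread.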
Interestingly, in New York State it appears they aren't allowed to store anything about the verification per GBL 899-aa and 899-bb. That's about as close to a "no warranty" statement as it gets.
I feel like there's some sort of yet-to-be-articulated "impossibility theorem" here. Some sort of mash-up of the project management trilemma and Shannon's theorem.
What approach are you thinking of?