Identity and Immunity

Technology can be better than the failing app solutionism; the question is whether we will be, or whether following the worst of the tech world will leave us in the database state.

Larry Brilliant is the American epidemiologist who, working for the World Health Organization, helped to successfully eradicate smallpox. He knows what he’s talking about.

Some governments – including our own – are suggesting the detection of antibodies to SARS-CoV-2, the virus that causes COVID-19, could provide the basis for an “immunity passport” or “immunity certificate” to allow individuals to travel, or return to work, on the assumption that they are protected against re-infection. But, as the WHO says:

There is currently no evidence that people who have recovered from COVID-19 and have antibodies are protected from a second infection.

This is not a blog post about “following the science”; it’s pretty clear by now who is to be trusted on that, and who isn’t. This is a post about identity systems, and how – even once we understand COVID-19 immunity, and can reliably test for it – they will interact with any “immunity passport” proposal.

In general, all that ‘identity solutions’ really do is to confirm a small number of attributes for a real human being. So it’s not surprising that, right now, anyone with anything that they think is an identity product is sticking a “COVID-immune” item or feature into it, and offering it to anyone who might listen.

Tech vendors gotta sell tech, of course – but, despite the kernel of plausible utility, there are more fundamental considerations which undermine the entire approach. Not least that we’ve never had to ask routinely, “Have you had your flu vaccination?” or “Are you on PrEP?”

And, given past experience (e.g. HIV/AIDS), do we really want to start?

In practice, from an engineering perspective, one can either start with ID and then add immunity, or start with the immunity process (which for COVID does not currently exist) and add something to facilitate attribute exchange. And it must be very clear that what happens in close proximity should always be an exchange – unless one of the entities involved is wearing full face-protecting PPE (i.e. a mask and visor, or full head-covering helmet), etc.

So, presuming they can be built (which no-one’s disputing on a technical level), for whom are immunity solutions actually useful? There is one obvious sector, and another very obvious risk…

Health and Care

Clearly an indicator of immunity would be most useful for NHS staff and other care providers. Given the choice, most people would likely prefer to be treated by someone who has recovered from COVID than someone who hasn’t, for anything that involves even the slightest risk of infection – for exactly the same reasons we don’t put immunocompromised staff on to the measles ward.

And indeed, NHS staff already have a strong identity solution – the “NHS Staff Identity” credential; the evolving NHS smartcard that already carries lots of attributes, to which the NHS employers could add the verified results of antibody testing, when such a thing exists.

Staff in social care are less strongly identified, but they are already known to their employers and by the people for whom they provide care. (Similar may be true for NHS-owned parts of the NHS supply chain.)

Knowing the COVID-19 status of a patient is critical, which is why that flag was already added to health records on the NHS Spine back in March; and patients are already strongly identified to their health records, for obvious reasons.

Outside Health and Care

For anyone and everyone else, we must ask: who are they, and what do they need it for? (Boris and others in Number 10 and its vicinity might want a reason to evade the lockdown rules, but it’s not like he followed them anyway…)

Much as “immunity passports” will no doubt be presented in the most positive, glowing terms – the way out of lockdown, the way back to work, your patriotic ‘duty’ to save the economy – the bottom line remains: the only real reason to know immunity is to discriminate against those who don’t have it.

“Immunity passports” won’t help with prejudice against those who do have immunity but ‘look foreign’, and so are asked for ID again, and again, and again. (This is, of course, the long-term preference of the unreformed and ‘institutionally ignorant’ Home Office.)

Beyond who gets an ‘immunity get-out-of-jail-free card’, and for what purpose(s), must come the question: how long does it last? Solutions in a pandemic are one thing; solutions for an endemic ‘Fifth Flu’ will have wider consequences, and may facilitate all sorts of abuse.

Reality bites

As our experience of COVID apps thus far has shown, the digital fraction is embedded in a very real physical context with very real rules and, by and large, it is these which determine body count – not how ‘smart’ or centralised, ‘truthful’ or trustworthy your code is.

The. Virus. Doesn’t. Care.

So while TechBros™ issue draft ‘codes of practice’ according to which (surprise, surprise!) their own products come out on top, fundamental epidemiological, virological and public health principles – such as the requirement that anyone who “asks” for a show of immunity must first show their own state – risk being lost. Unfortunately, it has been true for quite some time now that Silicon Valley and the stubborn parts of Government take a rather self-interested view of user needs*

Here’s a practical suggestion: those performing authoritative tests could hand successful testees a single sheet of ‘cheapID’-style credentials that could be offered to someone when there is a clear and legitimate need, with the norm being that it is always an exchange of individuals making a free choice – much like hookups in a gay club. Anyone offering a solution then has to explain why their thing is better, and why it’s needed anyway beyond “It’s an app” (or, God forbid, a blockchain).

A ‘strong identity’ solution requires strong identity at every step of every use; so is this really the sort of world we want when we come out of this? (Given there are other options.)

Immunity passports won’t stop the racists being racist, nor the jumped-up little Hitlers and jobsworths from doing their thing. But neither would it institutionalise discrimination, nor would it hand yet more tools of totalitarianism to either Big Tech or the Database State.

When Heathrow finally reopens for business, do we want to be Great Britain again? Or China?

In the new-normal will we decide once more to be a beacon of liberal democracy; cooperating and contributing on the global stage, with a renewed and revived sovereign (mother-of-all) Parliaments under rule of law; championing the commonwealth, the commonhealth and human rights for all – or will we go down in the flames of ‘data firesales’, techsolutionism and secret trade deals, badged with a ‘biomedical expertise’ that’s leaching credibility with every new mortality statistic and resignation?

Tech can be better than this; and we must be.

So let’s listen to the epidemiologists, and engineer the right solutions – apps for the next pandemic, maybe? And for now, let’s keep demanding and following the evidence, and keep asking the questions – to which you are more than welcome to add.
