1 Privacy or convenience is a question
Under the impact of COVID-19 last year, health codes in China became the credentials we use frequently for general access, and they do make life convenient for us. A health code is a QR code within Alipay or WeChat, generated from verified data sources such as mobile-phone carriers or health institutions, that indicates the level of health risk. Because the systems of different areas are isolated from one another, a large amount of personal information, including names, ID numbers, contact information, and health status, is repeatedly collected by local governments and later used for authentication independently. Some of this information may not be useful for getting into places, but limited by technology, we cannot keep the balance between privacy and convenience. This reminds us that repeated authentication is often used because personally identifiable information is distributed across different systems, and privacy breaches can occur.
This happens not only in extreme situations like COVID-19, but also in everyday life and business activities. User privacy has been widely breached across the Internet. For example, Facebook granted Cambridge Analytica access to the personal information of 50 million users, and Equifax was hacked, disclosing the personal information of 147 million users. Both infringed on user rights, including the right to process data, the right to know, the right to be forgotten, and the data security commitment. User privacy data breaches not only affect individuals, but also result in huge fines for companies, and their consequences can even spread to the entire society.
Figure 1 User privacy breaches
2 SSI is the answer to this question
What if we want to keep both privacy and convenience during COVID-19? SSI (self-sovereign identity) technology fits exactly here.
The main part that constitutes SSI is the decentralized identifier (DID) system. A DID is the unique ID of an individual in the digital world and cannot be revoked by any person or organization other than the individual. However, an identifier alone has no practical use. It needs to be complemented by another technology, verifiable credentials. Verifiable credentials are statements of personal information associated with DIDs, which have been verified by a trusted third party to be authentic and valid, and which can be verified digitally. For privacy purposes, verifiable credentials abide by the principle of minimal data disclosure: for example, a verifiable claim can contain only a "yes or no" assertion. If someone wants to go to a bar, there is no need for them to show their full personal identity information upon arrival. Instead, if they present a verifiable credential containing the assertion "21 years old and above", the establishment can determine whether to admit them after verifying its validity. With verifiable credentials, personal profiles created on DIDs can be gradually improved, and the power of SSI can be properly unleashed.
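The bar check described above, as an added example that is not part of the original article: an issuer signs only the yes/no assertion for a subject DID, and the verifier accepts it only if the signature comes from a trusted issuer, the subject matches the presenter, and the credential has not expired. The `did:example:` identifiers, field names, function names and the choice of Ed25519 are assumptions for illustration, and the presenter is assumed to have already proven control of their DID.

```javascript
const nodeCrypto = require('node:crypto');

// Bytes that are signed: a fixed field order so issuer and verifier agree.
function signingInput(c) {
  return Buffer.from(JSON.stringify([c.issuer, c.subject, c.claim, c.value, c.expires]));
}

// Issuer side: the issuer has checked the birth date out of band and signs
// only the yes/no assertion, never the birth date itself.
function issueCredential(issuerDid, issuerKey, subjectDid, claim, value, expires) {
  const cred = { issuer: issuerDid, subject: subjectDid, claim, value, expires };
  cred.proof = nodeCrypto.sign(null, signingInput(cred), issuerKey).toString('base64');
  return cred;
}

// Verifier side (the bar): trustedIssuers maps issuer DID -> public key.
function verifyCredential(cred, trustedIssuers, presenterDid, claim, now) {
  const issuerPub = trustedIssuers.get(cred.issuer);
  if (!issuerPub) return 'untrusted issuer';
  const sig = Buffer.from(String(cred.proof), 'base64');
  if (!nodeCrypto.verify(null, signingInput(cred), issuerPub, sig)) return 'bad signature';
  if (cred.subject !== presenterDid) return 'wrong subject';
  if (cred.expires <= now) return 'expired';
  if (cred.claim !== claim || cred.value !== true) return 'claim not satisfied';
  return 'ok';
}

// Constructed demo data: placeholder DIDs, freshly generated Ed25519 keys.
function demo() {
  const issuer = nodeCrypto.generateKeyPairSync('ed25519');
  const rogue = nodeCrypto.generateKeyPairSync('ed25519');
  const trusted = new Map([['did:example:issuer', issuer.publicKey]]);
  const now = 1700000000, later = now + 3600;
  const cred = issueCredential('did:example:issuer', issuer.privateKey,
    'did:example:alice', 'ageOver21', true, later);
  const minor = issueCredential('did:example:issuer', issuer.privateKey,
    'did:example:bob', 'ageOver21', false, later);
  const forged = issueCredential('did:example:issuer', rogue.privateKey,
    'did:example:bob', 'ageOver21', true, later);
  const check = (c, who, t) => verifyCredential(c, trusted, who, 'ageOver21', t);
  return {
    valid: check(cred, 'did:example:alice', now),
    tampered: check({ ...minor, value: true }, 'did:example:bob', now),
    forged: check(forged, 'did:example:bob', now),
    borrowed: check(cred, 'did:example:bob', now),
    expired: check(cred, 'did:example:alice', later + 1),
  };
}
console.log(demo());
```

The verifier learns one boolean about the holder and nothing else; the four rejected cases are a flipped claim value, a signature from a key that is not the trusted issuer's, a credential presented by someone other than its subject, and an expired credential.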