Might interest you to know the EU is wondering exactly how this tech will work... in several years’ time, when they’ve finished constructing it. Of course this is all a bit “blue sky” thinking but one protocol that I’ve seen in mock-up goes roughly like this:
1. Citizen installs app on phone, and links app to digital wallet. Like their online banking (which already uses the same regulatory principles), it’s bound to their device and their biometric, and ALL data they choose to share is stored in an encrypted file, locally, not uploaded to any central server.
2. Citizen opts into medical data sharing and specifies what can and cannot be shared with emergency responders.
3. Emergency workers have to register with a licensed provider of services - usually their employer. As part of mandatory employment checks, their identity has to be confirmed, along with their qualifications (this is Captain Obvious stuff - you don’t want someone with a fat jacket of criminal prosecutions who’s merely pretending to be a cop / paramedic / whatever, getting access to national and/or EU-wide and/or Interpol databases).
4. Once vetted, they are given access to an app. Just like the citizen one (and just like their own bank’s app already does), it needs THEIR biometric to be presented in order to use it.
5. In the event that you’re a victim of crime or in an accident, then no matter where you are in the EU, the emergency responders can nominate a person to lead the team. The apps then sync up so a team is created for that one “encounter”, and all named qualified attending personnel are added to the list.
6. Before they can do ANYTHING with ANY data, they need your consent. If you’re conscious they can just ask. If not - how can you give it? Simples - your app on your phone has your pre-approved “I’m happy for the emergency responders to identify me” rule enabled AS WELL AS the “even if I’m unconscious or dead” rule.
7. One nominated responder uses NFC to link their device to yours, all this does is ask your device for approval. Since you may have pre-approved that, it’ll say YES. If you didn’t pre-approve, it might ask you to swipe left for yes or right for no, subject to your fingerprint unlock.
8. At this point the back end of the responders’ app tells the backoffice that you’ve given your consent, and it then establishes a full audit trail for everything they do after that. If they ask for your blood group, it captures the team members, the encounter, who requested the blood group, and when they asked. It then requests the information from the phone.
9. Cleverly, the proposition also includes some provision for natural language translation, so if all your vital statistics have been captured in English and you’ve been involved in an accident in Slovakia, there’s not going to be any language barrier.
Now, this all sounds immensely complicated - and technology-wise it will be - but there’s nothing insurmountable. And the upshot of it is, we’re not talking about a system that’ll be here next year.
In 20 years’ time this will all come to pass, and crucially by the time it arrives the citizen and the emergency responder will have had 20 years to get the hang of it.
It’ll be far less complicated to any end user than trying to ask and answer a bunch of questions verbally while slipping in and out of consciousness.
If you think that sounds completely nuts, consider how completely effortlessly a ten year old “digital native” can navigate their way round computer tech that would’ve baffled a college graduate 20 years ago.
It’s the same as how, twenty years before that, many of my dad’s generation couldn’t even figure out how to set a VCR timer via the remote control, while I (even as a tender 7 year old) could do it blindfold without even reading the instruction book.
In twenty years’ time this technology will be so intuitive to any millennial that any argument that the old way of doing things was “simpler” will be simply laughed at.
Google “travel safely with your data” (in quotes) and you’ll see a link near the top from 11th February. “Nico is 56 years old...”
Very simply put, it’s a walkthrough showing how even a ton hatted privacy fiend who distrusts the state completely will provide explicit consent at every step when talking either to his cardiologist of choice, or getting cardiology support while in another country. What it doesn’t spell out, but in my view should spell out, is the inherent absurdity of the counterargument that this is totally unsafe and oppressive when it’s compared to having to carry bits of paper round on your person AND set up international phone calls between doctors AND get faxes sent between them for physical signing ... All to achieve the exact same result while exposing the week long faff of it to a multitude of “man in the middle” interception risks.
Now that’s just one consent-based scenario out of hundreds that are in the early planning stages.
I already test one such solution, it’s not a state supplied version but the underlying principles are nearly identical.
I decide what goes in my test wallet, I decide what to share from it, and when, and who with.
I don’t just give someone the information to keep, I let them view it for the duration of an “encounter” after which their system ends the session and ‘forgets’ the authentication evidence. Which is abstracted for the audit trail, not cloned.
Just like how a cash card transaction uses the information from card and PIN and certificate to verify a purchase, but BY LAW the merchant can’t hold onto the CVC and PIN. It’s used only by the device, then forgotten by the device.
Philosophically an agency could insist on me going through the process before letting me do something uncontroversial or buy something, but the free market consumer base will discourage practices that harm end user acceptance.
A restaurant that insists on checking your passport before finding you a table will soon find it has no customers, while the rival over the road that isn’t being silly in that way had queues around the block.
I’m not complacent about it, because no setup is perfectly safe and totally immune to state/corporate abuse.
But this is way, WAY less easy to abuse UNDETECTED than the ad-hoc, poorly documented, multi-actor, hands-dirty manual processes that people (for some totally irrational and inexplicable reason) think are “safer”.