John Phillips
John Phillips February 1, 2023 Digital Trust

Who Says You Can Do That Work Here?

Proving you have the right credentials to do a job, take up a role, or take up further studies can be difficult enough in the jurisdiction in which you have earned the credentials. Getting these credentials recognised in another jurisdiction is even harder.

Solving this problem in a trustworthy and privacy enhancing way has significant social and economic benefits for people, organisations and the countries in which they live.

While recognising that the problem isn’t “just” technical, this article explains how by solving the technical challenge using open-source, open-standards based technologies we can make “verifiable mutual recognition” possible.

Setting the scene

Some years ago I was in a cab in Wellington New Zealand chatting with the driver. They told me that they had recently brought their family to New Zealand and that they were a qualified doctor, but that until they sat and passed the relevant New Zealand exams they had to drive a taxi in their spare time to earn some money for their family. Fluent in several languages, highly regarded in the country they had left, and with sought after skills in New Zealand, they faced significant delay (and cost) before they could practise their core trade again, theirs is not a unique story.

It takes time and effort (and often talent and money) to qualify for many occupations. Having earned recognition in one jurisdiction, many people would like to travel with their credentials and have them recognised as equivalent in other jurisdictions in which they want to live and/or work. Some people choose to travel, some have no choice but to travel. Many economists welcome their initiative, seeing migration as an important way for jurisdictions to realise individual and national growth objectives and potentially to offset an ageing population. Note that even in these times of remote working (and potentially internationally remote working), the question of whether someone can ply their trade in other jurisdictions isn’t just a question of network access and quality, it can also be a question of law and liabilities. Just because you can digitally “zoom” in to another country or state, doesn’t mean that you’re legally allowed to perform work or provide a service.

There are understandable challenges in achieving recognition in a new jurisdiction. In some instances there are specific, local, skills and applications of each trade (not least of which are language, local laws and cultural norms). Sometimes, as in the case with medicine, these can be life or death differences. There may also be economic or socio/political reasons for proof of qualifications and demands for re-qualification, fees to be paid, memberships and registrations to be gained. These can serve to ensure that local standards are met, along with providing protections, recognised liabilities, guarantees and insurances.

We can think of this type of problem as a “recognition” problem. To enable the movement of people and labour we might seek a principle that, as far as possible and appropriate, we want “mutual recognition” of equivalent occupational registrations to enable the socio/economic benefits of the movement of labour for people and societies.

This article explores and shows how current technologies can be used to help solve key elements of this problem now and for the benefit of all.

Recent, Relevant Work Experience

During 2022 we worked on two examples of these problems: Automatic Mutual Recognition and Lifelong Personal Learner Profiles.

Automatic Mutual Recognition (AMR)

Our work on Automatic Mutual Recognition (AMR) was partially funded by an Australian Government grant. Having won a Business Research and Innovation Initiative (BRII) grant, Sezoo led a team consisting of Civic Ledger, RMIT University, and Trust Alliance looking at how the World Wide Web Consortium Verifiable Credential Data Model standard (W3C VC), together with decentralised interaction and trust models, could be used to validate information matching and exchange between jurisdictions to support the Australian (and New Zealand) government Mutual Recognition (MR) scheme, and in particular the Automated Mutual Recognition (AMR) part of that scheme. The aim was to study several key dependencies and to consider the overarching framing question: “how can we ensure trustworthiness of AMR information shared across jurisdictions?”.

Think of this as “How can a teacher from Victoria go to teach in Queensland?”

Lifelong Personal Learner Profile (LP2)

The second example was our work with the University of Canterbury in New Zealand (UC) on how these technologies might enable a lifelong personal learner passport, “LP2”, for their students. This involved looking at how Universities could provide their students with lifelong, verifiable, credentials and how the University might tackle “Credit for Prior Learning” or “Recognition of Prior Learning”, where a student wants to engage in a course at the university and has prior qualifications that are required and/or enable them to start the program at a more advanced stage.

Think of this as “how might an employer in Canada recognise a student with a UC masters course?” Or, “how might a graduate from an Australian University be recognised as a masters student applicant by UC?”

These are two examples of a problem that we believe is fundamental to many aspects of our personal and professional lives – we’ll call it “verifiable mutual recognition”, or “VMR” for short.

A simple mental model for VMR

We typically represent the issuance of a credential to someone, and its subsequent use by them and a third party, as a relationship between the issuer; the holder; and the verifier. Taking this example a little further, In the general case, the issuer has the authority to issue the credential because it meets the requirements of a governance framework. This then gives us a four-way relationship, which we can depict as shown below:

This model works well when we are talking about a single governance framework within a single legal jurisdiction. Here, however, we want to make sure we consider two separate jurisdictions, where the Holder receives a credential (or credentials) from an Issuer in one Jurisdiction and then travels to another Jurisdiction. 

This gives us something like the situation shown below (we’ve removed a few labels and the explicit reference to the governance framework to simplify the diagram):

We can extend this model further and consider how it has similar qualities to an international supply chain trust model where we have multiple governance frameworks across multiple participants. 

Here’s how we might represent that using the building blocks we’ve used above, with some realignment.

Here the inter-jurisdiction traveller isn’t a person and their credentials, but the goods and services together with their provenance and proof that they meet the requirements of each participant and the relevant governance framework(s) along the supply chain.

Solving for the simple case should allow us to solve for the more complicated case as it is made up of many “simple” cases. Returning to our diagram, we have some questions to answer as shown in the diagram below.

We’ll explore how we can answer these shortly, but first, let’s have a quick reality check…

Recognising our limits

Before we explore how technology can be applied to this problem, we should be realistic and recognise that it can only solve part of the problem. One way to illustrate this is with the phrase “recognition is in the eye of the beholder”: while someone might be able to prove that they have qualifications from an issuing organisation, it is up to the relying party to decide whether these qualifications meet their needs. 

The limits of regtech, and reg, and tech

We might on occasions be able to codify the rules by which recognition should work, this is the work that Civic Ledger explored with us in the AMR study. Done appropriately, this can be a good thing for all participants, increasing transparency and efficiency. However we won’t be able to codify all rules for all occupations and contexts, and the ultimate decision (and liability) tends to rest with the Verifier (aka relying party) no matter the tools provided.

Sometimes, as in the case of the MR/AMR Acts in Australia, we might have legislation that endeavours to ensure that “mutual recognition” of specific qualifications will occur. This can mean that the relying party has the legal right to accept (and no legal right to refuse) qualifications from recognised external sources.

Other times (as mentioned above), there may be additional requirements that need to be met before recognition can be completed. These may be as simple as local registration, or as complex as re-qualification. Sometimes they may be prohibitively complex or un-economic for the individual to overcome.

These rules are determined by sovereign jurisdictions (countries and states who define their own laws) and the peak bodies who represent the relevant occupation in their jurisdiction. It is their decision(s) as to whether they choose to recognise, or choose not to recognise, other jurisdictions and the qualifications of other peak bodies. Technology has little or no say in these matters.

This is not an end to our pursuit though. While we recognise its limits, solving the technical problem can provide significant benefits in removing unhelpful constraints and friction in the process, so let’s look at the technology that we can use to help us.

Standards are great 😀, there are so many to choose from 😟

First let’s acknowledge the role, and the limitation, that standards play here. Where occupations have internationally recognised qualifications, our work is made easier. Obvious examples might include trades whose practice requires international travel, maritime and airline captains and pilots, and commercial drivers for example. Examples of international standards for credentials include international passports, the WHO vaccination “yellow card”, and driving licences.

However not all occupations have international standards of accreditation, not all have digital representations, and not all international standards are recognised universally. Standardisation is generally a good thing, but we can’t expect every professional body and jurisdiction to standardise or even to use the same standards. 

Accepting that there will always be differences, what we can try and do is to represent the data about the credentials that people do have in a way that can be verified and understood universally, a container for verifiable data of any sort. [That is precisely what the W3C VC data model aims to achieve, but there are other examples]. 

Standardising at the data representation level is something of a minimal viable product approach, minimal but there are still technical challenges to solve. A consistent way to issue, hold and present verifiable data is a foundational building block, but isn’t all that we will need to make an end-to-end system work, we’ll need many other things such as defined processes, regulations, governance, interaction patterns and communication protocols as well. 

If we cannot presume to know all the uses and transaction patterns that a credential may be used for now or in the future, we can choose data standards for the credentials which have publicly accessible or open data definitions and which enable interpretation and interoperability.

While this may seem self-evidently true and beg the question “who would do anything else?” There are all too many instances where approaches for commercial and social systems are chosen that are closed, bespoke or proprietary, even if we know that these don’t lead to portability and interoperability now or in the future.

So how does existing technology make VMR possible?

Despite the explorative approach taken in this article, this is not a thought experiment or something to note down for future reference. Existing technologies can be used to help make VMR a practical reality now for real people, in real trades, working for real organisations across real jurisdictions. The economic and social business case(s) for this work are compelling for jurisdictions, organisations, and the people personally impacted.

For our explanation, we’ll focus on how we can use the capabilities provided by the W3C VC Data Model (and its associated verifiable presentation) and the work of the Trust over IP (ToIP) Governance Stack Working Group (ToIP GSWG). However it is important to realise that we are talking about long lived issues here. We need to think in terms of years, decades, and professional and personal lifetimes. This means that the current standards and methods (any current standards) will evolve and even be superseded and replaced during these time periods but the principles should still hold true whether we are using this technology stack or not.

Let’s revisit the diagram we produced earlier:

If we consider our diagram above, we have some obvious problems to resolve before the Verifier can decide if they can accept the holder’s credentials. We’ll focus on three of these problems:

  1. How can the Verifier “understand” the verifiable data presented?
  2. How can the Verifier check to see if they are allowed to accept credentials from this jurisdiction?
  3. How can the Verifier understand more about the processes and evidence used by the Issuer?

We’ll explore each of these problems and their potential resolution in the sections below.

Understanding data from somewhere, and someone, else

The problem of how to understand data across several different domains, and how to present in ways that verifiable and multi-purpose has been worked on for many years. Some of the current tools and approaches to solving this problem include:

  • Semantic technologies: Semantic technologies enable data to be linked and shared in a way that can be understood by people and by machines. They rely on standard data formats, such as RDF and OWL, and vocabularies, such as RDFS and SKOS, to provide a common language for describing data. 
  • Linked Data: Linked Data is a set of principles and best practices for publishing and linking data on the web. It allows data to be interlinked and reused, and enables the meaning of data to be understood in different contexts.
  • Schema.org: Schema.org provides a vocabulary that allows data to be described in a way that can be understood by search engines and other applications. It provides a common language for describing data, which makes it easier for machines to understand the meaning of the data.

This is something of a universal problem for all data that traverses disparate systems and use cases. For many years this was mostly of academic interest, however recently there has been significant investment in tools and techniques to satisfy the demands of global big data related activities.

Recognising other Governance Frameworks

Let’s zoom in a little on our problem and give an example of two relatively simple concepts can lead to a resolution of this specific issue:

  1. Governance Authorities can include and maintain a list of the other governance frameworks that they trust – see for example how the Trust over IP Governance Framework MetaModel specification has included this concept (https://wiki.trustoverip.org/display/HOME/ToIP+Governance+Metamodel+Specification#ToIPGovernanceMetamodelSpecification-Extensions)
  2. Making this list of recognised (“extended”) governance frameworks human and machine accessible through verifiable data registries. Here the Governance Authority publishes and maintains a list of the other Governance Frameworks (and/or their associated elements) that it “trusts” and can be used within its Governance Framework according to its rules. This list can be read (checked) by Verifiers who receive a proof from someone that refers to an external (to them) Governance Framework.

Declaring the processes and evidence used when issuing credentials

The W3C VC data model is a general model in that it allows us to define any structure for credential(s) within its rules. This means we can create definitions for anything from academic awards to tickets for the zoo. The data model anticipates several needs in terms of the things an Issuer might want to provide to help make sure that the Credentials they issue are considered trustworthy. Two examples are:

  1. The “metadata” areas in which the Issuer can describe any and all relevant aspects of the Credential, from the version number to the controlling organisation of the schema (if there is one).
  2. The “evidence” field, where the Issuer can provide a list of the evidence that they received/used as part of their qualification process before issuing the credential to the holder.

We can use these elements, and the general capability of the list of claims, to describe things such as:

  • Quality standards met/held by the Issuer
  • Formalised processes followed
  • Independent auditor(s) used
  • Governance Framework(s) adhered to
  • Licences held (relevant to the issuance of the credential)

What type of use cases can this work for?

So if we can solve these (and other) problems, what kind of use cases become deliverable? Subject to economic, political and social will, all occupations that have some form of registration, credentials and/or qualifications can be considered candidates for this approach, across all participating jurisdictions.

Importantly, while there needs to be recognised and managed relationships between some elements (such as governance authorities), these are not just about technology and we do not need to set up a complex or single centred infrastructure. Our basic building blocks of VCs, DIDs and Verifiable Data Registries can be used such that verification is decentralised (a privacy preserving and secure exchange between the Holder and Verifier with no “call home” to the original Issuer) and each party maintains their own, decoupled, infrastructure.

To put this more strongly: we do not need any mono or poly “digital deities”. We only need to enable existing authorities, organisations and people to participate using common standards.

This means that our use cases include people who wish to travel and ply their trade across sectors such as:

  • Medicine
  • Law
  • Architecture
  • Accounting
  • Trades (plumbing, electrical, carpentry, building etc.)
  • Teaching
  • Academic studies and research

And many others besides.

This means that technology solutions based on open-source and open-standards can be used to help solve problems from “credit for prior learning” for international students, to helping our travelling doctor restart their life in New Zealand.

So it’s doable now, how do you get started?

VMR programmes are already being started (such as the BRII and LP2 initiatives we mentioned in this article). Existing operational systems exist where verifiable credentials issued by one organisation can be verified and recognised by another. 

While there are compelling arguments for VMR, there is a need to consider the economic, governance and technical opportunities and challenges before starting a specific instance of a VMR initiative. 

If you think a VMR approach can address a need in your jurisdiction, we’d be happy to explore the potential with you.

Making VMR work can radically solve a problem of trust in digital interactions for the benefit of all, and that’s exactly the kind of thing we like to do.

About the Author
John Phillips
John Phillips John believes that there are better models for digital trust for people, organisations, and things on a global scale. He sees verifiable credentials, trustworthy communication, and trustworthy identifiers as a disruptive force for change for good, and wants to be a catalyst for that change, helping people and organisations navigate their way to a better future.

You may also find interesting...