28 January 2021
Vaccine passports: are you for or against?
For others, it brings too many political, legal, social and cultural concerns. Can my employer insist that I have the vaccine? Can airlines refuse me a ticket if I don’t have one? Why should I be turned away from events when I have no control over when I get the vaccine?
Data privacy, however, is one concern that iProov can address. We’ve been working with our partner, Mvine, on a digital vaccine certificate that puts the user’s data privacy front and center. Data privacy is a growing concern among consumers; in a survey we ran last week, 96% of respondents said that they care about their data privacy. 73% said “I care a lot”, with 25% saying that they cared but feared that they don’t have much control over it. Only 2% said they didn’t care at all.
The trial project of the Mvine-iProov passport is intended to enable the creation of an anonymous vaccination certificate. This would take place when an individual is vaccinated by a medical professional. The certificate would then be authenticated whenever that person needed to prove that they had been vaccinated.
Imagine you’re going for your vaccine. The medical professional administering your vaccination would create the online certificate using a mobile phone or tablet. They would take a picture of your face and add it to the electronic certificate, along with the date of the vaccination. That’s all that’s needed; your face and date. The certificate does not need to include your name, address, SSN or any other identifying information. The medical professional issues you with the digital certificate, using a QR code.
When you then need to present your certificate, you actively choose to show the QR code to the person or system that is asking for it. You then complete a simple face scan using a mobile device or tablet to verify that you are the holder of the certificate. An individual therefore cannot be verified without their knowledge and consent. Only the individual that was vaccinated can use the certificate – it can’t be shared, borrowed or stolen.
The key feature of the design is that apart from the certificate number and a face biometric, no other identity information is required or stored online. It also doesn’t discriminate against people based on the kind of smartphone they own, and there is also a route for people who do not possess smartphones – i.e., a card-based method. It puts privacy and inclusion at its heart.
So how does iProov protect the user’s face? Surely providing a picture of a face is giving up private data?
iProov’s technology uses a privacy firewall. Even in other situations – for example, where a bank needs to know a customer’s name and address as well as their face – the face is separated from the other data. iProov has no access to the other information apart from the face. The bank has no access to the biometric. There is a structural separation between the user identity and the user biometric, which is highly effective in safeguarding the privacy of the user.
Passwords are not secure. 74% of consumers have had to reset a password because of a data breach, which means that three quarters of the population could have had their data compromised. ‘Knowledge-based’ security, like passwords, can be shared, borrowed and stolen and that puts data privacy at risk.
Passwords are also not usable. Adding more complexity to passwords makes them harder to remember, which means people find workarounds – writing them down, or using the same password for everything. This makes them less secure.
iProov face verification solves both of these problems:
The vaccine certificate concept described above can be extended to numerous other use cases. The idea of a digital identity as a virtual dossier containing every single personal or private fact about you is outdated. The future lies in digital identity programs that give consumers more control over their data.
Data from our latest consumer survey, completed in January 2021: