Data Privacy Day: How does iProov assure data privacy?

Vaccine passports: are you for or against?

Some people love the idea of a vaccine certificate enabling them to travel, go to sports or music events or resume other activities post-COVID.

For others, it brings too many political, legal, social and cultural concerns. Can my employer insist that I have the vaccine? Can airlines refuse me a ticket if I don’t have one? Why should I be turned away from events when I have no control over when I get the vaccine?

Vaccine passports and data privacy

Data privacy, however, is one concern that iProov can address. We’ve been working with our partner, Mvine, on a digital vaccine certificate that puts the user’s data privacy front and center. Data privacy is a growing concern among consumers; in a survey we ran last week, 96% of respondents said that they care about their data privacy. 73% said “I care a lot”, with 25% saying that they cared but feared that they don’t have much control over it. Only 2% said they didn’t care at all.

How does the Mvine-iProov vaccine certificate work?

The trial project of the Mvine-iProov passport is intended to enable the creation of an anonymous vaccination certificate. This would take place when an individual is vaccinated by a medical professional. The certificate would then be authenticated whenever that person needed to prove that they had been vaccinated.

Imagine you’re going for your vaccine. The medical professional administering your vaccination would create the online certificate using a mobile phone or tablet. They would take a picture of your face and add it to the electronic certificate, along with the date of the vaccination. That’s all that’s needed; your face and date. The certificate does not need to include your name, address, SSN or any other identifying information. The medical professional issues you with the digital certificate, using a QR code.

When you then need to present your certificate, you actively choose to show the QR code to the person or system that is asking for it. You then complete a simple face scan using a mobile device or tablet to verify that you are the holder of the certificate. An individual therefore cannot be verified without their knowledge and consent. Only the individual that was vaccinated can use the certificate – it can’t be shared, borrowed or stolen.

The key feature of the design is that apart from the certificate number and a face biometric, no other identity information is required or stored online. It also doesn’t discriminate against people based on the kind of smartphone they own, and there is also a route for people who do not possess smartphones – i.e., a card-based method. It puts privacy and inclusion at its heart.

How does iProov enable data privacy?

So how does iProov protect the user’s face? Surely providing a picture of a face is giving up private data?

iProov’s technology uses a privacy firewall. Even in other situations – for example, where a bank needs to know a customer’s name and address as well as their face – the face is separated from the other data. iProov has no access to the other information apart from the face. The bank has no access to the biometric. There is a structural separation between the user identity and the user biometric, which is highly effective in safeguarding the privacy of the user.

Why use face biometrics at all? Why not use passwords?

Passwords are not secure. 74% of consumers have had to reset a password because of a data breach, which means that three quarters of the population could have had their data compromised. ‘Knowledge-based’ security, like passwords, can be shared, borrowed and stolen and that puts data privacy at risk.

Passwords are also not usable. Adding more complexity to passwords makes them harder to remember, which means people find workarounds – writing them down, or using the same password for everything. This makes them less secure.

iProov face verification solves both of these problems:

• iProov is secure – a brief face verification confirms that a user is the right person, a real person (and not a photograph or mask) and that they are authenticating right now. We offer both Genuine Presence Assurance and Liveness Assurance, allowing users to authenticate in a way that is fitting to the situation.
• iProov is effortless to use – the user simply holds the device to their face for a few seconds for authentication to take place. This makes it inclusive to all, from ages 16 to 106, on any smartphone, tablet or computer.

Face + Fact: the future of digital identity?

The vaccine certificate concept described above can be extended to numerous other use cases. The idea of a digital identity as a virtual dossier containing every single personal or private fact about you is outdated. The future lies in digital identity programs that give consumers more control over their data.

How do US citizens feel about data privacy?

Data from our latest consumer survey, completed in January 2021: