This startup wants to verify your ID without storing your personal data
As government and banking services move away from verifying identities in the real world, moving toward online ID verification, several companies have entered the market to solve this problem. A new startup from France is entering the market with a solution that, in theory, should protect people’s privacy.
ShareID spokesperson Eliana Daboul described the company in an email as “an Authentication-as-a-Service solution tied to government-issued IDs.”
The twist is that, unlike other similar companies, ShareID claims it doesn’t store any personal data. Instead, according to ShareID’s CEO Sara Sebti, the company asks users to submit a video to prove their “liveness” — a fancy word that means the user has to prove they are a real person in front of their phone’s camera and it’s not a pre-recorded video — and a picture of their government ID. But ShareID says it doesn’t store this data, it keeps it in memory on its servers and creates a hash — a unique ID — and then wipes the data, which effectively was never stored on the servers.
Other companies use a different approach.
In the United States, the controversial ID.me says on its official website that it “may retain your Biometric Information for up to thirty-six months,” and that includes “selfie images and the associated Biometric Information.” ID.me obtained government contracts — such as with the IRS — but was criticized by members of the U.S. Congress, who said the company misrepresented how its tech worked and inflated estimates about fraud to increase demand for its services. (The company denied these accusations.)
CLEAR, a biometric security company that is present in airports and stadiums across the United States, states in its privacy policy that it obtains information such as “government-issued identification information,” “digital images and videos (such as images from your mobile device camera)” and “biometric data (such as digital images of fingerprints, irises and face).
The company says that it retains that kind of information, in the case of users in California, for the life of the CLEAR account. In the case of Canadian users, the company says it “will retain biometric data and other personal information only until the occurrence of the first of the following: (a) the initial purpose for collecting or obtaining such data has been satisfied or (b) three years following your last interaction with CLEAR (unless you request to close your account earlier).”
ShareID, on the other hand, wants to retain as little information as possible, and for as short a time as possible.
“We issue reusable identities to our users, we get rid of all the personal data that we captured. We only generate this homomorphic hash and we use it to re-authenticate the person when they come back,” Sebti told TechCrunch, referring to an encryption technique that allows the creation of a unique value from a set of data, and makes it impossible to reverse it to get the original data.
In practice, Sebti explained, ShareID customers have access to an SDK and an API that allows them to embed the company’s technology on their website, as well as their Android or iOS app. Sebti said that the person who is trying to authenticate will have to submit a video showing the front of the document for three seconds, and the back of the document for another three seconds. Then, the website or app will capture a video of the person’s face, asking it to fulfill challenges to prove they are really recording it live, such as smiling, tilting their face to the left or right, and following a point on the screen, whose position is randomly generated.
“You have a random point that is run on your screen and you have to follow it with your eyes, and you have no clue where it will be. So you cannot prepare the video to get into it,” Sebti said.
At that point the service processes this data and creates a homomorphic hash that can be used to re-authenticate the user when they come back.
At least, that’s what ShareID claims. Sebti said France’s military police audited the company’s security, and that they monitor their own security by running penetration tests, or pentests, and “other live security monitorings.”