Can Privacy-based 'Identity Tokens’ Empower Users in the Digital Economy of the Future?

Not digital IDs, access credentials, or crypto tokens, but rather ‘privacy-enhancing identity tokens’ for your biometrics.

And the new situations in which you should consider (or ask for) tokenized biometric data to be used instead of images/photos or biometric templates.

Inspired by a recent discussion, and a spirited debate, with a co-founder of an identity document verification & biometrics firm, I wanted to share some thoughts and ideas on the use of Privacy-Enhancing Technologies (PET) to protect our most sensitive data: biometrics.

Your images of Face, Fingerprints, Palm, or Iris, once stolen/compromised, cannot be replaced. And while your Face may be public information at this point, your Fingerprints, your Palm, and your Iris certainly are not (nor should they ever be). Any one of the 3.3 million people affected by the Office of Public Management hack in 2013-2015 knows that their actual Fingerprints are in the possession of unauthorized actors. Present company included; so yes, this feels personal.


I estimate that the vast majority of identity verification companies today operate using photos and images only (as well as biometric templates). And there are some good reasons for it. Government agencies like border control need to be able to visually confirm a facial match. We may need to have a ‘human in the loop’ to help adjudicate issues or assist with account recovery for someone who has lost their driver’s license or passport. A service provider needs to be able to match the right user to the right account.

Furthermore, biometric matching is based on probabilistic science, so it doesn’t always get things right, and we need to remedy that. We do have false positives (incorrectly verifying or identifying someone as another person) and false negatives (mistakenly rejecting or failing to match the right person). Depending on the use case, the impact and consequences can be quite harmful to the user(s). Having access to photos/images is often important, but not always.

There are several use cases where deleting the photos/images and biometric templates is the best possible approach. It preserves user privacy, promotes user control over the most sensitive identity data, and enables the use of biometrics in new areas previously off limits for biometric matching.


So, what is tokenized biometrics?

In short, due to human ingenuity, advances in computing, encryption, and machine learning, there are now ways to transform our most sensitive biometric markers like photos/images and biometric templates into unique ‘privacy-preserving’ identity tokens. And delete the image and biometric template forever.

"How Does Tokenized Identity Work?" (May 2024)

Such identity tokens cannot be used to re-create your photo/image. They are irreversible and small in size (small enough to fit into a QR code). They can be easily replaced with new tokens if your current token is ever compromised or stolen. They can better protect against ‘Harvest Now, Decrypt Later’ attacks, a term that refers to the collection of sensitive data (like biometrics) encrypted with today’s technologies, for decryption later. Two excellent resources on this topic are:


There has been more focus at the national level on privacy enhancing technologies over the last two years.

In June 2023, the House Science, Space, and Technology Subcommittee on Investigations and Oversight hosted a ‘Privacy in the Age of Biometrics’ hearing (YouTube link) (session overview + list of pros for PETs in biometrics). In March 2023, the White House released a National Strategy to Advance Privacy-Preserving Data Sharing and Analytics (link). In September 2023, at the Identity Week conference in Washington D.C., U.S. Representative Bill Foster called on the industry to enable “exchange of biometrics without exchanging biometrics” in a riveting session that was little noticed by the private sector.

So far, the year 2024 promises to bring even more changes.

The ‘American Privacy Rights Act 2024’, if adopted by Congress, will establish a pilot program at the Federal Trade Commission for entities to deploy privacy-enhancing technologies. Here is a link to a great summary of APRA. In a related development, at the end of April, the U.S. House passed the ‘Privacy Enhancing Technology Research Act’ by a large majority, 354 to 36. That legislation, if adopted, will empower the National Science Foundation to pursue fundamental research to mitigate individuals’ privacy risks in data sets.


‘Privacy-enhancing Identity Tokens’ (new use cases)

(1)    User Privacy – “I exist, I am here, and I am the same person” – This is, and should be, the core tenet of any social, commercial or voluntary engagement between people, businesses, and things. And if we have the option to use the most privacy-preserving method to demonstrate (prove) this statement, then we should absolutely do it.

(2)    Data Security – Identity companies can increase data security posture by implementing ‘Hot’ vs ‘Cold’ data storage for biometrics. Instead of calling a centralized database of images 100% of the time, one could connect to a tokenized biometrics database first (‘hot storage’ = connected to the Internet) for 90% of the verification or identification requests, and – in case of any issues – make a 2nd call to the actual library of images for the remaining instances (‘cold’ storage = behind firewalls or offline). We can put the most sensitive data farther from threat actors and offer fewer chances for them to breach IT systems.

(3)    Virtual Access – Unlike in the physical world, there is no human decision-maker online, in the metaverse or omniverse. And thus, there is no need for a human adjudicator to see and evaluate your image/photo or biometric template. So why not use just biometric tokens?  Plus, which human being can consistently and correctly adjudicate one’s palms, fingerprints or irises…

(4)    Decentralized Biometrics – In the world of empowered users, I can issue my own biometric-based identity tokens with my own unique secret, and share them with select service providers that I want to interact with. There is no need for a service provider to collect or hold onto my biometrics. We can have a trusted 3rd party do it. I can provide my biometrics and the service provider will utilize a unique secret to create an identity token that can only be used for me with only that service provider.    

(5)    Multi-Persona Verification – We can help to facilitate human interactions in the online world. What if you make a friend on one platform and want to make sure you are interacting with the same person on a different platform? What if someone turns into a digital stalker? You can create a trusted circle of friends and family, exchange biometric tokens, and transition from online to IRL (and vice versa) without jeopardizing your privacy. No one will be able to dox you (i.e., publish your identifying information on the internet, typically with malicious intent).

(6)    Artificial Intelligence – If there are no images to steal, there will be no images to re-use, replay, or manipulate. As a matter of fact, we could leverage a combination of Verifiable Credentials (cryptographically secure and trusted digital statements) and ‘privacy-enhancing identity tokens’ to provide an additional level of assurance and proof of humanity, which will need to accompany an image of you.

(7)    Compliance/Regulatory – If I were a cybersecurity insurance company, you would get a 50% discount on your premium by using tokenized biometrics instead of actual images and/or biometric templates. No questions asked. We would just need to be able to audit your cybersecurity practices.

(8)    Remote & Offline Use – Because of their size and security features, privacy-enhancing identity tokens could be utilized in areas and circumstances where sending, sharing or storing actual photographs and images was not possible, cost-prohibitive, or too risky. Just imagine being able to store millions of tokens on regular smart devices, embed identity tokens into QR codes for easy 1:1 verification (cheap and quick to issue), and use biometrics to finally augment service delivery at the last mile and in the most remote areas. Enable offline usage.
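The token properties described above (irreversible, QR-code sized, replaceable) and the per-service-provider secret of use case (4) can be modelled in a few lines. This is an added example, not code from the post or from any vendor it mentions: a keyed random projection (BioHashing-style) over a constructed feature vector, where the secret and a service-provider context string derive the projection directions via HMAC. The template, noise level, token length and 20% match threshold are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import random

# Constructed stand-in: a biometric template is modelled as a vector of
# floating-point features. Real templates are vendor-specific; this one
# exists only so the transform can be run end to end.
TEMPLATE_DIM = 32
TOKEN_BITS = 64
MATCH_THRESHOLD = 0.20   # accept if at most 20% of token bits differ


def constructed_template(seed: int) -> list:
    """Deterministic stand-in for features extracted from one scan."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(TEMPLATE_DIM)]


def noisy_recapture(template: list, seed: int, noise: float = 0.05) -> list:
    """Simulate a second scan of the same person: same features plus sensor noise."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, noise) for x in template]


def tokenize(template: list, secret: bytes, context: bytes) -> bytes:
    """Keyed random projection (BioHashing-style).

    The secret and context (e.g. a service-provider identifier) derive the
    projection directions via HMAC, so the same template yields unlinkable
    tokens per provider, and rotating the secret revokes a stolen token.
    Only the sign of each projection is kept, so the template's magnitudes
    are discarded and the token cannot be turned back into the template.
    """
    seed = hmac.new(secret, context, hashlib.sha256).digest()
    rng = random.Random(int.from_bytes(seed, "big"))
    bits = 0
    for _ in range(TOKEN_BITS):
        direction = [rng.gauss(0.0, 1.0) for _ in range(TEMPLATE_DIM)]
        projection = sum(w * x for w, x in zip(direction, template))
        bits = (bits << 1) | (1 if projection >= 0 else 0)
    return bits.to_bytes(TOKEN_BITS // 8, "big")   # 8 bytes: QR-code sized


def hamming_fraction(a: bytes, b: bytes) -> float:
    """Fraction of differing bits between two tokens of equal length."""
    diff = int.from_bytes(a, "big") ^ int.from_bytes(b, "big")
    return bin(diff).count("1") / TOKEN_BITS


def tokens_match(a: bytes, b: bytes) -> bool:
    """Biometric matching stays probabilistic: tolerate a few flipped bits."""
    return hamming_fraction(a, b) <= MATCH_THRESHOLD
```

Tokenizing a noisy recapture of the same template with the same secret and context stays within the threshold, while changing either the secret or the context yields a token differing in roughly half its bits, which is what revocation and cross-provider unlinkability look like in this model. The model is a teaching simplification and says nothing about the effective entropy of real templates.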


In short, with ‘privacy preserving identity tokens’, we have an opportunity to:

  • Empower and protect the Users
  • Create completely new use cases for the digital economy
  • Guard individuals against AI and machine learning-powered manipulations
  • Disrupt the field of biometric verification and identification
  • Deploy complementary technology to existing identity systems


There are many more use cases, and not enough space to write about them. Keep them coming. Share your ideas and questions.

Next time you are implementing (or using) a digital identity verification or identification system with biometrics, ask yourself… Could this be achieved with tokenized biometric data? If not all of it, then what part of it perhaps? Why – or even more importantly – why not?

Why not?  

Andro Koutsoudis

Vice President, Global Product Management, Identity & Data at Mastercard

4mo

Excellent post!!

FHE for all identity data including biometrics is a reality now. Exciting space to watch.

Julien Bringer

Entrepreneur | tech and business innovation | digital identity, cybersecurity, crypto, privacy, biometrics, AI leadership and expertise

4mo

Hi Przemek, there are indeed several ways to convert biometric information into a non-invertible and unlinkable blob (and combining it with decentralization is a logical path). It all depends on the context whether or not it achieves the security/reliability/privacy requirements. The industry needs to change their habits and for instance ISO/IEC 24745 is describing several models to do so in order to help the industry and govs with guidelines. Nevertheless, there are also challenges with respect to the effective entropy when accounting for error rates. Feel free to reach out if this is a topic you want to discuss.

Thought provoking indeed Przemek. Are the tokens pseudonymous like hashed data which, according to GDPR, is still personal data? Do these tokens degrade matching accuracy (i.e., increase Type I and Type II matching error rates) - as ISO interoperable templates do? Are the tokens proprietary (i.e., not interoperable)? How do you know that the presenter of the token is the natural person from which the token was generated?

Mike Tierney

Director at William & Mary Global Research Institute

4mo

Troy Wiipongwii, PhD, MPP, I thought of you when I read this. Przemek lives here in the Burg.
