Additional information
In this section you can find additional information to guide you in your eID journey.
The Privacy Preserving Biometric Verifiability section talks about the privacy focused features of SensePrints and how they can be verified without storing biometrics.
The Principles of Privacy Preserving Face Verification section outlines the fundamental privacy by design goals that the system seeks to build on.
Finally, the Foundational vs Functional eID section highlights how SenseCrypt technology can fit within a bigger picture of a national ID framework having one foundational eID (SensePrint) and multiple privacy preserving functional eIDs (Face Certificates).
Why is SenseCrypt non-biometric in nature?
As we have seen in the previous section, traditional Face Recognition depends on generating and storing a biometric template during enrollment and then, subsequently, generating and comparing a new template during verification.
Because any two generated feature vectors / templates can be compared, if one is stored in a database operated by company A and the other in a database operated by company B, the two can be compared to determine whether they belong to the same person.
This is despite the fact that company A and company B may be unrelated to each other. This violates the principle of Unlinkability in a Privacy by Design framework.
The ability to compare feature vectors / templates with one another in traditional biometrics is what makes the stored data biometric in nature.
To enable privacy preservation, a system should be able to generate any number of different data structures (akin to feature vectors / templates) from a single image, such that the data structures thus generated cannot be compared to one another.
Since there is no way to compare the data structures generated by a privacy preserving framework, if they were stored in separate databases, there would be no way to find out that the data structures correspond to the same person. This satisfies the principle of Unlinkability in a Privacy by Design framework. This is also what makes the data structures non-biometric in nature.
We have seen how two Privacy Preserving data structures generated from exactly the same data cannot be compared to each other to determine any kind of similarity.
But, given a Biometric Sample (such as a facial image), can it be determined that the Privacy Preserving data structure was generated from a similar biometric sample?
As it turns out, the SenseCrypt algorithm makes exactly this possible.
Thus, even though the data structures (SensePrints) generated by the SenseCrypt algorithm are non-biometric in nature, they can be used for Biometric Verification.
How Face PKI enables functional eID
For an eID system, there should exist exactly one foundational eID for a person.
However, for privacy preservation, if that foundational eID is used across different systems, it makes the foundational eID linkable. As an example, if your passport number was stored in many different databases, it would make it easy to track all your interactions across those databases.
Functional eID solves this problem by facilitating a pairwise functional eID for an ID Holder and a particular verifier/service/purpose.
Functional eID is enabled through SenseCrypt's Face PKI features. The following steps describe how this works:
Root Certificate - The issuer of the foundational eID has a root certificate that all verifiers can trust. All verifiers first obtain the root certificate and cache it.
Foundational eID Issuance - After authenticating a prospective eID candidate, the ID issuer issues a SensePrint eID. This eID forms the foundational eID.
Face Certificate (functional eID) - When the eID holder interacts with a service, the service (verifier) needs to validate that the holder is real. To do so, the service requests the holder for a Face Certificate that is signed by the foundational eID's issuer. Such a Face Certificate contains a unique public key of the eID holder. The public key is, however, different for each verifier/service/purpose thus preserving privacy through unlinkability.
A Face Certificate is generated from a user's face, and their SensePrint eID. It is generated for a particular purpose ID. The same purpose ID must be specified while verifying the eID holder using a Face Certificate. Since the purpose ID is expected to be unique for every service that the user interacts with, the public key in the Face Certificate is pairwise and preserves privacy through unlinkability.
The verifier can trust that the Face Certificate provided by an eID holder is authentic by verifying its signature using the trusted Root Certificate. The Face Certificate can be cached by a verifier after a first functional eID verification, performed in the step described below.
Functional eID Verification - When a user presents a Face Certificate to a verifier, the verifier only knows that the certificate is valid and has been issued by the foundational eID issuer. To verify that it is the actual eID holder who is presenting the certificate, the verifier presents a random challenge to the holder (e.g. a UUID). The eID holder must sign the challenge using an ephemeral private key that is generated from their face, their SensePrint eID, and for the specified service/purpose ID. The challenge is signed with the ephemeral private key and transmitted back to the verifier. The verifier can then verify the signature using the public key that is contained in the eID holder's Face Certificate.
A Face Certificate allows the verification of an eID holder using their face without a verifier having (or processing) the holder's face!
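The Face Certificate issuance and challenge-response verification described in the steps above, as an added example that is not SenseCrypt's own code. It assumes Ed25519 signatures and models the face + SensePrint key derivation as a hash of a constructed holder secret with the purpose ID, since the real derivation is not described on this page; the names FaceCertificate, DeriveHolderKey, IssueFaceCertificate, VerifyFaceCertificate and VerifyResponse are hypothetical.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// FaceCertificate: simplified stand-in for a Face Certificate (pairwise public key for one purpose ID, issuer-signed).
type FaceCertificate struct {
	PurposeID string
	HolderPub ed25519.PublicKey
	Signature []byte // issuer signature over certBody
}

func certBody(purposeID string, pub ed25519.PublicKey) []byte { // constructed encoding the issuer signs
	return append([]byte(purposeID+"|"), pub...)
}

// DeriveHolderKey stands in for deriving a key from face + SensePrint + purpose ID. Assumption: the real
// SenseCrypt derivation is not public; hashing a holder secret with the purpose ID only reproduces the pairwise property.
func DeriveHolderKey(holderSecret []byte, purposeID string) ed25519.PrivateKey {
	seed := sha256.Sum256(append([]byte(purposeID+"|"), holderSecret...))
	return ed25519.NewKeyFromSeed(seed[:])
}

// IssueFaceCertificate: the foundational eID issuer signs the holder's pairwise public key.
func IssueFaceCertificate(issuerPriv ed25519.PrivateKey, purposeID string, pub ed25519.PublicKey) FaceCertificate {
	return FaceCertificate{purposeID, pub, ed25519.Sign(issuerPriv, certBody(purposeID, pub))}
}

// VerifyFaceCertificate: the verifier checks the issuer signature with the cached root key and its own purpose ID.
func VerifyFaceCertificate(rootPub ed25519.PublicKey, c FaceCertificate, purposeID string) bool {
	return c.PurposeID == purposeID && ed25519.Verify(rootPub, certBody(c.PurposeID, c.HolderPub), c.Signature)
}

// VerifyResponse: the verifier checks the holder's signature over its challenge with the certificate's public key.
func VerifyResponse(c FaceCertificate, challenge, response []byte) bool {
	return ed25519.Verify(c.HolderPub, challenge, response)
}

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader) // issuer root key pair; verifiers cache rootPub
	holderPriv := DeriveHolderKey([]byte("constructed stand-in for face + SensePrint"), "bank-login")
	cert := IssueFaceCertificate(rootPriv, "bank-login", holderPriv.Public().(ed25519.PublicKey))
	challenge := make([]byte, 16) // stand-in for the UUID challenge in the text
	rand.Read(challenge)
	fmt.Println(VerifyFaceCertificate(rootPub, cert, "bank-login"), VerifyResponse(cert, challenge, ed25519.Sign(holderPriv, challenge)))
}
```

The same holder secret with a different purpose ID yields a different key pair, so two verifiers holding Face Certificates for different purposes cannot link them by public key.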
Privacy by Design principles for systems
In the previous section we have seen how SensePrints are data structures that are privacy preserving (it cannot be determined that two SensePrints, when compared to each other, were generated from the same person's face).
We have also seen how SensePrints have the property of Biometric Verifiability (given a person's face and a SensePrint, it is possible to verify that it was the same person for whom the SensePrint was generated earlier).
In this section, we highlight the Privacy by Design principles that should underscore any good system.
Unlinkability - Given two data structures (SensePrints) alone, it should be impossible to tell if they were generated from the same data (face + metadata) or from different data.
Irreversibility - Given a SensePrint, it should be impossible to obtain the original face that was used to generate the SensePrint. This property is typically not satisfied by traditional Face Verification systems, as they offer a similarity score between two templates. This similarity score makes traditional technology susceptible to Hill Climbing Attacks.
Revocability and Renewability - In traditional systems, it is possible to generate only one feature vector / template from a single image. Multiple SensePrints can be generated from the same person. While you can't change your face, you can change your SensePrint as needed.
If a SensePrint needs to be replaced, a new one can be generated from exactly the same image and data and such a SensePrint would be entirely different from the one being revoked.