ShareID: This startup wants to verify your ID without storing your personal data

Illustration of a man on the left side walking, and reaching out, towards a large phone in front of him that displays a face with a face scanning grid over the face. On the right side is a woman sitting partially on a stool, holding an open envelope with the word PIN showing, and a large key in the other hand.

ShareID spokesperson Eliana Daboul described the company in an email as “an Authentication-as-a-Service solution tied to government-issued IDs.”

The twist is that, unlike other similar companies, ShareID claims it doesn’t store any personal data. Instead, according to ShareID’s CEO Sara Sebti, the company asks users to submit a video to prove their “liveness” — a fancy word that means the user has to prove they are a real person in front of their phone’s camera and it’s not a pre-recorded video — and a picture of their government ID. But ShareID says it doesn’t store this data, it keeps it in memory on its servers and creates a hash — a unique ID — and then wipes the data, which effectively was never stored on the servers.

Whether we like it or not, many government departments want to store copies of IDs, and I’ve also been finding the same now in South Africa with charities wanting ID numbers for income tax rebates. What we also know is that both of these types of entities are not the most secure to be doing this. It’s also been seen that hackers often target a soft 3rd party service looking for credentials. So, the whole wanting copies of IDs is becoming very problematic.

A best practice is certainly to encrypt any such documentation (at the very minimum), but I often find that big companies will encrypt when they send statements and other documentation to you, but just you try responding back to them with similarly encrypted documents, and they don’t seem to be geared for that. If documents are stored in an encrypted format, that is a lot better, though.

So, whether ShareID is the best solution or not, remains to be seen, but I do like that there are such solutions being proposed. Citizens can be secure and private as they want to be, but if their governments are not practising the same cautions, then it helps little. Fining a government department for negligence does zero to help any citizen who has had their data breached (the fine is anyway paid with taxpayer money, too). It probably helps to fine private organisations, but for government agencies that is really no deterrent.

See https://techcrunch.com/2023/09/27/this-startup-wants-to-verify-your-id-without-storing-your-personal-data/

Comments