In response to the shift of government and financial services towards online identity verification, numerous companies have emerged to address this evolving landscape. A fresh startup hailing from France is stepping into this market with a solution designed to safeguard individuals’ privacy.
Eliana Daboul, a spokesperson for ShareID, conveyed the company’s identity via email, describing it as an “Authentication-as-a-Service solution integrated with government-issued IDs.”
What sets ShareID apart from its counterparts is its bold claim of refraining from retaining any personal data. Instead, as articulated by ShareID’s CEO Sara Sebti, the company employs a distinctive approach. Users are requested to provide a video demonstration of their “liveness,” essentially verifying that they are genuine individuals in real-time, as opposed to using a pre-recorded video. Additionally, users are asked to submit a photo of their government ID. Crucially, ShareID asserts that it does not store this data. Instead, it temporarily holds it in memory on its servers, where it is transformed into a unique hash or ID, and subsequently, the data is promptly wiped. This process effectively ensures that the user’s data is never stored on ShareID’s servers.
Alternative companies adopt a distinct approach.
In the United States, the contentious company ID.me states on its official website that it “may retain your Biometric Information for up to thirty-six months,” encompassing “selfie images and the ID.me has entered into government contracts, including a notable partnership with the IRS, for its services involving “Biometric Information” and related data. However, it faced criticism from members of the U.S. Congress who alleged that the company misrepresented its technology and inflated fraud estimates to drive demand for its services. (The company refuted these allegations.)
CLEAR, a biometric security firm with a presence in U.S. airports and stadiums, outlines in its privacy policy that it collects data including “government-issued identification information,” “digital images and videos (such as images from your mobile device camera),” and This encompasses “biometric data,” including digital images of fingerprints, irises, and facial features.
Regarding data retention, the company specifies that for users in California, such information will be retained for the duration of the CLEAR account’s existence. In the case of Canadian users, CLEAR stipulates that it will retain “biometric data and other personal information” solely until the first of the following events occurs: (a) the fulfillment of the initial purpose for data collection, for collecting or obtaining such data has been satisfied or (b) three years following your last interaction with CLEAR (unless you request to close your account earlier).”
In contrast, ShareID aims to minimize data retention to the greatest extent possible, and for the shortest duration feasible.
Sara Sebti, when speaking with TechCrunch, explained, “We issue reusable identities to our users, we get rid of all the personal data that we captured. “We generate only this homomorphic hash and utilize it for re-authenticating individuals when they return,” she clarified. Sebti referred to a homomorphic hash as an encryption method characterized by its ability to generate a unique code from data, ensuring it cannot be reverse-engineered to reveal the original information. creates a unique value from a set of data, rendering it impossible to reverse-engineer and retrieve the original data.
In practice, ShareID offers its customers access to an SDK and an API, enabling them to seamlessly integrate the company’s technology into their websites, as well as their Android or iOS applications. According to Sebti, the authentication process involves the individual submitting a video capturing the front of their document for three seconds, followed by the back of the document for another three seconds. Subsequently, the website or app captures a video of the person’s face, prompting them to complete challenges that demonstrate live interaction. These challenges may include smiling, tilting their face to the left or right, and tracking a randomly generated on-screen point.
“You have a random point that is dynamically displayed on your screen, and you must track it with your eyes, with no prior knowledge of its location,” Sebti explained.
Subsequently, the system processes this data and generates a homomorphic hash, which serves as the basis for re-authenticating the user upon their return.
ShareID asserts these claims, emphasizing that their security measures have undergone scrutiny, with France’s military police conducting an audit. Additionally, the company actively monitors its own security through activities such as penetration tests (pen tests) and other real-time security assessments.
