Security and Privacy
Secure Permissions Checking
No personal data stored on the central platform
Personal data is only ever stored on the mobile device and will never be shared with the central platform. All activity data stored on the central platform references a unique Hashed User ID (HUID). Each HUID is a combination of a secret Digital-App-ID generated on the mobile device and a 6-digit User Code. It is not an encryption mechanism but a hashing algorithm (SHA256), made stronger by combining two separate elements.
As an enhanced protection, an individual can change their 6-digit User Code at any time. This forces a change of the HUID, and all historical data on the central platform is updated to reflect the new code.
The individual can also, at any time, request ‘forget me’ from their app, and all previous activity data will be completely removed from the system.
For each check (e.g. a travel-permit check by a policeman) a unique QR code is generated. This code is temporary and only useful for that specific check. A hashing algorithm generates the code by combining a server-generated ‘noise’ (random code), a mobile-app-generated ‘noise’, and a physical-ID code for the user (this could be a number linked to any form of photo ID, e.g. National ID Card, Driving Licence, or other).
The checker (policeman) simply scans the QR code from the individual’s phone and enters the physical ID provided by the individual. This triggers an action on the server which, after verifying the provided data (QR code + entered physical ID), sends a use-once 2FA code to the individual’s phone.
Once the 2FA code is correctly entered, the checker sees the result of the specific check on their mobile app (e.g. approved travel permit), without needing any personally identifiable information from the individual on the app. The server noise is regenerated after each check, so that each QR code is usable only once.
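A constructed walkthrough of the two hashing steps described above, added here as an example and not the platform's own code: the HUID derivation with re-keying of historical records when the User Code changes, and the per-check code that dies once the server noise is regenerated. The concatenation format and delimiter, the 16-byte noise size, the 2FA step being left out, and the QR payload carrying the app noise in clear beside the hash are all assumptions.

```python
import hashlib
import secrets

def huid(app_id: str, user_code: str) -> str:
    """Hashed User ID: SHA-256 over the device-secret Digital-App-ID and the
    6-digit User Code. The page fixes no concatenation format, so a delimiter
    is assumed here to keep the two elements unambiguous."""
    if len(user_code) != 6 or not user_code.isdigit():
        raise ValueError("User Code must be exactly 6 digits")
    return hashlib.sha256(f"{app_id}|{user_code}".encode()).hexdigest()

def rekey_history(records: list, app_id: str, old_code: str, new_code: str) -> list:
    """A User Code change forces a new HUID; historical activity records on the
    central platform are re-pointed to it (no personal data is involved)."""
    old, new = huid(app_id, old_code), huid(app_id, new_code)
    return [{**r, "huid": new} if r["huid"] == old else r for r in records]

def check_code(server_noise: bytes, app_noise: bytes, physical_id: str) -> str:
    """Per-check QR code: SHA-256 over server noise + app noise + physical-ID code."""
    return hashlib.sha256(b"|".join([server_noise, app_noise, physical_id.encode()])).hexdigest()

class CheckServer:
    """Constructed server side: keeps the current server noise per HUID and
    regenerates it after each completed check, so a scanned code is single-use."""
    def __init__(self) -> None:
        self.noise: dict = {}

    def issue_noise(self, user: str) -> bytes:
        self.noise[user] = secrets.token_bytes(16)
        return self.noise[user]

    def verify(self, user: str, qr: dict, entered_physical_id: str) -> bool:
        # Assumption: the QR payload carries the app noise in clear next to the
        # hash, so the server recomputes the code from its own noise and the entered ID.
        expected = check_code(self.noise[user], qr["app_noise"], entered_physical_id)
        ok = secrets.compare_digest(expected, qr["code"])
        if ok:
            self.issue_noise(user)  # rotate: the just-scanned code is now dead
        return ok

def run_check(physical_id: str = "ID-123456", entered: str = "ID-123456") -> tuple:
    """One full check: the app builds the QR code, the checker scans it and enters
    the ID, then the same QR code is presented a second time (replay attempt)."""
    server, user = CheckServer(), huid("device-secret-app-id", "482913")
    app_noise = secrets.token_bytes(16)
    qr = {"app_noise": app_noise,
          "code": check_code(server.issue_noise(user), app_noise, physical_id)}
    first = server.verify(user, qr, entered)
    replay = server.verify(user, qr, entered)
    return first, replay
```

Running `run_check()` returns `(True, False)`: the first scan verifies, the replay of the same code fails because the server noise has already been regenerated.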