Algorithmic transparency: Video identification to obtain the Mobile idCAT

 


 

Overview

The remote identification service using the video identification procedure, hereafter video identification, is a service that allows the remote authentication of a person with security and privacy guarantees.

The video identification service applies facial and image recognition algorithms that supply evidence to the authentication process and give it greater robustness, with a reliability equivalent to physical presence.

Use case

  • Obtaining the mobile idCAT (electronic signature system)

The video identification service is used to facilitate and strengthen the online registration of idCAT Mobile, so that it is an easier, safer and more trustworthy process.

The system guarantees that an official photo document (the identification document of the person's country of origin or their passport) matches a video 'selfie' that the person takes during the same process.

Once the video identification process is complete, an operator supervises it and, in accordance with the results of the checks and validations carried out by the system and after verifying the authenticity and validity of the identification document, if applicable, approves the request and registers the person in the idCAT Mòbil identification and electronic signature system register.

Thanks to this system, anyone in the world (over the age of 16) can obtain a digital identity (eID) to deal with any Catalan administration with just a mobile phone, a passport or national identity document and without leaving home.

Status

Implemented. The video identification service to obtain the mobile idCat was launched in May 2020, at the beginning of the pandemic. At the time, having an eID was an essential matter of digital rights, which remains true today. Over the past 3 years, 110,000 digital identities have been issued, solving many problems faced by citizens who could not obtain a digital identity through ordinary processes.

Service Level Agreement 

  • The video identification service to obtain the mobile idCat is available 24×7 with an availability level of 99%.
  • The effective registration in the idCAT Mòbil register is carried out within a maximum period of 48 hours, without taking into account public holidays.
    In practice, registrations are being made within 2 hours during working hours.

Main benefits of the service

  • Comfort: users can complete the entire video identification process from home in a few minutes, saving time and effort.
  • Inclusion: a lot has been invested in user experience to make the process remarkably simple for anyone, regardless of their digital skills.
  • Greater security: the facial and image recognition algorithm provided by VERIDAS has proven to have a high level of accuracy. The rejection rate is very low (5%). However, all video identification processes are supervised by public workers in order to eliminate risks, e.g. to detect cases of coercion or to avoid misunderstandings among people who are not aware of the automated process.
  • Savings: improves efficiency by automating administrative tasks and reducing errors, resulting in significant cost savings: up to 80% per transaction compared to face-to-face methods.

Contact information 

Responsible body
Open Administration of Catalonia 

Contact team for inquiries
Innovation and Data Branch

Team email
innovacio@aoc.cat  

External supplier
DELOITTE ADVISORY, SL that provides the Deloitte OBA technology integrated with the VERIDAS solution  

Supplier email
deloitte@deloitte.es;
info@veridas.com

 

More detailed information about the service 

Familiarize yourself with the information used by the system, the operating logic of the algorithms and its governance. 

Data sets 

Two main sources of data are used: 

1) Identification data of the users. 

The personal data that is processed is always obtained from the person concerned.

  • Personal data collected through the initial form:
    • Name
    • Email
    • Mobile Phone

  • Data from the identity document that the person shows to the camera (extracted using character recognition (OCR) mechanisms)
    • No. of the identification document
    • First and last name
    • Sex
    • Date of birth
    • Address
    • Country of issue of the document in the case of foreigners
    • Expiration date of the identification document
    • Photo of the identity document
  • 'Selfie' photo of the person (pixelated to compare with the ID photo)
  • Video of the video identification process where another photo of the person is taken while making a gesture (proof of life)

2) Digital evidence generated by the trusted provider (Doyfe)  

Evidence is signed and time-stamped to ensure integrity and authenticity.

❗ Considerations about the data processing

  • The following are involved in the processing of information:
    • Generalitat de Catalunya as Data Controller and AOC as Data Controller.
    • Deloitte for maintenance reasons.
    • Amazon Web Services (AWS Europe) as infrastructure provider.
  • The collected data is stored, during collection and custody, in systems that are encrypted at rest, to guarantee confidentiality and so that it can be consulted in the event of an audit.
  • Obtaining the Mobile idCAT implies registering the contact data with the BDSEU (Generalitat de Catalunya) and that the AOC Consortium can process them for the purposes of identity validation and signature issuance. The data of the BDSEU and the rest of the data used in the registration process are NOT transferred to third parties. It is the same interested person who authorizes the transfer of their data to the Catalan public administrations when using idCat Mòbil.

❗ Considerations about the data conservation:

  • In accordance with the rule, the evidence of each video identification process is kept for 5 years in the event that the process does not end successfully, and 15 years in the event that a Mobile idCat ends up being generated (including the document in the form receipt).

Data processing 

The operational logic of automatic data processing and the reasoning carried out by the system is based on the following model and methodology: 

1) Capture of the official identification document

A document capture system is used that automatically recognizes and flattens the type of document (without the need for the person to select the type or version)

Through a guided process, the person shows the front and back of their identity document to the camera. The system allows the scanning of official documents of the Spanish state (DNI, TIE and passport) with mechanisms to control the veracity of the document and minimize the risks of impersonation or manipulation, including the extraction of the photograph of the person.

If the person is resident in Spain, it is validated that the data in the document matches the official register of the General Directorate of the Police.

2) Taking a 'selfie' photo of the person activated by a life test (smile) and with a detector of the quality of the photo taken.

(Alive Selfie: system that, after smile detection, launches an automatic photo capture).

3) Correlation of the photograph taken from the official identity document and the 'selfie'.

To make the correlation between photographs, a facial biometrics test is carried out that uses the facial recognition algorithm of VERIDAS.

Facial recognition is the automatic processing of digital images containing people's faces for the purposes of identification, authentication and verification or categorization (by age, sex, etc.) of these people. In the case of video identification to obtain the mobile idCat, it is an authentication procedure, not identification, since it is used to verify the person's identity and determine that that person is really who they say they are, not to recognize their identity.

4) In parallel, the whole operation is recorded on video as evidence to facilitate supervision, validation and control tasks. Another photograph is extracted from the video, and it is also correlated with the photograph of the official document that the person shows.

5) Finally, a human operator supervises the entire video identification process and, in accordance with the results of the checks and validations carried out by the system, and after verifying the authenticity and validity of the identity document, if applicable, approves the request and registers the person in the register of the idCat Mobile.

Service architecture 

Service in the form of software offered as SaaS, hosted on Amazon Web Services (AWS), within the European Community, and integrated via APIs.

The front-office application is a responsive web application and is available on the main operating systems.

Algorithm performance 

The facial and image recognition algorithm is from VERIDAS and provided by the supplier DELOITTE.

This algorithm gives a 'scoring' of the degree of similarity between the two compared photographs and has proven to have a high level of accuracy:

  • The rejection rate (failure to enroll rate) is very low, at 5%, mainly due to technical problems with recording and with the lighting of the cameras.
  • The false negative rate (false non-match rate) is 2.91% for a false positive rate (false match rate) of 0.01%. With these results, the solution meets FIDO's requirements for facial biometric verification. Specifically, FIDO states that the false negative rate should be less than 3% for a false positive rate of 0.01%.

 [Data taken from the National Institute of Standards and Technology (NIST) “Test of Facial Recognition Providers (FRTE)” report. Latest FRTE report (PDF)]
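
To make the two rates above concrete, the following added example (not VERIDAS, NIST or AOC code) fixes the decision threshold from impostor comparisons so that the false match rate stays at 0.01%, then measures the false non-match rate on genuine comparisons at that threshold. The integer scores, the score scale and all function names are constructed for illustration; only the 0.01% and 3% targets come from the text.

```python
from fractions import Fraction

# Targets as stated on this page for the FIDO requirement.
TARGET_FMR = Fraction(1, 10_000)  # false match rate of 0.01%
MAX_FNMR = Fraction(3, 100)       # false non-match rate must stay below 3%


def threshold_for_fmr(impostor_scores, target_fmr):
    """Lowest threshold t such that accepting only score > t keeps FMR <= target_fmr."""
    if not impostor_scores or not 0 <= target_fmr < 1:
        raise ValueError("need impostor scores and a target rate in [0, 1)")
    ranked = sorted(impostor_scores, reverse=True)
    # Number of impostor comparisons that may be accepted (rounded down).
    allowed = int(target_fmr * len(ranked))
    # The (allowed + 1)-th highest impostor score must be rejected, so it becomes
    # the threshold; tied scores are rejected too, which only lowers the FMR.
    return ranked[allowed]


def accept_rate(scores, threshold):
    """Exact fraction of comparisons whose score is accepted (score > threshold)."""
    return Fraction(sum(s > threshold for s in scores), len(scores))


def evaluate(genuine_scores, impostor_scores):
    """Measure FNMR at the threshold that holds FMR at TARGET_FMR."""
    t = threshold_for_fmr(impostor_scores, TARGET_FMR)
    fnmr = 1 - accept_rate(genuine_scores, t)
    return {
        "threshold": t,
        "fmr": accept_rate(impostor_scores, t),
        "fnmr": fnmr,
        "meets_target": fnmr < MAX_FNMR,
    }


# Constructed sample data (hypothetical integer similarity scores, not real results).
# Impostor comparisons: ID photo and selfie belong to different people.
IMPOSTOR = [i % 300 for i in range(19_997)] + [420, 510, 555]
# Genuine comparisons: ID photo and selfie belong to the same person.
GENUINE = [410 + (j % 500) for j in range(2_000)]

if __name__ == "__main__":
    result = evaluate(GENUINE, IMPOSTOR)
    print(f"threshold={result['threshold']}")
    print(f"FMR={float(result['fmr']):.4%}  FNMR={float(result['fnmr']):.2%}")
    print(f"meets target: {result['meets_target']}")
    # A more permissive threshold rejects fewer genuine users but lets more impostors pass.
    print(f"FMR at threshold 400: {float(accept_rate(IMPOSTOR, 400)):.4%}")
```

Measuring a 0.01% false match rate needs at least 10,000 impostor comparisons, since fewer than that cannot resolve one accepted impostor in ten thousand.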

For more information on the biometric algorithm used, see the VERIDAS website.

Human supervision 

Each identity verification process performed through the video identification service is supervised by a human agent.

The validation of the process is carried out by public employees adequately trained in digital certification practices. 

The solution has a management application for operators (back office) that facilitates the supervision or validation of idCAT Mobile registrations made with the video identification service.

The actions carried out by the operators are:

  • View the video and check that the person concerned has done the whole process without coercion and according to the established requirements (head not covered, no sunglasses, face visible, ...), and also check that the watermarks and authenticity holograms of the displayed document are visible.
  • Review the result of the documentation evaluation parameters that the system has automatically evaluated: percentage of matches between the photo of the identification document and the selfie photo, expiration date of the identification document, date of birth, document number, and that the document is legible and contains watermarks.

Regulatory compliance of the system

The video identification service to obtain the idCAT Mòbil meets the requirements of the Spanish regulations for the issuance of qualified certificates and has the necessary certifications for its compliance. It should be noted, however, that there are no specific regulations applicable to the Mobile idCat and that the aforementioned regulations are applied by the AOC on a voluntary basis.

The information systems associated with this service and the location of the data comply with current regulations, especially with regard to the protection of personal data in relation to the European and national legal framework. Specifically:

  • The system complies with the regulations in force regarding trusted electronic services (Law 6/2020, of November 11) and remote video identification methods for the issuance of qualified electronic certificates (Order ETD/465/2021, of May 6), and is certified for compliance with SEPBLAC.
  • The principles of the General Data Protection Regulation (RGPD) apply:
    • Principle of data minimization: only the data necessary to fulfill the purpose of the system (signing up in the mobile idCat register) is collected.
    • Purpose limitation principle: the data collected is only used for the purpose communicated to the person concerned.
  • From a technical point of view, the solution complies with the requirements established by the National Security Scheme for medium-level systems.

Is this an Automated Administrative Action (AAA)? No. In this case it is not subject to the legal obligation to publish the AAA linked to the service at the AOC headquarters, accompanied by a technical file (see article 11, letter i, of Royal Decree 203/2021, which approves the Regulation of performance and operation of the public sector by electronic means, and which implements Law 40/2015 on the Legal Regime of the Public Sector). The AOC publishes the technical data sheet of the service on the Transparency Portal voluntarily, as a good practice.

 

Risk management

Identified risks: Exclusion, bias, discrimination, stigmatization

Measures applied 

To ensure the digital inclusion of the service, a lot has been invested in user experience to make the video identification process remarkably simple for anyone, regardless of their digital skills.

  • The video identification service is a guided process
  • It has high usability throughout the process and can be done from any smart phone through a responsive website.
  • The responsive website is accessible from the main browsers (Chrome, Safari, IExplorer, Firefox)

To guarantee the right to non-discrimination:

  • The data with which the VERIDAS algorithm has been trained are inclusive and represent the different population groups.
  • To guarantee the impartiality of the algorithms applied, periodic quality tests are carried out that allow for the detection of inaccuracies, avoiding bias and discrimination on the basis of gender and ethnic group.
    • National Institute of Standards and Technology (NIST) facial recognition vendor test (PDF latest report, 22/1/2024)

To guarantee equality in the use of the service, it is available in Catalan, Spanish and English. The person can choose the language by clicking on the CAT – ES – EN options from the menu at the top right of the window.

Identified risks: Misuse of personal data by third parties*, threat to privacy and loss of freedom of choice.

*In this case the risk is high because biometric data are processed (photo of the person, voice and video of the process), which are special-category data in accordance with the terminology of the RGPD.

Measures applied 

To identify and determine the necessary measures to control the risks of the video identification processing operation associated with the Mobile idCAT registration, the Generalitat de Catalunya (Data Controller) carried out, on 17/12/2020, a data protection impact assessment (AIPD) of the system.

To carry out the AIPD, the methodology of the Cybersecurity Agency of Catalonia was applied and, additionally, the PILAR tool was used, which applies the Magerit methodology (Information Systems Risk Analysis and Management Methodology).

Main conclusions of the AIPD:

  • Resulting risk = HIGH
  • It is considered that the treatment activity can be carried out, having analyzed the suitability criteria of the treatment and having passed the analysis of necessity and proportionality. Specifically: Data processing is necessary to fulfill a mission carried out in the public interest or of the interested person, such as benefiting from other services provided by the data controller, the granting of grants, etc.
  • The explicit consent of the interested person is needed for the processing of the data.
  • Consent is obtained freely and in no case does video identification imply an imbalance of power between the interested person and the public administrations, given that it is not an exclusive procedure but an optional alternative to going to a citizen attention office to register in the register.

Then, to guarantee the right to data protection and privacy:

  • The supplier has signed a Treatment Order. 
  • The location of the data is within the European Union.
  • The Data Controller (Generalitat de Catalunya) guarantees the ARCO rights (Access, Rectification, Cancellation and Opposition) of the data being processed.
  • Consent and cookies are managed in accordance with the AIPD.

To guarantee the right to freedom of choice:

  • The person concerned has alternative ways of obtaining a digital identity (eID) without having to share their biometric data. You can always go to a public assistance office to register in person. Therefore, the video identification process is an additional registration option, but not an obligation.

Identified risks: unavailability of the service, unauthorized access, data leakage, errors and inconsistencies in the idCat Mobile registration, impersonation.

Measures applied

To identify the risks associated with the availability and security of the system and to categorize the service according to the criticality of the data it handles, the AOC carried out, on 7/7/2020, a security analysis of the video identification service following the guidelines of the Cybersecurity Agency of Catalonia and the National Security Scheme (ENS).

The classification of the system according to the ENS methodology, which establishes 3 levels of categorization (High, Medium and Low), has turned out to be:

In accordance with this categorization, the main risks have been considered and a series of measures have been implemented to mitigate them.

The measures applied to mitigate the risks are:

  • To avoid system unavailability:
    • Within the contract with the supplier, Service Level Agreements (SLAs) have been established that must be complied with and are reviewed periodically.
    • The SLA compliance reports are issued weekly and cover the system's capacity, availability and incident management.
  • To avoid impersonation:
    • SMS OTP generation to verify the mobile phone number reported and validate that the person is in possession of the mobile phone: an OTP (one-time password) is generated and sent by SMS to the phone number previously supplied by the user. The user enters it and the system validates that the code entered matches.
    • Uploading a pre-recorded or locally stored video, which would be susceptible to manipulation, is not allowed.
    • A liveness test is performed on the person doing the process, asking for a gesture or movement (smile).
    • In addition, all transactions are monitored by public employees.
  • To prevent forgery of the official identity document:
    • Validation of the authenticity of the document provided: the service checks the authenticity of the document used (MRZ, watermarks, hologram, etc.) and has non-manipulation control mechanisms.
    • If the person is resident in Spain, it is validated that the data in the document matches the official register of the General Directorate of the Police.
  • To avoid errors in the correlation of the photograph taken from the official identity document and the 'selfie':
    • In case of a low-quality "selfie" or out-of-focus photo, it is suggested to take a new photo.
    • The facial algorithm gives a 'scoring' of the degree of similarity between the two photographs (although an operator will do the final validation).
  • To avoid the registration of multiple idCat Mobile associated with the same person:
    • Verification of "already existing" users with the database of people from the Electronic Headquarters of the Generalitat de Catalunya.
 
D. Transparency and explainability

Identified risks: opacity, mistrust

Measures applied

  • Publication of the algorithmic transparency sheet on the AOC's Transparency Portal. The sheet contains clear information about:
    • Data used to train the algorithm
    • Type of algorithm used
    • Problem to which a solution is sought
    • How it has been implemented
    • Who is it aimed at
    • Identity and contact details of the algorithm provider
    • Body responsible for the service and contact email address for complaints, inquiries and suggestions.
  • Dissemination of the service through the web, social networks (posts, tweets, etc.), conferences and others. For example: Innovation sheet "Remote identification of citizens through video identification"
