Trusted ID for Foreign Visitors

As the world embraces digitalization, the public and private sectors offer services and products through various digital channels. Unfortunately, in most cases, they cater to citizens and long-time residents, and overlook a significant group of people and prospective customers – short-term foreign visitors. It is time that we include the latter into the local digital scene and give them the privilege to participate by provisioning them with Trusted IDs.

Secured Verifiable Credential
As digital services continue to expand, the need for secure and convenient online identity verification grows. By the same token, disparate digital services could lead to interoperability issues. One possible solution could be in the form of a highly secured verifiable QR code credential associated with a platform that is used to enable information gateway for government applications.

QR codes are two-dimensional barcodes that can be scanned using a smartphone or other mobile device. They can contain a variety of information, including text, URLs, and other data.

By using a secured verifiable QR code credential, we can provide visitors with a secure and convenient way to access online services and information. These credentials can be designed to contain a range of data, such as personal identification information, digital signatures, or other verifiable credentials. The credential can be stored in a mobile app or on a physical card; and can be scanned to access public- and private-sector applications and services quickly and securely. Typical applications could include full digitalization and simplification of SIM card registration, where visitors can register and activate their SIM cards; provide visitors with easy access to eGovernment services with online administrative procedures; convenient paperless medical prescriptions thus enabling visitors to have total control over who they wish to share their health data.

Thus, potential benefits of using secured verifiable QR code credentials for online applications can include:

• Improved security: By using digital signatures and other verification methods, secured verifiable QR code credentials can help prevent fraud and unauthorized access to sensitive data.
• Convenience: Secured verifiable QR code credentials can provide a fast and convenient way for citizens to access government applications and services, without the need for physical documents or long wait times.
• Reduced costs: By digitizing government applications and services, governments can reduce the costs of managing and processing paper-based applications and documents.
• Increased efficiency: By automating processes and reducing the need for manual data entry, secured verifiable QR code credentials can help governments streamline their operations and provide faster service to citizens.
• Improved user experience: By providing a seamless and intuitive way to access government applications and services, secured verifiable QR code credentials can improve the overall user experience for citizens.

Overall, secured verifiable QR code credentials can be a valuable tool for governments looking to improve their digital services and provide citizens with a secure and convenient way to access government applications and services.

Secured QR Code as Trusted ID
Typically, a secure verifiable QR Code credential contains a Unique ID, Public Data, and a digital signature, which can be used to identify its bearer and, thereafter, enable assorted services related to the individual.

Within the ID system, the visitor (Bearer) will be anonymously assigned and identified through a Unique ID number. As its name implies, the Universally Unique Identifier (UUID) is a unique combination of random characters that is not duplicated nor reused for another person.

The Public Data may contain static information about the visitor and his/her biographic data, such as name, date of birth, gender, passport number, and so forth. When scanned, the Public Data can be read off of the QR code and extracted for follow-up action. This allows users to obtain basic information about the visitor and Trusted ID for immediate verification against any physical printed ID document or the person to prove that they are what they claim to be. Two important advantages of this feature are: it can be performed within seconds; and it can be performed offline, such as in remote areas without a network connection.

Our trust in the secured QR code lies in its digital signature. By using public key infrastructure (PKI) technology, every QR code is checked and digitally signed by the document signer key stored on the hardware security module (HSM). This provides assurance that the UUID and Public Data in the QR code are as issued by the ID System and have not been altered or tampered with.

Harnessing the Power of the Internet
Coming from different countries, foreign visitors have a trove of information that they may want to share with service providers, but such data are stored in diverse databases which makes it difficult to access and to have adequate information altogether to act upon. On the other hand, we cannot centralize such data from various sources and jurisdictions as this has the disadvantage of presenting a single point of attack and raising privacy issues. Moreover, the ultimate question is how to share such data with the right audience.

An information switch or gateway can provide several advantages for providing confidential public and private sector data and services to targeted authorized users. This is not a new concept and has been used by financial payment systems for decades. Here are some potential benefits:

• Security: An information switch or gateway can help ensure that only authorized users have access to confidential data and services. It can provide secure authentication and access controls, preventing unauthorized access and reducing the risk of data breaches.
• Efficiency: An information switch or gateway can help streamline access to data and services, reducing the need for users to navigate multiple systems or interfaces. This can save time and increase efficiency for both users and service providers.
• Customization: An information switch or gateway can be tailored to meet the specific needs of different user groups, providing a more customized and user-friendly experience. It can also provide targeted information and services based on the user’s profile or preferences.
• Integration: An information switch or gateway can integrate with a variety of systems and data sources, providing a centralized platform for accessing multiple services and applications. This can help reduce duplication of effort and improve interoperability between different systems.
• Data quality: An information switch or gateway can help ensure that data is accurate and up to date, reducing errors and improving the quality of the information provided to users.
• Cost savings: An information switch or gateway can help reduce costs by centralizing access to data and services, eliminating the need for multiple systems or interfaces. It can also reduce the need for manual data entry and other time-consuming tasks.
• Analytics: Transactions can be analysed to create system alerts against abuse and misuse.

Overall, an information switch or gateway can provide several advantages for providing confidential public and private sector data and services to targeted authorized users, including improved security, efficiency, customization, integration, data quality, and cost savings. However, it is important to carefully design and implement an information switch or gateway to ensure that it meets the needs of users and service providers, while also maintaining the necessary security and privacy protections.

Information Gateway for Trusted IDs
The information gateway is a web-based system that elevates the secured QR code’s capability to that of a Trusted Digital ID. After the secured QR code has been created and provisioned, the Issuer can use the information gateway to configure the desired Actions to be taken and Rules to be applied when an ID document with the secured QR code is scanned on the field. In other words, the web system would act as a gateway to a range of information and services pertaining to a visitor.

Actions are instructions to be performed by the instruction gateway when it receives a request from the associated mobile app or web app. For better privacy and in observance of the Personal Data Protection Act (PDPA), the data should be stored on the source’s database, be it the service provider or the visitor. In this case, the visitor will configure the information gateway to direct authorised users to the source’s web application server that is ready to serve up the requested information through any standard browser interface:

• Biographic data or profile, including a photograph.
• Contact information in the Virtual Contact File (VCF) format (electronic business cards standard)
• Images of ID documents in JPEG, and PNG formats
• Documents, e.g., medical reports, and bank account information, in PDF format
• Web applications, e.g., profile updates, educational and professional certifications, access to healthcare, and so forth.
• Service authorization, i.e., obtaining visitor’s approval for subscription to services.
• User authentication, i.e., second-factor authentication via OTP, SMS, email, mobile app, etc.
• Biometric verification service (face, fingerprint, iris, finger vein).
  Next, Rules define the accessibility of the Actions. The ruleset comprises one or more of the following conditions. If no Rule was selected, the Action would be accessible to all users. The available Rules are as follows:
• Date and time – access is limited to certain dates and times only.
• User account – for the specified user account(s) only.
• User role – for a group of users categorised under the designated role(s) only.
• Location – access within a specified area, locality, or country.
• Scan option – limits the number of times data may be accessed.

By combining Actions and Rules, the visitor can target precisely who amongst its service providers, e.g., administrators, doctors, insurance providers, employers, banks, and others, are allowed access to his/her data.

Third-party Data Access
To access the information linked to a Trusted ID, users must scan the secured QR code printed on the ID document with a compatible mobile app or web application (Client App).

After scanning the secured QR Code, the Public Data can be extracted and displayed for immediate action or processed separately depending on what needs to be done.

Next, the Client App will send the QR Code data string to the information gateway where the following process takes place:

1. Verify the UUID, Public Data, and digital signature.
2. Retrieve the Actions and Rules associated with the UUID.
3. For each Action, perform an access rules check.
4. Return the list of permitted Actions to the App.

Upon receiving the reply from the information gateway, the Client App will display the list of information and services (Actions) available to the Client. Depending on which Action was selected, the Client may view and download associated files, or be redirected to a web address for further action.

Conclusion
As the world moves towards digital ID systems, organizations are using the ease of digital ID implementation to expand the reach of their systems to protect and serve their people and visitors on a scale that analogue systems never could. This also means that these IDs are becoming far more important than before.
As privacy rights advocates around the world push for greater transparency in the process of data collection, greater respect for the individual’s privacy, and protection of the personal data collected, governments around the world are responding favourably. Around the world, regulatory bodies are taking steps to enforce stricter rules around the methods of collecting, storing, and accessing personal data pertaining to digital IDs. This is a step in the right direction, given that the benefits of digital IDs far outweigh the risks. The ability of individuals to choose and control how their data and IDs are used is imperative because no one knows how the usage of these IDs will evolve, and what the future holds.