Let’s Talk About Digital Identity with Schehrezade Davidson, CEO of Tricerion.
In episode 41, Oscar and Schehrezade explore Tricerion’s immunity passport – ImmucheX. They discuss the challenges that immunity passports present – including privacy, trust and regulatory compliance – and how Tricerion is responding to those challenges.
“Fundamentally it’s about trust, it’s about accuracy. It’s complicated but there is a way forward.”
Schehrezade Davidson is the CEO of Tricerion Limited, a company that owns novel patented mutual authentication software using image passwords. Find Schehrezade on LinkedIn.
This is Schehrezade’s second LTADI podcast appearance. Listen to her previous episode (26), describing Tricerion’s neurographic passwords solution, here – www.ubisecure.com/podcast/neurographic-passwords-tricerion-schehrezade-davidson/
Find out more about Tricerion’s ImmucheX solution at www.tricerion.com/immuchex.
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: Hello and thanks for joining another episode of Let’s Talk About Digital Identity and in these days, if one goes to a newspaper or in some other media, we hear, we read about vaccination passports, immunity passports and similar terms and things that are already coming. But today we’re going to have a discussion specifically about these with one of our partners, a company that has been before here in the podcast and they are working on that, an immunity passport.
We’re going to hear what has been their experience and what type of solutions they are bringing. So let me welcome back again to Schehrezade Davidson. She is the CEO of Tricerion Limited, a company that owns novel patented mutual authentication software using image passwords. Hi Schehrezade.
Schehrezade Davidson: Hi Oscar. Lovely to be back again.
Oscar: Yes. A few months ago, a bit more than one year ago, we were having a conversation. We talked about a very innovative product, original product you have had for the last years that are neurographic passwords. So that’s a super interesting conversation we had. So we would like to hear first what happened on Tricerion, on the team, on the labs that you have there and since this month – since the last time we talked. So tell us a bit.
Schehrezade: Yeah, yeah. So really, I think for all of us who are working remotely, it’s about making connections with potential partners and end users. It’s about refining our message and positioning the company to leverage hopefully what will be a better 2021 compared to 2020. So yeah, we’re feeling very positive about our solution and obviously our other exciting projects, which we’re going to talk about today.
Oscar: Yeah, exactly. Then I didn’t know too much at that time when we talked last year but now I know that you have been working on this immunity passport even before that conversation. So that’s one of the main things we talk today. Please to make it go – start from the very, very basic. So what is an immunity passport?
Schehrezade: Yes. I think immunity passports, as people probably know, have been around for a long time whether it was to prove that you’d had a disease and recovered from it, for example like smallpox, or whether you can prove that you’ve had a vaccine. So for example like yellow fever.
So the idea and concept of an immunity passport is not really new as we know. Where I think the stakes are slightly different to do with COVID is because we’re looking at something that is a global pandemic. So yeah, very happy to sort of talk a little bit about what we’ve been doing at Tricerion in this area. But just to make it perfectly clear, I think the world is only just beginning to talk about how an immunity passport for COVID would really work.
Oscar: OK. There has been a concept that has been already for a while as you said but I think nobody was talking about this. It was not in the mainstream at least, let’s say a bit more than one year ago. So now it came again and also I think you will tell me – you know more about this – that when people talk about immunity passport today, it’s more about a digital version of that. So if you start telling us what are these – for COVID particularly. Now of course that is the situation we are. What are the use cases of this immunity passport that we need today, that basically what are these different use cases of immunity passport that we need today?
Schehrezade: Sure, sure. So maybe if I may, if I go back to this time a year ago, which I’m sure for a lot of people feels like we’ve lived 10 years in the space of a year. In the UK, specifically, we haven’t even had the first lockdown. The first lockdown in the UK was 23rd of March. But what was fascinating is the UK government have got a grant scheme called Innovate UK and around this time, as we went into the first lockdown, they asked companies across the UK to put in for a grant for a solution to COVID and we didn’t really envisage what that meant.
The world was naïve. We hadn’t realised the impact this virus was going to bring and that sounds a bit glib. And even now I would say Oscar and you probably feel the same, there is so much still that we don’t know about the virus. We’re just at the beginning of understanding and that has nothing to do with me and the UK in particular but that’s just a global effort from scientists.
So we know a lot more than we did a year ago and there are a lot of different teams working globally and also in the UK to actually understand and quantify this disease. So that I think is a positive.
But in terms of where Tricerion fitted in, we put in for a digital vaccination passport and not because we knew that there would be any vaccines and that was the opportunity that we saw. We thought that if a vaccine – and we didn’t even know that there would be more than one vaccine and now there are several as you know. If a vaccine was available, what could an individual do with that knowledge if they had been vaccinated? And what I think is fascinating now is there are big debates about the use of vaccines/immunity passports and remember, your immunity might come from the fact that you’ve already had the disease and recovered.
Again, where it sits – it’s very much a changing target about how a digital vaccination will be used and what we have done as Tricerion with our solution is we’re part of the conversations that are being had by trade organisations such as Tech UK.
We are part of the conversation with people like the Ada Lovelace Institute who are putting together papers about how these both physical and digital documents will be used and remember, not all roads lead to a digital solution in a way. You’ve got to cater for some people who won’t be able to use digital. They might not have a smart phone.
So if you look at the backdrop of what people are trying to prove, they’re trying to prove immunity. They might be trying to prove negative-positive test status. They might be trying to prove that they’ve been vaccinated, and you can see how this straddles a wide variety of one would say moral or ethical issues, which actually frankly we’re not here to solve. We’ve just come up with a solution that could be adopted by different groups and organisations depending on what the use case is.
Oscar: And your project is called ImmucheX, correct?
Schehrezade: ImmucheX, ImmucheX. So yes – and would you like to probably know a little bit how that would work?
Oscar: Yes, please.
Schehrezade: Yeah. OK. So there are two things to think about in a way. Number one, obviously to prove something to do with your health, you need to have a good audit trail. The data will need to come from – in all probability, a government-mandated database. Different companies have got different sophisticated databases that app developers can access. Some countries don’t have a digital database. So again therein lies one particular issue.
Secondly, if you as a developer or an organisation that wants to use patient data, there are very specific rules around GDPR, HIPAA compliance, the audit trail about where the data is coming from. So that’s something that needs to be considered. And obviously one of the uses of a digital vaccination immunity passport is being able to prove you are who you say you are.
So there are a number of solutions out there which tie your health data to your digital identity and that’s not a bad thing. But using digital identity as the main hook is also complicated. So what we’ve done with ImmucheX is we’ve said our app allows you to prove that you as an individual have been vaccinated, as the really light touch privacy-first solution.
Secondly, we’ve said actually, there are lots of ways offline, so not digitally, that somebody can prove who they say they are by carrying a driving license, national ID card, a passport. So we’ve said at the very basic level, ImmucheX proves a person, say Oscar, has been vaccinated.
Now to prove your identity and to make it viable for real world situations, we’ve said you Oscar will also have to have another identifier that proves who you say you are with your ID card or with your driving license. So we’ve worked on the principle that less is more and we haven’t tried to do a combination with digital identity.
Now different solutions will require probably more in-depth identity checks and we understand that. So I would say that ImmucheX is – at the very least, you could maybe go to a festival or you could go to the cinema.
Now if we partner with some other people, you could say that our solution could be part of a travel pass and we can get into a little bit of more perhaps about some of the standards that are going to be out there and there are no standards at the moment. But our solution is meant to be quick, easy-to-use with a secondary piece of data that shows your identity.
Oscar: OK, yeah. You mentioned of course that yeah, it’s not going to be everywhere. These immunity passports are not going to be everywhere fully digital. That’s correct. It’s in our best interest from all the governments and companies to make digital but I think will have to coexist with both and depending where – it depends on the use cases and also it’s quite interesting the way you explain that yeah, put in the digital identity component into these immunity passport makes it of course much more complex.
So in this moment, you said that ImmucheX app will also require that the person will bring their ID. Let’s say at the entrance of a festival or concert. That’s one of the close use cases that are coming because I know that in summer here in the northern hemisphere, this coming in – obviously three months, let’s say. June, there will be festivals. Some of these festivals already are announcing – they’re selling tickets, et cetera. So the organisers assume that they’re at least going to be possible. So they are, I assume, the first interested in having such solutions. How would it work in – specifically in that case? Imagine just a festival organiser.
Schehrezade: So I think to put it in context, I think the vaccination – the production of vaccines was a very interesting combination of government, private sector and the public who were involved in the clinical trials across the world. So actually in some ways, the production of COVID vaccines was the best of all possible worlds where governments, business and the public came together and I think in that way, the use of vaccination passports or immunity passports or test passports will be the same.
If you want to go to a festival, you’re going to have to do certain things and one of those might be – it could be that you have to have a test and some festival owners will say, well actually, you’ve got to have a test between X days before. It has got to be negative. You’ve got to prove that. Or it could be – and these are where we straddle this to do the bigger picture issues – are you going to have entrance to a cinema or a festival for those who have had a vaccine? So vaccinated people days versus people who haven’t had a vaccine. So that’s also something to think about.
But at the very simplest level, the ImmucheX solution is, once you’ve registered on the app – by the way, you could also register children or your parents if they didn’t have a smart phone. You could register other people provided you have their permission and each individual has a unique QR code and again what I think is fascinating about COVID is the QR code that everybody said was maybe dead has come right back into the fore as a neat way to push someone and get data from the URL, right?
So I think that has been – the QR code has had a revival. So the neat thing about ImmucheX is you as Oscar proving your immunity or your vaccination status, you will download the app on your device and it can be either on an iOS or Android device and once you’ve registered, you will receive a unique QR code which is all about you and it will have your name above the QR code.
The way we’ve designed it very neatly is the verifier – so maybe it’s the person that’s allowing you into the festival at the gate. The verifier can download exactly the same app. They don’t need to register. All they use is the scan function within the app just like a closed loop system and that they then get verification once they’ve scanned your QR code that you’ve been vaccinated and that’s it.
Then that’s – you will show your ID or some other form of some identity proof that allows you to say yeah, I’ve – oh, so the verifier sees on their device your name and that you’ve been vaccinated and then they will look at your ID card and see that the picture matches you and that’s it.
Now if we manage to partner with the festival, we might say well, actually we will do all those checks beforehand and then you can produce it on some sort of wristband which is valid for the festival. So I think industry or different sectors want to see what’s the minimum proof they need to allow their event to go ahead and sitting next to someone in a restaurant is really different from going to a festival.
So the use cases will I think dictate the detail of what’s needed and obviously travel is one that straddles airlines, governments, security. That will be taken care of by some of the big organisations involved in areas where governments have got a deep interest.
Not least from security perspective and not least from – we’ve seen how borders have been closed because you don’t want different variants to come in. I think one of the things we need to understand is – as I said, everything is still so new. We don’t understand so much about the disease. But as time goes by there’s a trade-off between keeping lockdowns and people’s freedoms and then the heavy lifting of the vaccine and what that does to people’s health if they catch the virus. And again, this is all evolving.
So at Tricerion with ImmucheX, we’ve been very flexible. We’re interested in partnering. We want to understand how we can add value to different industry groups and I think certainly hospitality is somewhere where we’re interested. I think places like cruise ships are fascinating if you can create a biosphere where passengers and crew have proven they’ve been vaccinated. Then in the reverse to what happened to all these poor people who were stuck on a cruise ship at the beginning of the pandemic and they were all getting coronavirus and all getting infected. This is kind of the reverse of that where you’ve created a good biosphere where everyone has been vaccinated and OK, you might still need to wear a mask if you’re getting off a ship and going around somewhere else.
But actually that gives us some opportunities to think innovatively about how this could work. Similarly, children aren’t being vaccinated at the moment. There’s no plan to vaccinate under 18-year-olds. But you could see how if you could incorporate something like a test, a negative test, you could create an app for kids and our app includes our picture password solution. So that would be again quite nice for maybe younger children to be able to use and prove they’ve had a negative test.
Again Oscar, I don’t think that one company can take on what essentially could be the moral arguments of “I haven’t had a vaccine. I choose not to be vaccinated. Therefore I’m being discriminated against” versus the uptake of vaccination in the UK is incredibly high.
Now that might be different for different countries. But we’re saying that there has to be some sort of solution that shows that you’re either negative – tested negatively, you’ve got immunity or you’ve been vaccinated. And I think most people who want to go back to a semblance of normality would want that.
So it’s putting that onto the individual to agree that they want their health data to be used. They trust the solution and that’s the other thing I think is really important is all the companies that are producing these sorts of solutions, it’s about trust.
Trust is at the heart of trusting the data. You as the individual proving you are who you say you are and what are the implications, the wider implications for society and those are big questions to answer. So we’re at the beginning of the journey. But I am sure there will be solutions that are digital that will help unlock various segments.
Oscar: Yeah. But you illustrate in this several use cases potential. Yeah. It shows that there will be whatever the number of providers that will have some solutions like the one you have of immunity passport. There will be so many possibilities of integration, very simple as you say.
You explained the case of the event organiser, the festival organiser who in that case could have a major integration with a solution like yours or can be even more complex. Yes, definitely and yeah, it also depends who is willing to try this first. You know, for instance in these events that come in the summer, are coming pretty soon. But there will be others who will wait. Some others that will be willing to take it immediately.
Schehrezade: Yes, and I’m putting it out there. If there are any festival organisers who want to contact us, then please do. We’re always happy to have an open discussion. But I think the other area that’s interesting is the mobile phone operators.
We could be part of their mobile phone app. Why not? We could partner with, I don’t know, some streaming services that go straight to your phone perhaps where they might want to sponsor something. There are opportunities here but it’s fundamentally – it’s about trust. It’s about accuracy. It’s complicated but I think there’s a way forward and always in life and especially in technology, in tech, you got to try things, right? You might not get the most optimal solution when you first start. But that’s the whole point. If you don’t try, you wouldn’t invent anything.
Oscar: Sure, sure. And something that some people might be already asking themselves, OK, I’m willing to use this app, of course, because I want to go to events or restaurants or travel, et cetera. I will be willing definitely to use these apps. But what about the most critical requirements such as privacy, security? Could you tell us more what would be the most essential requirements for this type of solutions?
Schehrezade: Sure. I think the main thing is depending on what your use case is, you don’t really want the very nice person at the night club door to know your intimate health details and they don’t need to. They just need to know that you are who you say you are and that you’ve been vaccinated or that you have immunity as deemed by the app and we talked a little bit about – we didn’t really talk about standards. But I think there are a number of organisations that are coming together to create a standard and that goes to your privacy and data question and that also goes to trust.
Organisations that are producing these apps, you don’t need to know everything about the individual. You just need to know certain pieces of information and therein lies a lot of people who are very negative about this concept to saying that this is the big state potentially creeping to get everything they know about you.
But the state probably knows quite a lot about your medical records anyway. As long as you trust that the data being taken is the minimum required, there shouldn’t be a problem. But this is all about education and understanding what you’re doing and in terms of understanding what rights you are giving the app to reach and that there are a whole load of regulations around HIPAA compliance.
So this is a well-trodden path. We know the use of medical data is probably very well-regulated. Very much more so than perhaps the data that you give away to social media companies. OK? So we’re already starting from a positive backdrop and that’s why standards are very important. So it could be that app developers who are producing these solutions say, “We adhere to X, Y, Z standard,” and that will cross over GDPR, HIPAA standards for immunity passports.
We know that Microsoft, Salesforce, the CommonPass project, they’re very focused on producing a common standard and I think standards are great because then everybody can say we adhered to a standard. It’s like a Kitemark.
Again complicated but as long as the end user is confident that their data isn’t being used inappropriately, then that’s great. I mean governments are very good with the test-and-trace apps that have been produced by governments across the world. Some people are reluctant to take them on because they think that government is snooping on them for good reason in a way because they need to know if you’ve been infected.
But in some ways the vaccination immunity passport solution is that the individual is empowered. They are giving permission for the proof to be shown and I think that’s a different psychology and I also think keeping it separate from test-and-trace is also why people would not worry and they would use it.
Oscar: So there are some organisations, companies as well working on the standards of – it might be very early still but there’s this work already going on.
Schehrezade: Yes, yes, and in the UK, there’s the Ada Lovelace Institute that are writing a big paper on this and they are taking their time to produce something for government in the UK as well. This government minister Michael Gove has been tasked with understanding immunity passports, vaccination passports, because people want an answer.
I think that’s the other thing that there’s so much talk about it. I don’t think any of us can open a newspaper or go online without vaccination immunity passports being somewhere in the newspaper because people want to know. People want to know how it’s going to work and I think again who’s giving consent? Is it government-mandated? And it’s all about trust and privacy.
So some really major issues but I think our solution is we’ve tried to keep it very simple and that’s it. The more complexity you have, then the more hoops you have to jump through and we’ve said actually let’s just keep it really simple because then you can get utility and of course I mean international travel has got a different level of complexity.
So we’re pitching ours as a closed loop system. You want to go to a festival. You want to go on a cruise. You want to go to a series of restaurants. This is a way that it could work. We don’t know the final shape but I think industries, different industries and businesses want to have a solution as well.
Oscar: Yeah, absolutely, absolutely. OK. Very interesting to know all the work you have been doing about these vaccination passports and this ImmucheX project. Is it also possible to try it?
Schehrezade: Yeah, yeah. We’ve got a beta test. So do reach out. If you’ve got the TestFlight app, we can arrange for people to have a go and you could install it in two different iOS devices perhaps and then somebody could scan someone else and pretend to be the verifier and it works. I’ve actually used a QR code over Skype as a test and it works.
Oscar: Interesting. One last question and this may be a bit out of the main topic. But for a closing idea that you can share with anybody listening to this interview. For any business leader listening to us right now, what is this one actionable idea that you think they should write on their agendas today?
Schehrezade: I think it’s about communication, Oscar. It’s checking in with your staff, your customers, your family and giving yourself a little bit of a break and time off. I think remote working, there are pros and cons. But fundamentally, humans are personable people. We love to be with others, right? Not everyone is a hermit. There are some people who like it less than others. But we thrive on talking and laughing. I think that’s the other thing that the pandemic and working from home for a lot of us has been tough is that that human touch, the spontaneity that you can’t get on a Zoom call. And also the thing with the Zoom is like if everybody is talking at once, it’s just a bit of a nightmare. It’s very different when you’re in a room with someone.
But I think really it’s about communication and making sure if we still have to work from home for a while, just to take the time to check in with your staff in the leadership role just to see how people are feeling and it’s not about how many people have you rung and how’s your software development going and where is the project. It’s actually having that 10-minute conversation about what’s going on in their lives and that requires some effort on the part of leaders. But I think really especially during this time, it’s those things that will keep your staff happy and loyal and that’s what we want when we come out at the other end.
I think that’s the other thing. I think this will pass and that’s quite an emotional thing to say. The science has shown the world can cope with this. It’s tough and it’s going to be difficult but we have to have hope, right? That’s the key message I think.
Oscar: Yes. Yeah, thanks for that. I think it’s super important what you are saying about communication, checking in on people who are important for you, people you work with and all of your colleagues. If you are the leader of an organisation, well, make sure that you know they are well and also the personal level is important. People will be happy to hear from you to have some conversation, even unexpected.
Well, thanks a lot Schehrezade for bringing us all this very important topic today that is the vaccination immunity passports. Please let us know how people can learn more about your project or get in touch with you. What are the best ways?
Schehrezade: Sure. The website, there’s a contact form there. I will post this on LinkedIn. I’m on LinkedIn. You can find me there. Please reach out. We’ve got a lot of posts around what we’re doing. We just posted something today about Cruise Pass. So yeah, you can find me – I’m there in the ether.
Oscar: Tricerion.com, correct?
Schehrezade: Thank you, thank you, yes.
Oscar: Again, thanks a lot Schehrezade for this interview and all the best.
Schehrezade: Thank you, Oscar.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter at @ubisecure and use the hashtag #LTADI. Until next time.
[End of transcript]