Simprints identifies cloud as foundation for biometrics-led healthcare

Jessica Twentyman, February 7, 2020
Fingerprint scanners lie at the heart of the non-profit organization’s mission to help NGOs and health agencies deliver vital services to recipients with no formal ID.


Late last year, Cambridge, UK-based Simprints announced it would be shipping 3,000 of its latest fingerprint scanner, the Vero 2.0, to projects in the developing world at the start of 2020. To put that figure in context, that’s more scanners than the total number shipped since the non-profit organization started out some five years ago, and its founding team hope to be shipping even more devices later this year.

Once deployed in the field, these scanners will perform a simple but vital task: to enable aid workers to accurately identify the person standing in front of them and deliver the appropriate service, often healthcare-related, such as vaccinations or prenatal checks.

That’s important, because some 1 billion people worldwide lack formal identification, more than four out of five of them in sub-Saharan Africa and South Asia, according to the World Bank. This “identification gap” often leaves people struggling to access basic services. By bridging that gap, Simprints isn’t just enabling that access. It’s also helping non-government organizations (NGOs) such as the Bill & Melinda Gates Foundation and USAID, as well as country-specific ministries of health, get a more accurate view of their impact in terms of individual healthcare interventions. As Christine Kim, head of strategic partnerships at Simprints, explains:

Our mission is to transform the way the world fights poverty. We build technology to radically increase transparency and effectiveness in global development, making sure that every vaccine, every dollar, every public good reaches the people who need them most.

Technology stack

All this relies on a multi-tiered technology stack. Simprints builds the Vero scanners itself, along with an accompanying Android app running on healthcare workers’ mobile devices. Patients hold their finger to the scanner, and a unique string of data - a ‘biometric template’ - is extracted from the image and transferred via Bluetooth to the mobile device. When the health worker next has network access, the data held on that mobile device is synched to Simprints’ cloud-based back end, which in turn shares data with the electronic medical records systems used by individual clinics and NGOs.

This back end is based on Google Cloud Platform (GCP) and it plays a vital role in enabling Simprints to handle some wildly ‘spikey’ traffic, which results when multiple healthcare workers return to base and connect their devices to Wi-Fi in order to synch data, according to the company’s CTO and co-founder Tristram Norman.

At that point, he says, many devices can connect to the cloud at the same time, each one synching data from dozens of individual sessions. In other words, traffic load can jump from nothing at all to several hundred sessions’ worth of data in a matter of minutes:

There’s no predictability to that. There will be days where our entire back end will receive zero requests from projects, because everyone’s out in the field with no connectivity. But suddenly, data starts moving - and it starts moving really quickly.

The choice of GCP makes a lot of sense, given that Simprints needs to integrate closely with its (Google) Android app here - but other GCP tools are vital in helping it handle these spiky traffic flows, Norman explains. These include the Firebase Realtime Database; the Cloud Functions event-driven serverless compute platform; and BigQuery, for fast querying of datasets. Says Norman:

It was vital for us that the infrastructure could scale [down] to zero, because that has a huge financial impact for us. Our back end basically needs to be offline sometimes, because nobody’s using it, but then all of a sudden, handle quite a lot of requests, so a scale-to-zero design was hugely important for us.

BigQuery, meanwhile, enables Simprints to share valuable insights into the impact of services with its partners - the number of individuals vaccinated, beneficiaries given payments, antenatal appointments conducted, and so on:

That involves huge volumes of data and BigQuery is shockingly fast, but because it follows the serverless design, when we’re not using it, we’re not paying for it. We’re just paying for the queries that we need to perform.

Ethical concerns?

Any use of biometrics, however, comes with both ethical concerns and data protection headaches. And, as Norman concedes, Simprints often works in countries where data protection laws are at best nascent. In the large majority of cases, they don’t exist at all, he says, which is why Simprints focuses on compliance with GDPR as its baseline, but typically seeks to exceed it:

We operate across the industries of biometrics/digital ID and international development. Since historically, both of them have repeatedly fallen short when it comes to privacy, we’re quite sensitive to the fact that biometrics, like any other technology, is not a silver bullet solution for all contexts. That’s the first step: We assess whether a potential client even needs biometrics to achieve their programme objectives - and sometimes they don’t - in multiple scoping calls.

But is this a case of the developing world being used as a ‘testing ground’ for technology that is often resisted in wealthier parts of the world? And what about safety in conflict situations, where the biometric data of vulnerable or persecuted groups could be leaked or hacked? Says Norman:

Sadly, this ‘testing ground’ habit has been a reality of the international development sector. We’re very much aware of this and therefore keep a strong focus on the end user - the beneficiaries of a particular program. We build for the specific context in which the technology will be deployed, which means conducting research and development in and with the communities we intend to work in. To do otherwise, like testing in a Western context and then trying to apply that to a low-resource, harsher environment, with a completely different population, would be unethical and irresponsible. As for conflict situations, we currently do not work in humanitarian crisis situations, largely because we’re aware of the heightened potential for risk here.

He adds that Simprints conducts an extensive Data Protection Impact Assessment for every project where it acts as a ‘data controller’ - essentially a questionnaire of 140 questions that explores in-depth risks to personal privacy, which is discussed with the partner and published on Simprints’ website (see here for one from Malawi). It also uses 128-bit encryption between scanner and phone and SSL/TLS encryption between the phone and its GCP-based platform.

For data storage, Simprints practices what Norman calls ‘data siloing’, which means it only stores and processes the biometric data on GCP - but not the personal data linked to each individual for the purposes of the project, such as their medical record or electronic vaccination card. Conversely, project partners store only the personal data but not the biometric data, and randomly generated globally-unique IDs (GUIDs) are used as the bridge between the two data sets. In this way, a breach of Simprints’ systems would only yield pseudo-anonymized numbers (the GUIDs) - of no value at all, without the connected beneficiary information stored elsewhere.
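
The siloing scheme described above, sketched as an added example that is not Simprints’ code: the class names, the toy Hamming-distance matcher, its threshold and the sample record are all assumptions, and the templates are constructed random bytes rather than real fingerprint data.

```python
import secrets
import uuid

class BiometricSilo:
    """Biometric side (hypothetical): GUID -> template only, no personal data."""
    def __init__(self, max_distance=40):
        self._templates = {}
        self.max_distance = max_distance  # assumed matching threshold, in bits

    def enroll(self, template: bytes) -> str:
        guid = str(uuid.uuid4())  # random; encodes nothing about the person
        self._templates[guid] = template
        return guid

    def identify(self, probe: bytes):
        """Return the GUID of the closest template within threshold, else None."""
        best_guid, best_dist = None, self.max_distance + 1
        for guid, stored in self._templates.items():
            dist = sum(bin(a ^ b).count("1") for a, b in zip(stored, probe))
            if dist < best_dist:
                best_guid, best_dist = guid, dist
        return best_guid

    def dump(self):
        """Everything a full read of this silo would expose."""
        return dict(self._templates)

class PartnerRecords:
    """Partner side (hypothetical): GUID -> personal record only, no templates."""
    def __init__(self):
        self._records = {}

    def register(self, guid, record):
        self._records[guid] = record

    def lookup(self, guid):
        return self._records.get(guid)

def demo():
    silo, partner = BiometricSilo(), PartnerRecords()
    template = secrets.token_bytes(64)  # constructed sample template
    guid = silo.enroll(template)
    partner.register(guid, {"name": "Sample Patient", "vaccine": "dose 1"})
    rescan = bytes([template[0] ^ 0b101]) + template[1:]  # same finger, 2 bits of noise
    stranger = secrets.token_bytes(64)                    # unenrolled person
    return silo, partner, guid, silo.identify(rescan), silo.identify(stranger)

if __name__ == "__main__":
    silo, partner, guid, hit, miss = demo()
    print(hit == guid, miss, partner.lookup(hit))
```

Only the GUID crosses between the two stores: the biometric side resolves a scan to a GUID, and the partner side resolves that GUID to a record.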

These issues aside, the impact that Simprints’ approach looks set to have is undeniable. According to Norman, it’s now contracted, via its partners, to reach over 4 million people by the end of next year: 

So for us, it’s about scaling: how can we empower larger projects, larger healthcare systems, while making sure that we keep our accuracy threshold very, very high - the right ID, at the right time, for the people who need it most?
