Governance & Transparency Framework

The MyFace Biometric Sovereignty Standard Proposal

A National Biometric Sovereignty Framework

Author: Toby Dupres | Version: 1.0 | Published: 2026 | Licence: CC BY-NC 4.0

Executive Summary

MyFace Biometric Sovereignty Standard is a governance and transparency framework for biometric identity. Built on open blockchain architecture and administered through existing national identity infrastructure, it establishes a simple and enforceable principle: your biometric data belongs to you.

Every citizen is protected by default. Commercial access requires explicit, revocable citizen permission granted to registered entities who have demonstrated legitimate value. Government use for official purposes continues under existing legal frameworks.

MyFace Biometric Sovereignty Standard does not oppose facial recognition technology. It governs it. The sentiment is simple: we understand the benefit, but you are not doing enough to protect us.

The Problem

Facial recognition technology is deployed at scale in retail environments, public spaces, social media platforms and consumer devices. The people whose faces are captured, processed and monetised have no knowledge this is happening, no means to prevent it and no recourse when it occurs.

This is not a hypothetical future concern. It is happening now.

Commercial entities have operated in a governance vacuum. Self-regulation has failed. Voluntary codes have been ignored. Fines have been absorbed as the cost of doing business.

Unlike a password, your face cannot be changed outside of massive trauma or great expense. Once compromised, always compromised. The stakes of inadequate governance are uniquely and permanently high. MyFace Biometric Sovereignty Standard closes this gap.

The Principle

Biometric data captured in public or private spaces belongs to the individual it identifies. No commercial entity has an inherent right to process, store or derive value from that data without explicit, informed and revocable consent.

Three practical implications:

  • Default protection. Every citizen is protected from commercial biometric processing from the moment of registration. No action required.
  • Explicit commercial consent. Commercial access requires explicit permission granted to specific entities for specific stated purposes. Revocable at any time.
  • Registered commercial value. Entities must demonstrate legitimate value before requesting permission. Extractive uses cannot meet the bar.

MyFace Biometric Sovereignty Standard is not anti-technology. It is pro-citizen. It is the minimum acceptable standard.

The Architecture

Registration Infrastructure

MyFace Biometric Sovereignty Standard operates through existing national identity infrastructure via two primary pathways:

  • Passport application and renewal — biometric capture already occurs. MyFace registration is incorporated at no additional cost.
  • National Insurance registration — every UK citizen receives an NI number. MyFace registration is incorporated, ensuring coverage extends beyond passport holders.

A free online submission process allows voluntary self-registration. Children are registered at birth through birth certificate and NI allocation, protected by default until 18. No parent or guardian may grant commercial permissions on behalf of a minor.

The Data Structure

MyFace Biometric Sovereignty Standard stores the minimum data necessary. Raw biometric data is never stored. A one-way cryptographic hash is generated at capture — verifiable without ever reconstructing the original. Each record contains:

  • uid — globally unique, jurisdiction-prefixed identifier
  • biometric_hash — non-reversible cryptographic representation
  • opt_status — default protected, or permissions granted
  • permitted_entities — list of authorised commercial entities (64-char hex references)
  • jurisdiction — national registry of record
  • timestamp — date of last status update

Simplicity is a security feature. The less data held, the less there is to compromise.

The Blockchain Foundation

MyFace Biometric Sovereignty Standard operates on an open, permissioned blockchain. This provides:

  • Immutability — records cannot be quietly altered. Every change creates a permanent auditable trail.
  • Decentralisation — no single nation controls the registry. Integrity does not depend on trusting any single actor.
  • Transparency — the protocol is open source. Anyone can audit the code.
  • Interoperability — any nation can implement a compatible registry. Citizens of partner nations are protected wherever they travel.

The Permission Model

Commercial entities wishing to process biometric data must register, demonstrate legitimate value, integrate the MyFace API, check every biometric before processing, delete any protected result, provide clear permission management to citizens, and submit to annual compliance auditing.

Permission covers only the stated purpose. Scope creep is a violation. Processing a protected biometric is a criminal offence.
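
The record layout under "The Data Structure" and the check-before-processing rule above can be sketched as a fail-closed lookup. This is an added example, not part of the proposal or any MyFace code. The `uid` pattern, the 64-hex `biometric_hash`, the two `opt_status` values and the names `validate` and `may_process` are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Assumed encodings; the proposal only says "jurisdiction-prefixed" and "64-char hex".
HEX64 = re.compile(r"[0-9a-f]{64}")
UID = re.compile(r"([A-Z]{2})-[0-9A-Za-z]{8,}")     # e.g. GB-00000001 (hypothetical)
STATUSES = {"protected", "permissions_granted"}     # hypothetical opt_status values

@dataclass
class Record:
    uid: str
    biometric_hash: str                 # assumed to be 64 hex chars
    jurisdiction: str
    timestamp: str
    opt_status: str = "protected"       # default protection, no action required
    permitted_entities: list = field(default_factory=list)

def validate(rec):
    """Return a list of schema problems; an empty list means well-formed."""
    problems = []
    m = UID.fullmatch(rec.uid)
    if not m:
        problems.append("uid is not jurisdiction-prefixed")
    elif m.group(1) != rec.jurisdiction:
        problems.append("uid prefix does not match jurisdiction")
    if not HEX64.fullmatch(rec.biometric_hash):
        problems.append("biometric_hash is not 64 hex chars")
    if rec.opt_status not in STATUSES:
        problems.append("unknown opt_status")
    if any(not HEX64.fullmatch(e) for e in rec.permitted_entities):
        problems.append("permitted entity is not a 64-char hex reference")
    if rec.opt_status == "protected" and rec.permitted_entities:
        problems.append("protected record lists permitted entities")
    return problems

def may_process(rec, entity_ref):
    """Fail closed: a missing or malformed record is treated as protected."""
    if rec is None or validate(rec):
        return False
    return rec.opt_status == "permissions_granted" and entity_ref in rec.permitted_entities

# Constructed sample values, not real registry data.
ENTITY = "ab" * 32
SAMPLE = Record("GB-00000001", "0f" * 32, "GB", "2026-01-01",
                "permissions_granted", [ENTITY])
```

The design choice worth noting is that every error path (failed lookup, unknown status, inconsistent record) resolves to "protected", so an integration fault cannot widen access.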

The Governance

MyFace Biometric Sovereignty Standard is administered by a dedicated statutory body — the MyFace Authority — operating under parliamentary mandate but independent of ministerial direction. Board composition includes an independently appointed chair, ICO/NCSC/HMRC representatives, independent technical experts, civil society representatives, and a citizen panel selected by sortition.

No board member may have held a senior position at a regulated entity within the previous five years. No board member may take such a position within three years of leaving. The revolving door closes here.

The Authority publishes the complete open source protocol, a public register of all registered entities, annual enforcement statistics, and all government requests to access registry data. The MyFace Authority reports to a dedicated parliamentary select committee with binding recommendation powers.

The International Framework

MyFace Biometric Sovereignty Standard is offered to the international community as an act of good faith. The United Kingdom does not claim ownership of the protocol — we claim authorship. Any nation can implement a compatible registry without depending on UK infrastructure.

Three-tier international structure:

  • Full partners — nations implementing their own compatible registry, contributing blockchain nodes, extending mutual protection to each other's citizens.
  • Observer nations — nations recognising the protocol and checking against partner registries without yet operating their own.
  • Protocol signatories — nations formally endorsing MyFace principles and committing to not permitting commercial processing of protected individuals.

MyFace Biometric Sovereignty Standard proposes formal engagement with the United Nations Human Rights Council to establish biometric sovereignty as a recognised component of the right to privacy under Article 12 of the Universal Declaration of Human Rights.

Implementation Pathway

Phase One — Months 1–6

Foundation

  • Establish the MyFace Authority through primary legislation
  • Appoint founding board including citizen panel
  • Commission open source protocol development in public
  • Begin HMRC integration consultation
  • Initiate diplomatic outreach to Five Eyes partners and EU

Phase Two — Months 7–18

Pilot

  • Launch voluntary online registration
  • Integrate into new passport applications
  • Open commercial entity registration
  • Publish pilot findings publicly

Phase Three — Months 19–36

National Rollout

  • Automatic enrolment through passport renewal cycle
  • Integration into NI allocation at birth
  • Full criminal enforcement begins
  • International rollout to partner nations

The Ask

MyFace Biometric Sovereignty Standard is a proposal, not a petition. It asks for action.

  • To UK Parliament: Introduce primary legislation. Commission a feasibility study within six months. Establish a cross-party working group. Respond formally within ninety days.
  • To the ICO: Issue formal guidance that commercial facial recognition without consent is incompatible with UK GDPR. Investigate and publish findings on the ten largest current deployments.
  • To the UN Human Rights Council: Recognise biometric sovereignty under Article 12. Establish a working group using MyFace Biometric Sovereignty Standard as a reference implementation.
  • To commercial entities: Engage constructively. The governance vacuum is closing. The question is whether you close it cooperatively or have it closed around you.
  • To every citizen: Share this. Ask your MP. Ask the companies whose apps you use. Ask the retailers whose stores you enter. The technology exists because people built it. The governance exists when people demand it.

My identity. My choice. My control.

© 2026 Toby Dupres. Published under CC BY-NC 4.0. Free to share, adapt and build upon this material for any non-commercial purpose provided you credit Toby Dupres as the original author.
The MyFace Biometric Sovereignty Standard was originated by Toby Dupres and first published at biometricsovereigntystandard.org.uk in 2026.