Hey @Chop
Those are some valid concerns. At this point in it’s development, the Spark only has a handful of uses. It has a unique identifier (UID) that can be registered in an access control system, just like the other NFC tags. You can also configure the redirect URL using the VivoKey app. It might seem like you’re not getting much out of it at the moment, but it’s certainly not a ploy to acquire data. The platform is growing with the eventual goal of supporting payments. If you’ve checked out the forums, you know that’s a HUGE hassle because of the way EMV operates.
The other NFC tag implants available on the site are Type 2 or Type 4, and use simple NDEF records that can be modified by the user (or anyone). Amal and several people on these forums have determined that truly securing those tags is next to impossible. The VivoKey Spark is a different type of tag (ICODE ISO15693 NFC Type 5 compliant chip.) See this thread for more info.
The reason the Spark always communicates with the VivoKey servers whenever it is scanned, is to authenticate that it is truly the specific Spark that it claims it is. The local tag is unable to protect it’s private security keys from malicious actors. The Spark is pre-configured to authenticate with VivoKey’s servers, so it can prove its identity without exposing it’s vulnerabilities.
The Flex One is another VivoKey product that is currently in private beta. It can be used to authenticate the user’s identity, like the Spark. It can also perform cryptographic functions internally and generate it’s own keys (no need to sync with the VivoKey servers.) This functionality will hopefully allow us to endear ourselves to the vengeful EMV cabal, and enable implanted payments. The VivoKey Spark will be able to piggyback on that success and hopefully allow payments with minimal effort or discomfort for the user.
If you’re talking about the privacy policy here:
https://www.vivokey.com/privacy
It says:
Do we disclose any information to outside parties?
We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information. This does not include trusted third parties who assist us in operating our site, conducting our business, or servicing you, so long as those parties agree to keep this information confidential. We may also release your information when we believe release is appropriate to comply with the law, enforce our site policies, or protect ours or others rights, property, or safety. However, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses
It seems to be covering the possibility that VivoKey will need to share some basic statistics on number of users with EMV and other groups to gain traction. Also, disclaimers like this are a goodwill gesture to users of the platform. Instead of just saying “we have 10 thousand users and growing!” and potentially alienating security concious users like us who don’t want to be counted, VivoKey is up front about it. Running a startup is hard, and you need every resource you can get to prove your validity, without taking advantage of your user base.