Modernising Digital-ID Systems: What Open Standards and Open-Source Software Really Mean
Debora Comparin, Chair of OSIA Initiative, SIA and Standardisation Expert, Thales
Thanks to co-author Yiannis Theodorou, Head of Digital ID, Tony Blair Institute for Global Change, for his contribution to this commentary.
As governments continue to build inclusive digital-ID ecosystems to unlock the value of digital transformation for their people, many are facing the challenge of which related technology solutions to adopt.
In markets that encourage competition and innovation, it is common to see the creation of proprietary, closed and non-interoperable systems when a new industry is formed; remember the days when the phone you bought in Europe could not be used to make or receive calls in the United States? Eventually, though, the forces of supply and demand drive the industry towards harmonised, optimal solutions and common standards.
Today’s identity market is an environment of siloed foundational and functional ID systems, partly built on proprietary technologies. But, as the market matures, new tech solutions are drastically redefining the landscape. Mobile-ID solutions, sophisticated biometrics, cloud computing and other technologies have made it possible to develop integrated national ID ecosystems that are efficient, cost-effective and secure, without necessarily involving centralised databases.
Yet many countries still have a long way to go before they can realise this vision, and their ability to easily switch to new technology partners or providers is severely hampered by the complexity of existing systems or contractual arrangements. For example, if a newly procured digital-ID provider must deal with encrypted biometric templates in an existing database, it would need to access the raw biometric images captured and stored by the previous provider’s systems. If the unencrypted raw images are not available or reliable, the government will likely be forced to re-register the entire population.
Vendor lock-in constrains development because any change is subject to considerable costs and the risk of operational failures. At the same time, to benefit from the latest technologies, governments need to update, adapt and upgrade their legacy systems while having the freedom to choose the most appropriate solutions to meet their needs.
Two main approaches have emerged that offer governments the flexibility and freedom they need: open standards and open-source software.
What Are Open Standards and Open-Source Software?
Open standards provide requirements, specifications, guidelines or characteristics that can be used consistently to ensure that materials, products, processes and services are fit for their purpose. And while there is no globally agreed definition of the term “open”, the European Interoperability Framework describes the key characteristics, which include maintenance by a not-for-profit organisation, irrevocable availability of the intellectual property on a royalty-free basis and access to the specification document for free (or for a nominal fee), without constraints on reuse. Open standards are normally developed by industry consortia such as the W3C, OIDF and SIA (Secure Identity Alliance).
Open-source software (OSS) is software with source code that anyone can inspect, modify and enhance. As they do with proprietary software, users must accept the terms of a licence when they use OSS, but the legal terms differ significantly from those of proprietary licences. Open-source licences affect the way people can use, study, modify and distribute software.
Why Do Open Standards Matter for Building Strong Digital-ID Ecosystems?
As the World Bank puts it: “Government-service providers of social protection, health care, education and financial services could work seamlessly with a digital-ID system using the authentication services of a core OSS solution if it were built on open standards.” Similarly, by choosing hardware such as biometric scanners and smartcard readers based on open standards, governments could easily achieve interoperability among departments, both nationally and across borders at regional or global levels. Furthermore, by choosing to replace specific legacy devices or selecting suppliers with ones that comply with the same standards, governments can increase market competitiveness.
There are several open standards driving developments in the digital-ID space, including: OpenID for Verifiable Credential Issuance, OpenID for Verifiable Presentations, W3C Verifiable Credentials Data Model, Decentralized Identifiers, FIDO2 and OSIA.
In Nigeria, OSIA has enabled interoperability between the National Identity Registry and the Mobile ID Ecosystem, which are deployed by different providers – one of which is local. Common Identity, an African software company and OSIA member, has developed the Mobile ID Ecosystem of Nigeria’s Identity Management Commission (NIMC), allowing citizens to have their unique identity verified against the country’s registry almost instantly and securely via an OSIA interface. Launched in December 2020, the NIMC app has been downloaded 3.3 million times in 90 days.
Why Do Open-Source Solutions Matter?
Inspired by other countries, particularly the United Kingdom, France and the United States, the team behind the Canadian Digital Service eloquently explains why they made use of – and contribution to – OSS one of their core principles: “Open-Source saves time and money, by making software easier to reuse and adapt.” Another key benefit of these solutions is that they can bring together contributors who can learn from and improve each other’s work while adding new features and capabilities.
Open-source approaches to digital ID include: OpenCRVS (proof of concept in Zambia), Modular Open Source Identification Platform (MOSIP, adopted in Morocco and the Philippines), X-Road (adopted in Estonia, Iceland and Finland), GovStack (launched in 2021) and OpenWallet Foundation (aims to launch at the end of 2022).
In Morocco, MOSIP allows the Moroccan government to own the source code of the solution as well as adapt or evolve it over time, independently of vendors. The new digital ID and National Population Registry (NPR) will underpin efforts to reform the social safety-net system and to introduce presence-less, paper-less and cash-less transactions. The NPR leverages MOSIP as its core technology solution and will provide a foundational platform upon which to accelerate inclusive growth of the digital economy.
What Does this Mean for Governments Looking to Build Digital-ID Ecosystems?
Open standards and OSS are collaborative tools underpinned by strong communities that add value to governments looking to build or upgrade their digital-ID ecosystems.
The two approaches are not mutually exclusive and, if properly procured, have the potential to thrive when coupled. While OSS offers governments the ability to own and modify the source code of their solution and pull resources from the community behind the code, open standards ensure interoperability and a certain level of product quality thanks to certification that is normally linked to the standard’s deployment.
Facilitating the implementation of OSS solutions based on open standards is also a key recommendation of the European Commission, as stated in its Open-Source Software Strategy. However, while there is positive momentum behind the OSS community in Europe, many low- and middle-income countries (particularly across Africa) still have a long way to go before harnessing this potential. Despite its benefits, OSS is not a ready-to-use application: it must be customised to meet each country’s needs and be maintained, which requires dedicated expertise. Countries lacking local expertise may need to contract a specialised service provider or systems integrator to maintain the system, leading indirectly to vendor lock-in issues. To mitigate such dependencies, governments may specifically require their suppliers to train local staff as part of their procurement contracts while nurturing local expertise by partnering with academic institutions to offer dedicated courses.
Since digital-ID systems are complex infrastructures, governments come to depend on their technology partners, often in a multi-provider environment. In this context, the OSS and open-standards communities offer governments the flexibility and freedom required to implement and manage their infrastructure without the dependencies that leave them vulnerable. However, caution is needed on two fronts: first, for OSS solutions to be compatible and therefore based on open standards, the recommended standard should be reflective of the proposed definition of “open”, specifically that any patents associated with the specification must be available under royalty-free terms; second, although initially dependent on system integrators, governments should consider putting in place local training to mitigate the capacity risks of OSS solutions. By considering these two recommendations, governments are more likely to futureproof their digital-ID systems in the most efficient manner.