Appropriate Roles of Actors

Research and Writing by Amber Sinha and Shruti Trikanad

A factor that characterises a digital ID system is the set of actors involved in developing and managing it, and the role the State plays in this process. In this section, we discuss the different roles assumed by States in ID systems around the world, the models of creation they have employed, and the policy consequences of these decisions. As part of this, we also address achieving interoperability through the design of the system, and some common issues such as vendor lock-in.

A key policy issue in digital ID discourse is the role played by the state in the development, design and implementation of the digital ID system. This raises questions about what the appropriate role of the state is, to what extent it must intervene not just in regulation but also in the development of identity systems, and how best to determine suitable sites of intervention. As opposed to private firms, which invest in innovation with the expectation that this activity will generate profit for the company, states are meant to be driven by public interest motives.

A private firm will ordinarily focus on four primary questions:

  • Is the technology a solution, or a better solution, to a market need? (Right technology)
  • Is the market for the technology large enough? (Right market size)
  • Is the cost of bringing the technology to market sufficiently low? (Right cost of commercialization)
  • Is the technology performance, market, and commercialization cost certain enough? (Right market certainty)1.

On the other hand, appropriate roles for the government in deployment of technology include “any actions that will assist the private sector in meeting public good objectives that cannot be accomplished, or will not be accomplished, by the private sector alone without government participation or leadership.”2 Ensuring the above requires multiple steps, some of which are listed below:

  1. A consultative process to arrive at the definition of public good outcome. These need to be debated and decided by the legislative and executive branches and established as basic mission requirements of government agencies. Further, they need to involve significant public consultation and take into account views of different stakeholders. Within any democratic setup, a specific desired public good outcome is defined through adequate debate and consensus building.
  2. Legislative and executive branches should not arbitrarily eliminate specific deployment tools or mechanisms from consideration, but rather focus on ensuring broad stakeholder collaboration to select the appropriate tools for each circumstance and then insist on getting the desired results out of the tools used.
  3. Narrow down the set of steps that require the state’s intervention to meet the public good objectives, and restrict state intervention to only those steps.
  4. Ideally, the state should restrict itself to pre-competitive activities leaving competitive activities for the private sector, unless required otherwise by competition regulators.3
  5. Public funding must be evaluated appropriately for the following categories of activities:4
    • Technologies developed entirely for government use
    • Technology requirements imposed by regulatory agencies
    • Technologies having compelling societal benefits
    • Technologies that advance commerce

In the case of digital ID, arguments for state funding are often made on the basis of the third criterion above. While there are multiple factors at play in determining the societal benefits of identity technologies, it must be acknowledged that they have immense power, both in enabling constructive engagement between citizen and state, and as a potential tool to cause harm in the hands of the state.5 The fourth criterion, the potential of identity technologies to advance commerce, is also cited, and this must be evaluated carefully to ensure that broad classes of consumers benefit, directly or indirectly, from the deployment of the technology.

1 Roles of the State

Below we list some examples of roles assumed by the state.

1.1 The State as the single ID provider

In India, the digital ID project, Aadhaar, has a single identity provider, the Unique Identity Authority of India, and falls within the “classic hierarchical, centralised, command-and-control paradigm6.” Such identity systems are marked by concentration of power in the hands of one entity controlled by the state. They are also marked by single points of failure and inadequate preparedness for contingencies. Several critical processes rely on the operability of the digital ID infrastructure, while some of the systems may rely on the ID exclusively. The result of such an approach is effectively a state-enforced market monopoly of identity providers, which leads to classic anti-competitive and anti-consumer outcomes.

1.2 The State as endorsing other ID providers

In Estonia, Smart ID and Mobile ID are provided by private entities.7 Mobile ID requires a special SIM card to be inserted into the user’s smartphone; and one needs a smartphone or tablet to use the Smart ID application.

Digilocker, a document storage service provided by the Indian government, adopted a mechanism to identify users and allow them to authenticate using the Facebook Login service.8,9 However, this option was later discontinued.

India’s Aadhaar ID system also relies heavily on the use of One-time Passwords (OTPs) to authenticate citizens. In this case, the cell service provider, which is usually a private entity, plays the role of ID provider, as individuals are identified by their phone numbers.

1.3 The State as broker of ID providers

In the UK and Canada, we see a model where the State acts as a broker of identity systems provided by multiple public and private entities.7 The role of the state is in providing standards for identity verification for different levels of identity assurance, and private identity providers validate residents’ identity and provide them login credentials for authentication. In order to maintain user privacy, identity providers do not know which government service the resident is attempting to access, and the government service does not know which identity provider has been used to verify residents’ identity. Moreover, different government services require varying levels of identity assurance, which allows residents who may not have all the required documentation to access a wider pool of services than if all government services demanded one single high standard of identity assurance.
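The double-blind arrangement described above can be sketched in a few lines. This is an added illustration, not code from either country's system: the class names, the numeric assurance levels, the user and service names, and the use of HMAC in place of public-key signatures are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets


def _mac(key, payload):
    # HMAC stands in for the public-key signatures a real federation would use.
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self, name, broker_key, users):
        self.name, self._key, self._users = name, broker_key, users
        self.seen = []  # every request field this provider ever learns

    def authenticate(self, user, request):
        self.seen.append(dict(request))
        loa = self._users.get(user)
        if loa is None or loa < request["min_loa"]:
            return None  # unknown user, or verified below the requested level
        claims = {"request_id": request["request_id"], "subject": user, "loa": loa}
        return {"claims": claims, "mac": _mac(self._key, claims)}


class Broker:
    def __init__(self):
        self._secret = secrets.token_bytes(32)  # keys the pairwise pseudonyms
        self._idps = {}      # name -> (provider, key shared with it)
        self._services = {}  # name -> (required assurance level, shared key)

    def register_idp(self, name, users):
        key = secrets.token_bytes(32)
        self._idps[name] = (IdentityProvider(name, key, users), key)
        return self._idps[name][0]

    def register_service(self, name, required_loa):
        key = secrets.token_bytes(32)
        self._services[name] = (required_loa, key)
        return key

    def login(self, service, idp_name, user):
        required_loa, service_key = self._services[service]
        idp, idp_key = self._idps[idp_name]
        # The provider is told the assurance level needed, never the service.
        request = {"request_id": secrets.token_hex(8), "min_loa": required_loa}
        reply = idp.authenticate(user, request)
        if reply is None:
            return None
        claims = reply["claims"]
        if not hmac.compare_digest(reply["mac"], _mac(idp_key, claims)):
            return None
        if claims["request_id"] != request["request_id"] or claims["loa"] < required_loa:
            return None
        # Per-service pseudonym: two services cannot join records on it, and
        # the forwarded assertion names neither the provider nor its subject.
        link = f"{idp_name}|{claims['subject']}|{service}".encode()
        pseudonym = hmac.new(self._secret, link, hashlib.sha256).hexdigest()[:16]
        out = {"pseudonym": pseudonym, "loa": claims["loa"], "audience": service}
        return {"claims": out, "mac": _mac(service_key, out)}


def service_accepts(service, service_key, assertion):
    # A relying party accepts only assertions the broker issued for it.
    if assertion is None:
        return False
    claims = assertion["claims"]
    return (claims["audience"] == service
            and hmac.compare_digest(assertion["mac"], _mac(service_key, claims)))
```

In this sketch the broker itself sees both the provider and the service for every login, so it is the one component whose logs and keys would need the tightest controls.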

2 Models of Creation

Even where the State is the provider of the digital ID, it typically utilises private services in building the ID system, through public-private partnerships. As digital ID systems are technically complex to build and require significant investment, many State ID providers are delegating some of the services involved in building, operating, or managing the ID system to private companies. This may also increase the State’s public service efficiency, as the expertise and services involved in operating an ID system are highly specialised, and therefore benefit from having partnerships between different actors.10 Perhaps the biggest advantage to using private services is that it removes the requirement of a big upfront investment by the government; costs are shouldered by the private investor, and typically managed over the contract period.11

The degree of private firm involvement varies, depending on the capacity of the State, private sector expertise and profitability. Amongst other things, the private actor can be involved in (1) designing and building identity infrastructure, (2) financing initial and ongoing capital investments, and (3) key services in operating and maintaining digital IDs throughout their lifecycle, including registration, issuance or authentication.12 Public-private partnerships in the creation of an ID system can typically be categorised into one of the following:

2.1 Service agreement

Here, the government contracts with a private firm to undertake a specific role in one or more stages of the digital ID lifecycle. The firm may either receive payment from the government depending on its performance, or it may get revenue directly from consumers.

In Nigeria, the National Identity Management Commission (NIMC) is in charge of the National Identity Database and ID card, but it partnered with financial service companies to issue a smartcard (used for authentication) that is also a payment card.

In Estonia, Finland, and Norway, the national digital ID system is operated by the State, but private entities offer and operate one mode of authentication through a mobile SIM.

2.2 Build-Operate-Transfer/Concession agreement

These agreements are typically for a more significant role in the ID project, entailing higher risk and investment on the part of the private actor. Here, the private actor is almost solely in charge of designing, building and operating a project, usually for a fixed concession period. The public authority typically grants the private company the right to use its assets for a fixed period, and at the end of the contract the authority recovers its assets.

Chile: In 2013, in order to modernize its national identification system, Chile’s Registro Civil e Identificación (SRCeI) awarded a 10-year concession to a private firm, Morpho Chile, to upgrade, build, install, and maintain new hardware and software, integrate existing databases, train SRCeI staff, and personalize eID smartcards. The government continues to operate the system and manage the collected data, but it was the private firm that invested significant capital for the upgrade, and it is paid a fee per document issued by the government.13

Albania: Pursuing similar goals of modernizing its national identification system, Albania’s Ministry of Interior Affairs awarded a full concession to a private firm, Aleat, to design, build, operate, and maintain an eID system. This model differed from the one seen in Chile; the firm was tasked with building an entirely new database, for which it enrolled citizens, collected and stored their data, and issued eIDs at a fee. A copy of the collected data was shared with the government, and they were also paid a portion of the fee collected.14

3 Vendor Lock-in and Interoperability

In building digital ID systems, a universal problem identified by governments has been that of inflexibility, caused by having to depend on select solution providers. This is often because, while the identity solution uses the current best technology and is intended to meet the needs of the current population, it does not adapt to growing needs or advancements in technology. Sometimes, these systems are developed in silos, on proprietary technologies from multiple technology partners, and struggle to operate with each other or to be upgraded or replaced. In fact, the lack of provider and technology neutrality was identified by several bodies tasked with implementing national ID systems as a major concern, particularly by those countries in Africa that recently introduced digital ID systems.15 Thus, this is a major concern to consider when conceiving a digital ID system, to ensure easy upgrades at minimum cost and operational risk. For this, there are several factors to consider.

3.1 Interoperability

“Interoperability” can be seen as a constantly shifting interconnection among ID users, ID providers, and ID consumers that permits the transmission of Digital ID information between them via a secure, privacy-protected channel.16 In this context, it is the characteristic of a system, whose interfaces are completely understood, to work with other products or systems (present or future) without any restrictions.17

When viewed through the perspective of its major stakeholder groups, it looks like this18:

  1. Individuals (or users, subjects) – who want to be able to share aspects of their identity efficiently and securely regardless of the service or platform, with at least some level of ID portability;
  2. Relying parties (usually providers of services individuals want to use) – who want easy and secure access to accurate, timely, and relevant information about individuals from any source to maximize the value of their trust relationships and better serve their users, while limiting their own exposure to risks of a data breach;
  3. ID providers – who want effective and sustainable means to provide Digital ID services to any user and any relying party; and
  4. Society as a whole – to balance convenient and secure authentication and accreditation with other social needs such as privacy.

Interoperability is an important factor to consider here, as it directly influences flexibility and vendor lock-in. Often, different components of an ID system (such as a civil registry, authentication system, etc.) are incompatible with those made by a different provider, forcing the government to rely on the same vendor, often at some cost. Similarly, ID holders may want to expand the scope of the access their ID gives them, but are unable to because different components of the system cannot communicate with each other.19

3.2 Open standards approach

Building an identity platform using open standards may aid in ensuring interoperability and avoiding vendor lock-in. Open standards are simply a set of rules designed to do a specific job in technology. They comprise file formats, protocols and application interfaces that can be implemented by everyone since the specifications are available at no cost, and since their development and standardization is open and transparent.20

This approach uses these agreed-upon standards to create a framework for developers by defining the components of a system and how they interact with each other; this allows the developer a variety of choices from the market in terms of components that can be substituted for each other.21 The fixed standards result in substitutable and compatible technical components, and the standardized interfaces (APIs) enable these components (and any new ones that are added later) to interact with each other. Thus, through this model, governments can use existing modules and components from several existing ID technology providers, and are not limited by any one vendor or hardware.


India: Aadhaar

The Aadhaar program utilises the open standards approach in its largely centralised structure, with its single ID provider (the government) and its centralised data storage system. It does this for the dual purpose of encouraging interoperability and reducing upfront infrastructural costs. Aadhaar uses an open standards-based interoperable platform to allow easy plug-and-play for various service delivery/support systems; this is supported by defined Application Programming Interfaces (APIs) and standards for ecosystem partners to leverage while building their solutions.22 This includes core authentication APIs (both biometric and OTP requests), and APIs for the plug-and-play services that can be added on. For its hardware, it uses distributed commodity computing on Linux machines running open source software, fully parallelizable such that processes happen concurrently on different nodes.23


Canada: PCIM

This approach has also been used in Canada, where the ID system is not centralised, with several ID providers, both public and private, and different credentials, authentication factors etc. The Pan-Canadian approach for identity management is an agreement of principles and standards to develop solutions for use by all Canadians. It has an overarching framework, the Pan-Canadian Trust Framework (PCTF), that amongst other things sets standards that allow different platforms, services, architectures, and technologies to work interoperably to create a digital ID ecosystem. The PCTF supports the acceptance of trusted digital IDs and relationships by defining a set of agreed-upon standardized trusted processes that can be mapped to existing business processes, independently assessed using conformance criteria, and certified to be trusted and interoperable within the many contexts that comprise the digital ecosystem. The standards it sets have two main purposes:

  1. Defining participant roles and associated identity-related functions within the ecosystem.
  2. Facilitating interactions within the ecosystem by defining requirements and guidelines that establish a level of trustworthiness for functions performed by ecosystem Participants.

3.3 Open source approach

Open source platforms, typically built with the use of open standards, are another approach to avoiding the vendor lock-in problem. Open source systems are designed to be publicly accessible, allowing any developer to inspect, modify or enhance them. With this, the government ID provider can build or use an existing (vendor neutral) open source platform concurrently with multiple vendors and service providers, allowing a flexible and scalable identification system.

The governments of Morocco and the Philippines have been using the Modular Open Source Identity Platform (MOSIP) to build their foundational digital ID platforms.24 MOSIP is a modular, open source platform that countries (and other ID issuing organisations) can adopt and customise to their requirements.25 It is designed as a core foundational identity layer, with a set of modules that can be added as per the desired design, and is completely vendor neutral. As it is an open-source platform, service providers can be used interchangeably, avoiding vendor lock-in.26

Notes

 

1 Jon Pietruszkiewicz, “What are the Appropriate Roles for Government in Technology Deployment? A White Paper with Author’s Response to Comments”, NREL (1999), https://www.nrel.gov/docs/gen/fy00/26970.pdf
2 Jon Pietruszkiewicz, “What are the Appropriate Roles for Government in Technology Deployment? A White Paper with Author’s Response to Comments”, NREL (1999), https://www.nrel.gov/docs/gen/fy00/26970.pdf
3 Frist, B.; Domenici, P.; Lieberman, J.; Rockefeller, J. Letter Attachment Statement of Guiding Principles for the Science and Technology Caucus. Washington D. C.: United States Senate, January 28, 1998.
4 Environmental Engineering Division of the Council on Engineering of the American Society of Mechanical Engineers (ASME), “Position Statement on the Role of Federal Government in Environmental Technology Development.” in Jon Pietruszkiewicz, “What are the Appropriate Roles for Government in Technology Deployment?”, https://www.nrel.gov/docs/gen/fy00/26970.pdf
5 Kaliya Young, “Key Differences Between the U.S. Social Security System and India’s Aadhaar System”, New America, 2019, https://www.newamerica.org/fellows/reports/anthology-working-papers-new-americas-us-india-fellows/key-differences-between-the-us-social-security-system-and-indias-aadhaar-system-kaliya-young/
6 Sunil Abraham, “Building Trust: Lessons from Canada’s Approach to Digital Identity”, Observer Research Foundation, June 5, 2020, https://www.orfonline.org/research/building-trust-lessons-from-canadas-approach-to-digital-identity-67360/
7 “Smart-ID”, E-Identity, last accessed November 12, 2021. https://e-estonia.com/solutions/e-identity/smart-id
8 Digilocker User Manual, https://web.archive.org/web/20210408140853/https://digilocker.gov.in/assets/img/DigiLocker-User-Manual.pdf
9 “Facebook Login”, Facebook for Developers, last accessed November 12, 2021. https://developers.facebook.com/docs/facebook-login/
10 “Public private partnership models for national identity programs”, Thales, last accessed November 12, 2021. https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/identity/public-private-partnerships
11 “Public private partnership models for national identity programs”, Thales, last accessed November 12, 2021. https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/identity/public-private-partnerships
12 Digital Identity: Towards Shared Principles for Public and Private Sector Cooperation (July 2016), https://documents1.worldbank.org/curated/en/600821469220400272/pdf/107201-WP-PUBLIC-WB-GSMA-SIADigitalIdentity-WEB.pdf . See pages 30-32 for more details.
13 Digital Identity: Towards Shared Principles for Public and Private Sector Cooperation (July 2016), https://documents1.worldbank.org/curated/en/600821469220400272/pdf/107201-WP-PUBLIC-WB-GSMA-SIADigitalIdentity-WEB.pdf Page 36.
14 Digital Identity: Towards Shared Principles for Public and Private Sector Cooperation (July 2016), https://documents1.worldbank.org/curated/en/600821469220400272/pdf/107201-WP-PUBLIC-WB-GSMA-SIADigitalIdentity-WEB.pdf Page 35.
15 Chris Burt, “Two ideas to break down vendor lock-in in foundational biometric ID systems launch at ID4Africa 2019”, Biometric Update, June 20, 2019, https://www.biometricupdate.com/201906/two-ideas-to-break-down-vendor-lock-in-in-foundational-biometric-id-systems-launch-at-id4africa-2019
16 John Palfrey and Urs Gasser, “Digital Identity Interoperability and eInnovation”, Berkman Publication Series (2007). https://cyber.harvard.edu/pubrelease/interop/pdfs/interop-digital-id.pdf
17 “Best Practices for Adopting Open Standards”, Open First Whitepaper: Open Standards, last accessed November 12, 2021. https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/open-source-software/open-first-whitepaper/open-first-whitepaper-standards.html#best-practices-for-adopting-open-standards
18 John Palfrey and Urs Gasser, “Digital Identity Interoperability and eInnovation”, Berkman Publication Series (2007). https://cyber.harvard.edu/pubrelease/interop/pdfs/interop-digital-id.pdf
19 Putting government back in control: Solving vendor lock-in with open standards (2019), https://www.id4africa.com/2019/almanac/SECURE-IDENTITY-ALLIANCE-SIA.pdf
20 Dr. Pramod Varma, “Big Data at Aadhaar”, July 31, 2012 (Presentation), https://www.slideshare.net/regunathbalasubramanian/aadhaar-at-5thelephantv3/10-Open_APIs_Aadhaar_Services_Core; Ambika Choudhury, “The Birth Of Aadhaar To Address Problems Of Fraud And Duplication In Individual Identities: Aadhaar Chief Architect Dr Pramod Varma”, Analytics India Magazine, April 1, 2020, https://analyticsindiamag.com/the-birth-of-aadhaar-to-address-problems-of-fraud-and-duplication-in-individual-identities/
21 Chris Burt, “MOSIP open digital identity initiative partners up to enhance platform for developing countries”, Biometric Update, October 1, 2020, https://www.biometricupdate.com/202010/mosip-open-digital-identity-initiative-partners-up-to-enhance-platform-for-developing-countries
22 “Principles of Engagement”, MOSIP, April 2019, https://www.mosip.io/uploads/resources/5cc84b0a08284Country%20Engagement%20Principles_v2.pdf
23 Chris Burt, “Two ideas to break down vendor lock-in in foundational biometric ID systems launch at ID4Africa 2019”, Biometric Update, June 20, 2019, https://www.biometricupdate.com/201906/two-ideas-to-break-down-vendor-lock-in-in-foundational-biometric-id-systems-launch-at-id4africa-2019
24 Chris Burt, “MOSIP open digital identity initiative partners up to enhance platform for developing countries”, Biometric Update, October 1, 2020, https://www.biometricupdate.com/202010/mosip-open-digital-identity-initiative-partners-up-to-enhance-platform-for-developing-countries
25 “Principles of Engagement”, MOSIP, April 2019, https://www.mosip.io/uploads/resources/5cc84b0a08284Country%20Engagement%20Principles_v2.pdf
26 Chris Burt, “Two ideas to break down vendor lock-in in foundational biometric ID systems launch at ID4Africa 2019”, Biometric Update, June 20, 2019, https://www.biometricupdate.com/201906/two-ideas-to-break-down-vendor-lock-in-in-foundational-biometric-id-systems-launch-at-id4africa-2019