Roles of the State

Below we list some examples of roles assumed by the state.

The State as the single ID provider

In India, the digital ID project, Aadhaar, has a single identity provider, the Unique Identity Authority of India and falls within the “classic hierarchical, centralised, command-and-control paradigm⁶.” Such identity systems are marked by concentration of power in the hands of one entity controlled by the state. It is also marked by single points of failure and inadequate preparedness for contingencies. Several critical processes rely on the operability of the digital ID infrastructure, while some of the systems may rely on the ID exclusively. The result of such an approach is effectively a state-enforced market monopoly of identity providers, which leads to classic anti-competitive and anti-consumer outcomes.

The State as endorsing other ID providers

In Estonia, Smart ID and Mobile ID are provided by private entities.⁷ Mobile ID requires a special SIM card to be inserted into the user’s smartphone; and one needs a smartphone or tablet to use the Smart ID application.

Digilocker, a document storage service provided by the Indian government, adopted a mechanism to identify users and allow them to authenticate using the Facebook Login service.^8,9 However, this option was later discontinued.

India’s Aadhaar ID system also relies heavily on the use of One-time Passwords (OTPs) to authenticate citizens. In this case, the cell service provider, which is usually a private entity, plays the role of ID provider, as individuals are identified by their phone numbers.

The State as broker of ID providers

In the UK and Canada, we see a model where the State acts as a broker of identity systems provided by multiple public and private entities.⁷ The role of the state is in providing standards for identity verification for different levels of identity assurance, and private identity providers validate residents’ identity and provide them login credentials for authentication. In order to maintain user privacy, identity providers do not know which government service the resident is attempting to access, and the government service does not know which identity provider has been used to verify residents’ identity. Moreover, different government services require varying levels of identity assurance, which allows residents who may not have all the required documentation to access a wider pool of services than if all government services demanded one single high standard of identity assurance.

Models of Creation

Even where the State is the provider of the digital ID, it typically utilises private services in building the ID system, through public-private partnerships. As digital ID systems are technically complex to build and require significant investment, many State ID providers are delegating some of the services involved in building, operating, or managing the ID system to private companies. This may also increase the State’s public service efficiency, as the expertise and services involved in operating an ID system are highly specialised, and therefore benefit from having partnerships between different actors.¹⁰ Perhaps the biggest advantage to using private services is that it removes the requirement of a big upfront investment by the government; costs are shouldered by the private investor, and typically managed over the contract period.¹¹

The degree of private firm involvement varies, depending on the capacity of the State, private sector expertise and profitability. Amongst other things, the private actor can be involved in (1) designing and building identity infrastructure, (2) financing initial and ongoing capital investments, (3) key services in operating and maintaining digital IDs throughout their lifecycle, including registration, issuance or authentication.¹² Public-private partnerships in the creation of an ID system can typically be categorised into one of the following:

Service agreement

Here, the government contracts with a private firm to undertake a specific role in one or more stages of the digital ID lifecycle. The firm may either receive payment from the government depending on its performance, or it may get revenue directly from consumers.

In Nigeria, the National Identity Management Commission (NIMC) is in charge of its National Identity Database, and ID card, but it partnered with financial service companies to issue a smartcard (used for authentication) that is also a payment card.

In Estonia, Finland, and Norway, the national digital ID system is operated by the State, but private entities offer and operate one mode of authentication through a mobile sim.

Build-Operate-Transfer/Concession agreement

These agreements are typically for a more significant role in the ID project, entailing higher risk and investment on the part of the private actor. Here, the private actor is almost solely in charge of designing, building and operating a project, usually for a fixed concession period. The public authority typically grants the private company the right to use its assets for a fixed period, and at the end of the contract the authority recovers its assets.

Chile: In 2013, in order to modernize its national identification system, Chile’s Registro Civil e Identificación (SRCeI) awarded a 10 year concession to a private firm, Morpho Chile, to upgrade, build, install, and maintain new hardware and software, integrate existing databases, train SRCeI staff, and personalize eID smartcards. The government continues to operate the system and manage the collected data, but it was the private firm that invested significant capital for the upgrade, and is paid a fee per document issued by the government.¹³

Albania: Pursuing similar goals of modernizing its national identification system, Albania’s Ministry of Interior Affairs awarded a full concession to a private firm, Aleat, to design, build, operate, and maintain an eID system. This model differed from the one seen in Chile; the firm was tasked with building an entirely new database, for which it enrolled citizens, collected and stored their data, and issued eIDs at a fee. A copy of the collected data was shared with the government, and they were also paid a portion of the fee collected.¹⁴

Vendor Lock-in and Interoperability

On building digital ID systems, a universal problem identified by governments has been that of inflexibility, caused by having to depend on select solution providers. This is often because while the identity solution uses the current best technology and is intended to meet the needs of the current population, it does not adapt to the growing needs or advancement in technology. Sometimes, these systems are developed in silos, on proprietary technologies from multiple technology partners, and struggle to operate with each other or be upgraded or replaced. In fact, the lack of provider and technology neutrality was identified by several bodies tasked with implementing national ID systems as a major concern, particularly by those countries in Africa that recently introduced digital ID systems.¹⁵ Thus, this is a major concern to consider when conceiving a digital ID system, to ensure easy upgrades at minimum cost and operational risk. For this, there are several factors to consider.

Interoperability

“Interoperability” can be seen as: a constantly shifting interconnection among ID users, ID providers, and ID consumers that permits the transmission of Digital ID information between them via a secure, privacy-protected channel.¹⁶ In this context, is the characteristic of a system whose interfaces are completely understood, to work with other products or systems, (present or future), without any restrictions.¹⁷

When viewed through the perspective of its major stakeholder groups, it looks like this¹⁸:

1. Individuals (or users, subjects) – who want to be able to share aspects of their identity efficiently and securely regardless of the service or platform, with at least some level of ID portability;
2. Relying parties (usually providers of services individuals want to use) – who want easy and secure access to accurate, timely, and relevant information about individuals from any source to maximize the value of their trust relationships and better serve their users, while limiting their own exposure to risks of a data breach;
3. ID providers – who want effective and sustainable means to provide Digital ID services to any user and any relying party; and
4. Society as a whole – to balance convenient and secure authentication and accreditation with other social needs such as privacy.

Interoperability is an important factor to consider here, as it directly influences flexibility and vendor lock-ins. Often, different components of an ID system (such as a civil registry, authentication system, etc) are incompatible with those made by a different provider, forcing the government to rely on the same vendor, often at some cost. Similarly, ID holders may want to be able to expand the scope of the access their ID gives them, but are unable to because different components of the system are unable to communicate with each other.¹⁹

Open standards approach

Building an identity platform using open standards may aid in ensuring interoperability and avoiding vendor lock-in. Open standards are simply a set of rules designed to do a specific job in technology. They comprise file formats, protocols and application interfaces that can be implemented by everyone since the specifications are available at no cost, and since their development and standardization is open and transparent.²⁰

This approach uses these agreed upon standards to create a framework for developers by defining the components of a system and how they interact with each other; this allows the developer a variety of choices from the market in terms of components that can be substituted for each other.²¹ The fixed standards result in substitutable and compatible technical components, and the standardized interfaces (APIs) enable these components (and any new ones that are added later) interact with each other. Thus, through this model, governments can use existing modules and components from several existing ID technology providers, and are not limited by any one vendor or hardware.

India: Aadhaar

The Aadhaar program utilises the open standards approach in its largely centralised structure, with its single ID provider (the government) and its centralised data storage system. It does this for the dual purpose of encouraging interoperability, and reducing upfront infrastructural costs. Aadhaar uses an open standards-based interoperable platform to allow easy plug-and-play for various service delivery/support systems; this is supported by defined Application Programming Interface (APIs) and standards for ecosystem partners to leverage while building their solutions.²² This includes core authentication APIs (both biometric and OTP requests), and APIs for the plug-and-play services that can be added on. For its hardware, it has distributed commodity computing running Linux machines on open source fully parallelizable, such that processes happen concurrently on different nodes.²³

Canada: PCIM

This approach has also been used in Canada, where the ID system is not centralised, with several ID providers, both public and private, and different credentials, authentication factors etc. The Pan-Canadian approach for identity management is an agreement of principles and standards to develop solutions for use by all Canadians. It has an overarching framework, the Pan Canadian Trust Framework (PCTF), that amongst other things, sets standards that allow different platforms, services, architectures, and technologies to work interoperably to create a digital ID ecosystem. The PCTF supports the acceptance of trusted digital IDs and relationships by defining a set of agreed-upon standardized trusted processes that can be mapped to existing business processes, independently assessed using conformance criteria, and certified to be trusted and interoperable within the many contexts that comprise the digital ecosystem. The standards it sets has 2 main purposes:

1. Defining participant roles and associated identity-related functions within the ecosystem.
2. Facilitating interactions within the ecosystem by defining requirements and guidelines that establish a level of trustworthiness for functions performed by ecosystem Participants.

Open source approach

Open source platforms, typically built with the use of open standards, is another approach to avoid the vendor lock in problem. Open source systems are designed to be publicly accessible, allowing any developer to inspect, modify or enhance them. With this, the government ID provider can build or use an existing (vendor neutral) open source platform concurrently with multiple vendors and service providers, allowing a flexible and scalable identification system.

The governments of Morocco and Philippines have been using the Modular Open Source Identity Platform (MOSIP) platform to build their foundational digital ID platforms.²⁴ MOSIP is a modular, open source platform that countries (and other ID issuing organisations) can adopt and customise to their requirements.²⁵ It is designed as a core foundational identity layer, with a set of modules that can be added as per the desired design, and is completely vendor neutral. As an open-source platform, service providers can be used interchangeably, avoiding vendor lock-in.²⁶

Notes