ID systems analysed: MOSIP

Case Study

This written piece is part of PI's wider research into the tech behind ID systems around the world.

Overview

The Modular Open Source Identity Platform (MOSIP) is an open source, open-standards-based foundational identity platform. MOSIP is an API-first platform that can be used by user organisations such as Governments to build their own foundational national ID platforms. MOSIP offers ID life-cycle management features and identity verification capabilities out of the box. Being modular, MOSIP provides increased flexibility for these entities to implement and customise their foundational ID system. Besides being open source and modular, MOSIP is vendor neutral and interoperable.
Development of MOSIP was started in late 2018 by the International Institute of Information Technology, Bangalore (IIIT-B), and it is funded by the Bill & Melinda Gates Foundation, Tata Trust and Omidyar Network.
The project is governed by an Executive Committee and a Technology Committee. The former advises and guides IIIT-B on matters of project governance, finances, intellectual property, etc. The latter is responsible for all technical decisions, including the product roadmap and open source community management.
MOSIP has also constituted an International Advisory Group to guide the project on its overall goals and direction, as well as to be consulted on key strategic issues. We can find representatives of the following entities in MOSIP's International Advisory Group:

Infrastructure makeup

MOSIP relies on LDAP for user authentication. LDAP user authentication is the process of validating a username and password combination with a directory server - in this case Apache DS or OpenLDAP. LDAP directories are standard technology for storing user, group and permission information and serving that to applications in the enterprise.

Infrastructure overview. Source: MOSIP GitHub repository

From the available documentation we can find some of MOSIP's key security design features.

  • Direct access to data stored in database not permitted - data accessed via APIs only.
  • Zero-Knowledge Administration principle used so administrators can manage data without seeing the actual data. Data can be accessed only via APIs.
  • The integrity of each database row protected to prevent any malicious tampering like swapping identities, for instance.
  • Revocable Virtual IDs and Tokens used to thwart any attempt on profiling the users.
  • Access controls implemented on all APIs to ensure data privacy (who can see what).
  • All APIs support rate-limiting and are digitally signed.
  • All network channels assumed 'dirty'.
  • Every artifact (including JSON data sent over API) digitally signed.

Encryption used

From MOSIP's documentation we can get a grasp of the encryption algorithms used within the different components of the platform. All the protocols mentioned in the documentation are widely used and well documented.

De-duplication

MOSIP includes features such as demographic and optional biometric de-duplication.
Demographic de-duplication
In demographic de-duplication the MOSIP system compares some of the demographic data (i.e. Name, Date of Birth and Gender) of the resident against the data present in the MOSIP system (that is, the residents who have already registered in MOSIP). If any potential match is found, the MOSIP system sends the resident's biometrics to the ABIS system to confirm whether the biometrics also match.
Biometric de-duplication
In biometric de-duplication the MOSIP system sends the biometrics of the resident to an ABIS System (Automated Biometrics Identification System). Here, the expectation from the ABIS system is to perform biometric de-duplication (1:N match) against all the records that it has stored earlier.
When biometric duplicates are found in ABIS, the MOSIP system sends a request for Manual Adjudication to the Manual Adjudication System via a queue. The system integrator can build the Manual Adjudication System, which would listen to the MOSIP-to-ManualAdjudication queue for any Manual Adjudication requests and send a response back in the ManualAdjudication-to-MOSIP system after verifying the data.
The data sent to the Manual Adjudication system is driven by a policy defined in MOSIP.
As mentioned in our overview of these national ID systems, biometric de-duplication is problematic, not only from a potential data protection perspective but also from a purely functional point of view. The larger the sample size of users, the more manual adjudications need to be performed and the more evident it becomes that the uniqueness of biometric identifiers cannot be guaranteed, therefore sabotaging the one principle that biometric de-duplication relies on.
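The scaling argument above can be worked through numerically. The following is an added example, not part of the original article and not MOSIP code. It assumes the ABIS compares each new enrolment independently against every stored record with a fixed per-comparison false match rate (FMR); the rate and function names are constructed for illustration.

```python
# Added example, not MOSIP code. Assumptions: the ABIS compares each new
# enrolment independently against every stored record, with a fixed
# per-comparison false match rate (FMR); the FMR below is a constructed value.
import math


def p_false_hit(n_stored: int, fmr: float) -> float:
    """Probability that one 1:N search falsely flags at least one of
    n_stored records: 1 - (1 - fmr)**n, computed stably for tiny fmr."""
    return -math.expm1(n_stored * math.log1p(-fmr))


def expected_adjudications(population: int, fmr: float) -> float:
    """Expected number of genuinely new residents routed to manual
    adjudication while `population` people enrol one after another.

    The k-th enrolment searches k stored records, so the total is
    sum_{k=0}^{P-1} [1 - (1-fmr)**k] = P - (1 - (1-fmr)**P) / fmr.
    """
    return population - p_false_hit(population, fmr) / fmr


def workload_table(populations, fmr):
    """Rows of (population, false-hit probability of the last search,
    cumulative expected adjudications)."""
    return [(p, p_false_hit(p - 1, fmr), expected_adjudications(p, fmr))
            for p in populations]


if __name__ == "__main__":
    FMR = 1e-9  # constructed sample value, not a measured ABIS figure
    for pop, p_last, total in workload_table([10**5, 10**6, 10**7, 10**8], FMR):
        print(f"{pop:>11,d} enrolled  P(false hit on last search)={p_last:.4f}"
              f"  expected adjudications so far={total:,.0f}")
```

Under these assumptions a tenfold increase in enrolled population produces roughly a hundredfold increase in cumulative false-match adjudications until the per-search false-hit probability stops being small.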

Principles of Engagement

MOSIP was envisaged to provide an open source solution to tackle the problems related to digital identity systems, particularly that of closed, proprietary technology and consequent vendor lock-in. Being open source means that untested contributors cannot be individually legally targeted because of their contributions to this project.
MOSIP has been created as a core for foundational digital identity systems that aims to enable the issuer to accelerate progress towards inclusive, privacy-centric and secure digital economies. For a country to achieve such goals, MOSIP documentation also lays out which key enablers and safeguards must be in place:

  • A legal and governance framework for digital ID that must be designed to be inclusive and to prioritise users’ control over their information.
  • Transparency and wide stakeholder participation in the decision-making process.
  • A system that prioritises privacy and user control, is secure and uses open standards.

Where

Examples of Abuse

Even though MOSIP has established Principles of Engagement for countries making use of it, there are no guarantees that these Principles will be followed by governments. For instance, although 'inclusivity' is the first principle mentioned in MOSIP's documentation, there have been concerns regarding exclusion through language in Morocco's implementation of MOSIP. The General Directorate of National Security announced a new generation of identity cards in 2020, but according to a draft law the card would include only Arabic (one of the two official languages of the country) and French (a foreign, non-constitutional language), leaving Tamazight (the second official language) behind. This goes directly against regulations that aim to gradually include Tamazight in Morocco’s public life and that recommend the use of Tamazight, alongside Arabic, on national identity cards, as well as in other administrative documents.