Infrastructure overview. Source: MOSIP github repository
From the available documentation we can identify some of MOSIP’s key security design features.
- Direct access to data stored in the database is not permitted; data is accessed via APIs only.
- A Zero-Knowledge Administration principle is used so that administrators can manage data without seeing the actual data; the data itself remains accessible only via APIs.
- The integrity of each database row is protected to prevent malicious tampering such as swapping identities.
- Revocable Virtual IDs and Tokens used to thwart any attempt on profiling the users.
- Access controls implemented on all APIs to ensure data privacy (who can see what).
- All APIs support rate-limiting and are digitally signed.
- All network channels assumed ‘dirty’.
- Every artifact (including JSON data sent over API) digitally signed.
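The row-integrity feature listed above is the one most easily misunderstood, so here is an added example (written for this page, not MOSIP’s own code) of what “protecting the integrity of each database row” means in practice. Each row carries an HMAC over its protected columns, and the primary key is part of the bound set, so that an insider who edits the table directly (swapping two residents’ biometric references, or moving a record under another identifier) produces rows that no longer verify. The key, the column names and the resident data are all constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, Tuple

# Constructed demo key. In a real deployment the integrity key would live in an
# HSM or key-management service, never in the same store as the rows it protects.
ROW_INTEGRITY_KEY = b"constructed-demo-key-do-not-use-in-production"

# Columns bound together by the tag (assumed names). Including the primary key means a
# tag, or a set of field values, lifted from one row is not valid on any other row.
PROTECTED_COLUMNS = ("id", "name", "dob", "gender", "biometric_ref")


def canonical_row(row: Dict[str, Any]) -> bytes:
    """Serialise the protected columns deterministically so the tag is reproducible."""
    subset = {col: row[col] for col in PROTECTED_COLUMNS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode("utf-8")


def compute_row_tag(row: Dict[str, Any], key: bytes = ROW_INTEGRITY_KEY) -> str:
    """HMAC-SHA256 over the canonical form of the protected columns."""
    return hmac.new(key, canonical_row(row), hashlib.sha256).hexdigest()


def seal_row(row: Dict[str, Any], key: bytes = ROW_INTEGRITY_KEY) -> Dict[str, Any]:
    """Return a copy of the row carrying its integrity tag, as the API layer would write it."""
    sealed = dict(row)
    sealed["integrity_tag"] = compute_row_tag(row, key)
    return sealed


def verify_row(row: Dict[str, Any], key: bytes = ROW_INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare in constant time; False means the row was altered."""
    expected = compute_row_tag(row, key)
    return hmac.compare_digest(expected, str(row.get("integrity_tag", "")))


def swap_biometric_refs(row_a: Dict[str, Any],
                        row_b: Dict[str, Any]) -> Tuple[Dict[str, Any], Dict[str, Any]]:
    """Simulate direct tampering in the table: two residents' biometric references are
    exchanged without going through the API, so no new tags are computed."""
    a, b = dict(row_a), dict(row_b)
    a["biometric_ref"], b["biometric_ref"] = b["biometric_ref"], a["biometric_ref"]
    return a, b


def demo() -> Dict[str, bool]:
    """Seal two constructed resident rows, tamper with them in different ways and
    report what verification says for each case."""
    alice = seal_row({"id": 1001, "name": "Alice Example", "dob": "1990-01-01",
                      "gender": "F", "biometric_ref": "bio-ref-A"})
    bob = seal_row({"id": 1002, "name": "Bob Example", "dob": "1988-05-17",
                    "gender": "M", "biometric_ref": "bio-ref-B"})

    swapped_a, swapped_b = swap_biometric_refs(alice, bob)

    # Relocating a complete record (all values plus its tag) under a different primary key.
    relocated = dict(alice)
    relocated["id"] = 1003

    return {
        "untouched_rows_verify": verify_row(alice) and verify_row(bob),
        "swapped_row_a_verifies": verify_row(swapped_a),
        "swapped_row_b_verifies": verify_row(swapped_b),
        "relocated_row_verifies": verify_row(relocated),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Per-row tags detect modification and relocation of individual rows; they do not detect deletion of a row or a rollback of the whole table to an older, consistently tagged snapshot. Those cases need table-level controls (row counts or a chained digest, plus an independent audit log), which is why the design above pairs row integrity with API-only access rather than relying on either alone.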
From MOSIP’s documentation we can get a grasp of the encryption algorithms used within the different components of the platform. All the protocols mentioned in the documentation are widely used and well documented.
MOSIP includes features such as demographic and optional biometric de-duplication.
In demographic de-duplication, the MOSIP system compares some of the resident’s demographic data (i.e. Name, Date of Birth and Gender) against the data already present in the MOSIP system (i.e. the residents who have already registered in MOSIP). If any potential match is found, the MOSIP system sends the resident’s biometrics to the ABIS system to confirm whether the biometrics also match.
In biometric de-duplication the MOSIP system sends the biometrics of the resident to an ABIS System (Automated Biometrics Identification System). Here, the expectation from the ABIS system is to perform biometric de-duplication (1:N match) against all the records that it has stored earlier.
When biometric duplicates are found in ABIS, the MOSIP system sends a Manual Adjudication request to the Manual Adjudication System via a queue. The system integrator can build the Manual Adjudication System, which listens on the MOSIP-to-ManualAdjudication queue for Manual Adjudication requests and, after verifying the data, sends a response back on the ManualAdjudication-to-MOSIP queue.
The data sent to the Manual Adjudication system is driven by a policy defined in MOSIP.
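To make the de-duplication flow described in the preceding paragraphs concrete, here is an added Python simulation of it; this is example code written for this page, not MOSIP’s implementation. It runs the demographic comparison (Name, Date of Birth, Gender) first, confirms any demographic hits with a biometric check against those candidates, falls back to a full 1:N biometric search when there is no demographic hit, and hands confirmed duplicates to a manual adjudication queue carrying only policy-permitted fields. The MockAbis class, the queue, the policy field list and all resident records are constructed assumptions.

```python
import unicodedata
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional


@dataclass(frozen=True)
class Resident:
    rid: str
    name: str
    dob: str        # ISO date
    gender: str
    template: str   # constructed stand-in for a biometric template


@dataclass
class DedupOutcome:
    decision: str                   # "UNIQUE" or "MANUAL_ADJUDICATION"
    demographic_matches: List[str]
    biometric_matches: List[str]


def normalise_name(text: str) -> str:
    """Unicode-normalise, case-fold and collapse whitespace so trivial variants compare equal."""
    return " ".join(unicodedata.normalize("NFKC", text).casefold().split())


def demographic_candidates(applicant: Resident, gallery: List[Resident]) -> List[Resident]:
    """Stage 1: compare Name, Date of Birth and Gender against already registered residents."""
    return [
        r for r in gallery
        if normalise_name(r.name) == normalise_name(applicant.name)
        and r.dob == applicant.dob
        and r.gender.upper() == applicant.gender.upper()
    ]


class MockAbis:
    """Constructed stand-in for an external ABIS. A real ABIS scores template similarity;
    here a match is exact template equality, which is enough to show the control flow."""

    def __init__(self) -> None:
        self._gallery: Dict[str, str] = {}

    def insert(self, resident: Resident) -> None:
        self._gallery[resident.rid] = resident.template

    def identify(self, template: str, restrict_to: Optional[List[str]] = None) -> List[str]:
        """1:N search over the whole gallery, or over a candidate subset when one is given."""
        ids = restrict_to if restrict_to is not None else list(self._gallery)
        return [rid for rid in ids if self._gallery.get(rid) == template]


# Hypothetical adjudication policy: the applicant fields an adjudicator may see.
ADJUDICATION_POLICY_FIELDS = ("name", "dob", "gender")


def deduplicate(applicant: Resident, gallery: List[Resident], abis: MockAbis,
                adjudication_queue: Deque[dict]) -> DedupOutcome:
    demo_hits = demographic_candidates(applicant, gallery)
    if demo_hits:
        # Demographic match: ask ABIS whether the biometrics also match those candidates.
        bio_hits = abis.identify(applicant.template, restrict_to=[r.rid for r in demo_hits])
    else:
        # No demographic match: full 1:N biometric de-duplication.
        bio_hits = abis.identify(applicant.template)

    if bio_hits:
        # Biometric duplicates confirmed: queue a manual adjudication request,
        # sending only the fields the policy permits.
        adjudication_queue.append({
            "applicant_rid": applicant.rid,
            "applicant": {f: getattr(applicant, f) for f in ADJUDICATION_POLICY_FIELDS},
            "candidate_rids": bio_hits,
        })
        return DedupOutcome("MANUAL_ADJUDICATION", [r.rid for r in demo_hits], bio_hits)

    return DedupOutcome("UNIQUE", [r.rid for r in demo_hits], [])


def run_demo() -> Dict[str, object]:
    """Run four constructed applicants through the pipeline against a two-person gallery."""
    gallery = [
        Resident("R1", "Amina Ben Ali", "1985-03-12", "F", "TEMPLATE-1"),
        Resident("R2", "Youssef Idrissi", "1978-11-02", "M", "TEMPLATE-2"),
    ]
    abis = MockAbis()
    for r in gallery:
        abis.insert(r)
    queue: Deque[dict] = deque()

    applicants = [
        Resident("A1", "amina  ben ali", "1985-03-12", "f", "TEMPLATE-1"),  # same person, spelling variant
        Resident("A2", "Karim Said", "1992-07-07", "M", "TEMPLATE-2"),      # new demographics, known biometrics
        Resident("A3", "Amina Ben Ali", "1985-03-12", "F", "TEMPLATE-9"),   # namesake, different biometrics
        Resident("A4", "Leila Haddad", "2001-09-30", "F", "TEMPLATE-4"),    # genuinely new
    ]
    decisions = {a.rid: deduplicate(a, gallery, abis, queue).decision for a in applicants}
    return {"decisions": decisions, "queued": len(queue)}


if __name__ == "__main__":
    print(run_demo())
```

Applicant A3 is the case worth noticing: a demographic match alone is not treated as a duplicate, because the biometric confirmation fails, so no adjudication request is queued. The policy tuple gating what goes onto the queue corresponds to the statement above that the data sent to the Manual Adjudication system is driven by a policy defined in MOSIP.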
As mentioned in our overview of these national ID systems, biometric de-duplication is problematic, not only from a potential data protection perspective but also from a purely functional point of view. The larger the enrolled population, the more manual adjudications need to be performed, and the more evident it becomes that the uniqueness of biometric identifiers cannot be guaranteed, undermining the one principle that biometric de-duplication relies on.
Principles of Engagement
MOSIP was envisaged as an open source solution to the problems of digital identity systems, particularly closed, proprietary technology and the vendor lock-in that follows from it. Because it is open source, untested contributors cannot be individually targeted with legal action for their contributions to the project.
MOSIP has been created as a core for foundational digital identity systems that aims to enable the issuer to accelerate progress towards inclusive, privacy-centric and secure digital economies. For a country to achieve such goals, MOSIP documentation also lays out which key enablers and safeguards must be in place:
- A legal and governance framework for digital ID that must be designed to be inclusive and to prioritise users’ control over their information
- Transparency and wide stakeholder participation in the decision-making process
- A system that prioritises privacy and user control, is secure and uses open standards.
Examples of Abuse
Even though MOSIP has established Principles of Engagement for countries making use of it, there are no guarantees that these Principles will be followed by governments. For instance, although ‘inclusivity’ is the first principle mentioned in MOSIP’s documentation, there have been concerns regarding exclusion through language in Morocco’s implementation of MOSIP. The General Directorate of National Security announced a new generation of identity cards in 2020, but according to a draft law the card would include only Arabic – one of the two official languages of the country – and French – a foreign, non-constitutional language – leaving Tamazight – the second official language – behind. This goes directly against regulations aiming to gradually include Tamazight in Morocco’s public life and recommending the use of Tamazight, alongside Arabic, on national identity cards as well as other administrative documents.