Sanjay Dharwadker, Senior Consultant, WCC Group, Utrecht, the Netherlands
Paper for the Hague Colloquium on the Future of Legal Identity, April 20-24, 2015
This is a paper written from the experiences of having participated in a number of national identification (NID) programs in various parts of the world, especially India and Africa. Unlike research papers written with academic rigour and clearly identified sources of information, this one is perhaps an unstructured re-collection of memories and observations but that could have a bearing on current as well as future NID initiatives.
The paper is in two parts, the first dealing with observations drawn from actual NID programs, identifying its principal elements, and the second with recommendations on the way forward. As the title suggests, it concerns itself primarily with technologies, services and resources that are available today on the supply-side of the industry.
II A Glimpse of how it started
It was around Christmas of 1998 in Ahmedabad – not far from the Sabarmati Ashram, from where Gandhi once galvanized millions of people into mass action like the Dandi March, is the city’s road transport office. The administration had announced the previous week that henceforth the state’s drivers’ license would be a smart card1. A photograph of each applicant would be taken on the spot, and so would be the fingerprints. The chief minister himself would receive the first smart card drivers’ license in India – some said in the world – and for this, on that day, the office bore a festive look, complete with a marquee and a makeshift stage. Technicians were performing last-minute checks, and camera persons looking for vantage positions to get the best shot. Outside the gate, a motley crowd were protesting – that it was illegal and immoral to fingerprint non-criminals, it would increase the workload of an already overburdened staff, it was a conspiracy against the people, and that the deal reeked of corruption.
Inside the office building, a long queue had already formed for those eager to be the first to be issued this new symbol of modern India. At the state secretariat, the officials were frantic, faced with a touch-and-go situation. Someone had gone to court demanding a stay order. An electronic chip could never replace a paper document, the affidavit claimed. However quick-thinking state lawyers had already sought a caveat from the court, and almost at that last moment, an executive order was finally passed, but that still had to be gazetted before the new machines and systems could be legally switched on and the first smart card drivers’ license in India (or was it the world!) could be issued.
Of course, it all ended well, and that afternoon, a little bit of history was made – and India was on its way into the world of digital identity. Every sales person knows well and often dreads the “moment of truth” – when a customer finally weighs his options and decides to buy or not. Government sales are notoriously slow, but this one was perhaps destined to happen, and the turning point came about because of an almost unconnected issue. The usual annual tender for plain plastic cards was up for renewal, but the bids came in absurdly high. Obviously a cartel had been formed and the bidders were not relenting despite clear warnings. An incensed bureaucrat observed that at this price, he could have the latest technology of smart cards and biometrics for the citizens, and the rest as they say, was history.
But there were other critical steps to follow, among them a rather far-sighted move initiated by the then central government information technology mandarins2. What would happen if the various state governments went in for incompatible technologies, meaning a card issued in one state could not be read in another? A simple national standard was thus put in place. This did take away a bit of the excitement that ensues when technologies and solutions compete, but soon after, states followed one another – not only with drivers’ licenses, but also with programs for health and welfare. The standards also ensured that there was a level playing field – leading to the easy entry of new players, rapid roll-outs and reasonable prices. Also, many projects, right from the beginning were taken up on a public-private partnership basis, thus freeing the government from making substantial investments in the capital cost. Suppliers were enthusiastic, as India’s large population provided an almost infinite demand, and Indian citizens were delighted for once, to be ahead of their counterparts from the more developed countries.
Part 1 – Elements of ID systems and their supply side
III Mass Enrolment, functional applications & social concerns
In a few years, there were dozens of companies that could mobilise thousands of enrollment stations, manned by trained staff, for data entry, document scans as well as the digital capture of signatures, fingerprints, photographs and later, even iris images. Often these were mobile units, carried in battery-operated suitcases, set up for the day in a village school. This was often the first encounter that many individuals had of having an identity record created for them.
This technology was even adapted for the national rural drinking water program by having a smart card for each of the deep-well hand-pump for reliably recording its maintenance. In March 2000, when President Bill Clinton visited India, one of the developmental projects show-cased was a women’s dairy cooperative smart card3. The technology could be deployed to address challenges such as those of a remote village economy and more important perhaps – gender empowerment.
All this, no doubt made it possible for successive Indian governments and their constituent political parties to think of programs such as Aadhaar – of which perhaps the most crucial step was the enrollment of large numbers often under extremely challenging conditions.
The next step was more removed from the people themselves, and that really came to age under the Aadhaar program that has captured multiple biometrics – fingerprints and iris, of which the latter is more appropriate for children, and subjecting these to “one-to-many” checks, ensuring at least theoretically, that each person is registered only once. Subsequently, the identity of a registered individual can be more easily verified using “one-to-one” checks. As such this is an expensive technology to deploy and sustain, but almost a necessary evil for all identity programs. In India again, the principle of “standards” was applied and multiple biometric vendors deployed, thus drastically bringing down costs involved with biometric identification and verification.
While it is difficult to visualize an NID program today without biometrics, issues pertaining to it are further discussed below.
V Electronic Documents
There is no doubt that many NID programs today opt for electronic documents. Despite costing more, these are more secure, can carry and process information offline, and can be in the possession of the citizen herself and thus address vital privacy concerns. Moreover these are more difficult to defraud or counterfeit. Such electronic documents are also the subject of “industry standards” and thus it is not difficult to induct more than one supplier, thus once again using this strategy to control costs. However, the electronics, plastic, printing and personalisation as well as the security of ID documents have many interesting features. Like technology in general, these constantly evolve and need systematic evaluation before a final selection is made. Recently, probably Bangladesh has been the most sizable developing country to have opted for chip cards.
VI Business model & deployment process
As already stated, while in many cases, governments make the full capital investment for the equipment, services and consumables, at the other end of the spectrum, governments also opt for PPP business models. One option is where the contracting consortium also finances the capital costs, and charges on the basis of “per card” issued. Another option that is emerging into the mainstream is charging on a “per transaction” basis, but which requires significant numbers (or value) of transactions, and this could then be the debit, credit or a special type of payment card. This requires yet other players to be part of the delivery mechanism, and often even more technologies and processes to be in place and work together. Among the issues involved is commensurate revenue sharing, which is being addressed in different ways in various situations and contexts at the present. Such models however also lead to issues of ownership and propriety that are yet to be comprehensively addressed.
VII Impact of the Internet
Recent discussions4 have highlighted that the internet itself has become a repository of millions of identities. These transcend national borders. How this could be constructively used alongside NID programs is a matter perhaps still to be explored. However, if transactional models become prevalent, linkage to the internet identity repositories might become relevant, as identity related transactions could be performed in this space. With connectivity available more widely through a variety of devices (desktop / laptop, tablet and mobile phone) – the demand for NID programs to be linked to these, and hence common definitions and norms for identification, might emerge sooner rather than later.
VIII Mobile Phone – almost everyone has one
At a recent mobile phone industry congress5, there was a presentation about the potential in India for the mobile phone to be an instrument of identity-based transactions, which would of course include both payments as well as eGovernment services. The presentation highlighted the fact that the country now has approximately 850 Million Aadhaar-based enrollments and almost a similar number of mobile phone connections, thus making it the single largest such ecosystem.
Suppliers often remind governments that the mobile phone, in many parts of the world, has reached closer and is more accessible to citizens, than any other state mechanism. The limits that both have reached is more apparent in some African countries. A recent example brought this phenomenon to the fore when a national government sought to prohibit any new connections unless the applicant produced bona fide documents to prove his or her identity. When the situation was further evaluated it was found that the most prevalent form, and in some cases the only form of identity in the country was a mobile phone connection. In some sense, the mobile connection had become the de facto national identification, or at least symbolic of it.
This then brought home another related issue. Mobile Network Operators (MNOs) provide two types of connections: post-paid, which are often linked to other identification documents, banks accounts, employment particulars, home address etc. But the pre-paid accounts just about have very tenuous ID documentation, even despite legislation stating otherwise, and individuals hold such connections, almost in near anonymity, and today their number is in excess of Five Billion (GSMA report), most of them spread over the developing countries. Therefore, issues like this will need to be addressed if the mobile phone is to become any kind of a de jure instrument for individual identification as part of NID programs.
Currently Aadhaar issues paper-based cards with a 2D barcode that is the potential interface to an application, with biometric-based identity verification – say a fingerprint. Whether it is a real possibility that this can be done using mobile phones remains to be seen, or rather how and when it can be deployed for the entire population. This would, for example also be a function of the type and model of the mobile phone in the possession of the individual.
It may be noted that the SIM card in a mobile phone is precisely the same technology (smart card) as is the chip inside an electronic document, though both follow entirely different set of operating systems and protocols. However, the suppliers for both are often the same, and hence a supplier-driven interest in this.
Part 2 – What can be done to strengthen existing and new National ID initiatives
Unlike the nineties, when digital identity was new to almost every part of the world, we now have a mix of first-time programs as well as those that are now transiting into a second generation, which is good for hindsight, but equally a nightmare as millions of data need to be carried forward from one system to another. Some of the older systems had little control and quality checks on biometrics, images as well as architecture. A glaring example recently was a decade-old system, with about one million citizen records in which no trace could be found of the original fingerprint images, and only the templates had survived. Fortunately in this particular case, the situation could be saved, though not comprehensively, but it could lead to serious consequences, and could have happened due to a variety of reasons: bad architecture, negligent database administrators, willful destruction of data, or even a supplier malpractice to force continuity of business.
Biometric templates do not map back to the original images, and in effect are only a limited subset. In case more biometric details are ever required, as might be the case in coming years or decades (please see below) – millions of individuals might need to be reached once again to obtain fresh biometrics, an expensive as well as time-consuming exercise that might again introduce other types of errors.
Another nightmare is the existence of duplicates. While biometrics are deployed to ensure uniqueness of each individual identity, it does not happen so in real life, primarily due to two reasons – poor quality and /or threshold matching levels, and employee complicity in enrolling people, that results in two anomalies: a single individual enrolled twice on the basis of two different biometrics, and conversely two individuals enrolled on a single biometric. Newer systems and multi-biometrics of course, are more robust on these accounts however legacy systems need to be thoroughly checked, so that such anomalies do not carry-forward to newer systems.
IX Need for continuous Audit
All this calls for continuous or frequent-enough audit of the systems, operations and data. Further, a thorough audit is called for at the end-of-life of a system. Inter alia this should mandatorily address de-duplication, quality check of biometrics, check that biometrics are correctly linked to individual identities, and also check on the tuning of the biometric systems (see below) as this could have far-reaching impact on the identification and verification processes.
X Build the rules of citizenship
It also seems to be time to refurbish the architecture surrounding the citizen databases. For example, it should be able to hold essential citizenship rules that are usually dependent on a variety of factors such as the date of birth and place of birth (in case of jus soli based citizen definition) and the dates and places of birth of parents (in case of jus sanguinis). It should be possible to link this to the rules set out in the related constitutional acts, amendments and statutes. Similarly, systems should be able to link child with mother and father for the purpose of unabridged birth certificates. A verifiable record of address is also useful to have, especially in developing countries.
In many countries financial inclusion is becoming increasingly linked to the foundational NID programs, like the newly launched Jan Dhan program that is being linked to Aadhaar in India. For the purpose of transferring cash subsidies to beneficiaries, about 140 Million new bank accounts have been opened and there are already issues pertaining to identifying related family members.
For building in such capabilities, systems need to move beyond biometrics and also have capabilities for what is referred to in generic terms as demographic matching, and may include specific sub-systems for advanced name-matching among others, given cultural and local variations in most contexts. For performing periodic audits, it may also be useful to have a powerful tool-box for matching even a wider range of variations, such as place names, addresses, vocations, employment etc.
XI Constructive use of Profiles
In general, profiling has been a bad word. When the first digital identification programs were launched, it was common for many to remark – so the big brother has arrived! However, as its use has proliferated to addressing issues of poverty and welfare, it almost seems like it could also be the big sister (or mother) – thus taking on a nurturing role. A similar role can be imagined for profiling – to address additional needs based on gender, age, income and a host of other factors. This could definitely be built into the architecture of NID programs, of course after a careful thought to privacy as well as socio-cultural and other factors.
XII Need for Social Audit
Both foundational as well as functional NID programs need careful and continuous social audit. This should include inter alia a check on whether any gender bias exists in enrolment operations. Unfortunately this is still widespread, and in some programs, it has been found to be as adverse as only two females registered for every eight males. Personally, my first experience of widespread gender bias was in a national immunization program, where only three female infants were being regularly vaccinated for every seven male infants.
One way is to introduce some form of data analytics that is specifically designed to run with identity data. This can help track variations and trends, not only in gender, but also age, region, socio-economic groups as well as other factors. Besides maintaining the required vigil on data of this nature, it can also provide constructive inputs for welfare and developmental programs.
Such analytics has also been instrumental in tracing malpractice and fraud in existing NID systems, which seems to stem from two principal factors: exploiting a loophole that has been detected by the operating staff, and simple connivance, often between authorities and operational staff. While this could be isolated and infrequent the very possibility is a matter of concern.
XIII Limits of biometrics
While newer biometric modes like face and iris are coming into mainstream use, fingerprint remains the oldest, most trusted and widely used biometric in NID programs. However, the more recently implemented electronic Passport has been responsible for the popularity of facial recognition in recent years, as it was prescribed as the primary biometric under the ICAO (9303) standards.
Fingerprint pattern recognition at best is an empirical science. First, there are the limitations like false acceptance, rejection and failure to enrol, which are already discussed in another paper, and while percentages are small, the absolute numbers of individuals affected are now turning out to be substantial.
Adequate care is taken these days by capturing an entire set of “ten-prints” for each individual, so as to have adequate matching points. However, some practitioners fear that someday even these might not be adequate. The reasons for this rest on the very method of comparison, which as we know is based on the extraction of minutiae consisting of ridge endings and bifurcations. In criminal systems till date – if twelve such points match, it was adequate for the judge to pronounce the individual guilty, and as was symbolically stated – enough to send a person to the gallows. Recent re-examinations have revealed that on expanding the number of match points, this has been found to be false, albeit in a few isolated cases.
In current civil identification systems, where the “one-to-many” searches may be against hundreds of millions of prints, no one can say for sure, if the good old empirical assumptions still hold.
There is also the problem of threshold levels and over-mechanization. At the operational level, if the matching threshold (equivalent to the number of points required to be matched) is set too high, the fingerprint matching often becomes a bottleneck. An expedient way to overcome this is to lower the threshold, which does speed up the queues, but unfortunately at the cost of increased false matching.
Setting of low threshold levels resulting in perennial high rates of false matching has been reported in many NID programs (as well as police systems), and can be attributed to over-mechanization, without adequate supervisory control.
Also, sundry examples of misuse are alarming. In many cases identity records residing in government records are rarely visited by the citizen herself, restricted usually for reporting a birth, marriage or death, or perhaps for the issuance of a lost or expired document. Knowing this, individual records are often “misused” by officials in many ways. One common way is to use the identity records of unmarried females to fictitiously marry them off to foreigners, thus providing them a basis for legal entry to a country. This practice is prevalent in many countries in Africa. It is only if and when the female really wants to get married, that she discovers that in the home ministry records she is already “married”.
When fingerprint records are matched and processed using prints on paper, a typical example being an application for checking his or her police record it is possible to manipulate by the switching of paper records to get an assured “no-match”.
Surely these are extreme cases that come to knowledge when working for the industry, but it seems important enough to be aware of such possibilities and build adequate safeguards, that at least make it difficult. Also many such cases can be detected or prevented by having more comprehensive search and match techniques at hand for regular monitoring as well as audit.
XIV Specifications, Budgeting and the Procurement Process
In some sense, how good a national ID system is, largely depends on the technical specifications, budgets and the procurement process itself. A typical seller’s strategy is to enhance technical specifications, so as to maximize budgets. A process of standardization, like in India helps to keep costs at reasonable levels and at the same time ensure that essential functional requirements were met. In Africa, however the situation is different, consisting of a large number of different nations, each with its own set of priorities and aspirations. Thus it would be difficult to attain the same economies of scale as in India.
In these circumstances, it would be a good strategy to separate out the procurement of enrollment services, biometrics and document issuance. It can be reasonably expected that for the first part – the enrollment – the large capacities created in India would offer services at reasonable cost in various parts of Africa, though there would be issues of language and culture that would need to be overcome, as the enrollment process needs intensive interaction with the local people.
The biometrics would need to be offered differently, as the smaller nations would have simpler needs. The electronic documents issuance would best be done in larger units in third countries, rather than nations attempting to set up their own units.
As briefly alluded earlier – the PPP model has been successful in India. Usually a local investor (belonging to the particular state) would typically take up partnership with the international technology companies, a happy mix of the global and the local. Given the economic levels in parts of Africa, this might not be feasible, and many countries would be dependent on developmental funding, or else alternate business models such as is being currently implemented in Nigeria – that is tying in with the debit / credit card majors. On the face of it, it is a happy coalition – as national banks backed by the international card brands participate along with the national government. However, the economics and financing may vary quite fundamentally from country to country, depending on its economy and more directly to the retail spending, as it is this that will defray the NID project cost.
Yet another option will be to have mobile network operators in the consortium too. They say Africa has directly leapfrogged into the smartphone generation. If this is so, this could be an equally attractive option. However, this also gives rise to the spectre of both the state and the market being too close to “all the citizens – all the time”. What would be the end-result of this, can best be left to one’s imagination for now.
XV Transparency, sustainability and dynamism
In all this, it is best to not lose focus of the original objectives of an NID program – legal identification available to every citizen in order to assert his rights, obtain services and facilitate social objectives such as gender empowerment. A digital identification system as described in parts of this paper can best achieve the required level of transparency – both for the citizen as well as the state. Sustainability can best be achieved when it is tied in to the economic mainstream, and dynamism, by ensuring that the ecosystem remains in constant use.
Like in the previous decade, when the MDGs (especially relating to health) proved to be a catalyst and many health related issues were made part of mainstream NID programs, it is expected that the SDG relating to “Identity for All with birth registration” not only remains an ideal, but can be evolved into a set of working rules.
Each nation will need to have its own analysis on which to base its decisions of a sustainable NID. However such a working document might serve the purpose of enabling all to incorporate some of the globally accepted principles and practices.
This can then be followed by putting together the appropriate business model and the winning consortium that will carry it to the citizens, and finally, not forgetting the safeguards as described above: continuous audit, comprehensive interface with citizenship rules, stronger social audit, constructive use of profiles, and dependence as much on the text in the databases as the biometrics, so that identity search, match, identification and verification can be on a wider set of parameters, and thus closer to how humans recognize one another.
April 2015, Utrecht
I am especially grateful to my existing employer – the WCC Group, Utrecht, the Netherlands – to have given the permission and resources to participate in the colloquium. I am also grateful to erstwhile employers as well as clients, as some of the observations here are based on the experience gained while working with them. Care has been taken not to use confidential or copyrighted material.
1. Refers to the first Gujarat smart card driving license project (1999 – 2004)
2. Refers to the SCOSTA (Smart Card Operating System for Transport Applications) standardization undertaken by the Government under the aegis of the NIC (National Informatics Centre) in collaboration with the industry and the academia
3. Refers to the Rajasthan Dairy Women’s Cooperative Smart Card Project, funded by the USAID
4. Refers to discussions of the Oracle Identity Management Group, redwood Shores CA USA
5. A presentation by the GSMA group on personal identity during the Mobile World Congress, March 2015 at Barcelona