Modular Open Source Identity Platform

The Modular Open Source Identity Platform (MOSIP) helps Governments and other user organizations implement a digital, foundational identity system in a cost effective way.

Website: https://mosip.io/

Type of Digital Public Good

1. Is it relevant to one of the Sustainable Development Goals?

2. Does it use an appropriate open license?

Yes, this project is licensed under the following license(s):

3. Is ownership clearly defined?

Is the ownership of the project and everything that the project produces clearly defined and documented?

Yes

If yes - please link to the relevant copyright, trademarks, or ownership documentation for the project.

https://www.mosip.io/resource/ip-policy-trademark-and-copyright

4. Does the license of libraries/dependencies undermine the openness of the project?

Does this open project have mandatory dependencies (i.e. libraries, hardware) that create more restrictions than the original license?

Yes

If yes - are the open source components able to demonstrate independence from the closed component(s) and/or are there functional, open alternatives?

Yes

If yes - please describe how the open source components are independent and/or list the open alternatives for the closed component:

For every closed-source software or hardware component that MOSIP interacts with, MOSIP provides a standard interface for the interaction, either by using an existing open standard (for example, HSMs are accessed through the Java Cryptography Extension, JCE) or by defining its own interface that components must conform to (for example, the MOSIP biometric interfaces). Any component that conforms to the interface, open or closed, can be substituted for another.
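As an added illustration of the first pattern (example code, not MOSIP's own): a signer written against the JCE KeyStore and Signature APIs, where the only difference between a software key file and an HSM is how the KeyStore is obtained. The keystore file name, the PKCS#11 configuration file, the PIN, the alias and the algorithm are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;

/**
 * Added example: sign and verify through the JCE abstraction so that the
 * private key may live in a software PKCS#12 file (development) or inside
 * an HSM reached via the SunPKCS11 provider (production). Only the KeyStore
 * construction differs; sign()/verify() are identical in both cases.
 */
public final class JceSigner {
    private final PrivateKey key;
    private final X509Certificate cert;

    private JceSigner(PrivateKey key, X509Certificate cert) {
        this.key = key;
        this.cert = cert;
    }

    /** Software keystore: key material sits on disk, acceptable for dev/test only. */
    public static JceSigner fromPkcs12(String path, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return open(ks, alias, password);
    }

    /**
     * HSM keystore. The SunPKCS11 config file is an assumption for this example;
     * a minimal one (e.g. for SoftHSM2) looks like:
     *   name = MosipHsm
     *   library = /usr/lib/softhsm/libsofthsm2.so
     *   slot = 0
     * The PIN is passed as the "password"; no stream is loaded because the
     * keys stay inside the token.
     */
    public static JceSigner fromPkcs11(String pkcs11Config, char[] pin, String alias) throws Exception {
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            throw new IllegalStateException("SunPKCS11 provider not available in this JDK");
        }
        Provider hsm = base.configure(pkcs11Config);   // Java 9+ API
        Security.addProvider(hsm);
        KeyStore ks = KeyStore.getInstance("PKCS11", hsm);
        ks.load(null, pin);
        return open(ks, alias, pin);
    }

    private static JceSigner open(KeyStore ks, String alias, char[] pw) throws Exception {
        PrivateKey key = (PrivateKey) ks.getKey(alias, pw);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (key == null || cert == null) {
            throw new IllegalStateException("alias not found or has no key/certificate: " + alias);
        }
        return new JceSigner(key, cert);
    }

    /** Provider is chosen at initSign() time based on the key (delayed provider selection). */
    public byte[] sign(byte[] data) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    public boolean verify(byte[] data, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(cert);
        s.update(data);
        return s.verify(sig);
    }

    /** Usage: `java JceSigner hsm` uses the HSM path, anything else the PKCS#12 file. */
    public static void main(String[] args) throws Exception {
        boolean useHsm = args.length > 0 && args[0].equals("hsm");
        JceSigner signer = useHsm
            ? fromPkcs11("hsm.cfg", "1234".toCharArray(), "mosip-sign")
            : fromPkcs12("dev-keystore.p12", "changeit".toCharArray(), "mosip-sign");
        byte[] msg = "{\"id\":\"mosip.auth\"}".getBytes(StandardCharsets.UTF_8);   // constructed payload
        byte[] sig = signer.sign(msg);
        System.out.println("signature verifies: " + signer.verify(msg, sig));
    }
}
```

The check a practitioner wants here is that the HSM path really keeps the key inside the token: for a non-extractable PKCS#11 key, `key.getEncoded()` returns null, whereas the PKCS#12 path hands back the raw PKCS#8 bytes. Asserting that in a deployment test is an easy way to catch a misconfiguration that silently fell back to a software key.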

5. Is there documentation?

Does some documentation exist of the source code, use cases, and/or functional requirements. For software projects, this should be present as technical documentation that would allow a technical person unfamiliar with the project to launch and run the software. For data projects, this should be present as documentation that describes all the fields in the set, and provides context on how the data was collected and how it should be interpreted. For content, this should indicate any relevant compatible apps, software, hardware required to access the content and any instructions about how to use it.

Yes

If yes - please link to the relevant documentation:

  • docs.mosip.io

6. Is non PII data and/or content accessible?

Does this project collect or use non-personally identifiable information (non-PII) data and/or content?

Yes

If yes - describe the mechanism for extracting or importing non-personally identifiable information from the system in a non-proprietary format:

The project allows each deployment to define what data they collect. Some of these could be non-PII data.

7. Does the project adhere to privacy and other applicable international and domestic laws?

Has this project taken steps to ensure adherence with relevant privacy, domestic, and international laws? For example, the General Data Protection Regulation (GDPR) in the European Union or the Supplementary Act A/SA.1/01/10 on Personal Data Protection for the Economic Community of West African States (ECOWAS) (yes/no)

Yes

If yes, please list some of relevant laws that the project complies with:

  • GDPR

If yes, please describe the steps this project has taken to ensure adherence (include links to terms of service, privacy policy, or other relevant documentation):

  • MOSIP enables compliance with privacy laws through its security and privacy features; however, the owners of each deployment are responsible for complying with the legislation of their own jurisdiction.

8. Does the project adhere to standards and best practices?

Does this project support standards? (i.e. Web Content Accessibility Guidelines (WCAG) 2.1 or other standards such as those listed on W3C)

Yes

Which standards does this project support (please list)

  • OpenID Connect
  • JWT
  • ISO/IEC 19794-4:2011
  • ISO/IEC 19794-5:2011
  • ISO/IEC 19794-6:2011
  • ISO 8601
  • ISO/IEC 19785-3
  • OASIS patron format ISO/IEC JTC 1 SC 37
  • digital signatures, PKI and cryptography

Can you point to evidence of your support? (i.e. please link to your validator, open test suite, etc.)

Was this project built and developed according to or in adherence with any design, technical and/or sector best practices or principles? i.e. the Principles for Digital Development?

Yes

Which principles and best practices does this project support (please list)

  • ID for Development's 'Principles on Identification for Sustainable Development'
  • MOSIP has articulated a set of Principles for Engagement with Countries for implementing Good ID
  • MOSIP subscribes to a set of principles that form the core of its mission. The MOSIP philosophy is to provide a 'Good ID'; to that end MOSIP embraces a core set of design and architecture principles that allow the platform to offer best practices for a Good ID system. MOSIP is built on the following architecture principles:
    - MOSIP must follow a platform-based approach, so that all common features are abstracted as reusable components and frameworks in a common layer
    - MOSIP must follow an API-first approach and expose its business functions as RESTful services
    - MOSIP must not use proprietary or commercially licensed frameworks. Where deemed essential, such components must be encapsulated so that they can be replaced if necessary (to avoid vendor lock-in)
    - MOSIP must use open standards to expose its functionality (to avoid technology lock-in)
    - Each MOSIP component must be independently scalable (scale out) to meet varying load requirements
    - MOSIP must use commodity computing hardware and software to build the platform
    - Data must be encrypted in flight and at rest. All requests must be authenticated and authorized. Privacy of identity data is an absolute must in MOSIP
    - MOSIP must follow these manageability principles: auditability and monitorability of every event in the system, testability of every feature of the platform, and easy upgradability of the platform
    - MOSIP must follow the principle of zero knowledge, meaning that the services know nothing about the personally identifiable information (PII) stored
    - MOSIP components must be loosely coupled, so that they can be composed into an identity solution according to a country's requirements
    - MOSIP must support internationalisation (i18n)
    - All modules of MOSIP should be resilient, so that the solution as a whole is fault tolerant
    - The key sub-systems of MOSIP should be designed for extensibility. For example, if an external system has to be integrated for fingerprint data, it should be easy to do so

9. Does the project do no harm by design?

Has this project taken steps to anticipate, prevent and do no harm by design?

On the whole, does this project take steps to ensure that it anticipates, prevents and does no harm by design?

Yes

Is there any additional information you would like to share about the mechanisms, processes or policies that this project uses to avoid doing harm by design?

MOSIP has a set of guidelines it adheres to while working with a country who is willing to adopt MOSIP. These guidelines also typically form part of the MOUs we enter into. The principles of engagement can be found here: https://www.mosip.io/uploads/resources/5cc84b0a08284Country%20Engagement%20Principles_v2.pdf

9.a. Data Privacy & Security

Does this project collect or store personally identifiable information (PII) data and/or content?

Yes

If yes - please list the types of data and/or content collected and/or stored by the project:

  • MOSIP enables the collection of demographic and biographic information about the end user for the purpose of ascertaining and issuing a digital identity. The demographic fields collected depend on project needs and are configurable by the project owner; they typically include:
    - legal name
    - age
    - address, with additional fields collected as needed
  • Biometric information is collected for the purpose of ascertaining uniqueness and for authentication, depending on the country's policy:
    - fingerprint
    - face
    - iris
    Biometric data is captured once, during the enrollment process.

If yes - does this project share this data and/or content with third parties?

Yes

Please describe the circumstances with which this project shares data and/or content with third parties. Please add links as relevant.

  • With user consent, demographic data is shared for eKYC as credentials for a service. This happens within a governance framework in which the project owner mandates the policies for sharing eKYC data with service providers. Biometric information never leaves the system, except for facial images.

If yes - does the project ensure the privacy and security of this data and/or content and has it taken steps to prevent adverse impacts resulting from its collection, storage and distribution.

Yes

If yes - please describe the steps, and include a link to the privacy policy and/or terms of service:

Privacy and security practices are central to MOSIP. The project has taken extensive measures to secure data and has numerous existing and evolving features for privacy and data protection. MOSIP's technical approach to security and privacy is described at https://docs.mosip.io/platform/architecture/privacy-and-security.

9.b. Inappropriate & Illegal Content

Does this project collect, store or distribute content?

No

If yes - what kinds of content does this project collect, store or distribute? (i.e. children's books)

Not Applicable

If yes - does this project have policies that describe what is considered inappropriate content? (i.e. child sexual abuse materials)

Not Applicable

If yes - please link to the relevant policy/guidelines/documentation.

Not Applicable

If yes - does this project have mechanisms for detecting and moderating inappropriate/illegal content?

Not Applicable

If yes - please describe the mechanism for detecting, reporting and removing inappropriate/illegal content (Please include the average response time for assessment and/or action. Link to any policies or descriptions of how inappropriate content is handled):

Not Applicable

9.c. Protection from harassment

Does this project facilitate interactions with or between users or contributors?

No

If yes - does the project take steps to address the safety and security of underage users?

No

If yes - please describe the steps this project takes to address risk or prevent access by underage users:

Not Applicable

If yes - does the project help users and contributors protect themselves against grief, abuse, and harassment?

Yes

If yes - please describe the steps taken to help users protect themselves.

Development & deployment countries

List of countries this project was developed in.

  • India
  • Philippines

List of countries this project is actively deployed in.

  • Philippines
  • Guinea