Engaging MOSIP at IndiaOS

So IndiaOS happened last week, as a rather humble attempt to bring together the Indian Free and Open Source (FOSS) community together in one room and hopefully start a conversation. Among all the projects that presented their story (and there were many good ones), the most impactful and controversial was MOSIP (Modular Open Source Identity Platform), that is being created by the group that built India’s ambitious Aadhaar national ID.

Talks at the first IndiaOS, Jan 2020

MOSIP and Aadhaar

Aadhaar, the brain child of Nandan Nilekani, co-founder of a leading IT service company, has been hailed as a great success, but is not without its critics. The goal of such a project is to improve the efficiency of welfare services and also provide an easy way for low income groups and migrants to access welfare and other services that require identity verification.

Other than implementation issues (like security), the primary issue with Aadhaar is that it lacks oversight, and it enables elements in government to identify and possibly target political opponents and activists who can now be easily tracked across various systems. This has been compounded by the missionary zeal with which some of its proponents have pushed through the project, and trolled it’s opponents instead of meaningfully engaging with them.

The MOSIP project is independent of Aadhaar, but is created and managed by its architects, and backed by some big names like the Gates Foundation and Tata Trusts. This makes it very influential, not only for countries that seek to replicate India’s ID project like Morocco and Philippines, but also as a possible blueprint for continuing growth and improvement of Aadhaar itself. Having some insight into how large and complex projects are run, I have pretty sure this is inevitable.

From the context of IndiaOS, this was not only a body of former government technocrats saying we want to make this open, but it was an opportunity for engagement between the “establishment” and free spirited hackers who have often been a thorn in the establishment’s side and often times, and its targets too.

MOSIP at IndiaOS

Unfortunately at IndiaOS, the team at MOSIP decided not to talk about the project, its architecture or its short comings, but went into an evangelical (and commonly known) sermon on the benefits of having a national ID. Instead of talking about how to fix the primary issues, like lack of a consent mechanism or lack of privacy, the speaker started talking about identification by voice or DNA, which felt even more authoritarian and dystopian to the audience.

Participants immediately called out factual errors and there was a sudden outcry from participants on social media. The participants also questioned the open source credentials of MOSIP and its dependency on proprietary biometric modules. When this talk and its reaction happened, as organizers, we were naturally blamed for this.

So after the event, I decided to spend sometime to look at the MOSIP project on GitHub fresh and try and understand from first principles. What I found that the content of the talk did a huge disservice in projecting MOSIP at the event, and a significant amount of effort had infact gone into making MOSIP. The lack of social validation (GitHub stars) on the organization repositories could also mean that the source code has been made public very recently (maybe even in the aftermath of the event). Even then its a great achievement.

0 stars indicates that this could have been recently made public

Issue Tracker

I even raised some issues on its issue tracker, to start a more meaningful, beginner friendly engagement with the MOSIP team. Here is a summary:

1. Why do we need a “centralized” ID project? How does the project plan to minimize its abuse in the hands of authoritarian regimes? Issue #4
2. Does the project have a consent framework and how does it plan to deal with citizens who refuse consent or give partial consent. Issue #5
3. Does the project have an opt-out framework for citizens who want to give up their national ID? Issue #6
4. Can the system allow multiple IDs for a single person so the person can choose to enroll separately (like having multiple Credit Cards). Issue #7

These are just noob questions, but the goal is to start an engagement. I hope other community members will post harder ones. My friend at MOSIP tells me that the team will engage at the Issue Tracker and I hope to find meaningful discussions here. So feel free to fire away the questions!

The Positives

While the engagement between MOSIP and the FOSS community may not have started on the best terms, I think there are a lot of positives.

1. The decision to open source the MOSIP architecture and code shows serious intent by the creators of Aadhaar to engage the community.
2. By choosing to engage in a community forum like IndiaOS, MOSIP also signaled the intent to listen.
3. By facing the hard questions posted by the community, MOSIP has also got an instant feedback on what needs to improve if this engagement has to continue.

Now it is up to both sides to follow up on this engagement.

Engagement

To the FOSS community, I request people to raise hard questions on the issue tracker so we have a public record of the problems that we have from Aadhaar and similar projects. I would also request them to put the cultural issues aside and realize that we should not shut out the establishment either.

While MOSIP may not directly be linked with Aadhaar, and they will officially deny it, its deeper links are quite visible. If this becomes a broader engagement, the government of India at some point, can be pushed to implement Aadhaar using the MOSIP platform, as they have an explicit Open Source policy. This could be an important project for our democracy. It is important to engage and look to find a consensus without diluting the values of freedom and justice.

To MOSIP, I thank you for your presence at the IndiaOS event and your willingness to engage. As a FOSS contributor with more than 10 years of contributing, I would like to warn you that FOSS communities are brutally hard and critical, but also rewarding. Your choice of communication has given you a first feedback but don’t be disheartened. By openly and honestly engaging with the community you are likely to get great feedback on the project and also help citizens get a say in something that deeply affects the way they live.

While some of these problems have been debated (and settled) at the Supreme Court of India, as Apar Gupta said in his subsequent talk, this is where the engineers talk without the lawyers being in the room. Engineers and software architects have a great influence in how a particular policy decision gets implemented and its outcome and impact on people.

While it may amount to nothing if the establishment chooses to ignore the feedback (and it most probably will), the minor chance that it may actually result in a meaningful engagement is worth the effort. In worst case, the documentation it produces will be useful for any alternate systems we may choose to build in the future. I hope both sides choose to proceed cautiously and look at the broader issues here.

(Disclaimer: These are my personal views and not intended to be reflective of views of all the organizers of the IndiaOS event)

Addendums and Clarifications

I want to thank people who took the time to review and give feedback on this post and point out problematic aspects. There are a few clarifications I would like to issue based on this feedback.

1. I might have jumped the gun on publishing this as we had not officially sent a “closing note” on the conference. As a first time event organizer, this will be added to the list of things we will improve next time.
2. The earlier version of this post stated that there was an outcry for the talk from “activists” was incorrect and has been fixed and rephrased. My personal politics has been very much in favour of dissenters and activists (my Twitter feed is proof of it) and I believe that activists play an important role in taking society forward and keeping it honest. While it was used as a positive attribute, in this context it could be interpreted as an accusation, so I have fixed that now.

I realize engaging and organizing multiple FOSS communities is something I am still learning and happy to keep learning. I want to acknowledge the help of Kailash Nadh and Anivar Aravind in taking the time to patiently point these things out.