A government investing in free and open source software, rather than in proprietary solutions, is always a wonderful thing (unless it’s a poor implementation…). When I heard about India’s DigiLocker project, which is built on ownCloud, I was excited to learn more and grateful when someone from ownCloud was able to connect me with the project team.
I emailed the questions to the project team and they sent me back one document, so the answers below are the work of:
- Debabrata Nayak, Project Director, DigiLocker
- Amit Ranjan, Product Architect, DigiLocker
- Amit Jain, Product Manager
- Amit Savant, Technology Product Manager
DigiLocker is an interesting project with a lot of potential, but I was also happy to learn about the Indian government’s other open source software plans, including a git repository. Imagine if every nation shared its code. Imagine what that would mean for the developing world. Heck. I’m American and I would love it if states shared code with each other. Do we really need at least 50 different DMV systems?
Obviously, a project like this throws up a lot of red flags, for me, as an American, in terms of privacy, because I live in a country with laws like this. But the project would work well in more privacy-mindful countries (there are some concerns about Aadhaar, India’s project to assign its citizens unique identification numbers—DigiLocker uses it for digital identity and e-sign/digital signatures; I feel hypocritical critiquing it as I live in a country where citizens are assigned Social Security numbers).
These complex issues aside, DigiLocker is a huge project and proof that free and open source software scales.
Can you briefly describe the DigiLocker project? What was its goal?
DigiLocker is a key initiative under Digital India, Government of India’s flagship program aimed at transforming India into a digitally empowered society and knowledge economy.
It is targeted at paperless governance. It is a platform to issue and verify certificates/documents digitally and thus eliminate the use of physical documents. Indian citizens who sign up for DigiLocker get free dedicated cloud storage space.
Organizations that are registered with DigiLocker can push digital copies of documents/certificates (e.g. driving license, educational certificates) directly into citizens’ lockers. Citizens can also upload scanned copies of their legacy documents into their accounts. Citizens can share these documents with other departments while availing their services.
How is DigiLocker connected to ownCloud? Is it built on ownCloud?
The Digital Locker ecosystem has three main components:
- Citizen Lockers: A dedicated storage space for registered users to upload and store their documents.
- Documents Repositories: These are document repositories of various issuers across India. DigiLocker connects to these repositories using a gateway. The documents from these repositories are made available in citizens’ lockers in the form of a link. These documents are referred to as Issued Documents.
- Gateway: The gateway connects to all issuer repositories using a standard set of APIs and provides a uniform access mechanism for other organizations and departments who want to access the documents stored in these repositories.
ownCloud is used to provide the Citizen Locker feature.
Why did you decide to go with ownCloud as a platform? Were you looking for a free and open source tool or was ownCloud just the best tool for the job?
For DigiLocker, we were looking for an enterprise scale open platform that is capable of leveraging upon other scalable technologies. This was critical for DigiLocker as we aimed at building a highly scalable product with minimal cost. We found that ownCloud readily provides a lot of features that we were looking for. It provides a variety of options from traditional file system to distributed file system for file storage. It provides a rich set of APIs for a variety of clients. More importantly, it was available in PHP which was a language of our choice. ownCloud being an open source platform was also an important reason for selecting it. DigiLocker is built completely on open source and open stack technology. We want to showcase that a national system like this can be built using open source technologies.
What has been the response to DigiLocker?
DigiLocker has over 2.5 million registered users within just over a year of its launch. Although, it’s much less [impressive] considering the population of India. We expect to see more users as we connect more departments to issue documents through DigiLocker. We see a lot of excitement in users to receive important documents in digital format, such as driver’s licenses, vehicle registrations and educational records.
What have been the security and privacy concerns about it?
Both security and privacy are important for DigiLocker as it stores personal and important citizen documents. The security is ensured with various measures:
- Standard practices: We follow standard software development practices of uniform coding standards, guidelines and reviews. We strictly follow Open Web Application Security Project (OWASP) security standards and guidelines. Every product release is reviewed and tested internally for security vulnerabilities before it is deployed.
- Application Security: We use standard practices and protocols such as 256-bit Secure Socket Layer encryption for information transmitted during any activity.
- ISO 27001 certified data center.
- Data redundancy: Data is backed-up in a secure environment with proper redundancy.
- Authentication-based sign-up: DigiLocker uses mobile or biometric authentication based sign-up via one-time password for authenticating users and allowing access to the platform.
- Timed log-out: To protect accounts from unauthorized access, our system is designed to terminate a session automatically if extended inactivity is detected.
- Security audit: The DigiLocker application has been security audited by a recognized audit agency and the application security audit certificate has been obtained and is free from the top 10 OWASP vulnerabilities. We carry out vulnerability and penetration testing before every release.
As for privacy, the data from the locker is shared only by the citizen’s explicit consent. All sharing and access activities are logged and conveyed to the users. Organizations that need access to citizens’ certificates need to register on DigiLocker and seek explicit consent from the citizen.
Are you looking at other places to implement free and open source software in government? In which areas?
Yes, we are. In fact, the Government of India released its open source policy in July 2015. The policy not only promotes the use of open source technologies in all government areas but also encourages releasing the source code of government applications under open source license in as many applications as possible. We are working on developing a GitHub-like platform to host the source code of government projects. Many of these will be available under open source license. This will promote the reuse of tools and technologies within the Indian government.
What other government applications do you see for ownCloud?
Various government departments provide documents/certificates to citizens through different services. Citizens apply for these services by providing proof of identity and proof of address. This is a standard practice all over the world. We feel that ownCloud can be used as a platform between citizens and the government to issue, verify and share the necessary documents and certificates. With proper identity and authentication mechanisms with ownCloud, governments can provide counterless/contactless services to citizens, just as DigiLocker is aiming to provide.