Understanding of what #SafeDPI is, how to achieve it creeps forward

If a government spends millions of dollars on an identity system or any other kind of digital public infrastructure that does not deliver its intended benefits, it can be dangerous, for both the ID or DPI and the government itself.

The UN’s “Universal Digital Public Infrastructure (DPI) Safeguards Framework,” stewarded in part by the UNDP, sets out guidance for building what the organization calls #SafeDPI for individuals, businesses and public sector agencies.

A plenary session during ID4Africa 2025 featured two panel discussions of ways to ensure that DPI is safe for everyone, moderated by UNDP e-Gov Senior Advisor & Technologist Chahine Hamila.

The common vision for digital public goods (DPGs), Hamila says, is of open, scalable, free technologies with no license fee that are reusable, interoperable and under sovereign control.

He reviewed why governments and development donors see DPGs as valuable.

But the high expectations for DPGs sometimes allow myths to enter popular thinking. Open source software is based on code that comes free, but building and managing something with it takes major resources.

Hamila provides a breakdown of costs for a five-year sample open source project for a “small to mid-sized country,” showing a total cost of ownership anywhere between $21.5 million and $45.5 million.

The legal freedom of open source licenses can be overestimated too. “Open source” means a few different things, and the details matter.

The security of open source software can also easily be overestimated, Hamila explains. Transparency can help improve cybersecurity robustness, but if it is a malicious actor, rather than a benevolent developer who spots a bug, the result could be a zero day vulnerability. Govtech projects tend to struggle to build communities of contributing developers.

“The point is not just whether it’s a DPG or not, the point is how you take those bricks, those pillars, and build your DPI,” Hamila summarizes.

Well-built DPIs can stimulate innovation ecosystems, which can then create more DPGs. But Hamila’s presentation highlighted how poorly built DPIs can take on the dangers of ballooning costs, legal entanglements and data breaches.

One of the key ways to avoid these dangers is through the use of standards.

Anita Mittal, lead for the Digital Convergence Initiative, Global Alliances for Social Protection, GIZ, described one model for building a standard after building a community consensus.

Stephanie De Labriolle, ED of the Secure Identity Alliance (SIA) and OSIA talked about how OSIA was formed specifically to address the need to ensure interoperability between digital identity technologies from different vendors, and its journey with the ITU.

World Bank Senior Digital Development Specialist Christopher Tullis urged governments to specify the outcomes they want in RFPs, rather than specifying the technology to use. In the same way, the World Bank itself does not promote any specific solution, he says, referring specifically to a perception raised that it encourages MOSIP adoption.

“There’s not really a credible open-source version of an ABIS that can do population scale de-duplication,” he says, as an example of the practical limits of how far governments can go with open-source technology. “There are open-source biometric matchers for one-to-one use cases but if you’ve got 100 million people,” proprietary technology will be necessary. But MOSIP projects all integrate with ABISs.

“The answer is almost never this or that,” Tullis says.

“It’s not DPG versus vendors,” Hamila said, echoing the point.

De Labriolle expressed hope that MOSIP will implement OSIA, noting “it’s a bit silly to have to develop APIs of an API for an integrator.”

The importance of testing based on the implemented standards for keeping DPI safe and effective was emphasized by OpenID Foundation ED Gail Hodges.

Regulators also have an important role to play in keeping DPI projects safe from the risks raised by Hamila, Mifos Initiative VP of DPI Go-to-Market Godfrey Kutumela note. And for that role to be played properly, everyone has to “speak the same language.”

The potential hazards that await DPI projects were highlighted in Margins ID Group ED of Software Development & Systems Integration Andrew Asamoah’s description of the rollout of Ghana’s ID cards. The first attempt was disastrous, with only about 900,000 Ghana Cards printed our of the hoped-for 4 million, at a cost of many millions of dollars.

But a new model of public private partnership, Asamoah says, allowed Margins Group and the government to split the financial risk, and changed the national ID authority from a costly organization to a revenue-generating one. During the first year of issuance under the new system, Ghana has distributed 15.7 million cards, he says.

Another example of a second round of issuance saving a project from initial rollout problems is the Philippines. MOSIP CTO Ramesh Narayanan described how the country turned to the ePhilID to get around delays in physical ID card issuance keeping people from digital service access. This example highlights the importance of public sector teams having the capacity to know what they need. For the Philippines, Narayanan says, this capacity was built up at least in part through experience with the development sandbox it set up to experiment in.

Capacity building was also the goal of the final session of the plenary session, which presented the winning entries of the African Digital Identity Hackathon.

Even if ID cards are in people’s pockets, there is no guarantee they are serving as a piece of the country’s DPI.

iDAKTO CSO and Identity Expert Yann Bouan recounted how Morocco for years had ICAO-compliant contactless ID cards with fingerprint biometric matching on-card, but it was rarely used. iDAKTO worked with the country to utilize standards like OpenID Connect to make the card useful for digital identity to access government services.

The session closed with consensus that with the right governance framework, regulations and standards in place, digital identity technologies can be an example of #SafeDPI, whether they are open-source or proprietary.

Article Topics

digital ID  |  digital public goods  |  digital public infrastructure  |  DPI Safeguards Framework  |  ID4Africa 2025  |  OSIA (Open Standards Identity API)  |  safeDPI  |  UNDP