Bhutan stands up self-sovereign identity with a small team and smaller budget
Bhutan is amongst the poorest and least-developed countries in the world, ranked 134th out of 203 by the United Nations Development Programme. That may make it seem like an unlikely place to look for a digital ID system pioneering self-sovereign identity. But that is what Bhutan’s identity authority has developed.
Jacques Von Benecke, chief technology officer of Bhutan’s Druk Holding & Investments (DHI), which runs the National Digital Identity (NDI) agency, tells Biometric Update in an interview that the country started working on SSI only about 2 years ago. The national digital identity credential is served from a digital wallet produced by the agency, and launched with the enrollment of Bhutan’s crown prince in February.
A surge of interest in establishing digital identity and other digital public infrastructure among developing nations, and digital wallets and SSI in both the world’s rich and poorer nations all converge in the story of how tiny Bhutan leapfrogged most of the world to set up a cost-effective, decentralized digital ID with a small team amidst practical constraints.
What is Bhutan’s NDI?
The rollout of Bhutan’s digital wallet and ID are gradual and ongoing, but most major hurdles have now been passed, and the roadmap ahead is clear.
The digital wallet has five different levels of integration, Von Benecke explains. The first is a single sign-on function for government services. Second is the exchange of data through proof requests, and the issuance of verifiable credentials (VCs). The third is for complex proof requests like KYC (which uses 6 or 7 VCs), and the fourth is for cross-border uses. NDI is currently working with India’s Digi Yatra to allow boarding passes to be issued into Bhutan’s digital wallets. Finally, NDI has just begun planning an AI layer.
The wallet also includes a chat app, which runs on a decentralized model Von Benecke compares to WhatsApp. The SSI layer is currently being added to the chat function, he says. The chat function uses a peer-to-peer model, and starts with a phone scan to establish a relationship between the parties.
It also includes a digital signing platform, with the Digital Identity Act passed by Bhutan’s parliament in June establishing that those e-signatures are legally binding. Prior to the Act, the government held a centralized database with citizen’s data, but with its passage, the database is scheduled to be broken up, its information stripped out, with discrete data points transferred to specific ministries, which are barred from sharing it with other databases.
These many functions are still at various stages of testing, but the country intends to transition into the production app within the next few months, Von Benecke says.
For the KYC platform, Von Benecke says “It’s quite a significant amount of data items, and then the wallet will automatically reply to the proof process and you just have to go ‘yes, yes, no, no,’ whatever you want to do.”
Bhutan doesn’t have traditional POS machines, no tap-and-go, no Apple Pay. Since about 2018, direct payments have been available in Bhutan on the UPI framework, in another reflection of the country’s relationship with India. Bhutan’s digital wallet is integrated with the Bank of Bhutan, which has a 70 percent market share, so it can connect the payment directly to the user’s bank account.
“In your bank app when you’re in a shop you can scan a QR code and the money goes directly from your wallet to their wallet,” Von Benecke says.
Bhutan is also running another project with GLEIF to give a legal identifier to every company in the country.
“There’s only 1,300 so it’s not a huge thing,” Von Benecke says. “But it does mean that all companies and all humans will have a digital identity, which would be very significant for us.”
Bhutan’s digital ID uses a trust register which lists schemas and who can issue and verify credentials, which Von Benecke says is “a little bit different than other SSI platforms.”
In the case of a cancelled credential, a revocation agent updates the credential, rather than the relying party referring to a revocation registry.
Every time a credential is issued, a link with part of a secret and an ID of the credential is sent to an agent, which maintains the legality of the VCs in the wallet. The agent sends the status of the credential, invisible to user, back to the wallet.
If a driver’s license cancelled, for example, the department sends a notification to the agent, and the agent changes the status of the VC, which is held locally by the user. The sync-up and license cancellation occurs the next time the user connects to the revocation agent. In the meanwhile, the credential has a timestamp on its validation, which relying parties can use to decide if it’s trustworthy.
If the credential hasn’t been updated in multiple months, Von Benecke explains, the user is probably avoiding going online for some reason.
Most other systems applying SSI principles use a registry, Von Benecke says, citing cheqd and Polygon (which network NDI is shifting to from Sovrin) as examples. This is fine for them, he says, but because it assumes everyone is online all the time, it is not appropriate for Bhutan’s digital ID.
The structure of the system’s ownership and maintenance is also being carefully architected to support SSI, and ensure the independence that will be necessary to preserve it.
The NDI was created by the Digital Identity Act to take over the digital ID platform, and the Act provides the specifications for a digital ID regulator. NDI is owned by DHI, which Bhutan’s Department of Finance is the sole shareholder of. The government is funding NDI through next June, but has appointed an independent CEO and is establishing an independent board of directors.
“We’re actually an investment company,” Von Benecke says. “We’re the commercial arm of the government.”
The Act includes safeguards to prevent the government from influencing the company’s operations.
Once the digital governance framework is established, it will be codified into the platform, Von Benecke says. “We want to codify it, so that it’s never somebody’s opinion of whether we stick to the rules or not,” he explains.
“This platform is based on the SSI principles. We don’t store any data. There is no central repository in the entire platform. There are agents, and the agents have a database for what they record the information in to issue, like a driver’s license, or issue a passport. Each of those agents, decides then correspond to either a privately owned company or a bank or an airline, because we have a private airline, we have six private banks, and they’re also on the platform.”
Bhutan’s digital ID wallet does not phone home. It supports zero-knowledge proofs and selective disclosure, but also following a similar approach to data persistence as Europe’s GDPR, according to Von Benecke.
“We want to be able to say you can give consent to a human or an organization to be able to access the data that you share with them for a period of time,” he says. “And then automatically, after that period of time, they would get a notification from the platform saying the consent is at the end, so you either need to apply to get it renewed or the data has to be revoked.”
Users can request that their data be deleted, including by government. The latter choice comes with warnings that the government cannot deliver services to people it does not know exist.
“From that perspective it is very, very close to SSI; but the purist people will say it’s not SSI because we have a foundational ID that was issued by the government,” Von Benecke observes. Although this “technically is not correct, it was issued by the national digital identity company, which runs an agent which has access to the government database to get your biometrics.”
The role of biometrics
Biometrics, and specifically face biometrics, for now, play a major role in Bhutan’s national digital ID. When foundational ID issuance is carried out to create the wallet (first VC), facial recognition is used, and biometric authentication takes place every time the Bhutan wallet is opened. There is also a 4-digit PIN for 3-factor authentication.
The next release of the app may also do contactless fingerprints, Von Benecke says.
“We have the fingerprints of everybody in the country, and the facial scans,” he says. “We also have some irises, some palm veins, some finger veins; we’ve been testing a lot of modalities. The problem with the fingerprint ones is they’re very specific to the devices that we use, so we didn’t want to start off with that.”
Bhutan has heard a pitch from one company offering finger vein scans using Android-based phones (since infrared scanning on iPhones is closed off to developers). While NDI is considering all possibilities, it is moving gradually, and Von Benecke hedges his prediction for the introduction of another biometric modality.
“We’re playing around with that technology and hopefully with the next release around March-April next year will allow you to also pick fingerprints,” he says. “That way you’ll have the option to either use facial recognition or fingerprints.”
Bhutan offers about 11 different flavors of wallet, to cover scenarios like parents, and those among a “very small percentage” of the population without easy access to mobile devices.
The physical version includes a “biometric verifiable cryptograph,” which is printed on plastic. It includes the image of bearer and some biometrics in a salted QR code. The user can access the wallet on a device with a liveness test to temporarily move their wallet from the cloud to the device.
All of these capabilities were built in-house, Von Benecke says.
The largest version of a QR code in the publicly available library has three thousand characters, but “to do a biometric verification of somebody I only need about one and a half thousand for a black and white image,” Von Benecke explains. The other one thousand-plus can be used to store the person’s name and other data to question the bearer on.
Von Benecke recounts how NDI took a standard library and built its own reader that adds the encryption, as well as a viewer that decrypts the data. He wrote the code along with a developer on the team, to meet Bhutan’s budget constraints as a very small country.
One problem faced by NDI so far is that the biometrics enrolled were uploaded to the API as raw images, rather than templates. This makes the files too big for the system to handle, resulting in too many errors. The existing images will be templatized, however, so no re-enrollment is needed.
Another challenge has been getting Bhutanese people to pass the liveness check, because many users didn’t understand that they need to follow an on-screen circle with their gaze. NDI made a video to instruct people and put it in the app, and now liveness pass rates are much higher, Von Benecke says.
As the penetration rate increases, public engagement is key, so Bhutan NDI has its own YouTube channel to communicate with the populace. The agency had to train people to teach others, had to write an FAQ, and perhaps most challenging of all, had to teach Bhutan’s people what SSI is.
Usefulness is another key to the adoption plan. There are about 20 partners for level 1 of the wallet (the SSO capability), and 6 level 2 partners (for credential exchanges). The plan for the next release is to increase those partner numbers to 50 and 25, respectively.
“We wanted a set number of use cases that would really push adoption,” Von Benecke says.
He believes that by next March, all government services and most financial services in the country will be on the app.
At that point, all Bhutanese who buy things will use the app every day. Once a year most of the country’s workforce needs to complete a security clearance, for which they will use app. These are among the pillars of a 12-month take-up plan to reach near-universal adoption.
NDI is now starting to translate the app and its communications into all of Bhutan’s languages.
After that, Bhutan intends to share what it has developed with others.
“Ideally, ultimately at some point we’ll sell this platform to some extent to other countries,” Von Benecke reveals. “Not to make billions of dollars, but to help other countries get to that point.”
The technology developed by Bhutan could also help in areas beyond national ID. NDI has had conversations with international organizations about the possible use of its tech with zero-knowledge proofs to protect the privacy and data security of vulnerable people, such as in migration and humanitarian situations.
The most important consequence of Bhutan’s efforts may yet prove to be the example it has set of building a platform to meet practical needs, with the highest level of personal control and privacy protection possible, without the resources of the world’s richest countries or large tech firms.
“Hopefully it will help a lot of people to say, ’Hey, you know what, we’ve built this with about 8 technical people and 11 non-technical people, so it doesn’t take a whole army to get this thing off,’” Von Benecke says.