With the surge in online transactions last year due to the Covid-19 pandemic, the knee-jerk reaction has been to strengthen digital governance as well as make online transactions more secure.
Consequently, the government has included the implementation of the national digital identity (NDI) and digital signatures in the digital economy blueprint, MyDIGITAL, in a bid to increase the scope and quality of online services for a better user experience.
The government looks to implement the NDI as a trusted digital identification and verification for individuals, ensuring flexible and secure online transactions as well as reducing administrative costs while delivering more efficient services.
Complementing this is the acceleration of digital signatures across public online services. The initiative looks to enhance security and trust with a tamper-evident seal as unique as a person’s fingerprint. This will be permanently embedded in documents that are digitally signed. Both these initiatives are targeted to be completed by 2025.
David Lim, CEO and co-founder of Wise AI Sdn Bhd, applauds the government’s commitment to implementing the NDI. This, he says, will provide instant access to services from the comfort of one’s own home, even in suburban and rural areas. This initiative allows people to get bank loans approved or receive government incentives within minutes of applying, which would have a significant impact on financial and social inclusion.
According to studies, Lim says full NDI coverage could create an economic value equivalent to 6% of GDP in emerging economies in 2030. Thus, there is no doubt that digital IDs will serve as a powerful key to inclusive growth, unlocking many opportunities of economic gains for the people and institutions in Malaysia.
“NDI was never meant to replace MyKad, but to complement it, especially in the digital space. Hence, the focus should be on the onboarding of people and integrating the NDI with various services. These include financial services, e-commerce, education and government online services, as well as provide improvements in telecommunication coverage in both rural and urban areas to facilitate the implementation of NDI.”
Innov8tif Solutions Sdn Bhd chief operating officer Law Tien Soon says while he is happy to see NDIs being made a priority, he feels that a five-year timeline to full implementation is a little optimistic.
Firstly, there may be hurdles when rolling out NDIs, especially when weighing the opt-in convenience against the necessity of online government services in the initial rollout phase. “NDI is not just merely about creating a few integration interfaces for online queries and verification of personal records. Most likely, NDI will be a consent-based platform and there will be a one-time enrolment and identity proofing process to be carried out over the counter or self-service kiosk.
“The uptake of self-initiated NDI enrolment among the public is greatly dependent on necessity and convenience from the integrated online government services in its initial phase.”
He cites previous governmental digitisation initiatives such as the electronic tax filing (e-Filing) system that was introduced by the Inland Revenue Board (IRB) in 2004. The system was able to reduce the cycle time from the average of four days via the manual paper-based process to 15 minutes. Even though the convenience and efficiency aspects were promising, the adoption only grew from 5% of total taxpayers from 2006 to 15.3% in 2011.
“It was only in 2017, when the IRB made it mandatory for employers to submit the Return Form of an Employer (Form E) via e-Filing that it saw a 33.5% growth. This shows that the choice of online government services to embrace NDI in its initial rollout will determine the success of NDI adoption.”
Tien Soon adds that for NDIs to be useful for commercial use, personal data on the NDI platform has to be enriched by exchanging data between various government agencies and statutory bodies.
This includes assessed income, employer information, driver’s licence status, travel passport status, vehicle ownership, residential property ownership, retirement savings account balance, present residential address and company directorship information.
“While it is easy to list down the possible useful data items to be made available on the NDI platform, implementation will require an extensive and careful feasibility study and technical design. Not every government agency or data provider is presently at the same pace when it comes to enterprise system architecture and information system infrastructure readiness.”
Edward Law, CEO and executive director of Securemetric Bhd, believes that Malaysia has to play catch-up with regional peers who are aggressively rolling out their respective national digital ID programmes.
He adds that the NDI is the key pillar of trust to achieve a developed digital economy. “Just look at Singapore, where SingPass is widely rolled out. And in Indonesia, one of the licensed certificate authorities (CAs) has already issued more than 12 million verified digital IDs. The Thai and Vietnam governments are also pushing aggressively for digital IDs.”
“We need to put our plans into action fast. This initiative is definitely doable within five years but the government needs to make sure it will not end up as another white elephant. The next five years are very crucial for our country to digitally transform and become one of the leading countries in this region.”
Edward says public key infrastructure (PKI) is the back-end core engine for anyone who wishes to start issuing secured digital IDs. Thus, he believes that one of the key hurdles will be the question of who should issue the NDI. By right, Edwards says, the National Registration Department (NRD) should be the one to issue NDI as it controls the country’s MyKad database, but it is not a CA.
“To issue a digital ID, first, one must be established as a licensed CA under the Malaysian Communications and Multimedia Commission. If NRD decides not to become the CA, the only way to move forward is to work with the four licensed CAs in Malaysia (POS Digicert, MSC Trustgate, Telekom Applied Business and Raffcom). But then, what should the business model be?
“The challenge is always on how to lay a fair and transparent ecosystem that can give everyone access to a fair battle ground while achieving a strong economy of scale to bring down the cost to issue digital IDs.”
“Some countries that successfully rolled out their national scale digital ID such as Estonia and Sweden from Europe, and Indonesia and Singapore in Southeast Asia, share something in common: the digital IDs are either free or have a very low fee. I believe this is the key challenge our government needs to address with our NDI.”
Once the NDI has been established, implementing digital signatures is a natural complementing service. Wise AI’s Lim says one of the stumbling blocks in implementing digital signatures is the legal framework, but since the applications of digital signature are already governed by the Digital Signature Act 1997 and Electronic Commerce Act 2006 in Malaysia, it will reduce the hurdle to implement digital signatures.
“The other key parameter is the security of the system. Wise AI is developing a patented technology to ensure the security of the system. The system is developed to adhere to the standards of ISO15408 for information security.”
In fact, many are already signing digitally, Tien Soon points out, as it is the final step in the e-filing of income tax returns. Recognising the potential of digital signatures, he says since last year, Innov8tif has been collaborating with some of the recognised CAs for commercial use involving digital signing of legal-binding contracts.
“Malaysia already has a matured infrastructure surrounding the ecosystem of digital signature implementation. We just need a little push from the government for some low-hanging fruits and the digital signing trend will flourish,” says Tien Soon.
Securemetric’s Edward believes that NDI is crucial for the success of legally binding digital signatures. It also opens up connectivity to the MyKad database, which is the key for electronic know-your-customer (eKYC) to take off widely. With that in mind, he hopes there will be more support of local talent and a review of laws to make way for these initiatives.
“The government should look at some of the outdated policies and quickly amend it to be in line with MyDIGITAL’s development. Some laws to consider is the US’ eNotary Act, where some states allow notarisation to be done via video call, utilising eKYC and digital signatures.”
NDI rollout challenges
Given the fact that Malaysia has a well-established national registration database and a successful smartcard identity programme, MyKad, Lim believes the process of introducing the NDI will not be that complicated.
However, he adds that there are concerns it might expensive and time-consuming. “On top of setting the infrastructure for onboarding citizens and permanent residents, there is also a need for clear regulations and guidelines for processing the data of these people,” he says.
Another main concern from NDI users is data privacy, says Lim. The government, he adds, will need to develop a robust framework and guidelines to ensure the safety of data.
The NDI framework protects against phishing attacks, says Lim, so the authentication and signing outcomes are even more irrefutable. To this end, he says the NDI system’s security properties are superior to existing password and one-time key systems, including those with hardware generators. It will also be significantly less expensive to operate at scale over time.
Edward concurs. “In the digital world, our MyKad is no longer valid because no one is able to confirm you are who you claim to be unless it is done via an NDI. Whereas for digital signatures, if we implement it correctly, it is impossible to be compromised, at least with today’s computing power.”