Breaking the mould: Grosseto develops the OpenPortalGuard eID system

Joinup Admin
Published on: 12/03/2009 Last update: 15/10/2017 Document Archived

In 2003 the Italian Ministry of the Interior decided to launch a pilot project for the use of eID cards in Italy, and asked a contractor to develop the necessary software. The municipality of Grosseto was not satisfied with the resulting application, which had technical shortcomings as well as a restrictive license, and decided to develop its own system based on open source and open standards. In the process, Grosseto became part of an international network of public bodies working on open source eID solutions.


Introduction

In 2003, the Italian government decided to introduce electronic identity cards. Fifty-five municipalities took part in a pilot project. Today the number of participating towns has risen to about 100. The second phase of the “Carta d'Identità Elettronica” (CIE) project started in January 2006. Every newly issued ID card should now be handed out as an electronic ID (eID) card. Municipalities are in charge of issuing the cards and providing the related services. However, budget constraints, especially those of smaller municipalities, have so far hindered complete nationwide adoption of eID cards.

Grosseto is located in Italy's Tuscany region and has about 80.000 inhabitants. As in many smaller cities, the administration faces budget constraints. For the introduction of the eID cards in 2004 as part of the Carta d'Identità Elettronica project, the municipality at first relied on a technology provider, who was in charge of developing an access control system for the eID cards. This technology provider was selected by the Ministry of the Interior, which also holds the copyrights on any software developed for the different municipalities. Bud Bruegger, who came to Grosseto to work in the city's IT department, however, quickly realized that this was not the most efficient way to use the city's resources. He also doubted that the system would work as promised. This was the start of a journey that eventually led Grosseto to develop its own eID access control system, which offered more security and interoperability, while at the same time being less costly than that of the technology provider.


Organisation and political background

Municipality of Grosseto. © Attilios 2007. Released under GFDL

After the decision of Italy's Ministry of the Interior to introduce electronic ID cards in 2003, many municipalities were faced with the burden of having to properly set up and administer this new system. Initially there were 55 municipalities that participated in the first pilot phase of the Carta d'Identità Elettronica (CIE) project. The municipalities were in charge of issuing the cards and further administering the system, which a technology provider chosen by the Ministry would develop.
In 2006 the second phase of the CIE started, and the number of participating municipalities rose to about 100. At the beginning of the CIE project, there was very little knowledge about eID systems among the municipal authorities, and the technology providers were basically free to develop the system's software as they saw fit. After roughly a year and a half of watching the progress, Bud Bruegger at Grosseto's IT department became convinced that the software had technical shortcomings and would carry higher costs than necessary. Up to this point the IT department was only in charge of issuing the cards and offering the related services, while the technology provider was fully responsible for the access control system. This meant that if the department wanted to change anything and take over responsibility for the system, the contract with the technology provider had to be renegotiated.
Today, after having successfully developed an access control system, the municipality of Grosseto has restructured its IT department. Where most IT-related issues used to be handled by in-house staff, the company Netspring now performs those tasks. Netspring is owned by the municipality and the province of Grosseto, and functions as the IT support for the public service. The company was bought by the local government in mid-2008.


Budget and Funding

Quick Facts
Project name: Open Portal Guard
Sector: eGovernment
Start date: 2005
End date: Ongoing
Objectives: Interoperability, security
Target group: Government services, citizens
Scope: Local
Budget: About 50.000€
Funding: Local
Achievements: Development of a highly interoperable eID access control system using an Open Source approach

Many Italian municipalities face budgetary constraints and are reluctant to spend more money than is absolutely necessary. The municipalities were nonetheless obliged to issue the eID cards, just as they had issued the previous paper ID cards. For the initial project a budget of about € 400.000 was given to Grosseto for the eID cards and related hardware, as well as for the software to use them. Furthermore, an access point on the Internet had to be developed that would lead citizens and the administration to the right services offered (e.g. changing place of residence, filling out tax forms, or accessing the population register). Initially Grosseto had contracted a technology provider chosen by the Ministry, which developed an access control system for Grosseto and a few other communities. This company had a budget of about € 200.000. The contract with this company stated that the system itself would be free of charge once developed, but the Internet browser plug-in necessary for the authentication of users would be licensed to the municipalities to distribute to their citizens. This was a small but ultimately critical piece of the system, which would have made the municipality dependent on the technology provider. “This is something that is economically impossible for a local government” such as Grosseto, Bruegger explains. He further considered this an “indecent proposal”, as the high costs for the development of this access control mechanism would have risen further through a yearly licensing fee that the municipality would have had to pay for this plug-in.
For Bruegger it gradually became evident that developing its own access control system would save Grosseto money in the long run, while at the same time offering greater interoperability, the lack of which was one of the biggest shortcomings of the previous system. “We didn't have funds to put [into this project]. We had only human resources”, Bruegger says. After successfully renegotiating the contract with the technology provider, he focused on the project himself, dedicating nearly 100% of his working time to it. The expectation was that if Bruegger managed to develop a solution that would not only work better, but also be freely available in the future, the city could save substantial amounts of money. Pier Luigi Bonucci, who was then the head of Grosseto's IT and is now the technical director of Netspring, explains they “had a budget of about € 50.000 for the development of their own system”. The decision to develop the software in-house therefore brought substantial savings.


Technical issues

 

Pier Luigi Bonucci, Technical Director of Netspring. © Pier Luigi Bonucci 2009. Used by permission

 

At the early stage of the project, when the technology provider was still in charge, Bruegger and his team disliked some aspects of the proposed solution. However, because there was no in-house technical experience concerning eID technology, it was not possible for the team to really judge the solution and the contract between Grosseto and the technology provider. “When you don't know much about things, you cannot judge”, Bruegger explains; the know-how to see what is necessary and what is not was simply not there at the time.
One of the main problems was the proprietary licensing of the browser plug-in. Although the contract between the Ministry of the Interior and the technology providers stated that all software produced would become property of the Ministry after the pilot phase, the technology provider for Grosseto had managed to create one back door in the contract. The company found a way to keep the browser plug-in, a very small but essential piece of software, out of the contract. This software not only caused future costs to the municipality, but would work only on a single operating system, Microsoft Windows. As the municipality uses Open Source software in many aspects of its daily work – e.g. GNU/Linux on its servers, Mozilla Firefox as well as Open Office on workstations – Grosseto's IT staff were not comfortable with the idea of being bound to the use of proprietary software and the standards related to it.
Another problem that was soon discovered was related to the security protocol used for the authentication of users. Although the Secure Sockets Layer (SSL) protocol has become standard for providing security of data and user authentication on the Internet, the technology provider saw it as incompatible with the eID system used in the municipality of Grosseto, and decided to use another protocol. Since this protocol did not comply with the related standards, the access control system only worked with the cards issued in the municipality. Cards from other regions or even countries would not have been recognized.

Bruegger considered these flaws to be too great, given the relatively high price that the technology provider demanded for the solution. In particular, he was unwilling to accept the software's lack of interoperability, as he gradually found out how this aspect could be improved without a large budget or a whole team of developers.
With the help of the Open Source community and other municipalities he eventually managed to develop Grosseto's own eID access control system, called Open Portal Guard. Largely relying on existing systems that were made available through several platforms, such as Apache, Bruegger managed to include all the features that the previous system lacked. The access control system is now capable of reading eID cards from all of Italy as well as several other European countries, while providing all the functionality required by the Italian eID system. At the same time, using proven SSL standards made the software more secure and reliable.


Change management

Before being able to start working on its own access control system for the municipality of Grosseto, Bruegger had to solve one important problem: since the contract with the technology provider was already signed and work had begun, Grosseto had to renegotiate the terms. As Bruegger states, a “tough guy” was needed to eventually change the technology provider's assignment, and to give him the freedom to develop the access control system according to his own ideas.
To the municipality of Grosseto the use of Open Source software was nothing new. This meant that both management and users were already familiar not only with the software, but also with the Open Source approach. The choice of software was therefore not only made with a view towards reducing technology costs and improving security standards, but also with the perspective of interacting in a community and “giving back to the public”, explains Bruegger. He says that the “fertile ground” for Open Source was there, and the “town was ready to go Open Source” with regard to the access control system.
Obtaining know-how of the subject was perhaps the most important step in the transition away from the proprietary solution offered by the service provider towards an Open Source solution. Bruegger had to find his way in the Open Source ecosystem to get into the subject. As he had worked in Open Source projects before, such as Euspirit.org, and also holds a PhD in engineering, he was well acquainted with researching in an Open Source environment. “We got one part of the know-how from another municipality that was developing their own system […] and we got a hell of a lot know-how from the Open Source community”, he says. The communities of Apache and Mod-Python in particular, along with the Porvoo group - a forum for the discussion of good practice in eID - turned out to be the most valuable sources of information, as they offered a meeting point for people from all kinds of fields and discussions on eID systems.
After acquiring the know-how, the next step was to build a network of communities that faced the same problems and also wanted to develop a system better suited to not only national but international standards (see Cooperation with other public bodies below).
Participating in the community and gaining the expertise in the field eventually enabled Bruegger to get a clear image of what was necessary, and what was possible to develop from his side. For the development of the Open Portal Guard, these steps were essential, because they enabled him to avoid certain mistakes and to reuse the code others had successfully developed.


Effect on government services

Today, Open Portal Guard is seeing heavy use at the municipality of Grosseto. “We use it a very high volume”, Bruegger says. For the government services of the city, such as law enforcement and the national insurance, the Open Portal Guard offers a secure way of accessing the population register and other services in combination with the smart card and the reader. In total about twelve of the municipality's departments use the software on a daily basis. In contrast to the previous system, the Open Portal Guard allows cards from any nationality and service, and can also direct the card holder towards the appropriate service.
Citizens also make use of the system, but less frequently than the administration. Seeing that “you might change your address every five years and do your taxes every now and then, […] there's not a critical use for citizens”, says Bruegger. As the average citizen has relatively little to do with the municipality and its administrative system, the need for an eID system is simply not as urgent as it is for the administration of municipalities. The number of cardholders in the municipality nonetheless has reached 40.000 inhabitants. Bonucci says that because hardly anyone owns a card reader, “we have very very few people that use” the eID cards. “We are trying to communicate to the people to get readers”, but it is not easy to convince the citizens of the advantages of the eID system.
The “Porvoo group interoperability demonstrator, which is an important part of the access control system that works with the Belgian, Finnish, Estonian and Italian cards” ensures the compatibility of this system, Bruegger explains. The work together with other communities in the framework of the Porvoo group (see below) thus brought about a system applicable throughout Europe. In an environment where people increasingly move across borders, especially within Europe, this function is becoming ever more important. Bonucci also underlines the fact that it was their declared aim to develop software “that could be used by everyone, no matter what computer or system”, which was not possible under the previous proprietary system. This was also an important criterion, as the developers did not want to make the use of the software dependent on certain hardware or software settings.


Cooperation with other public bodies

Grosseto's Palazzo Aldobrandeschi. © Vinattieri Matteo 2007. Released under Creative Commons Attribuzione 1.0

After renegotiating the contract with the technology provider, Bruegger's main priority was to look for know-how and to participate in a community. As a starting point he thought of local governments close by, as these “naturally have good relations”. He made a list of possible cooperators who might be equally interested in developing a system on their own. He set up a mailing list that offered local governments and experts the chance to exchange ideas and suggestions. His aim was to pursue an “Open Source community building strategy to bring people together to solve common problems”, as he describes this early stage of the project. Especially at the beginning the mailing list was highly welcomed by most participants, and lively exchange took place. At the same time he also launched an association of local governments for open source software, which further expanded the network.
Bruegger eventually came to work more closely with the municipality of Trento, which is located in the north of Italy. Just like Grosseto, the municipality of Trento faced the problem of having a non-standardized authentication mechanism and was keen on developing its own system. The cooperation between the two municipalities became an important ingredient in the successful development of the software, as both had similar problems and goals. Nonetheless the team around Bruegger and Bonucci was also in close contact with other municipalities, such as Prato, which also gave highly valuable input to the discussions throughout the process.
At the same time, the team also looked around in the Open Source ecosystem to find what others had done and what components were already in use. The team came across a reverse proxy that was developed by a Belgian team of developers and released into the Apache community. The Belgian developers also faced the issue of interoperability, and were equally keen on developing a product that would meet their demands. With Bruegger's increasing involvement in the Porvoo Group, which serves as an important forum for eID related issues on a European level, this eventually led to the development of the Porvoo interoperability demonstrator. This protocol enabled the access control system to differentiate between nationalities, and to attribute the appropriate rights and identities to each card.
As for many aspects of the work of Bruegger and his team it was thus very important to be active in several networks. On the one hand the involvement in the Open Source community acted as a very important source for the creation of know-how. On the other hand, the cooperation with other communities helped in solving common problems, and supported the work by sharing their own developments.


Evaluation

Achievements / Lessons learned

Bud Bruegger, main developer of OpenPortalGuard.

For Bruegger the “Open Source philosophy is 'small is elegant is beautiful' and this is kind of an antithesis to what you find in most corporate IT today”. He is convinced that it is possible to achieve a lot if one interacts within a community that offers direct and quality advice. For the OpenPortalGuard project, actually developing the software was therefore not the most difficult and time-consuming part; rather, “the biggest problem was the know-how”, which the Grosseto team had to acquire. As most “local governments don't have the resources” to dedicate large parts of their budgets to projects like this, it becomes even more appropriate to start with an Open Source approach, which makes it possible to build on other people's work. It was therefore a key success factor for Bruegger to work with the Open Source community, as this allows projects with small financial resources to succeed. Without this possibility it would have been nearly impossible to acquire the know-how to develop a system on their own.
Another important aspect for the success of Open Source software projects like OpenPortalGuard is having a team that is familiar with the Open Source ecosystem. For someone who considers Open Source solutions solely as a means to cut costs without investing in the community, success is less likely in the eyes of Bruegger and Bonucci. In these terms Bonucci says proudly: “last year we were able to stop completely using proprietary office software, and we have about 500 PCs”. And he further adds “our servers are only Unix based already since 2002”. Such a “fertile ground”, as Bruegger puts it, is thus very helpful when starting a project with an Open Source approach. “You have to know what questions to ask, and you have to be willing to give back to the community”, he explains. Moreover there needs to be a management in the background that is willing to take sometimes tough decisions, and believes in the project. This clearly helped the development to quite some extent.
For Bonucci the only shortcoming of the project has been the relative inability to give the project more publicity. “We tried to make our system popular in a European context, but we didn't succeed as much as we would have liked”, he says. “We don't have the power to communicate on a larger level”. Nonetheless their efforts have not been in vain. Given that the Porvoo 12 forum was held in Grosseto in October 2007, one can certainly see that the municipality has acquired an important position in the development of eID related issues. As the Porvoo Group forums are an important event for the promotion and development of eID technology on an international level, this clearly demonstrates the municipality's dedication to the issue.

Conclusion

The Open Portal Guard project illustrates clearly how using an Open Source approach can not only save money, but also improve the functionality of software to a large extent. Especially when resources are scarce this is a way to find “small and beautiful” solutions, in Bruegger's words. It further underlines the idea that this approach makes a lot of sense for the public sector in particular: it can lower costs and improve services, and by releasing their own developments into the community, public bodies can create a situation that is mutually beneficial. The European context offers great opportunities for sharing work on such developments, with platforms such as OSOR facilitating cooperation.


Links

Open Portal Guard
Open Portal Guard profile OSOR.EU
Presentation of the Open Portal Guard by Bud Bruegger
Case Study on ePractice by Bud Bruegger: Development of a Multi-eID Access Control System
Porvoo 12 Summit in Grosseto
Municipality of Grosseto

This case study is brought to you by the Open Source Observatory and Repository (OSOR), a project of the European Commission's IDABC project.
Author: Gregor Bierhals, UNU-MERIT
This study is based on interviews with Bud Bruegger, main developer for the Open Portal Guard, and Pier Luigi Bonucci, Technical Director at Netspring. Moreover the case study “Development of a Multi-eID Access Control System – How to get out of Trouble with Open Source” and further material have been consulted. 


 

Categorisation

Type of document
Open source case study