The Public Services Commission (PSC) is looking for a local firm to consult on the development of an API for a biometric authentication programme. This was revealed in the Government Gazette that was published on the 5th of March 2021.
As with anything that the government is doing, there is a set of requirements, and they are as follows:
- The Consulting firm must be a registered entity.
- Must be registered with the Procurement Regulatory Authority.
- Minimum of ten years’ experience in the business of ICT assessment.
- The Company should have qualified and experienced ICT Auditors.
- Knowledge of ICT Governance.
- An appreciation of Public Service Business Processes
Participation is open only to Zimbabweans, which is nice to see. After the news of US firm Synergy International getting a US$3 million tender to supply the Judicial Services Commission with a case management system, many were quite rightly incensed that the govt didn’t trial a local solution.
Now it looks like the doors are open for local software development firms to consult on what is a big project. I am guessing that some of you are wondering what a biometric authentication API is and why it is important.
The biometric authentication API
An API, or Application Programming Interface, is a computer interface that mediates interactions between a number of different software and/or hardware components. An everyday example of an API in use is when you search for the weather conditions on Google’s search engine.
Google isn’t in the business of tracking meteorological information, but it can present it to you through its affiliations with third-party services like weather.com.
Another example of this is when you are making an online payment at your favourite store. The payment (if done online) is usually processed using an API from a payment gateway, Paynow for example.
So, in this case, biometric authentication is a way of verifying an individual’s identity from their own physical characteristics. This can be done through fingerprint, facial recognition, voice and a number of other means.
Every time a user tries to access something that requires biometric authentication, the system compares them against reference data, that is, the data captured when the user was registered. An API for biometric authentication then allows the core software to be accessed from a number of other devices and/or physical locations. This is important because of…
Ghost workers…
The PSC is an arm of the Executive and its functions include the appointment of qualified and competent persons to hold posts in the Public Service. It is this department that has come under some scrutiny in the past for keeping (or being unable to detect) ghost workers on the govt’s wage bill.
Back in 2018, the govt announced the launch of a biometric registry to flush out double salaried and ghost workers.
“A time-lined raft of measures on that front will be announced soon, including an exercise in developing a biometric register of all civil servants on Government payroll which should eliminate leakages through ghost workers.”
President Mnangagwa (via Pindula)
Ghost workers have been a massive problem not only for the Zimbabwean government but for African governments in general. Back in 2018, the Mozambican government was able to rid itself of 30 000 ghost workers who cost the taxpayer US$250 million between 2015 and 2017.
In the same year, Cameroon was able to purge 28 000 ghost workers who had either died or left the country but were still on the govt’s payroll. How Cameroon and Mozambique did it is not clear, but we do know that a biometric registry works.
Just last year, according to a report by Bloomberg, the Zimbabwean government was able to remove 20 000 ghost workers through the biometric registry. The assumption is that the system is localised and restricted, so now the govt wants to build an API in order to increase the system’s flexibility. There is, however, one big problem…
Privacy
APIs carry some of the most sensitive information, from payment and card details to your physical location. This is bad enough, but when we look at a biometric registry or biometric authentication API, people’s physical data is being carried to and fro.
A study by the University of Michigan and Fordham Law School titled “APIs and Your Privacy” looked at the security of APIs employed by Netflix, Google Maps and Search, Tinder and ESPN. The report concluded that:
“While APIs are an inherent part of how the online ecosystem works, their privacy implications deserve closer scrutiny – for APIs made available to both developers and advertisers. Driven by exploitation of their APIs, companies like Facebook and Twitter have started to more-tightly control access to their APIs or limit what information is available through APIs.”
Closer to the point, The Daily Swig listed Insecure APIs as one of the common reasons for government data breaches.
Whatever consultations are held with the eventual winner of this tender need to include very strict security requirements for this biometric authentication API, because it is essentially a bridge that allows for the passage of information and, if it is not properly reinforced, civil servants’ biometric data could be at risk.
If you are one of the interested parties you can contact the PSC through the following channels:
- Tel: 263700881-4
- E-mail: procurement.unit@psc.org.zw
- Web site: www.psc.gov.zw