Increasing Trust By Protecting Personal Data

[I was a member of the team that created Aadhaar, and continue to stay involved in the creation and evangelisation of the India Stack. As a result, I take part in many conversations around personal identity data. I also believe that users must be able to control their data, and its use.

As a country, we are moving from a world of paper and registers to a new digital, online world. This is the right direction to go. But, issues around the use of personal identity data are beginning to grow, and it is time to consider ways to protect users, and to respect their trust. To this end, I thought that it would be worthwhile to use a simple use case – look at the essence of it, and explore these issues.]

Identity as a source of trust

To buy a SIM card, Ram provides an identity document. The agent copies this document. The telecom company keeps it as proof of KYC compliance. The company also creates a customer record and provides services to the customer. Ram follows a similar process for setting up many different types of relationships, for example, while banking or being employed.

Trusted identity information and verification form the basis for setting up these relationships.

Ram may also have to prove his identity while using services. For example, when operating a bank account, or when entering an airport.

A trustworthy verification process allows for smooth access to services and transactions.

Risks

But Ram risks misuse of his personal data in this process. Let’s look at these risks:

  1. The agent may keep an extra copy of his identity document.
  2. Someone may misuse his document to set up an account in his name without his knowledge.
  3. Someone may misuse his document to take over an existing relationship.
  4. Someone may steal his identity information from the company.
  5. Someone may be able to infer something about him from his behaviour across companies.

Identity theft, data leakage, and surveillance are not new risks, but they have become concerns with digitisation.

Mitigation

But digital systems also provide better ways to protect Ram and his data:

  1. Remove the need for an identity at all.
  2. Remove paper copies of the identity document – use a digital version, and protect it.
  3. Alert him on use of his identity.
  4. Use different identity documents to prevent linkage.
  5. Strengthen current laws, or make new ones to dissuade bad behaviour.
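
The following Python sketch is an added example, not part of the original post and not a description of how Aadhaar or any India Stack service works. It shows one way mitigations 3 and 4 can be realised digitally, assuming a hypothetical identity provider (`IdentityProvider`, with constructed identifiers and service names) that derives a different identifier per service with a keyed hash and records every verification so the user can be alerted.

```python
import hashlib
import hmac
import secrets


class IdentityProvider:
    """Hypothetical issuer of per-service identifiers (an assumption of this example)."""

    def __init__(self, key=None):
        # Secret known only to the provider; without it pseudonyms cannot be recomputed.
        self._key = key or secrets.token_bytes(32)
        self._use_log = {}  # master_id -> [(service, verified)]

    def pseudonym_for(self, master_id, service):
        # Length-prefix the service name so the (service, id) pair is encoded unambiguously.
        msg = f"{len(service)}:{service}:{master_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def verify(self, master_id, service, presented):
        expected = self.pseudonym_for(master_id, service)
        ok = hmac.compare_digest(expected, presented)
        # Mitigation 3: every use, successful or not, is recorded for the user.
        self._use_log.setdefault(master_id, []).append((service, ok))
        return ok

    def alerts_for(self, master_id):
        return list(self._use_log.get(master_id, []))


def demo():
    idp = IdentityProvider(key=b"\x01" * 32)  # fixed key so the run is repeatable
    people = ["RAM-0001", "SITA-0002"]        # constructed master identifiers

    # Same document number handed to both companies: their records join trivially.
    telecom_naive, bank_naive = set(people), set(people)

    # Mitigation 4: each company sees a different identifier for the same person.
    telecom = {idp.pseudonym_for(p, "telecom") for p in people}
    bank = {idp.pseudonym_for(p, "bank") for p in people}

    ram_telecom = idp.pseudonym_for("RAM-0001", "telecom")
    genuine = idp.verify("RAM-0001", "telecom", ram_telecom)
    # An identifier copied from the telecom's records does not verify at the bank.
    reused = idp.verify("RAM-0001", "bank", ram_telecom)

    return {
        "naive_overlap": len(telecom_naive & bank_naive),
        "pseudonym_overlap": len(telecom & bank),
        "genuine": genuine,
        "reused_elsewhere": reused,
        "alerts": idp.alerts_for("RAM-0001"),
    }


if __name__ == "__main__":
    print(demo())
```

The two companies cannot join their customer lists on the identifier, and the failed attempt at the bank appears in Ram's log next to his genuine use.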

Types of Data

Any conversation on the use of identity data would be incomplete without looking at the different types of data.

  • Basic identity attributes of a person. For example, name, address.
  • Transaction Data. For example, purchase transactions, banking transactions, phone calls.
  • Data Aggregates – Information based on a collection of data.
  • Behavioural Data – Inferences from transaction data, possibly from different types of transactions.

All conversations around data use, consent, risks, and protection must take into account these different data types.

Interactions as a source of trust

As Ram uses the service, his trust in the reliability of service goes up. At the same time, the service provider trusts Ram more, and may increase various limits, etc.

This is true in other types of relationships as well: employees who stay longer are trusted more.

Aggregated transactions and behavioural data also increase trust.

Role of consent

In many situations, there is no privacy policy; the user is not informed about the collection of data; and consent is not sought. In other situations where the user gives consent, it may not be well informed. Some examples include:

  • Overly broad consent
  • Click-accept agreements which are not read
  • Policies that may be modified without notification

The consent process needs to change. Users must know what to expect from a service provider, and be able to hold them accountable to meet these expectations.

Transparency as a source of trust

Certain services must be transparent to stakeholders and publish data. For instance, a company may publish salaries of top management to gain the trust of shareholders. Similarly, some public service providers may publish a list of services delivered with beneficiary details.

Questions

In this context, I would like to frame the following sets of questions:

  1. Trust originates from identity verification, and interactions. Forgery and misrepresentation erode this trust. How do we enable the trust, even in the presence of intermediaries? How do we make this trust bi-directional, so that the user knows more about the company that he / she is dealing with?
  2. Employee records, customer lists, etc. contain identity information. How can companies protect these against theft, leakage and misuse? How can users ensure that their data is not stolen?
  3. How can companies inform users about the use of their personal data, when asking for consent? How can users verify that the company is not doing anything different?
  4. How can public entities meet transparency requirements while being sensitive about personal data? How can users ensure that their data is not leaked? How can other stakeholders hold the service provider accountable with reduced data?

Looking forward to your answers and thoughts in the discussions below.

India Stack: Thoughts on Unleashing the Potential of Digital India

On December 1st 2016, in a much-awaited press conference, Mukesh Ambani, CMD of Reliance Industries, announced that Reliance Jio had crossed 50 million subscribers – a feat it had achieved in a mere 83 days. This made Jio the world’s fastest growing tech company, surpassing the likes of Facebook, WhatsApp, and Skype. This astonishing achievement was made possible by the strategy of rolling out e-KYC across all outlets in India, allowing SIM activation in under 5 minutes. 95% of activations were done using e-KYC, resulting in a staggering average rate of addition of 6 Lakh subscribers per day. I experienced this first-hand – I went through all required steps of identification, KYC, SIM card application and document signing – all in a couple of minutes, in a seamless, paperless, and secure way. I walked out of the Reliance Digital outlet with an elevated sense of excitement, being reassured of the promise of Digital India and the potentially unlimited opportunities as a developer on India Stack.

India Stack as a Platform

Before delving into the nitty-gritties of India Stack (refer to this comprehensive article for an introduction on this topic), it is important to take a step back and understand the platform architecture and the thought process behind the design. Basically, India Stack fits the broad structure of a “platform” because it provides the digital infrastructure to link consumers (a billion plus people) and producers (developers, ISVs, start-ups, enterprises & government). It also provides specifications for service providers to provide compliant services on top of the core APIs, which producers can use to create compelling digital solutions in their own domains. This is illustrated below:

A key manifestation is that the interactions, transactions, and data exchanged in this ecosystem will make India “data rich”, allowing data-driven decision making for scale and inclusion. Nandan explains this in his talk, in detail. This is illustrated below:

Image source: iSpirt

To give another perspective, India Stack has an “hourglass” platform architecture. At the waist of the hourglass is a minimal, simple set of open APIs which allows standardization and easier execution, while adhering to all necessary regulations. Above and below the waist are the ecosystem of services, devices, and applications. Unlike the traditional pipeline structures, this layered, unbundled approach allows for innovations to flourish across the ecosystem – each part can be conceived, experimented, planned, and executed in parallel. Pramod, chief architect of Aadhaar & India Stack, explains this in a simple way in his talk about India Stack. Nandan and Viral, in their book Rebooting India, explain how Aadhaar also fits this model. This model is illustrated below:

Image Source: iSpirt

An API platform alone cannot foster change. The “perfect storm” of innovation happens when digital infrastructure is supported by the government’s market-making policy and favourable regulation. This is what Swati covers as the framework required to foster experimentation and innovation in this excellent thought paper. To this end, the Digital India initiative, launched in July 2015 by the Government of India, has a 3-part vision:

  1. Delivering Digital Infrastructure as a Utility to every citizen
  2. Providing governance and services on demand
  3. Digital empowerment of citizens

More details of how this vision is being translated to action are available in this deck from the Department of Electronics and Information Technology (DEITY). Perhaps I am oversimplifying this massive undertaking, but basically, the Government of India is putting together several schemes under one umbrella, aligning ministries, putting a monitoring committee in place, setting aside budget for creating broadband infrastructure, enabling universal mobility access, re-engineering government processes using IT, and implementing digital technology-based service delivery across education, healthcare, agriculture, finance, justice, etc. To draw an analogy, a modern, digital expressway is being built as we speak. It is up to developers to meaningfully employ that infrastructure.

What does all this mean to you, as a developer?

Simply put, the conditions are ripe for you to create innovative digital solutions for the entire Indian economic pyramid – for a billion plus people across all domains. Where there were barriers a few years (or months) ago, bridges are being built; thought is meeting action. Disruption is imminent.

To give you a perspective, I have created a couple of aspirational use cases where the potential of India Stack is realized. These are illustrated below:

These use cases illustrate how different parts of the India Stack – like Aadhaar authentication, UPI, Digilocker, e-Sign, e-KYC and Consent Architecture – can be used to create compelling digital solutions for the common man. These are representative illustrations, but the possibilities are limitless.

What about Economics?

The question that may come immediately to one’s mind is – can we really build innovative, yet economically viable digital solutions for the Indian pyramid? To this end, I draw a lot of inspiration and ideas from CK Prahalad, especially his seminal book – Fortune at the Bottom of the Pyramid. I believe all the ideas are equally applicable in the digital age too.

Let me start by listing several myths around the Indian Pyramid (for the sake of this discussion, I use the term Bottom of Pyramid (BoP) to represent the middle and the bottom of the Indian economic pyramid, which constitutes more than 900M Indians, whose annual household income is less than 10 lakh):

  • The BoP are not our target consumers because with our current cost structures, we cannot profitably compete for that market.
  • The BoP cannot afford and have no use for digital products and services
  • Innovation is for the top of the pyramid. The BoP can use the previous generation of technology
  • The BoP is not important to the long-term viability of business.
  • Developers cannot be excited by the business challenges that have a humanitarian dimension
  • Cheaper technology and services mean cheaper quality

These myths typically stem from a lack of understanding of behaviours at the BoP. To mention a few facts, people at the BoP:

  • Often pay a higher price for some goods and services (especially credit)
  • Cannot afford differentiated products, but readily accept advanced technology
  • Are brand-conscious and price-conscious
  • Have well connected communities (word of mouth)
  • Collectively have purchasing power
  • Are always trying to upgrade from their existing condition

The Solution Approach for BoP

Every digital solution must meaningfully tie together Experience, Economics, and Technology. In this post, I want to set the focus on the economics (experience and technology deserve another post). The most important consideration for the BoP is that any digital solution should make technology and experience choices that maximize Price-Performance ratio. To understand this, let’s look at some examples of innovation at the BoP:

  1. The Jaipur prosthetic leg (case study in Prahalad’s book) cost only $40 while those in the west cost upwards of $8000. However, the design was meant to address the basic mobility needs (and dignity) of the poor who had lost their limbs – being effective enough to help them do their daily jobs while being highly affordable.
  2. If you walk to any Kiraana store in a village, you wouldn’t see shelves of large-packaged products. Instead, you would see chains of small sachets hanging from the ceiling covering every centimetre of space within the store. You would also notice that many sachets would be from familiar brands – like Clinic Plus (shampoo), Parachute (coconut oil). The innovation from the FMCG companies here (like HUL) lies in packaging, distribution and unit pricing of the products representing popular brands. While the 1-ml sachet may have a higher per-unit cost compared to the 250-ml bottle that you and I buy, it works perfectly well for a daily wage worker who cannot afford a full bottle. This model helps FMCG companies be profitable too.

The examples emphasize that cost-effective solutions built for the BoP are no less innovative. The question to ask before we build any digital solution for the BoP is – while being effective at addressing the need in each problem domain, does this have the best price-performance ratio? The solution might entail making specific design choices which are the best given the constraints – for example, it may use fewer CPU cores (so it works on cheaper smartphones), or may not assume 3G or a smartphone at all (so it works on USSD with a feature phone). Like in the case of Clinic Plus, the pricing unit could be devised in a way that the BoP can afford and consume the service effectively. Ramappa’s legal advisory “minutes” in the first aspirational use case we saw earlier in the post is a representative example.

Closing notes

  • Thanks to India Stack and the Digital India initiative, developers have an addressable customer base of 1 Billion+. There is tremendous opportunity for volume-based and profitable businesses leveraging digital technology.
  • Innovative solutions can help foster universal participation in the digital economy, boost participation in the formal sector, and thereby help GDP growth.
  • We have a great opportunity for creating meaningful solutions across all domains – healthcare, finance, and education, to mention a few.
  • We can now take constructive steps to make India cashless, presence-less, and paperless!

What do you think? Please feel free to share your thoughts and ideas.

References

  1. Official media release from Reliance Jio on December 1st
  2. Igniting Hundreds of Experiments – Swati Satpathy
  3. Digital India – Presentation from DeiTY
  4. Understanding the India Stack – by Pramod Varma
  5. Rebooting India – by Nandan Nilekani, Viral Shah (book)
  6. Pipelines, Platforms, and the New Rules of Strategy – HBR
  7. Nandan Nilekani – Keynote Address at Fintech For Next 400M
  8. The Bedrock of Digital India
  9. An alternative view of the future – Nandan Nilekani
  10. Fortune at the Bottom of the Pyramid – CK Prahalad (book)
  11. Presentation by Gopal & Sayan on CK Prahalad’s book

Credits

  1. Online legal services aspirational story – concept credit to Swaroop Karunakara and Satya Vikram
  2. Nikhil (iSpirt) and Sid (Exotel) for helping me with ideas and for feedback.

[Also published on LinkedIn]

India Stack – What, Why, How?

Before delving into each of the APIs, it is important to understand the “Why” aspects of India Stack. The blog entry titled “India Stack: Thoughts on unleashing the potential of Digital India” is the first in the series of blogs to address exactly that. This blog, at a high level, talks about:

  • The underlying architecture of the India Stack
  • A couple of illustrated examples of the impact of India Stack on various domains
  • Some thoughts on building economically viable digital solutions for the bottom of the Indian pyramid

This blog also has links to key videos and resources to help you get the essence of India Stack.

It is important to understand that Aadhaar, the foundation of the India Stack APIs, was envisioned to be more than just an identity solution. UIDAI has published a fantastic white paper titled “Aadhaar Enabled Service Delivery” (2012), explaining how Aadhaar (unique identity) can solve the problems of service delivery across various sectors and government functions. Efficient service delivery was one of the key tenets in the design of the India Stack.

Two videos, by Sanjay Jain and Pramod Varma respectively, give you a great introduction to India Stack:

  • Connecting India to Grow – Sanjay Jain
  • Understanding the India Stack – by Pramod Varma

Enhancing the Developer Experience

A world-class developer experience and ecosystem are required to unleash innovation across the developer community. The important aspect to realize is that India Stack represents an open ecosystem and is best served with contributions from the community.

The developer strategy to provide this experience can be summarized into the following streams:

Platform Evangelism & Outreach: To harness the collective creativity of the developer ecosystem, there should be a strong community, both online and offline. This can be fostered through meetups, hackathons, roundtables, AMA sessions, workshops, developer conferences and programs (like Student Ambassador program etc.).

Libraries, Forums and SDKs: To productively leverage a set of APIs, it is important to have SDKs and libraries available for a popular set of platforms like .NET, Java, Node.js, etc. Additionally, there should be a set of topic-based forums to post queries and get resolutions from community champions. Forums can also be a channel for feedback.

Quickstarts, References, Sample Apps and API documentation: Much like popular services like AWS, there needs to be simple-to-use documentation, representative examples (simple apps which cover a majority of API usage scenarios) and other easy to use code samples (quickstarts).

To this end, OpenForge is a great government initiative to house such collaborative efforts. Today, many such samples and projects are already housed there and developers can use the source control, wikis and other resources that are already built in.

Developer Sandboxes: To test out solutions and apps, it is important to provide access to sandboxes which developers can easily use. Cloud-based sandboxes and access credentials will be provided through a closed group of partners. IndiaStack.org has listed several sandboxes for different sets of APIs (eMudra, Khosla labs, etc).

One stop shop – IndiaStack.org: To tie all of these together, a modern, responsive portal is required and IndiaStack.org does just that.

It is important to understand that developer community involvement is central to this – a constant stream of contributions from the community would make this strategy successful. It is therefore a call to action for the developers to actively engage and contribute to each of the streams above.

If you would like to learn more about each of the India Stack APIs, you may go through the following pages:

Aadhaar Authentication: https://indiastack.org/aadhaar/

eKYC: https://indiastack.org/ekyc/

eSign: https://indiastack.org/esign/

Digital Locker: https://indiastack.org/digilocker/

UPI: https://indiastack.org/upi/