The Taiwan Banker

The advantages of a single source of truth for personal identification information can be enormous. In the modern world, governments must keep basic information on all of their citizens, and it makes sense for them to do so in a digital fashion; yet this convenience comes at great risk. Leaks of such information can follow people for the rest of their life, or at the extreme, even force them to change their identity. The privacy risks are grave enough as to warrant influence on the design of digital public infrastructure (DPI) from the very first stages. India’s DPI is emerging as a core element of its soft power. The Economist called India’s DPI its “digital belt and road initiative,” reflecting India’s new place in the world following China’s retreat since the pandemic. With the help of India’s Modular Open Source Identity Platform (MOSIP) created in cooperation with the International Institute of Information Technology in Bengaluru, developing countries are following India’s lead in DPI construction. (Although also used elsewhere, the term is most frequently connected with India.) Despite these successes, however India’s new model is not without its controversies and setbacks, some of which may even call into question the entire value of the initiative. In October, the US cybersecurity agency Resecurity claimed that a database containing personal data on Indian residents, including some 80 million Aadhaar numbers, had been available for sale on the darknet. India’s experience helps demonstrate that despite the clear benefits for inclusion, the details matter enormously when building such a sensitive system. An Indian concept of the nation Other countries in the “global South” have been attracted to India’s model, built around a variety of open APIs for public services, for a number of reasons. Government-provided payment rails can foster financial inclusion without relying on Silicon Valley giants with questionable records on privacy and fee margins. International organizations including the G20 have praised India’s digitalization push, and the United Payments Interface (UPI) has even elicited comparisons with the new FedNow system in the US. Besides commercial payments, digital welfare can help governments streamline anti-poverty programs. During the pandemic, some US$ 4.5 billion was transferred directly to aid recipients. The ability to link cash payments to personal ID numbers absolutely falls within the modern scope of national sovereignty. India’s overall plan consists of several layers, known as the “India stack.” Aadhaar (which is Hindi for ‘foundation’), a 12-digit identity number tied to various biometric and demographic data points, forms the bottom layer. Based on that foundation, UPI has become one of the world’s most widely used payments systems since it was introduced in 2016, in the context of a highly cash-dependent society. A third layer includes DigiLocker, which allows residents to upload and share files with the same legal validity as paper documents. Going forward, India also aims to provide open, de-identified research data, whether for business purposes or for public policy objectives like inclusion. The India Urban Data Exchange for smart city data has been operating since 2019, and now covers 36 cities. The more recently released Agricultural Data Exchange includes information such as crop yields and market data. Thus, DPI not only collects data from private activities, but also gives it back to the public. A variety of tradeoffs A somewhat coercive approach was used to drive the prodigious uptake of these systems. In 2016, Prime Minister Modi, who still holds power, announced the demonetization of older series of 500 and 1,000 rupee notes in an attempt to counter ‘black money’ in the economy, as well as to promote the new UPI system. The nation’s supreme court has heard several questions related to Aadhaar. In 2018, it struck down the government’s previous mandate to link bank accounts with the national ID system. According to the World Bank’s Global Financial Database, 35% of bank accounts in India were inactive in 2021, a markedly high amount indicating that many people set up accounts for purposes other than facilitation of transactions. In some places, the telecom infrastructure is insufficient to facilitate widespread usage. More recently, the UPI has encountered trade-offs with cybersecurity and fraud as a digitally naïve population encounters rapid technological shifts. UPI fraud made up almost half of online financial fraud from 2020 until mid-2023, according to a study by the non-profit startup Future Crime Research Foundation. One frequent channel for fraudulent activity involves fake apps which feign association with the UPI ecosystem. Recent reports indicate that the government will introduce a 4-hour cooling-off period for transactions over 2,000 rupees (NT$ 750) between accounts which have not previously transacted. This new restriction, the first of its kind on the network, will impact certain types of commerce; the threshold was specifically chosen in order to exceed the average bill for everyday shopping. It is important to remember the diverse variety of scams and corruption which previously existed in the cash-based economy. Some degree of criminality on fintech platforms may still indicate an improvement from the past, and digitalization may also make it easier to collect evidence when incidents do occur. Furthermore, overall usage and functionality of the UPI continue to grow. While these problems are not fundamental, they may be worthy of consideration. Centralized management, decentralized architecture A global view may be helpful to put both India’s national ambitions and the (moderate degree of) domestic opposition they have generated into context. One ready point of comparison which has also received much media attention over the years is Estonia’s e-government initiative, e-Estonia. Despite also providing a number of sensitive functions digitally, Estonia has not experienced the same degree of cyber vulnerability as India. Estonia’s success may be attributed to the decentralized architecture facilitated by X-Road, its data exchange layer, which is designed to ensure confidentiality and integrity using an API architecture, despite lacking a central data depository. No request goes to the underlying databases directly, reducing the possibility of compromise. Notably, Estonia has only aimed digitalize government services, without displacing private payments providers, which may reflect the more advanced Eastern European development environment more than philosophical differences. A more futuristic perspective is provided by a widely-circulated “d/acc” blog post written in November by Ethereum co-founder Vitalik Buterin. For some context, several schools of thought about the future of technology have emerged and contended since the recent explosion of LLMs. “Effective altruism” has taken a decidedly oppositional stance to AI, backing a pause in its development last year in order to give regulators a chance to catch up. This position gave rise to “effective accelerationism” or “e/acc” in response, asserting that the problems created by technology will be solved by more technology. The post stakes out a middle position between those two extremes. Vitalik’s unpronounceable glyph may refer to “defense, decentralization, democracy, and differential,” of which decentralization is most relevant for public schemes. In August, Buterin was personally presented a Gold Card by Digital Minister Audrey Tang. In addition to lamenting “the tendency of modern technology to route through centralized choke points,” Buterin also wrote about future technologies which could allow people to prove their reputation without revealing their identity or any other information about them. Zero-knowledge proofs, he wrote “are an excellent example of d/acc principles: they allow users and communities to verify trustworthiness without compromising privacy, and protect their security without relying on centralized choke points that impose their own definitions of who is good and bad.” Future iterations of digital identity schemes might consider integrating such features. More practically, the post also called for decentralized reputation management in order to warn users about scams. All these ideas may help inspire digital infrastructure with more robust construction. Once a given design principle is selected, it can sometimes be difficult to alter. India, an underdeveloped economy with the world’s largest population, has done an admirable job at developing its own national model. Other countries should carefully study both its successes and failures, alongside the growing number of alternative models available from different countries and technological platforms, in order to fully understand their privacy and security implications in the context of a quickly-changing technological landscape.