internet Research Lab logo

Privacy and security in digital public infrastructures

5 December 2024

With the support of the Digital Infrastructures Insights Fund, the internet Research Lab is excited to announce its new project to study privacy and security in digital public infrastructures in India.

The Indian government has widely deployed a set of technological solutions that citizens are de facto required to use to access essential public and private services. Promoted as “Digital Public Infrastructures” (DPIs), these infrastructures digitally mediate a number of day-to-day interactions that citizens have with governments and businesses, including identification, payments, credential management, e-commerce, welfare distribution, healthcare, and banking.

While DPIs are a global phenomenon, India has spearheaded the deployment of infrastructures and even boasts of foreign policy structured around its promotion. At the G20 in India in 2023, world leaders adopted a framework for “Systems of DPI” while stating that DPIs are “safe, secure, trusted, accountable, and inclusive.” While such assertions make for good sound bites, the underlying substantive claims have not been rigorously tested in the Indian context. 

Contrary to what the ‘public’ in ‘digital public infrastructure’ might suggest, many parts of DPIs in India are in reality governed by opaque public-private partnerships or outright for-profit companies. While marketed as facilitating an “open” ecosystem, many DPIs are not free or open source.

For instance, Digi Yatra – a facial recognition system to enable entry into airports – is, in theory, an initiative launched and led by the Ministry of Civil Aviation in the Government of India. In practice, its operations are governed by a non-profit foundation. When simple questions about the system were directed to the Ministry, it rejected them citing the fact that the non-profit foundation does not come under the purview of governmental transparency legislation. Developed by a separate for-profit tech company that has since been accused of siphoning public funds, none of Digi Yatra’s source code is available to the public.

Including and beyond Digi Yatra, DPIs in India operate on and store private data of nearly all residents with little transparency or oversight.

This dearth of oversight has resulted in numerous data breaches and security vulnerabilities in many DPIs, such as Aadhaar, a biometric identification that is practically required for most citizen interactions with the government – from filing income taxes to availing social welfare.

Imagined by technocrats and developed by private companies, Indian DPIs have rarely taken a privacy-respecting approach, generally storing and processing more private user data than is necessary to provide functionality. With many systems now inter-linked because of government policy, privacy researchers in academia and civil society have sounded the alarm on the potential surveillance enabled by DPIs in India.

Indians are also being increasingly coerced into using DPIs – sometimes by the government making them mandatory for many basic interactions and access public to services, sometimes by flouting basic principles of privacy. Airport security staff have been found signing up flyers to Digi Yatra without their consent. Many Indians who registered to get their Covid-19 vaccine shot were automatically signed up for a national “Health ID.” Ditto for anyone who availed a government health insurance scheme. As of 2022, at least three quarters of these “voluntary” Health IDs were generated from these two databases alone. With “Aadhaar-linked birth registration” now active in most states in India, enrolment to the identification program in India now begins at age zero.

Worryingly, many other countries are unwittingly – or worse, on purpose – adopting the ‘DPI model’, aping shortcomings of Indian deployments into their own. The Aadhaar program’s design has already informed numerous digital identity systems in Africa. India recently announced the creation of a global repository for DPI and a social impact fund to accelerate development and deployment of DPIs in the Global Majority. India also led the creation of modular platforms for other countries to adapt, including those for digital identity, payments and welfare distribution. Thirteen countries are currently deploying such systems while pilots are underway in at least seven. India has entered into agreements relating to payment infrastructure with at least twelve countries.

The damage needs to be contained, both in India and outside it.

To inform public, policymakers, researchers and civil society organizations around the world of the risks of DPIs, we will be undertaking a systematic analysis of how “open”, “secure” and “accountable” Indian DPIs really are. Our research project will audit the data collection practices of DPIs to document what entities operate these infrastructures, the data (and metadata) visible to them, and parties the data is shared with. It will also explore how slices of information from disparate applications are already being or can be combined to create a surveillance apparatus. 

If you would like to know more or explore collaborations, please reach out to us at [email protected]

This blogpost was written by Divyank Katira, Gurshabad Grover and Anunay Kulshrestha. It also appeared in the Internet Exchange newsletter on 5 December 2024.