Response to the Consultation Whitepaper on 'Strategy for National Open Digital Ecosystems (NODEs)'

by Rishab Bailey, Harleen Kaur, Faiza Rahman, and Renuka Sane.

The Ministry of Electronics and IT, Government of India (MeitY) had sought public comments on a Consultation Whitepaper (CW) titled a "Strategy for National Open Digital Ecosystems (NODEs)" earlier this year. NODEs are defined as:

open and secure delivery platforms, anchored by transparent governance mechanisms, which enable a community of partners to unlock solutions and thereby transform social outcomes.

The NODES framework will allow the opening up, and sharing of personal and non-personal data held in various sectors (such as healthcare, agriculture, and skills development). Each NODE will consist of infrastructure developed and operated by the government. The private sector will utilise the common infrastructure and data to provide solutions to the public. Per the CW, this will enable greater intra-government and public-private coordination and create efficiency gains. This framework will promote access to innovative e-governance and other services for citizens while enabling robust governance processes to be implemented.

We wrote a detailed response to MeitY. In our submission, we make suggestions on four key issues with the CW:

• Role of the state: The CW needs to demonstrate clarity on the need for government intervention on the scale proposed. The market failures that require State intervention must be identified on a sectoral basis.
• Centralisation of governance and technical systems: The CW envisages establishing monolithic, stack-based digital systems in a variety of sectors. The government would be responsible for establishing and operating the technology infrastructure as well as the governance of such systems. However, excessive centralisation can reduce competition, innovation, and produce unsecure systems.
• Alignment with the existing government policies: The CW needs to consider existing government policies on the adoption of open source software (OSS), open APIs and open standards. Further, the CW needs to account for existing open data and e-governance related initiatives in the identified sectors, and how these would interact with the NODEs framework.
• Preserving and protecting Constitutional norms: The CW needs to ensure the protection of fundamental rights, democratic accountability, and transparency in the creation and regulation of NODEs. Further, it also needs to account for the federal division of competencies enshrined in the Constitution.

This article summarises our comments and suggestions on the above mentioned issues.

Role of the State

The CW adopts a 'solutionist' approach, in that it does not undertake sufficient analysis of the circumstances and problems in each sector. For instance, the CW identifies two market failure in the skills sector: (i) information asymmetry amongst the stakeholders, and (ii) a lack of trust in the information that is available. It proposes a Talent (Skilling and Job) NODE as a one-stop solution to connect employers, job seekers, counsellors and skilling institutes. Instead of the approach undertaken by the CW, one should consider if private entities can or are already innovating to bridge the information asymmetry and trust issues in the sector, and what policies could provide an environment where such information asymmetry may be reduced. If the problem in the skills sector is a lack of trust, it is unclear why this cannot be solved by interventions such as certification standards.

As a general rule, the State should be involved with building technological systems only for essential state activities (Kelkar and Shah, 2019). It is therefore critical to differentiate between sectors where the State has a legitimate role (say in the provision of its welfare and statutory functions), from sectors where private sector solutions could suffice. For example, the State could have a role in providing access to Public Distribution System (PDS), but need not be a player in building a platform for access to rail reservations.

The responsible ministry should analyse if the NODE is serving welfare or other essential function of government. In case there is no such element, the government should not use its finances on creating infrastructure for such a NODE. Such an approach would promote innovation, prevent the emergence of a state-centric technological mono-culture, and allow the private sector to respond appropriately to requirements of any particular sector. Entities would not be forced to build on top of state-mandated infrastructure, which may not always be necessary or appropriate.

In the context of the NODEs framework, the State should primarily have three roles:

1. Open up data: The government must focus on building databases and providing access to the public, in a non-discriminatory manner. The benefits of enabling free flows of information are well known. That said, it is important to keep in mind the need to ensure non-discriminatory access to ensure data quality, and to prevent against privacy and other downstream harms. For instance, the Delhi government recently shared locations for COVID-19 relief centers on Google maps, thereby giving Google a competitive edge over other mapping solutions. We believe that an appropriate approach would involve the Delhi government making the relevant information open. This can be done by providing the geo-tagged locations on its open data governance website. Methods to embed this data in third-party apps and services could be provided to enable non-discriminatory access. Similarly, the benefits of opening up railways related data, which is currently monopolised by the IRCTC can enable the provision of customised travel solutions. Greater linkages could be formed with private players in the hospitality and tourism sectors, leading to mutual benefits to the railways as well as the private sector and consumers.
2. Implement regulatory frameworks: The government should institute regulatory processes and norms based on the need to protect and promote fundamental rights and correct market failures. Interventions must be designed to (a) promote effective competition and the maintenance of a level playing field, (b) avoid function creep, (c) protect and promote fundamental rights, (d) ensure appropriate apportioning of functions, obligations and responsibilities/liabilities.
3. Ensure democratic accountability: It is now well-established that "code is law" (Lessig, 1999). This makes it imperative for the government to establish systems of democratic accountability, transparency and openness in the creation and regulation of public digital systems. Transparency and accountability measures should be implemented both at the conceptualisation stage as well as thereafter. This should involve:

• An open and transparent consultation process in the design of the NODEs, similar to the the Report of the Financial Sector Legislative Reforms Commission recommendations for regulation making.

• A cost-benefit analysis that takes into account the economic costs and benefits of operationalising a NODE within a sector. This would also allow for suitable alternative approaches to be explored.

• Integration of principles of participatory and democratic governance into the implementation and operation phases. This would promote citizen-centric governance, particularly in the context of privatisation of regulatory functions. For example, the National Payments Corporation of India (NPCI) functions as a quasi-regulatory agency due to the scope of its powers, functions, and de-facto regulatory monopoly. However, being a private entity, it has not been brought under the purview of the Right to Information Act, 2005. This limits citizen engagement with governance processes.

• Mechanisms to enable allocation of responsibilities and coordination between government entities at different levels (local, state, and central). This is especially important when dealing with common issues (such as tagging of data sets, instituting grievance redress mechanisms, etc.) without usurping constitutional and statutory functions.

Centralisation of governance and technical systems

Enabling the government to pick technological winners and losers or enabling a technical monoculture would decrease innovation and competition. It is well-recognised that centralisation can lead to increased security concerns. One must also be wary of unintended consequences of even the best planned regulation in the technology space. Technology moves too fast and has multiple possible future use cases. Over-regulation or excessive centralisation could have negative effects on expected outcomes.

In cases where the government is required to create digital systems, these must be federated and decentralised to the extent possible. The creation of monolithic technical architectures, which are often de facto mandatory, must be avoided. For instance, the creation of a centralised identification system -Aadhaar- which was thereafter mandated for use across different sectors has caused various problems ranging from exclusions, intrusions into privacy rights of citizens and inhibiting innovation (i.e. such a system is preferred over other possible forms of identification that could suffice in any particular use-case). Implementing a centralised system of 'public infrastructure' may therefore not be necessary and may in fact reduce competition and civil liberties protections.

Instead, the focus of the government should be on enabling the private sector to develop relevant platforms and technologies that compete with one another on a level playing field, albeit with due consideration for regulatory, human rights and other problems that may arise in any given context. Such a system would also promote greater security. The use of federated databases, enabling the development of alternative technical solutions to be built on data, etc., would mean that problems associated with having a single source of truth or a single source of failure can be avoided.

Alignment with existing government policies

The CW proposes principles of open and interoperable delivery platforms. There are two concerns in the manner in which these are described in the CW.

1. The CW does not refer to existing government policies on the use of OSS in e-Governance projects. Various policies specifically deal with the issue at hand (for example, National Policy on IT, 2012, the policy on Adoption of Open Source Software for Government of India, and the policy on Open Standards for e-Governance).

2. The scope of the word 'open' as used in the CW is vague and appears to confuse concepts of "open access" and "open source". The CW suggests that each NODE will require a different degree of openness to adhere to specific objectives, context, or mitigate potential risks. This approach can dilute existing policies (mentioned above) that contain clear definitions and mandates on the use of open source solutions by the government.

It is imperative that the NODEs framework build on and strengthen existing government commitments towards the use of OSS solutions. This will unlock the benefits of OSS/Open APIs/open standards such as enhanced security and verifiability, no vendor lock-in, etc.

Preserving and promoting constitutional safeguards

The creation of NODEs platforms would significantly impact fundamental rights. We envisage three instances where the NODES environment needs to be careful about preserving constitutional safeguards.

1. Right to equality, right to life, and personal liberty: Digitisation at the scale contemplated by the CW may lead to concerns about access to services and possible exclusions therefrom. Ensuring rights protection may be particularly important in the context of the use of AI-based solutions and possible discrimination that may arise as a result. The understanding of what amounts to discrimination must be evolved by each NODE distinctly and will depend on the sector.

2. Right to privacy: Each of the NODEs will invariably result in the collection and processing of personal data and non-personal data by both government and private entities. The collection and use of personal data by different state entities must necessarily satisfy the tests laid down by the Supreme Court in the Puttaswamy decisions (2017 and 2018). Similarly, principles relating to the use of data by the private sector as laid down in the context of the Aadhaar judgment (Puttaswamy, 2018) must also be adhered to. Due regard must also be given to (the developing) regulatory frameworks concerning personal and non-personal data.

3. Federal structure: The NODEs framework must also consider the impact on the division of subject matter competencies under the Constitution. One could envisage benefits arising from NODEs in areas such as agriculture, judicial services, healthcare, etc. However, these sectors fall under the State List in the Seventh Schedule to the Constitution. Implementation of NODEs in these sectors should not result in de facto centralisation of federated competencies. Instead, mechanisms to ensure coordination and cooperation between different levels of government must be considered.

We, therefore, recommend that each NODE be backed by an appropriate statute, to the extent possible. This would ensure greater democratic deliberations, prevent excessive and arbitrary executive action, set out the rights of citizens and private entities, and clarify the scope/ limits of any particular project. Providing statutory backing would also limit mission creep, while delineating rights and obligations and governance processes. For instance, despite its various faults, the statutory mandate provided to the Unique Identification Authority of India and the restrictions on data sharing in the Aadhaar Act have proven invaluable in ensuring that biometric and other data is not made freely available for non-Aadhaar purposes by the public sector, including for instance, in criminal investigations. In contrast, projects such as FASTags (which aims to digitise highway toll systems) are being gradually expanded with plans to integrate the system with criminal tracking networks, amongst others.

Conclusion

The CW provides a basic overview of the concept of a NODE and identifies certain sectors in which such a system could lead to gains (such as the skills and health sectors). For various reasons outlined in our submission, our recommendation is to not proceed with implementing the NODEs framework in the manner currently outlined in the CW. We believe that the CW should be seen as an exploratory document. Greater clarity is required on the need for interventions on the scale envisaged in the document, particularly in view of the proposed centralised, stack-based approach. The NODEs framework should consider the need for openness at lower layers of the stack (infrastructural layers), adhere to existing government policies on the use of OSS, Open APIs and Open Standards, and consider policy developments concerning the regulation of personal and non-personal data. The CW should also ensure greater transparency and democratic accountability of governance frameworks and the processes for the creation of a NODE.

References

Bailey et al, 2020: Rishab Bailey, Vrinda Bhandari, Smriti Parsheera and Faiza Rahman, Comments on the draft Personal Data Protection Bill, 2019: Part I, LEAP blog, 2020.

Centre for Digital Built Britain, 2018: A Bolton, M Enzer, J Schooling et al, The Gemini Principles: Guiding values for the national digital twin and information management framework, Centre for Digital Built Britain and Digital Framework Task Group, 2018.

FICCI & KPMG, 2014: FICCI and KPMG, Skilling India: A look back at the progress, challenges and the way forward, 2014.

Kelkar and Shah, 2019: Vijay Kelkar and Ajay Shah, In service of the republic: The art and science of economic policy, Penguin Allen Lane, 2019.

Lessig, 1999: Lawrence Lessig, Code and other laws of cyberspace, Basic Books, 1999.

Puttaswamy, 2018: Justice K.S. Puttaswamy v. Union of India (Aadhaar case), 2019 (1) SCC 1.

Leblanc, 2020: David Leblanc, E-participation: A quick overview of recent qualitative trends, DESA Working Paper No. 163, United Nations Department of Economic and Social Affairs, 2020.

Michealson, 2017: Rosa Michealson, Is Agile the answer? The case of UK universal credit, in Grand Successes and Failures in IT - Public and Private Sector, IFIP Advances in Information and Communication Technology, Springer, 2017.

Ministry of Rural Development, 2013:Ajeevika skills guidelines, Ministry of Rural Development, Government of India, 2013.

Puttaswamy, 2017: Justice K.S. Puttaswamy v. Union of India (Right to privacy case), 2017 (10) SCC 1.

Raghavan and Singh, 2020: Malavika Raghavan and Anubhutie Singh, Building safe consumer data infrastructure in India: Account aggregators in the financial sector - Part I, Dvara Research, 2020.

Steinberg and Castro, 2017: Michael Steinberg and Daniel Castro, The state of open data portals in Latin America, Centre for Data Innovation, 2017.

Zambrano, Lohanto and Cedac, 2009: Raul Zambrano, Ken Lohanto and Pauline Cedac, E-governance and citizen participation in West Africa: Challenges and opportunities, The Panos Institute, West Africa and the United Nations Development Programme, 2009.

The authors are researchers at NIPFP.