Studying Digital Public Infrastructures
This week I attended the AWID Forum in Bangkok. It was a truly memorable moment to commune with 4000 feminists as 2024 comes to a close. I was there to support APC's Women's Rights Programme, in particular as a digital security expert. Here are some highlights:
- Feminist Tech Gardens: Space to meet, discuss and talk. Programming was split across two different areas:
- Advocates of a #bindingtreaty want corporates to be held directly accountable under existing human rights mechanisms.
- Debt relief campaign from the Committee for the Abolition of Illegitimate Debt, which aligns with warnings from The World Bank itself (NYTimes gift link).
- Point of View’s campaign to hold Big Tech accountable resonates with many feminists. Sign up for more info.
A world-wide survey of links
- Email and document leaks show Google Cloud CEO knew Project Nimbus would violate human rights and SIGNED OFF on a contract with Israel ANYWAYS. https://theintercept.com/2024/12/02/google-project-nimbus-ai-israel
- Announcement: This newsletter is now on the fediverse thanks to Ghost inviting us to beta test its ActivityPug integration, typo intended! https://activitypub.ghost.org
- ICANN has a new CEO. https://www.article19.org/resources/icann-new-ceo-and-the-opportunity-to-reiterate-human-rights-commitments
- And the IRTF has a new chair, Dirk Kutscher of Hong Kong University of Science and Technology. https://mailarchive.ietf.org/arch/msg/irtf-announce/YQv9BSxGJ4ChubttT3UA9gDh2Qg
- New work on AI Control (read: robots.txt but for AI) is emerging at IETF. Follow the list in the meantime: https://mailarchive.ietf.org/arch/browse/ai-control
- Read about the new Global Network for Social Justice and Digital Resilience by way of their latest blog post, "Developing technical collaborations within the Network": https://digitalresilience.network/developing-technical-collaborations-within-the-network
- CitizenLab reports on how technology-facilitated gender-based violence is used in digital espionage and transnational repression. https://citizenlab.ca/2024/12/the-weaponization-of-gender-for-the-purposes-of-digital-transnational-repression
- New article in Nature: Why "open" AI systems are actually closed and why it matters: https://www.nature.com/articles/s41586-024-08141-1
- Public AI: Mozilla published a practical roadmap for "a robust ecosystem of initiatives that promote public goods, public orientation, and public use throughout every step of AI development and deployment." https://foundation.mozilla.org/en/research/library/public-ai
- The EU takes one final shot at encryption before closing for the year. https://www.techradar.com/computing/cyber-security/the-eu-proposal-to-scan-all-your-whatsapp-chats-is-back-on-the-agenda
- Compiler profiles Proton CEO Andy Yen. https://www.compiler.news/r/6f2b7746?m=56683812-c164-4a1b-a744-a679bf232859
- The ACLU is hiring an Algorithmic Justice Fellow. https://www.aclu.org/careers/apply/?job=7742482002&type=national
- Numun fund is looking for a "Programmes Weaver." https://numunfund.notion.site/Programmes-Weaver-aka-Programmes-Senior-Coordinator-Numun-Fund-2024-131bd53513bb8029b7e6d303d4aa7206?pvs=74
- ASL19 is looking for a software engineer. https://asl19.org/en/join-us/software-engineer
- Diversity Travel Grants to IRTF meetings support early-career academics and PhD students from under-represented groups to attend the upcoming IETF122 Meeting in Bangkok in March 2025. https://www.irtf.org/travelgrants
Links in conversation about Digital Public Infrastructure
- "The Sovereign DPI-Hyperscalers Trick." Why We Shouldn’t Fall for It, and What We Should Do Instead: https://cristinacaffarra.blog/2024/12/01/the-sovereign-democratic-infrastructure-hyperscalers-trick
- New America takes a closer look at Digital Public Infrastructure: https://www.newamerica.org/digital-impact-governance-initiative/collections/infrastructure-for-the-digital-age-building-a-safer-more-resilient-digital-ecosystem
Privacy and security in digital public infrastructures
By Divyank Katira, Gurshabad Grover, and Anunay Kulshrestha (internet Research Lab)
The internet Research Lab is hosted at the Exchange Point Institute. The project 'Privacy Risks of Digital Public Infrastructure in India' is supported by the Digital Infrastructure Insights Fund. The authors can be reached at mail@irl.works.
The Indian government has widely deployed a set of technological solutions that citizens are de facto required to use to access essential public and private services. Promoted as “Digital Public Infrastructures” (DPIs), these infrastructures digitally mediate a number of day-to-day interactions that citizens have with governments and businesses, including identification, payments, credential management, e-commerce, welfare distribution, healthcare, and banking.
While DPIs are a global phenomenon, India has spearheaded the deployment of these infrastructures and even boasts of a foreign policy structured around their promotion. At the G20 in India in 2023, world leaders adopted a framework for “Systems of DPI” while stating that DPIs are “safe, secure, trusted, accountable, and inclusive.” While such assertions make for good sound bites, the underlying substantive claims have not been rigorously tested in the Indian context.
Contrary to what ‘public’ in ‘digital public infrastructure’ might suggest, many parts of DPIs in India are in reality governed by opaque public-private partnerships or outright for-profit companies. While marketed as facilitating an “open” ecosystem, many DPIs are not free or open source.
For instance, Digi Yatra – a facial recognition system to enable entry into airports – is, in theory, an initiative launched and led by the Ministry of Civil Aviation in the Government of India. In practice, its operations are governed by a non-profit foundation. When simple questions about the system were directed to the Ministry, it rejected them citing the fact that the non-profit foundation does not come under the purview of governmental transparency legislation. Developed by a separate for-profit tech company that has since been accused of siphoning public funds, none of Digi Yatra’s source code is available to the public.
Including and beyond Digi Yatra, DPIs in India operate on and store private data of nearly all residents with little transparency or oversight.
This dearth of oversight has resulted in numerous data breaches and security vulnerabilities in many DPIs, such as Aadhaar, a biometric identification that is practically required for most citizen interactions with the government – from filing income taxes to availing social welfare.
Imagined by technocrats and developed by private companies, Indian DPIs have rarely taken a privacy-respecting approach, generally storing and processing more private user data than is necessary to provide functionality. With many systems now inter-linked because of government policy, privacy researchers in academia and civil society have sounded the alarm on the potential surveillance enabled by DPIs in India.
Indians are also being increasingly coerced into using DPIs – sometimes by the government making them mandatory for many basic interactions and access to public services, sometimes by flouting basic principles of privacy. Airport security staff have been found signing up flyers to Digi Yatra without their consent. Many Indians who registered to get their Covid-19 vaccine shot were automatically signed up for a national “Health ID.” Ditto for anyone who availed a government health insurance scheme. As of 2022, at least three quarters of these “voluntary” Health IDs were generated from these two databases alone. With “Aadhaar-linked birth registration” now active in most states in India, enrolment to the identification program in India now begins at age zero.
Worryingly, many other countries are unwittingly – or worse, on purpose – adopting the ‘DPI model’, aping shortcomings of Indian deployments into their own. The Aadhaar program’s design has already informed numerous digital identity systems in Africa. India recently announced the creation of a global repository for DPI and a social impact fund to accelerate development and deployment of DPIs in the Global Majority. India also led the creation of modular platforms for other countries to adapt, including those for digital identity, payments and welfare distribution. Thirteen countries are currently deploying such systems while pilots are underway in at least seven. India has entered into agreements relating to payment infrastructure with at least twelve countries.
The damage needs to be contained, both in India and outside it.
To inform the public, policymakers, researchers and civil society organizations around the world of the risks of DPIs, we will be undertaking a systematic analysis of how “open”, “secure” and “accountable” Indian DPIs really are. Our research project will audit the data collection practices of DPIs to document what entities operate these infrastructures, the data (and metadata) visible to them, and the parties the data is shared with. It will also explore how slices of information from disparate applications are already being or can be combined to create a surveillance apparatus.