RFC: Community positions on digital services / DPGs? run by governments

Note: This is not an official position of FOSS United. Just a request for comments / discussion on the topic.

There was an intense debate in the Telegram group on digital public goods (DPGs) and e-governance projects by the government (Aadhaar, UPI, CoWIN etc) and what should be the position of FOSS communities and FOSS United on these.

Since I had proposed to create a note on it, I tried spending the day yesterday on preparing one. After writing multiple pages, it boiled down to:

  1. There should be no monopoly of services.
  2. It should be relatively easy to set up a new node on the network.
  3. No single service provider can serve more than X% of the market
  4. The code used to run the service should be free and open source

The arguments against monopolies and centralisation of data are well known. These systems can lead to:

  1. Single point of failure (security)
  2. Surveillance / violation of privacy
  3. Risk of de-platforming
  4. Stamping out dissent

This is hard to achieve, especially when services are given by large govt bodies (like the central gov) or for financial services.

The goal of free software is to ensure the rights and freedoms of users. The rights of users are severely restricted when they are bound to state-run (or big tech) monopolies or quasi-monopolies. The only way is to ensure that all systems are distributed by default and people have the freedom to set up nodes as they like.

I am curious to know what other positions we can take as a community.

Edit:

Examples

| Service | Non-monopoly | Ease of setup | Competition | FOSS |
|---|---|---|---|---|
| UID | :x: | :x: | :x: | :x: |
| UPI | :white_check_mark: | :orange_circle: | :orange_circle: | :x: |
| Aarogya Setu | :x: | :x: | :x: | :x: |

A few quick thoughts

  1. If they are building a centralized system, FOSS should be one serious contender. In financial services, for e.g., Finacle offers a version of core banking system using JBoss which I think is deployed in cooperative banks today. But all the universal banks still deploy proprietary solutions. This has got to change in the future.

  2. If they are building a UPI type networked system there should be a serious FOSS contender for backend. There should also be a reference FOSS node app / sdk.

  3. Sometimes the cloud sponsors of DPG implementations may try and push their proprietary PaaS offerings. FOSS community can play an active role in sensitizing about the vendor lock-in situations.

Hope this helps

1 Like

The balance of power with any centralized platform that stores data (whether private or government) shifts to the platform controller. The ideal case scenario is one where the individual is the data principal who can enforce his/her rights against these platforms. The worst case scenario is one where the individual is the data subject oppressed and exploited by both the government and private sector. Digital Public Goods should be designed and implemented in such a way that the balance of power remains with the individual.

1 Like

Definitions

Public Good – https://en.wikipedia.org/wiki/Public_good_(economics)
Social Harm – https://en.wikipedia.org/wiki/Zemiology

Example

Public Goods are not void of social harms. They co-exist. Political position around an infrastructure (highway) - could evolve from various individual needs – low time, cost to reach destination for highway user / farmer who now has to spend more time to get across to other half of his land safely daily. The highway could also impact wildlife / ecological balance and hence wildlife conservationists (who may / may not be from locality) - can see a collective harm, even if individual farmers’ harms are mitigated by underpasses that marginally increase highway cost.

Digital Public Good

A digital public good is defined by the UN Secretary-General’s Roadmap for Digital Cooperation, as: "open source software, open data, open AI models, open standards and open content that adhere to privacy and other applicable laws and best practices, do no harm, and help attain the SDGs."

Breaking down – Open X, Adherence to privacy and other applicable laws, best practices, do no harm, helping attain SDG

Open X

Since at least with FOSS United, it’s safe to assume open-washing can be detected - open source software, open data, open standards and open content - are clearly defined, and let’s say billionaire public license won’t suddenly be called “open” - just because they claim to say so. Open AI models - might still have ambiguities (besides the need of disambiguating from OpenAI LLP), it’s important to come back to this in detail for the stand to be reasonably future proof.

Adherence to privacy and other laws

  1. We don’t have a privacy law - what was discussed for 5 years was only “Data Protection law” - simply put - you can violate privacy for purposes mentioned in law, collect data (coerce people) and protect it (and share data through bureaucratic rules saying “Whole of Govt”), still be legal.
  2. What are some “other laws” - that should be in the ambit of consideration. Anti-trust / competition laws (that haven’t globally kept pace with big tech platforms), anti-discriminatory laws could be some.

Do no harm

This is the most ambiguous and hard part of the definition. Harm - for whom, how is harm measured, who decides what is harm when contested? At a philosophical level, can something be done, without doing any harm?

Help attain SDG

While SDGs (now Global Goals) might seem to be clearly defined, there are significant complexities around it too. For brevity, there is contestation around SDG from opponents of capitalism, even some “true capitalists”.

We just tried to map one definition of DPG. There could be others too. Taking a community position should always be against a definition with agreed upon attributes/qualities, given the adhoc-ness in usage of term.

Necessary but not sufficient DPG features.

Public roadmap

“Build in public” is now a thing in startups and tech products having fewer users. So why should DPG not be built in public? Aadhaar, UPI, CoWIN – have all had roadmaps shared to select few - (who also use the information arbitrage to their profit) and public has 0 visibility in platform shifts and can call out poor architectures only after infrastructure is developed and it’s too late by then to make a change and users have to live through because investors invested in poor design choice.

Adversarial data out (similar to adversarial interoperability in context of platforms)

In context of DPG - they must emit out / have a means to query data by (political) adversaries aka opposition (includes public, not just a party). Without which the harms can never be quantified and platform proponents will refuse to acknowledge any shortcomings / failures, without which upgrade fixing the problem can never happen.

  • UPI still hasn’t published any data on fraud (social harm) that happens on it, claiming VISA / MC doesn’t either, all along claiming public good. RTI is too legacy for big data and NPCI sought and got exemption from even that claiming it’s private entity.
  • CoWIN never published data on how many vaccinations were actually fake, never measured Adverse defects following immunization (AEFI) properly. How would vaccine manufacturer improve vaccine without having AEFI data and existence of CoWIN itself was supposed to be such data collection given the vaccines were all approved under emergency use license, bypassing traditional trial standards.

Technological guarantees on data access, privacy, security.

I wrote a slightly longer piece on Digital India and data democracy a while ago - https://m.epw.in/engage/article/what-ails-indias-data-economy

Quoting from it –

Instituting Data Budget and Floating a Data Comptroller and Auditor General
Every department in the government, as part of its accountability to the citizens, presents its budget, and keeps its revenue and expenditure in the public domain. The Comptroller and Auditor General (CAG) is a constitutional authority that is empowered to audit government departments. In the same manner, a data budget needs to be presented by the government, noting data revenues, data expenditure, and how they are managed.

If a state is mandated to collect data (say tax administration) for which it is a monopoly function - then DPG must ensure purpose limitation with technical guarantees on data access, processing for the purpose of collection.

Recently, an assembly committee formed by AP govt to look into illegal data access of the previous ruling party, published network traffic reports to suggest vast amount of data was illegally dumped, allegedly by party for electoral gains. Given the typical population scale coverage of DPGs, any and every DPG must provide technical guarantees against such abuse.

2 Likes

Thanks @Srikanth for laying things out with a lot of clarity.

On this, I feel there is no way we can effectively detect or stop use / abuse once the data is centrally available. The data that can be used for partisan gain can also be used for disaster relief or distributing benefits. Hence the only solution seemed that central systems must have as little data as possible and the “activity” or other asset data bases must be siloed and shared across multiple providers. We can also apply the principle that data must be as local as possible, and higher levels of governments should not have immediate access to PII that is only useful at the local level (and only metadata can be shared for statistical analysis)

Unless we introduce architectural constraints, it is very unlikely we will stop abuse.

Edit: You have already mentioned this in your article

“At the same time, effective decentralisation of power over data should be promoted all the way down to the local government bodies, and strengthening data silos would be the only way to retain the rights of individuals and organisations.”

Wondering if we should come up with explicit guidelines that we can propose as FOSS United?

Thanks @rushabh - Been quite sometime thinking on these, but the lack of body of work commenting on DPG or any deep analysis on platforms projected as DPG is limiting our ability to propose actionable commentary on DPG. One way I could think of fixing this - is building knowledgebase (FOSS United internships for social researchers to create body of knowledge around them - think, reverse of Takshashila fellowship ?) around existing DPGs on narrower topics, that will help analyze better / think of solutions to harms.

I am still unclear on co-creating in adversarial environments, but from whatever limited interactions I have had with those holding pro-DPG positions, there are other limitations / considerations that some of us away from reality of these projects are unaware of.

Example Biometric payments :- As someone who subscribes to fingerprint based biometrics being unsafe for authentications - and hence the Aadhaar enabled Payments System is unfit for population scale use (50% of PMJDY accounts are non-carded, not even RuPay) and have vehemently opposed it - when talking to payments executive, was told - women secure their bank accounts from husbands, poor from local lender with AePS - since if they were carded - the power structures will ensure they are deprived of having access and in that sense - AePS is far more secure - as it’s an ‘asset’ less transaction instrument - that can’t be mortgaged. The ‘asset less’ transactability - while at some level appears to give rights and agency to people - at a different level takes away agency from them (Aadhaar is a kill switch and your access to bank account is lost if Aadhaar gets blocked).

Similar claims were made for making data issued under Digital locker (now extending to National academic depository, for educational certificates) - people don’t see it as harm 360° degree profile / other social harms that could emanate from public good. NAD for instance could impact wages when the coverage is universal. (Link back to Kailash’s similar comment - https://t.me/fossunited/32535)

Btw, there are parts of India - where even today - people ‘mortgage’ Aadhaar cards - as they would have no knowledge it’s just a number and card can be regenerated any number of times. One common thread among these interactions - when talking in good faith with people who are involved is - I felt that somehow the “stories” don’t add up. If they did - why was it not part of any documented knowledge base, but only as insight from insider / oral history? This is also evidenced by the fact - there will be no one willing to put their name in an official government document - just like how oral govt diktats / url block orders which want everyone to follow what is pleasing to some ‘unknown’ govt official by unsigned document. What adds salt to the injury is propaganda that flows freely. The biometric payments conversation happened because of propaganda that ‘1234’ was identified by NPCI as most common rural PIN for imaginary debit cards and somehow biometrics design choice was made because poor are too dumb / illiterate to remember a 4 digit number, after having used cellphones for a decade. https://twitter.com/logic/status/1145935283646418944 - Either it’s a lie - or we have far more serious problem - where ATM PINs are not private information and network intermediary can snoop them.

The data that can be used for partisan gain can also be used for disaster relief or distributing benefits

If this disaster relief bit - comes out of popular PR that Aadhaar was leveraged for COVID relief of ₹ 500 - let me add nuance here by saying that it was the most data light subsidy GoI had ever given post Aadhaar. In fact it did not even go through NPCI and was a direct credit on CBS of all banks that were participating in PMJDY.

Yes - the political belief that shape my thoughts - much like yours advocates power decentralisation. But we must not also be blind to reality. This is a COVID-19 example from Kerala - the state best known for power decentralisation, literacy and FOSS awareness, Yet …

Panchayat secretaries were instructed to upload data only to government website which was not the case earlier. The earlier order had asked panchayat secretaries to upload data also to Sprinklr’s website.
https://english.mathrubhumi.com/news/kerala/kerala-govt-releases-deal-document-with-us-firm-sprinklr-relating-to-covid-19-data-1.4690323

HT Anivar / others to have stopped the damage, but point here being - decentralised systems are not rights preserving inherently and we would need continuous feedback loops / same level of checks against abuse. Data silos only reduce the damage someone could do from top, but will continue to give agency (for abuse included) to those at lower levels of governance. Some might even argue - giving agency to lower levels of governments will perpetuate caste / gender inequalities and having the system higher.

Wondering if we should come up with explicit guidelines that we can propose as FOSS United?

I agree we must solidify these thoughts after discussion into some sort of guidelines on Freedoms, OSS and DPG or the likes and personally, I would limit myself to territories of tech / limitations / checks and balances that are solely technical and be slightly more cautious on realms that are outside of tech. The line is fuzzy and hard to draw

2 Likes

Thanks @Srikanth for sharing your deep thoughts and experiences as well.

For some reason, I don’t think adding limitations and checks are going to be effective at all. That cat is out of the bag. Also I agree that decentralisation may also be hard to achieve.

The only strategy I can think of is “counterbalance” - civil society must offer the services (maybe in parallel) to government. I am sure there are firms that offer ID verification services to corporations, they could make it consumer friendly as well. There could be non profits who could also take this up.

If our only strategy is to oppose, then we have lost that battle already because productivity gains are going to be too strong of a motivation. I am not saying we stop the opposition. We should continue to critique the services provided by gov/big tech but also as communities come up with alternatives that make up for the benefits that these services are bound to create.

After all these discussions, we can narrow down to 2 main requirements for public architectures that we should advocate:

  1. Open Network (ability to freely set up a new node)
  2. Open Source (code that runs the node)

Right now none of the services run by the government have these features.

Are these sufficient? Any other thoughts?

Open standards.

Open networks need open standards for interoperability.

1 Like