RFC: Community positions on digital services / DPGs? run by governments

Note: This is not an official position of FOSS United. Just a request for comments / discussion on the topic.

There was an intense debate in the Telegram group on digital public goods (DPGs) and e-governance projects by the government (Aadhaar, UPI, CoWIN etc) and what should be the position of FOSS communities and FOSS United on these.

Since I had proposed to create a note on it, I tried spending the day yesterday on preparing one. After writing multiple pages, it boiled down to:

  1. There should be no monopoly of services.
  2. It should be relatively easy to set up a new node on the network.
  3. No single service provider can serve more than X% of the market
  4. The code used to run the service should be free and open source

The arguments against monopolies and centralisation of data are well known. These systems can lead to:

  1. Single point of failure (security)
  2. Surveillance / violation of privacy
  3. Risk of de-platforming
  4. Stamping out dissent

This is hard to achieve, especially when services are given by large govt bodies (like the central gov) or for financial services.

The goal of free software is to ensure the rights and freedoms of users. The rights of users are severely restricted when they are bound to state-run (or big tech) monopolies or quasi-monopolies. The only way is to ensure that all systems are distributed by default and people have the freedom to set up nodes as they like.

I am curious to know what other positions we can take as a community.

Edit:

Examples

| Service | Non-monopoly | Ease of setup | Competition | FOSS |
|---|---|---|---|---|
| UID | :x: | :x: | :x: | :x: |
| UPI | :white_check_mark: | :orange_circle: | :orange_circle: | :x: |
| Aarogya Setu | :x: | :x: | :x: | :x: |

A few quick thoughts

  1. If they are building a centralized system, FOSS should be one serious contender. In financial services, e.g., Finacle offers a version of core banking system using JBoss which I think is deployed in cooperative banks today. But all the universal banks still deploy proprietary solutions. This has got to change in the future.

  2. If they are building a UPI type networked system there should be a serious FOSS contender for backend. There should also be a reference FOSS node app / sdk.

  3. Sometimes the cloud sponsors of DPG implementations may try and push their proprietary PaaS offerings. FOSS community can play an active role in sensitizing about the vendor lock-in situations.

Hope this helps

1 Like

The balance of power with any centralized platform that stores data (whether private or government) shifts to the platform controller. The ideal case scenario is one where the individual is the data principal who can enforce his/her rights against these platforms. The worst case scenario is one where the individual is the data subject oppressed and exploited by both the government and private sector. Digital Public Goods should be designed and implemented in such a way that the balance of power remains with the individual.

1 Like

Definitions

Public Good – Public good (economics) - Wikipedia
Social Harm – Zemiology - Wikipedia

Example

Public Goods are not void of social harms. They co-exist. Political position around an infrastructure (highway) - could evolve from various individual needs – low time, cost to reach destination for highway user / farmer who now has to spend more time to get across to other half of his land safely daily. The highway could also impact wildlife / ecological balance and hence wildlife conservationists (who may / may not be from locality) - can see a collective harm, even if individual farmers’ harms are mitigated by underpasses that marginally increases highway cost.

Digital Public Good

A digital public good is defined by the UN Secretary-General’s Roadmap for Digital Cooperation, as: "open source software, open data, open AI models, open standards and open content that adhere to privacy and other applicable laws and best practices, do no harm, and help attain the SDGs".

Breaking down – Open X, Adherence to privacy and other applicable laws, best practices, do no harm, helping attain SDG

Open X

Since at least with FOSS United, it’s safe to assume open-washing can be detected - open source software, open data, open standards and open content - are clearly defined, and let’s say billionaire public license won’t suddenly be called “open” - just because they claim to say so. Open AI models - might still have ambiguities (besides the need of disambiguating from OpenAI LLP), it’s important to come back to this in detail for the stand to be reasonably future proof.

Adherence to privacy and other laws

  1. We don’t have a privacy law - what was discussed for 5 years was only “Data Protection law” - simply put - you can violate privacy for purposes mentioned in law, collect data (coerce people) and protect it (and share data through bureaucratic rules saying “Whole of Govt”), still be legal.
  2. What are some “other laws” - that should be in the ambit of consideration. Anti-trust / competition laws (that haven’t globally kept pace with big tech platforms), anti-discriminatory laws could be some.

Do no harm

This is the most ambiguous and hard part of the definition. Harm - for whom, how is harm measured, who decides what is harm when contested? At a philosophical level, can something be done, without doing any harm?

Help attain SDG

While SDGs (now Global Goals) might seem to be clearly defined, there are significant complexities around it too. For brevity, there is contestation around SDG from opponents of capitalism, even some “true capitalists”.

We just tried to map one definition of DPG. There could be others too. Taking a community position should always be against a definition with agreed upon attributes/qualities, given the adhoc-ness in usage of term.

Necessary but not sufficient DPG features.

Public roadmap

“Build in public” is now a thing in startups and tech products having fewer users. So why should DPG not be built in public? Aadhaar, UPI, CoWIN – have all had roadmaps shared to select few - (who also use the information arbitrage to their profit) and public has 0 visibility in platform shifts and can call out poor architectures only after infrastructure is developed and it’s too late by then to make a change and users have to live through because investors invested in poor design choice.

Adversarial data out (similar to adversarial interoperability in context of platforms)

In context of DPG - they must emit out / have a means to query data by (political) adversaries aka opposition (includes public, not just a party). Without which the harms can never be quantified and platform proponents will refuse to acknowledge any shortcomings / failures, without which upgrade fixing the problem can never happen.

  • UPI still hasn’t published any data on fraud (social harm) that happens on it, claiming VISA / MC doesn’t either, all along claiming public good. RTI is too legacy for big data and NPCI sought and got exemption from even that claiming it’s private entity
  • CoWIN never published data on how many vaccinations were actually fake, never measured Adverse defects following immunization (AEFI) properly. How would vaccine manufacturer improve vaccine without having AEFI data and existence of CoWIN itself was supposed to be such data collection given the vaccines were all approved under emergency use license, bypassing traditional trial standards.

Technological guarantees on data access, privacy, security.

I wrote a slightly longer piece on Digital India and data democracy a while ago - What Ails India's Data Economy? | Economic and Political Weekly

Quoting from it –

Instituting Data Budget and Floating a Data Comptroller and Auditor General
Every department in the government, as part of its accountability to the citizens, presents its budget, and keeps its revenue and expenditure in the public domain. The Comptroller and Auditor General (CAG) is a constitutional authority that is empowered to audit government departments. In the same manner, a data budget needs to be presented by the government, noting data revenues, data expenditure, and how they are managed.

If a state is mandated to collect data (say tax administration) for which it is a monopoly function - then DPG must ensure purpose limitation with technical guarantees on data access, processing for the purpose of collection.

Recently, an assembly committee formed by AP govt to look into illegal data access of the previous ruling party, published network traffic reports to suggest vast amount of data was illegally dumped, allegedly by party for electoral gains. Given the typical population scale coverage of DPGs, any and every DPG must provide technical guarantees against such abuse.

4 Likes

Thanks @Srikanth for laying things out with a lot of clarity.

On this, I feel there is no way we can effectively detect or stop use / abuse once the data is centrally available. The data that can be used for partisan gain can also be used for disaster relief or distributing benefits. Hence the only solution seemed that central systems must have as little data as possible and the “activity” or other asset data bases must be siloed and shared across multiple providers. We can also apply the principle that data must be as local as possible, and higher levels of governments should not have immediate access to PII that is only useful at the local level (and only metadata can be shared for statistical analysis)

Unless we introduce architectural constraints, it is very unlikely we will stop abuse.

Edit: You have already mentioned this in your article

“At the same time, effective decentralisation of power over data should be promoted all the way down to the local government bodies, and strengthening data silos would be the only way to retain the rights of individuals and organisations.”

Wondering if we should come up with explicit guidelines that we can propose as FOSS United?

Thanks @rushabh - Been quite sometime thinking on these, but the lack of body of work commenting on DPG or any deep analysis on platforms projected as DPG is limiting our ability to propose actionable commentary on DPG. One way I could think of fixing this - is building knowledgebase (FOSS United internships for social researchers to create body of knowledge around them - think, reverse of Takshashila fellowship ?) around existing DPGs on narrower topics, that will help analyze better / think of solutions to harms.

I am still unclear on co-creating in adversarial environments, but from whatever limited interactions I have had with those holding pro-DPG positions, there are other limitations / considerations that some of us away from reality of these projects are unaware of.

Example Biometric payments :- As someone who subscribes to fingerprint based biometrics being unsafe for authentications - and hence the Aadhaar enabled Payments System is unfit for population scale use (50% of PMJDY accounts are non-carded, not even RuPay) and have vehemently opposed it - when talking to payments executive, was told - women secure their bank accounts from husbands, poor from local lender with AePS - since if they were carded - the power structures will ensure they are deprived of having access and in that sense - AePS is far more secure - as it’s an ‘asset’ less transaction instrument - that can’t be mortgaged. The ‘asset less’ transactability - while at some level appears to give rights and agency to people - at a different level takes away agency from them (Aadhaar is a kill switch and your access to bank account is lost if Aadhaar gets blocked).

Similar claims were made for making data issued under Digital locker (now extending to National academic depository, for educational certificates) - people don’t see it as harm 360° degree profile / other social harms that could emanate from public good. NAD for instance could impact wages when the coverage is universal. (Link back to Kailash’s similar comment - Telegram: Contact @fossunited)

Btw, There are parts of India - where even today - people ‘mortgage’ Aadhaar cards - as they would have no knowledge it’s just a number and card can be regenerated any number of times. One common thread among these interactions - when talking in good faith with people who are involved is - I felt that somehow the “stories” don’t add up. If they did - why was it not part of any documented knowledge base, but only as insight from insider / oral history? This is also evidenced by the fact - there will be no one willing to put their name in an official government document - just like how oral govt diktats / url block orders which want everyone to follow what is pleasing to some ‘unknown’ govt official by unsigned document. What adds salt to the injury is propaganda that flows freely. The biometric payments conversation happened because of propaganda that ‘1234’ was identified by NPCI as most common rural PIN for imaginary debit cards and somehow biometrics design choice was made because poor are too dumb / illiterate to remember a 4 digit number, after having used cellphones for a decade. https://twitter.com/logic/status/1145935283646418944 - Either it’s a lie - or we have far more serious problem - where ATM PINs are not private information and network intermediary can snoop them.

The data that can be used for partisan gain can also be used for disaster relief or distributing benefits

If this disaster relief bit - comes out of popular PR that Aadhaar was leveraged for COVID relief of ₹ 500 - let me add nuance here by saying that it was the most data light subsidy GoI had ever given post Aadhaar. In fact it did not even go through NPCI and was a direct credit on CBS of all banks that were participating in PMJDY

Yes - the political belief that shape my thoughts - much like yours advocates power decentralisation. But we must not also be blind to reality. This is a COVID-19 example from Kerala - the state best known for power decentralisation, literacy and FOSS awareness, Yet …

Panchayat secretaries were instructed to upload data only to government website which was not the case earlier. The earlier order had asked panchayat secretaries to upload data also to Sprinkler’s website.
Kerala govt releases deal document with US firm ‘Sprinklr’ relating to COVID-19 data, Coronavirus data US firm Sprinklr, Government releases COVID deal data

HT Anivar / others to have stopped the damage, but point here being - decentralised systems are not rights preserving inherently and we would need continuous feedback loops / same level of checks against abuse. Data silos only reduce the damage someone could do from top, but will continue to give agency (for abuse included) to those at lower levels of governance. Some might even argue - giving agency to lower levels of governments will perpetuate caste / gender inequalities and having the system higher.

Wondering if we should come up with explicit guidelines that we can propose as FOSS United?

I agree we must solidify these thoughts after discussion into some sort of guidelines on Freedoms, OSS and DPG or the likes and personally, I would limit myself to territories of tech / limitations / checks and balances that are solely technical and be slightly more cautious on realms that are outside of tech. The line is fuzzy and hard to draw

2 Likes

Thanks @Srikanth for sharing your deep thoughts and experiences as well.

For some reason, I don’t think adding limitations and checks are going to be effective at all. That cat is out of the bag. Also I agree that decentralisation may also be hard to achieve.

The only strategy I can think of is “counterbalance” - civil society must offer the services (maybe in parallel) to government. I am sure there are firms that offer ID verification services to corporations, they could make it consumer friendly as well. There could be non profits who could also take this up.

If our only strategy is to oppose, then we have lost that battle already because productivity gains are going to be too strong of a motivation. I am not saying we stop the opposition. We should continue to critique the services provided by gov/big tech but also as communities come up with alternatives that make up for the benefits that these services are bound to create.

1 Like

After all these discussions, we can narrow down to 2 main requirements for public architectures that we should advocate:

  1. Open Network (ability to freely setup a new node)
  2. Open Source (code that runs the node)

Right now none of the services run by the government have these features.

Are these sufficient? Any other thoughts?

Open standards.

Open networks need open standards for interoperability.

1 Like

This is the summary of a discussion that Kailash, Rushabh and I had on DPG/DPI/GovTech last week (27th Jan 2023). Adding it to this thread here so that all the discussions around this subject are in one place and easy to find.

Venky

DPI, DPG or GovTech: What is in a name?

Participants

Kailash Nadh, co-founder of FOSS United
Rushabh Mehta, co-founder of FOSS United
Venkatesh Hariharan (Venky), Public Policy Director, FOSS United

Kailash, Rushabh and I had a discussion on Digital Public Goods/Digital Public Infrastructure (DPG/DPI) and FOSS today. There have been discussions on this topic in the forum and amongst us for the past few months.

I shared the current landscape with DPIs. Across the world, there is significant momentum building up for DPGs. Post Covid, at least 25-30 governments are looking to implement Government to People (G2P) payments systems for doing Direct Benefit Transfers like the Indian Government does. A G2P system needs identity, payments and civil registry systems, and software for these systems are now available under FOSS licenses. MOSIP is being implemented by nine countries and 75 million IDs have been issued through it. I also informed Kailash and Rushabh that I have been invited to be part of a group of think tanks (T20) that provide recommendations to the G20 on DPI, and checked if I should attend it as a representative of FOSS United.

Kailash felt that there is no definitional clarity with the terms “DPI/DPGs” and FOSS is likely being used as a utilitarian tool for sovereignty and cost effectiveness purposes. He added that all FOSS are essentially DPGs and that Linux is perhaps the best example for it. Therefore, there is no need to create a new term like “DPG” for a system that has existed for decades and has already benefited the world immensely. The term DPI also is ambiguous because Public Infrastructure implies right to access. With public physical infrastructure, it is very hard to cut off access to individuals, for example, roads. They are protected by their rights. However, with digital infrastructure, this can happen easily, knowingly and unknowingly. If anyone’s access to a payment system is barred, it is not possible for them to create their own payment network. DPI/DPGs historically have been a global top-down big tech + big gov effort with negligible FOSS community involvement, although the concepts are supposed to be built on FOSS. I mentioned that the other term that is being used in these discussions is GovTech and we felt that this term describes government led technologies in identity, payments and other areas better than ambiguous terms such as DPG/DPI.

Kailash also mentioned that in his interactions with policy makers over the years, he has found them using terms like “AI/ML”, “Open”, “Blockchain” without really understanding them, not because of malicious intent, but because of the lack of understanding and the lack of engagement with technical people/communities who have the capacity to provide objective counsel. However, the use of FOSS and related terms like “Open” without FOSS principles of transparency, accountability, and community involvement erode FOSS and might turn into open washing.

Rushabh felt that at government scale it is not possible to build “products” that will work “out of the box”. Each government is going to be unique and each country’s tech infra will require a custom design. Also, a government is nothing but a bunch of diverse institutions, each with its own needs. So this idea of a few “products” like DPI/DPGs that governments across the world can meaningfully use and collaborate on seems infeasible. A better approach may be to adopt and promote open standards and protocols.

At this point in time, it is not very clear how the DPG/DPI concepts affect diverse FOSS/tech communities, civil societies, and the tech industry. So far, large implementations of DPI/DPG seem to have actively excluded diverse FOSS/tech communities. There is also the risk that FOSS United as an org may get inadvertently co-opted into areas where there is a lot of ambiguity. Therefore, it was decided that FOSS United will not officially be a part of these discussions. I will attend these meetings in my individual capacity and share the gist of the T20 discussions in the FOSS United Forum.

1 Like

For the T20 Working Group, we are asked to share three big ideas. I am sharing what I sent to the WG in my personal capacity.

Venky

=====

Three Big Ideas for TF-2: Our Common Digital Future: Affordable, Accessible and Inclusive Digital Public Infrastructure

  1. Focus on governance: The development and deployment of Digital Public Infrastructure (DPI) has attracted millions of dollars because DPIs promise to accelerate the attainment of SDGs. Once deployed, DPIs almost become the “operating system” for a society as it mediates critical functions like identity, payments, data exchange, healthcare, logistics and others. Crucially, they also bring governments back into the digital infrastructure game, a role that they had abdicated to the private sector for more than a decade. This is a development that has the potential to reconfigure power dynamics in our society. Can we ensure that this reconfiguration protects individual rights, limits the unconstrained power of today’s digital platforms, while ensuring that governments acquire enough power to regulate effectively, but not so much power that they become another source of unconstrained power? This requires deep, interdisciplinary thinking; therefore, a percentage of the funds being allocated to the development and deployment of DPIs should be allocated to think tanks and academic institutions to work on the governance of DPIs.

  2. Embrace full spectrum thinking: There is great optimism around the potential of DPIs. However, we have been here before. We have witnessed periods of tremendous advances in technology that were accompanied by great optimism only to end in despair. To avoid making the same mistakes, we must temper our techno-optimism with an evaluation of the full spectrum of possibilities – from best case scenarios to medium case scenarios to worst case scenarios – and evolve strategies that help us maximize the benefits of DPIs while minimizing the harms.

  3. Encourage transparency and participation at all levels of DPI: Broadly speaking, I see three layers of community around DPIs - Community of code, which consists of developers, technology architects, designers and others who build the technological underpinnings of DPIs; community of practitioners and stakeholders who are impacted by DPIs; and the community of governance, policy makers and influencers who set the rules of the game for others. We need to set up open, constructive dialogue at all levels of DPIs to ensure that DPIs deliver the best outcome for society.

1 Like