Is India privatising governance through partnerships in public digital infrastructure?

While the centre has consistently drawn criticism for introducing policies that threaten digital security before enacting a data-protection law, there has been little focus on the dangers of the digital infrastructure behind these policies. Utkarsh For The Caravan
20 October, 2020

On 19 October, Prime Minister Narendra Modi announced that health IDs would be used for COVID-19 immunisation in India. Modi first proposed these IDs on Independence Day this year, when he launched the National Digital Health Mission—a scheme to provide a digital “health ID” to all of India’s citizens. Despite the scale and ambition of this programme, the NDHM is not supported by a legal or governance framework, and consequently invited much criticism about the Modi government’s policy-making process. The NDHM’s use for the administration of vaccines against the deadly pandemic will likely compel widespread participation. While the centre has consistently drawn criticism for introducing policies that threaten digital security before enacting a data-protection law, there has been little focus on two aspects of the digital infrastructure behind it—the India Enterprise Architecture and the National Open Digital Ecosystem.

India Enterprise Architecture, or IndEA, aims to integrate all government services and make them accessible through a single window, by using a common digital framework that can be adopted across state and central services. By digitising and integrating activities across ministries and sectors, IndEA envisions “government as a single enterprise”—it seeks to create a single window or platform for the delivery of all government services. Many tech and public-policy experts have pointed out that the architecture for seamless data flow between government departments will lead to the creation of centralised database of personal data of citizens. But the central government has denied this, arguing in a framework document that the IndEA will follow a federal architecture.

The successful implementation of IndEA requires the setting up of National Open Digital Ecosystems, or NODEs, which are platforms on which all government ministries and departments are to be able to perform their functions and deliver services, digitally. The NDHM, like many programmes introduced by the central government, is a part of a larger digital framework that includes IndEA and NODE. NODEs are an essential component of the project, because they are the digital delivery platforms for initiatives such as the NDHM.

In March this year, the ministry of electronics and information technology, or MEITY, released a whitepaper highlighting its plans for developing government technology, and seeking comments on the proposed NODEs. Meanwhile, MEITY had released the IndEA framework in October 2018. But none of the three—the NDHM, IndEA or NODE—have undergone parliamentary scrutiny. As a result, there are serious concerns with these technology policies that are not addressed, or even acknowledged, before they are introduced. The consequences of this are not restricted to the information-technology space, because digital infrastructure such as IndEA and NODEs are designed to transform the whole process of governance across all tiers and sectors.

There are procedural concerns with the undemocratic nature of information-technology policy drafting in India, where the government has repeatedly engaging the same small group of IT firms and experts without issuing any formal tender. This practice points to two other significant problems—an apparent whitewashing of conflicts of interest between these firms and their work, and the increasing role of the private sector in public issues of governance.

For instance, the NODE whitepaper states that the technical part of the NODE architecture is run by public and private businesses who leverage the digital infrastructure to develop solutions for “public service delivery or private enterprise.” Similarly, IndEA proposes the use of big-data analytics—tools to process huge volumes of data—which poses its own set of concerns about the monetisation of data. Under the Modi government, India’s IT policy has been marked by the alignment of public projects and private interests, and the NDHM, NODE and IndEA reflect this this trend.

In January this year, the health ministry had released a National Digital Health Blueprint, which first proposed the NDHM and detailed a roadmap to achieve the centre’s digital health mission. The blueprint noted that the ministry had “prioritised the utilization of digital health to ensure efficient service delivery and citizen empowerment.” It also conceptualised setting up a National Digital Health Ecosystem, which is effectively a NODE for the health sector. In a section titled “Technology Principles,” the blueprint stated, “The design of the building blocks of the NDHB will adopt and conform to IndEA by default.”

The NDHM’s use of IndEA framework implies that it may similarly endorse big-data analytics, which the Modi government has already wholly endorsed in its Economic Survey of 2018–19. The survey dedicated one chapter to the use of data as a public good. This included the creation of “an entreprise architecture for governance,” within which there is a common database of all the data collected by the different ministries. The document proposed a model in which this data can be made available to “Data Requestors” through “Data Access Fiduciaries,” who may release subject to the requester obtaining the concerned individual’s consent.

The Economic Survey further noted that “Data Requestors may be public or private institutions.” It went on to state that the cost of this “data revolution” would be at least partially met by monetising the generated data “to ease the pressure on government finances.” It said, “Private sector may be granted access to select databases for commercial use. Consistent with the notion of data as a public good, there is no reason to preclude commercial use of this data for profit. Given that the private sector has the potential to reap massive dividends from this data, it is only fair to charge them for its use.”

Many policy experts, economists and digital activists have since warned that the proposed Economic Survey model would lead to private interests taking over the governance process. The survey clearly states that the proposed digital transformation of governance would rely on monetisation of data. According to a January 2020 report by Credence Research—a global market research firm—big-data analytics is a thriving global market that was valued at $37.34 billion in 2018, and is expected to reach $105.08 billion by 2027. India is currently among the top ten big-data analytic markets in the world and experts have estimated that it will become a $16 billion industry by 2025.

Discussions on digital systems for governance must be seen in this light, coupled with the fact that all this is happening when there are no laws to address issues of privacy and data-sharing arising from the creation of mass databases. The Economic Survey and the IndEA framework appear to operate on an assumption that the legal and technical framework to ensure digital security and prevent misuse of data are already in place. But there are no laws to regulate the use of personal or non-personal data in India.

“The NODE framework does not comprehensively lay down the data protection and privacy risks and solutions for it,” Shashank Mohan, a project manager at the Centre for Communication Governance at the National Law University Delhi, told me. “It doesn’t actively engage with the data-protection principles that are even recognised in the PDP Bill such as consent, data minimisation, purpose limitation, transparency and accountability measure.” Mohan was referring to the Personal Data Protection Bill, 2019, which has been with a standing committee since December last year and would provide the legal framework for data regulation and protection.

Another concern with the central government’s adoption of IndEA is that state governments will follow suit. On 29 October 2018, within two weeks of MEITY releasing the IndEA framework, the Meghalaya government gave in-principal approval to implement the architecture model through the Meghalaya Enterprise Architecture. In December that year, MS Rao, the president and CEO of the National e-Governance Plan under MEITY, wrote a letter to the chief secretaries of all states and union territories about the adoption of IndEA. He wrote, “IndEA provides a generic framework, comprising of a set of architecture models, which can be converted into a whole-of-government architecture for Central governments, departments and states.”

The National e-Governance Plan, or NeGP, was launched in 2006 and is currently tasked with the responsibility to help central ministries, departments and states to prepare blueprints for their enterprise architectures based on the IndEA framework. Two years later, the Second Administrative Reforms Commission, which was tasked with the responsibility of promoting e-governance, recommended forming a legal framework for e-governance on priority.

In its report, the commission noted that the NeGP requires a legal framework, “keeping in consideration the mammoth dimension of the task.” The commission wrote that such a framework would provide a statutory mandate for the entities involved in the NeGP, define their responsibilities, and create an oversight mechanism. The underlying idea was that the transformation brought about by e-governance should be framed and monitored by democratic and statutory institutions.  Twelve years later, the government is yet to pass any such legislation, and that has not prevented it from rolling out digital systems such as the NDHM without any parliamentary or public deliberation.

One person has played a central role in framing and developing India’s IT policy and e-governance programmes—J Satyanarayana, who has had a long history of involvement in the sector. A retired officer of the Indian Administrative Services, Satyanarayana has served as chairperson of the Unique Identification Authority of India, the nodal agency for the Aadhaar project, as India’s IT secretary, and as advisor to the Andhra Pradesh government on its e-governance projects. Satyanarayana continues to play an influential role in shaping IT projects. The IndEA framework and adoption guide, and the NODE whitepaper were drafted by working groups constituted by MEITY, both of which were headed by Satyanarayana. He also headed the committee that drafted the NDHB, and is an advisor to the National Health Authority, which is responsible for implementing the state-insurance scheme, Ayushman Bharat, and which will also implement the NDHM.

In a 2004 book titled e-Government, Satyanarayana wrote that public-private partnership and “tapping the large financial, managerial and manpower resources of the private sector” lies at the centre of his concept of e-governance. He proposed establishing joint ventures to build and run the e-government architecture. Satyanarayana said that the joint venture could be “led by the government or by the private partner,” and would work on the delivery of services, setting up infrastructure  and even “handling of sensitive data and information relating to citizens, businesses and government.” In a 2015 essay titled, “Promoting E-government through Partnerships,” Satynarayana also suggested the built-own-operate model of PPP, where the selected partner designs, develops and implements the project—most often bearing the costs entirely—and operates the system for a fixed period.            

There has been a marked change in India’s approach to IT in governance, especially in the last ten years, according to digital activists. “In the initial years of technological adoption in governance, there was an active phase of software freedom and openness inspired by free and open-source software movement and academia,” Anivar Aravind, a public-interest technologist, told me. The open-source movement is a global movement to develop high-quality software that users are freely able to run, copy, distribute, study and modify the source code of.  “Numerous such polices were adopted by the central government in 2006-2014 period.”

The initial focus was on universalising computer literacy and spreading the use of computers and IT in education. “All these initial attempts of sovereignty, transparency, openness, IT education and capacity building have been ignored, especially since 2015,” Aravind told me. Since then, he said, the unofficial process has been that influential, private IT companies, associated legal firms and their members are engaged by the government despite clear conflicts of interest. According to Aravind, these private firms are ostensibly “taking control of existing sectors” by setting up technology platforms that centralise data, which are in turn mandated either by legislation or through government coercion. Meanwhile, he said, the companies are able to persuade the government to enforce these platforms “by selling surveillance”—that is, by offering the data obtained from surveillance.

The NODE whitepaper had noted that its technical architecture would be run by both private and public businesses, and that it would be used for public services and private enterprise. “The framework does not make it clear what would be the extent of the involvement,” Mohan, the project manager at CCG, said. “How will we ensure that once private players get involved that the citizen rights will be protected? The citizens have constitutional rights from the state and not private parties. When private parties get involved in public service delivery, the risk is heightened because of the lacunae of remedies that the citizens have.”

He explained, “We do have a constitutional right to privacy, but that can only be enforced against the state. If we have to enforce a privacy right against a private party, we do not have a data-protection law for that yet. The government is free to sign contract with private entities, but the central aspect becomes the transparency and accountability measures.”

Numerous organisations pointed to the dominating presence of private IT firms in the NODE project in their responses to the whitepaper released in March this year. Tech-policy organisations such as IT for Change, Software Freedom Law Centre and Tandem Research raised various concerns, ranging from the very conceptualisation of e-governance, to the structure and institutions involved, the absence of a legal framework and the nature of funding. They also stated that the whitepaper failed to address concerns of digital access and exclusion, which are crucial when digitising essential public services.

“NODE governance CANNOT be in the hands of a private body or a Public-Private-Partnership,” the Bengaluru-based NGO IT for Change stated in its response. “A private or PPP body as the anchor point of a NODE would then translate into private actors de facto running government departments.” It further asked, “How can a private sector or even a PPP entity be acceptable as the anchor body for such an agriculture NODE, or, on the same reasoning, for any sectoral NODE? That would directly amount to privatising the Indian government—not just at the implementation peripheries but in terms of its core decision making and resource allocation roles.” Most responses to the whitepaper emphasised the need for a well-defined governance framework and rules on engaging private actors.

The responses to the consultation paper pointed out the NODE’s claim of openness does not hold water. The Mozilla Corporation, a US-based company that runs open software projects, stated in its response that the “the white paper leaves the definition of ‘open’ vague and at the complete discretion of individual implementers.” It added, “Consequently, implementers are not required to adhere to any minimum baseline of ‘open’. This risks empowering private parties to develop closed ecosystems that are only open in appearance while being closed in practice.”

Tandem Research, a Goa-based research collective, raised similar concerns in its response. “There is nothing intrinsic about these principles of openness which guard against monopolies of unfair value capture unless participation in the NODEs is made open to all actors, instead of only a select few,” the organisation wrote. “Open government data programs can be used as a form of privatisation and deregulation: a deliberate attempt to create new markets in public service delivery, instead of providing government services.” 

Aravind, too, noted that the application programming interfaces, or APIs, behind these digital systems are not accessible to everyone. APIs are codes that allow software to communicate with each other—for example, when an app on a phone interacts with a payment gateway. According to Aravind, “In India’s current naming, ‘Open API’ is not actually open, it just a name for ensuring government data access for private proprietary business interest for a closed club without any accountability mechanism.” He added, “India Stack, Aadhar, UPI are all closed set of APIs where the private interests have privileged access to sensitive data sets. “

The NODE whitepaper also leaves no doubt that the formulation and implementation of IT policies in India continue to be spearheaded by a group of tech-company promoters, and IT and financial-technology companies. These players enjoy the active support of government and bureaucrats. For instance, the whitepaper was drafted with the support of Omidyar Network India and Boston Consulting Group. The Omidyar Network is a US-based organisation with investments worth $315 million in technology firms in the field of agriculture, education, health care, and finance, and others. It reportedly aims to invest another $350 million over the next five years.

Nandan Nilekani, the technology billionaire who was the first chairperson of the UIDAI, is among the usual suspects engaged by the government. Unsurprisingly, he was part of the discussions while drafting the whitepaper. The day before Modi announced the use of the health IDs for India’s COVID-19 immunisation programme, the Indian Express published an interview with Nilekani in which he said that he had proposed a digital platform similar to Aadhaar to oversee the administration of the vaccine. Nilekani also serves as an advisor to National Payments Corporation of India, and is a member of National Startup Advisory Council constituted by the commerce ministry. He is also involved with at least thirteen different technology start-ups.

One of the most prominent and recurrent names in this cohort of firms and individuals framing India’s tech policy is the Indian Software Product Industry Roundtable, or iSpirt, a lobby of volunteers, many of whom worked on developing Aadhaar. Nilekani was also a mentor of iSpirit. The lobby’s conflict of interests in government projects have been widely reported.

Meanwhile, its involvement with the government’s technology initiatives has continued—iSpirt developed a service-delivery platform for the NDHM called the National Health Stack. The National Health Stack is a set of APIs, and in effect, the foundational building blocks for the entire NDHM programme, because they control how other applications would interact with the health database.

Each health ID issued under the programme will be linked to a health-data consent manager, which is a set of APIs developed by iSpirt and the Swasth Alliance. The Swasth Alliance is a collaboration of 92 partners across health-tech companies, hospitals, diagnostic labs, insurance companies, tech companies, and venture capital firms including Apollo, Medanta, Onemg. The members of the alliance’s advisory council include Amitabh Kant, the CEO of NITI Aayog; Indu Bhushan, the CEO of Ayushman Bharat and the National Health Authority; and Nilekani.

Bhushan told me that the NHA had not issued any request for proposal for the development of the National Health Stack, and stated that it was released by the NITI Aayog. He similarly stated that the NHA did not choose iSpirt to build the health stack, and again pointed towards the NITI Aayog. Meanwhile, Deepjyot Kaur, listed as a “Young Professional” working with NITI Aayog, told me that the organisation was just “a policy think tank” and directed me to “address these questions to the concerned ministry.” The MEITY and the health ministry did not respond to emailed queries.

Bhushan also noted that the Swasth Alliance had proposed “to develop and donate a Telemedicine e-platform for the National Digital Health Mission using open source technologies.” He noted that a government solution called eSanjeevani was also being implemented and noted that “final solution will be developed through RFP route, as per the framework laid in National Digital Health Blueprint.” Clearly, Bhushan and the NHA do not share the concerns of digital activists about the privatisation of governance, and are only going to encourage such partnerships. He mentioned that the Swasth Alliance’s proposal for telemedicine was “under consideration.”

The National Health Authority has also set up an NDHM Sandbox Environment, which is a platform for private companies to test technology before it is submitted for government approval and rolled out to customers. Currently, there are no rules governing the functioning of sandboxes in the country. In June this year, the Karnataka government became the only state to notify draft rules for sandboxes. This was again done with the assistance of Vidhi Centre for Legal Policy, a legal think tank that has been involved in numerous government projects despite conflicts of interest.

According to Srinivas Kodali, a researcher who works on data and internet, policies such as the IndEA and NODE “are essentially pushing a programmer’s ideology into governance without any laws in place.” He said, “The idea seems to be to remove bureaucrats and replace them with machines, automate the governance process. In the case of Aadhar, we have seen that the citizens are being forced to interact with a machine that does not work.”

Kodali continued, “This exercise would replace the entire government systems with IT system without any regulatory laws. The citizens are not being informed of the polices being implemented while they are reduced into customers of these tech companies.”

According to the digital activists I spoke to, the push towards digital governance points to one ultimate purpose—creating a 360-degree profile of citizens, an all-encompassing database of Indian citizens. Pertinently, during the Supreme Court hearings challenging the Aadhaar project, the central government had stated that it is not creating such a database, and the court had held that such an exercise would not be permissible under law. Yet, the push towards digital governance under various projects effectively leads to the 360-degree profile.

For instance, during Aadhar enrollment, a repository of residents was formed at the state level called the State Resident Data Hub. In May 2016, a presentation by Satyanarayana on a scheme under the Direct Benefit Transfer Bharat mission—a central government initiative to revamp the implementation of welfare schemes—published on its website revealed similar 360-degree profiling plans. The presentation proposed to create a population database comprising Aadhar and National Population Register details, which would be would be linked to schemes such as the public distribution system, the National Rural Employment Guarantee Act, and pension, among others. The presentation said that one of the objectives of the Aadhar-seeded programme was “getting a 360 view of citizens.” This presentation appears to have been taken down from the cabinet secretariat’s website on the DBT mission.

In October 2018, Rajiv Gauba, who was then the union home secretary, attended a conference on the Crime and Criminal Network Tracking Systems—a comprehensive policing database. Speaking at the event, Gauba proposed integrating the CCNTS with another policing database called the Integrated Criminal Justice System, and other databases of prison, courts and transport systems. “Once integrated with these databases,” Gauba said, “coupled with Big Data analysis, CCTNS would be able to provide 360 degree profile of any person.”

Mohan spoke with concern about the integration of databases under IndEA, and of social registries with the National Intelligence Grid, a centralised network of databases for intelligence and law enforcement agencies. Such integration, he said, “poses the risk of mass surveillance, which is not permitted under Indian law at all.”