#87 Lessons from the DigiYatra Debacle
Disembarking from the DigiYatra Journey; Parsing the Indian Space Policy Guidelines
Today, Bharath Reddy writes on the technical and governance issues with DigiYatra, India’s homegrown biometric boarding system for airports. Ashwin Prasad shines a light on the newly released guidelines for implementing the Indian Space Policy.
Also,
We are hiring! If you are passionate about working on emerging areas of contention at the intersection of technology and international relations, check out the Staff Research Analyst position with Takshashila’s High-Tech Geopolitics programme here.
Course Advertisement: Intake for the 8th cohort of Takshashila’s 48-week Post-graduate Programme in Public Policy (PGP) closes on May 31. It’s a fantastic pathway for those who wish to make a career switch to public policy. Check all details on the website.
Cyberpolitik: Disembarking from the DigiYatra Journey
— Bharath Reddy
DigiYatra, the biometric boarding system used at airports, is often touted as a game changer for airport check-ins. Amid allegations about its tech partner being involved in serious fraudulent activities, DigiYatra users were asked to uninstall the old app and reinstall a new one. This raises serious questions about the governance structures for digital infrastructure, which do not prioritise transparency and accountability.
Over a month ago, the DigiYatra Foundation (DYF) informed users on social media to uninstall the existing app and install a new one. New features and updates are constantly rolled out to mobile apps, and this does not require installing a new app. The decision to move to a new app raised suspicion. Following the breadcrumbs, a cybersecurity researcher on Twitter going by the handle @kingslyj posted an expose showing that the reason for the new app was DYF wanting to distance itself from its tech partner Data Evolve.
Data Evolve is a one-person company headed by Kommireddy Avinash. He is accused of cloning the payment gateway for the traffic challan system in Andhra and misappropriating funds to the tune of 36 crores. A report by The Ken found that the contract for DigiYatra was awarded to DataEvolve through a national startup challenge. Incidentally, no background checks were required for the company to be awarded the contract to build such critical infrastructure at a national scale.
DigiYatra has constantly faced pushback from privacy advocates on many counts - a private company collecting sensitive biometric data must be held to the highest standards, especially when India’s data protection legislation is not yet in effect, informed consent is not being properly obtained from users, concerns about their data policy which allows sharing with third-party affiliates and so on.
One of the other main concerns is DigiYatra's governance structure, which is the focus of this article. The DigiYatra Foundation, a private non-profit company, operates the service. It is a consortium that includes five domestic airports, Bengaluru, Cochin, Delhi, Hyderabad, and Mumbai, alongside the Airports Authority of India, which holds a 26% share. This structure resembles that of other digital infrastructure projects in India. For example, the National Payments Corporation of India, a consortium that includes various banks and the Reserve Bank of India, manages the Unified Payments Interface. Similarly, the Open Network for Digital Commerce, which operates an e-marketplace of the same name, is a consortium that includes banks and the Quality Council of India. As private entities, these organisations are not subject to the Right to Information Act, exempting them from certain government transparency and accountability standards. Despite this, as quasi-governmental bodies, they possess the authority to establish regulations and manage infrastructures that have substantial effects on markets, society, and individuals.
Much of the criticism aimed at DigiYatra arises from its governance structure. For instance, the DYF asserts that all data is collected and retained solely on the individual’s mobile device and that no personally identifiable information is stored on central servers. Moreover, although DYF claims to conduct security audits on its infrastructure, it has not released the results to the public despite many requests by privacy advocates. Additionally, the foundation has not been proactive about disclosing its association with a disreputable technology partner and the impact it might have had on users. There is a clear need for more stringent checks and balances.
David Osborne, an author with extensive expertise in public administration, emphasises the importance of separating decision-making roles from those involved in service delivery and compliance for effective public service delivery. In other words, defining what is the right thing and doing things right must be performed in separate roles by different entities. Additionally, it's essential to establish checks and balances to hold the institutions managing such infrastructure accountable to the public. Issues like consent, data protection and grievance redressal are all better addressed within a robust institutional framework.
The Passport Seva portal stands out as a shining example of e-governance done right. The project is a public-private partnership between the Ministry of External Affairs and Tata Consultancy Services to deliver transparent and efficient passport services. The Ministry retains all the sovereign functions and the accountability for the same, such as the approval of passports, while the private sector partner, Tata Consultancy Services, is responsible for re-engineering the application process to enhance efficiency and transparency. While the scope of work might be different for other digital infrastructure projects, it is important to balance the roles and responsibilities while maintaining transparency and accountability.
The cost of convenience cannot be risking sensitive personal data about every passenger. The union government has also been advocating for the export of India’s digital public infrastructure to other countries. For this to succeed, the institutional structure is as important as the technology for maintaining public trust in such systems.
India is set to host the Quad Leaders' Summit in 2024. Subscribe to Takshashila's Quad Bulletin, a fortnightly newsletter that tracks the Quad's activities through the Indo-Pacific.
Your weekly dose of All Things China, with an upcoming particular focus on Chinese discourses on defence, foreign policy, tech, and India, awaits you in the Eye on China newsletter!
The Takshashila Geospatial Bulletin is a monthly dispatch of Geospatial insights for India’s strategic affairs. Subscribe now!
Antariksh Matters: Parsing the Indian Space Policy Guidelines
— Ashwin Prasad
Earlier this month, the Indian space regulator, Indian Space Promotion and Authorisation Centre (IN-SPACe) released the guidelines and procedures to implement the Indian Space Policy. It is great that the government continues to steadily take the space reforms forward in an attempt to boost private participation. However, these guidelines may hurt rather than help the nascent space industry.
Sifting through the guidelines
Given the dual-use nature of space technology, all space activity has to be authorised by IN-SPACe. The guidelines lays out this procedure for different areas like Satellite Communication, Remote Sensing, and Launch Services. Surprisingly, PNT (Positioning, Navigation and Timing) and Scientific Missions are not mentioned at all. The areas covered by the guidelines are a blend of technologies falling under the jurisdiction of multiple ministries and departments. The space policy and government communication suggested that IN-SPACe was going to be a 'one-stop-shop' for all space activity regulation. The guidelines prove this to be a misnomer. After detailed scrutiny, IN-SPACe will only issue a provisional authorisation to its applicants. Later, the applicants will have to seek separate clearances from each of the relevant ministries and departments.
Various sections of the guidelines will benefit from more clarity. For instance, the guidelines impose exit barriers on space-based companies providing important services to the masses. They also require long notice periods and penalties in the case of non-compliance. This is fair considering how critical large-scale services can be, but the guidelines have to include a lot more elaboration on when these provisions will apply.
There are some discrepancies that need rework. When private players apply for an authorisation to IN-SPACe and are rejected, they are allowed to resubmit the application for review. However, this review is done by IN-SPACe again, violating Nemo Judex in Causa Sua. IN-SPACe ideally should not be the judge in its own case. Also, all the exemptions granted to the Indian Space Research Organisation (ISRO) and National Remote Sensing Centre (NRSC) go against the government's announcement that the government and private space agencies will be co-travellers in the country's space journey.
The source of these disparities emerges from the fact that the executive is primarily formulating policy instead of the legislature. These guidelines need to evolve into acts by the parliament.
Need for Legislations
Both IN-SPACe and ISRO are under the Department of Space (DoS) and are headed by the ISRO director. As a regulator, IN-SPACe has to regulate ISRO's activities along with those of the private sector. Thus, you have a system where IN-SPACe supervises the activities of its superior.
As a regulator, IN-SPACe may have to scrutinise and disallow certain private companies that it was trying to enable and encourage as a promoter. Also, these private industries may go on to compete with ISRO someday. Can IN-SPACe be effective in the discharge of its duties given these contradictions? These issues can be addressed by giving IN-SPACe and the NGP a statutory backing.
IN-SPACe's regulatory half needs to be independent of the DoS to ensure independence and impartiality in its functions. Its powers and mandate need to be codified into law lines of TRAI. The act should also create a tribunal to handle disputes and appeals which are likely to regularly crop up between the government, regulator and private sector.
India needs a Space Regulation Act born out of a consultative process with inputs from the industry and experts. Together, these legislations can create a fair, rule-based regulatory environment with the necessary legal clarity that the private sector expects before undertaking ventures as risky and strictly regulated as the space sector.
**This post originally appeared as an op-ed in the Deccan Herald.**
Keep an eye on these developments in AI:
Google has introduced AI overviews in the US and plans to expand to other countries soon. This move comes in response to competition from Bing, chatGPT, and others, and it could significantly alter the way people use search engines.
Anthropic researchers make progress in understanding how a large language model works by identifying how concepts are represented internally.
Nvidia’s rivals and biggest customers are rallying behind an OpenAI-led initiative to build chip-agnostic software that would make it easier for developers of artificial intelligence to switch away from its chips.
The EU adopted the AI Act, which will come into force 20 days after its publication in the official journal. This is expected next month. However, substantive obligations will come into force over a phased 3-year period. Will other countries follow suit?
UK’s information watchdog is looking into Microsoft’s recently launched Recall feature. The feature seems eerily similar to a Black Mirror episode.
What We're Reading (or Listening to)
[Opinion] How Big Data Centers Are Slowing the Shift to Clean Energy, by Jennifer Hiller and Scott Patterson
[Opinion] In the hot seat, under Beijing’s glare, by Anushka Saxena
[Takshashila Discussion Document] A Framework for Identifying Critical Technologies, by Shambhavi Naik