‘Data Breach Is A Fact Of Life In An Increasingly Digital World. You Can't Eliminate It, You Can Only Mitigate It’

16 Nov 2023 22 min read  Share

Regardless of whether India’s digital financial infrastructure may be seen as a true measure of economic progress, the creation of digital public goods, each operating to solve a single problem such as identity authentication, cheap instant payments or data sharing, is a commendable achievement, says technology lawyer and privacy expert Rahul Matthan in his new book The Third Way. As a powerful stack of applications built on a framework of interoperability—data that can be exchanged and understood by different applications—India’s digital public infrastructure offers a new approach to data governance, he tells us in an interview. Data breaches, he says, are ‘a fact of life’.

Technology lawyer and privacy expert Rahul Matthan

Mumbai: Following an August meeting of the G20’s Digital Economy Working Group, an outcome document recognised that accessible, inclusive, secure and safe digital systems have the potential to drive the economy and catalyse growth, innovation, education and sustainable development. Elements of India’s digital public infrastructure (DPI), including Aadhaar and the united payments interface (UPI), have been highlighted as emblematic of India’s ability to leverage technology for the greater good (see here and here). 

In a new book, technology lawyer and privacy expert Rahul Matthan, a partner at law firm Trilegal, argues that India’s DPI can help it leapfrog decades in development. He posits that India’s approach to data governance is a break from the laissez faire model of the US and the heavily regulated European model. 

Indian DPI’s focus on interoperability–technical and legal compatibility for one system of data to be used in conjunction with others—is a ‘third way’, according to Matthan’s book, The Third Way: India’s Revolutionary Approach to Data Governance, published by Juggernaut. The book contends that this approach has enabled greater collaboration between the public sector and private innovators by building an ecosystem where data governance philosophy and regulatory guardrails are actually built into the technology.

Matthan has worked with telecom majors, internet and data service providers, and is an expert on regulatory matters in the technology space including data protection, digital finance, cryptocurrency, e-commerce, telecom, new media, platform technologies, technology acquisitions and biotech. He assisted the Union government in preparing the country’s privacy law, the Digital Personal Data Protection Act, 2023; he served on the Kris Gopalakrishnan committee on non-personal data and the RBI committee on household finance.  

In an interview, Matthan said the essence of what he calls the ‘third way’ is a minimal and skeletal framework that tech companies are forced to comply with because it is written into the protocols on which this framework works, while allowing them to innovate and respond to market forces once the basic compliance with the framework is achieved. 

The idea of a data governance philosophy that embeds democratic and liberal principles into the core building blocks of the technology is a lever that regulators and policymakers should start thinking about, said Matthan. 

“I'm hoping that many other countries think through their problems, use this approach,” he said, “and try to build some of these things directly into the building blocks.”

Excerpts from the interview:

What is the third way of data governance and does it take into account issues of accessibility and inclusion?

This book is about trying to figure out how to do data governance, the same thing that Anu Bradford’s new book Digital Empires does—we just take two different lenses. 

The original approach for data governance was the US-California-techno-liberal approach where the rules of the road were generally left to the private technology companies to decide. It was, in many ways, a reaction to what western techno-liberals believed was authoritarianism within the bureaucracy and the State in the United States and so it was very much a laissez faire approach.

And that approach has given rise to most of the artefacts of the internet and the digital revolution that we're accustomed to using, all very much in the hands of the private sector to decide what is right and what is wrong.

In many senses, the values that underpin these systems are what we would widely recognise as liberal values—free speech, innovation, democracy. Yet, once these systems run for a period of time and come under the influence of the various philosophies of the countries in which they now have to operate, all the big tech companies have had to make some sort of concessions to liberal values, depending on where they operate.

They also have shareholder interest, so they are forced to do what generates the most revenue. 

These and other constraints have put some pressure on this underpinning of liberal values that all of them stand for. So ‘do-no-evil’ is no longer completely accurate because in many instances, a lot of evil is being done. 

And so, we see that the original laissez faire model, which I call the ‘First Way’, as much as it has its liberal underpinnings also has its problems.

The ‘Second Way’ I describe is the European approach, which is very regulatory-first,  to require companies to adhere more closely to their liberal values. They are required, by law now, to do certain things, at least within the European Union, to conform to these values. 

But regulatory work often comes fast on the heels of technology innovation, and doesn't precede it. This has a chilling effect on innovation. Also, in many ways, it's only the big-pocket entities that have the ability to comply with the heavy regulatory burden.

So, in a sense, both the first way and the second way have their advantages, but equally have their disadvantages. 

The point of the book is to posit a ‘Third Way’. It  argues that we could create a technology framework within which innovation can take place, but at the same time, regulation can take place too. In order for that to happen, you’ve got to craft the technology framework and allow that to be in the hands of regulators, ensure that regulators are not just sitting on the sidelines but actually laying some of the bedrock for doing that. 

At the same time, this ensures that the regulators are not, as in China for  example, actually providing the service or getting down to the nuts and bolts, but that the framework allows for innovation.

So in that context, to answer your question, the essence of the third way is to lay down at the minimum required level a skeletal framework that tech companies cannot but comply with, because it is literally written into the protocols on the basis of which this framework works. At the same time this framework allows them, once they meet that bare minimum, to innovate in whichever way they choose, and therefore respond to market forces. 

To answer the question of accessibility, the idea is that the core specification at the base of this technology infrastructure established by regulators would by definition need to be accessible. It can't be denoted in a particular language, it can’t be limited to the sighted. Whether someone builds for the unsighted or in  22 languages is a market-driven feature, but the infrastructure must be designed so it cannot exclude people.

I want to underscore the fact that this is more or less a philosophy of governance and this is not exemplified in the ideal way anywhere in the world. This is a new theory of change. In a sense, it is offering an alternative to the two theories of change that have been the dominant narrative ever since we digitised, and that's the thesis of the book.

What are some of the successful digital public infrastructure elements in India? How are they unique compared to innovations in the rest of the developing world, for example, Aadhaar or UPI or CoWin or the upcoming health services interface? Would you like to comment whether our DPI is truly as momentous a change as it is made out to be? 

Without beating the drum about India’s DPI, I think India has achieved remarkable success in a number of parameters. But you're right, there is a question mark as to whether these are the relevant parameters. I'm not an economist, I don't have the numbers. I have read the papers on both sides, and I know that the Bank for International Settlements believes that India’s achievement in opening 500 million new bank accounts is remarkable, but I know many economists have said this is the wrong parameter.

Without a doubt, India has shown that it is possible to build out a DPI approach. It is extraordinarily difficult to build technology at population scale. Every population scale technology to date that we use has been built by private companies from the ground up, with the exception of those very early technologies of the fundamental internet. 

So I think whatever you say India deserves credit for having rolled out these digital innovations. We have 1.3 billion digital identities that are interoperable by design. Whether in fact interoperability is actually enabled is a regulatory question, but can they be made interoperable? Absolutely. They are API-based, so anyone could do an authentication. (Whether the government allows you to do it or not is a completely separate issue.)

UPI runs transactions currently clocking 10 billion transactions a month, that is a population scale innovation that’s actually not hard to replicate. 

Look at Brazil’s Pix, they're also replicating it; over 50 countries have built fast-payment systems.

The other thing I discovered in the course of this last year when there's been so much talk about DPI is that this is not an Indian innovation because there are countries around the world that are doing fast payments. 

What India has done, which other countries have not, is really leveraged this concept of interoperability. One of the things I talk about in the book, is this idea of reusability, that you build core building blocks, and then you build DPI solutions on the core building blocks. 

This has relevance to governance—if you build governance philosophies into the core building blocks, then you can then ensure that that governance philosophy infects every layer that is built on top of it. 

I’ll give you a simple example in the book, which is India's identity system, Aadhaar.

We had choices as to the ways in which we could identify people. One was search. If you search a database, you will find the person you are looking for but in the process, you will also find all sorts of other people. This is not particularly privacy-preserving. 

India chose to ensure that you can only do an authentication. When you must match with a yes or no answer whether a particular number corresponds to a particular name, you’re eliminating this ability to search. This means everyone else that is building on this authentication feature of Aadhaar has no choice to search the database.

So you have a more privacy-preserving way because your core building block allows you to do nothing else. We think that this philosophy, which embeds some democratic principles, even liberal principles, into the core building blocks is a lever that regulators, policymakers should start thinking about.

The point of the book really is to give examples. I'm hoping that many other countries think through their problems, use this approach, and try to build some of these things directly into the building blocks.

In her latest book Digital Empires, Anu Bradford references the Chinese way, an autocratic government-controlled internet with the Great Firewall of China. They did it at such an early stage of the internet that they were able to do what they did.

Russia is trying to do it now. But Russia is not able to do it because for at least a decade and a half, the Russian Internet has been built on Western values. 

On surveillance, you begin your discussion in the book with the example of the devastating effects of the panopticon prison that was designed to keep prisoners under the impression that they are being constantly watched. Given the evolving nature of surveillance systems and concerns about privacy, would you say Indian policymakers and regulatory bodies have struck a balance between security interests and individual rights? Or are ethical concerns and consent less important components of the discussions around data governance?

The concept of surveillance and the boundaries of what is permissible and not permissible have evolved and continue to evolve. Surveillance is not the preserve of so-called autocratic governments. The number of surveillance technologies being purchased by illiberal governments from so-called liberal governments almost equals the number of liberal governments purchasing surveillance technology from illiberal governments.

Some states will say that they don't interfere with digital rights, France, for example. During  the recent riots, however, France decided to cut off the internet, because they said it was  resulting in agitations.

It is a difficult issue, for balancing national security versus individual privacy is a fraught subject. I don't think any country has got this right. 

The important thing is for countries, and all the arms of the government, to be completely mindful of the trade-offs that they make. Certainly, there is a need to catch a terrorist before he commits an act of terror, and so there is a need to track them. But on the flip side, you cannot, in order to catch terrorists, snoop on everyone's conversations. It is a very hard line to draw. 

People who are responsible for national security err in favour of less privacy; and vice versa, people who perhaps have the privilege of privacy because they're not in conflict zones, will err on the side of more privacy than national security. 

A classic case is Covid-19. In the beginning of the pandemic, everyone was happy that the government imposed strictures to keep us all essentially under house arrest. Everywhere, people felt it was the best thing. 

As time went by, people started chafing at it. As surveillance-like instruments were used, including in very liberal countries, there was  pushback. That shows you that even within the short span of an incident, our tolerance for surveillance changes. 

In the beginning, we thought surveillance kept infected people from being in contact with others, and that the government had a duty to keep them under surveillance. The contact-tracing apps were seen as the government doing what it could. The really important thing is that we need to keep this trade-off in mind

In India, I think the watershed moment was the [August 2017] right to privacy judgement. Many of us don't fully appreciate the impact this has had on the government. It may seem that the government is just as callous as it was to privacy before and after the judgement, but that's actually not the fact. The government is extremely mindful of the requirements of privacy. I know it as somebody who has worked with the government on trying to find these balances.

I worked on the Aarogya Setu app itself and I know that the app would not have been greenlighted if it didn’t address some privacy concerns within the technology itself.

People say Aarogya Setu still violated privacy for it pulled a lot of their data, but  that's the nature of the trade-off. In that particular time, the thinking was that we needed information about people so that we could try and curtail the spread. As we now know, from China's experience of having curtailed movement so radically and still being hit by a punishing wave last year, none of this was going to  work.

Hindsight is always perfect, but these are trade-offs that are really difficult to make; trade-offs are often made in the moment; very often trade-offs are made inaccurately. There are trade-offs by liberal and by illiberal governments alike.

And as far as India is concerned, all I can speak of is my anecdotal, firsthand experience that the Indian government is deeply mindful, much more so after the right to privacy judgement, of the need to make these trade-offs. As  commentators from the outside, what we need to do is educate the government on the points of these trade-offs, that this is what they risk losing if they go down this path, hold the government's feet to the fire whenever we can. 

Your book says that well-crafted DPI can make it difficult for repressive regimes to subvert the original purpose of those systems. And that democratic principles can actually be embedded directly into technical designs. Is that too much faith in technology?

Well-crafted, I said. Take the example of Russia that is trying to create an autocratic, China-type internet, and are struggling.  

You can say look, India's got an identity system that is running for 1.3 billion people, why don’t I sell it to your country of 200 million people? The only reason it's selling is because it is proven to run at 1.2 billion, but actually what you're selling them is a feature of technology that does not allow you to search the database.

That is the point that I make. It is an exhortation to governments that are thinking of going down this path. 

Governments typically hire vendors to build DPI. You can be sure the vendor is not thinking about this. The vendor is only looking to do the quickest solution, and search is a really quick solution. It's not necessarily a solution that aligns to our values. 

It is more difficult to build, it creates greater friction, but the design choice to ensure that there is no search is a very, very powerful feature that India's DPI can offer.  

Your book says journalists sometimes tend to exaggerate the implication of a data leak, but surely there's a need for more reliable privacy protocols. How should  individuals and communities converse with governments that might be sensitive  to criticism and demand more reliable privacy protocols? How do communities in a democracy build trust and confidence in governments whose solutions do end up endangering individuals or communities through leaks of data?

How do you build trust is such a big, open question. It’s very hard to answer how to build trust. But let me suggest a couple of solutions.

I've always written about this—it would be great if the government was more open about a lot of the security measures or even the mitigating efforts they are taking. It shouldn't have been up to me to write in my book and explain some of these things. I might have come off in the book as saying that the Indian government’s technology is actually really good, and not saying loudly enough that it is bad. But much of the reason I wrote the book is that I think no one has said this at all.

And there are features of this technology that I wish the government would stand up and say, look, this is the reason why it is safe. 

In the book, I write about federated data. The only centralised store of data in all of India's DPI is the core Aadhaar database, the CIDR (Central Identities Data Repository).

Other than that, none of India’s DPI works on the principle of aggregating all the data into a central location. All our financial information remains federated, it's in all the various banks, there is no central store of that information. Similarly, there's no central store of your medical information. Medical health data exchanges, the ABDM or Ayushman Bharat Digital Mission, the NHA (National Health Authority), are simply building pipes to connect various disaggregated stores of data.

So if you want a solution to massive data breaches, to me there is no better solution than to actually keep this federated. it is more difficult to do because whenever you need the data you have to fetch it from where it is, and that requires some amount of bandwidth uptime, and some design. But if you can build your system to do that, that is one alternative. 

The other alternative could be to build it such that when it is centralised , it is centralised in the hands of the individual. The health system is actually thinking of doing that in the personal health record (electronic health record or EHR), which will be stored in a sense in your own wallet. You have a digital wallet into which all your health records from your dentist to your pharmacist to everything can be pulled, but actually on the internet or in the ABDM, all of this information is only available by actually individually pulling it from a pharmacy or elsewhere, but we never centralised this into NHA. If there is a breach, if there's a breach of a hospital, then your medical information that is in that hospital may be breached, but not your medical information in  another hospital or in a pharmacy or in a diagnostic laboratory.

Data breach is a fact of life in an increasingly digital world. You can't eliminate data breach, you can at best mitigate it. That is the reason why we need cloud infrastructure so that we can partition our data, spread it around different locations around the world so that no one who breaks in can get all of your information. Frankly, this is the design that is core to India's DPI.

Why the government can't emphasise this, why I had to be the first one to write this in the book, I don't know.  This is really something that you can be proud of, it can actually build confidence in people who hear this.

I've spent a lot of time studying these systems. Disagree with me, say this is not enough, that is perfectly fine. But right now a lot of the conversations are happening from a place of, unfortunately, ignorance. It will be a more informed conversation if we can actually engage with the government and say, for example, that these measures are not enough. But first, everyone needs to get up to that level. The government is not doing a good job in explaining these things. If we did that, we would be able to build trust. 

There are some essential services, for example subsidised food, which lakhs of people continue to be denied today because there is a tech problem with either the biometrics authentication or because they don't have Aadhaar at all. There is an exclusion problem here, the government in its implementation of DPI appears to have not taken this into account. What is the solution, or do we have to just wait until everyone is included? 

There are now 1.37 billion people who have an Aadhaar, so the number of people who don't have an Aadhaar is dwindling. I think we're always going to have a long tail of people who don't have Aadhaar, but right now, for the majority, those are really young people who are perhaps not directly availing the rations. 

Let me address this in two separate parts. The first is, does everyone have an Aadhaar, and of course that is a problem that will approach zero, but will never completely reach zero, that's just the nature of it.

Many of the earlier cases that were spoken about were people who had just got their Aadhaar or their Aadhaar was not linked to the PDS system, or people had not yet got their Aadhaar, a lot of the early cases of exclusion were at that stage. 

With regard to the technology failing, I think the only solution is to use alternate means of authentication. The Aadhaar system is actually designed for many alternate ways of access—biometrics is just one. People like us who are privileged, perhaps have never used our biometrics. Most of us use OTP and phones.

Today, we have one 1.1 billion phone connections and 750 million smart smartphones, so we are now quite quickly approaching the number of people who actually have Aadhaar and have an alternate method of authentication. We have now Aadhaar-enabled offline authentication, a QR code-based, digitally verified authentication. 

The question is now will all the PDS systems align with these alternative systems of authentication. Of course, there's going to be a lag.

The reason why Aadhaar is a  biometric identity is not because of authentication, it is because of deduplication. It was extraordinarily difficult to deduplicate people because our base records were not reliable. Once you build a unique identity system, everyone on the system has to be unique. And the way in which to do that was biometrics. It’s therefore also possible to authenticate using biometrics, and when technology hasn't reached everyone, that is often the only method to authenticate.

The way to solve that is to proliferate other mechanisms of authentication. We have to keep trying new methods of authentication. If fingerprint and iris scans don’t work, face matches are also possible today. The  solution really is to continuously try and ensure that people can be authenticated. 

There are two flip sides to that. One, we say people were denied because their Aadhaar authentication didn't work, but the counterfactual to that is how many people were not getting their rations because they actually had no way to identify themselves? The pre-Aadhaar world  was rife with situations where village elders would aggregate all the rice and not give it to people in whose names it was collected. 

These are the sorts of counterfactuals that are really hard to prove. Has anyone counted the number of people who, thanks to Aadhaar, are now able to genuinely get things that they were not able to get earlier? Women’s World Banking has done some fantastic stories on the fact that we've bridged the gender gap largely because electronic transfer and Aadhaar-enabled payments system goes directly to women’s bank accounts.  

Again, I am not an expert in any of these things, but  I've studied reports by the World Bank, Women’s World Banking, Better Than Cash Alliance and others—they’ve all got a number of studies on the ways in which these have benefited people.

Have there been exclusions? Of course there have been exclusions. All  technology is imperfect. But net-net, is it  improving the situation of people?  Certainly we must improve the way in which these technologies work, but we can't say that look, the technology doesn't work. We can only do that if  X is the number of cases where it hasn’t worked and  X is greater than Y or the number of cases in which it benefits people. That is the question I think people need to think about.

(Kavitha Iyer is on the editorial board of Article 14 and the author of ‘Landscapes of Loss’, an award-winning book on India’s farm crisis. She is based in Mumbai.)

Get exclusive access to new databases, expert analyses, weekly newsletters, book excerpts and new ideas on democracy, law and society in India. Subscribe to Article 14.