Public infrastructure is a set of systems and facilities that are essential for the functioning of a society and its social and economic activities. While roads, dams, and bridges are examples of physical infrastructure, digital public infrastructure (DPI) refers to technological infrastructure on which one can build digital services and support governance.
It is made up of a physical layer, which comprises routers, servers, and more, as well as an apps layer that includes payment networks, digital identity systems, and consent systems.
In 2023, India hosted the G20 with two working groups—Digital Economy Working Group and Global Partnership for Financial Inclusion—dedicated to discussions on DPI. These discussions brought DPI to a global centre stage and contributed to its universal definition, as well as the understanding of how it can be best leveraged and the role it plays in inclusion.
The New Delhi Leaders Declaration, a joint statement by member states of the G20, envisions DPI as a means to enable public service delivery that should be built on “open standards and specifications, as well as open-source software”. These characteristics are emphasised to ensure that ecosystem players can innovate by combining various services to make DPI accessible to the public.
However, in practice, there is evidence of DPI falling short on some of the promises it makes. A persistent digital divide across the country’s marginalised sections further exacerbates this. According to Oxfam, 70 percent of the population in India has poor or no connectivity to digital services and only 38 percent of households in India are digitally literate. Privacy and data concerns also arise as various DPI-based technologies become data fiduciaries, which can lead to challenges. Data fiduciaries are entities that determine the purposes and means of processing personal data.
In this article, we explore what DPI is, its application and use cases, how it is governed in the Indian context, and the obstacles to its implementation.
What is DPI?
Since the onset of the internet age, countries around the world have been enhancing their digital capabilities. However, creating digital solutions and assets for individual sectors or projects is an expensive endeavour. It involves building new systems, processes, and capabilities each time.
In the late 2000s, there was a collective realisation that it would instead be more efficient to build a shared digital infrastructure that could be combined, reused, and leveraged for various projects and across sectors. Imagine constructing various shapes and objects with a handful of Lego blocks; these Lego blocks are DPI because they are interoperable (able to exchange information). They are blocks upon which larger applications can be built.
The various applications of digital infrastructure include digital payments, digital identification, data sharing systems, and data protection systems that obtain user consent for a secure connection. DPIs by nature can interoperate with one another and help build various applications and use cases for the government as well as the private sector.
DPI is typically designed to be open access so it can be used by public and private players, but the openness of the specifications varies based on the funding that the infrastructure receives, and the privacy and security it has to maintain. The birth of DPI in India can be traced back to 2009 when the Unique Identification Authority of India (UIDAI) was established to run the Aadhaar programme, which collects biometric data to eventually enable delivery of government services and welfare schemes.
This development was spearheaded by India Stack, a digital ecosystem that helps build the infrastructure (and application programming interface or API) required for DPI. It works in three main areas: the storage of biometric data that is used for identity verification for public services delivery (Aadhaar); storage of digitised credentials (DigiLocker); and digitisation of transactions and payments (Unified Payment Gateway or UPI). Privacy and security of personal data is an integral part of all DPI applications.
What are some applications of DPI?
One important application of DPI is to enable delivery of essential government services without barriers. For instance, an infrastructure that holds digital identity and personal credentials can be leveraged to avail welfare schemes without large amounts of paperwork.
Let’s consider the example of Ayushman Bharat Digital Mission, which aims to improve the efficiency and transparency of health services in India. Those who enrol for the scheme are allotted a unique identification number, which allows them to store and access their medical records in one place and share them with healthcare providers.
In the education space, Digital Infrastructure for Knowledge Sharing (DIKSHA) is a DPI built with the objective of providing educational resources to students, teachers, and others in the education ecosystem all over the country. Launched in 2017, DIKSHA has been adopted by several states and union territories and has e-content available in 32 languages.
In the e-commerce space, Open Network for Digital Commerce (ONDC), launched by the Ministry of Commerce and Industry, is a digital network that displays products and services from all participating e-commerce platforms that are a part of its network. This means that consumers and sellers don’t need to register on multiple e-commerce platforms to buy or sell products. Sellers are visible no matter which platform they have registered themselves with, as long as the platform itself is connected to the ONDC network. For instance, Mystore as a platform is connected to ONDC; sellers registered with Mystore can be found by anyone using ONDC. This helps small artisans and sellers, even farmer producer organisations, be visible to buyers and consumers at a low cost.
Since DPI is fairly recent, policymakers believe there are several potential use cases in other spaces that can emerge in the coming years. A UN report highlights how DPI-based online dispute resolution systems can help extend access to justice to people who are currently unreachable through the formal judicial system.
Who governs DPI-based applications?
Being open source, inclusive, universally accessible, and accountable are critical for DPI to be successful. Regulations are imperative to ensure that these are reflected in DPI’s application on the ground.
Currently, individual DPI-based technology is governed, regulated, and bound by the sector it exists in and the extent of public–private partnership it relies on. In India, based on these factors, two models of governance have emerged. In the first, the DPI-based application is overseen by a relevant statutory body set up by the government. An example of this is Aadhaar, which is governed by the UIDAI, a statutory authority established under the provisions of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.
In the second, the DPI-based application is governed and regulated through a nonprofit. For example, UPI is owned and operated by the National Payments Corporation of India (NPCI), which is registered as a Section 8 company, that is, a nonprofit. Since private partnerships with banks and non-banking financial companies are essential to the working of UPI, the board of NPCI comprises heads of banks, academics, as well as government representatives. NPCI prescribes rules, regulations, and guidelines for UPI. Since UPI is part of the heavily regulated finance sector, its interface is monitored by the Reserve Bank of India.
In addition to these, all DPI-based technology is bound by the Digital Personal Data Protection (DPDP) Act, 2023. This act lays the grounds for protection and processing of digital personal data. When designing a DPI-based application, compliance with the DPDP Act is necessary. This means creating grievance redressal mechanisms, upholding the user’s right to erase or update data, and so on.
Different regulation models are applied depending on the nature of the DPI-based application. Market-driven applications such as UPI that require public–private partnership usually follow the Section 8 (nonprofit) route. Service delivery–driven applications such as Aadhaar follow the statutory body route. The applications are also bound by any sector-related laws and norms.
Since DPI is still in the early stages of development, newer models of governance may emerge over the course of the next decade. These should account for regulation at multiple stages. According to a study by Digital Empowerment Foundation, this entails establishing a regulatory body with representatives from government and civil society organisations, domain experts, and citizen representatives at state and centre levels. The presence of such a body can help examine new DPI designs and evaluate their use on the ground.
What are the challenges to the implementation of DPI?
1. Data collection and privacy
Any DPI application that collects vast amounts of personal data can be classified as a data fiduciary. There have been multiple instances of cyberattacks and threats to India’s digital payment systems including, but not limited to, phishing and vishing attacks, hacking of payment databases, and malware attacks. In fact, approximately 50 percent of retail financial frauds can be traced back to UPI.
These leaks are not restricted to payment gateways. Aadhaar data has been exposed and breached multiple times through various government websites, faulty software patches, and hacking of databases that store this data. In 2023, personal details of more than 80 crore Indians were leaked from the database of the Indian Council of Medical Research and sold on the dark web. This contained information from Aadhaar cards, phone numbers, passport details, and health records.
Furthermore, 11 percent of cyber financial scams in 2023 originated from an Aadhaar-enabled payment system—a payment service that allows bank customers to access their bank account through Aadhaar authentication. It is evident from such examples that DPIs don’t have enough safety measures to protect people from financial and identity frauds. Citizens who are less digitally and financially literate are more prone to such attacks. This problem is aggravated when user training on the various technologies is absent.
Privacy was also raised as a concern in the case of K S Puttaswamy v. Union of India, which brought the Aadhaar Act 2016 under the scanner. The Aadhaar Act assigns unique identity numbers to individuals after collecting their biometric data and enables them to avail welfare schemes, among other things.
The 2018 case argued that making Aadhaar mandatory for welfare schemes and service delivery will not only expose citizens to security breaches but also exclude people from accessing welfare schemes. However, the Supreme Court ruled in favour of the Aadhaar Act. The court also upheld the right to privacy as a fundamental right and, as a result, barred private companies from using Aadhaar for authentication.
In 2019, the Aadhaar Act was amended against the court’s judgement, allowing private parties to access Aadhaar data. The amendment is being criticised as it is believed to pose a threat to citizens’ civil liberties, and a case against the amendment is currently pending in the Supreme Court.
2. Exclusion from service delivery
Although DPI aims to promote inclusivity and boost the country’s economy, it still excludes from service delivery those who are unable to access digital services. Only 52 percent of India’s population has access to internet services. The divide is widened by pre-existing economic, social, and geographical inequalities. Seventy percent of overall internet users are urban and 57 percent of total users are male. This is particularly concerning considering approximately three quarters of the population resides in rural India.
To avail digital services, people also have to rely on third-party vendors or service providers, which can exacerbate pre-existing social inequalities. An example of this is when the Government of India launched the CoWIN portal as part of its vaccination programme during the COVID-19 pandemic. Registration on the portal was essential to get the vaccine. However, marginalised populations, those residing in low connectivity areas, and those who didn’t own smartphones struggled with this. The portal was also heavily criticised when it first launched in January 2021 because it was available in the English language alone. It was only in May 2021 that the portal was made available in five regional languages.
Many welfare schemes such as the distribution of subsidised food grains and employment and pension services require Aadhaar authentication. While on paper this is supposed to ease service delivery, in practice the Aadhaar authentication fails at various stages. Poor network connectivity, smudged fingerprints, wrong data entry or deletion of beneficiary names, and fraudulent enrolment in schemes are just some of the ways in which authentication becomes a barrier for people. The myriad issues also make it painful for them to figure out the source of the problem. They are then compelled to either take help from social workers, pay intermediaries, or visit government offices, Aadhaar centres, and banks, which proves to be an additional burden.
The Union government also made the Aadhaar-based payment system (ABPS) mandatory for payment of workers under MGNREGA. According to data released in December 2023, 89 million of the total registered workers and 18 million active workers are ineligible to be paid under ABPS. To be eligible for payment under ABPS, a worker’s job card and bank account must be seeded with their Aadhaar. But due to the discrepancies stated, workers face problems in linking their Aadhaar card, leading to the deletion of their MGNREGA job card. Such exclusion from welfare schemes directly impacts the livelihood, income, and rights of marginalised people, creating a stark power imbalance.
3. Unclear policy and regulation
As mentioned above, many DPI-based applications are governed by Section 8 companies. This is done to ensure that profit is not a motive when outlining regulations and norms for the application. However, a large amount of private interest poses a challenge to both privacy and regulation.
For instance, DigiYatra, an app to facilitate contactless air travel, is run by DigiYatra Foundation, a nonprofit built on public–private partnership. As a result, it does not come under the purview of the Right to Information Act, 2005, leading to questions about data storage and privacy of the users of the app.
While DPI and the technologies it enables have the potential to ease services, especially public service delivery, its implementation is riddled with unique obstacles. Furthermore, various DPIs in different sectors currently work in silos, and information or new learnings from one sector are not being shared with another. In order to overcome some of the aforementioned challenges, this needs to be addressed, interoperability standards need to be built, and governance models need to be evaluated.
Halima Ansari and Srishti Gupta contributed to this article with inputs and insights from Apar Gupta and Osama Manzar.