Summary of stakeholder comments sent for InDEA 2.0

tl;dr

In January 2022, the Ministry of Electronics and Information Technology (“MeitY”) released a consultation paper on India Digital Ecosystem Architecture 2.0 (“InDEA 2.0”). Earlier, we provided a short summary of the 98-page consultation paper, focusing on data rights to help explain its main objectives. Subsequently, we also submitted our comments on the paper. Now, we are publishing a short summary of the comments submitted by other stakeholders, based on the RTI response we received from C-DAC.

Why should you care?

InDEA 2.0 is concerning, as its stated objective is “to facilitate a data economy and unlock enterprise value”. However, it stops short of explaining how this will be achieved, and offers no sources or underlying explanations. The document essentially says that our data is an “asset” and must be exchanged for “permitted commercial purposes” (Para 2.4.3). This means that our personal and non-personal data may be sold to the private sector. All of this is being done without legislative backing. In the absence of anchoring legislation such as a data protection law, the document fails to fulfil the threshold of legality put in place by the Supreme Court in the right-to-privacy decision.

What is InDEA 2.0?

India Digital Ecosystem Architecture 2.0 is a framework designed by the Indian government to provide a standardised and interoperable digital infrastructure for various government departments and agencies. It aims to facilitate the delivery of digital services to citizens in a seamless and efficient manner and to enable the sharing of information and data across various government departments. The InDEA 2.0 framework includes guidelines for designing and implementing digital services, data management, and security standards.

InDEA 2.0 is based on 27 principles organised into 5 categories: ecosystem principles, architecture principles, business principles, technology principles, and architecture governance principles. The principles aim to strengthen the ecosystem to drive interoperability and innovation further. The framework aims to generalise the principles from InDEA 1.0 and to adopt those on which other ecosystems like Aadhaar, GSTN and NDHB are built.

Summary of responses by Stakeholders:

Industry bodies:

Vodafone Idea Limited: Vi is an Indian telecom service provider. The Company provides pan India Voice and Data services across 2G, 3G and 4G platforms.

Vi India, in its submissions, called for creating a platform to address continual improvement and adaptation of new tech and market requirements. Vi India also suggested that two new identities viz., ‘Student ID’ and ‘Health ID’ may be created to help students and patients deal with multiple educational and healthcare institutions, respectively.

The submission made by Vodafone Idea Limited can be accessed here.

NASSCOM: Established in 1988, the National Association of Software and Service Companies (‘NASSCOM’ or ‘the Association’) is an Indian non-governmental trade association and advocacy group focused mainly on the technology industry of India. In its pointwise response to the consultation paper, NASSCOM has raised 6 issues with the current framework and made recommendations.

  1. On the role of the private sector, NASSCOM has pointed out that no rationale or explanation has been provided for why private sector participation has been limited to reference building blocks. It has accordingly recommended that the allocation between public and private needs to be revisited.
  2. On the issue of ‘financing the Public Digital Infrastructure’, the Association flags as a challenge the lack of any provision for funding, despite the apprehension of some capital costs.
  3. On the issue of Transition & Migration, NASSCOM has highlighted the challenge of legacy e-governance systems currently in use in most governmental departments. Accordingly, it recommends that the framework should also provide for a migration strategy.
  4. On Testing & Certification, the Association has raised the issue of lack of clarity on what the proposal refers to as Testing.
  5. On privacy and data protection, it underlines that the framework does not dwell on how these privacy and security principles will be operationalised.
  6. On Data Access & Sharing, it has pointed out that the framework does not refer to the National Data Sharing and Accessibility Policy (NDSAP), 2012. Therefore, it is unclear if it will conform to the principles laid down in NDSAP. It further suggests that the data-sharing principle, as espoused in the InDEA 2.0 framework, should align with the principles laid down in NDSAP, 2012.

The submission made by NASSCOM can be accessed here.

Tata Consultancy Services: Tata Consultancy Services (TCS) is an Indian multinational information technology services and consulting company. In its detailed comments on the draft report, TCS has made several recommendations, including:

  1. Information on upcoming registries being built under the InDEA 2.0 Master Plan and Architecture Patterns must be made available.
  2. On data-driven decision-making, it recommends standard datasets across sectors and domains should be leveraged.
  3. It suggests that as the digital ecosystem evolves, the stakeholders should be flexible to adopt the relevant architectural principles.
  4. TCS has highlighted that while Principle 2.1.4 mentions "Exceptions shall be justified", procurement departments may take this literally, and some best-in-class non-open-source solution components could be excluded unnecessarily.
  5. On the mandatory digital systems to be built on open source, TCS has requested more clarity on the definition and usage of open-source software (vs. freeware or community editions), as some of these products can be equally costly, if not more so, or may be stripped-down versions.

The submission made by Tata Consultancy Services can be accessed here.

Salesforce: As described on their website, Salesforce is a company that makes cloud-based software designed to help businesses find more prospects and close more deals. It provides customer relationship management software and applications focused on sales, customer service, marketing automation, analytics, and application development.

Salesforce has remarked on some key aspects of the policy as enumerated below:

  1. Cloud-first approach: Salesforce welcomes the development that policymakers and regulators worldwide are seeing the benefits of cloud while managing risks and competitiveness concerns.
  2. Security-by-design: Salesforce commended that the framework acknowledges and recommends security-by-design.
  3. Privacy-by-design: Salesforce believes it is crucial to ensure that data protection is built into every system, by design and by default, and that privacy considerations are adequately addressed throughout the lifecycle of a feature, policy, product, or technology.
  4. Public procurement: It highlighted that an existing order on Make in India (MII) by the Department for Promotion of Industry and Internal Trade, poses a challenge to the ability of most companies (both foreign and Indian) to bid for public sector contracts in software, due to a focus on the level of software content created locally.
  5. Data-sharing: Salesforce commends the approach which facilitates open government data sharing, with voluntary adoption among the private sector.

The submission made by Salesforce can be accessed here.

Crowdstrike: CrowdStrike Holdings, Inc. is an American cybersecurity technology company. According to their website, CrowdStrike provides security with the world’s most advanced cloud-native platform that protects and enables the people, processes and technologies which drive modern enterprise. In its responses, Crowdstrike has provided succinct comments on InDEA 2.0:

  1. Principles-Based Framework: On this, Crowdstrike states that it is critical to focus on internationally-accepted principles-based concepts rather than prescriptive technical requirements to enhance privacy while fostering technologies that secure personal data. It further suggests a risk-based approach whereby factors such as the sensitivity of data in question, the impact of a breach, and mitigation actions taken by affected individuals reflect the realities of a world where technological innovation advances at a faster pace than law.
  2. Security by Design: Crowdstrike suggests that one important element in this regard is the principle of least privilege. Least privilege seeks to limit the scope of any system, effectively limiting the impact (or “blast radius”) in the event of a compromise of a given credential.
  3. Data Portability: Crowdstrike’s comments on data portability state that in order to remain future-flexible, it is important to prioritize the goal of protecting data regardless of where it is, rather than equating data protection with restrictions on cross-border data transfers and data portability.

The submission made by Crowdstrike can be accessed here.

Civil Society organisations:

Centre for Internet and Society: The Centre for Internet and Society is a Bengaluru-based non-profit multidisciplinary research organization. CIS works on digital pluralism, public accountability and pedagogic practices, in the field of the Internet and Society.

CIS has made several comments and recommendations on the InDEA 2.0. Some of its recommendations are:

  1. Provide a detailed design of the proposed federated ID system, preferably with a working prototype implementation, so that researchers can better understand what is being proposed.
  2. Given the surveillance potential of ID systems, we should reduce reliance on individual consent as there is a vast informational asymmetry between the entities collecting data and individuals providing consent for use of their data. If such a system must be built, strong legal and technological restrictions should be placed on where it can and cannot be used before it is deployed. There should be public consultations on its appropriate use.
  3. Adopt a defensive approach when dealing with privacy, which accounts for things going wrong. As such, this identifier should be randomly generated and unique to every service that the individual interacts with to prevent malicious or intentional linking of disparate databases.
  4. The proposed use of ID registries that have user-controlled uniqueness, which allows for individuals to transact privately and remain anonymous, should be the mandatory default and not simply a recommendation.
  5. Conduct and publish a cost-benefit analysis of the proposed digitisation of existing ID registries for their participation in a federated ID system.

The submission made by the Centre for Internet and Society can be accessed here.

The Dialogue: The Dialogue is an emerging research and public-policy think-tank based out of New Delhi.

The broad recommendations it has made are:

  1. Clearly lay down the manner in which the usage rights associated with each open design will be determined, i.e. uniform standards that must be adhered to or access to be provided based on individual licensing agreements.
  2. The government must explore the adoption of legacy systems, such as GitHub or GitLab, that already have a large user base in India, rather than developing open databases like OpenForge that are riddled with issues like a complex user interface, broken web-links and poor community management.
  3. The framework should acknowledge that Federated Digital ID created through the integration of repositories can be used for authentication while accepting alternative legal IDs for the same purpose.
  4. For FOSS, it recommends creating a FOSS Alliance that can acquire funding and create a systemic feedback mechanism among stakeholders. It recommends that the FOSS Alliance should meet on an annual basis to evaluate FOSS practices.

The submission made by The Dialogue can be accessed here.

SFLC.in: SFLC.in is a New Delhi-based not-for-profit organization that brings together lawyers, policy analysts, technologists and students to protect freedom in the digital world.

  1. On Ecosystem Principles: There needs to be strict adherence to Open Source Policy and all systems should be open source to ensure transparency and accountability. At the same time, a Data Protection Law on an urgent basis should also be enacted to ensure that personal data is not misused.
  2. On Architecture Principles: Single source of truth and system of record mechanisms will require each federated entity to maintain aggregated data records. There is a lack of clarity on the mechanism to access these records of data among the federated entities. Therefore, we recommend clear and transparent data sharing mechanisms.
  3. On Business Principles: Considering the inadequacy of privacy laws mentioned in the DSS framework that InDEA 2.0 intends to adopt, there is a need to revisit the DSS framework or to include robust informational privacy principles within the InDEA 2.0 framework as there is currently no personal data protection law in place.
  4. On Governance Principles: It recommends that before the adoption of any data security mechanism it is imperative to conduct a cost-risk and benefit analysis of each alternative data security mechanism. Thereby, the priority must be placed on data protection principles. Additionally, when the government is the key driver of actual usage, emphasis must focus on high encryption, transparency, accountability, efficiency and state-of-the-art cyber-security practices.
  5. It further suggests that a broader and more adaptive approach be taken by the framework, wherein the digital ecosystems must be able to provide for new/modified systems in case the existing systems fail to adapt and become redundant.

The submission made by SFLC.in can be accessed here.

Important Documents:

  1. InDEA 2.0 Report Draft (link)
  2. IFF’s comments on InDEA 2.0 (link)
  3. IFF’s summary of InDEA 2.0 (link)
  4. InDEA 2.0 responses (link)