Privacy International raises concerns over IndiaStack & UPI for establishing financial identity

Privacy International, an international organization which advocates the right to privacy, has raised concerns and criticized IndiaStack, Aadhaar eKYC, and the Unified Payments Interface (UPI). To recap, IndiaStack is a set of software APIs which includes Aadhaar Auth, eKYC, eSign, DigiLocker, GST Network and the UPI, which is crucial for the government’s Digital India programme.

In a report titled “Fintech: Privacy and Identity in the New Data-Intensive Financial Sector“, Privacy International examines the role of IndiaStack, eKYC, and the UPI in building a financial identity by fintech companies and the impact it would have on a person’s privacy.

“We urgently need a critical analysis of identity in the financial services industry. It is this industry that is producing many of the most interesting developments in the field of identity. These developments have consequences for privacy, both in terms of the increased intrusion of the data feeding into identities as well as the consequences these identities have for privacy. This means that a focus on this emerging sector is particularly informative and valuable,” the report mentioned.

The report took notice of two major software layers in the IndiaStack while creating a financial identity:  Aadhaar KYC and the UPI. It took notice of Aadhaar e-KYC played in the Jan Dhan financial inclusion programme.

“It is important to understand how Aadhaar creates this financial inclusion: by the creation of vast amounts of personally-identifiable data. As the former chairman of the UIDAI, and the “father of Aadhaar” Nandan Nilekani puts it, India will go “from being data poor to data rich” in the next few years. At the heart of this is a plan for India Stack; as we shall see, its goal is to make India a “data-rich” nation,” it noted.

Here are some of the criticisms it noted:

1. IndiaStack’s volunteers 

The report raised some questions on who is building IndiaStack. Remember, IndiaStack is a volunteer-driven organization where they develop software APIs which will eventually use the Aadhaar database maintained by a government body, the UIDAI.

“Having India Stack as a product produced by a group of ‘volunteers’—rather than, say, within the UIDAI—has certain advantages from their point of view: they do not have to operate transparently, there is no requirement for them to be subject to rights to information legislation or procurement rules. Thus, this important initiative—potentially as important as anything coming from government ministries—is not subject to that degree of oversight,” the report noted.

2. Scope of eKYC changed

The report noted that the scope of Aadhaar eKYC changed over the years which put people’s privacy at risk. Under the initial implementation of the Aadhaar database had only a single purpose: do the biometrics of a person match those stored for their Aadhaar number? 

“So, when someone is seeking to authenticate their identity using Aadhaar, they do so either with their biometrics (either a fingerprint or an iris scan) or through a one-time pin (OTP) sent to their registered mobile number. This is checked against the data held in the Central Identities Data Repository (CIDR) database, and the reply is done on a “yes/no” basis: an individual’s Aadhaar number, and their biometric data or an OTP, is transmitted to the CIDR database, and an answer of only “yes/no” is returned,” the report said.

A legislation was drafted in 2010 called the National Identification Authority of India Bill where it stated that no other information other than the yes/no response could not be given. “However, this version of the legislation failed to pass both houses of the Indian parliament, and did not become law,” it said. 

Another legislative bill was drafted by the current BJP government in 2016 called ‘Targeted Delivery of Financial and other Subsidies, benefits and services Bill’ or better known as the Aadhaar Act.

The report took cognizance that the bill was introduced as a money bill where it could bypass the upper house of legislature where the BJP did not have a majority. The money bill only needs to pass in the lower house of Parliament.  “Rather than simply being the yes/no response originally proposed for Aadhaar, this Act allows: ‘any other appropriate response sharing such identity information excluding any core biometric information,’” the report said. 

“Thus, the nature of the Aadhaar system—and thus the relationship of people with the CIDR database—has changed, with a questionable amount of democratic transparency. This has facilitated an increase in the use of Aadhaar in the financial sphere, as well as elsewhere.” the report stated.

3. Scope of the UPI expanded

The report also said that the UPI, a payment infrastructure, has shifted power towards financial institutions and banks via the collection of more data about the transactions of Indians.

It does note that the UPI allows for some limitation of information disclosure by linking the bank accounts to a virtual payment address (VPA) where individuals don’t need share bank account numbers with one another but it also increases potential for additional data processing.

“The Chief Operating Office of NPCI, Dilip Asbe, described the goal of the UPI as “unlocking [the customers’] data footprint via data APIs”. The NPCI sees the data produced by the UPI as an opportunity for banks to understand more about their customers, as well as to develop credit histories to be used for lending,” it said.

Indeed, the Reserve Bank of India appointed a task force for developing a Public Credit Registry (PCR) in India. The public credit registry will have unique identifiers for borrowers: Aadhaar for individuals, and Corporate Identification Number for companies. The new PCR  is also looking to build credit profiles using “reputation collateral” for first-time borrowers by keeping a track of their digital transactions. 

4. Alternative credit scoring

The report also provided examples from three fintech companies which were building alternative credit scoring and loans in Kenya – Tala, Branch and M-Kopa – which mine for personal information on texts and social media. In Kenya, M-Pesa has become ubiquitous the report notes that M-Pesa produces a vast amount of data for its telecom operator Safaricom and these fintech companies are piggybacking on the data generated.

“Each of the millions of transactions that take place a year tell a story. They tell the story of how the small business is operating: the money they’re sending to their suppliers, the transactions that are taking place. But it tells other stories as well: the money that comes in and then is sent to the hospital. The school fees paid by the biological father, unknown to anyone except the mother, father and Safaricom …. However, the details of any transactions are sent, unencrypted, by plain SMS. Even if M-Pesa transactions themselves are sent via secure and encrypted means, the account information is not,” 

Tala’s app asks for a wide range of permissions, including access to installed apps, contacts, precise location via GPS, the content of SMS messages, and the call log. Tala says that one of the key pieces of data they analyze is SMS messages of M-Pesa payments. It takes it further, “For example, Tala analyses call logs: their analysis has found that people who make regular calls to family are 4% more likely to repay their loan. To do this analysis, they need to know who your family is: from the content of text messages that call someone “mama”, and the pattern of calls,” the report adds.

In India, there are companies such as LoanMeet which are practicing invasive methods to collect information on users.

At a pitch demo, today in Bangalore, the CEO of @loanmeet proudly claimed that their app secretly downloads all your contacts. That way if any of their borrowers fail to pay, they can call anyone in their contacts. This is a serious breach of privacy and is illegal.

— Brajeshwar (@brajeshwar) November 28, 2017

Meanwhile, Branch and M-Kopa, in addition to SMS information, takes into account social media profiles while developing credit histories. Both of them involve users giving permission to Facebook profiles including friend lists. In India, there are companies such as EarlySalary which asks borrowers to sign in with their Facebook credentials. EarlySalary builds a credit profile based on 800 data points. The company explained that the algorithms also take into account a customer’s Facebook friends while building a profile. It also indexes a company’s employees on social media and takes into account whether the company is paying salary on time.

Also, read:

– #NAMAPrivacy: Setting up purpose limitation for data collected by companies

–#NAMAPrivacy: The role of app ecosystems and nature of permissions in data collection

– #NAMAPrivacy: Rights-based approach vs rules-based approach to data collection