Other affiliations: Future of Privacy Forum
Bio: Malavika Raghavan is an academic researcher from London School of Economics and Political Science. The author has contributed to research in topics: Operations architecture & Payment. The author has an hindex of 1, co-authored 3 publications receiving 5 citations. Previous affiliations of Malavika Raghavan include Future of Privacy Forum.
TL;DR: In this article, the authors identify the most serious categories of AePS transaction failures based on data and conversations with four financial institutions with a combined presence across the country and highlight the impact on consumers.
Abstract: The Aadhaar enabled Payment System (AePS) has witnessed a surge in transactions during India’s COVID-19-induced lockdown. Many providers have pivoted to use of this system as bank branches experienced service disruptions in the early weeks of the lockdown, limiting the cash-out points in India. This coincided with a huge demand for cash withdrawals by vulnerable citizens in response to announcement of cash transfer schemes by Central and State governments. Many migrants who are part of the mass exodus away from affected cities have heightened reliance on wayside shops and MicroATMs to access cash. Worryingly, the rise in AePS transactions has been accompanied by reports of a spike in transaction failure rates. This has serious consequences for consumers who desperately need to access and remit cash to stay afloat in the crisis. Unfortunately, limited published evidence and analysis of the nature of these transaction failures exists. This policy brief identifies the most serious categories of AePS transaction failures based on data and conversations with four financial institutions with a combined presence across the country. To understand the levels at which these failures occur, the AePS process flow is described in Section 2. Section 3 describes our understanding of the main reasons for AePS transaction failures, especially in April 2020,and highlights the impact on consumers. Section 4 of this brief proposes some immediate and medium-term solutions for urgent discussion, given the enormous costs these failures externalise to the most vulnerable users of India’s financial services infrastructure.
TL;DR: An operational architecture for privacy-by-design based on independent regulatory oversight stipulated by most data protection regimes, regulated access control, purpose limitation and data minimisation is presented.
Abstract: Governments around the world are trying to build large data registries for effective delivery of a variety of public services. However, these efforts are often undermined due to serious concerns over privacy risks associated with collection and processing of personally identifiable information. While a rich set of special-purpose privacy-preserving techniques exist in computer science, they are unable to provide end-to-end protection in alignment with legal principles in the absence of an overarching operational architecture to ensure purpose limitation and protection against insider attacks. This either leads to weak privacy protection in large designs, or adoption of overly defensive strategies to protect privacy by compromising on utility. In this paper, we present an operational architecture for privacy-by-design based on independent regulatory oversight stipulated by most data protection regimes, regulated access control, purpose limitation and data minimisation. We briefly discuss the feasibility of implementing our architecture based on existing techniques. We also present some sample case studies of privacy-preserving design sketches of challenging public service applications.
TL;DR: In this article, the role of the Indian Central Bank in regulating information flows through account aggregators is investigated and the issues that emerge for regulatory consideration, by tracing the evolution of the RBI's regulatory approach to Account Aggregators.
Abstract: This paper seeks to understand the role of the Indian Central Bank in regulating information flows through Account Aggregators. These are licensed entities exclusively dedicated to collecting, retrieving and sharing customers’ financial information with other financial entities with the customers’ consent. By regulating Account Aggregators as non-bank providers, the Reserve Bank of India (RBI) has opened up many foundational questions for Central Banking regulation. This paper investigates the issues that emerge for regulatory consideration, by tracing the evolution of the RBI’s regulatory approach to Account Aggregators. It then considers the regulatory approach taken by the Kingdom of Bahrain and the European Union (EU) to regulate “account information services” pursuant to broader Open Banking mandates. The analysis is used to respond to the central question driving this enquiry: Should Central Banks regulate and enable the flow of personal information? In doing so, the paper addresses the RBI’s approach in the Master Directions on Non-Banking Financial Company - Account Aggregator, 2016. We propose specific changes to anchor the Master Directions to the Central Bank’s core mandate and objectives, and to harmonise it with the broader regulatory rubric for data protection in India.
TL;DR: The Digital Person: Technology and Privacy in the Information Age by Daniel J. Solove as mentioned in this paper is an excellent survey of the state of the art on privacy in the digital age.
Abstract: The Digital Person: Technology and Privacy in the Information Age Daniel J. Solove. New York: New York University Press, 2006. 290 pp. $29.95.Daniel J. Solove, like most contemporary writers on privacy, offers a sky-is-falling perspective on privacy in the modern paperless, transactional age. Due in part to the rise of so-called "digital dossiers" and perhaps, in the opinion of the reviewer, due in part to apathy, Solove observes recent developments as a new paradigm of the privacy problematic. The goal is "to rethink longstanding notions of privacy to grapple with the consequences of living in an information age" (p. 2). Much of what is covered here is not new. As Solove comments in his introduction: "There are hundreds of companies that are constructing gigantic databases of psychological profiles, amassing data about an individual's race, gender, income, hobbies, and purchases" (p. 2). Although the combination of private and public information "has long been viewed as problematic" (p. 6), Solove never adequately explains why or moves beyond the obvious: Marketing, credit, and related research companies have been engaging in such practices for years; in fairness to Solove, perhaps the difference is capacity to collect, to share, to compile, etc. This is the power of "aggregation" which contributes to the inability to assign adequate value to personal information. Though Solove does not make the connection, this may be a key to understanding the power of apathy or more kindly the unawareness that immobilizes individual responses to personal privacy protection. What is new is that "beyond articulating a new understanding of contemporary privacy problems" Solove attempts "to demonstrate the ways that the problems can be solved" (p. 6). After observing traditional conceptualizations such as big brother (Orwellian, pp. 29-35), secrecy and invasion (though he uses the idea of invasion to describe both), Solove claims to use a new Kafkaesque metaphor of irresponsible bureaucracy (pp. 36-41).On the way to this metaphor, Chapter 2 recounts the rise of public and private sector databases and the new uses of the web as a point and source of data collection. Chapter 3 reviews various metaphors and views the ultimate harm as one affecting human dignity through misjudgments, diminished capacity to participate, and unfairness (perhaps unevenness is more descriptive) in the collection of information. Chapter 4 reviews the inadequacy of the private (traditional tort and more recent statutory sector by sector approaches) and public law of privacy in the United States. …
TL;DR: A case study of the incorporation of Aadhaar, the world's largest digital identity platform, in India's primary food security scheme is conducted, showing how the incorporation produced degenerative effects in the access, monitoring, and policy layers of the social protection system.
Abstract: Digital identity platforms are widely regarded as important means to improve social protection systems. Yet these platforms have been implicated in the production of a range of unintended outcomes for development beneficiaries. To clarify how digital identity platforms enable the production of one such outcome that we call degenerative, because it causes target systems to deteriorate, we conduct a case study of the incorporation of Aadhaar, the world's largest digital identity platform, in India's primary food security scheme. Based on the data from two South Indian states, we show how the incorporation produced degenerative effects in the access, monitoring, and policy layers of the social protection system. These effects lead us to theorise how Aadhaar enabled the degenerative outcome via exclusion, distortion, and redirection, making public distribution of subsidised goods displaceable in favour of cash transfers.
01 Jan 2010
27 Jun 2022
TL;DR: In this article , the authors propose a joint research agenda on digital identity, datafication of the Global South and adverse digital incorporation, which groups together researchers from ICT4D and critical data studies.
Abstract: The fields of Information and Communication Technologies for Development (ICT4D) and critical data studies have been historically distinct from each other, each bearing different histories and research foci. However, recent evolutions of ICT4D have problematised the focus on “development” that originally characterised the field, and shifted to an approach that openly embraces themes proper of the newer field of critical data studies. In this paper, after outlining the conceptual evolution of ICT4D, we note its new intersection with the themes and problems posed by critical data studies. To detail such an intersection, we offer a joint research agenda – on themes of digital identity, datafication of the Global South and adverse digital incorporation – that groups together researchers from the two fields. By doing so, this paper sets the basis for a conversation between ICT4D and critical data studies, a conversation that can generate epistemological growth for both fields.