00:00
Hi everyone, welcome to the LAOT Podcast. I’m Bharati and I have with me Sohina, Saranya and Harshitha. Today we have the privilege of having a conversation with none other than Mr. Rahul Matthan. Mr. Matthan is a founding partner of Trilegal and heads their TMT practice. Mr. Matthan has also helped craft India’s privacy laws and has served in committees like the Gopal Krishna Committee on Non-Personal Data, as well as the RBI Committee on Household Finance.
00:29
He doesn’t just pen legal briefs, he’s also a dedicated blogger and author. He publishes weekly articles on his blog Ex Machina, which I’m personally a big fan of. It’s a Web3 newsletter and you could actually mint NFT off of it. He’s authored the book Privacy 3.0 and most recently The Third Way, which will be the focus of our conversation today. He doesn’t just wear a lot of hats. He collects them like trophies.
00:58
In addition to being a legal and policy stalwart and incisive writer, Mr. Matthan is a coffee connoisseur, a wildlife photographer, and even has a song out on Spotify. So grab your favorite brew, which if you were Mr. Matthan, you would source from a friend’s roastery in Auroville, settle in and get ready for a conversation that’s sure to enlighten and inspire. Mr. Matthan, we are so very excited to have you on board, sir, and welcome to the show.
01:27
Thank you. Thank you very much, particularly for that effusive welcome. I don’t think I’ve ever been introduced with that much diversity and variety, so thank you. You flatter me too much.
01:41
Digging right into our conversation, we want to start with some background on your book, The Third Way. Could you explain the three ways of data governance, the context in which each of these evolved, and what the Third Way really is? We’re also curious to know what prompted you to write this book at this juncture.
Yeah, so the reason for the book was to try and make sense of
02:08
the place that India’s digital public infrastructure holds in the larger ecosystem of data governance, if in fact it does hold such a space. And then to sort of articulate that in the context of all of the things that have come before this. And so, in order to do that, one of the things that I looked at was really the evolution of the way we think about
02:38
regulating the internet and all the data that goes on it. And as it happened after I completed the book, I realized that there was another book that was written on the same or similar subject called Digital Empires by Anu Bradford, where strangely she speaks about three digital empires. And it just so happened that the three empires were the US, Europe and China.
03:07
Whereas in my book, The Third Way, the three ways are the US way, the European way, and the Indian way. And so clearly there’s a bunch of different people thinking about a similar idea, come to similar conclusions, though slightly varied in terms of participants. So, what exactly are the three ways? Let me just talk about the two ways that Anu and I agree on before I move on to
03:37
speak about the third way as compared to the third digital empire. The first way really relates to how the internet came about. Right at the beginning when the internet started, it started in the US. And so, people needed a way in which to define the rules of the road as it were. And at that time, there was this belief that there is sort of no difference between
04:06
doing things online as compared to doing things offline. And so, if there are people who post comments on your website, that you should be liable for whatever it is that they say in much the same way as a publisher of a newspaper is liable for what it publishes in its pages. And at that point in time, that continued to be the way in which we functioned.
04:33
Arguably, we would not have the internet as we do because it was a very nascent industry. It was being managed by people pretty much as a hobby in their spare time. And if we hadn’t protected them in some way, I doubt that the internet would have reached the place that it has today. And so, in the US, section 230 of the Communications Decency Act created what is well understood as this concept of internet exceptionalism.
05:03
This idea that there is a different set of rules that we need to apply to the internet. As a result of internet exceptionalism, we ended up with a lot of protections granted to tech companies. And as a result, the first way ends up being that the private players that actually provide us access and allow us to…
05:31
avail a number of services on the internet, the ones that write the rules of the road, as it were, for the internet. Now, as a result of all of this, we saw a lot of, I guess, negative consequences. You know, you see the rise of this concept of surveillance capitalism that Shoshana Zuboff talks about. We see the rise of this concept of attention economy, the fact that private companies through which we access the internet
06:00
are in many ways fighting with each other for our attention, resulting in all sorts of negative consequences. And so you see the pushback to this. And that pushback comes from Europe, which starts to impose regulatory fetters on the operations of technology companies. And so the second way very much is the rise of the regulatory state.
06:30
It starts with GDPR, which is currently the gold standard of data protection regulation that imposes a whole set of restrictions on what people can and cannot do with data. And so over and above the rules of the road that private companies lay down in their terms of service and privacy policies and all of these various things that for the longest time were really the only rules of the road, you also have the rules that states impose. The GDPR is one.
07:00
Ever since then, Europe has come up with its own digital strategy, which encompasses a whole range of other things, the Digital Markets Act, the Digital Services Act, the Data Act, the Data Governance Act, now very recently the AI Act. And there’s a whole framework around how regulations will really determine how the online world functions and how data is governed. And in the context of both of these, I think it’s important to.
07:27
also mentioned what Anuradha talks about is the Chinese model. The Chinese model in her framing of it is a very state-driven model, a model where the state actually controls the private companies. And so you have the private sector actually operate a lot of the infrastructure that people are using in China, WeChat, Alipay, et cetera.
07:57
The private sector, private or in name only is the allegation. It is very much under the control of the state. And so that’s certainly a different lens. But the lens that I approached this from was to, in a sense, look at the ways in which we actually implement the regulation. And the first way, which is the US way, is that data governance is implemented by private entities that are building up the infrastructure.
08:26
And they are saying that these are the things that you can and cannot do on the infrastructure. The second way is the regulatory underpinnings of the way in which this work are being dictated by the state. But the state really doesn’t have anything in its arsenal other than a regulation to say that you must do things in a particular way.
08:56
Since they do not have an infrastructure, they don’t have direct control over the infrastructure, the ways in which they can give effect to this new architecture is by actually trying to enforce rules and regulations. We realize that there is a significant lag in that whole process. One GDPR took maybe a decade to actually come into force. It was negotiated for a long time.
09:25
And it was enacted in 2016 came into effect only in 2018. And by the time it came into effect, there were a whole range of other things that are required. So you can see that there’s a long lag between the time new technologies come and regulations are brought into to regulate them. And so the idea was that there needs to be some other way to do this. And I think the other concern really with regulation is that if you focus on regulation,
09:54
it is also possible that you could stifle innovation. And so how do we manage these two? Which really brings me to the third way, and the idea that is it possible for us to build an infrastructure, a common infrastructure, on which regulators can regulate and innovators can innovate? If we have the ability to do something like this, essentially what we will have is
10:23
an infrastructure that regulators can have direct control over so that regulatory policies can be implemented with very little lag time. But at the same time, it’s an infrastructure on which private entities that are looking to innovate can actually innovate because the infrastructure quite clearly describes in code the restrictions that they are subject to.
10:52
And as a result, as long as they just comply with those restrictions, comply, when I say comply, get their code to conform to the limitations that are imposed on the way that code performs, that is in the context of the infrastructure itself. Then absent that or outside of that, they can innovate to create various products and services. Now, this theory, this concept is not a new concept.
11:22
In the book I reference Lawrence Lessig’s very important work that he wrote, I’m going to say, almost 25 years ago called Code and the Other Laws of Cyberspace. In that book, he pretty much articulated this very same philosophy. But it is in India’s digital public infrastructure that through the course of the book I described how in India we have actually built what I think is…
11:52
the start or the initial design of just such an infrastructure, a infrastructure on which regulators can regulate and innovators can innovate. So this essentially is what I think is the third way. I think in India, we have over the last 15 years, part by part built this into this current infrastructure. And having built this, I think it’s certainly
12:21
something that we can export to the rest of the world, this idea of the DPI approach. And that’s what the book seeks to articulate. Sir, I think even when reading the book, the most interesting aspect to me was not just that data regulation goes through these phases, but also how they might potentially intersect with each other. As you mentioned, India is one of the pioneers of the third wave.
12:51
But we also have our own data protection laws, which are in part inspired by regulations like the GDPR. Therefore, do you think for different sectors like artificial intelligence or established social media platforms like Facebook built under the first way regulatory regime, we would need different regulatory approaches right now? Yeah, I mean, to be clear, the third way is not, the suggestion is not that
13:20
we do not have rules and regulations. I think laws, rules, regulations are absolutely necessary because in order to understand what it is we embed into the technology infrastructure in the third way, we need to have the legal principles articulated quite clearly in the laws and regulations that the country abides with. And so I think the,
13:50
statement that you made is actually quite accurate. There is an overlap between all of them. I think it is important to allow the private sector the ability to write certain rules off the road. As long as they don’t write all the rules of the road, we will be fine. I think the problem with the private sector is that the private sector often responds only to shareholder or internal stakeholder.
14:19
incentives, they have no desire to respond to long term societal interests. They will respond to long term societal interests only when they align with their stakeholder interests. And that’s exactly as it should be. I don’t mean that as any kind of a negative. And so we need to ensure that where there is a societal interest that needs to supervene over a stakeholder interest, that that is implemented.
14:49
Other than that, we need to allow the private sector to do what it needs to do to be able to innovate because it’s out of the private sector innovation that we’re going to get all of the various products and improvements and advancements that we’re going to have. So there is certainly a space for that first way to operate. The second way, which is the regulation, as I said, on the one hand provides you with some sort of clarity as to what needs to be embedded into the code.
15:17
But over and above that, I think is actually quite important because a lot of what is carried out through that secondary is within the purview of various states and their rights as sovereign entities to decide what can and cannot be done. We cannot remove that from them. So you’re absolutely right. I think there is a gray area at the intersection of
15:47
all of these different approaches. The only reason to call out the third way in this manner is because many people believe that there are only two ways. The one way is to allow the private sector to innovate and let’s not interfere with them. The other way is to have the rules and regulations expressed in such microscopic detail that companies know exactly what they can and cannot do.
16:17
And most people think that these are the only two options before us. The idea for writing the book was to say that there is a third option. There is a third way to think about data governance. It allows you to achieve the objectives of both. It takes a little bit of effort. It takes a little. It requires you to create some of these infrastructures. But once you’ve done it, that it offers you additional tools as it were.
16:46
in your toolbox to achieve the societal objectives that you have.
16:52
Your point is well taken sir. On that note, what factors do you think drew or led India to the DPI ecosystem as opposed to other jurisdictions like the United States or the European Union? And additionally, what are some core design elements which can be built into DPI which makes it different from other forms of digital infrastructure built by the private sector? I mean the history of India’s DPI has been well documented and.
17:21
the objectives are well understood. I think it starts with Aadhaar in 2008, 2009 time frame. The objective behind Aadhaar was to provide everyone in the country a unique identity. But in its design, Aadhaar was not like every other identity. It was a purely digital identity, which was also interoperable, which meant that
17:49
the identity that you have provided could be accessed on a digital interface, which gave rise to various use cases such as authentication and KYC, which eventually were very useful in rolling out bank accounts to people who didn’t have bank accounts because of EKYC, much more simplified form of the Know Your Customer regulations.
18:14
that allowed more people to be brought onto the financial system than would otherwise have been possible and at a much lower cost, which meant that the common saying is that India didn’t take banks to the villages, but we certainly did take banking to the villages. And that has resulted in what the BIS describes as the single largest growth in inclusion in the financial sector that has ever happened in a two-year period. Every second bank account that was opened in the world was opened in India.
18:45
And that led to the digital payments explosion that we have seen today, today UPI clocks in the region of 12 billion transactions a month. It is by far the largest digital payment system by volume anywhere in the world. And its stated objective is to try and get to a billion transactions a day, which when they first announced it seemed ludicrous. Today seems to be quite
19:14
achievable. And like this, there are a number of other digital innovations that India has made under the rubric of what is now commonly, after the G20 particularly, understood to be digital public infrastructure. This includes open transaction networks, ONDC and the like. It includes the entire data empowerment and protection architecture, which allows for consented data sharing
19:43
various data silos under the consent of the data principle. All of which has, the objective of all of this is really, on the one hand, to allow data and digital technologies to empower people in a way that was perhaps not possible without the evolution of these systems. And secondly, to offer
20:13
a some way in which the country could, in a sense leapfrog traditional stages of evolution. The best example of this really is financial inclusion. The Bank of International Settlements in a paper said that India achieved in nine years what would otherwise have taken 47, and that it is almost entirely due to the innovations in DPI that
20:42
have resulted in this. So the second part of your question is, what are the elements that go into the design of DPI? And there are many in the book I refer to a few. The core element of digital public infrastructure is that it is an open, interoperable modular system.
21:11
The Architecture of DPI is open so that people can connect to it. These are not proprietary solutions that you need a license from a private sector entity to access. They’re interoperable in that one particular DPI or digital public good can interoperate with others. This allows you to create stacked.
21:40
layers. We speak a lot about India stack, but that is the core element. One of the analogies is Lego blocks. If you think about each DPI as an interoperable component, just think about it as a Lego block and you can layer many Lego blocks on top of each other to create a house or to create whatever it is that you want to create. And that’s what DPI is all about. One of the best examples of that is during COVID, we needed to
22:08
do direct benefits transfers to a number of people, it was possible for us to set up an infrastructure to do these direct benefits transfers very, very quickly, I think, probably in the span of a couple of weeks, precisely because we had DPI that was designed to be interoperable. We could very quickly put them together such that these DBTs could be done at record time. I was in a meeting
22:35
with the US Secretary of the Treasury. And in the US, many years after COVID, there was still the COVID checks that had to reach various beneficiaries were still being mailed to them. And so you can see just the difference between having a modular, interoperable Digital Public Infrastructure.
23:05
and not even in the arguably most developed nation in the world. And there are many other such elements to the design. One of the others that I speak about is federated design, which India’s DPI has been designed around. Essentially, federated design keeps data at the edges or keeps data close to where it was collected. And we, rather than centralizing
23:33
the data build pipes to ensure that the data can be accessed as and when required. This of course has various cybersecurity benefits, but also it has a significant data protection benefit in that it limits the surface of attack or even the impact of any attack to the particular data silo that was impacted or not all of the data. And so in the book, I argue that we must
24:01
As we think through this, we must appreciate and understand these elements and try and build DPI so that they align to these elements. And then later on in the book, I talk about how some of these ideas and lessons could also be used for data governance. On the point of DPI having these core design elements, could you explain what the potential for DPI in India is?
24:30
beyond UPI and identification systems. For instance, we noticed in a blog post of yours that you drew a parallel between Aadhaar and Worldcoin which is sort of a global identification system, noting how Worldcoin has not been ambitious enough and can aim to do much more than just identifying human actors. In that vein, could you explain what more we could do with DPI beyond Aadhaar?
24:56
There are many, and I think we’re already implementing a lot of them. I’ll just give you an example of a few. I think you mentioned identity. And closely alined to identity is credentials. So one way to understand that is an identity system tells you who you are. A credential system tells you what you are. And it is almost equally important.
25:22
for both systems to exist. An identity system will uniquely identify you so that benefits entitled, that you are entitled to reach you and aren’t diverted to someone else. But a credential system will certify your eligibility for certain things. And if you think about a credential system, your driver’s license is a credential system, which gives you the ability to drive a vehicle. Your, during COVID, your COVID certificate was a credential.
25:51
which gave you an entitlement to access certain areas, including planes. And there are many other credentials. So for instance, in the skilling ecosystem, your credentials will define your level of skill. From a developmental context, this is very relevant because a carpenter from Rajasthan who is looking for work in Telangana, if he moves to Telangana, as far as everyone knows, he’s just a carpenter. They don’t know that he’s a.
26:21
grade A carpenter who’s highly skilled, there should be some way in which we can actually, in addition to carrying his identity, also attach his credentials to it. And in India, Digilocker, which is, it’s a surprisingly underappreciated digital public infrastructure at this point in time. I think there are something like 250 million people who are using it. There are somewhere close to 7 billion documents on it.
26:50
And this is fundamentally a credentialing system. And we can see how, even though this is not being used for that farmer use, that carpenter use case that I said, you can see how this sort of a system can form the basis of many of these sorts of benefits. And we should certainly not only leverage this particular infrastructure, but build infrastructure like this to address some of these issues and challenges. And then there are…
27:19
you know, various other sorts of systems that have been built. The open transaction networks that I mentioned earlier, the Beckham protocol, which has given rise to ONDC, which is the open network for digital commerce, is another implementation of this, essentially allowing people who want to make transactions to perform and complete those transactions without the need for a platform intermediary.
27:49
Now, this, of course, has very significant anti-monopoly consequences, but also has very unique use cases. So for instance, as important as it is to have vertically integrated commerce providers, like Flipkart and Amazon and all of these entities, it is equally important to have some other type of solution for hyperlocal commerce, for things
28:18
Which is specifically regionally relevant and perhaps for other kinds of use cases. For instance, let’s just take renewable energy and distributed storage and use of renewable energy. Right now, we’ve got a lot of rooftop solar. We’ve got a lot of electric vehicles that essentially are large batteries that store a lot of energy that could be used at down times.
28:47
But what we lack is some sort of a protocol that would connect these various sources of energy to persons who are looking to use that energy when the grid is not available. And we could, just as the Beckham protocol connects buyers to sellers, it could connect persons that are in need of energy to persons that have excess energy capacity, in the way that I described.
29:17
And so we can build systems around this. We could use leverage some of this for, you know, some of the problems with AI. How do we get data sets to people who need them? There are a number of such use cases. And I think that the power of the DPI approach is that what is presented to people to innovators is, I guess, the different building blocks and the ways in which
29:46
to connect the building blocks. And then it’s left to the various innovators to find ways in which to connect them, to yield these solutions that perhaps the creators of the DPI never envisaged would be solutions that would come up. And that really is how this should work. I don’t think we should go into building DPI thinking that there is one and only one way in which it will be deployed. I think it would benefit us much more.
30:14
if we actually allow multiple different use cases to occur.
30:22
Sir, listening to you highlight the different benefits DPI could bring, I am curious to know your take on a recurring concern regarding the degree of governmental control over the infrastructure itself. Taking a step back, who is it that actually builds, maintains and regulates the DPI in India? Is it predominantly the state or is the private sector also actively involved in the process? If it is predominantly state controlled, how do we ensure that there is consistent innovation of the DPI?
30:52
No, so look, I think because the third way, in a sense, is a balance between the first way and the second way, we’re going to need to strike that balance in the most appropriate way. And so on the one hand, we know that we cannot allow private actors to have complete control over the infrastructures that we use on a daily basis for payments for.
31:19
you know, exchange of data and things like that, because we’ve seen the harmful consequences of that. We also know that we can’t have the state control this infrastructure because the state is terrible at innovation. And so if the state is the only way in which we get access to things, it’s going to ossify and it’s going to, you know, provide us with some optimal outcomes. And so really, the third way is an attempt to balance these two extremes.
31:49
And so, even as much as the state has control, the state doesn’t have control over every aspect of the infrastructure. The state has control over the core protocol, which is essentially the basic elements that are required for that particular DPI to work. So just take the example of UPI. The state will prescribe what the protocol is for UPI. And essentially, the UPI protocol will describe how people will transfer messages from the state.
32:18
one person to the other that will result in the bank account of person A being debited and the bank account of person B being credited by the exact same amount at the exact same time so that it looks like money has actually passed from one person to the other. But in actual fact, there’s just been a debit in one place and a credit in the other through this messaging system. That’s utterly reliable. And so that’s all that the government prescribes.
32:47
Now, on top of that, the private sector can do all sorts of things. And the private sector has done that. PayTM came up with this innovation called the Soundbox, where it created a small device that is sold to various people at a very nominal price that receives the message of the completion of the transaction and speaks it out in whatever vernacular language the person wants it in. And as a result, in a
33:15
crowded street market, people can use UPI, regardless of level of literacy, by the way, but more importantly, regardless of just the form factor of it. And the moment the payment has been made, can hear the soundbox actually saying that this payment has been received, this is the amount that’s been received, so that you know that in fact, the vegetables that you’re selling have been paid for, and you can hand it over to the person.
33:44
Now, this sort of innovation did not come from the government. This is the sort of innovation that actually came from the private sector. The reason why it came from the private sector is because all that the government did was prescribe the basic protocols. It said nothing about what else could be done with it. And there are many other instances like this. So I would say that it is a fine balance. I think that at some point in time, some of these innovations that bubble up from the private sector perhaps need
34:13
incorporated into the architecture of the platform protocol itself. Because if we can do that, we can ensure some sort of a consistency across the ecosystem. One example of that is Bharat QR. In order to have people transfer money very quickly from one person to the other, you could, of course, tell them what your VPA is, which means if they understand what your VPA is, they can transfer money to you. But that’s cumbersome.
34:43
And a lot of deep apps came up with this idea of having a QR code. But then Google Pay had its own QR code, and Phone Pay had its own QR code, and WhatsApp had its own QR code. And that meant that you would need to sign up to different QR codes in order to get money in different places. But Bharat QR took the idea of QR codes and brought it up to a single.
35:10
unified kind of a standard where a single QR code could be read regardless of what the platform was that you are accessing it from or that I am receiving it in as a UPI recipient. So that there’s just one QR code today that we need to worry about, which is why if you go to shops today, you may see two or three different POS machines to receive credit
35:39
accept payments from any third-party application provider app and it would get transferred into your bank account. So these are just some examples of how I think it’s important to keep balancing these two things. You need to make space for the private sector to innovate but you need to have the regulator sort of figure out how to conform this intervene at some point in time to
36:09
try and provide new efficiencies in the market, but at the same time not intervene so much that it stifles innovation. This is one of those things that you just have to, as the Chinese say, feel the pebbles as you walk. It is just one of those things that you have to say, look, this is the objective, but we don’t know.
36:39
how much to regulate or how little to regulate until we are actually faced with the circumstances for which we need to put the regulation. And I think that’s sort of the way in which DPI and the DPI approach needs to proceed.
36:56
Sir, even if there is a healthy balance with respect to governmental control in the DPI, concerns over personal data protection have exacerbated in the recent past. There have been data breaches, as in incidents like the COVID data leaks. In your book also, you address these challenges and to rebuild trust, you mention a strategic overahaul of digital systems as a potential mitigator of such possibilities. On that note, I would like to shift the focus.
37:23
to the buzzword of last year and this year, which is the Digital Personal Data Protection Act. How promising do you think the Data Protection Act is in addressing these concerns?
37:37
So the Digital Personal Data Protection Act is actually quite a law. It’s quite aligned with what the objectives are for the DPI approach. I think first, it is the sort of data protection law that is, I think, around the world recognized as one of those which are aligned with GDPR, and at least to a large extent aligned
38:07
the principles by which data protection is governed around the world. So I think the first thing to state is that, at least for the most part, there are some exceptions. There are some things that don’t align. But for the most part, this is aligned with the way the rest of the world does data protection. Since the act was enacted, I’ve spoken at various international events.
38:33
events and that’s been endorsed by people from around the world. And I think much of the focus is on those few things which diverge. But more importantly, since the DPDP Act has been written in the Indian context, it makes reference to certain things which are uniquely Indian and also uniquely aligned with India’s digital public infrastructure approach. In particular,
39:01
The reference to consent managers, which everyone seems to assume has a particular connotation in the European or in the GDPR context, but we all know refers to the consent manager in the Indian framework that has been first implemented in articulation in the financial services sector as the account aggregator.
39:30
have also been referenced in the context of India’s national health architecture and the consented medical data sharing framework. So I would say that the reason why DPDP is so relevant is that it is at the outset a
40:00
But also it is particularly relevant to the Indian context because it does at least consider and incorporate the provisions that were aligned with India’s approach, the DPI approach. So in a sense, it marries these two in regulatory framework. It gives legitimacy to this regulatory framework.
40:28
Of course, we need to see how this will be implemented, because while the act has been enacted and notified in the Gazette, we’re still waiting for the rules. And a lot of the clarity that we need on a lot of things, even including some of the things that I’ve mentioned, will only be available to us once we’ve seen the details of the rules. But we’re all quite hopeful of the law from this perspective that it does address these two things.
41:00
Just to press a little bit on the DPDP Act, one thing you’ve spoken about is the wording itself, which is data principle and fiduciary and not subject. Do you think there’s a broader shift in the attitudes of the state as well as Indian society on data governance, especially drawing from your experience with the initial drafts of this act?
41:22
Yeah, look, I think there’s been clearly, from the first time that I started working on data. There’s been a sea change in people’s approach to data protection. The very first draft that I worked on was in 2012. And at that point in time, we had to do a lot to convince the government that there was a need for data protection and privacy. And you’ve got to understand that this came in the backdrop of the fact that for a decade before that, the government had been criticized for not being transparent in its actions. And so, the government is going overboard to try and be more and more transparent about its actions. In some instances, that transparency was to such an extreme that in the efforts of being transparent, they were disclosing a lot of personal data about citizens in ways that would certainly be contrary to what anyone beliefs is in line with data protection standards around the world. So, my initial interactions were very much colored by that perspective. And then, of course, we had Aadhaar. We had the Supreme Court judgment, both the right to privacy nine-judge bench as well as the other five-judge bench, all of which
42:56
focused a lot of public attention, judicial attention, and executive attention on the idea of data protection. And I think that, coupled with just a whole host of other issues, very much changed the perspective and the thinking in India around data protection, to the point where, as much as people may think otherwise,
43:22
Today, in my interactions with the government, I know that it is very much something that the government is focused on. The government is constantly concerned about the ways in which these tradeoffs have to be made. And look, just to be completely clear, all of privacy, all of data protection, in fact, all of policymaking is a tradeoff. And as much as we want to provide…
43:51
a lot of privacy and data protection protections, all of them come with trade-offs at every point in time. And so those are trade-offs that need to be navigated in societal interest, in the interest of just healthy commerce, in personal interest as well. But I think that from about a decade and some ago, when I first started doing this to now,
44:21
there has been quite a significant shift in the way in which people think about it. I think there’s always room for improvement, there’s always things that people get wrong now and we would be perhaps happier if it ended up in a particular way rather than the way it did. But as a result of I think a lot of these steps in this evolution, I think we’re certainly in much different place from what we were a decade ago.
44:53
Thank you for your insights in the act, sir. Circling back to DPI, what are some core challenges that you foresee for the scalability of the third way and DPI in India? And how do you see DPI addressing these challenges as it grows both nationally as well as internationally?
45:17
I think the challenge with DPI and actually with all technology is that we have to recognize that the technology is only relevant in the first the context in which it is actually working. And one of the problems with technology that’s been around now for a decade and a half is to keep it constantly current and relevant to what is currently demanded of those technologies. And since the protocols are in the hands of government, since government, as we have described before, doesn’t move very fast, as much as this is an improvement on the alternative, which is that the government would just
45:51
prescribed rules and regulations, and it would take a long period of time before those were properly converted into code, and therefore to the ways of working of the digital world. I think the risk of having the protocols ossify is actually quite significant. So I think what we’re seeing is that,
46:18
What we did up until now, which was create this framework, allow innovation to happen. I think the next stage of this would be for us to figure out how to keep the protocols updated. And by updated, I don’t mean that it’s outdated. I just mean that, look, as and when new innovations, new market innovations come up, we need to find a way to incorporate the best of those innovations into DT. It’s not like we’re not doing it. As I said.
46:47
There are a number of innovations that have been elevated, like the Bharat QR and things like that. But it’s important to make sure that this continues to happen. And if there’s one thing I worry about, it is this side of it. In the book, I mentioned the need for technical standards organizations, just entities that are keeping an eye out for these new technical standards that should be incorporated.
47:15
so that they can actually help the government in deciding version two or version three of the protocol to make sure that it is technologically salient in the current context. I think the globalization of the DPI idea, of the DPI approach, which was very much the focus of India’s G20 presidency, is actually quite significant. There is.
47:43
a need for a number of countries around the world to improve their development and to improve it at a pace which is far faster than what happened in the developed world. And if we look at the developed world today, 50 years ago, they were very different from what they are right now. But it took them 50 years and sometimes in some instances took them even a century to get to where they are. We cannot afford.
48:09
to allow those timescales to continue to persist for many parts of the world. And DPI and the DPI approach offers a way to accelerate and leapfrog that development. And so I think from a international perspective, regardless of what political decision countries eventually come to, I think it’s important for countries to be aware of the DPI approach. I think the DPI approach offers them
48:39
an ability to do the things that they want to achieve for themselves, but do that with full sovereign control and also do that in a way that aligns with the sort of democratic interests that I think, democratic principles that I think the rest of the world adheres to. And so I think that offering these solutions as an alternative is extremely, extremely powerful. Not to mention
49:06
An example of India’s soft power in that India has built these systems. India is happy to share these systems with the rest of the world. By saying share these systems, it’s not necessarily give a copy of UPI to someone, but just the way in which you should go about thinking about building a digital payment system. A lot of the principles that I had spoken about can be, it doesn’t have to be the exact UPI design. It could be something similar, but something that adheres to these principles because
49:36
after many years of using it, we’ve realized that these principles work. And we have many experiences that we can share with other countries. So to me, I think this is the natural evolution of DPI as we take it global. And then finally, your question on emerging technologies. I think the most exciting emerging technology that I think is relevant from the DPI perspective is probably artificial intelligence. I think.
50:04
There’s a limit to how far the infrastructure can penetrate. For that next level of penetration, all the way down to individual homes, perhaps, or individual outcomes is another way to think about it. Educational outcomes, developmental outcomes, et cetera. Artificial intelligence is really going to play a big role. I can see how this will work in a country like India, where we’ve got 22 official languages, 150
50:34
active languages and maybe 3,000 languages in total, that having artificial intelligence help us with language translation will certainly benefit the vast majority of the people in this country. There are many other implementations of artificial intelligence that could be useful for educational outcomes, targeted educational plans.
51:02
are responsive to learners at different stages of their journey in order to bring them back on track, to bring them up to speed with where they should be in their learning journey for their age and their circumstance. So these are the sorts of things that I think we can build DPI for the platform, the framework, the content. But you need artificial intelligence to actually take it that next level further.
51:32
such that people can see it. So this is a very exciting time that after a decade and a half of building our BPI that we have with large language models, just this ability to now take this to the next level, which is really interesting.
51:52
As we near the end of the podcast, sir, we’re also curious about your personal engagement with technology. With its rise all around us, you express concerns about losing the very essence of human communication and knowledge.
to seemingly innocuous means, going beyond the usual tropes. In your 2022 Ex Machina blog post, Cycles of Technology, you’ve also discussed avoiding algorithmic curation for your own personal media consumption, which I personally do too and am quite curious about. How do you think we can prevent the erosion of our humanness and retain the essence of knowledge and communication that you’ve cautioned against losing? On a slightly unrelated note,
52:29
I’m also curious about your work stack because you’ve mentioned Obsidian in your latest article, but then there’s also mentions of Tana from 2019 and other softwares such as those. So could you also tell us a little bit about that?
52:55
Oh, before that, and there’s an article somewhere, I used Roam. So, you know, I constantly evolve my tech stack and I’m constantly thinking of new ways in which to optimize.
52:59
what I have. It’s not a path that I recommend to people unless you’re willing to deal with the kind of disruption that comes from constantly evolving your tech stack, but it sort of works for me. So yeah, just in terms of the tech stack that I use, I keep looking for new innovations, new ways in which I can improve just the process of knowledge curation.
53:29
and also forming my own worldview, which is shaped by the things I read, the discussions I have, as well as many of the reflections that I personally make on all of these things. And so in order to do that, I think at least for my workflow, I like to read a lot, and then I like to reflect on what I’ve read, sort of connect.
53:55
what I’ve read to something I might have read previously or heard previously. And that’s what gets reflected in my notes. And really, whether I use Tana or I use Obsidian or I use LogSeq, which I endowed with for some time, or Roam, which was really the first network note-taking app that I use. And before that, Evernote and various other technologies that I’ve used. Essentially, those technologies are just the tools. They’re just the tools.
54:25
They’re just the repository as it were, or the ways in which I do this. But the process of thinking is something that’s remained consistent throughout that, which is essentially finding connections between things that perhaps without deeper reflection may not seem connected, but which in fact are connected. And those sorts of connections help us get a better understanding of the world.
54:54
And that, of course, informs the various things that we do. Look, I mean, as far as technology and losing your humanism, it’s really very difficult to try and figure out exactly what it is that you need to do, what the path is that you need to take. To be clear, I use all sorts of things. If recommendations pop up on the internet,
55:23
Amazon as to what the next book is, I’ll happily take it. Because very often, these recommendation engines are remarkably accurate. And they surface things that are actually things that I should be reading. Forget about that I would like to read, but very often, it surfaces up things that are absolutely part of mandatory reading for me. But I think in the article that you referenced,
55:52
The point I was making was that sometimes these algorithms, as much as they can surface things that are necessarily reading for you, they sometimes go down too deep into the rabbit hole, which will leave you consuming more and more of a single type of content. And as I said, my whole point in life is sensemaking to get a better understanding of the world and that better understanding is not going to come from reading more and more.
56:22
books about the intersection of law and technology, it could come out of understanding the history of music or understanding what, as David Deutsch talks about, what is a bad explanation and what is a good explanation so that we can better understand the fabric of reality, not just from a quantum sense, but also just from a sense of philosophy and the philosophy of science.
56:52
the history of human interactions. And it’s only when you can actually read all of these things that you can make this bigger argument and have a better sense of how some of these small things that we’re talking about in the law, technology, society, space intersect with the larger canvas on which we’re living our lives. And it’s in that that I think sometimes the algorithm
57:22
does us a disservice. And so I think the real answer is certainly listen to what the algorithm says, because the algorithm throws up things which are interesting and valuable. But at the same time, also reach out to other sources of curation. And there are many that exist today. There are a number of newsletters, there are podcasts where you can actually hear authors talk about the books that they’ve written.
57:51
And a lot of these are curated by human beings. And if you have a sense of what that human being is interested in, you’ll find that the curation that that human being does aligns with what your particular view of the world is. But most importantly, I guess, speak to friends. I mean, you’ve got a community of people who you actually know. The reason why you know and continue to speak and hang out with them is because they are interested in things that interest you. Leverage off of that.
58:21
and get the recommendations from there as well. I think the only purpose of that article was to sort of say that as enticing as all of this is, Spotify recommendations are absolutely great. I’ve learned a lot of new music just going down that path. It’s so easy to just say, look, I want to listen to something new, create a radio channel.
58:49
that is similar to such and such and you get really really good music. But some of the best music recommendations I’ve got have been from friends who, you know, the other day someone introduced me to a Grateful Dead album that I’d never heard never heard of. Now I used to love Grateful Dead when I was in school, still love them, haven’t listened to them a lot, so Spotify doesn’t throw them up. But an old friend said, look there’s this new album that’s come out, or there’s this album that’s come out that you haven’t heard. And
59:19
And I think that’s sort of the thing that I think we at least need to make space for. I think that it’s so easy for us to just be seduced by the algorithm that we forget that these other sources exist. And that was just a plea to remember that those things are still valuable and that we should make space for them as well.
59:42
Thank you, sir. In the spirit of great book recommendations, to all our listeners, we would definitely reading the book third way. The book further delves into the DPI with a lot more discussion on privacy and consent, the broader history of data regulation, and some extremely interesting examples of data privacy, which we may not have been able to explore in this episode. It is surprising to see that we’ve witnessed Digilocker and UPI become such a regular part of our life. We’ve never quite realized the widespread ramifications it could have in the future, an aspect which the book covers
01:00:18
a lot greater in depth. Thank you once again, sir, for giving us your time in what must be a very busy schedule. This was an excellent conversation and I’m sure all our listeners will also find it to be extremely insightful. Thank you once again.
1:00:36
Thank you very much. Very glad to be here and thank you for doing this.
[…] Posted byRahul Matthan, Bharati Challa, Saranya Ravindran and Sohina Pawah […]