Such seems to be the fate that awaits the sun that had positioned itself right at the centre of India’s digital ecosystem, India Stack. Appearing seemingly out of nowhere around five years ago, India Stack quickly became the gravitational centre around which India’s banking, telecom and fintech planets started revolving.
Such was the power of India Stack that multi-billion-dollar businesses could be created, or destroyed, based on their knowledge and access to the APIs—‘application programming interfaces’ are software functions that allow disparate applications to talk to each other and exchange data—provided by India Stack.
Jio, India’s newest and most disruptive telecom player, owed its fast growth to its ability to authenticate new customers via Aadhaar’s eKYC, an online authentication mechanism linked to people’s unique Aadhaar IDs. PhonePe, the Flipkart-owned runaway success in the digital payments space, owed its rapid rise to its early work and access to UPI, a real-time money transfer protocol.
Both eKYC and UPI were powered by India Stack.
But on 26 September, India’s Supreme Court sucked away the fuel that was powering India Stack – Aadhaar.
A five-judge constitution bench that was hearing a slew of legal challenges to India’s unique ID project for years, finally held that Aadhaar was legal and that the government could continue to use it to identify citizens to deliver services.
But the same bench also struck down the entire section in the Aadhaar act that allowed private companies or entities its use and declared it “unconstitutional” for good measure.
Barring a series of legal miracles from a government that’s in its final year, India Stack’s fate seems sealed, albeit over a period of months, maybe even a few years. And with it, dozens of startups that had based their entire business models around it.
“There are no two ways about it: India Stack and its whole Aadhaar authentication project is dead in the water,” says a Delhi-based lawyer with a prominent think-tank, who did not want to be quoted because of the sensitivity of the judgement.
Aadhaar, India’s unique ID project, was the foundation for India Stack’s ambition in more ways than one. First, by acting as a unique key that would identify all digital transactions made by Indians. And second, by creating a critical mass of data on each user by virtue of both the government and hundreds of private companies demanding it for pretty much anything a user wanted to do. Like opening a bank account, getting a credit card, changing your mobile operator, buying stocks or mutual funds, or even hiring a cab or a share bicycle.
Emboldened by its rapid ascent, India Stack had been working on creating many more “stacks” for other verticals. “Health Stack” was the next big project, something that’s been in the works for nearly two years. Its goal was to tie in patients and their health records, insurers, hospitals, doctors, and government-sponsored health schemes into a common platform.
Take away Aadhaar and all these stacks lose their reason to exist.
“Aadhaar was India Stack’s version of a digital Google ID. The idea was to use your Aadhaar as a digital passport. That ambition is curtailed and is not possible now. iSpirt [Indian Software Products Industry Round Table, a think tank that evangelises India Stack] will now need to assess how to implement India Stack,” says Prasanna S, a lawyer who aided the petitioners on the Aadhaar cases in the Supreme Court.
This existential threat was something India Stack was aware of. It had even bandied together a few dozen startups in January this year to appeal to the Supreme Court that private companies be allowed to use Aadhaar. The Supreme Court didn’t seem to have paid their arguments much heed.
“This judgement also comes partly in lieu of the fear that UIDAI, or the commercial forces behind them, were trying to monetise this whole database,” says a senior official in the Ministry of Electronics and IT, or MeitY. He requested not to be named.
Even after the judgement, iSpirt continues to insist that all was well. It put out a long-winded post saying “Why the SC ruling on ‘Private Players’ use of Aadhaar doesn’t say what you think it does”. Except, it does.
“For companies that continue to interpret the judgement the way iSpirt is doing, they will end up facing contempt of court. In this scenario, executives can be arrested. All operation will have to be completely stopped. I don’t think VCs understand yet the full import of what might happen if they continue to back businesses who insist for e-KYC. The government will be more than happy to throw these companies under the bus. In time, there might be an attempt at enabling a provision, or a law, which will also be tested. But the reality is that you can be held criminally accountable if you’re in contravention of the judgement,” says Raman Chima*, a lawyer and policy director at Access Now, a global non-profit that advocates for an open and fair internet.
That opinion is borne out by other lawyers, too. “Even if companies claim that they are using their customers’ Aadhaar with their consent, given the wording of the judgement, it’s still unconstitutional. It’s illegal because the judgement clearly states that this use might lead to unwanted profiling for business interests,” says Praavita, a lawyer and member of the Rethink Aadhaar Campaign, an advocacy collective known for its strong views against the Aadhaar project.
A stack for everyone
At its core, India Stack is nothing but a set of APIs whose architecture is designed by iSpirt and other private companies and then given to different government entities to run.
It starts with a “presence-less layer” that lets government agencies and companies use Aadhaar as an authentication mechanism, so users can prove their identities any time and any place with consent. Then there is the “paperless layer” involving Aadhaar eKYC, e-signatures and a Digilocker, a secure cloud storage facility where official documents can be saved.
Then comes a “payments layer” involving Aadhaar Bridge Payments and Aadhaar-Enabled Payments Systems, methods to make or receive payments using Aadhaar authentication.
And the final layer is one of electronic consent, which was still in the works as the Supreme Court judgement came out.
Based on multiple conversations with lawyers, policy experts and entrepreneurs, all parts of the stack that touch Aadhaar is now endangered.
The first to go—and the one that will hurt the most—is the Aadhaar-based eKYC. 69% of startups that were doing KYC (Know Your Customer) for their customers were using Aadhaar eKYC, according to a 2017 Yes Bank survey.
Even if the government brings in a law that enables fintechs to use eKYC, sans the mandatory linking of Aadhaar to bank accounts and mobile numbers (which was also struck down), eKYC becomes less useful.
“India Stack loses its essence without Aadhaar because now, people won’t link Aadhaar to most things,” says a payments executive who requested not to be named. “If users don’t seed their Aadhaar number with bank accounts and mobile numbers, it is pointless even if a law enables it.”
Then comes the eSign part of the stack. Arpit Ratan, the co-founder of Signzy, a digital signature provider, said that to be able to digitally sign using Aadhaar, he requires an eKYC check from UIDAI. That’s not allowed any more.
Users of the Digilocker service hitherto got 1GB cloud storage space to store documents that were linked to their Aadhaar number. But with mandatory linkage disallowed, this, too, is gone. The scope of Digilocker also included requesters of documents like employers and financial service providers. But now they cannot request those documents as long as they’re linked to an Aadhaar ID, points out Jyoti Panday, a policy researcher at Indian Institute of Management Ahmedabad’s Center for Telecom Excellence.
“The tripartite of Aadhaar, mobile phone and banks is what connects every citizen to India Stack. India Stack may claim it is public goods but that area comes with responsibility and accountability which are lacking in the ecosystem. Similarly, it is not clear which parts of India Stack are purely functioning at the infrastructure layer and which are solutions developed by private players,” she says.
“The core APIs are held by private players but are aided and abetted by the state. Though they say they are public goods, their APIs are not a public good,” she adds.
In many cases, the APIs though conceptualised by iSpirt, continue to be partly or fully-owned by others. For instance, the UPI APIs are claimed by a Kolkata-based RS Software that makes custom e-payment solutions, while the Aadhaar Authentication APIs were created by IT firms Mindtree and Accenture.
The other troublesome part of India Stack, she adds, is that the architecture, instead of being a purely market-based solution, is becoming mandatory for the digital economy.
This begs the question, for an institution that is neither government-owned nor government run, how did it become central to India’s digital economy?
The future is bleak
Ironically, for all of iSpirt’s avowed goals to level the playing field for Indian startups, it may end up doing the exact opposite.
Multiple sources say the government is currently focusing on legislation that enables regulated private companies to be able to access Aadhaar data. This means telecom operators, banks and those in other financial services under the purview of regulators like Telecom Regulatory Authority of India and The Reserve Bank of India. In almost all cases, these are either large incumbents or large, well-funded late-stage startups. And the “non-regulated” entities left aside will be smaller startups.
“The ultimate business pitch by companies was that they had the benefit of using e-KYC. Companies like PhonePe might be able to move on since they already have collected and used this data, but new businesses won’t have that advantage. Aadhaar was the trusted system they built their companies around. Now they can’t do that,” says the Delhi-based lawyer mentioned above.
Even if the government does manage to bring in legislation to allow the use of Aadhaar, its scope will be severely curtailed.
“It’s legally possible to introduce legislation through an ordinance route to open up Aadhaar for private entities, but based on particular use cases where the use is for a public good,” says Arghya Sengupta, founder and research director at Vidhi Legal, a policy advisory group considered by many to be the shadow authors of the Aadhaar Act.
“It is a blunder and a wishful reading of the judgement. The only way private sector companies are going to be able to do e-KYC now is perhaps when the Parliament or state legislatures pass separate laws for each purpose of use. And if that legislation can demonstrate that it is simply impossible for private profiteering out of that personal information including biometrics,” says Prasanna S.
For startups that had built their products and business plans on top of India Stack and Aadhaar, things can only get bleaker. Venture capitalists are not in the business of financing legal and regulatory risks or placing odds against a constitutional judgement from the top court of a country.
“Private sector companies are no longer allowed to store Aadhaar data. You don’t need to store biometric data once authentication has happened. It’s been an iSpirt argument that this data needs to be stored because they want to facilitate other uses like financial credit scoring stacks, a health stack, a data-sharing marketplace. But all those plans end now. Companies will have to start building around this new reality,” says Chima.
“Those who exclusively use the Aadhaar database will suffer. For businesses that depended on India Stack, they should’ve asked the question: What is the relationship between them and the government? Is it an MoU, a contract? How have they had the privilege of using this database without any accountability?” suggests Chima.
Many will cease to be viable without access to Aadhaar-enabled flows of customer data or transactions.
“Aadhaar was seen as a money spinner. By owning access to Aadhaar data, through their platform, India Stack imagined they would be the one source or business model for all authentication services in the country. But those hopes of a soaring business, built on the back of a public dataset, have now been dashed. You cannot authenticate anymore by touching the Aadhaar database. India Stack and its related companies are facing the consequence of an action taken without a mandate,” says the senior Meity official quoted earlier.
With inputs from Arundhati Ramanathan and Olina Banerji.