Hey everyone. I'm Sid har Shadi, an architect, and volunteer with the ice spirit foundation, primarily been focusing on how do we design as one of the previous sessions spoke about protocols, the right set of open protocols that really empower individuals in small businesses to access better financial services, health services, and other services that are socioeconomically important to them.
And that collection of protocols that India has built over the last 10 to 15 years is collectively known as the India stack while particularly in today's session, focus on the consent layer of the India stack, which is a more recent development. The backstory is this builds on the back of aha, which was an identity protocol that was scaled out to over a billion Indians, where they can digitally authenticate themselves in a completely paperless presents list manner. And we do 50, 60 million authentications month on month.
And that resulted again, because these were built as open APIs.
You had multiple service providers across public and private, one of the key elements. And you'll see that as a recurring theme in today's presentation is what we call as a Jule Bundy between public infrastructure and private innovation. That should be unleashed on top because we of the view that especially when you look at solving problems for a billion people, with large amounts of diversity, there's no one service provider be it government or private sector, that's gonna be able to do that.
And also the consequences that arise from having one or a small set of players doing that, the journey then resulted in the creation of a payments protocol called up the unified payments interface.
Since people now had bank accounts and you could create a system where they could flow money between each other and between merchants at scale U P I does a few billion payment transactions a month, again, built out in a way where you had public infrastructure that connected the banks, but you opened it up to a range of private companies on top that innovated on the front end experiences and created vari variations of that.
Now, as this rolled out as 4g connectivity permeated into hundreds of millions of Indians homes, what became important is we realized people were becoming data rich, but the paradigm was slightly different. The paradigm, unlike a lot of Western economies, when their individuals became data rich, you already had areas where there are high levels of per capita income.
And so therefore data was fundamentally used to shape that discretionary income shape, those spending patterns in an ad driven business model, in an emerging economy like India, what we realized is that's not the path we want to go into. And also people don't have large amounts of discretionary income at scale. So can we invert this entire paradigm where data, instead of being used to sell things to the user is actually used to empower them to access the range of services we just discussed.
And that resulted this inversion resulted in, in really us thinking deeply about how do you put the user in the center of their data flows.
And it's not just technical. It is. We have to think about it at three layers. There is the technology, the open protocols that should bring this ecosystem to life. We realized we also needed a new institutional architecture because the current way with which people were given control of their data, wasn't really scalable.
And this needed an overarching regulatory framework to be built on top so that you could scale it out to all use cases with adequate protections for the user against any privacy harms that may arise. So the first step in that journey was actually thinking about consent. And when I talk about consent, it's slightly different from the consent. Most of us are used to where in, in GDPR jurisdictions, you go to a website, it asks you for your consent to collect your data.
What I'm talking about here is consent to share your data, which is once an entity has collected it, can I have a low transaction cost, trusted, safe mechanism to share this electronically from one service provider to any other, rather than me having to give my username and password or physically run around and take printouts or digitally do that through PDF downloads from a Porwal.
So therefore to put that in place and to give people control, we had to standardize what consent means. And it's broadly based on a set of principles we call organs.
So consent is an open standard are in organs is it's revocable. That means I could give consent for a doctor to monitor my, my health over a period of time, but I could go back and revoke it at the end of that transaction G is it's very granular. That means I don't always have to share all of my raw data. I have the ability to permission and share a subset of that data. A query let's say someone wants to know, do I have a minimum average balance greater than 1000 euros, rather than sharing my raw transaction statement? I can just share a query saying yes or no.
As part of that, a in organs is its auditable N is noticed.
So just like when money leaves your account, you get notified in this new paradigm. When data is shared about you, you get notified as well and S is it's secure. So it's end to end encrypted. Now that we had this open standard, the key question was where does the user go to generate consent? And as I just mentioned, what we are predominantly used to is the user, either going to information providers, it could be finance, it could be health, a range of sectors. These are custodians of your information.
Or we go to the information user. This is where you have misaligned incentives taking place because the information user has no real interest in creating what in many of our legislations are considered informed consent experiences. So what we did is we unbundled consent from both the provider of your data, as well as the consumer and created a new class of institutions, which are called consent managers.
So consent managers cannot store your data. Think of them as fiduciaries. They have a fiduciary responsibility towards creating those informed consent experiences.
And there are multiple of them that exist. So there's no one consent manager it's open to many market players and broadly the way it works is there are a set, which is the data empowerment protection architecture set of protocols that have been defined that allow consent managers in an interoperable manner to talk to any information provider. There are no technical or even legal bilaterals that exist between them.
And that's important because as a user, I should have the ability to go to any consent manager of my choice, discover wherever my data recites data continues to be decentralized with the custodian, choose any identifier. So identity in this system is completely federated. We don't require the need for the user to have a unique ID to fetch or aggregate their data.
The code design principle is that the user should have the ability to add their identifiers and create a unified view, but no one else in the system should have a unique view of that individual.
And so I can go to a consent manager of my choice, discover where my data resides, link. Those accounts like link three bank accounts. Once I've linked it, I have my consent manager ID, which might be say, Siddharth at the rate of cm one. And now I can take that consent manager ID and go to a lender. And the lender says, I want access to your data for this time period. And these accounts, could you gimme your consent manager ID? So I give them that ID in real time, I get a consent request. I can review it. That consent request is shown to me in a manner that that's informed.
You could have consent request that are assisted rather than self-service in cases where people don't even have smartphones. And once I approve it, I may reject it. But if I so decide to approve it in real time, that consent artifact is sent to the providers who have to return back machine readable, digitally signed data that's sent to and encrypted and forward to the responding data consumer on the other end. And so this system is now rolling out at scale. We roughly have about 300 to 400 million bank accounts that are live on this system.
And it's rolling out across different types of financial data. So not just banking, there are certain insurers that are live taxation for both individuals, as well as small businesses. This is in similar way being rolled out for health data as well. And once we have the data protection bill, this will extend to private categories of data.
So this is a broad overview of the architecture and sort of to sum up, there's also an effort to now what, what we realized is this techno legal approach, because many jurisdictions we have similar legislations, they might be certain variations, but the first principles are the same, the ideas of consent and data portability and the like, and so supplementing those legislations with the right set of technical standards, including those principles. So that subsequently when networks adopted, they honor the, the principles in the legislation.
We found a lot of resonance with like-minded countries and regions. And so now there's an active conversation with the European union, with Japan, Australia, Norway, Rwanda, and a few other countries, including India and few multilateral agencies, particular, the DPG Alliance and the bank of international settlements on how does one take this to other parts of the world? Thank you.