India’s National Open Digital Ecosystems (NODE) strategy should avoid “open washing”, Mozilla said. Mozilla pointed to the fact that IndiaStack initiatives are often claimed to be open, but are not substantially open sourced to the public. They addded that it was important that NODEs be truly open, saying “Many initiatives associated with the IndiaStack project have been accused of open washing, and the leeway provided by the Strategy only increases the risk of this recurring.” Mozilla said projects should “define the minimum baseline of openness to be followed by these projects,” and that they “should be called ‘open’ only if they satisfy this baseline.”

The National Open Digital Ecosystems strategy has been put forward for consultation by the Ministry of Electronics and Information Technology (MEITY) to guide the next wave of e-governance applications and systems used by the government. The consultation period ended on May 31. Mozilla said further consultations should be held, adding that “regular workshops with diverse stakeholders should be held to aid multi stakeholder inputs, including civil society groups outside the technology sector.”

Data protection law should be in place

Mozilla said that a data protection law should first be in place before the strategy is adopted. “[The Strategy] should explicitly recommend that strong data protection law with an independent data protection authority be enacted before any NODE project is implemented,” Mozilla said.  “Each NODE project should explicitly state the relevant policies, regulations, laws, and court decisions that apply to the project’s operations and design.”

  • Govt can use its own open source guidelines: Mozilla pointed to these three standards by the government that encourage open source code and open APIs, saying they could be used by the government to make sure that NODEs are truly open.
  • Excessive centralisation could be harmful: Holding a single organisation accountable may not be effective, Mozilla warned, pointing to how leakages under Aadhaar were not sufficiently addressed even though the UIDAI was the sole accountable organisation. Citing distributed ownership and “effective enforcement of rights and obligations,” Mozilla also said that “Critically, in order for [a] data protection law to fulfill [the objective of transparent data governance], it must also apply to the State.”
  • Don’t sell data to third parties: Mozilla said that NODEs need to have protections against selling data to private parties. “Rather than opening the possibility of projects chasing monetization via measures that sell data of Indians, there should be a clear set of prohibitions when it comes to data processing,” such as preventing automated algorithmic decision-making and sharing data even within the government without explicit user consent.”
  • Accessibility: For the NODE principle of inclusiveness, Mozilla said accessibility should be explicitly included in the principle. Additionally, the principle “should also explicitly state that NODEs should identify specific organizational staff who are responsible for, and held accountable for, examining the diversity, equity, and inclusion (DEI) within the project, the contributing community, and guarding end users interests at large.”
  • Rights-based approach: “Constitutional and legal rights that guarantee access to critical government services [should not be] replaced with internal mechanisms governed merely by standard operating procedures,” Mozilla said. They added that principles like purpose limitation, lawfulness, accuracy of data, accountability and data minimisation should be followed by teams in different organisations.
  • On e-Estonia modelThe e-Estonia model is cited by the consultation as a success story. While Mozilla says that it was “not perfect”, it said that features like audit trails for accessing citizen data are worthwhile things to look at. “Letting Indians own all their data (like the e-Estonia model) but not limiting what can be done with it by a NODE project will be counterproductive to the idea of privacy being a fundamental right,” Mozilla warned.

Mozilla’s response | Other responses to NODE consultation | Our summary of the NODE whitepaper here