#1 India’s Health Leapfrog – Towards A Holistic Healthcare Ecosystem

In July 2018, NITI Aayog published a Strategy and Approach document on the National Health Stack. The document underscored the need for Universal Health Coverage (UHC) and laid down the technology framework for implementing the Ayushman Bharat programme which is meant to provide UHC to the bottom 500 million of the country. While the Health Stack provides a technological backbone for delivering affordable healthcare to all Indians, we, at iSPIRT, believe that it has the potential to go beyond that and to completely transform the healthcare ecosystem in the country. We are indeed headed for a health leapfrog in India! Over the last few months, we have worked extensively to understand the current challenges in the industry as well as the role and design of individual components of the Health Stack. In this post, we elaborate on the leapfrog that will be enabled by blending this technology with care delivery.

What is the health leapfrog?

Healthcare delivery in India faces multiple challenges today. The doctor-patient ratio in the country is extremely poor, a problem that is further exacerbated by their skewed distribution. Insurance penetration remains low leading to out-of-pocket expenses of over 80% (something that is being addressed by the Ayushman Bharat program). Additionally, the current view on healthcare amongst citizens as well as policymakers is largely around curative care. Preventive care, which is equally important for the health of individuals, is generally overlooked.  

The leapfrog we envision is that of public, precision healthcare. This means that not only would every citizen have access to affordable healthcare, but the care delivered would be holistic (as opposed to symptomatic) and preventive (and not just curative) in nature. This will require a complete redesign of operations, regulations and incentives – a transformation that, we believe, can be enabled by the Health Stack.

How will this leapfrog be enabled by the Health Stack?

At the first level, the Health Stack will enable a seamless flow of information across all stakeholders in the ecosystem, which will help in enhancing trust and decision-making. For example, access to an individual’s claims history helps in better claims management, a patient’s longitudinal health record aids clinical decision-making while information about disease incidence enables better policymaking. This is the role of some of the fundamental Health Stack components, namely, the health registries, personal health records (PHR) and the analytics framework. Of course, it is essential to maintain strict data security and privacy boundaries, which is already considered in the design of the stack, through features like non-repudiable audit logs and electronic consent.

At the second level, the Health Stack will improve cost efficiency of healthcare. For out-of-pocket expenditures to come down, we have to enable healthcare financing (via insurance or assurance schemes) to become more efficient and in particular, the costs of health claims management to reduce. The main costs around claims management relate to eligibility determination, claims processing and fraud detection. An open source coverage and claims platform, a key component of the Health Stack, is meant to deal with these inefficiencies. This component will not only bring down the cost of processing a claim but along with increased access to information about an individual’s health and claims history (level 1), will also enable the creation of personalised, sachet-sized insurance policies.

At the final level, the Health Stack will leverage information and cost efficiencies to make care delivery more holistic in nature. For this, we need a policy engine that creates care policies that are not only personalized in nature but that also incentivize good healthcare practices amongst consumers and providers. We have coined a new term for such policies – “gamifier” policies – since they will be used to gamify health decision-making amongst different stakeholders.

Gamifier policies, if implemented well, can have a transformative impact on the healthcare landscape of the country. We present our first proposal on the design of gamifier policies. We suggest the use of techniques from microeconomics to manage incentives for care providers, and those from behavioural economics to incentivise consumers. We also give examples of policies created by combining different techniques.

What’s next?

The success of the policy engine rests on real-world experiments around policies and in the document we lay down the contours of an experimentation framework for driving these experiments. The role of the regulator will be key in implementing this experimentation framework: in standardizing the policy language, in auditing policies and in ensuring the privacy-preserving exchange of data derived from different policy experiments. Creating the framework is an extensive exercise and requires engagement with economists as well as computer scientists. We invite people with expertise in either of these areas to join us on this journey and help us sharpen our thinking around it.

Do you wish to volunteer?

Please read our volunteer handbook and fill out this Google form if you’re interested in joining us in our effort to develop the design of Health Stack further and to take us closer to the goal of achieving universal and holistic healthcare in India!

Update: Our volunteer, Saurabh Panjawani, author of gamifier policies, recently gave a talk at ACM (Association for Computing Machinery)/MSR (Microsoft Research) India’s AI Summit in IIT Madras! Please view the talk here: https://www.microsoft.com/en-us/research/video/gamifier-policies-a-tool-for-creating-a-holistic-healthcare-ecosystem/

Angel Tax Notification: A Step In The Right Direction, But More Needs To Be Done

Some notifications came out last week, and it is heartening to see that the government is trying to solve the matter. However, this is a partial solution to a much larger problem: the CBDT needs to solve for the basic reason behind the cause of Angel Tax (Section 56(2)(viib)) to be able to give a complete long-term solution to Indian startups.

The limit on share capital and share premium after the proposed issue of shares is 10 crores, which helps startups with their initial fundraising, usually in the range of Rs 5-10 Cr. Around 80-85% of the money raised on LetsVenture, AngelList and other platforms by startups is within this range, but the government needs to solve for the remaining 15-20%, as startups raising further rounds of capital, which is the sign of a growing business, are still exposed to this “angel tax”. Instead, the circular should be amended to state that Section 56(2)(viib) will not apply to capital raises up to Rs 10 Cr every financial year provided that the startups submit the PAN of the investors.

The income criterion of INR 50 lakhs and the net worth requirement of INR 2 crores are again a move by the government that requires further consideration for the investing community. Therefore, to further encourage investments by Angels or to introduce new Angels to the ecosystem, there is a need to look towards a reduced income criterion of INR 20 Lakhs or a net worth of INR 1 crore, enabling more investors for a healthier funding environment. We also need to build a mechanism to facilitate investments by corporates and trusts into the startups.

Most importantly, any startup who has received an assessment order under this section should also be able to for the prescribed remedies and submit this during their appeal. They should not be excluded from this circular since its stated scope is both past and future investments. The CBDT should also state that the tax officers should accept these submissions during the appeals process and take it into consideration during their deliberation.

So, to summarise:

  • Section 56(2)(viib) should not apply to any investment below Rs 10 crore received by a startup per year or increase the share premium limit to Rs 25 Crores, from Indian investors provided that the startup has the PAN of the investors
  • Section 56(2)(viib) should not apply to investors who have registered themselves with DIPP as accredited investors, regardless of the quantum of investment
  • The threshold stated should be either a minimum income of Rs 25 lakhs or a net worth of at least Rs 1 crore
  • Any startup who has received an assessment order should be able to seek recourse under this circular during their appeal

Through this circular, the government has reaffirmed its commitment to promoting entrepreneurship and startups in India. With these suggestions, the spectre of the “angel tax” will end up as a footnote in the history of the Indian startup ecosystem.

We look forward to the early resolution of these pending matters. For any suggestions, do write to us at [email protected]

The article is co-authored with Siddarth Pai, Policy Expert – iSPIRT Foundation and Founding Partner – 3one4 Capital.

Disciplining The Not So Angelic, Angel Tax

If you are an entrepreneur, investor, or simply interested in the start-up sector, then you already know that Angel Tax is the buzzword right now.

Based on a law that was introduced in the 2012 budget by Mr Pranab Mukherjee, the rule aimed to target money laundering through high share premium. But unfortunately, the same provision is today attacking startups for their “high” share premiums and treating the difference between book value and DCF (Discounted Cash Flow) projections as income taxable at 30%. (Those interested in a more in-depth study of the provision and associated rulings can check out this article.)

Thus, a law to penalize shell corporations and sham transactions is now being used against startups employing tens of people and generating value for the community. Valuations are usually based on a startup’s future potential for growth and revenue, and using book value, a method that’s better suited to asset-heavy manufacturing industries, is like measuring time in light years – it sounds right but is blatantly inappropriate.

Hence the problem. This section hasn’t kept pace with the other anti-laundering and anti-abuse measures instituted by law and has become a blanket provision with little opportunity for a Startup to distinguish itself from a fake business. It also specifically discriminates against domestic investments thereby discouraging both investors and startups from accepting investments from Indian residents.

The latest changes, notified just yesterday, provide some way out for certain startups. However, this is a partial solution to a much larger problem: the CBDT needs to solve for the basic reason behind the cause of Angel Tax to be able to give a complete long-term solution to Indian startups.

The limit on share capital and share premium after the proposed issue of shares is 10 crores, which helps startups with their initial fundraising, usually in the range of Rs 5-10 Cr. Around 80-85% of the money raised on LetsVenture, AngelList and other platforms by startups is within this range, but the government needs to solve for the remaining 15-20%, as startups raising further rounds of capital, which is the sign of a growing business, are still exposed to this “angel tax”. Instead, the circular should be amended to state that section 56(2)(viib) will not apply to capital raises up to Rs 10 Cr every financial year provided that the startups submit the PAN of the investors.

The notification also introduces the concept of an “accredited investor” into the startup ecosystem, which is an acknowledgement of the role that domestic investors play. Globally, an accredited investor tag is given to sophisticated investors investing in risky asset classes to denote that they acknowledge the risks associated with such investments and that they have the financial ability to do so. But instead of requiring both criteria of income and net worth to be fulfilled, the rules should follow the global model of fulfilling either criterion, with the threshold lowered to 25 lakhs of income or a net worth of Rs 1 crore. Their investment into startups should be excluded from the scope of section 56(2)(viib). As a process mechanism, if the CBDT could put in place a simple once-a-year mechanism for the investor to submit his returns and give him a reference number valid for the financial year, this would enable him to invest in more startups in the year without the need to get permissions every time he invests his funds.

Most importantly, any startup who has received an assessment order under this section should also be able to for the prescribed remedies and submit this during their appeal. They should not be excluded from this circular since its stated scope is both past and future investments. The CBDT should also state that the tax officers should accept these submissions during the appeals process and take it into consideration during their deliberation.

So, to summarise:

  • The angel tax should not apply to any investment below Rs 10 crore received by a startup per year, from Indian investors provided that the startup has the PAN of the investors
  • The angel tax should not apply to investors who have registered themselves with DIPP as accredited investors, regardless of the quantum of investment
  • The threshold stated should be either a minimum income of Rs 25 lakhs or a net worth of at least Rs 1 crore
  • Any startup who has received an assessment order should be able to seek recourse under this circular during their appeal

Through this circular, DIPP has reaffirmed its commitment to promoting entrepreneurship and startups in India. With these suggestions, the spectre of the “angel tax” will end up as a footnote in the history of the Indian startup ecosystem. We look forward to these pending matters.

Start up India, Stand up India.

The post is authored by our policy experts, Nakul Saxena and Siddarth Pai.

Discussion on “The Information Technology [Intermediaries Guidelines (Amendment) Rules] 2018”

Ministry of Electronics and Information Technology (Meity) has put up a new set of draft rules for the IT Act, and is inviting feedback.

The draft rules mostly relate to governing violations on social media.

The Draft is given at:

http://meity.gov.in/content/comments-suggestions-invited-draft-%E2%80%9C-information-technology-intermediary-guidelines

It contains a link to the new rules:

http://meity.gov.in/writereaddata/files/Draft_Intermediary_Amendment_24122018.pdf

This PolicyHacks recording was done on 2nd January 2018 at 5.30 pm, covering a discussion on the proposed rules (amendment).

iSPIRT volunteers Sanjay Jain, Saranya Gopinath, Venkatesh Hariharan (Venky) and Tanuj Bhojwani, and Bhusan, a lawyer from IDFC, participated in the discussions with Sudhir Singh.

The main aspects of the draft amendment and its impact on software product companies and start-ups in the tech world in India are covered in the discussions. A transcript of the discussion is given below. Alternatively, you can listen to the recorded audio/video on YouTube, embedded below.

The draft rules mainly cover information published by users on intermediaries, also referred to as platforms in this discussion. The three broad aspects that the draft rules cover are:

  1. Putting higher onus on Intermediaries on objectionable content
  2. High level of compliance and penalties
  3. Enforcing traceability of objectionable content

With the above introduction to the topic, the floor was opened for discussion by host Sudhir Singh. Below is the transcript of the contributions made by participants (the transcript may not be complete word for word but follows the semantics of the contributions made).

On the question of how the draft rules will impact industry

Sanjay Jain – “Two three element that you have highlighted in there.

First is the definition of the platform player. Intermediaries are broadly defined. They include everybody from telecom players, ISPs, a social network and even a site like apartment Adda, Baba-jobs, because all of these will have some kind of user generated content, which is being published and shared with others. While the law drafting may have had one type of intermediary in mind, but it actually applies to all of them and as such that is where some of the issue starts.

Second part is that by moving some of the onus to the platform, and I actually think they have not fully moved the onus to the platform, which is a very dicey situation because they have moved and not moved at the same time. And because the onus is primarily still on the Govt. to notify to the intermediary that there is something objectionable and they have to remove it. But, at the same time they have said that intermediary shall develop technological means for identifying all of this, as well. Sometimes there is an assumption that technology can do a lot, and in reality while you can have 99.9% accuracy, you still have those 0.1% and that becomes an issue.

Third part, I wanted to say is cost of compliance goes up considerably. They have put a limit of 50 lakh users in India, though we believe 50 lakh may either be little low. They should go little higher and depending upon type of user generated content they should allow for little graded form of compliance.”

Bhusan, from IDFC Institute – “As a context, these rules have come about are drafted based on earlier rules of 2011 and have some new features like graded approach such as significant intermediary to non-significant intermediary. They have put time lines in terms of response from intermediary and so these rules are being built upon existing set of rules.

There is some sort of tightening of the compliance on intermediary e.g. 72 hours of time line for response. If you are a significant intermediary, then you have to be incorporated in India and have to appoint a person who is available 24X7, and you also have to have proactive measures to screen content on your side. Some of this is coming from frustration of getting information from intermediaries.”

On issue of how much these numbers are practical for small players? How to save start-ups?

Sanjay Jain – “Differed assumption is that if you publish any content which is against the law, you are liable. Being an intermediary protects you. If you remember the case of Baje.com, the only protection they got was proving to be an intermediary. Hence, you want to call them (Start-ups) intermediaries but get a better procedural control to stop harassment at hand of low level law enforcement.”

Tanuj came in and quoted the line after 72 hours; in section 5 it says “as asked for by any government agency or assistance concerning security of the State or cyber security; or investigation or detection or prosecution or prevention of offence(s); protective or cyber security and matters connected with or incidental thereto.”

According to Tarun, this statement is so broad that any junior level officer can say I got information that someone from Hissar in Haryana is harassing a person and give information of all users in Haryana.

Venky – “I agree with Tarun, we have the laws or the rule meant to be more sharply defined and have sharp implementation guidelines. In this case seems to be pretty loosely framed.”

Sudhir Singh – “There is another issue in draft rules on once in a month information to user, and taking their consent. Any hard compliance of rules is normally easier for large players, they may easily invest and handle with technology but small players and start-ups it is difficult situation to comply.”

Sanjay – “From technology experience we learn that if you make something automated, users ignore it. So, what will happen is this will be implemented by sending one email to every user, once in a month, stating if you don’t comply, we will delete your account from platform.

That’s an email that is going to get ignored. So, it is a very ineffective suggestion. Also, there is an implicit assumption that all users are identifiable, which is not the case always. So, just to implement it you will have to identify users. That may not be a valid requirement.”

Bhusan – “On the point that you need to have more than 5 million users. My question is procedurally how do you even establish that?

Will platforms have to do GPS type of tracking to ensure that, and does this not create a privacy risk in itself? E.g. I do not know whether platforms like Quora know that they have more than 5 million users in India or not. It seems there is this focus on regulating Big Techs and this 5 million number really comes from that.”

Sanjay – “Basically, anybody can be hosting user generated content. So, let us say we are on a common platform, and there is a message flowing from me to you. If I violate the law, and let’s say the message is liable of incitement or any other law, then I should be held liable and not the platform.

For that platform needs to be qualified as intermediary, put under safe harbour and intermediary takes on the responsibility of helping the law enforcement. So, we should not take up start-ups out of its ambit. What we have to do is make sure that, the conditions required is that conformance to the standard should not be so terrible that start-up should be excluded.

So, we need to sharpen the requirement that they should be conforming with and make it easy enough for somebody to conform.”

It is being discussed that Govt. is aiming for higher level of Penalty. What should be our recommendation?

Tanuj – “If you take a very young company any sort of hit is bad, but if you can put proportion of revenue basis, it will be at least more forward thinking, even if it is not absolutely fair, in some sense more fair of not having that rule or having flat rule. The amendments of changes we should think about of moving the penalty would be not being in favour of arbitrary penalty.”

Tarun added – “Our recommendations should be around sharpening rules, like who can use it who cannot use, what are the accountability measures on them, more than magnitude of these numbers.”

Saranya – “Just to address the Data protection law vis-à-vis intermediary act. The subject matter of Data Protection law is ‘personally identifiable information’, whereas Intermediary act tries to cover ‘all communication in some sense’ and hence, Intermediary act has a longer leash with regard to the person who can take the intermediaries to task.

The criteria of what would be offensive under Intermediary act is very different e.g. encouraging consumption of narcotics. Hence, the criteria that a person can take intermediary to task is extremely wide and needs to be curtailed.”

Bhusan – “There is an inherent subjectivity in these rules and there is need for some sort of standard procedures on how these rules are applied by law enforcement agencies across. All that these rules say is – any request has to come in writing and intermediaries have to comply with.”

Venky –  “From an implementation perspective we need implementation guideline. Section 5 is so wide that anybody can drive a truck through it.”

How the numbers (e.g. 72 hours period to respond and 50 lakh users) should be defined in a manner that suits start-ups who are in the early phase.

Sanjay – “Broadly, we need to identify the places and various numbers to apply proportionally depending upon the size of entity and size of violation, in our feed back to the Government.”

Sanjay also drew attention to the point that the “Appropriate Govt” needs to be defined well. He said, “What we want is the Govt. agencies to be defined.”

Bhusan – “This is very standard way of defining. I have not seen any precise definition on specifying agencies in general regulation and I do not see they will start with IT act on this.”

Bhusan mentioned another important issue: end-to-end encryption is more a political point than a national security issue (refer to the last lines of section 5).

Sanjay – “This is about tracking and tracing may not be about encryption. The fact that I sent information to somebody is about meta data, it’s not about information itself. This may be clarified better, but is not about end-to-end encryption but about meta data.”

Sanjay further added, “perhaps one clause you could add is to say that the ‘intermediary should be able to do this based on the information it has, if it does not have information, there should be no requirement to maintain information’ e.g. if you take business of mailinator, they don’t keep record of mails sent in and out.”

Bhusan added, “it should not lead to intermediaries having a requirement to do KYC on users.”

Is 50 lakh only to target large platform players?

Sanjay – “My read is they may have thought that way. But in reality a regional ISP or even a small newspaper will fall into that category.”

Bhusan – “I don’t think it is a number generated by some study, but it seems like they just picked it.”

The discussion was wrapped up with thanks to all players.

Author note and Disclaimer:

  1. PolicyHacks, and publications thereunder, are intended to provide a very basic understanding of legal/policy issues that impact Software Product Industry and the startups in the eco-system. PolicyHacks, therefore, do not necessarily set out views of subject matter experts, and should under no circumstances be substituted for legal advice, which, of course, requires a detailed analysis of the relevant fact situation and applicable laws by experts in the subject matter on case to case basis.
  2. PolicyHacks discussions and recordings are intended at issues concerning the industry practitioners. Hence, views expressed here are not the final formal official statement of either iSPIRT Foundation or any other organisations where the participants in these discussions are involved. Media professionals are advised to please seek organization views through a formal communication to authorised persons.   

Story in Asia Times, on iSPIRT, and Aadhaar

Last week, on Thursday evening, we received an email from Saikat Datta, where he claimed that he had a recording of a conversation, from an iSPIRT meeting, where we discussed various ways to get around the Supreme Court verdict on Aadhaar, along with other allegations.

While this recording was unauthorised, and we were in the midst of internal deliberations (and we have pointed this out to Mr Datta), we have engaged with the reporter to ensure that our view was presented fairly.  We are publishing this email exchange and that audio file in the interest of full disclosure, and transparency.

Thursday 3rd Jan 12:52 PM, separate emails from Saikat Datta to Sanjay Jain & Sharad Sharma 

Thursday 3rd Jan 10:32 PM, response from Sanjay Jain to Saikat Datta

Sunday 6th Jan, 3:47 PM, a second email from Saikat Datta along with Audio recording

Sunday 7th Jan, 12:13 AM, the response from Sanjay to Saikat Datta

In our last email to Saikat, we have mentioned that we have earlier seen activism in the form of reporting, and requested that he report on this issue fairly and that he present our answers in full.  We do hope that he will do so.

In the meantime, we wanted to let the iSPIRT community know that we will continue to deal with issues such as these with transparency.  If we are doing something incorrect/inappropriate, we will welcome any feedback.

The post is authored by Sanjay Jain and Sharad Sharma.

A Fond Sendoff

Today we are giving a fond sendoff to Praveen Hari and Venky Hariharan as they transition out of full-time volunteering and onto new challenges! This is a bittersweet moment: as excited as we are about their future plans, we can’t help but feel a sense of loss. We will most certainly miss their selfless energy in our mission to democratize credit in India.

Democratizing credit is vital for India’s future. This particular breed of the societal problem needs a jugalbandi between public platforms like India Stack and market players like banks, NBFCs, and Fintechs – a kind of jugalbandi that is new to our ecosystem. To bring it about, it needed catalysts like Praveen and Venky.

Praveen has been iSPIRT’s ‘dynamo’ behind flow-based lending. He has done innumerable learning sessions, pulled together countless borrower pools, knocked partnerships together, and was instrumental in the design of “Type-4” loans. He has been the go-to person on all things around flow-based lending for lenders, loan service providers (LSPs), technology providers, sophisticated model builders, and VCs. His can-do spirit is legendary: he has been an inspiring blend of thought-leadership and hustle for all of us volunteers in iSPIRT. Because of this, his name will be forever etched into the history of flow-based lending in India.

Venky anchored our Fintech Leapfrog Council (FTLC) efforts from the very beginning and took on the challenging task of helping incumbent banks embrace non-linear change. Since its launch, FTLC has been instrumental in kicking off a number of market experiments and has helped banks think through their strategies around UPI, BBPS, cash flow based lending, and the technology and data governance changes they need to transition to a new era.

Venky’s soft-spoken approach masks a determination to get difficult things done. His charm is legendary, and he used it to help leaders of FTLC banks practice intentional unlearning. This collective effort has moved the industry forward, helped the banks prepare for a more dynamic future, and set the stage for partnership between banks and new age technology and Fintech players.

As quintessential iSPIRT volunteers, both Praveen and Venky have created enormous ecosystem value, and they did it for the mission. Many market players benefited from their work, and (as is iSPIRT custom) not one paisa flowed to either of them. This selfless volunteering is the iSPIRT way. After subsisting on a small Living Wage as full-time volunteers, it is time for Praveen and Venky to move on.

New Beginnings
Praveen is planning to become an entrepreneur again. After his two month cooling off period, he will launch his new startup. We, for one, are hoping that this startup will be in the flow-based lending space! We are rooting for him to be the Jonathan Rosenberg of flow-based lending: Jonathan was instrumental in bringing SIP Protocol to life as an IETF standard, and in helping to create Skype as a winning implementation of SIP Protocol as its Chief Technology Strategist. We hope Praveen’s path will have a similar trajectory, both in direction and impact! In parallel, he will continue to volunteer part-time for our PSP Connect (formerly M&A Connect) program where he has been active since the beginning. He will no longer be involved in our policy work.

Venky is moving to IDFC Institute to create a new Data Governance Network. We are at the cusp of a new data regime and data economy in India driven by Data Empowerment and Protection Architecture (DEPA), something that is very different from the paths taken by the US, Europe, and China. This Network will bring evidence-based inputs into the policy and practice of data governance; in this new world of data, it is key to secure empowerment and protection of each individual. Alongside this important new responsibility, Venky plans to keep volunteering part-time with iSPIRT on our software patents initiative where he has been active for many years.

When our full-time volunteers roll off to new challenges, they are a gift to the ecosystem. They carry with them an emboldened sense of what India can be, and an energized plan to make new things happen – in turn creating new capacity in the market.

Shifting Gears: Playground Orchestration
iSPIRT has been at work on the societal problem of democratizing credit for the last 4-5 years. We have made considerable progress, yet more needs to be done: Rajni is not yet being served as we would like it.

After some soul-searching, we realized that the next phase of ecosystem building for credit democratization needs a more deliberate orchestration of market and state actors.  Meghana Reddyreddy, a power volunteer, will drive this phase; she will don the mantle of Playground Orchestrator for Democratizing Credit.

Volunteering with iSPIRT
Our central tenet is that societal problems are solved by market players. To come up with truly innovative solutions, these market players need various kinds of public goods – scalable public platforms, supportive policy and procedural guidelines, transformational market catalysts, and world-class playbooks – to succeed. Our volunteers build these public goods in a selfless fashion. They are often the most talented and driven folks in the ecosystem. Some do this public goods building on weekends. Others, like Praveen and Venky, take a year or two off from their career to do this.

If you want to be one of these volunteers, read our Volunteer Handbook (https://pn.ispirt.in/presenting-the-ispirt-volunteer-handbook/) and feel free to reach out to us.

By Sharad Sharma, Pramod Varma, Siddharth Shetty for Volunteer Fellow Council and Pankaj Jaju for Donor Council.

My iSPIRT Experience, A Learning Of A Lifetime By Praveen Hari

In 2016, the company I co-founded, Thinkflow, went through a liquidity event. It was a great outcome for all and I was thinking of the next move. It was natural for me to think of starting again. I was wiser, had seed capital and only had to find a problem attractive enough. It looked like I was going down that path and would build another software product company for the global market.

Something interesting was happening in India at that same time. All the global giants were investing in or had invested in companies that were building for India. Venture funds like Softbank, DST Global, Naspers were making bold bets in the Indian consumer space. A lot of digitization was also happening in India. UPI was in the initial release phase (Flipkart had already committed to back PhonePe, when it was just Sameer and Rahul’s idea), the GST bill was tabled in Parliament, a system to track real-time movement of goods was being discussed. It was really a lot of action and if venture investments were any indication, it was the validation of the India story.

In a meeting with Sharad, for the first time, I understood the true potential of the digital stack (now called the IndiaStack) that was taking shape then. While the stack was not fully ready for all the use cases that we covered in the meeting, the vision to solve some of the hardest problems India was facing through technology was fascinating. That vision combined with the kind of commitment the Open API team (it is now called the IndiaStack team) put in is unparalleled in my experience.

I left the meeting with a question from Sharad: “Do you want to do a 2-year MBA that pays you a small stipend?” I thought about it and said ‘yes’. Amongst all the challenges, unlocking credit for small businesses resonated with me. Having faced the consequences of not having access to timely credit during my Thinkflow days, I could identify with this problem and ended up doing work around data-driven and cash-flow lending. We make a number of decisions in a lifetime but a few handfuls of them are life-changing. And my decision to work with iSPIRT and to focus on Flow-based lending has been a life-changing one.

Over the last 30 months, I worked towards improving efficiencies in the loan delivery and collections cycle so we could bring a lot more borrowers to the formal system. As an iSPIRTer, I had the privilege of working with CEOs of banks, NBFCs and Small Finance banks to design new loan products. We were working on new ways to use data to underwrite small loans for new-to-credit businesses. I was guiding them on how to use technology to deliver credit at lower costs and worked alongside them to devise new strategies to build new workflows around origination, disbursement, collections, et al.

The iSPIRT stint has been a rewarding one. iSPIRT is all about putting country first and solving country scale problems. Core values such as this and others like setting up fellow volunteers for success were totally unheard of to me in the modern day workplace. iSPIRT is a safe space for any volunteer who is passionate about changing India. The institution has been about investing in the success of its fellows –  I had the benefit of learning from the wisdom of people like Nandan Nilekani, Sharad Sharma, Pramod Varma, Sanjay Jain. My colleagues are A-players and I had the opportunity to learn from and work alongside Meghana Reddyreddy, Nikhil Kumar, Venkatesh Hariharan, Jai Shankar, Tanuj Bhojwani, Siddharth Shetty and Karthik

As I prepare to roll-off my responsibilities at iSPIRT, I want to express my gratitude and a special thanks to Sharad Sharma for giving me this opportunity. He is a great guide and has been a great mentor for me. Thank you for being there for me when I needed you. It has been a great experience working with you and the team and my learnings here are my core strength as I move on to solving for India through my next venture.

India Financial Services – Disrupt or Be Disrupted

Matrix India recently hosted two firebrands of the financial services world, Mr Sanjay Agarwal, founder AU Small Finance Bank and Mr Sharad Sharma, founder iSPIRT Foundation, Volunteer at India Stack, for a no holds barred discussion at the Matrix Rooftop in Bangalore. Here is an excerpt from the evening and some of our learnings for fin-tech entrepreneurs.

Part 1 of the two-part series features the untold story of AU Bank, in the words of Sanjay Agarwal himself, as below:

Sanjay Agarwal – on his background and early days before starting AU:

“In my early Chartered Accountancy days, I started out by doing audit work, taxation, and managing clients. I had studied hard and was naïve and enthusiastic at that time, hoping to solve the world’s problems. This pushed me to work harder and I had a desire to do something more.

I believe that we are the choices we make. While evaluating various choices, I eliminated all the options that I didn’t want to pursue e.g. to work for a fee or commission and then I started digging deeper on what really interests me – that was when the concept of AU Financiers was formed.

In 1996, as a 26-year-old, I began approaching HNIs to raise capital, as back then, there were no VCs. I was fortunate to raise INR 10 cr at a 12% hurdle rate and I had to secure the funding with a personal guarantee. But what is the guarantee of the guarantor? No one questioned this at that time. So, I technically became one of the first P2P lenders, and structured a product that didn’t exist – short term, secured and at a 30% rate of interest. That was the start of the AU journey.”

The Early Days of AU:

“I started off AU as a one-man army. I was everything from the treasurer to the collector. Slowly we built our team and rotated the 10 cr of capital to disburse 100 cr of loans – not a single rupee was lost. There were several challenges at that time; for example, there was no CIBIL score, financial discipline was lacking, people were still learning how to take a loan and repay it, and customer IDs didn’t even have a photograph. But somehow, we managed.

The period from 1996 to 2002 taught me everything I needed to learn – how to lend, how to collect, how to manage people, read people’s body language, and most importantly how to manage yourself in different situations. I follow all of that until today, and my team also benefits or suffers from those learnings of mine even today. In those 7 years, we would have dealt with 2000 customers out of which 500 defaulted. That was the ratio of defaulters – 25%. But we managed and there were actually no NPLs.”

Partnering with HDFC Bank

“In 2002, retail credit was beginning to take off, but our HNIs started pulling their money out, as they wanted a higher return. However, at that time, the most premium bank in the country, HDFC Bank, appointed us as their channel partner. The model we followed was very simple – AU was responsible for sourcing the customer, KYC processing and doing on the ground diligence while loans were booked on HDFC’s balance sheet. HDFC is perceived to be a conservative bank, and it is – however, they gave me Rs 400 cr, on a net worth of only Rs 5 cr! They made an exception in our case due to our strong track record, through execution, sound knowledge of the market, and most importantly our integrity.

By 2008, our net worth had increased to Rs 10 crore through internal accruals. At that time, HDFC told us that we can’t give you any more capital, as we were overleveraged, and that we now needed to bring in equity capital if we wanted to grow.”

Growing the balance sheet and partnering right

“I had two choices at that point: I could continue in Jaipur, keep my ambition under control and live comfortably, or figure out what else is possible. I chose the latter and this marked the beginning of my partnership with Motilal Oswal. It’s easier to raise equity now; back in the day, shareholder agreements used to look like loan agreements with min IRR requirements, etc. As luck would have it, a few months after we raised equity, the Lehman Brothers crisis broke out and most banks stopped funding. We were supported once again by HDFC – they were our saviour and I will cherish my relationship with them always. Once the market settled down, having survived this negative environment, there was no looking back.

Our next major investor was IFC. For the entrepreneurs here, I want to say that you have to be selective about your investors, who will help with not just capital – there should be added value they bring to the table apart from money. IFC was giving me 20% lower valuation, but I knew that I didn’t have any lineage to fall back on. As a first-generation entrepreneur, I had to raise money on the strength of my balance sheet and not basis my family name. I knew that partnering with IFC would shift the perception of AU within the industry, especially for PSU banks. After their investment, we grew from one bank relationship with HDFC to 40 bank partnerships. One thing led to another and Warburg Pincus, ChrysCapital, and Kedaara Capital all came on board after that.”

Consistent performance

“From 2008 onwards, we started diversifying from vehicle lending and got into other forms of secured lending like a loan against property, home loans etc. We never tried unsecured lending and never ventured into microfinance or gold finance. Those were very popular products at that time but focusing on what we were good at resulted in a consistently strong performance. We never had a bad year. In the world of finance, the margin of error is very less. If you have a bad year you can almost never come back. Good companies survive regardless of the market condition, you can never blame the market for your company’s poor performance. In 2015-16, we were a successful NBFC, our RoA was close to 3% with an asset base of close to 8,000 crores, with a RoE of 27-28% and everyone was chasing us – the question at that time before us was, what next?”

How we became a bank

“As an NBFC, it is very hard to manage a book of Rs 50,000 cr with the same efficiency and effectiveness as it’s a people dependent business, there are limits to the kind of products you can do and you can’t keep raising capital. Hence, we became a bank because we wanted to be there for the next 100 years and that perpetual platform can only be created through a bank. That is the biggest platform and it is not available at a price. It’s available through your integrity, business plan and execution. Today, we receive Rs 100 cr of money every single day. This is the same person who was struggling to raise Rs 10 cr in 1996, and is now getting money at the speed of Rs 100 cr every day – it feels amazing but there is a lot of responsibility!”

Part 2 of the two-part series features insights from Sharad Sharma:

Recognizing the Athletic Gavaskar moment in Indian Financial Services

“Indian financial services industry is going through its equivalent of the Athletic Gavaskar project of Indian cricket. The motive behind this project was to instil the importance of being athletic to successfully compete in the modern game. A new team was created with the rule that if you are not athletic, you cannot be a part of the team, regardless of other skills that you bring to the table. Virat Kohli eventually became the captain of this team and the results are for everyone to see. Similar yet contrasting stories played out in hockey and wrestling. In hockey, we lost for 20 years because we refused to adapt to the introduction of astroturf. However, in wrestling, the Akhadas in Haryana embraced the move from mud to mat with rigour, and Indian wrestling is already punching above its weight class and hopefully will do even better over time. The idea of sharing this is that similar to sports, sometimes an industry goes through a radical shift. Take the telecom space, for example: if Graham Bell came alive in 1995, he would recognize the telephone system; 20 years later he wouldn’t recognize it at all. The banking industry is going to go through a hockey/wrestling or communications type disruption and a lot of us are working hard to make it happen.”

Infrastructure changes lead to New Playgrounds

“All the banks and NBFCs put together are not serving the real India today. We have 10 million+ businesses that have GST IDs, out of which 8 million+ are big enough to pay GST on a monthly basis, but only 1.2 million have access to NBFC or bank finance. This is a gap that needs to be addressed and it cannot be solved through incremental innovations.

Entrepreneurs and incumbents should learn from what happened in the TV industry when new infrastructure became available. When India went from state-run TV towers in 34 cities to cable and satellite TV in pretty much every town, there was a massive new market that was unlocked that did not want to watch the same Ramayan or Hum Log TV serials. What transpired was an explosion of entertainment products because of the high demand stemming from the new markets, and the TV channel players that reinvented their content are thriving today while others that did not are barely surviving or have shut down.

So where does this leave the bankers? I think it is the biggest opportunity for the right banker who understands this problem, wants to serve this section of the market and is willing to reinvent the way they do their business and take advantage of the new infrastructure that will be available.”

Dual-immersed entrepreneurs have the biggest advantage

“Entrepreneurs who are immersed in the messiness of both the new infrastructure and the old problem are “dual immersed entrepreneurs”. They are the ones that succeed when a market shift is underway. Today this is not happening. Some of our city-bred entrepreneurs are more comfortable with California rather than Bharat. And some of our sales-oriented entrepreneurs are intimidated by the messiness of the new technology infrastructure.”

New Playgrounds need new Gameplay

“In a world where eKYC exists, and we can transfer money through UPI from a phone, and sign documents digitally – we are ready to deliver financial products on the phone and this is the disruption that is required. Access to credit drives the economy and with this new infrastructure, it is now possible to lend to the real India. However, it’s easy to give money, but the ability to get it back and keeping defaults at a minimum is the real trick. Even there we are moving towards seeing a radical improvement. Debt providers now have powers they never had and defaulters are being brought to book. Customers are now incentivized to build their own credit history to get better and lower interest rates over time. A new Public Credit Registry is coming to enable this at scale. But the biggest innovation is related to the dramatic shortening of the tenor. One can structure a one-year loan into 12 monthly loans or 52 weekly loans. This rewards positive customer behaviour and brings about the behaviour change that is needed.

There is no secret sauce here, it requires gumption – like that shown by Reed Hastings, founder of Netflix. He disrupted the TV and home video industry by first having the wisdom to go from ground to cloud and then again when they started developing original content. In both cases, he had little support from the board or investors. If you can reinvent yourself before it becomes necessary, you’re a winner but this is harder to do for a successful company. The legacy of success provides resisters with the clout to block change. The real beneficiary of Aadhaar based eKYC in the telecom world was not the incumbents but Jio – eKYC allowed Jio to acquire customers at an unprecedented scale and they saved INR 5000 crores on KYC costs as well.”

About iSPIRT

iSPIRT is a non-profit think tank that builds public goods for Indian product startups to thrive and grow. iSPIRT aims to do for Indian startups what DARPA or Stanford did in Silicon Valley. iSPIRT builds four types of public goods – technology building blocks (aka India stack), startup-friendly policies, market access programs like M&A Connect and Playbooks that codify scarce tacit knowledge for product entrepreneurs of India.

About AU Small Finance Bank:

AU Small Finance Bank Limited (AU Bank) started in 1996 as a vehicle financing NBFC, AU Financiers and scaled to touch over a million underbanked and unbanked customers across 11 states of North, West and Central India, prior to becoming a bank in April 2017. During this time, AU attracted equity investments from marquee investors such as IFC, Warburg Pincus, Chrys Capital, Kedaara Capital and recently went public when its IPO was oversubscribed ~54 times. Over the years, AU Bank, led by its founder Sanjay Agarwal, has created significant shareholder value with its equity value growing from ~$120 million in 2012 to current market capitalization of ~$3 billion.

Please Note: The blog was first published and authored by Matrix India Team and you can read the original post here: matrixpartners.in/blog

iSPIRT Final Comments on India’s Personal Data Protection Bill

Below represents iSPIRT’s comments and recommendations on the draft Personal Data Protection Bill.  iSPIRT’s overall data privacy and data empowerment philosophy is covered here.  

Table of Contents

Major Comments
1. Include Consent Dashboards
2. Financial Understanding and Informed Consent for all Indians
3. Data Fiduciary Trust Scores Similar to App Store Ratings
4. Comments & Complaints on Data Fiduciaries are Public, Aggregatable Data
5. Warn of Potential Credit and Reputation Hazards
6. A Right to View and Edit Inferred Personal Data
7. Sharing and Processing of Health Data

Suggestions and Questions

  • Fund Data Rights Education
  • Limit Impact Assessment Requirement
  • Passwords should be treated differently than other Sensitive Personal Data.
  • Does the Bill intend to ban automatic person-tagging in photos and image search of people?
  • Notifications about updates to personal data should be handled by a Consent Dashboard, not every data fiduciary.
  • Need for an Authority appeal process when data principal rights conflict
  • Do not outlaw private fraud detection
  • Limit record keeping use and disclosure to the Authority and the company itself.
  • Filings may be performed digitally
  • Request for Definition Clarifications
  • Author Comments
  • Links
  • Appendix – Sample User Interface Screens

Major Comments

1. Include Consent Dashboards

We support the idea of a Consent Dashboard as suggested in the Data Protection Committee Report (page 38) and recommend it to be incorporated in the Bill in Section 26 – Right to Data Portability and Section 30 (2) Transparency.  

We envision all of a user’s personal and inferred data that is known by data fiduciaries (i.e. companies) being exposed on a consent dashboard, provided by a third party consent collector or account aggregator (to use the RBI’s parlance). Below is an example user interface:

This mandate would enable users to have one place – their consent collector-provided dashboard – to discover, view and edit all data about them. It would also allow users to see any pending, approved and denied data requests.

Furthermore, in the event of data breaches, especially when a user’s password and identifier (mobile, email, etc) have been compromised, the breach and recommended action steps could be made clear on the consent dashboard.

Given the scope of this suggestion, we recommend an iterative or domain specific approach, wherein financial data is first listed in a dashboard limited to financial data and for its scope to grow with time.

2. Financial Understanding and Informed Consent for all Indians

We applaud the Bill’s Right to Confirmation and Access (Chapter IV, Section 24):

The data fiduciary shall provide the information as required under this section to the data principal in a clear and concise manner that is easily comprehensible to a reasonable person.

That said, we’ve found in practice that it’s difficult to appreciate the implications of digital policies on users until real user interfaces are presented to end users and then tested for their usability and understanding. Hence, we’ve put together a set of sample interfaces (see Appendix) that incorporate many of the proposed bill’s provisions and our recommendations. Much more work is needed, however, before we can confidently assert that most Indians understand these interfaces and what they are truly consenting to share.

The concepts behind this bill are complicated and yet important. Most people do not understand concepts such as “revocable data access rights” and other rather jargon-filled phrases often present in the discussion of data privacy rights. Hence, we believe the best practices from interface design must be employed to help all Indians – even those who are illiterate and may only speak one of our many non-dominant languages – understand how to control their data.

For example, multi-language interfaces with audio assistance and help videos could be created to aid understanding and create informed consent.  Toll-free voice hotlines could be available for users to ask questions. Importantly, we recognize that the interfaces of informed consent and privacy control need rigorous study and will need to evolve in the years ahead.

In particular, we recommend user interface research in the following areas:

  • Interfaces for low-education and traditionally marginalized communities
  • Voice-only and augmented interfaces
  • Smart and “candy-bar” phone interfaces
  • Both self-serving and assisted interfaces (such that a user can consensually and legally delegate consent, as tax-payers do to accountants).

After user interface research has been completed and one can confidently assert that certain interface patterns can be understood by most Indian adults, we can imagine that templated designs representing best practices are recommended for the industry, much like the design guidelines for credit card products published by US Consumer Financial Protection Bureau or nutritional labelling.

3. Data Fiduciary Trust Scores Similar to App Store Ratings

We support the government’s effort to improve the trust environment and believe users should have appropriate, easy and fast ways to give informed consent & ensure bad actors can’t do well. Conversely, we believe that the best actors should benefit from a seamless UI and rise to the top.

The courts and data auditors can’t be the only way to highlight good, mediocre and bad players. From experience, we know that there will be a continuum of good to bad experiences provided by data fiduciaries, with only the worst and often most egregious actions being illegal.

People should be able to see the experiences of other users – both good and bad – to make more meaningful and informed choices. For example, a lender that also cross-sells other products to loan recipients and shares their mobile numbers may not be engaging in an illegal activity but users may find it simply annoying.

Hence, we recommend that data fiduciary trust scores are informed with user-created negative reviews (aka complaints) and positive reviews.

In addition to Data Auditors (as the Bill envisions), user created, public ratings will create additional data points and business incentives for data fiduciaries to remain in full compliance with this law, without a company’s data protection assessment being the sole domain of its paid data auditors.

We would note that crowd sourced rating systems are an ever-evolving tech problem in their own right (and subject to gaming, spam, etc) and hence, trust rating and score maintenance may be best provided by multiple market actors and tech platforms.

4. Comments & Complaints on Data Fiduciaries are Public, Aggregatable Data

…so 3rd party actors and civil society can act on behalf of users.

A privacy framework will not change the power dynamics of our society overnight. Desperate people in need of money will often sign over almost anything, especially abstract rights. Additionally, individual citizens will rarely be able to see larger patterns in the behaviour of lenders or other data fiduciaries and are ill-equipped to fight for small rewards on behalf of their community. Hence, we believe that user ratings and complaint data about data fiduciaries must be made available in machine-readable forms not only to the State but also to third parties, civil society and researchers so that they may identify patterns of good and bad behaviour, acting as additional data rights watchdogs on behalf of all of us.

5. Warn of Potential Credit and Reputation Hazards

We are concerned about the rise of digital and mobile loans in other countries in recent years. Kenya – a country with high mobile payment penetration and hence like India one that has become data rich before becoming economically rich – has seen more than 10% of the adult population on credit blacklists in 2017; three percent of all digital loans were reportedly used for gambling. These new loan products were largely made possible by digital money systems and the ability of lenders to create automated risk profiles based on personal data; they clearly have the potential to cause societal harm and must be considered carefully.

Potential remedies to widespread and multiple loans are being proposed (e.g. real-time credit reporting services), but the fact that a user’s reputation and credit score will be affected by an action (such as taking out a loan) must also be known and understood by users. For example, users need to know that an offered loan will be reported to other banks and that if they don’t pay, they will be reported and unable to get other loans.

Furthermore, shared usage-based patterns – such as whether a customer pays their bills on time or buys certain types of products – must be available for review by end users.

6. A Right to View and Edit Inferred Personal Data

The Machine Learning and AI community have made incredible strides in computers’ ability to predict or infer almost anything. For example, in 2017, a babajob.com researcher showed the company could predict whether a job seeker earned more or less than Rs 12000 / month with more than 80% accuracy, using just their photo.  She did this using 3000 job seeker photos, 10 lines of code and Google’s TensorFlow for Poets sample code.  Note the project was never deployed or made publicly available.

As these techniques become ever more commonplace in the years to come, it’s reasonable to assume that public facing camera and sensor systems will be able to accurately infer most of the personal data of their subjects – e.g. their gender, emotional state, health, caste, religion, income – and then connect this data to other personally identifiable data such as a photo of their credit card and purchase history. Doing so will improve training data so that systems become even more accurate. In time, these systems – especially ones with large databases of labelled photos – like the governments’, popular social networks’ or a mall’s point of sale + video surveillance system – truly will be able to precisely identify individuals and their most marketable traits from any video feed.

Europe’s GDPR has enshrined the right for people to view data inferred about them, but in conjunction with the idea of a third party consent dashboard or Account Aggregator (in the RBI’s case), we believe we can do better.

In particular, any entity that collects or infers data about an individual that’s associated with an identifier such as an email address, mobile, credit card, or Aadhaar number should make that data viewable and editable to end users via their consent dashboard.  For example, if a payment gateway provider analyses your purchase history and infers you are diabetic and sells this information as a categorization parameter to medical advertisers, that payment gateway must notify you that it believes you are diabetic and enable you to view and remove this data. Google, for example, lists these inferences as Interests and allows users to edit them:

Using the Consent Dashboard mentioned in Major Comment 1, we believe users should have one place where they can discover, view and correct all personal and inferred data relevant to them.

Finally, more clarity is needed regarding how data gathered or inferred from secondary sources should be regulated and what consent may be required. For example, many mobile apps ask for a user’s consent to read their SMS Inbox and then read their bank confirmation SMSs to create a credit score. From our view, the inferred credit score should be viewable by the end user before it’s shared, given it’s personal data that deeply affects the user’s ability to gain usage of a service (in this case, often a loan at a given interest rate).

7. Sharing and Processing of Health Data

The Bill requires capturing the purpose for data sharing:

Chapter II, point 5:

“Purpose limitation.— (1) Personal data shall be processed only for purposes that are clear, specific and lawful. (2) Personal data shall be processed only for purposes specified or for any other incidental purpose that the data principal would reasonably expect the personal data to be used for, having regard to the specified purposes, and the context and circumstances in which the personal data was collected.”

In the healthcare domain, collecting the purpose for which the data is being shared might itself be quite revealing. For example, if data is being shared for a potential cancer biopsy or HIV testing, the purpose might be enough to make inferences and private determinations about the patient and, say, deny insurance coverage. On the other hand, stating high-level, blanket purposes might not be enough for future audits. A regulation must be in place to ensure the confidentiality of the stated purpose.

The Bill has a provision for processing sensitive personal data for prompt action:

Chapter IV, point 21:

“Processing of certain categories of sensitive personal data for prompt action. — Passwords, financial data, health data, official identifiers, genetic data, and biometric data may be processed where such processing is strictly necessary— (a) to respond to any medical emergency involving a threat to the life or a severe threat to the health of the data principal; (b) to undertake any measure to provide medical treatment or health services to any individual during an epidemic, outbreak of disease or any other threat to public health; or (c) to undertake any measure to ensure safety of, or provide assistance or services to, any individual during any disaster or any breakdown of public order.”

While this is indeed a necessity, we believe that a middle ground could be achieved by providing an option for users to appoint consent nominees, in a similar manner to granting power of attorney. In cases of emergency, consent nominees such as family members could grant consent on behalf of the user. Processing without consent could happen only in cases where a consent nominee is unavailable or has not been appointed. This creates an additional layer of protection against misuse of health data of the user.

Suggestions and Questions

Fund Data Rights Education

We believe a larger, public education program may be necessary to educate the public on their data rights.

Limit Impact Assessment Requirement

Section 33 – Data Protection Impact Assessment —

  • Where the data fiduciary intends to undertake any processing involving new technologies or large scale profiling or use of sensitive personal data such as genetic data or biometric data, or any other processing which carries a risk of significant harm to data principals, such processing shall not be commenced unless the data fiduciary has undertaken a data protection impact assessment in accordance with the provisions of this section. …
  • On receipt of the assessment, if the Authority has reason to believe that the processing is likely to cause harm to the data principals, the Authority may direct the data fiduciary to cease such processing or direct that such processing shall be subject to such conditions as may be issued by the Authority.

We believe that the public must be protected from egregious data profiling, but this provision does not strike an appropriate balance with respect to innovation. It mandates that companies and other researchers must ask government permission to innovate around large scale data processing before any work, public deployments or evidence of harm takes place. We believe this provision will be a large hindrance to experimentation and cause significant AI research to simply leave India. A more appropriate balance might be to ask data fiduciaries to privately create such an impact assessment but only submit it to the Authority for approval once small scale testing has been completed (with potential harms better understood) and large scale deployments are imminent.

Passwords should be treated differently than other sensitive personal data.

Chapter IV – Section 18. Sensitive Personal Data. Passwords are different than other types of Sensitive Personal Data, given that they are a data security artifact, rather than a piece of data that is pertinent to a person’s being. We believe that data protection should be over-ridden in extraordinary circumstances without forcing companies to provide a backdoor to reveal passwords. We fully acknowledge that it is useful and sometimes necessary to provide backdoors to personal data – e.g. one’s medical history in the event of a medical emergency – but to require such a backdoor for passwords would likely introduce large potential security breaches throughout the entire personal data ecosystem.  

Does the Bill intend to ban automatic person-tagging in photos and image search of people?

Chapter I.3.8 – Biometric Data – The Bill defines Biometric Data to be:

“facial images, fingerprints, iris scans, or any other similar personal data resulting from measurements or technical processing operations carried out on physical, physiological, or behavioural characteristics of a data principal, which allow or confirm the unique identification of that natural person;”

The Bill includes Biometric Data in its definition of Sensitive Personal Data (section 3.35) which may only be processed with explicit consent:

Section 18. Processing of sensitive personal data based on explicit consent. — (1) Sensitive personal data may be processed on the basis of explicit consent

From our reading, we can see a variety of features available today around image search and person tagging being disallowed based on these provisions. E.g. Google’s image search contains many facial images which have been processed to enable identification of natural persons. Facebook’s “friend auto-suggestion” feature on photos employs similar techniques. Does the Bill intend for these features and others like them to be banned in India? It can certainly be argued that non-public people have a right to explicitly consent before they are publicly identified in a photo but we feel the Bill’s authors should clarify this position. Furthermore, does the purpose of unique identification processing matter with respect to its legality?  For example, we can imagine mobile phone-based, machine learning algorithms automatically identifying a user’s friends to make a photo easier to share with those friends; would such an algorithm require explicit consent from those friends before it may suggest them to the user?

Notifications about updates to personal data should be handled by a Consent Dashboard, not every data fiduciary.

Chapter IV – Section 25.4 – Right to correction, etc

Where the data fiduciary corrects, completes, or updates personal data in accordance with sub-section (1), the data fiduciary shall also take reasonable steps to notify all relevant entities or individuals to whom such personal data may have been disclosed regarding the relevant correction, completion or updating, particularly where such action would have an impact on the rights and interests of the data principal or on decisions made regarding them.

We believe the mandate on a data fiduciary to notify all relevant entities of a personal data change is too great a burden and is better performed by a consent dashboard, which maintains a record of which other entities have a valid, up-to-date consent request to a user’s data. Hence, upon a data change, the data fiduciary would inform the consent dashboard of the change, and the consent dashboard would then notify all other relevant entities.

It may be useful to keep the user in this loop – so that this sharing is done with their knowledge and approval.

Need for an Authority appeal process when data principal rights conflict

Section 28.5 – General conditions for the exercise of rights in this Chapter. —  

The data fiduciary is not obliged to comply with any request made under this Chapter where such compliance would harm the rights of any other data principal under this Act.

This portion of the law enables a data fiduciary to deny a user’s data change request if it believes doing so would harm another data principal. We believe it should not be up to the sole discretion of the data fiduciary to determine which data principal rights are more important and hence would like to see an appeal process to the Data Protection Authority made available if a request is refused for this reason.

Do not outlaw private fraud detection

Section 43.1 Prevention, detection, investigation and prosecution of contraventions of law

(1) Processing of personal data in the interests of prevention, detection, investigation and prosecution of any offence or any other contravention of law shall not be permitted unless it is authorised by a law made by Parliament and State Legislature and is necessary for, and proportionate to, such interests being achieved.

We worry the above clause would effectively outlaw fraud detection research, development and services by private companies in India. For instance, if a payment processor wishes to implement a fraud detection mechanism, they should be able to do so, without leaving that task to the State.  These innovations have a long track record of protecting users and businesses and reducing transaction costs. We recommend a clarification of this section and/or its restrictions to be applied to the State.

Limit record keeping use and disclosure to the Authority and the company itself.

Section 34.1.a. Record – Keeping –

The data fiduciary shall maintain accurate and up-to-date records of the following

(a) important operations in the data life-cycle including collection, transfers, and erasure of personal data to demonstrate compliance as required under section 11;

We expect sensitive meta-data and identifiers will need to be maintained for the purposes of Record Keeping; we suggest that this Record Keeping information be allowed but its sharing limited only to this use and shared only with the company, its Record Keeping contractors (if any) and the Authority.

Filings may be performed digitally

Section 27.4 – Right to be Forgotten

The right under sub-section (1) shall be exercised by filing an application in such form and manner as may be prescribed.

The Bill contains many references to filing an application;  we’d suggest a definition that is broad and includes digital filings.

This also applies to sections which include “in writing” – which must include digital communications which can be stored (for instance, email).

Request for Definition Clarifications

What is “publicly available personal data”?

  • Section 17.2.g – We believe greater clarity is needed around the term “publicly available personal data.” There are questionably obtained databases for sale that list the mobile numbers and addresses of millions of Indians – would these thus be included as publicly available personal data?
  • We’d recommend that DPA defines rules around what is publicly available personal data so that it is taken out of the ambit of the bill.  
  • The same can be said for data where there is no reasonable expectation of privacy (with the exception that systematic data collection on one subject cannot be considered to be such a situation)

Clarity of “Privacy by Design”

Section 29 – Privacy by Design

Privacy by Design is an established set of principles (see here and in GDPR) and we would like to see the Bill reference those patterns explicitly or use a different name if it wishes to employ another definition.

Define “prevent continuing disclosure”

Section 27.1 – Right to be Forgotten

The data principal shall have the right to restrict or prevent continuing disclosure of personal data by a data fiduciary…

We request further clarification on the meaning of  “prevent continuing disclosure” and an example use case of harm.

Define “standard contractual clauses” for Cross-Border Transfers

Section 41.3.5 – Conditions for Cross-Border Transfer of Personal Data

(5) The Authority may only approve standard contractual clauses or intra-group schemes under clause (a) of sub-section (1) where such clauses or schemes effectively protect the rights of data principals under this Act, including in relation with further transfers from the transferees of personal data under this subsection to any other person or entity.

We would like to see standard contractual clauses clearly defined.

Define “trade secret”

Section 26.2 C – Right to be Forgotten

compliance with the request in sub-section (1) would reveal a trade secret of any data fiduciary or would not be technically feasible.

We request further clarification on the meaning of  “trade secret” and an example of the same.

Author Comments

Compiled by iSPIRT Volunteers:

  • Sean Blagsvedt – sean _@_ blagsvedt.com
  • Siddharth Shetty – siddharth _@_ siddharthshetty.com
  • Anukriti Chaudhari – anukriti.chaudhari _@_ gmail.com
  • Sanjay Jain – snjyjn _@_ gmail.com

Links

Comments and feedback are appreciated. Please mail us at [email protected].

Appendix – Sample User Interface Screens

Link: https://docs.google.com/presentation/d/1Eyszb3Xyy5deaaKf-jjnu0ahbNDxl7HOicImNVjSpFY/edit?usp=sharing

******

AI/ML is not Sexy

One would think that the new sexy in the startup capital of the world is self-driving cars, AI/ML… I got news for you! AI/ML (esp. Machine Learning) is not listed in Gartner’s hype cycle for 2018.

Source: https://commons.wikimedia.org/wiki/File:Hype-Cycle-General.png

This was corroborated on my recent trip to the valley and the US east coast, where I met several investors, founders, corp dev and other partners of the startup community. It was evident that the AI/ML hype which peaked in 2016 & 2017 is no longer considered a buzzword. It is assumed to be table stakes. What you do with AI/ML is something everyone is willing to listen to. Using AI/ML to solve a high-value B2B SaaS problem is Sexy! (Gartner trends for 2018).

As the hype with AI/ML settles down, B2B startups across the globe are discovering the realities of working the AI/ML shifts for SaaS. Many AI tools & frameworks in the tech stack are still evolving and early pioneers are discovering constraints in the stack and creatively building workarounds as they build their products.

Many entrepreneurs are watching the unfolding of the AI/ML hype from the sidelines, wondering about many valid questions like these (and more):

Q: Do I have to stop what we are building and jump onto the AI bandwagon? No.
Q: Are the AI/ML resources mature & stable to build better value products? No, they are still evolving.
Q: Do I need expensive investments in constrained resources? No, not until you have a high-value problem to solve.

B2B SaaS startups go through 2 key struggles: how to find market-fit and survive, and how to stay relevant and grow. And if you don’t evolve or reinvent as the market factors change, there are high chances for an upstart to come by and disrupt you. The iSPIRT entrepreneur playbooks look to help entrepreneurs get clarity on such queries and more. Our goal is to help our startups navigate such market shifts, stay relevant and grow. Our mini roundtables Playing with AI/ML are focused on WhyAI for SaaS discussions in multiple cities. If you or a startup you know may benefit, do register.

The MiniRT Agenda

Seeding & creating an active discussion on Why AI/ML? What is the higher order value being created? How to identify the value & opportunities to leverage AI? How to get started with an AI playground (if not already running)? How to think of data needs for AI/ML investments, How to address the impact on Product & Business… Insights from these sessions are meant to help refine our approach & readiness to leverage AI/ML for building higher order value products. And in doing so building a vibrant community focused around navigating this shift.

Upcoming PlaybookRTs on AI/ML

6-Oct (Chennai) 10 am – 1 pm – MiniRoundTable on WhyAI for B2B SaaS – Shrikanth Jagannathan, PipeCandy Inc
18-Oct (Bangalore) 6 pm – 8 pm MiniRoundTable with Dr Viral Shah on AI/ML Tools & discuss your ML/DeepLearning challenges
27-Oct (Delhi/Gurgaon) 2 pm – 6 pm – MiniRoundTable on WhyAI for B2B SaaS, Adarsh Natarajan, CEO & Founder – Aindra Systems
TBD (Bangalore) – MiniRoundTable on WhyAI for B2B SaaS, (based on registered interest)
TBD (Mumbai) – MiniRoundTable on WhyAI for B2B SaaS, (based on registered interest)

The AI+SaaS game has just begun and it is the right time for our hungry entrepreneurs to Aspire for the Gold, on a reasonable level playing field.

Click to Register for the AI/ML Playbooks Track.

Please note: All iSPIRT playbooks are pro-bono, closed room, founder-level, invite-only sessions. The only thing we require is a strong commitment to attend all sessions completely and to come prepared, to be open to learning & unlearning, and to share your context within a trusted environment. All key learnings are public goods & the sessions are governed by the Chatham House Rule.

Image source: https://commons.wikimedia.org/wiki/File:Hype-Cycle-General.png

Interesting Reads

The slow, light touch of AI in Indian Saas

Why the SC ruling on ‘Private Players’ use of Aadhaar doesn’t say what you think it does

On behalf of iSPIRT, Sanjay Jain recently published an opinion piece regarding the recent supreme court judgement on the validity of Aadhaar. In there, we stated that section 57 had been struck down, but that should still allow some usage of Aadhaar by the private sector. iSPIRT received feedback that this reading may have been incorrect and that private sector usage would not be allowed, even on a voluntary basis. So, we dug deeper, and analyzed the judgement once again, this time trying to disprove Sanjay’s earlier statement. So, here is an update:

Section 57 of the Aadhaar act has NOT been struck down!

Given the length of the judgement, our first reading – much like everyone else’s – was driven by the judge’s statement and confirmed by quickly parsing the lengthy judgement. But in this careful reanalysis, we reread the majority judgement at leisure and drilled down into the language of the operative parts around Section 57. Where ambiguities still remained, we relied on the discussions leading up to the operative conclusions. Further, to recheck our conclusions, we looked at some of the other operative clauses not related to Section 57. We tested our inference against everything else that has been said and we looked for inconsistencies in our reasoning.

Having done this, we are confident in our assertion that the judges did not mean to completely blockade the use of Aadhaar by private parties, but merely enforce better guardrails for the protection of user privacy. Let’s begin!

Revisiting Section 57

Here is the original text of section 57 of the Aadhaar Act

Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, whether by the State or any body corporate or person, pursuant to any law, for the time being in force, or any contract to this effect:

Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.

Now, let us simply read through the operating part of the order with reference to Section 57, i.e. on page 560. This is a part of paragraph 447 (4) (h). The judges broke this into 3 sections, and mandated changes:

  1. ‘for any purpose’ to be read down to a purpose backed by law.
  2. ‘any contract’ is not permissible.
  3. ‘any body corporate or person’ – this part is struck down.

Applying these changes to the section (the phrases in square brackets are the ones read down or struck out), we get:

Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for [any purpose] a purpose backed by law, whether by the State or [any body corporate or person], pursuant to any law, for the time being in force, or [any contract] to this effect:

Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.

Cleaning this up, we get:

Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual pursuant to any law, for the time being in force:

Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.

It is our opinion that this judgement does not completely invalidate the use of Aadhaar by private players, but rather, specifically strikes down the use for “any purpose [..] by any body corporate or person [..] (under force of) any contract”. That is, it requires the use of Aadhaar be purpose-limited, legally-backed (to give user rights & protections over their data) and privacy-protecting.

As an exercise, we took the most conservative interpretation – “all private use is struck down in any form whatsoever” – and reread the entire judgement to look for clues that support this conservative view.

Instead, we found that such an extreme view is inconsistent with multiple other statements made by the judges. As an example, consider the earlier discussion of Section 57 in the order (paragraphs 355 to 367). The conclusion there, in paragraph 367, states:

The respondents may be right in their explanation that it is only an enabling provision which entitles Aadhaar number holder to take the help of Aadhaar for the purpose of establishing his/her identity. If such a person voluntary wants to offer Aadhaar card as a proof of his/her identity, there may not be a problem.

Some pointed out that this is simply a discussion and not an operative clause of the judgement. But even in the operative clauses where the linking of Aadhaar numbers with bank accounts and telecom companies is discussed, no reference was made to Section 57 and the use of Aadhaar by private banks and telcos.

The court could have simply struck down the linking specifically because most banks and telcos are private companies. Instead, they applied their mind to the orders which directed the linking as mandatory. This further points to the idea that the court does not rule out the use of Aadhaar by private players, it simply provides stricter specifications on when and how to use it.

What private players should do today

In our previous post, we had advised private companies to relook at their use of Aadhaar, and ensure that they provide choice to all users, so that they can use an appropriate identity, and also build in better exception handling procedures for all kinds of failures (including biometric failures).

Now, in addition to our previous advice, we would like to expand the advice to ask that each company look at how their specific use case draws from the respective acts, rules, regulations and procedural guidelines to ensure that these meet the tests used by this judgement. That is, they contain adequate justification and sufficient protections for the privacy of their users.

For instance, banks have been using Aadhaar eKyc to open a bank account, Aadhaar authentication to allow operation of the bank accounts, and using the Aadhaar number as a payment address to receive DBT benefits. Each of these will have to be examined for how it derives from the RBI Act and the regulations that enable these use cases.

These reviews will benefit from the following paragraphs in the judgement.

The judgement confirmed that the data collected by Aadhaar is minimal and is required to establish one’s identity.

Paragraph 193 (and repeated in other paras):

Demographic information, both mandatory and optional, and photographs does not raise a reasonable expectation of privacy under Article 21 unless under special circumstances such as juveniles in conflict of law or a rape victim’s identity. Today, all global ID cards contain photographs for identification alongwith address, date of birth, gender etc. The demographic information is readily provided by individuals globally for disclosing identity while relating with others and while seeking benefits whether provided by government or by private entities, be it registration for citizenship, elections, passports, marriage or enrolment in educational institutions …

The judgement has a lot to say in terms of what the privacy tests should be, but we would like to highlight two of those paragraphs here.

Paragraph 260:

Before we proceed to analyse the respective submissions, it has also to be kept in mind that all matters pertaining to an individual do not qualify as being an inherent part of right to privacy. Only those matters over which there would be a reasonable expectation of privacy are protected by Article 21…

Paragraph 289:

‘Reasonable Expectation’ involves two aspects. First, the individual or individuals claiming a right to privacy must establish that their claim involves a concern about some harm likely to be inflicted upon them on account of the alleged act. This concern ‘should be real and not imaginary or speculative’. Secondly, ‘the concern should not be flimsy or trivial’. It should be a reasonable concern…

Hence, the privacy risk in these use cases must be evaluated in terms of the data in the use case itself, as well as in relation to biometrics and the Aadhaar number, in the context of the user’s expectations and real risks. Businesses must evaluate their products and services – particularly those which use Aadhaar – for privacy risks. It is helpful that the UIDAI has provided multiple means of mitigating risks, in the form of Registered Devices, Virtual IDs, Tokenization, QR Codes on eAadhaar, etc., which must be used for this purpose.

What private players should do tomorrow

In the future, the data protection bill will require a data protection impact assessment before deploying large scale systems. It is useful for businesses to bring in privacy and data protection assessments early in their development processes since it will help them better protect their users, and reduce potential liability.

This is a useful model, and we would hope that, in light of the Supreme Court judgement, the Government will introduce a similar privacy impact review, and provide a mechanism to regulate the use of Aadhaar for those use cases, where there are adequate controls to protect the privacy of the users and to prevent privacy harms. Use cases, and an audit/enforcement mechanism matter more than whether the entity is the state, a public sector organization, or a private sector organization.

Note: This is in continuation of Sanjay Jain’s previous op-ed in the Economic Times which is available here and same version on the iSPIRT blog here.

The writer is currently Partner, Bharat Innovation Fund, and Chief Innovation Officer at the Centre for Innovation, Incubation and Entrepreneurship, IIM Ahmedabad. As a volunteer at iSPIRT, he helped define many of the APIs of the India Stack. He was the Chief Product Manager of UIDAI till 2012.

(Disclaimer: This is not legal advice)

Make It ID Of Choice For Your Users

Wednesday’s Supreme Court judgment has upheld not just the constitutionality of Aadhaar but also our right to identity. It also recognises Aadhaar as a tool that fulfils that right. While the founding principles of Aadhaar — privacy and inclusion —were upheld, a few provisions of the Aadhaar Act, including Section 57, were struck down.

Section 57 was an enabling provision for Aadhaar’s use in many contexts. The portion of the section that enables “body corporates and individuals to seek authentication under force of contract” has been declared unconstitutional.

I’d like to open an account with my Aadhaar

As a result, some quarters are concerned that the use of Aadhaar by private firms has been completely prohibited. These concerns are largely unfounded.

The striking down of Section 57 must not be read in isolation. The majority judgment recognises the purposes of identification in other contexts. Section 2(u), when read with Section 8, provides a clear path for Aadhaar authentication and eKYC (know your customer) by regulated private entities. Para 367 explicitly states that a citizen may voluntarily offer her Aadhaar card to anyone as proof of identity.

To put it simply: private entities can request Aadhaar authentication from an individual on a voluntary basis when backed by law.

Furthermore, Government of India (GoI) has confirmed this view that the use of Aadhaar authentication by private entities, when ‘backed by law’, will be permitted and, if required, ‘corrective measures’ will be taken to ensure the same. Given the permissive provisions of the judgment and GoI’s progressive stance, the IndiaStack ecosystem should continue to thrive with Aadhaar and the upcoming Data Protection Bill as strong foundations.

This is important as the private sector spans every industry and accounts for over six crore jobs. Many of these sectors require ID verification by law, and, of late, have used Aadhaar eKYC to dramatically reduce the cost of onboarding and servicing customers — thus enabling them to serve the previously underserved.

This is Aadhaar’s inclusiveness potential at work in the private sector.

So, where does the industry go from here? Many regulated use cases will find that they are backed by laws like the Prevention of Money Laundering Act (PMLA), the Securities and Exchange Board of India (SEBI) Act, and the Information Technology Act.

But the regulators must review the regulations, and ensure they contain adequate justifications so that they can pass the proportionality test.

The judgment has placed the individual at the centre. India Inc will have to pay special attention to getting informed consent. This will strengthen the trust between them and users. Industry must review their products — giving people more ways to prove their identity. They must also improve their protocols to handle authentication failures and other exceptions. These measures will allow the industry to conform to the judgment while improving products and services.

The laws and regulations pertaining to Aadhaar and data protection are new and subject to constant evolution.

The development of rules and regulations for this ecosystem must comply with the Supreme Court judgment, protect user privacy, and reduce the cost of serving the customer. These rules of the game will let companies know how to behave, and users know what to expect. This can only happen through new institutions.

Twenty-first-century technology platforms can’t be built with the support of old-school trade body structures. They need a new kind of industry body, one that is built by new-age players and is responsible and nimble enough to facilitate the twin goals of regulatory compliance and constant innovation. It is time the new-age technology platforms that are at the forefront of India Stack adoption take on this mantle and build an ecosystem that unlocks the full potential of our economy while respecting the law of the land, and protecting the rights of every Indian.

Please note: The article was first published on The Economic Times (https://blogs.economictimes.indiatimes.com/et-commentary/make-it-id-of-choice-for-your-users/)

How To Empower 1.3 Billion Citizens With Their Data

2018 has been a significant year in our relationship with Data. Globally, the Cambridge Analytica incident made people realise that democracy itself can be vulnerable to data. Closer to home, we got a first glimpse at the draft bill for Privacy by the Justice Srikrishna Committee.

The writing on the wall is obvious. We cannot continue the way we have. This is a problem at every level – Individuals need to be more careful with whom they share their data and data controllers need to show more transparency and responsibility in handling user data. But one cannot expect that we will just organically shift to a more responsible, transparent, privacy-protecting regime without the intervention of the state. The draft bill, if it becomes law, will be a great win as it finally prescribes meaningful penalties for transgressions by controllers.

But we must not forget that the flip side of the coin is that data can also help empower people. India has much more socio-economic diversity than other countries where a data protection law has been enacted. Our concerns are more than just limiting the exploitation of user data by data controllers. We must look at data as an opportunity and ask how we can help users generate wealth out of their own data. Thus we propose that we should design an India-specific Data Empowerment & Protection Architecture (DEPA). Empowerment & Protection are neither opposite nor orthogonal but co-dependent activities. We must think of them together, else we will miss the forest for the trees.

In my talk linked below which took place at IDFC Dialogues Goa, I expand more on these ideas. I also talk about the exciting new technology tools that actually help us realise a future where Data can empower.

I hope you take away something of value from the talk. The larger message though, is that it is still early days for the internet. We can participate in shaping its culture, maybe even lead the way, instead of being passive observers. The Indian approach is finding deep resonance globally, and many countries, developing as well as developed, are looking to us for inspiration on how to deal with their own data problem. But it is going to take a lot more collaboration and co-creation before we get there. I hope you will join us on this mission to create a Data Democracy.

Volunteer Hero: Nikhil Kumar

iSPIRT volunteers are strivers. We seek the good for our nation and our ecosystem. We brainstorm, ideate, experiment, build, and evangelize to fulfill our mission of making India a Product Nation. Every volunteer draws us into an ever-enlarging realm of intellectual possibilities and purposeful engagements.

Take Nikhil Kumar for instance. He stepped up almost two years ago to evangelize UPI and handhold its early adopters. He set out to create winning implementations that would put traditional payment systems to shame. Needless to say, this wasn’t an easy thing to do. There was no template to follow. And, most didn’t believe in the potential of this new breakthrough payment system. But this didn’t faze Nikhil. He had chosen his adventure inside iSPIRT and nothing could hold him back.

Today, UPI is a success story. However, that’s not the full story.

Nikhil showed us how to stay cool under fire, to foster affinity, and skillfully navigate diverse opinions amongst many stakeholders. His all-hands-on-deck work ethic came with an ability to take decisive action when the situation demanded it. He showed that a young volunteer can be a visionary with big plans and the capacity to bring them to life. He has set an example for all of us on how to pay-forward and serve a cause bigger than all of us. All this makes him an iSPIRT Volunteer Hero.

iSPIRT Volunteer Heroes – Vivek Raghavan, Rohith Veerjappa, Nikhil Kumar

From tomorrow, Nikhil is shifting gears. He is stepping away from being a volunteer-in-residence. He is taking a few months break. After that, he plans to create a startup. This is great news for iSPIRT. While our India Stack and other technology public platforms create possibilities, it is the products and services that create value. We need all elements of a healthy society – sarkar, samaj, bazaar – to come together to solve population scale problems sustainably. So, we wish him all the very best in this new pursuit of excellence.

All shifts require an adjustment. While Nikhil will remain a part-time iSPIRT volunteer working on WANI, he will no longer be the iSPIRT voice on payments for media, policymakers, startups and financial institutions.

Nikhil’s lasting legacy is that he opened up iSPIRT volunteering for talented under-30 youngsters. Today we have more than a dozen young power volunteers. He has helped all of us see the particular gifts that these young volunteers bring to the cause. His spirit will live on!

By Sharad Sharma, Pramod Varma and Sanjay Khan Nagra for Volunteer Fellow Council

It takes time to build something successful!

Since the second edition of SaaSx, I have never missed a single edition. The 5th edition – SaaSx was recently held on the 7th of July, and the learnings and experiences were much different from the previous three that I had attended.

One primary topic this year was bootstrapping, and none other than Sridhar Vembu, the CEO and Founder of Zoho, was presenting. The session was extremely relevant and impactful, more so for us because we too are a bootstrapped organisation. Every two months of our 4.5 year-long bootstrapped journey, we have questioned ourselves on whether we have even got it right! If we should go ahead and raise funds. Sridhar’s session genuinely helped us know and understand our answers.

However, as I delved deeper, I realised that the bigger picture that Sridhar was making us aware of was the entrepreneurial journey of self-discovery. His session was an earnest attempt to promote deep thinking and self-reflection amongst all of us. He questioned basic assumptions and systematically dismantled the traditional notions around entrepreneurship. Using Zoho as an example, he showed how thinking from first principles helped them become successful as a global SaaS leader.


What is it that drives an entrepreneur? Is it the pursuit of materialistic goals or the passion to achieve a bigger purpose? The first step is to have this clarity in mind, as this can be critical in defining the direction your business would take. Through these questions, Sridhar showed that business decisions are not just driven by external factors but by internal as well.

For example, why should you chase high growth numbers? As per him, the first step to bootstrapping is survival. The top 5 goals for any startup should be Survive, Survive, Survive, Survive, Survive. Survival is enough. Keep your costs low and make sure all your bills are paid on time.  Cut your burn rate to the lowest. Zoho created 3 lines of business. The current SaaS software is their 3rd. They created these lines during their journey of survival and making ends meet.


Why go after a hot segment (with immense competition) instead of a niche one? If it’s hot, avoid it, i.e., if a market segment is hot or expected to be hot, it will be heavily funded. It will most likely be difficult to compete as a bootstrapped organisation and is hence avoidable. Zoho released Zoho docs in 2007, but as soon as he realized that Google and Microsoft had entered the space, he reoriented the vision of Zoho to stay focused on business productivity applications. Zoho docs continues to add value to Zoho One, but the prime focus is on Applications from HR, Finance, Support, Sales & Marketing and Project Management. Bootstrapping works best if you find a niche, but not so small that it hardly exists. You will hardly have cut-throat competition in the niche market and will be able to compete even without heavy funding.

Most SaaS companies raise funds for customer acquisition. Even as a bootstrapped company, customer acquisition is important. As you don’t have the money, you will need to optimise your marketing spend. Try to find cheaper channels first and use these as your primary channels of acquisition. Once you have revenue from these channels, you can start investing in the more expensive ones. By this time you will also have data on your lifetime value and will be able to take better decisions.

Similarly, why base yourself out of a tier 1 city instead of tier 2 cities (where talent abounds)? You don’t need to be in a Bangalore, Pune, or a Mumbai to build a successful product. According to Sridhar, if he wanted to start again, he would go to a smaller city like Raipur. Being in an expensive location will end up burning your ‘meager monies’ faster. This doesn’t mean that being in the top IT cities of India is bad for your business, but if your team is located in one of the smaller cities, do not worry. You can still make it your competitive advantage.

Self-discipline is of utmost importance for a bootstrapped company. In fact, to bootstrap successfully, you need to ensure self-discipline in spends, team management, customer follow-ups, etc. While bootstrapping can demand frugality and self-discipline, the supply of money from your VC has the potential to destroy the most staunchly disciplined entrepreneurs as well. Watch out!

And last but not the least – It takes time to build something successful. It took Zoho 20 years to make it look like an overnight success.

This blog is authored by Ankit Dudhwewala, Founder – CallHippo, AppItSimple Infotek, Software Suggest. Thanks to Anukriti Chaudhari and Ritika Singh from iSPIRT for crafting the article.