Originally posted on Srikanth (@logic)'s old blog on March 7, 2017. Reposted for historical purposes.
Update: This post was written in March 2017. UPI subsequently released v2, but its specifications were never made public.
Multiple sources in the industry we spoke to admitted that it is essentially mandatory, even though the specification is ambiguous; the data is probably used by the fraud and risk monitoring teams of banks. But this mandatory collection of GPS coordinates for every transaction poses a privacy risk.
Old blog post below.
Last month I made an explosive claim based on my reading of the UPI specification (v1.2).
The claim was based on the interpretation that every request made by any UPI app collects the geocode of the user. In a centralized architecture such as UPI, where each request is decrypted at NPCI, this means that any user of a UPI app is constantly sending location information to NPCI (a private body owned by banks and a friend of the state). The claim was never contested by IndiaStack, which meant that UPI, by design, is constantly collecting the geolocation of its users, and that this was being silently accepted by its proponents.
A re-reading by myself after a month (note that none of the IndiaStack "volunteers" bothered to clarify), prompted by another reply, allows me to give the benefit of the doubt that collecting geocodes might not be mandatory, as the specification says that one device.tag is mandatory but does not say which one. The whole thing would be clear if the XSD schemas were published.
The fact remains that nobody cares to respond to fears about privacy, surveillance and regressive terms and conditions, because the products of India Stack form one large monopoly that is friendly to the corridors of power and run by people not willing to be accountable to the public. When a journalist writing the story "Are the terms and conditions of BHIM-Aadhaar anti-consumer or simply anti-interpretation?" repeatedly calls up NPCI for a comment, there is no response.
In addition to the calls for IndiaStack to be free and open, I now make a call for an accountable IndiaStack that responds to technical critique. It should be noted that the specification I referred to was version 1.2, while the UPI platform currently runs on v1.5+. It is only fair that the latest platform specifications be made publicly available before calling for public comments on UPI v2. Unlike the journalist, I have no patience to keep calling people who prefer not to engage. Best wishes for a successful UPI.