
Digital public infrastructure can bring enormous benefits – or pose significant risks. Safeguards make the difference.

In today’s digital age, technology is the ultimate double-edged sword – holding the potential to benefit or harm, to uplift or undermine. Its true impact on individuals and society lies in the choices we make in its design, deployment, and governance. Amidst this technological balancing act, digital public infrastructure (DPI) offers a pathway to harness digital power for public good.

DPI is centered around an approach to digital transformation that, when harnessed thoughtfully and governed in the public interest, can act as a catalyst for immense positive change. Already, we have seen DPI’s ability to close longstanding inclusion gaps by expanding economic participation and broadening access to vital services and opportunities. 

But as the DPI movement gains steam, it is essential for builders and adopters to anticipate and address the risks of potential negative impacts up front. While these risks can seem daunting, examining them early and often allows us to design processes and make informed decisions that ensure ongoing monitoring and improvement. And, at the same time, this will ensure we can responsibly realize DPI’s potential to improve people’s lives.

So, how do we avoid a digital dystopia? First, by painting the picture.

To get a sense of the necessary safeguards and guardrails, we first need to build a holistic understanding of all the risks that can derail the development of good DPI. The UN Tech Envoy’s Safe DPI initiative offers a starting point. Powered by a consultative process with global experts from the private, public, and civil society sectors, the initiative aims to establish guardrails for the safe and inclusive implementation of DPI. Our CEO, Priya Vora, has helped steer the initiative as a high-level advocate and co-chair of the Governance Working Group.

As the first in a series of reports the initiative will produce, the interim Safe Digital Public Infrastructure (DPI) report offers early findings on the opportunities presented by DPI and notes the urgent need for guardrails. The report highlights a crucial challenge, that “improperly or inappropriately designed and implemented DPI may result in risks at all scales of social organization: individual, community, institutional, regional, national and global.” The initiative identified three primary categories of risks: normative risks (related to human rights violations, such as discrimination and exclusion); organizational risks (arising from institutional failures, like lack of transparency and accountability); and technical risks (such as systems failures and security vulnerabilities).

Outside of the UN’s Safe DPI assessment of risks, skeptics have also flagged the risks inherent in the fact that DPI, as manifested today, is most often under state control. As such, these systems have the potential to facilitate government surveillance that could lead to privacy violations, strip people of their fundamental rights, and fuel abuse of power.

Like any technology-based system, DPI systems are also vulnerable to cyber-attacks, which – on a national scale – can disrupt critical public services and compromise sensitive data. In addition, scholars have argued that DPI choices could point to the emergence of a new “alt big tech” – a term designed to capture the state-backed monopoly of these infrastructures, their data aggregation advantages, gatekeeping functions, and control over technical standards to be followed by all network participants. This concentration of power in state-controlled DPI can stifle innovation, crowd out private sector alternatives, and potentially create an uneven playing field that hinders fair competition in the digital economy.

Today, we have many tools and strategies at our disposal to mitigate these risks.

Through our work with key stakeholders driving DPI adoption, we have identified five actionable ways in which countries can mitigate risks and ensure DPI systems are properly implemented to center on people’s rights and aspirations. These include initiatives that are currently in progress and others that can be activated to create a trusted DPI ecosystem.

1. DPI labs and contextual testing: Setting up dedicated DPI labs or sandboxes allows for the testing of new systems and features in controlled environments before their wider rollout. For example, the Upanzi DPI Lab in Rwanda, part of the Upanzi Network led by Carnegie Mellon University Africa (CMU-Africa) and funded by the Gates Foundation, focuses on creating, testing, and implementing digital technologies at scale. 

It is crucial we continue building and testing new features for safe DPI. Conducting extensive pilot programs across diverse contexts, such as urban and rural areas and among different socioeconomic groups, helps identify potential issues early on. Involving end-users in the testing process is essential to gather real-world feedback and improve the usability of the systems. This proactive approach ensures that DPI solutions are well-adapted to various environments and user needs, ultimately leading to more effective and inclusive digital public services. 

2. Transparency and open data: Implementing a policy of “open by default” for all non-sensitive DPI data and processes promotes transparency and accountability. Regularly publishing detailed reports on DPI performance, usage statistics, and any incidents or challenges keeps the public informed and builds trust in the system. Conducting frequent internal audits of DPI systems, processes, and governance ensures ongoing scrutiny and improvement. For example, India’s National ID system, Aadhaar, has been regularly audited by the Comptroller and Auditor General (CAG) to ensure accountability and transparency. The CAG’s audit revealed critical issues, including privacy gaps and duplication of cards, prompting the Unique Identification Authority of India to address these concerns and enhance the system’s integrity. 

Regular public reporting and an “open by default” approach allow the DPI ecosystem to iterate, improve, and ultimately thrive. Creating public dashboards that display real-time DPI system status and key metrics further enhances transparency, allowing citizens, institutions, and other stakeholders to monitor the effectiveness and reliability of the digital infrastructure. Engaging independent third-party auditors to perform comprehensive assessments on a regular schedule adds an additional layer of credibility and rigor. Additionally, publishing audit results and action plans to address any identified issues demonstrates a commitment to continuous improvement and public accountability. This multifaceted approach to openness ensures that DPI initiatives operate with a high degree of integrity and public confidence.

3. Lessons from physical infrastructure: DPI developers can draw inspiration from large-scale physical infrastructure projects to understand and mitigate risks. Just as these projects conduct comprehensive risk assessments throughout their lifecycle, DPI projects could conduct thorough evaluations of potential cybersecurity threats, data privacy issues, and technological obsolescence. The concept of risk allocation, where risks are assigned to the parties best equipped to manage them, can then be applied to DPI by delegating specific risks to specialized entities, such as assigning cybersecurity risks to expert security firms. For example, the National Payments Corporation of India contracted the cybersecurity specialist firm Lucideus Tech (now Safe Security) to assess and manage cybersecurity risks in preparation for the launch of India’s fast payment system, Unified Payments Interface (UPI).

Similarly, the phased implementation approach often used in large physical projects can be adapted for DPI, allowing for gradual feature rollouts and continuous learning from each phase. Singapore’s Singpass exemplifies this phased approach. Evolving from a simple username and password login system for government websites in 2003 to a comprehensive National Digital Identity platform with over 2,000 integrated services and 4.5 million users by 2024, Singpass demonstrates the clear benefits of gradual expansion and continuous improvement. Physical infrastructure projects also typically include contingency budgets and timelines, a practice that DPI initiatives could emulate by building in buffers for unexpected challenges like system outages or data breaches. 

By adopting these time-tested risk management practices, countries can significantly enhance their ability to navigate challenges and mitigate risks associated with DPI implementations. Given the similarities between physical and digital infrastructures – in their size, purpose, and key actors – historical insights from previous infrastructure eras, including how, and by whom, projects were constructed, managed, and financed can be vitally instructive. 

4. Peer learning and knowledge sharing: Establishing formal channels for countries to share experiences and best practices in DPI implementation is crucial.  Knowledge sharing on DPI saw a significant upswing with India championing it as a flagship agenda under its G20 presidency. Events like MOSIP Connect, which focused on digital identity systems, and ID4Africa, a pan-African movement assisting nations in building robust identity ecosystems, serve as prime examples of peer learning opportunities. Additionally, DIAL’s peer learning workshop for East African countries on data sharing and government service portals exemplifies how such engagements can foster collaboration and knowledge exchange. 

These efforts can be expanded to surface insights on how to expand DPI that is both safe and inclusive. How might this happen? First, in recognition of the importance of DPI as a growth vector for G20 economies, it is critical that the topic of DPI is established as an engagement group – if not a permanent agenda item – under the G20. Such an engagement group could become a hub for rallying practitioners, experts, and policymakers annually under the G20 umbrella. Second, there is a clear opportunity to support regional gatherings in the form of peer learning networks for South Asia, East Asia, and Latin America, providing tailored support and enhancing regional collaboration. Finally, developing case studies and resource repositories ensures that valuable insights are easily accessible, enabling countries to learn from each other’s successes and challenges. An example of such a repository is the ‘DPI Map’ project, built by the Institute for Innovation and Public Policy at University College London.

5. Global standards and oversight mechanisms: Countries must come to a consensus on universal principles for DPI implementation to ensure safety, interoperability, and ethical practices across borders. This includes establishing global standards for data protection, technical interoperability, and cross-border data sharing. The International Civil Aviation Organization’s (ICAO) Document 9303, which standardizes passport requirements globally, provides a model for how universal standards can enhance security and interoperability.

In line with this idea, the G20 Digital Economy Working Group (DEWG) has already initiated discussions on a similar concept. The Indian Presidency had proposed a voluntary initiative aimed at bringing together governments, industry, academia, civil society, and other key stakeholders to synergize global efforts in the DPI ecosystem. Discussions on this could be continued under the next G20 Presidency, held by South Africa. Incidentally, in his opening of parliament address last week, South African President Cyril Ramaphosa highlighted his government’s plan to harness DPI to drive growth and inclusion.

To support these efforts, stakeholders could establish a global DPI oversight body with regional chapters to provide necessary governance and accountability. This multi-stakeholder body could create standardized audit processes for DPI practices and facilitate regular reporting on global DPI governance. International agreements and collaborations could encourage the adoption of these standards, creating a more cohesive global DPI landscape. By implementing these global standards and oversight mechanisms, we can significantly enhance the safety, reliability, and interoperability of DPI systems worldwide.

While there are various frameworks and toolkits available to build and operate DPI, the ecosystem collectively needs more ways to identify and understand the impact of new technologies that significantly shape societies and economies. 

Our actions today will define tomorrow’s digital landscape.

As DPI becomes increasingly crucial for economic development and improving public service delivery, builders and adopters must adopt risk adaptation and mitigation methods. Existing areas of knowledge and insights offer actionable measures. At the same time, builders and adopters need to devise new approaches tailored to the digital realm. Much of this will involve calibrated and iterative feedback cycles, enabling countries adopting DPI to learn and adapt in real time.

Alongside the Safe DPI initiative, our suggestions for rigorous testing, increased transparency, and global standards and oversight mechanisms present additional, complementary pathways to mitigate the risks of DPI. Similarly, by adapting the safety mechanisms and operational processes from many physical infrastructure projects, we can build resilient, inclusive, and trusted DPI that benefits everyone.