Aadhaar Notes – Part I: Some Quick Fixes

The Aadhaar (TARGETED DELIVERY OF FINANCIAL AND OTHER SUBSIDIES, BENEFITS AND SERVICES) Act 2016 aims to provide for, as a good governance, efficient, transparent, and targeted delivery of subsidies, benefits and services. While the objectives for the Act are noble, the manner of implementation has been shoddy and it often accomplishes the opposite of what the Act attempts to do.

Much of the debate around Aadhaar and UIDAI often finds the participants occupying extreme ends of the spectrum, calling either for its dismantling it or a flat out refusal to discuss its flaws. This post is an attempt to find a middle ground and discuss concrete steps that can potentially weed out some of the flaws and work towards a more citizen-friendly version.

The Rationale

Systems can be used (independent of the design or intent) in ways that includes or excludes the participants. The primary objective of a welfare program is to ensure that the deserving must get their benefits and, secondarily, it should eliminate, fraud and wastage. A truly inclusive program will not deny the deserving, while working in parallel to eliminate the non-deserving. A program that excludes as a default will result in a lot of the deserving being excluded from the benefit in the pursuit of efficiency over fairness.

As it stands now, the social contract that Aadhaar sets up between the government and the citizens is one where the state considers the citizen an adversary looking to unfairly benefit off it, till proven otherwise, solely on the basis of the existence of an Aadhaar number. This stems from approach that Aadhaar is the solution to a multitude of problems.

Solving problems of identity, authentication, efficiency and transparency require multiple tools and not a single tool. Some of these problems are completely unrelated to the issue of identity. It is more than possible to have a population tick all the boxes to certify efficiency, identity and transparency and still have a lot of the problems remain unfixed even with 100% Aadhaar coverage.

The Crucial Design Flaw

The UIDAI projects the zero-knowledge nature of the core Aadhaar services as a key facet that allows it to guarantee a high level of privacy. This is absolutely correct if you look at it solely from the perspective of the services that UIDAI provides. The flaw is that a service that only authenticates identity cannot guarantee things like efficiency, good governance etc.

Aadhaar alone does nothing to enable this; it depends on the larger ecosystem to provide this, which may or may not be possible using Aadhaar. Thus, claim that Aadhaar in its current avatar will enable it all is incorrect.

Let us take an example of how this works in real life:

Sita is a bank account holder with Example Bank. Bank wants to authenticate if Sita is who she claims to be. They collect and send Sita’s Aadhaar number and verifies it with biometric or SMS OTP to validate that it is indeed Sita who the bank is interacting with.

This is all what Aadhaar provides within the realm of identifying someone. It does not tell the bank if Sita is a great person. It does not tell if Sita can be trusted to pay back her loans etc..

What happens after this between the Sita and Example Bank is of no concern to UIDAI. This design allows UIDAI to not have to deal with what happens further in the loop. They call it the “zero knowledge” interaction. But, at the same time, UIDAI claims that just by its existence the Aadhaar number makes things more efficient and transparent without having any interest or say in how that is being done.

This flaw is glaringly obvious when things do go wrong, as it has happened in the recent spate of data disclosures by service providers across the country. UIDAI washes their hands off these problems as not theirs to solve. The resulting scenario is one where there is a distinct lack of ownership of the data that is collected by service providers.

The service providers only know they need to collect the Aadhaar number of their users. UIDAI will have nothing to do with how the data is collected, how it is used and how it is disseminated. The beneficiaries are left in a situation where, should a problem arise with the seeding where it is mandatory, they risk losing access to services that they were previously legitimately entitled to with no clearly mentioned redressal mechanisms.

Another problem in taking this “Aadhaar will fix everything” approach is that it cannot fix everything.

Let us go back to Sita to see how this can play out.

Assuming Example Bank has already seeded Sita’s Aadhaar number, without any further authentication, they can still provide services in Sita’s name and it will look perfectly legitimate if the service requires only Aadhaar as the key identifier. This is precisely kind of fraud that is most prevalent in India and it is one that Aadhaar, with its zero knowledge model, cannot solve.

On the other hand, it is very much possible that during an audit where Sita’s use of the services are crosschecked with another data source and found to be fraudulent. Based on this alone Sita can be denied services for no fault of hers and there will be little recourse available for her to prove that this is not true.

Lastly, not having an Aadhaar number can result in the denial of a service that Sita is legitimately deserving of otherwise and probably has the documentation to support too. This fails all of the stated goals of Aadhaar and also fails the fairness principle. In effect, you suddenly denying people who are perfectly legitimate and should receive the benefit.

As it stands, the entire process of seeding and how that data is further used is flawed and a growing mess. It needs to be rethought and re-calibrated to address the crucial flaws. Some of the ways in which this can be done:

1. Halt the seeding until a framework is established to ensure all stakeholders are properly educated about how to handle Aadhaar data. Currently, very few people know the entire picture. Even fewer people know what is the correct picture.

The way in which it is being done right now carries the risk of putting the service provider DBs in a state from where it will be difficult to get a clear picture of the linkage between the internal ID and the Aadhaar number. This is a hard problem to solve and needs to be done in a measured manner; unlike the breakneck speed at which it is being attempted.

2. Stop denying services on the basis of no Aadhaar if there are other documents that provide identity. Even the Aadhaar Act itself stresses on the this aspect where people should not be denied access to services if they can prove who they are with other documents.

3. Appoint an external auditor for auditing both UIDAI and the service providers. The idea originally was proposed in this excellent technical paper on Aadhaar: http://www.cse.iitm.ac.in/~shwetaag/papers/aadhaar.pdf

4.  For the current service providers who have seeded with Aadhaar data, audit them to ensure compliance. A good place to start from would be to enforce the AUA checklist for service providers: https://authportal.uidai.gov.in/static/AUA%20Compliance%20Checklist.pdf

5. Set up comprehensive processes and documentation for service providers to ensure that seeding is handled properly. Make it mandatory for seeders to explain in clear terms what is being collected, what happens in the backend and how the data will be used.

6. Publish granular stats in a voluntary manner about state/district/taluk level about Aadhaar(enrolment, auth attempts, auth failures). If the government truly believes in data, then embrace it and use it to better services. Take the ambiguity out of understanding how well is it working. The data is already there: need to make this searchable easily visusalized.

This is a good start, but it needs a lot more of work: https://data.uidai.gov.in/uiddatacatalog/dataCatalogHome.do

7. Have a single location that lists information about valid service providers and the reasons why they are performing Aadhaar seeding. Provide a simple mechanism (email/SMS/toll free number) by which people can verify the details regarding a service provider who is performing the seeding.

8. Initializing seeding should be a clearly defined process. This should be done with a circular from the service provider first, followed by a verification message from the UIDAI that a particular entity has been cleared as a valid seeding partner.

9. Provide a simple means by which an Aadhaar registration center/AUA/ASA can be looked up and validated.

10. Establish guidelines for making Aadhaar mandatory for something. You should not be able to randomly point at something and say, make Aadhaar mandatory for it. Establish SLAs for a region or a service before it can be brought under consideration as a mandatory thing.

11. Introduce penalties for SLAs not being met in Aadhaar-mandatory environments. Make it non-mandatory till the SLAs are not met again.

12. Ensure that service providers are given service specific tokens than just yes/no. Make it illegal to store Aadhaar numbers in any manner outside the CIDR. Ensure they are periodically audited for compliance in storage and dissemination.

13. Educate the customer how enrollment is done, de-duplication is done, auth is done.

14. Educate the customer about their rights. How to ask questions, what to ask questions about. They are completely in the dark right now. So much so that the likelihood that anyone asking for Aadhaar right now will get it easily from the people because they are used to giving it out for everything.

15. Educate the user about consent: at enrollment, authentication.

16. Make the user part of the de-duplication process. There is no visibility the user has in this at the moment.

17. Make the Aadhaar documentation better. There are numerous formats/versions floating around. There is no consistent way of versioning docs, naming them or having a clear location from where you search them, access them or find versions properly.

18. Don’t lose control of domains (uidai.net that used to host services is no longer with UIDAI).

19. Have a comprehensive redressal framework in place.

Edit: Added one crucial point from @kshashi:

20.  Be more open to criticism and researchers studying the underlying technical and policy framework. There are a good bunch of people who work on the right side of the law researching these things. Have them on your side working with you.

Change The Contract

The contract between the state and its citizens is one that is primarily punitive in India. It promotes (and thrives) on fear and attempts to use that fear towards getting people to comply.

Consequently, the average citizen is not invested in helping the state prosper as there is no correlation between the well-being of the state and its citizens. The well-being of the state is considered just an unavoidable cost of living in the country.

A state that is not in the service of its citizens has its citizens preferring to avoid any contact with it (police, courts, offices), if they can help it. The exceptions to this are few. Nearly all interactions are driven from desperation; or are interactions led by the state.

What makes it worse is that the state does not incentivize good behavior. As a bad person, as long as you don’t get caught, you are much better off than the people who behave well. Meanwhile, doing the straight and narrow does not get you anything better than the ones who don’t do the same. In a lot of cases it gets you far less than the ones who don’t go by the book.

This, in turn, incentivizes people towards cutting corners and finding workarounds; turning a whole lot of the population into reluctant crooks. Income tax is a major example of this as for those who pay their taxes honestly, there is an increased risk of scrutiny. On the other hand, the risk:reward ratio makes it worth it for the privileged as the rewards are much higher for them than the less-privileged to dodge taxes.

Incentivizing good behavior is not an approach without its flaws. Every system will be gamed, especially in a country like India. But a gamed system that doesn’t benefit the deserving is far more flawed, compared to a system that benefits the vast majority of people who do the right thing while some still game the system.

If India has to stand any chance to transform itself into a developed country the contract between the government and its citizens has to change. The citizens need to stop fearing the state and know that the state has their welfare as the most important thing.

Anything else — war-on-corruption, cashless economy, poverty alleviation etc. — are small ideas that doesn’t address the core issue. They are just nice themes to rally around, while the rot at the core remains the same.

About Unicorns And Related Things

Monday morning brings with it a post laying out the new ‘strangeness’ in the universe of the Indian unicorns by my former boss, Haresh Chawla. Some of the points, especially the one on doing due diligence, are ones that have bothered me for a while. I mean, even as an outsider, without access to the P&L statements of the companies it is not too difficult to mock up a hypothetical model of the business the investors are putting money into. So, why is it that the landscape seems to be littered with what seems to be strange moves by all parts of the ecosystem, unicorn or otherwise?

Be warned, what is to follow is a mix of personal experience, anecdotal information and lots of conjecture.

The crux of my argument is based on the factors that play an important role in the India story.

Execution

This is the ability of a team, enabled with capital, to execute a product/platform. It means that things work as advertised, as a norm. Whatever does not work is quickly fixed and the state of the system is such that edge-cases are minimal.

In some markets, this ability is determined by the team’s chops at quickly setting up a product operations, in other markets, it means primarily how enabled is the team towards closing key alliances, leads and relationships. In India this factor is particularly important because who you know can make a significant difference in being able to close a deal than the outright finesse of the product of the state of the finances of the start-up.

Market Size Validation

The truly gifted salesman can sell an ice cream to an Eskimo, but not even the most gifted salesman cannot build a big business selling ice creams to Eskimos. Every early-stage business and market makes assumptions about the size of the market it is selling to. The gap between starting a business and the business hitting escape velocity is often marked by the time spent in validating the market size and the long-term margins that can be accrued in selling to that market.

Market Growth Potential

Some markets start small, but given the right conditions, it can grow into substantial ones. A classic case of this is mobiles in India. 15-years-ago, this is a market that barely existed. Today, it is a multi-billion dollar industry. Given the right conditions, can a market grow like this?

Path To Opening Up Market

A market that is large enough or one that has enough potential to grow a lot alone does not mean that you can open up that market. Some will require a lot of capital to acquire users (deep discounting and CoD that did this for Indian e-commerce), others will require regulatory roadblocks to be lifted. There are various paths to getting this done, some are feasible, others are not.

Ease Of Access To Capital

Every business needs money to run and most early stage businesses will always spend more than what they earn. Which means that they need money in the bank to cover for expenses till the tide turns and they can turn at least cashflow positive. Easy access to capital means a lot of undeserving ideas/companies will also get funded, but a lack of it means a lot of good ideas/companies will never get funded.

Operational Efficiency

Operational metrics is key to measuring the health of a company. A company that does not manage to make at least a couple of operational metrics more efficient as the years go by is a big stonking red flag that everyone needs to take notice of.  If you keep needing more and more to do less and less and at some stage the ability to acquire the more is going to run out.

Capital Efficiency

This one is self-explanatory and the classic “how much do you make on your dollar?” question.

Exits, M&A

Investors and founders (especially the former), need an eventual big payday for all the risk and effort they have put into the start-up. A healthy ecosystem needs a regular supply of exits (through IPOs, M&A) for the payoff and also to correct over-leveraged players. Not all exits are of the sexy kind, where founders and investors make lots of money. But even fire sales are necessary to let the early risk takers cap losses. An ecosystem where exits are far and few in-between will struggle to sustain itself in the long run.


The Indian ecosystem, seen through the prism of the above factors, has gone through two cycles so far. For the sake of convenience I will ignore the smaller cycles (the 2008 meltdown, for instance).

 The First Stage (1997 – 2005)

  • Execution was terrible
  • Market size unknown
  • Market growth abysmal
  • Path to opening up market unknown
  • Lack of easy growth capital
  • Operationally inefficient
  • Capital inefficient
  • Unit Economics Is Bad
  • Very few exits, M&A

The Second Stage (2005 – 2015)

  • Execution has improved significantly
  • Market size has been validated
  • Market growth has picked up
  • Path to opening up market is known
  • Plenty of easy growth capital
  • Operational inefficiencies have skyrocketed
  • Capital inefficiency has skyrocketed
  • Unit economics has worsened
  • Exits and M&A has picked up

The key to unlocking the value in the Indian ecosystem is to get all the points to go green. We have improved significantly in execution, validating the size of the market and figuring out how to open up that market. But the two key factors — of improving operational and capital efficiency — are key to the long term well-being of the ecosystem and we are far from being able to crack open those two fronts. It is imperative that we figure out how to do that in the next stage at least.

Through 2015, I had the opportunity to see up close some of the e-commerce operations struggle with extreme inefficiencies. These operations can easily improve margins significantly if they can reduce inefficiencies. But that is easier said than done.

Some of the reasons behind the inefficiencies:

A System That Monetizes Inefficiency

Our famous ‘jugaad’ system ensures that people who can navigate around that can quickly acquire wealth and a significant number of people benefit from the existence of that inefficiency. A component of an ecosystem that brings itself into play in the ecosystem because of its complexity will always strive to increase the complexity in the system as a matter of survival.

Most of the e-commerce companies deal with problems on a daily basis that are in place because of this inefficiency. We have varying tax codes, local laws and levies. Till we get in place an administration that has the political willpower to remove these inefficiencies, it is anyone’s guess when that point in time will arrive when the people who benefit most from the inefficiency will stand to benefit more from an efficient and predictable system.

No Standardization

You would assume that after so many years into the e-commerce revolution in India, there would be a standardized framework of addressing pin codes in India. The funny fact is that there is not one. There are numerous ways of doing this and some of the courier companies even make up their own pin codes. Even where the pin codes are the same, the areas they consider under coverage of a pin code can vary from company to company. There is no standardization on buckets of weights or measurements either.

All this leads to an environment where an apple is not the same apple for everyone. An apple can be various kinds of apples and each shipment of apple takes a conversation with all stakeholders which results in disagreements, disputes etc.

No Experience In Large Scale Retail

The scale of e-commerce possible in India requires prior experience at the scale of what retail is like in North America, where it has been refined to a fine art with decades of experience driving logistics, pricing and marketing. The largest Indian operation on that front, which comes closest is a Big Bazaar, which is tiny compared to the large American retailing operations.

The lack of this experience has resulted in a bonanza for the same sellers across the platforms, while for the customers there is not much in terms of differentiation other than price. Our discounting is also not well thought through, because we don’t understand discounting as well as we should.


All this results in the current strangeness of the Indian unicorn ecosystem. From the investor side, most of the money being put into the market is just what the investors have to put in during each round to stay in the game. There is little to guide them, even in these times, to show what is possibly a good bet. The market is such that someone can easily outspend the top player into a position of dominance as there are really no moats that cannot be overcome with money.

This also leads to the overemphasis on founding teams than pure product in India. A good team in India that can move the wheels faster is always likely to win more than a great product with an inexperienced/not-so-well-connected team.

UIDAI, NIC And India’s Data Security Nightmare

Should the worst happen to India’s official information technology infrastructure, AS4758 is a term that will feature prominently in it. The term denotes a unique name/number (ASN) for a network that is used for routing traffic over IP networks and AS4758 is operated by the National Informatics Center. This prefix represents a vast majority of the servers and sites (the 164.100.0.0 – 164.100.255.255 IP address range) operated by the NIC. Some of the key sites operating from this network include UIDAI, website of the Chief Electoral Officer, Delhi and the NIC Certifying Authority. These three are just a minor part of the vast array of sites and services, that cover everything from the personal information of the citizens of the country, to key information about the government itself.

This post is one that I have been putting off writing for a while. The main reason is that it is not right to identify weak points in our key IT infrastructure in such a public manner. But the fact is that the speed with which we are going ahead to centralize a lot of this information, without thinking through the requisite safeguards is an issue that overrides that concern. Improperly secured, this information is a grave risk to everyone, including the government. And from the evidence seen in public, there is not adequate knowledge or expertise within the system to even take a call on what is adequate security for an undertaking this grave in nature. The secondary reason is the inadequacies of the underlying technology in mining this information. They are immature and not accurate enough and it will lead to a flood of false positives in a system where the legal system itself is under-equipped to make key differentiation when it comes to the evidence that supports the case made by the false positive.

Another point to note is that I am hardly a security expert, the little that I know is what I need to know to keep my applications secure. Whatever I have seen is a tiny percentage of what is available for everyone to see. Information security has become such a complicated and specialized field now that it is no longer good enough to know some of the factors involved in keeping an application and infrastructure secure from prying eyes. I would not dare to certify a client website/application as secure based on my own knowledge. I would rather get a specialized security firm to do that, even if they cost a lot of money. The important bit here is that if I can see these issues, someone with malicious intent can see a hundred other things that can be used to gain unauthorized access.

All Eggs In One Basket

Coming back to As4758, it is a case of keeping too many eggs in one basket. From the outside, it looks like multiple vendors have access to the servers on that network. Forget forcing users to SSL-enabled versions of the sites, most of them don’t even give that as an option. This is true of both the UIDAI website and the Delhi CEO’s website where users have to enter personal information to retrieve more personal information. A compromised machine on the network can easily listen to all network traffic and silently harvest all this data without anyone knowing about it.

A year ago, NISG, which is one of the key service providers for the NATGRID and UIDAI project was running its website on an old Windows desktop (Windows XP or 97, if I remember correctly). Thankfully, NISG seems to have moved to a Linux machine recently. Also, the NISG set-up is not hosted within the NIC’s network, so any the possibility of damage from the machine would have been comparatively lower. Though, we will never know for sure.

That said, even being on different networks won’t provide iron-clad security, if you don’t design networks, access protocols and authentication as the first order of business. Done as an afterthought, it will never be as effective as it needs to be. Agencies often require data from each other to be mashed up (example: overlay UIDAI data over NATGRID data) and this is often managed at the protocol level by restricting access by IP. In the hypothetical case of the NISG server being allowed access to UIDAI data and the former is compromised, you have a scenario where even the most secure UIDAI data center will leak information due to compromise in another network.

Cart Before Horse

A moot point here is the assumption that the UIDAI infrastructure is secure enough in the first place. An NISG requirement for a data center security and risk manager position does not give us confidence in that assumption one bit. As the saying goes, the chain is only as strong as its weakest link and in this case, it seems that security is an afterthought. Part of the problem is that there is not enough experience within the government machinery to even determine what is secure enough. A simple rule about getting work done by someone is that you need to know, better than the person you are engaging to get that work done, what you are looking to get done. We just don’t have that in place in India at the moment.

These systems need to be designed primarily with security in mind and that does not seem to be the case. My fear with these systems is not as much that the government itself will misuse the data (which is a valid and important concern for me), but that it will be quietly pilfered away by foreign players and nobody would know about it. Having such information about all of the citizens of a country opens up millions of avenues for the malicious players to recruit people to their cause as all those people become potential targets to blackmail. Since we are going to collect information about everyone in the country, the potential of who can be blackmailed can range from the richest and most powerful, to the poorest and the weakest. And the best part is that what exposes people to blackmail need not even be illegal behaviour, it can be perfectly legal behaviour that affects social and professional standing of an important person.

We are going to present all of that information to interested parties with a nice bow on top.

Access, Identity, Authentication, Logging

  1. Any secure system will require you to control access to the resource as a whole and/or parts of the resource itself. This planning has to start from physical access to the core and nodes that access the core and it has to then take into account the applications that will provide access to the information and the applications that will access this information from the nodes.
  2. Any secure system will have a clear policy in assigning identities to people who can access those resources. This needs to be consistent across the core and the nodes. This makes the system rather inflexible and a pain to operate, but it is necessary to mitigate even the weakest of attacks.
  3. Any secure system will clear mechanism of of authenticating the identity of a valid user in the system. There cannot be any backdoors built into such a system as it has been proven time and again that the backdoors become a point of major weakness over time.
  4. Any secure system will log all actions at all levels in the system and establish triggers for any out-of-band activity that covers even legitimate use.

The above four points are just an amateur attempt by me at defining the outlines of a reasonably secure system. A proper attempt at this by a real security professional will have a hell of a lot more of points and also go into a great deal of detail. But these points should give you a rough idea about the complexity involved in designing security for systems like these. You simply cannot slap on top security as an afterthought here.

Mining Nightmares

Which brings us to the issue of accuracy in data mining for initiatives like NATGRID.

Personally, I do believe that there is a valid case for governments to either collect or have access to information of any kind. What I do not like is unfettered collection, mining and access and zero oversight on any of those processes.

The reason why mining big data as a sort of Google search for suspicious activity is a terrible idea is simple. It does not work accurately enough to be of use in enforcement. The same technology that results in mis-targeted marketing phone calls and the tech that serves you ads that are irrelevant to you are the ones that are going to be used to determine whether a person or a group of people are likely to do bad things. Even in marketing or advertising it works with an appalling rate of failure, using it in intelligence, surveillance and enforcement will lead to an ocean of false positives and wind up putting a lot of innocent people behind bars for no good reason.

Even worse is the fact that legal system itself has such a weak grasp on these matters that appeals are likely to fall on deaf ears as the evidence is likely to be considered the gospel as there is no understanding available within the system that can say it is not the case. And then there is the potential for real abuse — not limited to planting evidence through spyware — that can ruin lives of anyone and everyone.

Conclusion

Our approach to security and centralized information collection is terrible beyond what can be expressed in words. It needs to be stopped in its tracks and reviewed closely and should be redesigned from the ground-up to keep security as the first objective and data collection as a final objective. We need to codify access laws to data collected in this manner and ensure that all of it does not reside in a single place and access to a complete picture is available only in the rarest and most exceptional of circumstances. What is happening right now is none of that and I am afraid we will find that out in the most painful manner in the coming years.

About The Imminent Online Future Of Indian Media

NYT’s India Ink takes a swipe at that contentious topic of the future of media in India, seen through the eyes of an emerging online media scene in India. The post covers interesting aspects of the problem and is well worth a read, but it also misses a few key points.

For one, niche, experimental new media websites are hardly a new thing in India. In some ways, we have been ahead of even the western markets on that front. There used to be this fantastic (but way too costly to run) product called The Newspaper Today from the India Today Group and the first incarnation Tehelka was another of these experiments. Now, if you consider that, both were products from the 2000 – 2003 period, you will realize that our experiments in the space go that long back.

I was involved with both products for very short periods of time early in my career and I went on to work at digital operations of many other media companies after that. The idea that good content, somehow, will change the game was a popularly held misconception then and it remains the same even now and someone is bound to revisit that theme every couple of years, only to go home pretty singed by the whole experience.

Secondly, it is not the quality, but the cost that makes the proposition rather untenable in India. It costs way too much to create even less-than-average content here (points tackled in a bit more detail in an earlier post here), creating good quality content, on the lines of a daily, is even harder and costlier. The concept has been a first love of sorts for me, since content and journalism is where I started my career, and every now and then I wonder if I should try doing a venture there. By the time I am done with even the most basic financial models on it, the stark reality always holds me back.

Thirdly, the myth of the booming class of novueau-riche Indians who are dying for quality English content is something that is created by people like me who want to read more of this type of content and imagine ourselves as a growing tribe. Let me break it to everyone, we are not a growing tribe. We are a vocal, somewhat visible group given to group-think and internal amplification like any other group. Unfortunately, the group is so tiny that most niche online publications in India consider even half-a-million page views in a month as an excellent month.

Lastly, it is not impossible to have a growing, scaleable online content business in India. It will be in a non-English language, with content that probably won’t appeal to the upper class and it will need the backing of some really good investors who are patient enough to put money into a team and a business that will take 3-5 years to bootstrap properly.

P.S: Ironically, one of the people interviewed in the post, P V Sahad of VCCircle, was a colleague at The Newspaper Today. He’s one of the smarter guys in the business who realized early enough in the game that there is no money in doing content if you want to do a lot of it.

Go West, Young Man And Other Tales From The Entrepreneurial Crypt

Washington is not a place to live in. The rents are high, the food is bad, the dust is disgusting and the morals are deplorable. Go West, young man, go West and grow up with the country. — Horace Greeley

The context maybe different, but the theme — that the fight is simply not worth it here, aim for the Western market — is a recurring one in the digital entrepreneurial space in India. The difficulties in starting up in India are well known and documented. The most recent notable one was Dev Khare‘s ‘The Silent Killers of Startup Growth‘.

The popular thesis seems to be that it is better not to build a product specifically aimed at the Indian market, but at the global one. This thesis is backed by the two kinds of proof – the first being the success story of Wingify and the second being stories like Linea, which, reportedly, has raised $4 million recently. An app like that would not stand any chance in India, no matter how well executed it may be.

The problem has different parts:

1. Lack of funding.

2. Lack of an existing market.

3. Lack of exits, M&A activity.

4. Product DNA that’s not tailored to the Indian audience.

Most of these factors actually compound each other, so the effect is rather drastic on both activity and perception of the market.

But, Hold That Thought

The story is not all of gloom and doom, as shown by the SAIF Partners’ story. The fund, apparently, made 4x returns on their first fund and are on course to do a 5x return on their second fund. Not bad for a country that seems to be a bad bet for entrepreneurs, eh?

The devil, though, in any story (positive and negative) is always in the details. SAIF’s portfolio is not limited to digital and it is spread across different domains. They also struck out with iStream, which recently shut shop and the prospects for the e-commerce plays are not too bright at the moment (Zovi maybe an exception due to their manufacturing background).

Even then, their willingness to make big bets across sectors and have more hits than misses in a market like ours is remarkable. And, having met the team couple of times, I have to say that they are very approachable and low key.

Let us be honest. The Indian story is not a straight forward one. As pointed out rightly by Archit Gupta on a Hacker News thread, success here can often be about having the right connections. A good product and a great team addressing a potentially huge market opportunity is absolutely no guarantee of success here. Connections, above everything else, matters.

Even when corruption and regulation are not determining factors, who you know in a company and how much you can influence them is more critical to closing a sale here often than having an excellent product. Unfortunately, it is also reality that we cannot choose to ignore if we have to grow in the market.

The way out of this morass is neither simple nor easy. There are some really excellent people in every part of the ecosystem who are good and who are looking to good, but they are nowhere close to being empowered to do it. For all of us who care enough, it is imperative to make all the changes we can make, even if it looks hopeless. It is even more important for those who are in influential positions to make this change.

It will take time, it will be hard, but we can break this wall down, one brick at  a time.

Please Don’t Stop The Music

And just like that Flipkart announced the demise of the Flyte, their digital music offering. And the numbers are pretty damning. 100K paying customers is not a great number, when you consider that even a single track purchase at Rs.5 can be considered as a paying customer and we don’t know the detailed breakup of the numbers.

The biggest downside of this development is that it will now set a sort of benchmark at 100K users for any paid digital content product in India, at a really low ARPU. This will have a pretty damning effect on anyone who is looking to get into this segment as Flipkart’s failure will loom large for a long time to come; at least until the fundamentals of the market changes.

While it is hard to figure out what exactly caused Flipkart to shut Flyte down within a year (sorry, no insider info), from the outside, it would seem that the company miscalculated the market size and costs. The product probably made sense two-years-ago when it was critical for the company to widen its base of offerings and topline; much has changed (drastically) since that time.

Even when you keep aside the licensing costs (the minimum guarantee mess), it still costs a lot to deliver the product. Going by NBW’s 2.5 million downloads/100K users number and Medianama’s Rs 9-12 ARPU, the revenue barely touches Rs. 1.5 crore. Another, slightly more liberal, calculation does not push the revenue over Rs. 3 crore for the same time period. Even the most optimistic scenario barely covers the licensing cost, in a segment rife with issues in hitting hyper growth.

None of this should have come as a surprise to the company, as these are well known facts about the digital goods market in India. What has changed is the outlook in the primary business Flipkart is in and the bleak prospects there. With their road ahead firmly set (grow massively big or die quick), they can’t afford to be in niches that won’t enable hyper growth. Flyte seems to be the first casualty of that.

And, oh, incidentally, if you think the Spotify clones are doing any better out here, you are mistaken. They have to pay per stream (at least the cases I know of), monetization is scant and some are already looking for more money to sustain themselves in the long run.

 

Data On The Move: Lava W150 + Tata Indicom 32GB Plan

If you move around a lot, being able to access data on your phone alone won’t cut it for long. There is the option of tethering your phone for that, but it eats up your phone battery pretty quickly if you are dependent on the phone for things other than using it as an access point.

After trying out various approaches — dongles, tethering — I have figured that the optimal solution is to carry one of those pocket wifi routers. They cost little and tend to be stabler than tethering your phone and saves you the trouble of installing drivers and horrible dialer software that data dongles usually require you to do.

I had picked up the Lava W150 in November 2012 along with a Tata Indicom (Docomo for the rest of India) dongle. The device is Huawei-made and branded as Lava (as it is the case with most of the cheap Indian phone devices these days) and runs embedded Linux.

The Web admin UI is powered by the GoAhead Web Server and it provides for a advanced options. It is not the most user-friendly experience that you can have, but it does its job quite well, even if it has a bad habit of restarting everything for major configuration changes.

The device is only one part of the data-on-the-move equation, the other (and the more important part) is finding a data plan that won’t ruin you. I have a preference here for pre-paid plans as my usage is erratic and I don’t want to pay a fixed high amount for capacity that I’ll rarely use.

The golden rule with pre-paid data plan pricing  is that you have to hit the road and find out from the vendors what is the best available plan. The ones that companies advertise online is not often the best ones out there and I went looking for 30 GB for Rs 5000 plan and found one that gave me 32 GB instead.

The other issue with picking a provider is knowing your travel pattern well. The overall coverage and quality of coverage differs from state-to-state and provider-to-provider. My strategy is to use Airtel on the phone (2G plan that has a quota of 2GB of transfer every month at Rs 149), Indicom on the pocket router and a backup on the Micromax A73 with a 1.1GB 3G plan on MTNL.

It has been a good experience overall and with controlled usage I have finished only 8 GB of data of the 32 GB that I am allowed. The good thing about the Indicom plan is that it has a validity for a year, so I can probably use it all year at the current burn rate that I have.

India Telco Scenario: Re-living 2005 in 2013

Looks like Airtel’s move to hike the price of its 1GB 2G plan by 25% will soon be aped by other operators. And thus continues the decimation of mobile data (and voice to a lesser extent) in India thanks to policies put in place by various governments of various formulations. We are now in the very unique situation where 3G is too expensive to be used in any reasonable quantities by the masses, so we are now marketing 2G in 2012, which should have been the case in 2005. What a mess.

Due to crazy amounts of money spent on 3G licences, the telcos have no choice but to eke out every possible paisa from the subscribers by hook or by crook. Even at the really expensive prices for 3G data, the telcos won’t recover the money they plonked into the licenses, so reducing the prices is no longer a feasible option for them, even though many attempt to do that by putting in place new plans that have minuscule transfer limits, after which the subscriber is billed at per Kb or per 10 Kb rate, which can easily throw up bills that run into the thousands for the subscriber.

The net result of such adventures is that subscribers get sucked into the trap one large group at a time. Such a scalding puts the subscribers off such services, while the telco balance sheets brighten up a bit for as long as they can keep finding more subscribers to die on the 3G data sword. The data billing process and plans are so convoluted now that we are seeing a new level of innovation in both pricing and products (even though some many alternatively call it dishonest business practices).

Some of the innovations:

  1. Capped high speed 3G connection with an ‘unlimited’ slower connection after the FUP which, for some reason, also puts a billing limit in place.
  2. Cheap volume plans with extremely low validity. Basically, you can’t use all of the data you have paid for within the given time. You’re actually paying more for less, even though it looks otherwise.
  3. 3G connections that bill fallback 2G connections on a per Kb or per 10 Kb basis. There’s no way to track this during normal usage as 3G tower footprint is dicey even within metros.
  4. Airtel also sells 2G plans which reduce in transfer speed after the plan’s limit is reached with ambiguous terms on how they define ‘unlimited’ after that.
  5. It is really hard to use even 1 GB of data in a month on a 2G connection. Most customers I know are underutilizing that data allocation every month. They were already paying more for using less, now they’ll pay even more.

What is even more troubling is that 2G cannot support bulk usage due to limited spectrum, you can already experience this in places that have a high concentration of people using mobile data over 2G in the area covered by the same towers. This is one of those spectacular cases that has failure built into it as a fact.

It is only the government who is capable of altering this terrible state of affairs, but being the party that came out smelling the sweetest of all the involved parties (other two being the telcos and the customers), it will be foolhardy to expect them to alter the course on this front. Which is a real pity as affordable 3G data had the potential to transform our internet penetration scenario. That said, we are in good company in the 3G mess. Over in China, the story is no different with 3G eroding margins for operators, thanks to lousy government policy.

The story, for me, as a consumer is different. I spent the last 3-months of 2012 streamlining my connectivity scenario. I was spending an average of Rs. 4000 per month on data and voice till then and a bit of moving things around has almost halved that amount. I switched to a Rs. 149 per month 2G plan on Airtel (2GB transfer & ‘unlimited’ slow transfer after the cap), changed my plan with a higher upfront payment but a lot of free minutes and messages, picked up a Tata Photon data card with a Rs 5000 for 32GB transfer (validity for a year) plan and stuck to a Rs 1200 plan for home broadband.

Is ‘My Airtel’ App A Hint Of Airtel’s Future?

Text message from Airtel prompting me to upgrade to Android ICS from Samsung.
Text message from Airtel prompting me to upgrade to Android ICS from Samsung.

The image on the left is a message I received from Airtel on the 29th of December, 2012, suggesting that I should upgrade to Android 4.0.4 on my Samsung Android device and it says I should visit the Samsung India website to get the process going. This is interesting for a few reasons:

1. The device has not run stock Samsung firmware after 2010 and for a while in 2011. For the past year and a half it has only run various custom ROMs, mostly various builds based on CyanogenMOD.

2. As far as I know, Samsung India does not have my phone number registered with this device. In fact, I am fairly sure that I have not registered for anything with Samsung India regarding the phone. The phone has never seen a Samsung service center.

3. The obvious suspect is Airtel. The device resides on their network and I have the ‘My Airtel‘ app installed on the device, which has permissions to read phone state, identity, network and location details. It is fairly trivial for the app to gather the required details and suggest an upgrade.

4. The lesser suspect is Google. The phone has always been wired to a Google Account and from that point it can access the firmware number, mobile number, location, carrier details etc. But the message originated from the same source that Airtel uses to send other alerts. Unless there is a formal tie-up between Airtel and Google, this will not be possible.

If it can be confirmed that the Airtel app was used to trigger the SMS, it should give us a hint that Airtel is fairly serious about the app. The app is shown to be in the 500,000 installs range by Google Play and it has a decent number of 5-star reviews. If it now triggers firmware upgrade text messages based on the model/manufacturer, it will be another significant move by Airtel to move out of the ‘dumb-pipe’ trap that telcos are desperate to get themselves out of.

Why do Investors and Start-ups Ignore Small Businesses in India?

Every enterprise, be it micro, small or medium these days have a common set of requirements at the digital level. In an earlier era, office automation or digitization involved the installation of computers and digitization of documents. Today, the story is vastly different and the requirements can be roughly summed up under the following categories:

Connectivity: This covers portables (mobile phones, tablets, laptops), desktops and miscellaneous devices (IP-enabled webcams). They all need to hook up to IP networks (public & private) over wired and unwired networks. As the SaaS slowly makes its way through this space, ubiquitous IP connectivity will become the norm and any solution that will provide a simple, single point interface to manage all of that infrastructure will do really well.

Document & Information Management: This covers content management systems, file management systems, documentation systems (not limited to accounting, shipping and taxation roles), internal and external websites. Current solutions are either at the extreme high end or at the lower end where the integration nightmares put off smaller enterprises. Another neglected fact is that every sector and sub-sector has different requirements that needs solutions tailored to its needs.

Storage & Disaster Recovery: Network-attached, role-restricted devices and services are again non-existent at a lower price level or unaffordable at the higher end. Most of the smaller companies I have interacted with badly need a plug-and-play solution that has an optional cloud component.

Communication: Email, collaboration and IM servers and services. Needs range from simple email to secure web conferencing at the higher end. Various pieces of this exist in the market right now, but there is again no single easy-to-use managed service.

Business Intelligence: I am really surprised that something like ActiveCell for India does not exist in the market. A significant chunk of the SME/SMB space has decisions driven by instinct than information. If it can be packaged and made to work right, the opportunity is considerable.

There are obvious challenges to addressing the small business space, especially in India, the usual bugbear of payments being only one of the significant problems. But the transition to a younger leadership in the space is also changing the game. From a generation of leaders who were unfamilair with technology or computers, we have transitioned to a world where a sizable chunk of the leaders now have Blackberries and are familiar with various digital products.

Another important fact is that to make selling to SMEs in India is not just a case of running another A/B test or a smart Adwords campaign. The one thing that works well for sales in the segment is boots on the ground and as amply demonstrated by the success of Naukri.com, it is not a challenge that cannot be overcome.

In 2013, I am hopeful that we’ll see more action in this space both from investors and entrepreneurs.