Month: July 2017

It’s 2017 and the quality of the average WhatsApp and FaceTime call in Bombay and other cities has gotten better than that of a regular voice call.

There’s also enough anecdotal evidence to suggest regular voice call quality has in fact dropped: voices scrambled or cutting out; calls dropped even when not moving between cell towers.

As operators optimize for data over voice, both with bandwidth and pricing, people will soon prefer calling others over these services than a regular phone call, and soon it’ll be the norm.

This is also exciting because there’s a robust application layer for voice-over-IP (and video over IP); most major messaging applications have or are building voice & video calling capabilities: Skype, Duo, Hangouts, Facebook Messenger, WhatsApp, FaceTime, Slack. Most have easy interfaces to add and remove people to/from calls, message alongside a call, and save these recordings and messages.

As text <> speech tech gets better (not in small part due to work on voice driven assistants), transcribing calls with be easy too. Skype has had an early version of real time translation working for a while now. People can already take and make calls from/to other Apple devices (iPad/Mac), and more messaging apps will likely offer this. And who knows what experiences AR will bring to this.

In an alternate world, operators (carriers/telcos) would have made it easy for third parties to build services on top of regular voice networks. That’s not what happened, though, and they have become dumb pipes. Short of dismantling a neutral Internet, I don’t see how they can become anything other than utilities (not that that is a bad thing).

This also shows how important, no critical, open standards are. None of this would have been possible without a published TCP/IP protocol, so an iPhone on a Vodafone 4G connection in Bombay can make a Whatsapp call to an Android on Wifi in Buenos Aires. Of course each of these video/audio services are closed, non-interoperable, and that will bring with it its own set of problems in the years to come.

A comment I wrote on a post where someone wondered if the sea was what made Bombay special:

It’s the sea. It’s the sea off the slightly rustic beaches at Aksa and Manori and Uttan, and Madh; the sea that stubbornly insists at northern Versova beach that it will not take shit, then switches mood, laps at the fringes of a competing sea of humanity at Juhu, then alternately cools and steams Khar along Carter Road, plays background to a thousand selfies an evening at Bandstand, skulks anonymously under the Sea Link, letting the structure take all the attention. As suburbia turns to City, it’s the sea that runs placidly, featurelessly along Worli Seaface so as to not distract from an art gallery’s worth of sunsets, plays hide and seek with Haji Ali’s approach road, then quite literally defines the graceful queen’s necklace, lets Bombay run a few kilometres to the south before sweeping it back up north and east, creating Apollo Bunder and Gateway and the Tajs and disappearing behind military walls, docks hosting cargo both mundane and not, north north north before finally welcoming the Ulhas river at its flamingo-festooned creek, saying to its waters No matter what you’ve seen inland it’s nothing compared to what you’re going to sweep against every day now.

This long post on the threat to the Internet’s open nature, which we take for granted, is worth every one of the twenty minutes you’ll spend reading it.

The Internet is far more centralized than it was when it began to gain widespread acceptance, with the vast amount of our communication and data routed through a handful of companies. Access to the Internet is also a lot more concentrated than one commonly thinks. Finally, as it becomes a utility, the Internet has attracted more regulation than before, not always in individuals’ favour.

Lawmakers in the United States are bent on dismantling net neutrality (which would make Internet access a lot like cable TV). China has made ‘unauthorised VPNs’ illegal. The Indian IT Act’s notorious section 66A (struck down, but not quite) has been used to arrest people who’ve done nothing more than ‘like’ a Facebook post.

It’s important we understand at a high level how access to the Internet works. It’s just important we look at how the telephone, radio and television industries – the previous dominant communication media – became highly protected oligopolies, so we can guard ourselves against the same happening to the Internet.

Personally identifiable information (name, bank account, aadhaar number among others) has been leaked a number of times from government websites (“Details of over a million Aadhaar numbers published on Jharkhand govt website“) and from companies with Aadhaar-based eKYC (“Jio users’ names, email addresses & more leaked online, but it is in denial“).

Because these departments and companies have gotten this information from the UIDAI’s Aadhaar infrastructure, calls for de-linking Aadhaar from other customer accounts grow stronger with every leak. This is barking up the wrong tree:

1. In Reliance Jio’s case, the company (likely registered as a KYC User Agency, KUA) requested data from UIDAI’s Aadhaar database by sending it the customer’s Aadhaar number. The customer then signalled his/her assent by having a fingerprint scanned and sent to UIDAI, which verified it and then sent Jio the KYC data packet. This packet has the personally identifiable information in question – name, date of birth, gender, phone, email, address and photograph – which serves as proof of identity and address, and which has since been leaked. (see Aadhaar eKYC API 2.0 specification, PDF)

I don’t see why any company that registers itself as a KUA to perform an eKYC should receive this data about the customer. UIDAI ‘knows’ the customer, and Jio (or any other company performing eKYC) trusts UIDAI. The KUA gains nothing from keeping its own copy of the data other than automatically filling in its customer profile. KYC is completely different from customer signup; data from one shouldn’t be used for another. As a customer I may want to give such entities a different phone number or email address than the one on record with UIDAI (which is likely my private, primary one).

The Authentication API (which returns a yes/no answer to prove identity) can be extended for KYC purposes: for example, whether a customer is 18 and over – to sign up for a SIM card – is also a yes/no question that UIDAI can answer. Nothing is gained by sending the KUA the exact date of birth.

2. Even if the entity receives no personally identifiable information (PII) from UIDAI, it still has the customer’s Aadhaar number, linked to a customer profile. When that data is breached, the customer’s PII and Aadhaar number are now public. Ideally, that shouldn’t be a security risk; any transaction involving Aadhaar requires either an OTP to the registered mobile number or a biometric scan as authentication. Simply showing up with an Aadhaar card is no proof of identity, nor is it meant to be – that is why the Aadhaar card is printed on simple paper and not on a smart card with a PIN – it’s laughably easy to forge an Aadhaar card because possession means nothing.

It turns out though that this isn’t widely known or understood in India. Therefore an Aadhaar card’s treated just like a driver’s license or voter ID card or PAN card: if the photograph on the card matches the holder’s, it’s taken as proof. This – a fundamental misunderstanding of how Aadhaar’s designed to work – is why such a data leak is problematic.

It is this misunderstanding we should tackle, not the linking of Aadhaar to mobile number, bank and other accounts. There are tremendous benefits to having a ubiquitous national ID that is digitally – and only digitally – verifiable – just look at how efficient Estonia’s interfaces to government are; it was the first country to design and issue such digital national cards over a decade ago. Aadhaar’s design in many ways is superior to Estonia’s (which relies on a chip and PIN card). Let’s stop making Aadhaar the bogeyman and identify and resolve the actual problems of misunderstanding and misuse.

Raising money by offering part of your equity and/or profits through ‘initial coin offerings’ is gaining momentum. Companies raised over 600 million dollars through ICOs in June alone:

Here’s a primer on this:

Such a purchase of digital tokens only has value if such a token is central to the company’s business model, else it is little more than toy currency. In other words, the company much be built on the blockchain on which this currency is issued: