Last month I made an explosive claim based on my reading of UPI specification (v 1.2).
— Srikanth ஸ்ரீகாந்த் (@logic) April 2, 2017
The claim was based on interpretation that every request made by any UPI apps collects geocodes of the user. In a centralized architecture such as UPI, where each request is decrypted at NPCI, this means that any user of UPI app is constantly sending location information to NPCI (a pvt body owned by banks and a friend of state). The claim was never contested by IndiaStack, which meant that UPI, by design is collecting geo-location of its users constantly and was being silently accepted by proponents.
A re-reading by myself after a month (Note that none of IndiaStack “volunteers” bothered to clarify), prompted by another reply allows me to give benefit of doubt that collecting geo-coding might not be mandatory, as the specification says one device.tag is mandatory and does not say which one is. The whole thing would be clear if XSD schemas were published.
— Srikanth ஸ்ரீகாந்த் (@logic) May 5, 2017
Fact remains, no body cares to respond to fears of privacy, surveillance, regressive terms and conditions because products of India Stack are one large monopoly, that is friendly to power corridors, run by not willing to be accountable to public. When a journalist writing the story Are the terms and conditions of BHIM-Aadhaar anti-consumer or simply anti-interpretation? calls up NPCI for a comment repeatedly, there is no response.
In addition to calls of IndiaStack to be free and open , I now make a call for accountable IndiaStack which responds to technical critique. It is to be noted that the specification I referred to was of version 1.2, while UPI platform currently runs on v1.5+. It is only fair that latest and greatest platform specifications are made publicly available before calling for public comments for UPI v2. I have no patience like the journalist to keep calling people who prefer not to engage. Best wishes for a successful UPI.