Rahul Matthan on AI, Privacy, and Digital Public Infrastructure

Shruti and Rahul Matthan discuss India’s digital revolution, privacy, and how AI will transform everything.

SHRUTI RAJAGOPALAN: Welcome to Ideas of India, where we examine the academic ideas that can propel India forward. My name is Shruti Rajagopalan, and I am a senior research fellow at the Mercatus Center at George Mason University. 

Today my guest is Rahul Matthan, a technology lawyer and partner at Trilegal. He assisted the Indian government in developing India’s data privacy law. And he is the author of the recent books Privacy 3.0 and The Third Way. We spoke about India’s digital public infrastructure revolution, India’s unified payments system, AI, blockchain, the design issues around India’s NCPI, Aadhaar, privacy, and much more. 

For a full transcript of this conversation, including helpful links of all the references mentioned, click the link in the show notes or visit mercatus.org/podcasts. 

Welcome to the show. Thank you so much for doing this. It’s a pleasure to chat with you, though this is over Zoom, which is appropriate for the book.

RAHUL MATTHAN: Thanks so much for doing this, Shruti. I have listened to Ideas of India for a while, so really, really glad to be here.


RAJAGOPALAN: I want to start with two books of yours, recent books that I have really enjoyed, one is Privacy and the other one is The Third Way.

When I got to the end of both books, to me, it seemed like the real issue is not one of privacy, it is really one of control. It’s a question of not that people want things to be private, but they want to be in control of who can get in or outside of their private sphere. They can choose the boundary. One, the way we formulated the privacy question in India, it is the same boundary for everyone. That is people can’t choose their level of inclusion or exclusion. Second, that the protection is a little bit stronger against private parties than it is against the state. Is this a good way of thinking about what’s happening in India in terms of privacy and the legal framework?

MATTHAN: I guess yes and no. Partly because when we talk about privacy in India, of course, we’ve had the full jurisprudence build through courts over a very, very long time, but we only just have a privacy law. That law has only just been enacted. That law, at the time of this recording, and it may change literally a week after we record, we still don’t know what the rules are. We still don’t have a sense what the regulator is going to do.

In terms of what we have so far, we actually have the opposite, which is we’ve got privacy as a fundamental right, which essentially affects what the state does with privacy. The law that’s going to come is going to prescribe in a little more detail what the private sector does. I think just on that point that at this particular point in time, the private sector they actually have a free pass. They can do whatever they want, and they are currently doing whatever they want.

The state is a little more constrained because the right to privacy judgment actually prescribes the three-fold or the four-fold test, whichever way you think about it, and that applies at this very moment to what the state does as far as privacy is concerned. 

The larger point that you make I think is actually a very deep and profound point, and that’s the question of control. I wouldn’t say that this is a challenge that India alone faces. I think this is a challenge that we face around the world.

As I argue in my first book, that largely has to do with the fact that all the pressure that we feel in the context of privacy is essentially on account of the evolution of technology. From the very first articulation of the right to privacy in the US in that famous article that Brandeis and Warren wrote in one of the very early issues of the Harvard Law Review, that was a reaction to this new technology of photography or portable cameras.

Then if you look through every evolution of technology, essentially that was what was happening, which is that because of the new technology, we were losing control over some facet of our lives that we relied on to be private because this new technology found some new way to invade that privacy. A lot of the privacy legislation, even to this day, is sometimes actually even a knee-jerk reaction to a new technology. We’re seeing it at this very moment with artificial intelligence. Of course, there are many issues with artificial intelligence, but one of the key issues around artificial intelligence is really how it will affect personal privacy.

I think the deeper point that you’re asking is whether it should be granular, whether we should have a more nuanced control. Really difficult question because I think some of these technologies are so difficult to comprehend, to wrap our arms around that even if we did have granular control, I wonder whether the layperson would know how to exercise it. That’s really how complicated it is. If you think about the Cambridge analytica case, that happened because Facebook had this friend-of-friends kind of feature. 

The friend-of-friends feature was such a powerful featureIt was brilliant. We didn’t know that when we allowed that to happen, which was great because I was finding some long-lost friend in a friend’s list of friends. A lot of that made it so beautifully, the friends it threw up, but what we didn’t realize was that it actually gave researchers a very vast pool of data subjects to analyze. That was a deep violation of privacy.

I would say that, look, even though we granted that thinking that it would result in some benefit, unknowingly it resulted in harm, and really this is a feature of all control that we try and exert over the privacy. I think we get better. I think we get burnt a bit. We learn what that means, and then we learn how to deal with it and handle it. That’s the way that it goes.

RAJAGOPALAN: I’m glad you brought up the Cambridge analytical case and the famous Harvard Law Review paper, because to me there are three aspects. One is reputational, which was the core concern of Warren and Brandeis, which is things that I wish to keep private should not get out in the public domain either because I just don’t wish it, or I may suffer reputational costs. Once the genie is out of the bottle it can’t go back in.

The second privacy concern, this is especially post World War II and with the rise of terrorism and the Cold War and so on, was surveillance. That’s the slightly different kind of privacy concern. There it’s not so much a reputational question. The mere act of it is an infringement of privacy. 

The third part of it is the control question, which is I didn’t think this information was private. I actually happily and willingly gave it up to a particular party. I just didn’t realize that I was losing control of it for all participants in the world for all times in the future. That’s why I feel like it might be useful to separate these three because, in my mind, the regulation of these three questions is necessarily different, right?

MATTHAN: They’re also fundamentally intertwined. Of course, the way we think about surveillance, we tend to think about government surveillance, but equally, there is private sector surveillance, which results in what Shoshana Zuboff calls surveillance capitalism, just the entire capitalist economy is oriented towards surveillance, so that other people call it the attention economy, people are vying for our attention.

There is this interrelationship between the nature of technology. There’s a lovely book by Yasha Levine that speaks about this, Surveillance Valley. Essentially, what that book proposes is that everything digital from the very earliest computers were designed for surveillance. Now, of course, we didn’t call it surveillance then. It was designed to know more about you. Yes, I agree that it’s nice to separate the question of privacy into these buckets, but we should also be mindful of the fact that they’re deeply interlinked, and certainly is a very important and essential element to this, but it is linked with all the others.

My real concern with underscoring control to this extent is what I started to say in my previous response. Maybe I can double-click on that to talk about the privacy paradox, which I think makes control so much harder. Essentially, the privacy paradox is that in order to provide your consent in today’s complicated data-driven age, you need to be given so much information. That the amount of information that you need to decide whether you want to exert control or not is too much for any individual to actually process.

On the one hand, for informed consent, every piece of information needs to be given to you, but if I give you every piece of information that you need for informed consent, you would not be able to comprehend it. If you think about that for one service, multiply it by all the tens of hundreds of thousands of different services that we’re using and it’s just an almost impossible scenario.

How do we exert this control? As much as we must have control, is it really meaningful to give us this control? These are really difficult questions. What’s your alternative? Do we allow the private companies or the state departments that are taking our data and processing it and using it, do we rely on them to behave? We know that that doesn’t always happen. These are really wicked, thorny problems, and I don’t know if there are clear solutions to all of them.

The Third Way?

RAJAGOPALAN: I want to pivot to the second book, which is very much focused on the new digital public infrastructure that India has built out over the last decade or so. This space is evolving. 

One of the core things that has been taking place is the question of design in the India Stack versus the question of law to be brought in as regulation. There are two parts, one is tech is regulation, and law is regulation. This has quite nicely highlighted in The Third Waywhich is there are certain types of protocols that are built into, say, Aadhaar and UIDAI and the way they function into UPI, and the way it functions, which naturally keep either privacy concerns at the core, or surveillance concerns or duplication concerns at the core. Whatever technology is not able to accomplish, then the role of law has to come in.

Where do you think we are when it comes to the India Stack? Where are we, where technology has really done most of the work in the protocol protecting the individual versus where are the gaps where the law needs to now start really filling in and cramming in those gaps?

MATTHAN: This is really one of those chicken and egg kind of things. Clearly, in India, the chicken came before the egg because we didn’t have a law, and we had built this digital infrastructure in the absence of a legal framework. Much of the protections that we have to this deeply pervasive digital public infrastructure that’s been in the country now for over a decade and a half, is really the protocols that have been built into the technology.

Maybe I can step back a bit to just discuss that concept. Much of the reason why I call this book The Third Way is because I look to the US way. Anu Bradford has a great book called Digital Empires, where she also has three ways, slightly different ways, but it’s a different lens at the way she looks at it. Essentially, we both agree that the US way is one of the ways, which is a laissez-faire kind of an approach to regulation.

I argue that a lot of what can and can’t be done on the internet and the digital sphere has been left to the private companies to dictate because for the most part, from the dawn of the internet all the way until today, a lot of our interactions online are mediated by private intermediaries. They’re the ones who, through their privacy policies, their terms of service decide, determine what happens on their platforms. The second way, in many ways, is the European reaction, which is regulatory heavy, GDPR is the gold standard as far as privacy is concerned.

In that tension, I started to see two different approaches. One was allow the regulation to be implemented in the way in which the private sector designs its platforms, the other side was force the private sector to design platforms that align with laws. The third way essentially is a meld between these two to try and build those legal principles that are implicit in GDPR, and perhaps, the competition regulations, the Digital Markets Act, the Digital Services Act that’s being still negotiated in Europe, and build some of those things directly into the protocols that we all use.

I think in answer to your question, if we set aside the which came first, chicken or the egg, I think the idea really is to have an underpinning of legal regulation but to have that at the high, principle level. The reason why I say that is because when technology moves so quickly, really hard-coding regulations in we find is actually very ineffective. If you just think about the EU AI Act that we just got agreement on, they had to literally rewrite the whole thing in this last year because it was largely written before generative AI. Over the course of this last year before they finally reached agreement, they had to incorporate elements of large language models and generative AI into the act. By the time it gets enacted into law, who knows what other new types of artificial intelligence will come about. This is a characteristic of all technology.

The point is, to answer your question, I think we certainly should have an underpinning of legal principles, but at a high level, so that it withstands evolutions of technology, which now we’re seeing happens on a 12-month, 6-month cycle. Then where possible, embed those principles into the protocols of the platforms that we use, and have some control over what those protocols should be. Allow the government or the regulator to define the protocols, so that if there is an evolution in the technology, we can amend the protocols so that they, in the context of this new evolution, can still reflect the legal principles that are sort of the umbrella over everything.

Now, this is easier said than done. This is not stuff that regulators, policymakers are trained. Not even lawyers and economists such as you and me, we’re not trained to do this other stuff. This, I argue in the book, is perhaps the new skills that we need to develop. I, sometimes, say trying to rein in technology companies or technology platforms using law is bringing a knife to a gunfight because it’s going to change so quickly that you’re not going to be able to have any effect on there. We’ve seen it with technology after technology. That’s the idea. Perhaps it’s too ambitious, but I think we should certainly start thinking in that direction.

One last thing that I’ll say is that this is certainly not my idea. Over 20 years ago, close to 25 years ago, Lawrence Lessig wrote a wonderful book, literally the dawn of the internet called Code and Other Laws of Cyberspace, where he says essentially the same thing. He says on the internet law is actually defined by code. I just point to that guiding principle and try and interpret some of what India has done through its digital public infrastructure in that context to say that it is possible, these are implementations that reflect some of those principles.

RAJAGOPALAN: I’m glad you did this zoom out. I’ll tell you how I thought about the books. One, I have to say a small quibble, I thought you should have named it “The Fourth Way.” In the comparison between the United States and Europe, I think there’s one more comparison, which is China, maybe Russia, and North Korea. They’re terrible comparisons, no one wants to go that way, but that is another way, and then there is India. Maybe you didn’t want to discuss China because India really has to be in the laissez-faire world, so to speak, somewhere on the spectrum of the free world.

MATTHAN: No, there’s a reason for that. Look, I think Anu Bradford actually talks about the three digital empires, which are the US, Europe, and China. The lens that I took to this, and maybe you’ll disagree, and maybe you’ll say that I’m being too simplistic and perhaps people will not like what I say. In many ways, from the way I’m thinking about it, the US model and the Chinese model are actually quite similar in the sense that the US model—I know you won’t like it. This is not what anyone wants to hear but essentially in my telling of the US model, the governance of the space is very much defined by the way in which the tech companies design their platforms.

The only difference between the US and China is that in the US the private sector has got complete freedom to design their platforms in whichever way they want. In China, once again, all the infrastructure is built out by Alibaba and WeChat. A lot of the infrastructure is essentially private infrastructure. I guess the difference is that the Chinese government has got a lot of say in terms of what those platforms do. That, in the way I see the world, in order to build my argument for techno-legal governance puts China and the US essentially at the side of the spectrum where the regulations are defined through the code of the infrastructure that everyone uses.

Europe doesn’t do any of that. Europe doesn’t bother with the infrastructure. Europe actually spends all its time and effort putting out regulations. 

How the India model differs is that the regulators are actually very heavily involved in designing just the protocols. They’re not dictating what the companies do. They leave the companies, constrained by the protocols that have been defined, to innovate in whichever way they want. I think it was that distinction that—perhaps I failed in bringing that distinction out as clearly as I should, but it is that distinction that I think we have to see as different from both what the US is doing and what China is doing. Of course, there’s a symmetry around three that I wanted to bet. Maybe I’m overfitting just because I like three.

RAJAGOPALAN: I’ll tell you why I might characterize it as four. When I read the way you talked about the United States, to me, that model is one of permissionless sort of technology, and there the thought process very much. If I had to say this colloquially, it’s better to ask for forgiveness than ask for permission. That’s the US model. They work off of penalties that the DOJ or the SECFCC or the FTC or whoever is the relevant regulator might impose and that is that.

The European way has gone the complete other extreme where unless permission is given, you can’t innovate. Which is another reason many people talk about how it stifles innovation, whether it intends to or not, because the process of asking for permissions is very similar to the process of asking for consent. That transactions cost is baked into that model.

The Chinese model, you may not have to ask for permission, but there is no forgiveness in that model because the state controls everything. Here, I think the Indian way is slightly different because there’s a certain amount of permissionlessness baked into the protocol. That is once you are on the stack, there is a certain kind of permissionless innovation and interoperability and things that can take place.

However, there is a meta level where there can be exclusion and people do need permission to engage with the stack. This is, for instance, foreign banks or only licensed banks can have a seat at the table when it comes to certain kinds of digital transactions or a seat on the board of say NPCI and so on. That’s how I’m thinking about it. I thought of it very much from the point of view of what is allowed without permission and what requires permission. That’s the reason I see four shades there.

MATTHAN: I think there are many lenses that we can bring to this and I’m really glad that there are so many different lenses being brought to this because we need to look at it from all these different lenses. I don’t think any one view is correct. Just to elaborate a little bit on the point that you’re making just from the Indian context. I think the protocols tend to be fairly binary because you either can do something or can’t do something. The protocol doesn’t allow shades of gray. Because it’s written in code, it is binary.

I think even though it is permissionless, it’s permissionless in the sense that there are some things you just can’t do. Even if you want to do it, you can’t really try and do something and then ask for forgiveness because the code will not allow you to interact with other people on the same protocol. If the protocol provides a valuable service, there’s no way that you can function in the ecosystem without it. Just take UPI, for example, a payment interface. If you want to interact with someone else that also is operating on UPI, you just have to do it the way the protocol provides for.

I think the essential feature of this is that that protocol isn’t prescriptive in the way that European regulation is prescriptive. European regulation is prescriptive down to a very, very fine degree. GDPR is largely principle-based law, but over time so many guidances and clarifications have been issued, but it is fairly prescriptive down to a very fine degree of granularity. I think that stifles innovation. I’m not saying that Europe stifles innovation. That’s a much larger point to make. I think that by restricting the prescription to a high-level protocol and still allowing innovation down the stack, India has sort of got the best of both worlds, or at least it’s trying to achieve a balance between the two.

In the book, I give the example of one of the innovations which is really, I think an example of how this model really works. In the UPI stack, one of the most deeply used, widely pervasive innovations is the sound box. Essentially a little device that you’ll see in crowded marketplaces, particularly street markets. The moment a digital transaction is made will actually announce that digital transaction in whichever vernacular the shopkeeper uses.

That’s an innovation which is down the stack. You use the same protocol, but you’ve just taken that instruction of the completion of the transaction and spoken it out so that a person who’s not literate perhaps, or perhaps just too busy, maybe literate but just too busy, can actually hear what’s happened. It’s this sort of innovation, there’s no permission required for this innovation. It complies with the protocol. It’s just an extension.

This is the sort of, I think, evolution that India brings us and manages to balance the two. The flip side to this would be if you were not allowed to build a sound box unless you got the permission of the regulator, I don’t know for what reason. Perhaps no one wants to have the details of their transactions spoken out loudly. I don’t know. I’m making things up. If it was something like that, then it would’ve been very difficult to see innovations like the sound box come to fruition.


RAJAGOPALAN: On the specific different levels of the India Stack, I want to get into the specific problems that have been highlighted. Now, Aadhaar is the foundational model of the entire stack. Has that question of the government actually cannot mandate Aadhaar, but it is now, again, the genie has escaped. You can’t put the genie back in the bottle. Everyone is mandating Aadhaar down to the local level. I don’t live in India. I have one of those NRE bank accounts. My bank account wanted me to get an Aadhaar. They still send OTPs in a way that’s exhausting. Every little transaction that one needs to do with an Indian bank account it can be exhausting without the need to be so exhausting.

That first question which was really relevant, say 8, 10 years ago about the mandate. Have we just gone past it? Does it just no longer matter? Or is that still a question that is open and we need to think about it in civil society and we can roll it back in a way that people can say, “Hey, you can’t mandate the Aadhaar and then refuse to give it?”

MATTHAN: Once again, it depends who you ask. Even now here, particularly over DigiYatra most recently. DigiYatra for listeners in the US is this automatic entry into airports which is quite magical when it works, but of course involves connecting your Aadhaar to the software. Most recently around DigiYatra, I’ve heard a lot of renewed commentary around this mandatory nature of Aadhaar.

Just to step back, my own personal experience of this, I have an Aadhaar. I had an Aadhaar not right at the beginning but fairly early on. Personally, I’ve used my Aadhaar twice, used my Aadhaar in the sense actually got myself authenticated on the CIDR, which is really the only official way that you can use Aadhaar. Other than that, you’re just flashing a card, someone’s looking at your photograph and moving through. The only time that I’ve used it is actually to get a little plastic Aadhaar card, which the UIDAI will issue, but other than that, I’ve never been asked to authenticate myself on the CIDR.

What we do get asked a lot is, as you said, for a bank, every now and then, the bank will ask for it. If you’re a director on the board of a company, there are various circumstances where they will ask for your Aadhaar card. Just because it’s my job not out of a point of principle, but just to test whether this is actually the case, I almost always refuse to give my Aadhaar. Maybe it’s because I’m a lawyer with a slightly scary reputation because I work in privacy, I’ve not had to provide my Aadhaar. I guess the only time I would do it is if someone’s asking my mom for her son’s Aadhaar, and I don’t want to put her through the trouble of doing this argument that I do, but other than that, it’s not required.

One final point, I think the place where we used to have to do this was when we go to a hotel because hotels, under local municipal law, are required to take a copy of identity documents. There was a time when hotels would say, “Look, we only want Aadhaar.” What’s happened is that, largely because of all of the privacy pressure, the UIDAI has increasingly enforced this obligation to vault Aadhaar.

It’s there in the Act, but they’ve been implementing it with greater stagnancy. As a result, even photocopies of an Aadhaar, which by actual virtue of the fact that the number is on the Aadhaar, will actually have that Aadhaar number and also all the other demographic information that would link you to the Aadhaar, is now just taking that photocopy and storing it digitally because all hotels just take a photograph using their phone is, in fact, violating the obligation to vault this information.

More recently, I’ve actually found, at least on one instance, a hotel saying, “Please do not give me your Aadhaar card. Can you give me any other form of identity because I don’t want to do this vaulting requirement?” It’s taken a while. I think a lot of these early concerns that we had are being mitigated in different ways. To answer the question whether it is still mandatory, in some circumstances it is, but I think with a little pushback, people move away. It’s certainly not ever prescribed as the only way in which you can get something, with the exception of benefits I think the Supreme Court said that—

RAJAGOPALAN: The public subsidy aspect because that was the whole point of it. Yes.

MATTHAN: That was the whole point with it. The idea was, look, there are people who are double dipping and triple dipping into the benefits pool, and as a result, denying other people access to the benefits and so we need to duplicate that database. That, I guess, is probably one of the only things that, yes, it is still mandatory for. Once again, I think if you ask different people, they’ll have different answers. I can just speak out of my personal experience as well as my experience of how this law has been implemented over time.

One final thing I’ll say is that since the privacy judgment, the right to privacy judgment, and then a lot of the work that’s happened after that, there has been even within government, a renewed appreciation of the constraints that they need to work under given the privacy judgment. It’s not always obvious, and it’s taken some time for it to percolate all the way through all the different arms of government. When I work with different departments of the government, I find appreciation or at least every now and then they will say, “Look, does this meet the Puttaswamy test?” That, in a way, it takes a while for these things to seep in. As you know, the government is not just one thing, it is many things, and so in some places, there’s greater uptake, in others, there isn’t.

RAJAGOPALAN: On the Aadhaar thing, the funny thing, I think this was my parents or maybe my in-laws they thought the U in the UIDAI is universal and not unique. I can totally imagine someone thinking that just because the way it goes in India, which was such lack of confidence in most identity documents except for the top end of the pyramid, I can understand the temptation for everyone to just start asking for Aadhaar as the main kind of identity.

In the United States, it might be a driver’s license for most things. When I have to clear an airport or things like that, they ask me for my driver’s license, but in India, anyone can buy a driver’s license without knowing how to drive, and you can have five of them and so on. I can understand why a certain kind of universality came from not necessarily from the government mandate but from the people who are interacting with government requirements and with private people in a way that even the private sector prefers more legibility than less, right?

MATTHAN: Oh, absolutely.

RAJAGOPALAN: There’s that funny thing going on but the original government wishy-washiness on the mandate or lack thereof and how long it took for the Supreme Court to pronounce it, my sense is by then the ship had sailed. That’s how I feel, and you’re right, maybe we can start rolling this back as more and more people push back, more people have more forms of identification. That’s the other lovely thing about inclusion, the more you are included in the system through the India Stack, the more kinds of identification you can then get because you’re now part of the formal system.

MATTHAN: Look, there’s a couple of reasons why the ship has sailed. One is over 1.3 billion people now have an Aadhaar. In the early days, there was a large community of holdouts. There are friends of mine who still hold out. I don’t know how they do it because they still have to pay taxes and there’s no exemption as far as tax is concerned.

RAJAGOPALAN: We have the same friends who are fighting the PAN number linking to the Aadhaar number. Yes.

MATTHAN: Look, there is that community, but that’s small given that almost the entire population is covered. Then the second point, which you alluded to, I think is really important to understand. Aadhaar is the foundational identity, but we are now on the basis of Aadhaar getting derived identity. We’ll get a derived identity in the health stack when it gets developed the Aadhaar number and then we’re getting a whole set of other derived identities to the point where there is really no need for anyone to flash their Aadhaar, because any one of the other identities would be just as valid.

You’re absolutely right. As a country, it was only the really creamy layer of the elite of the country that had a form of identity. People who knew how to drive, people who were traveling outside the country, which is a really small fraction of the people. People who were paying tax, they had a PAN card. One very, very small subset of— I would say in total maybe 200, 250 million people had this form of identity. For a country with 1.4 billion people, that’s like 1.2 billion people do not have this sort of identity.

RAJAGOPALAN: Except an election card, I should say.

MATTHAN: Exactly, the election card is, I guess, the other thing, but even with the election card, its had such a patchy history until EPIC came, which literally came after Aadhaar. We’ve had so many—I don’t even know which election card to use. This last election, I actually had to find my EPIC number and then do it digitally because I have three or four different election cards and they didn’t work.

I think the point is that for a country that was starved of identity, this big government push to give everyone a digital identity that was really easy for them to enroll in and use was like a lifesaver. Everyone wanted to be recognized by the government in some way or the other, and so everyone just defaulted to this which over a period of 5 years covered 50% 60% of the population and then in the next 5 years covered pretty much the rest of the population. Now, there’s just the long tail of children who are getting into the age that they can be enrolled. There are some states in the country where coverage is not very good, but otherwise, it’s 99% coverage in most parts of the country.

Unified Payment Interface

RAJAGOPALAN: Now, to get to the other layers of the stack, to me, the most interesting are UPI combined with ONDC. UPI is the Unified Payment Interface, and ONDC is the Open Network for Digital Commerce. UPI makes sense for a whole bunch of reasons, not the least of which is I live in the United States, which is the most backwards financial transaction when it comes to between individuals or between banks with the kinds of crazy wire fees and so on.

The Unified Payment Interface made it very easy to have a virtual identity plus a virtual bank account address, almost, through which people can transact, banks can transact, and it made public subsidies, all sorts of interactions very easy. The way I think about the UPI, and eventually also the ONDC, is it is in a way mitigating the problem of network goods or network companies in the private sector becoming so big that they are very difficult to challenge.

This was the big question that the United States was dealing with. There, the network goods, whether it’s Meta, whether it’s Google, all these just got so big that the fundamental threat in developing countries, especially one like India, where scale is such an obvious outcome, was we need to have the pipes not built by the private sector and instead built by the public sector.

First, is that a good way to think about the UPI, aside from all the benefits that banks and individuals get? Then second, are you worried about the fact that the government built the pipes and not exactly controls the pipes, but at a meta-level, again, has some control of the pipes?

MATTHAN: Excellent questions because I think this is really the core of the design principles around all of India’s DPI, but particularly UPI. I think this is exemplified even more in ONDC. We’ll get to ONDC in a bit. What people don’t realize, and I didn’t realize it until I went to Brazil, was how radically interoperable India’s UPI is. Most of us use either Google Pay or PhonePe as the apps through which we make payments.

Google Pay and PhonePe can be connected to absolutely any bank on the system. If I have an account with HDFC Bank, I don’t need to use HDFC Bank’s UPI app. I can use either Google Pay or if I want, I can use ICICI Bank’s UPI app. It’s radically interoperable. I think almost all of us at the same time have BHIM, which is the original UPI app, Google Pay, PhonePe—


MATTHAN: Any one of these because you have no idea at which point in time the system is going to get congested for one or the other. Very rarely do they get congested. This is a huge benefit. The reason I mentioned that it wasn’t clear to me until I went to Brazil was Brazil’s Pix is actually probably as good as India’s, except that when I was in Brazil, I realized that most people use Pix as a digital app that allows them to access their own bank. It’s not as interoperable as India’s.

I think this gets to the heart of the point that you made, which is the reliance on certain companies or certain platforms to provide the entire ecosystem and the network effects that would eventually come from something like that. I think we would experience that less in a highly regulated sector like the banking sector. India has got hundreds of banks, and there are a few really big banks, one really big state bank, and a few really big private banks.

I guess in that sector, for various other reasons, we’re not going to have the same monopoly effects or network effects that we have witnessed in say the e-commerce space. If you then turn to the e-commerce space, you can see how building this protocol and deeply interoperable protocols can be of benefit to avoid some of those harms. I think this is a very perceptive understanding of why India’s UPI is so remarkable.

I think if you look at the statistics, I think it’s like we’re touching 12 billion transactions a month. All of that is really impressive. What’s really impressive at the bottom of all of this is this. Then to get to your second question, which is, am I worried that the government has built it, and the government controls it? In a sense, I am. I touch upon this really in the very last chapter of the third section of the book, which is one of the worries for me is that it’s okay that you’ve built a protocol, but you’ve also got to keep upgrading the protocol. This is not the core skill set of the government.

The RBI [Reserve Bank of India] through ReBIT, which is its IT arm, controls the protocol. I’m concerned that ReBIT is not innovating the protocol as rapidly as it should. I think NPCI is doing a lot of really interesting things. Last September, it announced voice payments, it announced feature phone-based payments, all really AI-based things. All of that feels like it’s at the cutting edge. The core protocol still needs to be approved by RBI, and that’s not its core skill set.

In the book, I argue that we perhaps need to set up technical standards organizations. This is not something new. I think in the digital space, we’ve got IEEE, IETF, W3C. These are technical standards organizations that have kept the World Wide Web and other such protocols current. I argue in the book, we need to have something like that to a nonprofit organization that perhaps economists like you can figure out a proper approach for governance of these entities so that they don’t get captured by either the private sector or some department of the government but can still throw up new protocols or revisions to the existing protocol.

This, to me, is one of my deepest concerns, and I think we’ll start to see this in some of the older—I don’t think the identity protocol is that much of a concern because there isn’t really much there and there’s not much to upgrade. I may be wrong, there probably is. I think the payment interface, we need to constantly make sure that that is at the cutting edge. As we go, in a sense, up the stack, it becomes more and more important.

Can a regulated top have a free tail?

RAJAGOPALAN: I always struggle with the openness and the interoperability of UPI and ONDC, which is entwined for all purposes when it comes to market transactions. On the one hand, I’m completely with you that it is the most interoperable system that exists today in the modern world.

In that sense, India leapfrogged. To some extent, we can see the tiniest of e-commerce companies and fintech companies, literally like a housewife running a little kitchen out of her home who is able to immediately get on the stack and both use UPI at very low levels of barriers to entry and also use ONDC for other things like being able to provide credible information about the stream of revenue, about the credit score, about the business practices, and so on.

On the other hand, again, outside of this technological bubble, India is not a very easy place to run business when it comes to getting permissions, when it comes to the government being able to shut something down or ban something, the government being able to conduct a tax raid, or the government being able to even impose taxes and cesses retroactively.

India has a bunch of these bizarre problems. This tech part may seem like a laissez-faire bubble, but that’s a tiny bubble within the larger infrastructure where a lot of state control is exerted on companies. How do you think of the interplay between these two? Because on the one hand, yes, the UPI and ONDC are open, but on the other hand, the government and the RBI do decide who can be licensed as a bank and who can be licensed to work in a payment system, who can actually provide credit, who is authorized or licensed to provide credit.

Those things start getting in the way. If the government can deny someone that permission plus control the largest platform, which is becoming unchallengeable in a way, just like Meta and Google and so on, then are we back in the same spot that we are in other countries that don’t have this amazing technological interoperability?

MATTHAN: These are deep profound questions. Some of these are beyond my area of expertise to answer, but I look at this as top and tail. I think the top, you are absolutely right. It’s still regulated subject to perhaps arbitrary restrictions, the whims and fancies of regulators, but the digital public infrastructure is actually aimed at the tail. It’s aimed at, in fact, a very, very long tail.

There I think you find very little—of course, you will find local corruption and municipal pressures on operating businesses, but it’s not of the order that I think that you would see at the top end of the stack. This is not an excuse, but I think the point behind DPI is that it has actually enabled a large section of society to do business in ways that would otherwise not have been possible.

RAJAGOPALAN: Absolutely. There’s no challenging that. I mean, the numbers are just out there for everyone to see. I don’t think there are too many people who quibble with that.

MATTHAN: Yes. Look, the example that I always gave because we all lived it while we were all locked down during COVID is exactly the kinds of things that you mentioned. Just housewives were at home, and they decided to cook some food. I remember it was a veritable feast. I could get food from absolutely anywhere on the planet, by just sending a WhatsApp message to someone, then I would use Dunzo to get it picked up. I would just make a UPI payment and it was wonderful.

They would make whatever, they would earn on their living. I think there’s a huge enablement that’s happened at that lower level. What you are talking about is actually not really affected by tech. This is more the operations of the larger entities. Do I have a concern around the fact that NPCI, controls the entire ecosystem? Yes and no.

I think in a sense, we’ve got to find a balance between having many payment systems that eventually need to be interconnected. The only other way to do this would be a completely decentralized protocol, which as we can see in the crypto space, has its own challenges, in terms of I don’t know if it would be sustainable to do 12 billion transactions a month when you have a completely decentralized protocol. You’re making some trade-offs there.

NPCI, after all, is a not-for-profit kind of entity that’s really not subject to shareholder pressures. There is a regulator on the board, RBI has got a seat on the board. It has a fairly broad representation of all the different stakeholders. Not everyone is on the board, obviously. It’s not an ideal situation, but I think we flirted with the idea of having other NPCIs with the NUE concept.

That’s still something that is not completely off the table. We keep hearing that being brought up. When I think about NUEs—NPCI is one, and you have maybe NPCI 2 and NPCI 3 that are controlled by some private consortium—fundamentally, all these NPCIs need to interoperate with each other. In another talk that I gave, it has to be turtles all the way down.

There’s got to be one turtle on whose back all the other turtles are sitting, because otherwise we are talking about a decentralized system which has its own trade-offs. Look, these are tough questions. If you have someone right at the bottom that’s actually doing the payment and settlement and doing the clearing, that is the entity that has extraordinary control in the ecosystem.

Right now, that’s NPCI, but if you make multiple NPCIs, you’re going to have to have some super NPCI that coordinates all of these. I think that really is—in my head as I think about this, that’s a challenge with centralization versus decentralization in the context of payments. In ONDC, for example, we don’t have this problem because ONDC is designed to be all the buyers can aggregate, all the sellers can aggregate. You can have multiple buyer apps and seller apps that can interoperate among themselves, and they can work.

When I think about this centralized versus decentralized question, UIDAI which is our identity system is highly centralized. There is one government entity that has the identity and demographic information. NPCI in the payments ecosystem is slightly less centralized, in the sense that NPCI is not run by the government. The board is comprised of various banks, et cetera. Then if you look at every other element on the stack, it’s ONDC data, the account aggregator framework, these are all completely decentralized because there is no central switch.

In the account aggregator framework, we’ve got, I think, seven consent managers that are currently operating. There is no one central manager—consent manager to rule them all. You see the higher you go up the stack that it is possible for us to have greater decentralization without affecting the efficiency of the transactions.

RAJAGOPALAN: Many threads there, but I’ll start with one, which is your comparison of UIDAI and UPI/NPCI. Now, you’re absolutely right that UIDAI is more centralized, but on the other hand, it’s very minimal. There is a certain level of contestability built into the system in the sense that if UIDAI has a huge screw-up, lots of breaches, which it hasn’t had. The leaks and breaches are coming from a different source. They’re not exactly coming from UIDAI servers. If UIDAI screws up in a big way or other people start screwing up Aadhaar in a very big way, the whole purpose of it being a unique identity is going to start creating problems. There will be contestability very quickly. That is, people are interested in having a credible identity, private sector is interested in using Aadhaar as long as it is secure. The moment it’s not secure, people will switch.

Now, the rest of the stack outside of Aadhaar is not that binary, nor is it that minimal. That is, we are just telling you if someone is who they say they are, and it’s not duplicated. Now when it comes to UPI, there is going to be a certain amount of error built into any payment system that everyone is willing to live within all businesses are willing to live with. That’s the trade-off that they make for the ease of the system.

To my mind, UPI has to screw up a lot more for there to be challenges from somewhere else or contestability from somewhere else saying, “Hey, we need an alternative to UPI because either there’s too much government surveillance or there’s too much government exclusion. It’s not letting the best companies join the UPI system, or it’s keeping certain foreign players out, or so on, so forth.” How do you think about that trade-off?

I know this is a little bit beyond the scope of the books that you’ve written, but to me, these are the big questions of the future because when you create a system that’s interoperable, what you’re basically saying is we want it to be contestable. We don’t want a single form to control large part of the market share. Now you created a platform which is even less contestable than in the laissez-faire world because now the platform is somewhat determined and mandated by the government. This is where I’m going with this line of questions.

MATTHAN: I think there are many ways to look at this. I think if you think about NPCI as the platform, remember that you and I who use it don’t even see NPCI. NPCI is completely invisible to us. The platform to me is Google Pay. Quite frankly, Google Pay has got very active competition from PhonePe. That’s the reason why between the two of them, they now control close to 80% of all payment transactions in the country. If you think about it, what the customer is interfacing with, and in relation to that, there is no one platform. There are two competitive and internally interoperable platforms. I can make a payment on Google Pay. If that doesn’t go through, I will immediately switch to PhonePe. 

What does that mean for Google Pay? They jolly well see to it that they’re always up because someone’s going to switch to PhonePe immediately. I think that in a sense is an answer to this platform concern. The concern that you express is a much deeper concern as to the nuts and bolts of how this whole ecosystem works.

RAJAGOPALAN: To me, that’s the new platform level because now we’ve made Google Pay and PhonePe competitors. Now they’re no longer operating like platforms, the way they do in other parts of the world.

MATTHAN: Isn’t that good? Because you’ve achieved an outcome. Now we need to say, what’s NPCI is denying us that we would benefit from a competitor to NPCI? Because then the NPCI will be forced to do these features that it is not doing right now. Arguably there would be many things, but I think the trade-off then becomes, as I said, it’s turtles all the way down. You either have two separate competing platforms that are not interoperable with each other, which means that I lose the benefits that I currently have.

There will be some merchants who will only accept payments from an NPCI-supported platform, and another that will accept payments from an NPCI 2-supported platform, which is a big issue as far as in the Indian context right now. Right now, there is such flexibility that you have a single QR code. That’s because of Bharat QR. That’s another great unifying innovation.

Earlier Google Pay, PhonePe each had their own QR codes. If you had a QR code from the one, I couldn’t pay with the other app, but now there’s a single QR code that I can use to pay any app. I think that’s the real trade-off. If you want competition to NPCI, we’re going to need to build two separate competing noninteroperable payment systems. That is a trade-off that perhaps will bring a level of inconvenience that people don’t want.

RAJAGOPALAN: That’s fair enough.

MATTHAN: If you don’t have competition to NPCI, then a lot of the things that I said would happen, which is we won’t have innovation in the UPI tech stack. These are really difficult questions to answer. At this point in time, I think people—maybe it’s not moving as fast as perhaps the tech companies want, but for the man on the street, we’re constantly getting new innovations.

We’re constantly—now with AI and voice-based payment, we can reach the entire part of the population that doesn’t have a smartphone because they can just use their feature phones to make a call and say—in the NPCI demo, it was just a call saying, “Pay my wife 200 rupees.” The AI actually first authenticates, understands who the wife is in the whole list of contacts, and then replies, “Shall I pay Sita such and such amount,” or something like that. That’s all really cool. As far as the customer is concerned, yes, they are seeing innovations, despite the fact that NPCI has got no competition.

RAJAGOPALAN: Here I know everyone is so happy that NPCI is a not-for-profit, but actually as an economist, that concerns me more than anything else. There are two core concerns I have about NPCI. One is technically it’s a nonprofit, but it’s entirely controlled by the current incumbents of the banking system. And now I’m not talking next 6 months, next 10 months, and financial inclusion, I’m talking long-term innovation. To me, that spells disaster because if the incumbents control a system very quickly, you’re going to start having permissions.

They’re going to have huge problems with crypto or any other decentralized blockchain systems, even if they do things at a speed which they currently don’t, or they’re going to start having issues with—I mean, there’s already an issue with MasterCard saying they’re creating this other network. There are these global networks that will start getting included or excluded because of the current incumbent. That’s part one.

The second layer of the current incumbents that worries me is that most of them are state banks or state-owned banks. The banking sector overall is just so tightly controlled by the Indian government. Their concerns are almost entirely about limiting capital mobility, that I am actually worried that what is built into the NCPI— their way of thinking is we need to keep foreigners out. We need to make sure capital mobility can stay controlled, and so on.

This is not a question of protocol; I think this is a question of norms and culture because who is on the NCPI board? That’s like the one big issue. The second big issue is that it’s a not-for-profit, which means there isn’t any internal pressure to innovate. If the not-for-profit had board members of banks, which are for-profit, that would be a separate matter. I think two of the board members are privately owned banks, everyone else is your State Bank of India, Bank of Baroda, basically, we really don’t have a profit constraint and get bailed out by the taxpayer.

This, to me, is very concerning in the long-term future of the NCPI. What worries me is once you, and Pramod [Verma]., And Nandan [Nilekani], and this generation that created the base of the stack moves on, the next set of people who come in, are they going to have any pressure to innovate, now that core issue of financial inclusion and the very original principle issues are now off the table?

MATTHAN: That last point I don’t have an answer to. How do we ensure a few generations down that the innovation continues? How do we ensure, through the design of the system that it continues to innovate is really a question that deserves a lot of attention. I wouldn’t say it’s personality-driven, but I think really we need to think cleverly about how to create an institutional design that promotes innovation. That’s certainly something that we need to talk about.

Just on the other points, I think the NPCI board is actually fairly representative of the ecosystem of digital payments because you’ve got Google Pay and PhonePe on the board. You’ve got Paytm on the board, you’ve got HDFC bank, Yes Bank, so you’ve got a broad cross-section of the various participants on the board. Whether they can speak freely given the relative strength of SBI versus—that’s a different question, but I’ve actually participated as an external observer or as an external expert on some NPCI board meetings.

I find that the board is actually quite broadly represented. There’s also a bunch of independents, academics who are quite vocal. My experience with the board is that it is actually quite a rigorous and independent board. Now, that’s just anecdotal. I’ve been invited to two board meetings or three board meetings, so it perhaps is not fully representative. I think the final—

RAJAGOPALAN: If I can interrupt there, it is representative of everyone who is allowed by the RBI and Ministry of Finance to do business in this space, which is a particularly small group of people of the overall sets of people who could have been part of that space. That would be my disclaimer, but sorry, please go on.

MATTHAN: Absolutely. No, that is a function of the entire Indian banking system.

RAJAGOPALAN: Yes, which I think is very problematic as an economist.

MATTHAN: Essentially, let me just break it down. I agree that perhaps as an economist, we have to open this up much more, but if we are talking about digital public infrastructure and payments, we can only apply the digital public infrastructure in payments to the participants who are permitted to operate in the payments ecosystem, which at this point in time is constrained by this overarching constraint that, perhaps rightly or wrongly, the government has imposed saying that there are only certain people who’ve got a license who can participate.

I do not have the scholarly knowledge to be able to answer whether one is right or wrong. All I can say is that legally speaking the digital payments ecosystem is a subset of the payments ecosystem. Legally speaking, the digital payments ecosystem cannot enable entities that are not permitted by the banking system itself. The problem you have is not a digital payments problem, it’s more a banking system problem, and you most likely are right, but it’s not going to solve it using digital payments.

RAJAGOPALAN: I’ll tell you why I still have a minor disagreement with you. I agree with you that this is representative of the payment system and the banking system. When we think of something that is a public good or a public infrastructure, and now I’m speaking only as an economist, not as a lawyer, a public good is something that is necessarily non-excludable, non-rival, right?

MATTHAN: Correct.

RAJAGOPALAN: The pipes that have been built for UPI and NCPI more broadly for all the other parts of the stack, they are definitely non-rival. On that, there is no question, but they are not non-excludable? What one takes away, the reason these criticisms are popping up, especially from economists, when an economist thinks of digital public infrastructure, which is how the whole thing has been branded, public infrastructure necessarily means that the barriers to entry and excludability are not there. Technically, anybody who could have enabled payments should have been part of this without having RBI to okay that system and so on. That was the entire point of the decentralized e-commerce and other networks. 

Now we’re saying we’re okay as long as you’re selling mangoes and malpua, but we’re not okay as long as you’re selling some kind of financial technology and financial payment system.

I know that that’s way beyond the remit of what you were trying to achieve or trying to do, but this is just something that’s useful to footnote in terms of why the criticism comes from the financial sector or economists over and over again because, for us, this is a design question. It is a protocol question. It would’ve been lovely to some of us, especially the more free market economists if this had helped us chip away at the power of RBI and the incumbent state inefficient banking players.

In fact, what it’s done is the reverse. It’s fossilized it in some way. I think that’s the broader point, which of course doesn’t disagree when you say, “Hey, we’re working with a payment system, we’re working within the laws of a government, and if the government says these are the only people who are allowed to participate in the payment system, so be it.” You understand where the more philosophical question is coming from. This is the core question of what is a public good or public infrastructure.

MATTHAN: I completely get it. These are arguments that I’ve heard from many economists, and I have two responses to this. First, just the practical nature of policymaking. In my experience, if the RBI wants to apply a particular regime to the banking system, you’re not going to undermine the RBI by trying to pull wool over their eyes through some digital system that somehow magically allows people outside of the system to participate. The RBI is not going to countenance that at all. That’s not going to happen.

The fact that we have an opportunity through the digital sphere to broaden the way in which banking is done in the country is not going to actually give us the ability to do that. That can only happen through policy, and if the RBI’s policy is not open to this, the fact that digital could enable this, as much as all of us might wish it, and let me go on record to say that I would’ve loved this to be non-rivalrous and non-excludable.

The second point I’ll make, I’m going to play my lawyer card and use a very strict technical response to what you said. The definition of digital public goods is certainly non-rivalrous and non-excludable. Digital public infrastructure as a term-of-art does not exist. I would argue that the reason why we are calling this digital public infrastructure and not digital public goods is because of this reason. If we had called it digital public goods, yes, the definition of digital public goods requires these two things.

Digital public infrastructure is not subject to this constraint. The Digital Public Goods Alliance is a global organization that actually is a repository for digital public goods. They would not allow many of India’s digital public infrastructure into that repository. Not allow, but they just wouldn’t qualify for these reasons. You can’t deny that this digital infrastructure that is India’s built, whether it cleaves to the classic definition of digital public goods or not, still has tremendous impact.

RAJAGOPALAN: Absolutely. I honestly don’t think there’s anyone quibbling with that.

MATTHAN: No, there’s no question.

RAJAGOPALAN: I think it’s a question of how do we make it better? How do we make it more inclusive? How do give more power in the hands of the people who are challengers or who are trying to contest either business or governments or certain kinds of thing? I think that’s really what everyone’s trying to push at.

MATTHAN: Without a doubt. I would say that there’s a lot to be said for this argument that you’re making,but we are working within the—what we have to do is the art of the possible, and in my experience, at this point in time, this is what is possible. On many instances, I’ve had the opportunity to push the government, to push NPCI. I just give one example. I would really like for the entire NPCI protocol and stack to be released as open source. It has not been released as open source for various reasons.

RAJAGOPALAN: Even Pramod [Verma]. He wanted to really go at this, all the different moving parts should be open source, and is there a divide between the policy people and the technical people on this with you squarely in the middle, or stuck between the two groups? [chuckles].

MATTHAN: There are challenges to this. It’s easy to say that you want to put something out into open-source, but it actually takes a lot of work to maintain open-source code. You need to have a whole bunch of people who are monitoring the code. If you put it out on GitHub, then someone has to merge, pull request. Someone has to be sitting there and deciding what’s going to happen. This is a full-time job.

NPCI is saying, “Look, I have to run the digital payments ecosystem for the entire country. That’s more than a full-time job. I can’t now be—” Because a few economists want us to qualify for the DPG definition to now—Look, I’m simplifying the argument.

RAJAGOPALAN: I know. I understand.

MATTHAN: There are many nuances to this, which are not really—some of them are extraordinarily practical. I don’t necessarily agree with all of them. Personally, I would love to see a lot of this released as open source because I think that’s the only way that we can benefit the entire world. If our objective was just to build systems for India, that’s okay, but after the G20, we’ve announced that we are open for business, that countries around the world that want to leverage what we have learned and developed should be allowed to do that.

I would say that one of the first things that we need to do for that is to actually release a lot of this in open source so that there’s no problem with countries doing that. Now I can say it because I don’t have to maintain that code base. Someone has to be employed to actually maintain that code base, and that’s not a trivial thing, given that different countries will have different requirements and there would be all sorts of pressures put on the software. Look, there are some practical challenges. There are some core sovereignty challenges that also perhaps I don’t agree with, but this is—we work within the art of the possible, and it’s not always possible to get to where we want to. I think we will eventually get there, and I think that as long as all of us are diligent about this, putting this pressure on the government, the government will keep considering this. I think we will see more and more parts of the stack qualifying for the definition of digital public goods.

I think we already see other elements of the stack that are qualified. For instance, all of the DEPA protocols and infrastructure is available on GitHub. That is actually a lot easier to deal with than NPCI. I also think it’s a question of the stage of evolution. I think UID and NPCI with the very early digital public innovations. Perhaps they were more constrained in a sense to the older way of thinking, and if you look at a lot of the newer innovations, ONDC, DEPA, these tend to have a much more open approach. Maybe this is what we have to live with. We have to live with this evolution, and I don’t know if NPCI will ever open up, but we should be satisfied that down the stack, it’s much more open and it’s much more aligned with the DPG idea.

RAJAGOPALAN: Which is why going back to the head of the conversation, I was like, “We have a lot more choice and control when it comes to private players and a lot less choice and control when it comes to the state.” NCPI is a nice example of that.


I want to talk to you a little bit about blockchain. To me, the fundamental difference, or the core trade-off is things that are on the chain are much better when it comes to privacy, when it comes to protection from surveillance, when it comes to trust. There’s really nothing better than that, but on the other hand, when it comes to ease of transactions, when it comes to speed of transactions when it comes to efficiency and efficiency losses, it doesn’t perform quite as well.

Now on the other extreme centralized systems, whether they’re centralized by an individual private company or whether they’re centralized by the state, whether lots of private platforms that operate, they give you that ease and efficiency, but they are then large targets for all the reasons that we just discussed. Is this the way you think about the trade-off between the two, and if so, do you think with more computing and the AI revolution coming about and so on, blockchain will just become so much cheaper and the transactions cost will reduce, that’ll be the future? Not that far or not that unforeseeable future, but pretty soon—

MATTHAN: Right now, if you think about these two, these are perhaps two ends of the spectrum, but with Ethereum, with CBDCs, we’re starting to see these two converge in a sense. I think we will eventually converge because I think we need to leverage the formal financial system.

The former digital payment system needs to leverage a lot of these features of the blockchain that you’ve mentioned and many others. I would say, the concept of tokenization, which Ethereum has made possible is necessary for even central bank digital currencies because Brazil has done some incredible work tokenizing private money, which is the next step to CBDCs.

CBDCs fundamentally break the private money, public money, construct that has been the hallmark of the banking system, I guess since the Medicis. Therefore, to move everyone who’s looking to do digital payments to a CBDC perhaps is not the right way to go. I think that we will start to converge between these two extremes. Once again, there are other elements that central bankers have told me are more economic in nature.

The fact that, at least the traditional notion of Bitcoin as a cryptocurrency allows very little macroeconomic interference is a challenge that’s pure market forces working. Every central banker is really nervous about, what if there’s a shock or, to the system, or we need some stimulus in a pure decentralized, completely entirely decentralized system? We’re not going to be able to provide that support and innovation.

Once again, these are things that I’m not an expert in. I perhaps am misstating the argument entirely, but I think that there is a need to converge. I think there is. I’m personally very interested in the Level 2 and Level 3 innovations on the chain. I’m less interested in the cryptocurrency, the traditional Bitcoin currency question.

I think now with the ETFs being approved in the US, we’re going to see that more and more look like an investment, and that perhaps is not what Satoshi Nakamoto intended. With Vitalik’s innovations on Ethereum and more recently a lot of the really cool use cases that we’re seeing at the Layer 3 of the stack. There’s a lot that the traditional digital payments work and learn from that.

One of the side projects that I’m working on right now is just this, what if we tokenize the entire world? What if that mic that you’re sitting in front of has a token that can be actually attached to the mic in a way that you can’t remove it and delete it? How would that world look when the Mona Lisa has a token attached to it? You can buy that token, and as a result, we’ll have provenance of the entire chain of ownership. We can do it using smart contracts. I think these are all really interesting ideas that the world can’t ignore. 

All of this resides at Layer 2 and Layer 3 of the chain, not at the core layer. I would see some mixture between these two that perhaps we will come to some conclusion as to Layer 1, but then certainly leverage the chain for Layer 2 and Layer 3, such that we can use some of the governance frameworks that are enabled through DAOs and, this new forms of governance that the chain allows.

Super interesting ideas. My sense—I may be wrong—is that we will converge. We may not converge in the way that is apparent to us or even that we wish right now. I think there’s just too many good ideas and too many societal imperatives on both sides for us not to leverage all of that and come to some halfway house.

RAJAGOPALAN: For me, when you say you want to tokenize everything, I want to start with land in India and more generally, property in India. That’s the puzzle I keep trying to crack when I’m idle and thinking about what’s the place we need it the most and where the most value remains waiting to be unlocked.

MATTHAN: It’s also the easiest part of the chain to see. When I said the mic or any movable property, it’s so difficult.


MATTHAN: The way I have started thinking about it is anywhere where property moves through a register don’t need a centralized register, you can make it a decentralized register.

RAJAGOPALAN: Absolutely.

MATTHAN: Then you think about, works of art. If works of art are moving because Sotheby’s has got a register, then that is amenable to this. These are these, you mean the antiques, or the vehicles because all vehicles need to be registered with a regional transport office. These are the sorts of places where we can very easily substitute the physical register or the authority that is the final word as to whether you are the owner or you are the transfer. That can easily be substituted and more efficiently, far more efficiently substituted by a chain, which gives us complete certainty on land title and all of these sorts of things.

AI Revolution

RAJAGOPALAN: I would be remiss if I didn’t talk to you a little bit about AI, given that everything is happening. We heard at Davos that ChatGPT 5 is ready and going to be on road soon and it’s so much more powerful than anything we know. Deepfakes was a problem even before these big AI models, but that seems to be the new frontier of what we were talking about originally, which is there’s a question of reputation, there’s a question of surveillance, and there’s a question of duplication.

Somehow deepfakes are at the center of all three of those problems. How does a privacy lawyer think about the kinds of challenges that AI poses to privacy without— we can’t just kill the technology or say we’re going to ban it, or something like that. What is a way to think about that question? Can that question or problem only be solved with better technology, or can law have any role in solving that problem?

MATTHAN: Deepfakes—Well, let me reference a podcast that I really like, called Pessimist Archive. For those listeners who haven’t heard it, it’s been rebranded to Build for Tomorrow or something less negative. The idea behind the podcast is that our concerns around technology we experience them in cycles.

I’m mentioning this because what deepfake is doing today, we have witnessed before in a different form of technology. Let me just step back a bit. There was a time when the photograph we believed was the perfect evidence of reality because the mechanical act of taking a photograph in the early days of photography was just capturing the light that came off what you saw in front of you, and that could not be altered.

Then Photoshop came and we realized that no photograph, there’s absolutely no way we can rely on any photograph as being true. If you think about deepfakes in that context, all it’s done is changed the frame of reference from still photographs to moving forward.

RAJAGOPALAN: To animation. Yes.

MATTHAN: How are we now surviving in a world where photographs may be true or maybe false? We are surviving in that world because we have built as society a very healthy skepticism to whether a photograph is actually the absolute evidence of the truth. I believe that we will develop this healthy skepticism as far as video is concerned.

There are also many other ways to do this. There are ways to forensically identify whether something is real or not. We will find those techniques as well. We are already finding those techniques as far as deepfakes are concerned. I guess my answer to your question as to whether law is going to solve this?

Yes, of course, law will make it very hard for people to do Deepfakes, or rather, what can law do? Law can essentially say that if you get caught making a deepfake, we will throw you in the deepest, darkest abyss. Perhaps that would scare people enough not to do it, but there are a lot of people who really think that’s a tradeoff that they’re willing to do because there’s so much of an upside. I can win an election,or I can sit in another country and do it to another.

These are the sorts of concerns that laws are never going to act against. The only way that we’re going to be able to inoculate ourselves against this is really changing the ways in which we are just completely accepting of a video as being the truth because it is essentially people moving and speaking, and these are very difficult things to fake. Now we know that it’s really easy to fake and we will develop that. My answer to this is that—that’s the reason why I mentioned Pessimists Archivebecause we keep going through these cycles of technology.

As we’re in the middle of a radical transformation in technology, AI, I’ve said many times, is the first general-purpose technology that we have had since electricity. The impact of AI, if we think we are worried about deepfakes, it’s like in the early days of electricity, we were worried about what we would do if it was light after dark. How will we survive if the lights were always on? Would we go mad? Those were the initial concerns around electricity. Today, the concerns around elasticity are they power mobile phones. Mobile phones are attention-grabbing devices [is] far from what we were worried about as possible.

I think that the real concern with AI, the second and third-order risks of AI would be things like radical transparency of information. What are we going to do when nothing is beyond our ability to access or understand? I haven’t even started to think of what that could mean in the context of our daily lives. Even for me, it’s like a one-and-a-half order of magnitude. The real second and third-order of magnitudes of what AI could do are not even possible to imagine given the current state of what we are seeing.

All we’re seeing right now is that AI is a convenient thing. It is useful sometimes, but more often than not, it gets stuff wrong. What happens when it’s 100% accurate all the time? Researchers like you, what are you going to do? We don’t need—


MATTHAN: [chuckles] No, we shouldn’t, Shruti. 

RAJAGOPALAN: No, I think I’m going to be like those housewives who are cooking out of the kitchen. I think the world is open. Why are we trapped in a particular way of thinking?

MATTHAN: I’ll tell you why. Because I think AI is actually a tool. Electricity is a tool. AI is a tool. It currently will change the way in which you and I work, but if we are smart enough, we will find a way to use this to make possible what currently we can’t even imagine is possible. I don’t even know what it is, but for a researcher, I think if AI gives you the linear output and gives you linear outputs in a way that was not accessible before, as you’re doing the various projects that you’re doing, it takes you a lot of time to get this work. You can get it in seconds right now. What more will you be capable of doing?


MATTHAN: The orthogonal connections that even an LLM is not able to do. I think that’s really what’s super interesting about this time. I’m all into AI. I’ve tried every AI app that’s possible.

RAJAGOPALAN: Same.That’s what I am on.

MATTHAN: Yes. I’m never going to retire. Now, I’m fighting with my son because my son is an AI native. He doesn’t need 25 years of experience that I have to be equal to me in many things. It’s going to get worse and worse. What can I bring to the table which my experience gives me that AI cannot replace? I think really that’s the sort of questions that all of us have to ask ourselves, regardless of which profession.

RAJAGOPALAN: No. Honestly, when I said retire, I didn’t mean that in a negative way, or I wasn’t feeling bad about it. What I mean is I had to read a lot of books and think about things carefully to come speak with you. If a bot can do that in a fraction of time and make me superfluous, I don’t know if that’s the worst thing. My self-esteem might take a slight hit. Again, as an economist when I step back, I’m like, “That’s probably great.” If my AI bot and your AI bot could have had this chat and saved both of us 90 minutes to go garden or cook or have a good time.

Then all we had to do was sit down for 30 minutes and edit just to make sure that the AI bot misrepresented us, great. Both of us gained an hour instead of losing a couple of hours recording this. I don’t think of it necessarily as a net loss when I say retire. What I truly mean is I welcome the day that an AI can actually write really great law review papers and have really deep conversations. That’s a good world to be in. I’m not worried about it.

MATTHAN: I can only speak for myself. For me, I would actually look at AI as a way to rethink the ways in which I work. I think that any new technology offers us the opportunity to be more productive is perhaps very reductionist because that’s—be more efficient. It’s perhaps doing things that would otherwise be impossible.

RAJAGOPALAN: Absolutely.

MATTHAN: In doing those things that are otherwise impossible, if we as humans do it in our human way, AI will allow us to come up with marvelous things that we perhaps couldn’t have ever hoped to get before and that’s net enriching to all of human society. As you can see, I’m a terrible techno-optimist. It’ll never get out. I just love these new things that push my mind. As I watch younger people engage with technology, you see it all the time. They’re coming up with new innovative ways to use that yields results that otherwise, would be so difficult for us to do.

My son’s coaching a football team, and he wanted to get a jersey made. He just did it on ChatGPT Plus DALL-E and that’s it. Otherwise, you’d have to hire a designer. These are simple examples, but I’m sure there are many mind-bending, world-changing examples ahead of us.

RAJAGOPALAN: For me, healthcare is the area where I’m most optimistic because I think the way AI is able to crack these questions of protein folding or simulations trying to find antivirals and antibacterial solutions, that stuff blows my mind because there was just such an obvious human capital constraint there, which it’s suddenly been released. 

I’ll tell you why deepfakes particularly worries me. It’s not because I think we can’t cope with deepfakes, but it’s because we have a horrible reaction to new technology when it infringes on us very personally.

Nothing is more personal than literally taking our image and our voice and our mannerisms and making it do something we wish it hadn’t done or making it say something we would never say, and so on. I worry about deepfakes because I think that’s the first point where people will suddenly try to clamp down on this, especially politicians who are used to doing campaign speeches, and they could be misrepresentation. That worries me in a way that large language models writing a draft of legal opinion doesn’t quite worry me because I don’t think there’s a strong enough coalition that’ll be so offended that will just clamp down on the whole thing.

MATTHAN: You’re absolutely right. It can be deeply violative in a sense. The only argument I will have to counter what you’re saying is the liar’s dividend. At some point in time, there will be so many deepfakes around that people are just going to use that as a get-out-of-jail card. They’re going to say, “Look, it obviously is a deepfake. I could not have said that. Look at the amount of deepfakes that are around. This is also a deepfake.” Then no one would know the other side as well. It may be something true that you actually did, which was completely egregious, but then you could just say it’s a deepfake and get away with it.

At some point in time, this is all going to normalize in a sense. People are going to find a way to figure out which deepfake is actually a deepfake, and which egregious politician’s misdeed is actually an egregious politician’s misdeed.

RAJAGOPALAN: You don’t think it’ll be the ostensible reason to clamp down on this?

MATTHAN: Look, it obviously will be. Particularly now I think The Economist that I read recently said that in this year, there are more elections than any other year in a long time. I think 50% of the world is going for election. Of all times, this is the time where deepfakes are going to be the most challenging. Depending on who you are, you may actually want to allow deepfakes to continue or want to clam down completely on it. I think we’re going to see a lot of laws coming, certainly in India, we’re debating a deep fake law very seriously.

The point I’m trying to make is that regardless of what we do legislatively, regardless of what we do in enforcement, this is not going away. There is the liar’s dividend where you are going to find people taking advantage of this in the opposite way. Where do we end up with this?

RAJAGOPALAN: No, and I think AI will solve the problem. Honestly, AI will help us figure out what is a fake and what is not as will tokenization and putting things on the chain. I think there are lots of solutions around it. The thing with AI, like any transformative technology, it happens so quickly and suddenly the people get really freaked out. I think that’s the core.

MATTHAN: We’re deep in the middle, or perhaps we’re at the early stage of this fundamental, radical societal transformation. These are always the times where it becomes very difficult for us to—as much as I’m trying to reassure you by saying that this has happened in the past—I know it’s going to be very difficult to deal with. I know that if there’s a deep fake about me, very soon, it will be very difficult for me to deal with the consequences of it.

I may know that it’s not true. My friends may know it’s not true, but I will still have to undo a lot of harm that it would have caused. These are challenging things to deal with. It’s very glib and easy to say that this is going to pass, but until it passes, you’re going to have to bear the consequences. That’s not something I wish on anyone.

RAJAGOPALAN: Well, more work for privacy lawyers. That’s always a good thing. Thank you so much for doing this. This was such a pleasure. I’m very excited about all the things you’re working on and how this space unfolds, and you write very readable books. I hope I’m looking forward to your next book.

MATTHAN: Thank you so much, Shruti. Thanks for doing this conversation. It was much broader than I thought it was, and I thoroughly enjoyed it.

About Ideas of India

Host Shruti Rajagopalan examines the academic ideas that can propel India forward. Subscribe in your favorite podcast app