Securing a cashless society

With the current cash flow deficit, people are being forced to make digital payments. Without proper precautions and security policies, the highly reactive nature of cybersecurity leaves us vulnerable to cyberattacks.

One of the biggest financial data breaches in India, exposed in late October, had compromised the financial data of over three million users and victimised major banking companies. The breach occurred when a network of Hitachi ATMs infected with malware enabled hackers to steal users’ login credentials and make illegal transactions. Following this, companies issued new cards and asked customers to limit their ATM usage to those operated by their banks. However, a few weeks after the breach, the demonetisation announcement pushed people to do just the opposite — rush to withdraw money from just any functioning ATM. To date, there has been no communication from banks or the Reserve Bank of India assuring the public that the infected ATMs have been taken out of service or fixed to prevent further breaches.

Digital transactions

Over the past week, digital payments have hit record transactions: PayTM said there was a 200 per cent increase in its mobile application downloads and a 250 per cent increase in overall transactions; MobiKwik said its user traffic and merchant queries increased by 200 per cent within a few days of the government’s announcement. Companies such as Oxigen and PayU have also seen a rise in their service usage.

This trend is certainly heading in the right direction if we are moving towards a cashless economy, but the speed of technological development and its integration into our economy far outpaces the speed of defence mechanisms and protocols that could mitigate cyberattacks. Cybersecurity is unparalleled and reactive in nature, which raises the question: is it safe to utilise these new payment platforms?

PayTM, for instance, is certified under the Payment Card Industry Data Security Standard (PCI DSS) 2.0, which is the current industry security standard set by American Express, Visa International, MasterCard Worldwide and a few other international dealers. This is an essential certification for companies that store credit card information. PayTM and other such companies also use 128-bit encryption technology to encrypt any information transferred between two systems. It takes more than a hundred trillion years to crack a password under 128-bit encryption. Needless to say, transactions via these companies are fairly secure, hence there is little doubt that companies taking advantage of demonetisation are employing their share of precautions for secure transactions.

However, this does not mean that these precautions make us invulnerable. Apart from login credentials, hackers target other things. For example, just a few weeks back, hackers breached the database of Three Mobile, a British mobile company, putting at risk the private information of six million users, which was later used to purchase mobile accessories at the users’ expense. Other uses for stolen data include underground sales, identity theft, or targeted personal attacks such as extortion. According to the 2015 data breaches study by IBM and the Ponemon Institute, India is the most targeted country for data breaches.

While these attacks may appear sophisticated, there are easier methods that anyone with basic IT skills can deploy. These include creating fake mobile applications and spyware that steal information, or social engineering tactics that make you reveal your login credentials. Forums on the Internet are flush with step-by-step instructions on how to create fake websites that imitate digital payment platforms.

The larger concern, however, is that if companies like HDFC and ICICI, which are most likely proactive in updating their security systems, also experienced cyberattacks, what does that imply about unsuspecting users? Most new users, especially street vendors, have been forced onto the digital payments bandwagon. Are they aware of the security risks involved? And even if they are, what precautions can they take to minimise the potential damage from attacks?

Collective responsibility

Companies, customers, and the government should collectively participate to mitigate cyberattacks and minimise their damage.

First, all companies that offer platforms or services enabling digital payments should increase awareness among their customers of the risks, and educate them on ways to secure themselves. They must employ behaviour analytics and pattern analysis at their fraud prevention departments to predict suspicious behaviour. They must be proactive in looking out for any fake applications or websites that masquerade as their service. They must monitor discussion boards, social media platforms, and forums that discuss hacking and fraud tactics, and implement measures to thwart such tactics.

Second, the government should check if the current policies regulating these platforms are adequate and update them regularly. People must be educated on the risks involved, strict policies must be enforced, and companies must be held accountable for not meeting security standards. Benefits that come from overlooking security precautions must be minimised, and public-private partnerships on live information sharing about cyberattacks and fraud should be strengthened.

Third, customers should educate themselves about the risks involved and take precautions. They must minimise vulnerability with two-factor authentication and change their password frequently. They must check the authenticity of applications by looking for the number of downloads and read reviews by other users — the higher the number of downloads and reviews, the higher the chances that the application is legitimate. Customers must also check for other application releases from that developer. Similarly, they must check a website’s authenticity by searching for the proper spelling of the Web address, check if the website is secure by looking out for a green padlock symbol on the left side of the Web address, and keep Web browsers updated so they can recognise illegitimate sites easily.
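The address checks described above (proper spelling, a secure connection), and the lookalike-site monitoring asked of companies earlier, can be automated. The following is an added example, not part of the original article; the allow-listed hostnames, the substitution table and the distance threshold are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed allow-list (assumption): hosts the user really does business with.
KNOWN_GOOD = ("wallet.example", "bank.example")

# Assumed table of digits/symbols often swapped in for similar-looking letters.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s"})


def edit_distance(a, b):
    """Levenshtein distance, computed with two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def skeleton(host):
    """Fold common visual substitutions so 'wa11et' and 'wallet' compare equal."""
    return host.translate(LOOKALIKES).replace("rn", "m").replace("vv", "w")


def resembles(host, good, max_distance=2):
    """True if host is not `good` but is spelled or structured to look like it."""
    if skeleton(host) == skeleton(good):
        return True
    if f".{good}." in f".{host}.":  # trusted name used as a prefix of another site
        return True
    return edit_distance(skeleton(host), skeleton(good)) <= max_distance


def check_url(url, known_good=KNOWN_GOOD):
    """Return a list of findings; an empty list means an allow-listed host over HTTPS."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username is not None:  # text before '@' is not the site being visited
        findings.append("userinfo-in-url")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")
    if any(host == g or host.endswith("." + g) for g in known_good):
        return findings
    match = next((g for g in known_good if resembles(host, g)), None)
    findings.append(f"lookalike-of:{match}" if match else "unknown-host")
    return findings


if __name__ == "__main__":
    # Constructed sample addresses, not taken from any real incident.
    for sample in ("https://wallet.example/login",
                   "http://wallet.example/",
                   "https://wa11et.example/",
                   "https://wallet.example.secure-login.test/",
                   "https://wallet.example@evil.test/"):
        print(sample, "->", check_url(sample) or "ok")
```

An empty result means only that the host matches the allow-list over HTTPS. HTTPS by itself shows that the connection is encrypted, not that the site is the one intended, which is why the spelling comparison is done separately.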

Prime Minister Narendra Modi recently asked people to embrace the digital cashless world, reiterating that digitisation of economic activities is here to stay. In the midst of going cashless, we should not cast a blind eye to the security aspect of digital payments. We all share a collective responsibility to build a safe and secure digital infrastructure.

This article was co-authored with Puru Naidu, research analyst with The Takshashila Institution and first published by The Hindu.

Regulating the smart, to make it safe

Recent DDoS attacks using IoT devices make a strong case for regulation of smart appliances.

Last year in September when a couple of hackers wirelessly controlled a Cherokee Jeep, they demonstrated how the ‘connected’ world we live in today can become a nightmare with the proverbial ‘flick of a switch’ or as in this case by injecting malicious code in an otherwise normally functioning machine. The matter was hushed up by Chrysler after releasing a software patch for the affected model and the hackers landed a job with Uber’s Advanced Technology Centre! A case of all’s well that ends well maybe? Definitely not.

Breaking the internet, literally

A couple of weeks back, services of websites like Twitter, Facebook, Netflix, Airbnb, Reddit and The New York Times went down across the world when a distributed denial of service (DDoS) attack took down internet infrastructure provider Dyn. Investigation into the attack revealed that it was engineered by a botnet (a temporary network of ‘dumb’ devices controlled by a malicious code) created using the Mirai bot. Mirai is a program that helps attackers search the internet for devices that are using ‘default’ passwords. The attackers then gain access to these devices to do their bidding and use them to send repeated requests to a target website or service provider, leading it to eventually crash due to overload.

The Dyn attack is not an isolated incident, as attacks using bots like Mirai have become increasingly frequent this year. In September, French hosting service OVH was targeted by an IoT botnet composed of 1,14,607 compromised digital video recorders and IP cameras; in the case of Dyn, the number of compromised devices is estimated at about a lakh. In fact, some security researchers believe that the comparatively smaller number of compromised devices used may point to this being a trial run by cyber criminals. The possibility of a more powerful attack in the future is undeniable because the developer behind Mirai has released the malware’s source code, along with step-by-step instructions on how to use it, in the public domain.

Security in collaboration

Ideally, having seen the potential for catastrophe, the manufacturers of IoT devices should take steps on their own to boost device security. But that isn’t likely to happen, as IoT devices are price-sensitive and investments in security increase costs. The competition to bring out a product into the ever more crowded niche is strong enough to push security and data privacy concerns into the background. Collaboration is one of the ways forward, as shown by the Allseen Alliance, an industry group consisting of around 170 members including Haier, Panasonic, Qualcomm and Microsoft. The alliance has come up with ‘AllJoyn’, a collaborative open-source software framework that makes it easy for devices and apps to discover and communicate with each other. AllJoyn is manufacturer and OS independent, facilitating direct communication over Wi-Fi or Bluetooth protocols. If more manufacturers are compliant with these standards, it will push low quality devices off the consumer’s choice lists. The Open Connectivity Foundation is also engaged in developing standards and certification for IoT devices. It has sponsored a project called ‘IoTivity’ whose goal is to create a new extensible, secure and robust architecture that works for smart devices globally. Adopting a ‘Security in Design’ approach for IoT devices would go a long way in preventing repeats of Mirai bot attacks in the near future.

Sharing responsibility for ‘Everything’

According to Gartner, the Internet of Things is slated to reach 6.4 billion installed devices by the end of this year and would continue to grow at a phenomenal pace to reach 21 billion devices by 2020. Each one of these devices will be a node that will generate, transmit or process end user data. A very large chunk of this data will be personal in nature (health records, financial transactions, location etc.) making it a prime target for attackers with malicious intents. Fine tuning existing data collection and privacy policies is thus the need of the hour. End users will need to have control over what information to share, with whom to share and a clear knowledge of recipients of this information. Further, there needs to be active user education that makes her aware of the choices.

This should be supplemented by a shared liability regime between software developers, device manufacturers and insurers. Lengthy and complex end use agreements that practically disown any liability for the developers need to be replaced with ones that actually define the liability while being user friendly in draft and execution. When manufacturers and developers own up to the legal responsibilities for security and privacy breaches, it will increase end user confidence in adopting the Internet of Things.

Regulating smart devices

Lastly, governments need to work on regulatory framework to oversee this process. This would include dusting the cobwebs off ancient technology laws and aligning them with the changes in the Internet landscape. User privacy concerns and secure designing should be integrated in charters of respective standard setting organizations within respective jurisdictions. Further, the process of establishing a shared liability regime can be pushed through by legislation if market dynamics are hindering its uptake. Policy documents that address these concerns need to be widely discussed and debated in public domain. The Indian government is yet to formalize its IoT policy after it released a draft in public domain last year. The draft in its present form pays mere lip service to the aspects of data security and user data privacy. For a government looking to move towards net zero import of electronic products by 2020 under its Digital India initiative, codifying its IoT policy should be a top priority.

Openness, anonymity and the lack of government regulation are the principles that have led to the growth of the internet that we know today. But the advent of IoT has ensured that the same idealism that built the internet now threatens it by exposing it to infrastructure crippling attacks. Standard setting for IoT devices needs to be extended as a measure of user safety. If there are standards so that devices don’t catch fire or give an electric shock to the user, would it not be right to expect devices that are not easily compromised by hackers? If we fail to do this now, then we should not be surprised if we hear about a botnet bringing down a power supply network using your smart refrigerator as a bot in the not so distant future.

This article was first published by Hindustan Times

Connecting the dots with data

The unveiling of an Open Government Data Portal by the Pune Municipal Corporation is the first-of-its kind in India by an urban local governing body

Being the birth anniversary of Mahatma Gandhi and Lal Bahadur Shastri, 2 October is not only an important day in Indian context, it also sits next to the Independence and Republic days in terms of announcement of new policies, programmes and schemes by governments at all levels in the country.

One among those was the news of unveiling of an Open Government Data (OGD) Portal by the Pune Municipal Corporation (PMC), the first-of-its kind in the country by an urban local governing body.

The idea of OGD is not new, a National Data Sharing and Accessibility Policy (NDSAP) was drafted in 2012, and the idea recently got a much-needed push at the central level with launch of the revamped OGD portal (data.gov.in).

Variants of this portal have been replicated by many state governments as well. The lack of availability of hyper local level data was one of the primary reasons why evidence based policy formulation is not common at city level.

In our rapidly urbanizing country, faulty urbanization policies continue to adversely impact the lives of millions of citizens across generations. The idea of a ‘Smart City’ hinges on how real time and historic data can be utilized to deliver citizen services like clean water, public transportation, open spaces and better livelihood opportunities for migrant population. PMC’s portal is a welcome step towards this end.

RTI and Open Data

The Right to Information Act (2005) undoubtedly heralded the era of increased transparency and accountability across government machinery in the country and brought about some fundamental changes in the way citizens could interact with governments at all levels. The RTI-enabled decade saw some important reforms in governance; now the time is right to address a few of the shortcomings of the Act.

Important among these are the allegations of RTI being used to slow down policy formulation and implementation by those with vested interests. Also, RTI is primarily used by organized citizen groups, activists and NGOs more than individual citizens, owing to the time consuming processes and lack of awareness regarding the various formats in which information can be asked for by citizens. The average time for an RTI query to be answered is still in the 30-day bracket; this tells us that we need to move to a model that is more citizen centric in application and real time in delivery.

Open Data, which is the practice of hosting public data that is non-sensitive in nature, pertaining to a multitude of government actions that is made available for free and which can be used by citizens for social, economic and developmental purposes, presents itself as the next step after RTI. In fact, clause 4 of the RTI Act itself talks about suo moto disclosure of information and data by government departments so that when it comes to standard information availability the dependence on RTI queries can be reduced. PMC’s OGD portal, applying the same model at city level, will help to channelize a citizen centric transition from RTI to Open Data at a much faster pace.

Liberating Data for Citizens

The mere availability of data in public domain does not bring a transformation in governance. Citizens would need to become active stakeholders in this transformation if they wish to see their cities becoming better places to live, if not necessarily smarter. Open data is a right step in this direction. The PMC has already provided the functionality to ask for specific data sets and seek clarification or information from respective data officer on the portal.

To nudge citizen participation the PMC should first reach out to citizen groups and elucidate to them the benefits of data in public domain. As activists and citizen organizations become accustomed to the change, they will pass on the message to citizens who usually do not interact with government machinery. Educational and research institutions can be taken on board as knowledge partners and specific projects can be assigned to them that mandate use of the newly available data.

Most importantly, this data can be used to prepare updated ‘Corporator Report Cards’ to assess the performance of local legislators as elections to the Corporation are due early next year. This will probably be the single most empowering aspect of this portal as it will allow individual citizens to track the work done by their representative in real time. Another way in which the PMC can engage citizens is by arranging regular ‘Hackathons’ to crowd source analysis, translation or even policy research around the data sets available.

Connecting data with citizens

Credit must be given to Kunal Kumar, presently Commissioner of the PMC and Rahul Jagtap, head of PMC’s information technology department, for conceiving and successfully implementing the first stage of this project. However, in its present form, the portal, while interactive and user friendly, has a very limited number of data sets. Most of them are policy documents and performance reports that were earlier scattered across other PMC websites.

Data sets on public transport, one of the important areas that need long term policies at city level are entirely missing from the portal. Similarly not all data sets are available in vernacular language, this might hamper citizen participation as English is not the language of choice for day to day communication in the city. PMC plans to encourage development of mobile applications that link to the portal to enable tracking of PMC’s work real time, making data available on a real time basis for these applications would be a challenging ask.

The next step would be to determine the best possible way in which offline citizens can be benefitted from online data. How the PMC goes about with this objective will define the success of the initiative. Failure to use the data to engage citizens would relegate the OGD portal as yet another of those vendor driven ‘e-governance’ initiatives that had been hailed as governance reforms in the past.

We are definitely a long way from Open Government Data (OGD) taking over the mantle of transparency and accountability in governance from RTI, but the transition has begun nonetheless. This beginning on 2 October makes it even more symbolic, as transparency and accountability in governance will help us get closer to realizing the fabled Ram Rajya that the father of the nation asked us to aspire for.

This article was first published by Mint on October 11, 2016.

Hey Taxi!

What are autonomous cabs and can we get them to be tested and used in India?

Until last week, it was expected that Uber, world’s largest cab aggregator firm, would be the first to roll out ‘driverless’ cabs that can be hailed from a phone app as early as the end of this month. However, on August 26, Singaporean autonomous vehicle start-up nuTonomy rolled out public trials of its autonomous cab service in a small district in the city state. Although the scale of nuTonomy’s trial is much smaller than what Uber plans to do in Pittsburgh, its intentions are the same and the race to be the first to offer autonomous vehicles as a consumer service will only get intense.

Uber bought Otto, a driverless truck start-up firm, and then signed a deal with Volvo to modify the Volvo XC90 SUV with cameras, lasers, radars and GPS instrumentation. While doing so it edged past Google, which has several years’ worth of data from its autonomous car, as well as Tesla, which recently announced plans to introduce Auto Pilot 2.0 — an advanced version of its self-driving technology.

Tests undertaken at present are not exactly with empty driver seats. The Singaporean company and Uber have specially-trained drivers with hands off the wheel to take control of the vehicle as the situation demands. More often than not, it is the vehicle that indicates when it needs human intervention, but all controls respond to human inputs on priority. The co-passenger is usually a data scientist who is tracking all inputs real-time to help understand how the driving algorithm can be improved. Uber’s car even has a computer in the trunk to help with processing of all this data real-time. To incentivise riders, all rides in autonomous cabs are free for now.

With all this happening in the domain of autonomous vehicles around the world, the next question to ask is: can we see this disruptive technology in India? If one is to be skeptical and point out that we have patchy mobile networks, inaccurate GPS integrations, lack of funding for disruptive tech, trust issues between drivers and riders as well as unruly traffic conditions that may not let an autonomous vehicle work in India, then let us also agree that these were the very issues quoted when the feasibility of a cab-hailing app was first discussed in the country. Today, we have Uber running more rides out of Bangalore than it does out of San Francisco and we have Ola, which is among the few ‘unicorn’ start-ups to get a billion dollars in funding. As for the traffic conditions, they make us the ideal ‘testing’ ground for this technology. Data from navigating on Indian roads could exponentially improve driving algorithms.

The issues that we may need to look into as and when such a technology presents itself in India are of a different nature, but not something we are unaccustomed to. The first one is that of perceived job loss for cab drivers, which would be an extension to the agitations of auto rickshaw and taxi drivers that the advent of cab aggregator apps has seen. State governments would do better if they factor in the possibility of autonomous cabs tomorrow while dealing with agitations against cab aggregator apps today. The need would be to understand and pass on the message that technology is a labour augmenter; our robust service industry is proof that new and better jobs are created when technology disrupts the status quo in traditional labour intensive markets. On the other hand, with manufacturing and skill development at the core of the present government’s employment generation plans, we may actually have to push for more automation to be adopted in other sectors.

Driver-centric clauses in the regulations issued by states such as Maharashtra and Karnataka for cab aggregators would be the next area to look into. In their present form, the regulations require drivers to have undergone strict police verification and, to quote from the Karnataka on-demand Transportation Technology Aggregators Rules (2016), have a “good moral character”. Policy-makers need to embrace the fact that the very concept of human accountability, associated with a cab ride, can be turned on its head by autonomous cabs. Liability laws for loss of life or limb now need to be framed in the light of who ‘owns’ the machine rather than the human operating it. We would also need to look at proposed legislations like the Geospatial Information Bill (2016) that specifically prohibit the kind of geospatial data collection that autonomous cars would do to improve their functionality. We may also need to look at our age-old motor vehicles acts because we cannot penalise an algorithm driven vehicle for a traffic violation the same way we attempt to penalise humans.

Benefits that would accrue from adopting this technology are immense. Most prominent among them is a decrease in congestion caused by unruly traffic; algorithms are not known to jump lanes or overtake from wrong sides unlike humans. Transportation costs will go down substantially as cab companies will not have to pay drivers. Most of the vehicles presently being tested are either electric or hybrid, so the uptake of environmental-friendly vehicles may also increase in the long run. Car interiors would get much needed flexibility, allowing for more user focused additions, spacious seats and better infotainment systems. The overall aspect of women safety may increase with the human element removed, but this may vary from person to person.

Autonomous vehicles can be looked at as that overarching solution for a plethora of issues that we face today in our day-to-day commutes. They may give the commercial push that city-wide public Wi-Fi implementation has lacked so far, improve overall road safety and reduce rampant corruption in traffic departments. Do we have the infrastructure to start off tomorrow? Definitely not; what we do have though are some tailor-made circumstances. High rates of accidents on highways may come down if truckers don’t have to drive at night or under fatigue, BRTS and public buses may become more efficient if automated, even cabs of IT & ITES firms that have to ferry female employees at night can be a good pilot project.

The jury is still out on whether autonomous vehicles will be the future of transportation as we know today. However, we should not let uncertainty of outcomes deter us from framing policies that would promote such technology, because the thing about disruptive technology is that while we might not gain much as early adopters, we stand to lose a lot if we miss the bus, or the cab, in this case.

This article was first published by Hindustan Times on August 29, 2016

What’s up with the Encryption?

Explaining the technology and legality of end-to-end encryption in India

Last week the Supreme Court dismissed a public interest litigation seeking to ban messaging applications like WhatsApp that use end to end encryption to secure communication between two users. While the petitioner admitted that he is not against the use of encryption per se, his contention is that the keys to decrypt such communications should be made available to law enforcement and security agencies in the interest of national security.

Across the world, government agencies are struggling to come to terms with new forms of technology implemented to encrypt end user data. Countries like Brazil have already tried to ban the use of WhatsApp, when it was not able to hand over end user data to law enforcement agencies. The FBI-Apple confrontation, where Apple was asked by the FBI to help in decrypting the phone of a terror convict, also fueled the debate globally. So how does the entire scenario around encryption technology stack up in India? More importantly, how does this debate impact end users of such technology in the country?

What is encryption technology and where do we use it?

Encryption is the commonly used term for an umbrella of technologies implemented for securing communication in the presence of a third party. It encompasses a wide spectrum of applications that scramble communication sent in plain text, and decrypt it when received by the intended recipient. It could also mean setting up a secure channel of communication through which plain text data can be sent. You can see a functional example of this if the address of the website you are accessing begins with HTTPS, instead of HTTP, which means that it is using a secure channel to transmit data. Also, websites are known to store large databases of user information in an encrypted form so that it cannot be accessed easily. End to end encryption used by WhatsApp is designed such that only the two devices communicating with each other are able to read the communication. In theory this makes it impossible for anyone to snoop on such a communication, the flip side being that even the application company does not have any means to decrypt this data.

What are ‘Keys’ used in Encryption?

A ‘Key’ or a set of ‘Keys’ usually denotes a piece of code (algorithm) that when applied to plain text, will convert it into encrypted text. There are a variety of Keys such as Public Keys (used for encrypting) and Private Keys (used for decrypting). As the names suggest, a private key is always with the recipient of the message while a Public Key may or may not be sent along with the message depending upon the combination being used. The ‘bit’ added (40, 64, 128) after the key denotes the strength of the algorithm used to encrypt the data. The larger the bit size, the stronger the encryption.

What are the legal provisions for use of encryption technology in India?

India does not have a law or regulatory framework for encrypting data. Sec 84A of the IT Act delegates responsibility to the Central Government to make rules regarding the use and regulation of encryption technologies in India. There are some sectoral regulations like those issued by the Securities and Exchange Board of India (SEBI), which asks for a 64/128 bit encryption standard to be used while engaging in online trading. The RBI on the other hand has mandated that a 128 bit standard should be used in all online transactions. The Department of Telecom, in its Internet Service Providers (ISPs) License, permits the use of a 40 bit encryption standard; anything above this limit would be allowed only if copies of the keys are submitted to DoT.

What are the policy guidelines for the use of encryption technology in India?

In September 2015, the Department of Electronics and Information Technology (DEIT) came out with the draft National Encryption Policy. Its stated objective was to promote the use of encryption technology for security and confidentiality and to protect privacy in information and communication infrastructure without unduly affecting public safety and national security. However, provisions in the policy that mandated end users to store copies of their communication in plain text for 90 days, mandatory registration of foreign vendors and insistence on Indian users to use only these registered products led to a strong public criticism of the policy. As a result, the policy was withdrawn and a new policy is now awaited that will hopefully cover the concerns in the initial draft.

So is WhatsApp operating illegally in India?

Due to the absence of a defined law that explicitly states the standard of encryption that can be used by different applications, WhatsApp is legal as of now. Should the Government or any of its agencies come up with requirements of a higher standard than the one used now by WhatsApp or if it mandates that a copy of all keys should be submitted to an agency appointed for this, then it would cause serious issues for these messaging applications. While the court dismissed his petition stating that there are agencies in the country that will take care of the national security aspects, the petitioner plans to take up the issue with the Department of Telecom and the Ministry of Information and Technology as well as present his case to the Telecom Dispute Settlement and Appellate Tribunal (TDSAT) to push for OTT messaging applications to submit keys to government agencies.

The encryption debate in India will only get stronger from here on. As more and more applications implement end-to-end encryption technologies to appeal to end users, law enforcement and security agencies will press harder for back-doors to be created for them to access such data under the need to maintain public order and national security.

This article was first published on The Dialogue.

Transforming broadband internet in India

NITI Aayog approves trials of disruptive tech to push broadband connectivity under Digital India

Among the many ambitious programs launched by the present NDA government, Digital India seemed to be the laggard of sorts. While the intention of the program and its transformative potential were undoubtedly ambitious, the implementation was not exactly taking off as expected. One of the primary reasons for this was the sorry state of the broadband infrastructure in the country. While the program provided a road map to transform the broadband infrastructure through special missions focused on expansion of fiber optic connectivity in rural and urban areas, it put the entire burden of this transformation on Government funded efforts and did not look to tap into the contribution of the private sector towards attaining the objectives specific to Broadband Highways and Public Internet Access Program.

What this meant was that the growth of broadband in the country would primarily be driven by the Bharat Net Project that was launched in 2003 as the National Open Fiber Network (NOFN). Bharat Net has not been able to catch up with the demand for high speed broadband in the country. It has also seen frequent revisions of its targeted year of completion with the most recent completion target moved to 2017 from 2013, and even this will cover only 1 lakh out of the targeted 2.5 lakh village panchayats. It was becoming more apparent with every passing day that the growth of broadband in the country would need to be fast tracked to ensure any significant measure of success of the Digital India program. It is towards this objective that the NITI Aayog recently approved the trials of three new technologies for taking broadband to the yet un-connected.

First on this list is the “White Spectrum Space” technology that uses the unutilized spectrum between the 200-300 MHz frequencies used by Television channels to provide data transmission wirelessly. This technology has already been tested across Kenya, Tanzania, Philippines, Singapore and UK by Microsoft. Currently this spectrum is held by Doordarshan and the trials will not hamper the transmission abilities of the state broadcaster. Microsoft would be the partner in this project in India as well.

Second is VSAT or Very Small Aperture Terminal technology; in simple terms, this is internet delivery via satellites. It involves a network of Medium Earth Orbit (MEO) satellites that will deliver satellite Internet services and mobile backhaul services to urban and rural areas alike. This is usually done by Ka band satellites orbiting at an altitude of 8,000 km. The benefit of this technology is that it can be used in the remotest of locations with minimal investment in on-ground infrastructure.

The third technology in this list is Wi-Fi. While not exactly disruptive and path breaking, it has a high potential to engage private sector players. Google is already providing Wi-Fi hotspots at selected Railway stations. These need to be extended to public places and institutions like schools, hospitals etc., more so in rural areas, such that the erstwhile Chaupal could become the Wi-Fi hotspot in the village!

Apart from these three, the government has already given approval for trials of Google’s Loon project. Loon is conceptualized as a project that sends out solar powered balloons which in turn provide connectivity to a ground area about 40 km in diameter using a wireless communications technology called LTE (Long-Term Evolution). In order to use this technology, Google partners with telecommunications companies and shares cellular spectrum so that people will be able to access the Internet everywhere directly from their phones and other LTE-enabled devices. At present the movement of the balloons is controlled by Google which it aims to deregulate to stratospheric winds as the project scales up. Trials are underway in New Zealand’s South Islands and 300 such balloons will soon be realized in space over Argentina, Chile, Uruguay, Paraguay, Australia and now India.

Fifty three years have passed since the Internet evolved from a lab experiment of the US Department of Defense (DOD) under the Advanced Research Projects Agency Network (ARPANET) and today it is the single largest source of information dissemination globally connecting more than 3 billion users across the globe. The rate of growth of the internet however, is showing a steady downward trend from 47.3% in 2000 to 7.5% in 2016. With more than half of the global population still without a connection to the internet, this decline points to the saturation of the present day infrastructure sustaining the internet. Coupled with regulatory hurdles, government sponsored censorship and increasing strain on existing service providers to scale up services, the growth of internet in the coming decades demands a paradigm shift in the fundamental technology that powers the idea of the Internet.

As is the case with freeing up any channel of information dissemination, the hurdles to all the above mentioned technologies were more political than technical. Governments are known to hold on dearly to spectrum in the hope of monetizing it rather than giving it away for test projects. Balloons in the stratosphere will usher in a “borderless” internet in the true sense, but the thought of such devices in sovereign air space and beyond may not work well with the security establishments on ground. Corporates investing large amounts of money in public internet infrastructure is already frowned upon by some internet activists as they believe this will go against the core principles of open access and net neutrality in future.

Evolution of the Internet in India will depend on the rate at which it reaches the yet unreachable; here choice of technology will merely be the enabler, natural selection should be driven by the end user. The move to experiment with disruptive technologies in India will go a long way in making this possible and may even lead to broadband leapfrogging mobile as the engine of growth of internet in India.

This article was first published by Hindustan Times and then by The Dialogue.

Should we buy data for Free?

Responses to TRAI’s consultation paper on Free Data

Is there a need to have TSP agnostic platform to provide free data or suitable reimbursement to users, without violating the principles of Differential Pricing for Data laid down in TRAI Regulation? Please suggest the most suitable model to achieve the objective.

TRAI’s intentions to ensure that the internet reaches the yet unconnected are definitely commendable. However, by proposing such access through the medium of ‘Free Data’, TRAI appears to be treating ‘data’ as a Public Good, a “non-rivalrous” and “non-excludable” good that one individual can consume without reducing its availability to another individual and from which no one is excluded. The ideal model for Free Data would thus allow all users to access all content across all platforms, for Free. It is obvious that in a market driven system such a model is unsustainable in the long run. The platform suggested by TRAI lacks the basic characteristic of being neutral for all content, even if the platforms proposed are TSP agnostic.

Reward based Model:

If the objective of a Free Data model is to facilitate the expansion of internet access in the country then a reward based model would be antithetical to the idea. For this model to work it is necessary that the user would already be connected to the internet and initially uses some data utilizing services. This model is appropriate if the objective is to ensure that the user stays connected to the internet after first use but would not be an incentive for promoting first use. If this reward would be decided by a TSP agnostic platform, it would result in the platform acting as a gatekeeper, as this platform would then determine what the user would need to access in order to avail ‘Free Data’.

Toll Free API Model:

The consultation paper describes this as an alternative that would allow users access to all content from the platform but not charge them for ‘access to certain websites and applications’. It further states that in this model the TSP will not act as gatekeeper and play a passive role instead. The paper assumes that the platform owner has business interest in allowing access to all content, which might not be the case every time. The fact that the paper has not defined who or what organization will own such platforms makes this model very similar to the Free Basics model proposed by Facebook which was prohibited from operating in India by TRAI’s order on Differential Pricing.

Direct Transfer Model:

As an extension of the Rewards Model, this model proposes a direct data/voice usage transfer to the end user for usage of data over the TSP agnostic platform. This model would also need the end user to be online to avail such services and does not meet the objective of getting more users to access the internet for the first time. Another lacuna in this model is the assumption that the platform owner would measure data usage in real time, which may conflict with the way data usage is measured on the user’s device (background services consume data on smart phones) or even by the TSP.

A recommended model would be to encourage smart phone manufacturers to give data coupons free with purchase of handsets that can be encashed with any TSP by paying for a data pack of an equal value. This will incentivize the purchase of new handsets and then help in getting more users to access the internet for the first time.

Whether such platforms need to be regulated by the TRAI or market be allowed to develop these platforms?

The TSP agnostic platform recommended by this consultation paper may end up promoting differential pricing through other means, and regulating such platforms would only add to the tasks of the regulatory authority.

Whether free data or suitable reimbursement to users should be limited to mobile data users only or could it be extended through technical means to subscribers of fixed line broadband or leased line?

It is recommended that the TRAI should not promote the ‘Free Data’ models as a means to expand internet access in the country. As pointed out earlier, this will end up making data a Public Good and bring with it a new set of issues, particularly those of Free riders, where some users would feel that their data usage is being charged to subsidize data use of other users. This ‘Free Data’ focused growth model for internet in India is a risky proposition as it entails behavioral changes that will be hard to reverse once they morph into a benefit-seeking mindset. The TRAI would do well to stay away from it in the long term. It should instead focus on enabling last mile growth of fixed line broadband so that it can be channelized to provide public Wi-Fi hotspots and other such services that will enable the yet un-connected and under-connected to access the possibilities of the internet without TSPs playing gatekeepers to their aspirations.

Any other issue related to the matter of Consultation Response:

Apart from examining policies around free data, zero rating and other models, it is also important to bear in mind that the root cause of many of these issues lies in the existence of arbitrary data caps imposed by TSPs. Data caps are, in many ways, ineffective when it comes to managing congestion as they only impact the amount someone uses the internet, not when. Network congestion typically happens at peak hours, when many people are using the internet at the same time.

In addition, the concept of data caps is baffling to most consumers who neither understand how 1MB of data is measured, nor have awareness of if and when they are reaching their “cap.” Therefore, rather than a tool that enables consumers to effectively manage their internet usage, this may be seen as a way to make money off uninformed consumers, and in fact limit people’s ability to access the internet for productive and social work.

These responses are made in individual capacity and do not represent the views of any organisations that I’m affiliated with. 

 

Should you store in India?

Last week the Telecom Regulatory Authority of India (TRAI) came out with a comprehensive 120 pager consultation paper on ‘Cloud Computing’. It sits right next to TRAI’s paper on differential pricing of over the top (OTT) applications if one was to consider the number of issues that a single paper aims to address. This one covers everything from growth of cloud services in India, interoperability of data among various cloud platforms, quality of service, security of data on the cloud, government initiatives (or intervention) to promote implementation of cloud services and most importantly the legal and regulatory framework for cloud services in India.

An entire chapter is dedicated to the legal and regulatory aspects of cloud computing in the country. It begins with defining the concerns that have been identified with cloud computing services worldwide.

Data Privacy and Data Protection: Currently we do not have any procedure in place to ensure that CSPs are compliant with any data protection standards. The level of data protection available to end users is dependent on whether the cloud service is free or paid and on what is the level of data protection legislation in the location that this data is stored. Such protection is entirely at the discretion of the CSP if specific laws mandating protection of user data on the cloud are not present.

Data Ownership: In an ideal scenario rights and ownership of the data rests with the creator of such data, irrespective of where that data is stored. However, CSPs can negotiate terms that can allow for some sort of ownership over the data. The data available with CSPs can be misused for marketing or data mining purposes. This is a potential security threat to end user data and often goes unaddressed in any contractual or legal agreement at present.

Multi-jurisdiction issues: Any information on the cloud will eventually end up on some physical machine owned by a person or organization, located in a particular country. CSPs can move this data from one country to another without necessarily informing the end users. Furthermore the CSP may even sub-contract such storage and the end user may not have any control over such movement of data.

Disclosure and Cross Border movement of Data: The laws of some countries prohibit the transfer of certain type of information across geographical boundaries, for example, the USA does not allow cross border movement of tax returns or health records. On the other hand, when such data is moved to the cloud it is difficult to enforce legislations on its movement across geographical boundaries. More worrisome is the fact that such data can be accessed by governments in the country where the data resides.

Current Legal/Regulatory Framework

The paper then deep dives into the current legal framework that touches upon various aspects of the cloud computing services in the country. It accepts upfront that there is no dedicated cloud computing regulation or legislation available in the country at present, and then goes on to list down all existing laws that apply completely or partially to CSPs.

Cloud computing services come under the ambit of a colonial era legislation called The Indian Telegraph Act, 1885 as such a service sends and receives data over a closed network or the Internet, similar to sending and receiving telegraphs, according to the paper. The question as to why the TRAI is interested in regulating CSPs is answered by stating that Cloud computing falls under the ambit of ‘telecommunication service’ of Section 2(k) of the Telecom Regulatory Authority of India Act, 1997.

Further, the paper states that the cloud computing and virtualization service providers in the country are required to comply with various provisions of the Information Technology Act, 2000 and the Internet Intermediary Liability Rules (2011) framed under this act. Sections 43, 65, 66 and 72 of the IT Act find a detailed mention in the paper, where Sec 43 and 43 (A) along with the Reasonable Security Practices and Procedures Rules (2011) put the responsibility of securing personal data on the person or organization handling such data. The paper interprets this as an obligation on the data intermediary to ensure that effective data protection measures are in place to prevent wrongful loss or wrongful gain by breach of data from a cloud platform. Section 72 (A) deals with penal provisions for disclosure of information by a person or organization in possession of data without the consent of the owner of this data. Sections 65 and 66 have penal provisions for tampering with ‘source code’ and fraudulent data breach respectively. India’s IT Act also has extra-territorial jurisdiction, which means that it applies to acts committed outside India by non-Indians as well. Considering the wide swath of the IT Act combined with the cross-border nature of cloud computing, the paper proposes a framework that would define the new legislation and regulation for CSPs in future.

The paper states up front that the current legislations in India may not be able to address the present and future issues arising in cloud computing services comprehensively. It maintains that the new legislation would primarily be focused on fostering and developing competition in the cloud computing market. The following measures have been proposed in the new legal/regulatory framework:

Lawful Interception: Government would need to ensure that strict and vigilant lawful interception systems for law enforcement agencies are in place over the cloud computing services. These would be needed for protecting boundaries, integrity and sovereignty of the country as well as addressing national security issues. The paper however does not mention the type of law enforcement agencies that would have access to such interception abilities.

Customized Agreements for Data: CSPs would need to get into customized agreements with end users that inform them of the risks involved and mitigation measures in place for trans-border movement of data.

Data Ownership Legal Framework: CSPs should safeguard the integrity of data as well as provide for easy migration of data and information to another cloud platform if needed for enhancing performance. This would also mandate the need to ensure complete deletion of user data in the existing cloud service.

Cross Border movement Legal Framework: A proposed solution is to evolve a separate set of rules for cyberspace that does not cater to geographical borders.

Multi-Jurisdiction Issue Legal Framework: One of the possibilities to address the issue of multiple jurisdictions is to mandate that CSPs locate their data centers within Indian geographical boundaries. Another alternative is to impose strong restriction on cross border movement of critical data like tax returns, financial transactions or health records.

The long term solution recommended is the adoption of a set of self-regulating measures by CSPs like the ‘Binding Safe Processor Rules (BSPR)’ based on the European Privacy Standards. The paper also recommends that the penal provisions in the present legislations need to be made more stringent with a steep rise in the fines imposed and introduction of clauses that allow for revocation of service license for organizations that repeatedly fail to prevent breach of sensitive data. The Government may also introduce licensing or operational restrictions on intermediate service providers who are involved in collection of sensitive information and transmitting it across multiple cloud platforms.

One of the positive mentions in the paper is that of a proposed ‘Right to Privacy Bill’ that the government plans to bring in order to give Indian citizens an entitlement-based safeguard over the privacy of their data. The chapter in question is clearly advocating for a location centric legislation and regulatory framework around the geographically dispersed cloud computing environment. Based on the responses received from the public consultation, TRAI will submit its recommendations to the Department of Telecommunications (DoT).

Whether this leads to a legal/regulatory framework that provides a conducive environment for the growth of India’s Data Infrastructure, or ends up coercing multinational companies looking to tap into the tremendous growth of cloud services in India to set up physical data centers in India, is the thing to watch out for in the coming days.

This article was originally published by the Hindustan Times and later by The Dialogue.

Net neutrality: What is it that can be offered for free?

Analysis of TRAI’s paper on Free Data 

The Telecom Regulatory Authority of India (TRAI) has rolled out a new consultation paper, titled ‘Consultation Paper on Free Data’. This paper is third in the series of consultation papers that TRAI has rolled out since April last year with the intention to find a workable solution to the issue of increasing internet access in the country while preventing the throttling of content that is accessible through some platforms controlled by telecom service providers (TSPs), also known as the ‘net neutrality’ issue.

To understand the premise of this paper we need to take a step back and look into the two papers before this one. The paper on ‘Regulatory framework for Over-the-top (OTT) Services’ asked the question, ‘Who will pay for what is offered for free?’ and in the paper on ‘Differential Pricing for Data Services’, TRAI asked, ‘How to pay for what is offered for free?’. The first paper saw vibrant public debate around the issue that, while TSPs are investing in putting up physical infrastructure for the growth of mobile internet, application providers are piggybacking on this infrastructure without adding any value or investing in it. The paper on ‘Differential Pricing’ not only saw a public debate but was also instrumental in pushing through a regulation that effectively banned differential pricing by TSPs and put Facebook’s Free Basics platform on the back burner. In the light of these two papers, the paper of ‘Free Data’ finally seems to ask, ‘What is it that can be offered for free?’

The paper reiterates the understanding that allowing TSPs to act as gate-keepers and regulators of content on their platforms is not the way forward for the growth of internet in India. It perceives such platforms and pricing models to be anti-competitive and against the spirit of innovation that the internet brings with it. It also expresses apprehension about letting the control of internet in the hands of TSPs. It however goes on to point out that there is still a need to have in place a TSP-agnostic platform that can give equal access to everyone and allows small entrepreneurs to reach out to consumers and give them more choice in an online ecosystem. TRAI believes that such a platform is necessary for the growth of internet based services like e-commerce, e-payments in the country.

In its entirety, the idea of ‘Free Data’ appears to present data as a public good, a good that one individual can consume without reducing its availability to another individual and from which no one is excluded. Economists refer to public goods as “non-rivalrous” and “non-excludable”. All the models presently in play introduce some or the other element of exclusion, whether it be excluding all users of a platform from accessing a certain service or excluding a certain service from being accessed by users unless they pay more for it. By looking for a model for ‘Free Data’, TRAI is looking for a model that will allow all users to access all content across all platforms, for Free. It is obvious that in a market driven system such a model is unsustainable in the long run. Hence the paper proposes certain alternatives like:

  • Reward-based model: Whenever users access a website/application from the ‘TSP agnostic’ platform they will be rewarded in form of data/voice usage. There is no clarity in the paper on how users who have not yet been connected to mobile internet through smart phones can use such a platform that rewards ‘after’ using a service. Also, this model misses out on the fact that a user would need to pay to be online with sufficient ‘data balance’ to use such a model.
  • Toll-free API: This is an alternative that would allow users access to all content from the platform but not charge them for ‘access to certain websites and applications’. This seems like a watered down version of Facebook’s Free Basics and the paper claims that such models are existing in many developed countries without going into further details.
  • Direct Transfer Model: In this model the user will use data normally and the cost of data will be transferred to her bank account, much like the direct benefit transfer prevalent for LPG cylinders. This model is very similar to the Reward based model and will also need that the user pays upfront to avail ‘free’ usage later.

To conclude, the paper asks for inputs on whether such a TSP agnostic platform is needed to provide free data (or suitable reimbursement) to users, without violating the principles of Differential Pricing for data laid down by TRAI. It also asks if such a platform needs to be regulated by TRAI or should the market be allowed to self-regulate it.

But it is the last question that brings an entirely new dimension to the discussion. It asks if such a platform should be limited only to mobile users or should be extended to subscribers of fixed line broadband or leased line as well. This ‘Free Data’ focused growth model for internet in India is a risky proposition as it entails behavioral changes that will be hard to reverse once they morph into a benefit-seeking mindset. The TRAI would do well to stay away from it in the long term. It should instead focus on enabling last mile growth of fixed line broadband so that it can be channelized to provide public Wi-Fi hotspots and other such services that will enable the yet un-connected and under-connected to access the possibilities of the internet without TSPs playing gatekeepers to their aspirations.

This article was originally published by Hindustan Times and later on The Dialogue.

On the Dialogue

As a part of my research on the Data Infrastructure in our country, I have put up a series of three articles on The Dialogue.

Part 1 – State of Data Infrastructure in India
http://www.thedialogue.co/the-state-of-data-infrastructure…/

Part 2 – Contours of Indian Data Infrastructure Policy
http://www.thedialogue.co/store-india-part-2-contours-indi…/

Part 3 – Making India the Data Hub of the world
http://www.thedialogue.co/store-india-making-india-data-hu…/

These articles summarize my policy paper ‘Store in India’ that proposes a National Data Infrastructure Policy (NDIP) for India.