CIS Submission to TRAI Consultation Note on Model for Nation-wide Interoperable and Scalable Public Wi-Fi Networks
This submission presents responses by the CIS on the Consultation Note on Model for Nation-wide Interoperable and Scalable Public Wi-Fi Networks published by the TRAI on November 15, 2016. Our analysis of the solution proposed in the Note, in brief, is that there is no need of a solution for non-existing interoperability problem for authentication and payment services for accessing public Wi-Fi networks. The proposed solution in this Note only adds to over-regulation in this sector, and does not incentivise new investment in the sector, but only establishes UIDAI and NPCI as the monopoly service providers for authentication and payment services.
The comments were authored by Japreet Grewal, Pranesh Prakash, Sharath Chandra, Sumandro Chattapadhyay, Sunil Abraham, and Udbhav Tiwari, with expert comments from Amelia Andersdotter.
1.1. This submission presents responses by the Centre for Internet and Society (“CIS”)  on the Consultation Note on Model for Nation-wide Interoperable and Scalable Public Wi-Fi Networks (“the Note”) published by the Telecom Regulatory Authority of India (“TRAI”) on November 15, 2016 .
1.2. The CIS welcomes the effort undertaken by TRAI to map regulatory and other barriers to deployment of public Wi-Fi in India. We especially appreciate that TRAI has recognised  two key barriers to provision of public Wi-Fi networks identified and highlighted in our earlier response to the Consultation Paper on Proliferation of Broadband through Public WiFi : 1) over regulation (including, licensing requirements, data retention, and Know Your Customer policy), and 2) paucity of spectrum .
2. General Responses
2.1. Before responding to the specific questions posed by the Note, we would like to make the following observations.
2.2. There is no need of a solution for non-existing interoperability problem for authentication and payment services for accessing public Wi-Fi networks. The proposed solution in this Note only adds to over-regulation in this sector. The proposed solution does not incentivise new investment in the sector, but only establishes UIDAI and NPCI as the monopoly service providers for authentication and payment services.
2.3. As the TRAI has consulted widely with industry and other stakeholders before it settled on the list of priority issues contained in Section C.6 of the Note, we are surprised to find that this Note aims to address only the problem of lack of “seamless interoperable payment system for Wi-Fi networks” (Section C.6.d. Of the Note), and does not discuss and propose solutions for any other key barriers identified by the Note.
2.4. The Note fails to clarify the “interoperability” problem in the payment system for usage of public Wi-Fi networks that it is attempting to solve. The Note identifies that lack of “single standard” for “authentication and payment mechanisms” for accessing public Wi-Fi networks as a key impediment to provide scalable and interoperable public Wi-Fi networks across the country . By conceptualising the problem in this manner, TRAI has bundled together two completely different concerns - authentication and payment - into one and this is at the root of the problems emanating from the proposed solution in this Note.
2.5. Lack of standard process for authentication is created by over-regulation via Know Your Customer (“KYC”) policies, and selection of eKYC service provided by UIDAI as the only acceptable authentication mechanism for all users of public Wi-Fi networks across India, creating further economic and legal challenges for smaller would-be providers of public Wi-Fi networks as they assess their liabilities and start-up costs. Additionally, since this would amount to making UID/Aadhaar enrolment mandatory for any user of public wi-fi networks, it seems to create a contradiction with previously communicated policy from the UIDAI and the Government that no such obligation should arise. Supreme Court has also mandated over successive Orders that enrolment for UID/Aadhaar number should remain optional for the citizens and residents.
2.6. As was observed by the respondents to the TRAI Consultation concluded earlier this year, there is no interoperability problem that needs to be solved regarding payments for accessing public Wi-Fi networks. Payment services continue to be evolved and payment aggregator services provided by existing companies may be expected to resolve many of the outstanding issues of service proliferation in the upcoming years, at least in the absence of additional mandatory technical measures imposed by the government. Bundling of payment with authentication will only undermine the already existing independent market for payment aggregators, and further enforce mandatoriness of UID/Aadhaar number.
2.7. Further, the payment mechanism proposed would seem to worsen difficulties for tourists and foreigners in accessing public Wi-Fi in India, as well adds an additional layer of authentication in a system already identified (even in the Note itself) to be overburdened by regulations regarding KYC and data retention. Section C.6.b of the Note highlights the problems faced by foreigners and tourists when the authentication mechanism is premised upon use of One Time Password (OTP) that requires a functioning local mobile phone number. It contradicts itself later by proposing an authentication method that requires the user to not only download an application onto their mobile/desktop device, but also to enrol for UID/Aadhaar number and/or to use their existing UID/Aadhaar number. Instead of reducing the existing barriers to provision of and access to public Wi-Fi, which the Note is supposed to achieve, it creates significant new barriers.
2.8. The technological architecture advanced by the Note upholds support of governance and surveillance projects that, in addition to being costly in their implementation and thereby slowing down the objective of getting India connected, are also of questionable value to the security of the Indian polity. UID, UPI, and related projects risk undermining cyber-security through their reliance on centralised architectures and interfere with healthy competitive market dynamics between commercial and non-commercial actors.
2.9. The Note continues to only consider and enable commercial models for the provision of public Wi-Fi networks. We have identified this as a problematic assumption in our last submission . It is most crucial that TRAI does not ignore and fail to promote and facilitate the possibility of not-for-profit models that involve grassroot communities, academia, and civil society.
2.10. Last but not the least, the term “Wi-Fi” refers to a particular technology for establishing wireless local area networks. Further, the term is a trademark of the Wi-Fi Alliance . It is this not a neutral term, and it must not be used as a general and universal synonym for wireless local area networks. We recommend that TRAI may consider using a technology-neutral term, say “public wireless services” or “public networking services”, to describe the sector. Following the terminology used in the Note, we have decided to continue using the term “Wi-Fi” in this response. This does not reflect our agreement about the appropriateness of this term. Important: The recommendation for technology-neutral regulation also comes with the qualification that safeguards like regulations on Listen Before Talk and Cycle Time are required to prevent technologies like LTE-U from squatting on spectrum and interfering with connections based on other standards.
3. Specific Responses
Q1. Is the architecture suggested in the consultation note for creating unified authentication and payment infrastructure will enable nationwide standard for authentication and payment interoperability?
3.1. No. The proposed infrastructure is likely to be costly for a large number of actors to implement and undermine some of the ongoing innovation in the Indian digital payment services industry. Rather than being helpful, it risks introducing additional requirements on an industry that TRAI has already identified as facing a number of large challenges.
3.2. There is no need for a unified architecture that provides nationwide standard for authentication and payment interoperability. It does not offer any incentive towards provision of public Wi-Fi networks. Neither is there an interoperability problem at the physical or data link layers that has been pointed out, nor is government mandated interoperability required at the payment or ID layer since there are private entities that provide such interoperability (like, payment aggregators). Additionally, we believe it is inappropriate that the TRAI is trying to predict the most suitable business/technological model for digital payments to be used for accessing commercial Wi-Fi networks. India has a booming online payments industry, and it must be allowed to evolve in an enabling regulatory environment that allow for competition and ensures responsible practices.
3.3. The Note identifies several structural impediments to expansion of public Wi-Fi networks in India, namely paucity of backhaul connectivity infrastructure (Section C.6.a), Inadequate associated infrastructure to offer carrier grade Wi-Fi network (Section C.6.c), dependency of authentication mechanism on pre-existing (Indian) mobile phone connection (Section C.6.b), and limited availability of spectrum to be used for public Wi-Fi networks (Section C.6.e). All these are crucial concerns and none of them have been addressed by the architecture suggested in the Note.
Q2. Would you like to suggest any alternate model?
3.4. Yes. The model proposed in the Note is likely to exclude several types of potential users (say, foreigners and tourists), and impose a single authentication and payment service provider for accessing public Wi-Fi networks, which may undermine both competition and security in the market for these services.
3.5. Internationally, there are cities and regions (say, the city of Barcelona and the Catalonia region in Spain) where public Wi-Fi networks have been provided in a pervasive and efficient manner by taking a light regulatory approach that enables opportunities for potential providers to set up their own infrastructures and additionally have access to backhaul. Further, reducing legal requirements on authentication should be considered in place of government mandated technical architectures for authentication and payment. In particular, allowing for anonymous access to Public Wi-Fi or wireless connectivity would reduce both the administrative and the technical burden on potential providers at the hyper-local level, especially for providers whose main activity it is not, and cannot be, to provide internet services (say, event venues, malls, and shops).
3.6. The CIS suggests the following steps towards conceptualising an “alternative model”:
- remove existing regulatory disincentives,
- urgently explore policies to promote deployment of wired infrastructures in general, and to enable a larger range of actors, including local authorities, to invest in and deploy local infrastructures by reducing licensing requirements in particular,
- examine spectrum requirements for provision of public Wi-Fi, and
- provide incentives, such as allowing telecom service providers to share backhaul traffic over public Wi-Fi, and ways for telecom service providers to lower their costs if they also make Internet access available for free.
Q3. Can Public Wi-Fi access providers resell capacity and bandwidth to retail users? Is “light touch regulation” using methods such as “registration” instead of “licensing” preferred for them?
3.7. CIS holds that capacity and bandwidth are neither comparable to tangible goods nor to digital currency. They are a utility, and the provider of the utility has to accept that their customers use the utility in the way they see fit, even if that use entails sharing said capacity and bandwidth with downstream private persons or customers. Wi-Fi capabilities are currently a built-in standardised feature of all consumer routers. Any individual, community, or store with access to an internet connection and a consumer router could become a public Wi-Fi access provider at no additional cost to themselves, furthering the goals of the Indian government in its Digital India strategy to ensure public and universal access to the internet.
3.8. In order to exploit the opportunities awarded by a large amount of entities in the Indian society potentially becoming Public Wi-Fi providers, TRAI should require neither registration nor licensing of these actors. Imposing administrative burdens on potential public Wi-Fi access providers creates legal uncertainty and will cause a lot of actors, who may otherwise contribute to the goals of Digital India, not to do so. This is particularly true for community organisers and citizens, who may not have access to legal assistance and therefore may avoid contributing to the goals of the government.
3.9. Light touch regulation when it comes to both granting license to public Wi-Fi access providers as well as authentication of retail users, however, are needed not only as an exceptional practice for such instances but as a general practice in case of entities offering public Wi-Fi services, either commercially or otherwise. Further, additional laxity in administrative responsibilities is needed to incentivise provision of free, that is non-commercial, public Wi-Fi networks.
Q4. What should be the regulatory guidelines on “unbundling” Wi-Fi at access and backhaul level?
3.10. The Note refers to unbundling of activities related to provision of Wi-Fi but it does not define the term. It is neither explained which specific activities at access and backhaul levels must be considered for unbundling.
3.11. While unbundling should clearly be allowed and any regulatory hurdles to unbundling should be removed, any such decision must be taken with a focus on urgently addressing the stagnated growth in landline and backhaul, as identified in Section C.6.a of the Note. Relying only on spectrum intensive infrastructures, such as mobile base stations, for providing connectivity, creates a heavy regulatory burden for the TRAI, while simultaneously not ensuring optimal connectivity for business and private users. The CIS is concerned that the focus of the Note on standardising a government-mediated authentication and payment mechanism detracts attention from this urgent obstacle to the fulfillment of the Digital India plans of accelerated provision of broadband highways, universal access, and public, especially free, access to internet services.
3.12. From the example of European telecommunications legislations, implementation of policy measures to ensure that vertical integration between infrastructure (say, cables, switches, and hubs) providers and service (say, providing a subscriber with a household modem or a SIM card) providers in the telecommunications sector does not become a barrier to new market entrants has yielded much success in countries that have pursued it, like Sweden and Great Britain.
3.13. Further, there should be no default assumption of bundling by the TRAI. In particular, the TRAI should consider reviewing all regulations that may cause bundling to occur when this is not necessary, and put in place in a monitoring mechanism for ensuring that bundled practises (especially in electronic networks, base station infrastructures, backhaul and similar) do not cause competitive problems or raise market entry barriers . In most EU countries, especially where the corporate structure of incumbent(s) is not highly vertically integrated, interconnection requirements for electronic network providers of wired networks in the backhaul or backbone (effectively price regulated interconnection), and a conscious effort to ensure that new market players can enter the field, have ensured a competitive telecommunications environment. TRAI may consider reviewing the European regulation on local loop unbundling (1999) and discussions on functional separation (especially by the British regulatory authority Ofcom), within an Indian context.
Q5. Whether reselling of bandwidth should be allowed to venue owners such as shop keepers through Wi-Fi at premise? In such a scenario please suggest the mechanism for security compliance.
3.14. Yes. Venue owners should be allowed to provide public Wi-Fi service both on a commercial and non-commercial basis.
3.15. It is not clear from the Note and the question what type of security concerns the TRAI is seeking to address. In terms of payment security, the payment industry already has a large range of verification and testing mechanisms. The CIS objects to the mandatory introduction of the proposed payment system so as to ensure greater security for Wi-Fi access providers and the users.
3.16. As far as hardware-related security issues are concerned, it is again unclear why consumer equipment compliant with existing Wi-Fi standards would not be sufficiently secure in the Indian context. Wi-Fi has proven to be a sturdy technical standard, its adoption is high in multiple jurisdictions around the world, and it also enjoys great technical stability. Similar security assessments could easily be made for alternative wireless technologies, such as WiMaX.
3.17. The CIS foresees problems is in the allocation of risk and liability by law. The already existing legal obligation to verify the identity of each user, for instance, is likely to introduce a large administrative burden on potential Public Wi-Fi providers, which may lead to such potential providers abstaining from entering the market. Should the identification requirement be removed, however, other concerns pertaining to legal obligations may arise. These include liability for user activities on the web or on the internet (cf. copyright infringement, libel, hate speech). We propose a “safe harbour” mechanism in these cases, limiting the liability of the potential public Wi-Fi provider.
Q6. What should be the guidelines regarding sharing of costs and revenue across all entities in the public Wi-Fi value chain? Is regulatory intervention required or it should be left to forbearance and individual contracting?
3.18. The market segments identified by the TRAI in Section F.18 of the Note should normally all be competitive markets themselves, and so do not require regulatory assistance in sharing of costs and revenues. The more elaborate the requirements imposed on each actor of each market segment identified by the TRAI in Section F.18, the more costly the roll-out of public Wi-Fi is going to be for the market actors. Such a cost is not avoided by price regulation.
3.19. The TRAI may instead consider introducing public funding for backhaul roll-out in remote areas, where the market is unlikely to engage in such roll-out on its own. Presently, some Indian states (such as Karnataka) are committing to public funding for wireless access in remote areas. The Union Government can assist such endeavours.
 See: http://cis-india.org/.
 See Section C.6 of the Note.
 See Section E.11. of the Note.
 See: https://www.wi-fi.org/.
 See: Monitoring bundled products in the telecommunications sector is also recommended by the OECD: http://oecdinsights.org/2015/06/22/triple-and-quadruple-play-bundles-of-communication-services-towards-all-in-one-packages/.