We are anonymous, we are legion

CIS Cybersecurity Series (Part 22) - Anonymous

purba — 2015-07-13T13:40:42Z

CIS interviews a Tibetan security researcher and information activist, as part of the Cybersecurity Series. He prefers to remain anonymous.

"I don't know technology but I am aware of the information people share with me. So yes, they can track you down through your mobile phone. The last time I was in Nepal, I met a westerner. We went to this restaurant and she asked me to take the battery out of the phone. That was the first time I had heard of this and so when I asked why she said that it is possible that people had followed us and it has happened to other Tibetans in Nepal..."

Centre for Internet and Society presents its twenty second installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-22-anonymous

Free Speech Policy in India: Community, Custom, Censorship, and the Future of Internet Regulation

bhairav — 2015-08-23T10:12:16Z

This note summarises my panel contribution to the conference on Freedom of Expression in a Digital Age at New Delhi on 21 April 2015, which was organised by the Observer Research Foundation (ORF) and the Centre for Internet and Society (CIS) in collaboration with the Internet Policy Observatory of the Center for Global Communication Studies (CGCS) at the Annenberg School for Communication, University of Pennsylvania

Download the Note here (PDF, 103 Kb)

Preliminary

There has been legitimate happiness among many in India at the Supreme Court’s recent decision in the Shreya Singhal case to strike down section 66A of the Information Technology Act, 2000 ("IT Act") for unconstitutionally fettering the right to free speech on the Internet. The judgment is indeed welcome, and reaffirms the Supreme Court’s proud record of defending the freedom of speech, although it declined to interfere with the government’s stringent powers of website blocking. As the dust settles there are reports the government is re-grouping to introduce fresh law, allegedly stronger to secure easier convictions, to compensate the government’s defeat.

Case Law and Government Policy

India’s constitutional courts have a varied history of negotiating the freedom of speech that justifiably demands study. But, in my opinion, inadequate attention is directed to the government’s history of free speech policy. It is possible to discern from the government’s actions over the last two centuries a relatively consistent narrative of governance that seeks to bend the individual’s right to speech to its will. The defining characteristics of this narrative – the government’s free speech policy – emerge from a study of executive and legislative decisions chiefly in relation to the press, that continue to shape policy regarding the freedom of expression on the Internet.

India’s corpus of free speech case law is not uniform nor can it be since, for instance, the foundational issues that attend hate speech are quite different from those that inform contempt of court. So too, Indian free speech policy has been varied, captive to political compulsions and disparate views regarding the interests of the community, governance and nation-building. There has been consistent tension between the individual and the community, as well as the role of the government in enforcing the expectations of the community when thwarted by law.

Dichotomy between Modern and Native Law

To understand free speech policy, it is useful to go back to the early colonial period in India, when Governor-General Warren Hastings established a system of courts in Bengal’s hinterland to begin the long process of displacing traditional law to create a modern legal system. By most accounts, pre-modern Indian law was not prescriptive, Austinian, and uniform. Instead, there were several legal systems and a variety of competing and complementary legal sources that supported different interpretations of law within most legal systems. J. Duncan M. Derrett notes that the colonial expropriation of Indian law was marked by a significant tension caused by the repeatedly-stated objective of preserving some fields of native law to create a dichotomous legal structure. These efforts were assisted by orientalist jurists such as Henry Thomas Colebrook whose interpretation of the dharmasastras heralded a new stage in the evolution of Hindu law.

In this background, it is not surprising that Elijah Impey, a close associate of Hastings, simultaneously served as the first Chief Justice of the Supreme Court at Fort William while overseeing the Sadr Diwani Adalat, a civil court applying Anglo-Hindu law for Hindus, and the Sadr Faujdari Adalat, a criminal court applying Anglo-Islamic law to all natives. By the mid-nineteenth century, this dual system came under strain in the face of increasing colonial pressure to rationalise the legal system to ensure more effective governance, and native protest at the perceived insensitivity of the colonial government to local customs.

Criminal Law and Free Speech in the Colony

In 1837, Thomas Macaulay wrote the first draft of a new comprehensive criminal law to replace indigenous law and custom with statutory modern law. When it was enacted as the Indian Penal Code in 1860 ("IPC"), it represented the apogee of the new colonial effort to recreate the common law in India. The IPC’s enactment coincided with the growth and spread of both the press and popular protest in India. The statute contained the entire gamut of public-order and community-interest crimes to punish unlawful assembly, rioting, affray, wanton provocation, public nuisance, obscenity, defiling a place of worship, disturbing a religious assembly, wounding religious feelings, and so on. It also criminalised private offences such as causing insult, annoyance, and intimidation. These crimes continue to be invoked in India today to silence individual opinion and free speech, including on the Internet. Section 66A of the IT Act utilised a very similar vocabulary of censorship.

Interestingly, Macaulay’s IPC did not feature the common law offences of sedition and blasphemy or the peculiar Indian crime of promoting inter-community enmity; these were added later. Sedition was criminalised by section 124A at the insistence of Barnes Peacock and applied successfully against Indian nationalist leaders including Bal Gangadhar Tilak in 1897 and 1909, and Mohandas Gandhi in 1922. In 1898, the IPC was amended again to incorporate section 153A to criminalise the promotion of enmity between different communities by words or deeds. And, in 1927, a more controversial amendment inserted section 295A into the IPC to criminalise blasphemy. All three offences have been recently used in India against writers, bloggers, professors, and ordinary citizens.

Loss of the Right to Offend

The two amendments of 1898 and 1927, which together proscribed the promotion of inter-community enmity and blasphemy, represent the dismantling of the right to offend in India. But, oddly, they were defended by the colonial government in the interests of native sensibilities. The proceedings of the Imperial Legislative Council reveal several members, including Indians, were enthusiastic about the amendments. For some, the amendments were a necessary corrective action to protect community honour from subversive speech. The 1920s were a period of foment in India as the freedom movement intensified and communal tension mounted. In this environment, it was easy to fuse the colonial interest in strong administration with a nationalist narrative that demanded the retrieval of Indian custom to protect native sensibilities from being offended by individual free speech, a right derived from modern European law. No authoritative jurist could be summoned to prove or refute the claim that native custom privileged community honour.

Sadly the specific incident which galvanised the amendment of 1927, which established the crime of blasphemy in India, would not appear unfamiliar to a contemporary observer. Mahashay Rajpal, an Arya Samaj activist, published an offensive pamphlet of the Prophet Muhammad titled Rangeela Rasool, for which he was arrested and tried but acquitted in the absence of specific blasphemy provisions. With his speech being found legal, Rajpal was released and given police protection but Ilam Din, a Muslim youth, stabbed him to death. Instead of supporting its criminal law and strengthening its police forces to implement the decisions of its courts, the colonial administration surrendered to the threat of public disorder and enacted section 295A of the IPC.

Protest and Community Honour

The amendment of 1927 marks an important point of rupture in the history of Indian free speech. It demonstrated the government’s policy intention of overturning the courts to restrict the individual’s right to speech when faced with public protest. In this way, the combination of public disorder and the newly-created crimes of promoting inter-community enmity and blasphemy opened the way for the criminal justice system to be used as a tool by natives to settle their socio-cultural disputes. Both these crimes address group offence; they do not redress individual grievances. In so far as they are designed to endorse group honour, these crimes signify the community’s attempt to suborn modern law and individual rights.

Almost a century later, the Rangeela Rasool affair has become the depressing template for illegal censorship in India: fringe groups take offence at permissible speech, crowds are marshalled to articulate an imagined grievance, and the government capitulates to the threat of violence. This formula has become so entrenched that governance has grown reflexively suppressive, quick to silence speech even before the perpetrators of lumpen violence can receive affront. This is especially true of online speech, where censorship is driven by the additional anxiety brought by the difficulty of Internet regulation. In this race to be offended the government plays the parochial referee, acting to protect indigenous sensibilities from subversive but legal speech.

The Censorious Post-colony

Independence marked an opportunity to remake Indian governance in a freer image. The Constituent Assembly had resolved not to curb the freedom of speech in Article 19(1)(a) of the Constitution on account of public order. In two cases from opposite ends of the country where right-wing and left-wing speech were punished by local governments on public order grounds, the Supreme Court acted on the Constituent Assembly’s vision and struck down the laws in question. Free speech, it appeared, would survive administrative concerns, thanks to the guarantee of a new constitution and an independent judiciary. Instead Prime Minister Jawaharlal Nehru and his cabinet responded with the First Amendment in 1951, merely a year after the Constitution was enacted, to create three new grounds of censorship, including public order. In 1963, a year before he demitted office, the Sixteenth Amendment added an additional restriction.

Nehru did not stop at amending the Constitution, he followed shortly after with a concerted attempt to stage-manage the press by de-legitimising certain kinds of permissible speech.

Under Justice G. S. Rajadhyaksha, the government constituted the First Press Commission which attacked yellow journalism, seemingly a sincere concern, but included permissible albeit condemnable speech that was directed at communities, indecent or vulgar, and biased. Significantly, the Commission expected the press to only publish speech that conformed to the developmental and social objectives of the government. In other words, Nehru wanted the press to support his vision of India and used the imperative of nation-building to achieve this goal. So, the individual right to offend communities was taken away by law and policy, and speech that dissented from the government’s socio-economic and political agenda was discouraged by policy. Coupled with the new constitutional ground of censorship on account of public order, the career of free speech in independent India began uncertainly.

How to regulate permissible speech?

Despite the many restrictions imposed by law on free speech, Indian free speech policy has long been engaged with the question of how to regulate the permissible speech that survives constitutional scrutiny. This was significantly easier in colonial India. In 1799, Governor-General Richard Wellesley, the brother of the famous Duke of Wellington who defeated Napoleon at Waterloo, instituted a pre-censorship system to create what Rajeev Dhavan calls a “press by permission” marked by licensed publications, prior restraint, subsequent censorship, and harsh penalties. A new colonial regime for strict control over the publication of free speech was enacted in the form of the Press and Registration of Books Act, 1867, the preamble of which recognises that “the literature of a country is…an index of…the condition of [its] people”. The 1867 Act was diluted after independence but still remains alive in the form of the Registrar of Newspapers.

After surviving Indira Gandhi’s demand for a committed press and the depredations of her regime during the Emergency, India’s press underwent the examination of the Second Press Commission. This was appointed in 1978 under the chairmanship of Justice P. K. Goswami, a year after the Janata government released the famous White Paper on Misuse of Mass Media. When Gandhi returned to power, Justice Goswami resigned and the Commission was reconstituted under Justice K. K. Mathew. In 1982, the Commission’s report endorsed the earlier First Press Commission’s call for conformist speech, but went further by proposing the appointment of a press regulator invested with inspection powers; criminalising attacks on the government; re-interpreting defamation law to encompass democratic criticism of public servants; retaining stringent official secrecy law; and more. It was quickly acted upon by Rajiv Gandhi through his infamous Defamation Bill.

The contours of future Internet regulation

The juggernaut of Indian free speech policy has received temporary setbacks, mostly inflicted by the Supreme Court. Past experience shows us that governments with strong majorities – whether Jawaharlal Nehru’s following independence or Indira Gandhi’s in the 1970s – act on their administrative impulses to impede free speech by government policy. The Internet is a recent and uncontrollable medium of speech that attracts disproportionately heavy regulatory attention. Section 66A of the IT Act may be dead but several other provisions remain to harass and punish online free speech. Far from relaxing its grip on divergent opinions, the government appears poised for more incisive invasions of personal freedoms.

I do not believe the contours of future speech regulation on the Internet need to be guessed at, they can be derived from the last two centuries of India’s free speech policy. When section 66A is replaced – and it will be, whether overtly by fresh statutory provisions or stealthily by policy and non-justiciable committees and commissions – it will be through a regime that obeys the mandate of the First Press Commission to discourage dissenting and divergent speech while adopting the regulatory structures of the Second Press Commission to permit a limited inspector raj and forbid attacks on personalities. The interests of the community, howsoever improperly articulated, will seek precedence over individual freedoms and the accompanying threat of violence will give new meaning to Bhimrao Ambedkar’s warning of the “grammar of anarchy”.

For more details visit https://cis-india.org/internet-governance/blog/policy-in-india-community-custom-censorship-and-future-of-internet-regulation

Regulatory Perspectives on Net Neutrality

pranesh — 2015-07-18T02:46:30Z

In this paper Pranesh Prakash gives an overview on why India needs to put in place net neutrality regulations, and the form that those regulations must take to avoid being over-regulation.

With assistance by Vidushi Marda (Programme Officer, Centre for Internet and Society) and Tarun Krishnakumar (Research Volunteer, Centre for Internet and Society). I would like to specially thank Vishal Misra, Steve Song, Rudolf van der Berg, Helani Galpaya, A.B. Beliappa, Amba Kak, and Sunil Abraham for extended discussions, helpful suggestions and criticisms. However, this paper is not representative of their views, which are varied.

Today, we no longer live in a world of "roti, kapda, makaan", but in the world of "roti, kapda, makaan aur broadband". ^{^[1]} This is recognized by the National Telecom Policy IV.1.2, which states the need to "recognise telecom, including broadband connectivity as a basic necessity like education and health and work towards 'Right to Broadband'."^{^[2]} According to the IAMAI, as of October 2014, India had 278 million internet users. ^{^[3]} Of these, the majority access Internet through their mobile phones, and the WEF estimates only 3 in 100 have broadband on their mobiles.^{^[4]} Thus, the bulk of our population is without broadband. Telecom regulation and net neutrality has a very important role in enabling this vision of Internet as a basic human need that we should aim to fulfil.

1. Why should we regulate the telecom sector?

All ICT regulation should be aimed at achieving five goals: achieving universal, affordable access; ^{^[5]} ensuring and sustaining effective competition in an efficient market and avoiding market failures; protecting against consumer harms; ensuring maximum utility of the network by ensuring interconnection; and addressing state needs (taxation, security, etc.). Generally, all these goals go hand in hand, however some tensions may arise. For instance, universal access may not be provided by the market because the costs of doing so in certain rural or remote areas may outweigh the immediate monetary benefits private corporations could receive in terms of profits from those customers. In such cases, to further the goal of universal access, schemes such as universal service obligation funds are put in place, while ensuring that such schemes either do not impact competition or very minimally impact it.

It is clear that to maximise societal benefit, effective regulation of the ICT sector is a requirement, which otherwise, due to the ability of dominant players to abuse network effect to their advantage, is inherently prone towards monopolies. For instance, in the absence of regulation, a dominant player would charge far less for intra-network calls than inter-network calls, making customers shift to the dominant network. This kind of harm to competition should be regulated by the ICT regulator. However, it is equally true that over-regulation is as undesirable as under-regulation, since over-regulation harms innovation - whether in the form of innovative technologies or innovative business models. The huge spurt of growth globally of the telecom sector since the 1980s has resulted not merely from advancements in technology, but in large part from the de-monopolisation and deregulation of the telecom sector.^{^[6]} Similarly, the Internet has largely flourished under very limited technology-specific regulation. For instance, while interconnection between different telecom networks is heavily regulated in the domestic telecom sector, interconnection between the different autonomous systems (ASes) that make up the Internet is completely unregulated, thereby allowing for non-transparent pricing and opaque transactions. Given this context, we must ensure we do not over-regulate, lest we kill innovation.

2. Why should we regulate Net Neutrality? And whom should we regulate?

We wouldn't need to regulate Net Neutrality if ISPs were not "gatekeepers" for last-mile access. "Gatekeeping" occurs when a single company establishes itself as an exclusive route to reach a large number of people and businesses or, in network terms, nodes. It is not possible for Internet services to reach the customers of the telecom network without passing through the telecom network. The situation is very different in the middle-mile and for backhaul. Even though anti-competitive terms may exist in the middle-mile, especially given the opacity of terms in "transit agreements", a packet is usually able to travel through multiple routes if one route is too expensive (even if that is not the shortest network path, and is thus inefficient in a way). However, this multiplicity of routes is not possible in the last mile.

This leaves last mile telecom operators (ISPs) in a position to unfairly discriminate between different Internet services or destinations or applications, while harming consumer choice. This is why we believe that promoting the five goals mentioned above would require regulation of last-mile telecom operators to prevent unjust discrimination against end-users and content providers.

Thus, net neutrality is the principle that we should regulate gatekeepers to ensure they do not use their power to unjustly discriminate between similarly situated persons, content or traffic.

3. How should we regulate Net Neutrality?

3.1. What concerns does Net Neutrality raise? What harms does it entail?

Discriminatory practices at the level of access to the Internet raises the following set of concerns:

1. Freedom of speech and expression, freedom of association, freedom of assembly, and privacy.

2. Harm to effective competition

a. This includes competition amongst ISPs as well as competition amongst content providers.

b. Under-regulation here may cause harm to innovation at the content provider level, including through erecting barriers to entry.

c. Over-regulation here may cause harm to innovation in terms of ISP business models.

3. Harm to consumers

a. Under-regulation here may harm consumer choice and the right to freedom of speech, expression, and communication.

b. Over-regulation on this ground may cause harm to innovation at the level of networking technologies and be detrimental to consumers in the long run.

4. Harm to "openness" and interconnectedness of the Internet, including diversity (of access, of content, etc.)

a. Exceptions for specialized services should be limited to preserve the open and interconnectedness of the Internet and of the World Wide Web.

It might help to think about Net Neutrality as primarily being about two overlapping sets of regulatory issues: preferential treatment of particular Internet-based services (in essence: content- or source-/destination-based discrimination, i.e., discrimination on basis of 'whose traffic it is'), or discriminatory treatment of applications or protocols (which would include examples like throttling of BitTorrent traffic, high overage fees upon breaching Internet data caps on mobile phones, etc., i.e., discrimination on the basis of 'what kind of traffic it is').

Situations where the negative or positive discrimination happens on the basis of particular content or address should be regulated through the use of competition principles, while negative or positive discrimination at the level of specific class of content, protocols, associated ports, and other such sender-/receiver-agnostic features, should be regulated through regulation of network management techniques . The former deals with instances where the question of "in whose favour is there discrimination" may be asked, while the latter deals with the question "in favour of what is there discrimination".

In order to do this, a regulator like TRAI can use both hard regulation - price ceilings, data cap floors, transparency mandates, preventing specific anti-competitive practices, etc. - as well as soft regulation - incentives and disincentives.

3.1.1 Net Neutrality and human rights

Any discussion on the need for net neutrality impugns the human rights of a number of different stakeholders. Users, subscribers, telecom operators and ISPs all possess distinct and overlapping rights that are to be weighed against each other before the scope, nature and form of regulatory intervention are finalised. The freedom of speech, right to privacy and right to carry on trade raise some of the most pertinent questions in this regard.

For example, to properly consider issues surrounding the practice of paid content-specific zero-rating from a human rights point of view, one must seek to balance the rights of content providers to widely disseminate their 'speech' to the largest audiences against the rights of consumers to have access to a diverse variety of different, conflicting and contrasting ideas.

This commitment to a veritable marketplace or free-market of ideas has formed the touchstone of freedom of speech law in jurisdictions across the world as well as finding mention in pronouncements of the Indian Supreme Court. Particular reference is to be made to the dissent of Mathew, J. inBennett Coleman v. Union of India^{^[7]} and of the majority Sakal Papers v. Union of India^{^[8]} which rejected the approach.

Further, the practice of deep-packet inspection, which is sometimes used in the process of network management, raises privacy concerns as it seeks to go beyond what is "public" information in the header of an IP packet, necessary for routing, to analysing non-public information. ^{^[9]}

3.2 What conditions and factors may change these concerns and the regulatory model we should adopt?

While the principles relating to Net Neutrality remain the same in all countries (i.e., trying to prevent gatekeepers from unjustly exploiting their position), the severity of the problem varies depending on competition in the market, on the technologies, and on many other factors. One way to measure fair or stable allocation of the surplus created by a network - or a network-of-networks like the Internet - is by treating it as a convex cooperation game and thereupon calculating that game's Shapley value:^{^[10]} in the case of the Internet, this would be a game involving content ISPs, transit ISPs, and eyeball (i.e., last-mile) ISPs. The Shapley value changes depending on the number of competitors there are in the market: thus, the fair/stable allocation when there's vibrant competition in the market is different from the fair/stable allocation in a market without such competition. That goes to show that a desirable approach when an ISP tries to unjustly enrich itself by charging other network-participants may well be to increase competition, rather than directly regulating the last-mile ISP. Further, it shows that in a market with vibrant last-mile competition, the capacity of the last-mile ISP to unjustly are far diminished.

In countries which are remote and have little international bandwidth, the need to conserve that bandwidth is high. ISPs can regulate that by either increasing prices of Internet connections for all, or by imposing usage restrictions (such as throttling) on either heavy users or bandwidth-hogging protocols. If the amount of international bandwidth is higher, the need and desire on part of ISPs to indulge in such usage restrictions decreases. Thus, the need to regulate is far higher in the latter case, than in the former case.

The above paragraphs show that both the need for regulation and also the form that the regulation should take depend on a variety of conditions that aren't immediately apparent.

Thus, the framework that the regulator sets out to tackle issues relating to Net Neutrality are most important, whereas the specific rules may need to change depending on changes in conditions. These conditions include:

● last-mile market

○ switching costs between equivalent service providers

○ availability of an open-access last-mile

○ availability of a "public option" neutral ISP

○ increase or decrease in the competition, both in wired and mobile ISPs.

● interconnection market

○ availability of well-functioning peering exchanges

○ availability of low-cost transit

● technology and available bandwidth

○ spectrum efficiency

○ total amount of international bandwidth and local network bandwidth

● conflicting interests of ISPs

○ do the ISPs have other business interests other than providing Internet connectivity? (telephony, entertainment, etc.)

3.3 How should we deal with anti-competitive practices?

Anti-competitive practices in the telecom sector can take many forms: Abuse of dominance, exclusion of access to specific services, customer lock-in, predatory pricing, tying of services, cross-subsidization, etc., are a few of them. In some cases the anti-competitive practice targets other telecom providers, while in others it targets content providers. In the both cases, it is important to ensure that ensure that telecom subscribers have a competitive choice between effectively substitutable telecom providers and an ability to seamlessly switch between providers.

3.3.1 Lowering Switching Costs

TRAI has tackled many of these issues head on, especially in the mobile telephony space, while competitive market pressures have helped too:

● Contractual or transactional lock-in. The easiest way to prevent shifting from one network to another is by contractually mandating a lock-in period, or by requiring special equipment (interoperability) to connect to one's network. In India, this is not practised in the telecom sector, with the exception of competing technologies like CDMA and GSM. Non-contractual lock-ins, for instance by offering discounts for purchasing longer-term packages, are not inherently anti-competitive unless that results in predatory pricing or constitutes an abuse of market dominance. In India, switching from one mobile provider to another, though initiated 15 years into the telecom revolution, is in most cases now almost as easy as buying a new SIM card.^{^[11]} TRAI may consider proactive regulation against contractual lock-in.

● Number of competitors. Even if switching from one network to another is easy, it is not useful unless there are other equivalent options to switch to. In the telecom market, coverage is a very important factor in judging equivalence. Given that last mile connectivity is extremely expensive to provide, the coverage of different networks are very different, and this is even more true when one considers wired connectivity, which is difficult to lay in densely-populated urban and semi-urban areas and unprofitable in sparsely-populated areas. The best way to increase the number of competitors is to make it easier for competitors to exist. Some ways of doing this would be through enabling spectrum-sharing, lowering right-of-way rents, allowing post-auction spectrum trading, and promoting open-access last-mile fibre carriers and to thereby encourage competition on the basis of price and service and not exclusive access to infrastructure.

● Interconnection and mandatory carriage. The biggest advantage a dominant telecom player has is exclusive access to its customer base. Since in the telecom market, no telco wants to not connect to customers of another telco, they do not outright ban other networks. However, dominant players can charge high prices from other networks, thereby discriminating against smaller networks. In the early 2000s, Airtel-to-Airtel calls were much cheaper than Airtel-to-Spice calls. However, things have significantly changed since then. TRAI has, since the 2000s, heavily regulated interconnection and imposed price controls on interconnection ("termination") charges.^{^[12]} Thus, now, generally, inter-network calls are priced similarly to intra-network calls. And if you want cheaper Airtel-to-Airtel calls, you can buy a special (unbundled) pack that enables an Airtel customer to take advantage of the fact that her friends are also on the same network, and benefits Airtel since they do not in such cases have to pay termination charges. Recently, TRAI has even made the interconnection rates zero in three cases: landline-to-landline, landline-to-cellular, and cellular-to-landline, in a bid to decrease landline call rates, and incentivise them, allowing a very low per call interconnection charges of 14 paise for cellular-to-cellular connections. ^{^[13]}

○ With regard to Net Neutrality, we must have a rule that no termination charges or carriage charges may be levied by any ISP upon any Internet service. No Internet service may be discriminated against with regard to carriage conditions or speeds or any other quality of service metric. In essence all negative discrimination should be prohibited. This means that Airtel cannot forcibly charge WhatsApp or any other OTT (which essentially form a different "layer") money for the "privilege" of being able to reach Airtel customers, nor may Airtel slow down WhatsApp traffic and thus try to force WhatsApp to pay. There is a duty on telecom providers to carry any legitimate traffic ("common carriage"), not a privilege. It is important to note that consumer-facing TSPs get paid by other interconnecting Internet networks in the form of transit charges (or the TSP's costs are defrayed through peering). There shouldn't be any separate charge on the basis of content (different layer from the carriage) rather than network (same layer as the carriage). This principle is especially important for startups, and which are often at the receiving end of such discriminatory practices.

● Number Portability. One other factor that prevents users from shifting between one network and another is the fact that they have to change an important aspect of their identity: their phone number (this doesn't apply to Internet over DSL, cable, etc.). At least in the mobile space, TRAI has for several years tried to mandate seamless mobile number portability. The same is being tried by the European Commission in the EU. ^{^[14]} While intra-circle mobile number portability exists in India - and TRAI is pushing for inter-circle mobile number portability as well^{^[15]} - this is nowhere as seamless as it should be.

● Multi-SIM phones. The Indian market is filled with phones that can accommodate multiple SIM cards, enabling customers to shift seamlessly between multiple networks. This is true not just in India, but most developing countries with extremely price-sensitive customers. Theoretically, switching costs would approach zero if in a market with full coverage by n telecom players every subscriber had a phone with n SIM slots with low-cost SIM cards being available.

The situation in the telecom sector with respect to the above provides a stark contrast to the situation in the USA, and to the situation in the DTH market. In the USA, phones get sold at discounts with multi-month or multi-year contracts, and contractual lock-ins are a large problem. Keeping each of the above factors in mind, the Indian mobile telecom space is far more competitive than the US mobile telecom space.

Further, in the Indian DTH market, given that there is transactional lock-in (set-top boxes aren't interoperable in practice, though are mandated to be so by law^{^[16]}), there are fewer choices in the market; further, the equivalent of multi-SIM phones don't exist with respect to set-top boxes. Further, while there are must-carry rules with respect to carriage, they can be of three types: 1) must mandatorily provide access to particular channels^{^[17]} (positive obligation, usually for government channels); 2) prevented from not providing particular channels (negative obligation, to prevent anti-competitive behaviour and political censorship); and 3) must mandatorily offer access to at least a set number of channels (positive obligation for ensuring market diversity). ^{^[18]} Currently, only (1) is in force, since despite attempts by TRAI to ensure (3) as well.^{^[19]}

If the shifting costs are low and transparency in terms of network practice is reported in a standard manner and well-publicised, then that significantly weakens the "gatekeeper effect", which as we saw earlier, is the reason why we wish to introduce Net Neutrality regulation. This consequently means, as explained above in section 3.2, that despite the same Net Neutrality principles applying in all markets and countries, the precise form that the Net Neutrality regulations take in a telecom market with low switching costs would be different from the form that such regulations would take in a market with high switching costs.

3.3.2 Anti-competitive Practices

Some potential anti-competitive practices, which are closely linked, are cross-subsidization, tying (anti-competitive bundling) of multiple services, and vertical price squeeze. All three of these are especial concerns now, with the increased diversification of traditional telecom companies, and with the entry into telecom (like with DTH) of companies that create content. Hence, if Airtel cross-subsidizes the Hike chat application that it recently acquired, ^{^[20]} or if Reliance Infocomm requires customers to buy a subscription to an offering from Reliance Big Entertainment, or if Reliance Infocomm meters traffic from another Reliance Big Entertainment differently from that from Saavn, all those would be violative of the principle of non-discrimination by gatekeepers. This same analysis can be applied to all unpaid deals and non-commercial deals, including schemes such as Internet.org and Wikipedia Zero, which will be covered later in the section on zero-rating.

While we have general rules such as sections 3 and 4 of the Competition Act, we do not currently have specific rules prohibiting these or other anti-competitive practices, and we need Net Neutrality regulation that clearly prohibit such anti-competitive practices so that the telecom regulator can take action for non-compliance . We cannot leave these specific policy prescriptions unstated, even if they are provided for in section 3 of the Competition Act. These concerns are especial concerns in the telecom sector, and the telecom regulator or arbitrator should have the power to directly deal with these, instead of each case going to the Competition Commission of India. This should not affect the jurisdiction of the CCI to investigate and adjudicate such matters, but should ensure that TRAI both has suo motu powers, and that the mechanism to complain is made simple (unlike the current scenario, where some individual complainants may fall in the cracks between TRAI and TDSAT).

3.3.3 Zero-rating

Since a large part of the net neutrality debate in India involves zero-rating practices, we deal with that in some length. Zero-rating is the practice of not counting (aka "zero-rating") certain traffic towards a subscriber's regular Internet usage. The zero-rated traffic could be zero-priced or fixed-price; capped or uncapped; subscriber-paid, Internet service-paid, paid for by both, or unpaid; content- or source/destination-based, or agnostic to content or source/destination; automatically provided by the ISP or chosen by the customer . The motivations for zero-rating may also be varied, as we shall see below. Further, depending on the circumstances, zero-rating could be competitive or anti-competitive. All forms of zero-rating result in some form of discrimination, but not all zero-rating is harmful, nor does all zero-rating need to be prohibited.

While, as explained in the section on interconnection and carriage above, negative discrimination at the network level should be prohibited, that leaves open the question of positive discrimination. It follows from section 3.1 that the right frame of analysis of this question is harm to competition, since the main harm zero-rating is, as we shall see below, about discriminating between different content providers, and not discrimination at the level of protocols, etc.

Whether one should allow for any form of positive discrimination at the network level or not depends on whether positive discrimination of (X) has an automatic and unfair negative impact on all (~X). That, in turn, depends on whether (~X) is being subject to unfair competition. As Wikipedia notes, "unfair competition means that the gains of some participants are conditional on the losses of others, when the gains are made in ways which are illegitimate or unjust." Thus, positive discrimination that has a negative impact on effective competition shall not be permitted, since in such cases it is equivalent to negative discrimination ("zero-sum game") . Positive discrimination that does not have a negative impact on effective competition may be permitted, especially since it results in increased access and increases consumer benefit, as long as the harm to openness and diversity is minimized .

While considering this, one should keep in mind the fact that startups were, 10-15 years ago, at a huge disadvantage with regard to wholesale data purchase. The marketplaces for data centres and for content delivery networks (which speed up delivery of content by being located closer, in network terms, to multiple last-mile ISPs) were nowhere near as mature as they are today, and the prices were high. There was a much higher barrier to startup entry than there is today, due to the prices and due to larger companies being able to rely on economies of scale to get cheaper rates. Was that unfair? No. There is no evidence of anti-competitive practices, nor of startups complaining about such practices. Therefore, that was fair competition, despite specific input costs that were arguably needed (though not essential) for startups to compete being priced far beyond their capacity to pay.

Today the marketplace is very different, with a variety of offerings. CDNs such as Cloudflare, which were once the preserve of rich companies, even have free offerings, thus substantially lowering barriers for startups that want faster access to customers across the globe.

Is a CDN an essential cost for a startup? No. But in an environment where speed matters and customers use or don't use a service depending on speed; and where the startup's larger competitors are all using CDNs, a startup more or less has to. Thankfully, given the cheap access to CDNs these days, that cost is not too high for a startup to bear. If the CDN market was not competitive enough, would a hypothetical global regulator have been justified in outright banning the use of CDNs to 'level' the playing field? No, because the hypothetical global regulator instead had the option to (and would have been justified in) regulating the market to ensure greater competition.

A regulator should not prohibit an act that does not negatively impact access, competition, consumer benefit, nor openness (including diversity), since that would be over-regulation and would harm innovation.

3.3.3.1 Motivations for Zero-Rating

3.3.3.1.1 Corporate Social Responsibility / Incentivizing Customers to Move Up Value Chain

There exist multiple instances where there is no commercial transaction between the OTT involved and the telecom carrier, in which zero-priced zero-rating of specific Internet content happens. We know that there is no commercial transaction either through written policy (Wikipedia Zero) or through public statements (Internet.org, a bouquet of sites). In such cases, the telecom provider would either be providing such services out of a sense of public interest, given the social value of those services, or would be providing such services out of self-interest, to showcase the value of particular Internet set the same time.

The apprehended risk is that of such a scheme creating a "walled garden", where users would be exposed only to those services which are free since the search and discovery costs of non-free Internet (i.e., any site outside the "walled garden") would be rather high. This risk, while real, is rather slim given the fact that the economic incentives for those customers who have the ability to pay for "Internet packs" but currently do not find a compelling reason to do so, or out of both a sense of public interest and self-interest of the telecom providers works against this.

In such non-commercial zero-priced zero-rating, a telecom provider would only make money if and only if subscribers start paying for sites outside of the walled garden. If subscribers are happy in the walled garden, the telecom provider starts losing money, and hence has a strong motivation to stop that scheme. If on the other hand, enough subscribers start becoming paying customers to offset the cost of providing the zero-priced zero-rated service(s) and make it profitable, that shows that despite the availability of zero-priced options a number of customers will opt for paid access to the open Internet and the open Web, and the overall harms of such zero-priced zero-rating would be minimal. Hence, the telecom providers have an incentive to keep the costs of Internet data packs low, thus encouraging customers who otherwise wouldn't pay for the Internet to become paying customers.

There is the potential of consumer harm when users seek to access a site outside of the walled garden, and find to their dismay that they have been charged for the Internet at a hefty rate, and their prepaid balance has greatly decreased. This is an issue that TRAI is currently appraised of, and a suitable solution would need to be found to protect consumers against such harm.

All in all, given that the commercial interests of the telecom providers align with the healthy practice of non-discrimination, this form of limited positive discrimination is not harmful in the long run, particularly because it is not indefinitely sustainable for a large number of sites. Hence, it may not be useful to ban this form of zero-priced zero-rating of services as long as they aren't exclusive, or otherwise anti-competitive (a vertical price-squeeze, for instance), and the harm to consumers is prohibited and the harm to openness/diversity is minimized.

3.3.3.1.2 Passing on ISP Savings / Incentivizing Customers to Lower ISP's Cost

Suppose, for instance, an OTT uses a CDN located, in network distance terms, near an eyeball ISP. In this case, the ISP has to probably pay less than it would have to had the same data been located in a data centre located further away, given that it would have fewer interconnection-related charges.

Hence the monetary costs of providing access to different Web destinations are not equal for the ISP. This cost can be varied either by the OTT (by it locating the data closer to the ISP - through a CDN, by co-locating where the ISP is also present, or by connecting to an Internet Exchange Point which the ISP is also connected to - or by it directly "peering" with the ISP) or by the ISP (by engaging in "transparent proxying" in which case the ISP creates caches at the ISP level of specific content (usually by caching non-encrypted data the ISP's customers request) and serves the cached content when a user requests a site, rather than serving the actual site). None of the practices so far mentioned are discriminatory from the customer's perspective with regard either to price or to prioritization, though all of them enable faster speeds to specific content. Hence none of the above-mentioned practices are considered even by the most ardent Net Neutrality advocates to be violations of that principle. ^{^[21]} However, if an ISP zero-rates the content to either pass on its savings to the customer^{^[22]} or to incentivize the customer to access services that cost the ISP less in terms of interconnection costs, that creates a form of price discrimination for the customer, despite it benefiting the consumer.

The essential economic problem is that the cost to the ISP is variable, but the cost to the customer is fixed. Importantly, this problem is exacerbated in India where web hosting prices are high, transit prices are high, peering levels are low, and Internet Exchange Points (IXPs) are not functioning well. ^{^[23]} These conditions create network inefficiencies in terms of hosting of content further away from Indian networks in terms of network distance, and thus harms consumers as well as local ISPs. In order to set this right, zero-rating of this sort may be permitted as it acts as an incentive towards fixing the market fundamentals. However, once the market fundamentals are fixed, such zero-rating may be prohibited.

This example shows that the desirability or otherwise of discriminatory practices depends fully on the conditions present in the market, including in terms of interconnection costs.

3.3.3.1.3 Unbundling Internet into Services ("Special Packs")

Since at least early 2014, mobile operators have been marketing special zero-rating "packs". These packs, if purchased by the customer, allow capped or in some instances uncapped, zero-rating of a service such as WhatsApp or Facebook, meaning traffic to/from that service will not be counted against their regular Internet usage.

For a rational customer, purchasing such a pack only makes sense in one of two circumstances:

● The person has Internet connectivity on her Internet-capable phone, but has not purchased an "Internet data pack" since she doesn't find the Internet valuable. Instead, she has heard about "WhatsApp", has friends who are on it, and wishes to use that to reduce her SMS costs (and thereby eat into the carriage provider's ability to charge separately for SMSes). She chooses to buy a WhatsApp pack for around ₹25 a month instead of paying ₹95 for an all-inclusive Internet data pack.

● The person has Internet connectivity on her Internet-capable phone, and has purchased an "Internet data pack". However, that data pack is capped and she has to decide between using WhatsApp and surfing web sites. She is on multiple WhatsApp groups and her WhatsApp traffic eats up 65% of her data cap. She thus has to choose between the two, since she doesn't want to buy two Internet data packs (each costing around ₹95 for a month). She chooses to buy a WhatsApp pack for ₹25 a month, paying a cumulative total of ₹120 instead of ₹190 which she would have had to had she bought two Internet data packs. In this situation, "unbundling" is happening, and this benefits the consumer. Such unbundling harms the openness and integrity of the Internet.

If users did not find value in the "special" data packs, and there is no market demand for such products, they will cease to be offered. Thus, assuming a telco's decision to offer such packs is purely customer-demand driven - and not due to deals it has struck with service providers - if Orkut is popular, telcos would be interested in offering Orkut packs and if Facebook is popular, they would be interested in offering a Facebook pack. Thus, clearly, there is nothing anti-competitive about such customer-paid zero-rating packs, whereas they clearly enhance consumer benefit. Would this increase the popularity of Orkut or Facebook? Potentially yes. But to prohibit this would be like prohibiting a supermarket from selectively (and non-collusively) offering discounts on popular products. Would that make already popular products even more popular? Potentially, yes. But that would not be seen as a harm to competition but would be seen as fair competition. This contravenes the "openness" of the Internet (i.e., the integral interconnected diversity that an open network like the Internet embodies) as an independent regulatory goal. The Internet, being a single gateway to a mind-boggling variety of services, allows for a diverse "long tail", which would lose out if the Internet was seen solely as a gateway to popular apps, sites, and content. However, given that this is a choice exercised freely by the consumer, such packs should not be prohibited, as that would be a case of over-regulation.

The one exception to the above analysis of competition, needless to say, is if that these special packs aren't purely customer-demand driven and are the product of special deals between an OTT and the telco. In that case, we need to ensure it isn't anti-competitive by following the prescriptions of the next section.

3.3.3.1.4 Earning Additional Revenues from Content Providers

With offerings like Airtel Zero, we have a situation where OTT companies are offering to pay for wholesale data access used by their customers, and make accessing their specific site or app free for the customer. From the customer's perspective, this is similar to a toll-free number or a pre-paid envelope or free-to-air TV channel being offered on a particular network.

However, from the network perspective, these are very different. Even if a customer-company pays Airtel for the toll-free number, that number is accessible and toll-free across all networks since the call terminates on Airtel networks and Airtel pays the connecting network back the termination charge from the fee they are paid by the customer-company. This cannot happen in case of the Internet, since the "call" terminates outside of the reach of the ISP being paid for zero-rating by the OTT company; hence unless specific measures are taken, zero-rating has to be network-specific.

The comparison to free-to-air channels is also instructive, since in 2010 TRAI made recommendations that consumers should have the choice of accessing free-to-air channels à-la-carte, without being tied up to a bouquet.^{^[24]} This would, in essence, allow a subscriber to purchase a set-top box, and without paying a regular subscription fee watch free-to-air channels. ^{^[25]} However, similar to toll-free numbers, these free-to-air channels are free-to-air on all MSO's set-top boxes, unlike the proposed Airtel Zero scheme under which access to a site like Flipkart would be free for customers on Airtel's network alone.

Hence, these comparisons, while useful in helping think through the regulatory and competition issues, should not be used as instructive exact analogies, since they aren't fully comparable situations.

3.3.3.1.5 Market Options for OTT-Paid Zero-Rating

As noted above, a competitive marketplace already exists for wholesale data purchase at the level of "content ISPs" (including CDNs), which sell wholesale data to content providers (OTTs). This market is at present completely unregulated. The deals that exist are treated as commercial secrets. It is almost certain that large OTTs get better rates than small startups due to economies of scale.

However, at the eyeball ISP level, it is a single-sided market with ISPs competing to gain customers in the form of end-users. With a scheme like "Airtel Zero", this would get converted into a double-sided market, with a gatekeeper without whom neither side can reach the other being in the middle creating a two-sided toll. This situation is ripe for market abuse: this situation allows the gatekeeper to hinder access to those OTTs that don't pay the requisite toll or to provide preferential access to those who pay, apart from providing an ISP the opportunity to "double-dip".

One way to fix this is to prevent ISPs from establishing a double-sided market. The other way would be to create a highly-regulated market where the gatekeeping powers of the ISP are diminished, and the ISP's ability to leverage its exclusive access over its customers are curtailed. A comparison may be drawn here to the rules that are often set by standard-setting bodies where patents are involved: given that these patents are essential inputs, access to them must be allowed through fair, reasonable, and non-discriminatory licences. Access to the Internet and common carriers like telecom networks, being even more important (since alternatives exist to particular standards, but not to the Internet itself), must be placed at an even higher pedestal and thus even stricter regulation to ensure fair competition.

A marketplace of this sort would impose some regulatory burdens on TRAI and place burdens on innovations by the ISPs, but a regulated marketplace harms ISP innovation less than not allowing a market at all.

At a minimum, such a marketplace must ensure non-exclusivity, non-discrimination, and transparency. Thus, at a minimum, a telecom provider cannot discriminate between any OTTs who want similar access to zero-rating. Further, a telecom provider cannot prevent any OTT from zero-rating with any other telecom provider. To ensure that telecom providers are actually following this stipulation, transparency is needed, as a minimum.

Transparency can take one of two forms: transparency to the regulator alone and transparency to the public. Transparency to the regulator alone would enable OTTs and ISPs to keep the terms of their commercial transactions secret from their competitors, but enable the regulator, upon request, to ensure that this doesn't lead to anti-competitive practices. This model would increase the burden on the regulator, but would be more palatable to OTTs and ISPs, and more comparable to the wholesale data market where the terms of such agreements are strictly-guarded commercial secrets. On the other hand, requiring transparency to the public would reduce the burden on the regulator, despite coming at a cost of secrecy of commercial terms, and is far more preferable.

Beyond transparency, a regulation could take the form of insisting on standard rates and terms for all OTT players, with differential usage tiers if need be, to ensure that access is truly non-discriminatory. This is how the market is structured on the retail side.

Since there are transaction costs in individually approaching each telecom provider for such zero-rating, the market would greatly benefit from a single marketplace where OTTs can come and enter into agreements with multiple telecom providers.

Even in this model, telecom networks will be charging based not only on the fact of the number of customers they have, but on the basis of them having exclusive routing to those customers. Further, even under the standard-rates based single-market model, a particular zero-rated site may be accessible for free from one network, but not across all networks: unlike the situation with a toll-free number in which no such distinction exists.

To resolve this, the regulator may propose that if an OTT wishes to engage in paid zero-rating, it will need to do so across all networks, since if it doesn't there is risk of providing an unfair advantage to one network over another and increasing the gatekeeper effect rather than decreasing it.

However, all forms of competitive Internet service-paid zero-priced zero-rating, even when they don't harm competition, innovation amongst content providers, or consumers, will necessarily harm openness and diversity of the Internet. For instance, while richer companies with a strong presence in India may pay to zero-rate traffic for their Indian customers, decentralized technologies such as XMPP and WebRTC, having no central company behind them, would not, leading to customers preferring proprietary networks and solutions to such open technologies, which in turn, thanks to the network effect, leads to a vicious cycle. These harms to openness and diversity have to be weighed against the benefit in terms of increase in access when deciding whether to allow for competitive OTT-paid zero-priced zero-rating, as such competition doesn't exist in a truly level playing field . Further, it must be kept in mind that there are forms of zero-priced zero-rating that decrease the harm to openness / diversity, or completely remove that harm altogether: that there are other options available must be acknowledged by the regulator when considering the benefit to access from competitive OTT-paid zero-priced zero-rating.

3.3.3.1.6 Other options for zero-rating

There are other models of zero-priced zero-rating that either minimize the harm is that of ensuring free Internet access for every person. This can take the form of:^{^[26]}

● A mandatorily "leaky" 'walled garden':

○ The first-degree of all hyperlinks from the zero-rated OTT service are also free.

○ The zero-rated OTT service provider has to mandatorily provide free access to the whole of the World Wide Web to all its customers during specified hours.

○ The zero-rated OTT service provider has to mandatorily provide free access to the whole of the World Wide Web to all its customers based on amount on usage of the OTT service.^{^[27]}

● Zero-rating of all Web traffic

○ In exchange for viewing of advertisements

○ In exchange for using a particular Web browser

○ At low speeds on 3G, or on 2G.

3.3.3.2. What kinds of zero-rating are good

The majority of the forms of zero-rating covered in this section are content or source/destination-based zero-rating. Only some of the options covered in the "other options for zero-rating" section cover content-agnostic zero-rating models. Content-agnostic zero-rating models are not harmful, while content-based zero-rating models always harm, though to varying degrees, the openness of the Internet / diversity of OTTs, and to varying degrees increase access to Internet-based services. Accordingly, here is an hierarchy of desirability of zero-priced zero-rating, from most desirable to most harmful:

1. Content- & source/destination-agnostic zero-priced zero-rating.^{^[28]}

2. Content- & source/destination-based non-zero-priced zero-rating, without any commercial deals, chosen freely & paid for by users. ^{^[29]}

3. Content- & source/destination-based zero-priced zero-rating, without any commercial deals, with full transparency. ^{^[30]}

4. Content- & source/destination-based zero-priced zero-rating, on the basis of commercial deal with partial zero-priced access to all content, with non-discriminatory access to the same deal by all with full transparency.^{^[31]}

5. Content- & source/destination-based zero-priced zero-rating, on the basis of a non-commercial deal, without any benefits monetary or otherwise, flowing directly or indirectly from the provider of the zero-rated content to the ISP, with full transparency. ^{^[32]}

6. Content- & source-destination-based zero-priced zero-rating, across all telecom networks, with standard pricing, non-discriminatory access, and full transparency.

7. Content- & source-destination-based zero-priced zero-rating, with standard pricing, non-discriminatory access, and full transparency.

8. Content- & source-destination-based zero-priced zero-rating, with non-discriminatory access, and full transparency.

9. Content- & source-destination-based zero-priced zero-rating, with non-discriminatory access, and transparency to the regulator.

10. Content- & source-destination-based zero-priced zero-rating, without any regulatory framework in place.

3.3.4 Cartels and Oligopoly

While cartels and oligopolies may have an impact on Net Neutrality, they are not problems that any set of anti-discrimination rules imposed on gatekeepers can fix. Further, cartels and oligopolies don't directly enhance the ability of gatekeepers to unjustly discriminate if there are firm rules against negative discrimination and price ceilings and floors on data caps are present for data plans. Given this, TRAI should recommend that this issue be investigated and the Competition Commission of India should take this issue up.

3.4 Reasonable Network Management Principles

Reasonable network management has to be allowed to enable the ISPs to manage performance and costs on their network. However, ISPs may not indulge in acts that are harmful to consumers in the name of reasonable network management. Below are a set of guidelines for when discrimination against classes of traffic in the name of network management are justified.

● Discrimination between classes of traffic for the sake of network management should only be permissible if:

○ there is an intelligible differentia between the classes which are to be treated differently, and

○ there is a rational nexus between the differential treatment and the aim of such differentiation, and

○ the aim sought to be furthered is legitimate, and is related to the security, stability, or efficient functioning of the network, or is a technical limitation outside the control of the ISP^{^[33]}, and

○ the network management practice is the least harmful manner in which to achieve the aim.

● Provision of specialized services (i.e., "fast lanes") is permitted if and only if it is shown that

○ The service is available to the user only upon request, and not without their active choice, and

○ The service cannot be reasonably provided with "best efforts" delivery guarantee that is available over the Internet, and hence requires discriminatory treatment, or

○ The discriminatory treatment does not unduly harm the provision of the rest of the Internet to other customers.

These principles are only applicable at the level of ISPs, and not on access gateways for institutions that may in some cases be run by ISPs (such as a university network, free municipal WiFi, at a work place, etc.), which are not to be regulated as common carriers.

These principles may be applied on a case-by-case basis by a regulator, either suo motu or upon complaint by customers.

^{^[1]} Report of the Special Rapporteur on the Promotion and Protection of the right to freedom of opinion and expression, (19 May 2011), http://www2.ohchr.org/english/bodies/hrcouncil/docs/17session/A.HRC.17.27_en.pdf.

^{^[2]} Available at http://www.trai.gov.in/WriteReadData/userfiles/file/NTP%202012.pdf.

^{^[3]} IAMAI, India to Cross 300 million internet users by Dec 14, (19 November, 2014), http://www.iamai.in/PRelease_detail.aspx?nid=3498&NMonth=11&NYear=2014.

^{^[4]} World Economic Forum, The Global Information Technology Report 2015, http://www3.weforum.org/docs/WEF_Global_IT_Report_2015.pdf.

^{^[5]} http://www.ictregulationtoolkit.org/4.1#s4.1.1

^{^[6]} See R.U.S. Prasad, The Impact of Policy and Regulatory Decisions on Telecom Growth in India (July 2008), http://web.stanford.edu/group/siepr/cgi-bin/siepr/?q=system/files/shared/pubs/papers/pdf/SCID361.pdf.

^{^[7]} 1973 AIR 106

^{^[8]} 1962 AIR 305

^{^[9]} "When ISPs go beyond their traditional use of IP headers to route packets, privacy risks begin to emerge." Alissa Cooper, How deep must DPI be to incur privacy risk? http://www.alissacooper.com/2010/01/25/how-deep-must-dpi-be-to-incur-privacy-risk/

^{^[10]} Richard T.B. Ma & Vishal Misra, The Public Option: A Non-Regulatory Alternative to Network Neutrality, http://dna-pubs.cs.columbia.edu/citation/paperfile/200/netneutrality.pdf

^{^[11]} Mobile number portability was launched in India on January 20, 2011 in the Haryana circle. See http://indiatoday.intoday.in/story/pm-launches-nationwide-mobile-number-portability/1/127176.html . Accessed on April 24, 2015.

^{^[12]} For a comprehensive list of all TRAI interconnection regulations & subsequent amendments, see http://www.trai.gov.in/Content/Regulation/0_1_REGULATIONS.aspx.

^{^[13]} See Telecommunication Interconnection Usage Charges (Eleventh Amendment) Regulations, 2015 (1 of 2015), available at http://www.trai.gov.in/Content/Regulation/0_1_REGULATIONS.aspx.

^{^[14]} Article 30 of the Universal Service Directive, Directive 2002/22/EC.

^{^[15]} See Telecommunication Mobile Number Portability (Sixth Amendment) Regulations, 2015 (3 of 2015), available at http://www.trai.gov.in/Content/Regulation/0_1_REGULATIONS.aspx.

^{^[16]} The Telecommunication (Broadcasting and Cable) Services (Seventh) (The Direct to Home Services) Tariff Order, 2015 (2 of 2015).

^{^[17]} Section 8, Cable Television Networks Act, 1995.

^{^[18]} TRAI writes new rules for Cable TV, Channels, Consumers, REAL TIME NEWS, (August 11, 2014), http://rtn.asia/rtn/233/1220_trai-writes-new-rules-cable-tv-channels-consumers.

^{^[19]} An initial requirement for all multi system operators to have a minimum capacity of 500 channels was revoked by the TDSAT in 2012. For more details, see http://www.televisionpost.com/cable/msos-not-required-to-have-500-channel-headends-tdsat/.

^{^[20]} Aparna Ghosh, Bharti SoftBank Invests $14 million in Hike, LIVE MINT, (April 2, 2014), http://www.livemint.com/Companies/nI38YwQL2eBgE6j93lRChM/Bharti-SoftBank-invests-14-million-in-mobile-messaging-app.html.

^{^[21]} Mike Masnick, Can We Kill This Ridiculous Shill-Spread Myth That CDNs Violate Net Neutrality? They Don't, https://www.techdirt.com/articles/20140812/04314528184/can-we-kill-this-ridiculous-shill-spread-myth-that-cdns-violate-net-neutrality-they-dont.shtml.

^{^[22]} Mathew Carley, What is Hayai's stance on "Net Neutrality"?, https://www.hayai.in/faq/hayais-stance-net-neutrality?c=mgc20150419

^{^[23]} Helani Galpaya & Shazna Zuhyle, South Asian Broadband Service Quality: Diagnosing the Bottlenecks, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1979928

^{^[24]} DTH players told to offer pay channels on la carte basis, HINDU BUSINESS LINE (July 22, 2010), http://www.thehindubusinessline.com/todays-paper/dth-players-told-to-offer-pay-channels-on-la-carte-basis/article999298.ece.

^{^[25]} The Telecommunication (Broadcasting and Cable) Services (Fourth) (Addressable Systems) Tariff Order, 2010.

^{^[26]} These suggestions were provided by Helani Galpaya and Sunil Abraham, based in some cases on existing practices.

^{^[27]} This is what is being followed by the Jana Loyalty Program: http://www.betaboston.com/news/2015/05/06/with-a-new-loyalty-program-mobile-app-marketplace-jana-pushes-deeper-into-the-developing-world/

^{^[28]} Example: free Internet access at low speeds, with data caps.

^{^[29]} Example: special "packs" for specific services like WhatsApp.

^{^[30]} Example: zero-rating of all locally-peered settlement-free traffic.

^{^[31]} Example: "leaky" walled gardens, such as the Jana Loyalty Program that provide limited access to all of the Web alongside access to the zero-rated content.

^{^[32]} Example: Wikipedia Zero.

^{^[33]} A CGNAT would be an instance of such a technology that poses network limitations.

For more details visit https://cis-india.org/internet-governance/blog/regulatory-perspectives-on-net-neutrality

India’s digital check

sunil — 2015-09-15T14:55:47Z

All nine pillars of Digital India directly correlate with policy research conducted at the Centre for Internet and Society, where I have worked for the last seven years. This allows our research outputs to speak directly to the priorities of the government when it comes to digital transformation.

The article was originally published by DNA on July 8, 2015.

Broadband Highways and Universal Access to Mobile Connectivity: The first two pillars have been combined in this paragraph because they both require spectrum policy and governance fixes. Shyam Ponappa, a distinguished fellow at our Centre calls for the leveraging of shared spectrum and also shared backhaul infrastructure. Plurality in spectrum management, for eg, unlicensed spectrum should be promoted for accelerating backhaul or last mile connectivity, and also for community or local government broadband efforts. Other ideas that have been considered by Ponappa include getting state owned telcos to exit completely from the last mile and only focus on running an open access backhaul through Bharat Broadband Limited. Network neutrality regulations are also required to mitigate free speech, diversity and competition harms as ISPs and TSPs innovate with business models such as zero-rating.

Public Internet Access Programme: Continuing investments into Common Service Centres (CSCs) for almost a decade may be questionable and therefore a citizen’s audit should be undertaken to determine how the programme may be redesigned. The reinventing of post offices is very welcome, however public libraries are also in need urgent reinventing. CSCs, post offices and public libraries should all leverage long range WiFi for Internet and intranet, empowering BYOD [Bring Your Own Device] users. Applications will take time to develop and therefore immediate emphasis should be on locally caching Indic language content. State Public Library Acts need to be amended to allow for borrowing of digital content. Flat-fee licensing regimes must be explored to increase access to knowledge and culture. Commons-based peer production efforts like Wikipedia and Wikisource need to be encouraged.

e-Governance: Reforming Government through Technology: DeitY, under the leadership of free software advocate Secretary RS Sharma, has accelerated adoption and implementation of policies supporting non-proprietary approaches to intellectual property in e-governance. Policies exist and are being implemented for free and open source software, open standards and electronic accessibility for the disabled. The proprietary software lobby headed by Microsoft and industry associations like NASSCOM have tried to undermine these policies but have failed so far.

The government should continue to resist such pressures. Universal adoption of electronic signatures within government so that there is a proper audit trail for all communications and transactions should be made an immediate priority. Adherence to globally accepted data protection principles such as minimisation via “form simplification and field reduction” for Digital India should be applauded. But on the other hand the mandatory requirement of Aadhaar for DigiLocker and eSign amounts to contempt of the Supreme Court order in this regard.

e-Kranti — Electronic Delivery of Services: The 41 mission mode projects listed are within the top-down planning paradigm with a high risk of failure — the funds reserved for these projects should instead be converted into incentives for those public, private and public private partnerships that accelerate adoption of e-governance. The dependency on the National Informatics Centre (NIC) for implementation of e-governance needs to be reduced, SMEs need to be able to participate in the development of e-governance applications. The funds allocated for this area to DeitY have also produced a draft bill for Electronic Services Delivery. This bill was supposed to give RTI-like teeth to e-governance service by requiring each government department and ministry to publish service level agreements [SLAs] for each of their services and prescribing punitive action for responsible institutions and individuals when there was no compliance with the SLAs.

Information for All: The open data community and the Right to Information movement in India are not happy with the rate of implementation of National Data Sharing and Accessibility Policy (NDSAP). Many of the datasets on the Open Data Portal are of low value to citizens and cannot be leveraged commercially by enterprise. Publication of high-value datasets needs to be expedited by amending the proactive disclosure section of the Right to Information Act 2005.

Electronics Manufacturing: Mobile patent wars have begun in India with seven big ticket cases filed at the Delhi High Court. Our Centre has written an open letter to the previous minister for HRD and the current PM requesting them to establish a device level patent pool with a compulsory license of 5%. Thereby replicating India’s success at becoming the pharmacy of the developing world and becoming the lead provider of generic medicines through enabling patent policy established in the 1970s. In a forthcoming paper with Prof Jorge Contreras, my colleague Rohini Lakshané will map around fifty thousand patents associated with mobile technologies. We estimate around a billion USD being collected in royalties for the rights-holders whilst eliminating legal uncertainties for manufacturers of mobile technologies.

IT for Jobs: Centralised, top-down, government run human resource development programmes are not useful. Instead the government needs to focus on curriculum reform and restructuring of the education system. Mandatory introduction of free and open source software will give Indian students the opportunity to learn by reading world-class software. They will then grow up to become computer scientists rather than computer operators. All projects at academic institutions should be contributions to existing free software projects — these projects could be global or national, for eg, a local government’s e-governance application. The budget allocated for this pillar should instead be used to incentivise research by giving micro-grants and prizes to those students who make key software contributions or publish in peer-reviewed academic journals or participate in competitions. This would be a more systemic approach to dealing with the skills and knowledge deficit amongst Indian software professionals.

Early Harvest Programmes: Many of the ideas here are very important. For example, secure email for government officials — if this was developed and deployed in a decentralised manner it would prevent future surveillance of the Indian government by the NSA. But a few of the other low-hanging fruit identified here don’t really contribute to governance. For example, biometric attendance for bureaucrats is just glorified bean-counting — it does not really contribute to more accountability, transparency or better governance.

The author works for the Centre for Internet and Society which receives funds from Wikimedia Foundation that has zero-rating alliances with telecom operators in many countries across the world

For more details visit https://cis-india.org/internet-governance/blog/dna-sunil-abraham-july-8-2015-india-digital-check

'IRCTC’s Aadhaar play can violate SC order and derail National Security'

praskrishna — 2015-07-07T15:10:08Z

Your online railway bookings are going to become a wee bit more difficult if they aren’t already so.

The blog entry by Shubhra Rishi was published by CIO.IN on July 1, 2015. Sunil Abraham gave his inputs.

That is, if the IRCTC makes Aadhaar card compulsory during the registration process for e-ticketing. The move, according to a recent announcement by IRCTC, will ensure that users registering on the IRCTC website are properly identified of their identity and address through the Aadhaar card number verification.

So in case, you already have an Aadhaar card, then you need not worry. For those who don't have it yet or are reluctant to apply for it, are in for a tough time.

According to Sandip Dutta, public relations officer at IRCTC, the plan, although still in the preliminary state, is to make Aadhaar compulsory which will prevent touts from further exploiting the e-ticketing platform.

IRCTC which already has around three crore registered users, adds 15,000 new registrations every day. Just to give you the scale of an IRCTC website, a 15-minute tatkal window has about 1,000,000 people trying to log on to the IRCTC website. This means a new user won't be able to book a railway ticket on the IRCTC site until he owns an Aadhaar card.

Also Read: Indian CISO don’t trust UID with their data

"This is a complete overkill and will only result in harassment of an ordinary citizen," says Sunil Abraham, executive director at The Centre for Internet & Society. "Aadhaar, he says, should be used to prevent politicians and bureaucrats from engaging in big-ticket fraud or whole-sale corruption. It should be used to make the state more accountable to citizens and not the other way around. It is unfortunate that techno-utopians are using biometric technology to fight retail corruption or small-ticket fraud.

If IRCTC makes Aadhaar mandatory for user registrations, they will be in direct violation of the Supreme Court's interim order of September 23, 2013 where it has ordered that no person should suffer for not getting the Aadhaar card in spite of the authority making it mandatory, since government says it is voluntary.

On March 24, 2014 again, the Supreme Court reiterated its earlier order of 2013 and directed all government authorities and departments to modify their forms/circulars, etc., so as to not compulsorily require an Aadhaar number. In the same order the Supreme Court also restrained the UIDAI from transferring any biometric data to any agency without the consent of the person in writing as an interim measure.

According to cyber law expert and Supreme Court Lawyer, Pavan Duggal, till the time Aadhaar has been brought to a legislative sanctity, no government agency must make it compulsory and if they do so, they will be in gross violation of the order and will be held for contempt of court. "The National Identification Authority of India Bill that intends to give statutory backing to UIDAI (introduced in Rajya Sabha in 2010) is yet to be passed by the Parliament. Aadhaar is also non-compliant with the Information Technology Act 2000," says Duggal. Aadhaar, he says, is the unwanted child that hasn't proven legitimacy yet.

The illegitimacy, which continues to prevail due to several anomalies in the UIDAI’s Aadhaar allotment process. In March this year, about 20 million people enrolled in Delhi for an Aadhaar identification number, according to Census. However, the UIDAI generated about 17.7 million unique numbers in Delhi, about a million more than the city population.

In another incident, Aadhaar numbers were assigned to adult residents in 13 of the country's 36 states, and union territories surpassed their respective population as per 2011 census figures. However, the UIDAI blames that ‘gaps’ in census evaluation may have resulted in inaccuracy of the population data.

There have also been bizarre instances in the past where some Aadhaar cards displayed pictures of an empty chair, a tree, and a dog instead of the actual applicant.

So how does it aid unscrupulous elements in misusing the flaws of the Aadhaar card system?

To start with, Aadhaar captures biometrics of a user, which is neither permanent nor immovable, says Dr. Anupam Saraph, innovator, professor and an advisor in governance, informatics and strategic planning.

"Biometrics change during the life of a person, sometimes even within a year, or without warning. Biometrics can be easily stolen, replicated or misused as has been demonstrated by instances of fingerprints and iris scans of high profile targets being hacked. The enrollment agencies that have captured the biometric have the entire demographic and biometric database in their possession and as such it can be misused or stolen. Once the biometric fails or is stolen, all the functions that have crept to link access to the biometric are denied with little or no recourse to the victim," says Saraph.

“Another benign scenario may be large scale fake bookings to make tickets pricier, the malignant scenario will be entire trains used to transfer armies of anti-nationals and terrorists. Therefore, the Railway Minister must rise to cancel any such plans," says Saraph, and the Home Minister and Defence Minister must immediately scrap the linkage of Aadhaar to any database, require that the entire UID is destroyed as was done in the UK. “This kind of compromise requires the initiation of a time-bound judicial probe by a retired CAG and Supreme Court Judge supported by the CBI to investigate the exposure of the country to serious threats to national security due to UID,” he says.

And therefore, the bigger question isn't whether Aadhaar should be made compulsory or not, but whether it is a foolproof method to validate someone's identity. If it isn’t, then why is IRCTC playing the Aadhaar card?

For more details visit https://cis-india.org/internet-governance/news/cio-july-1-2015-irctc-aadhaar-play-can-violate-sc-order-and-derail-national-security

The Digital Divide: pros and cons of Modi's latest big initiative

praskrishna — 2015-07-06T02:11:56Z

Prime Minister Narendra Modi inaugurated the Digital India (DI) initiative on 1 July, at an event attended by scores of government officials as well as industry leaders.

The blog post by Suhas Munshi was published in Catch News on July 2, 2015. Sunil Abraham is quoted.

The initiative

Digital India aims to make all citizens digitally literate. Bring e-governance to every doorstep.

Corporates have promised to invest Rs 4.5 lakh crore in the initiative.

This is greater than the total spend on all govt schemes. It is equivalent to 1/4th of the national budget.

The positives

It will be a boost to industry; both large and small enterprises.

It will ostensibly create a lot of jobs.

It's ideal if citizens can connect directly with the government.

The negatives

Will the initiative be genuinely inclusive?

How will corporates recover their costs? Will the promised investments end up as bad loans from banks?

Who will handle the personal data of so many citizens; will it be efficient?

Who will the vendors be?

Will the proposed digital lockers for official documentation be reliable?

Will the initiative give the govt a tool to conduct mass surveillance?

The alternative focus

Some experts feel the govt should concentrate on giving people access to basic necessities like water, power and sewage.

The backbone of the project, the National Optical Fibre Network, has already run into massive infrastructure issues.

The programme aims to make all citizens digitally literate and bring the internet and e-governance to all sections of the society.

Like Modi's past initiatives, this too has polarised opinion, in this case on the government's aggressive push for e-governance.

While some advise patience before arriving at a verdict, others think it isn't too early to begin celebrations.

Astronomical budget

Most of the funds for this initiative are expected to come from the private sector. The total investments promised by big corporates, according to Modi, is Rs 4.5 lakh crore.

That is an astonishing number - it is equivalent to a quarter of the country's budget.

If true, then the amount spent on this project will be way over the total money spent on all of the government's 66 central sponsored schemes.

However, India hasn't been able to deliver on the last big welfare scheme promised - the Food Security Act, two years after it was passed in Parliament.

Investments promised by corporates add up to Rs 4.5 lakh crore, which is one-fourth of India's total budget

This scheme, which is set to cost the country Rs 1.25 lakh crore, aims to provide subsidised food grains to two-thirds of the populace.

The immediate concern experts have expressed with the budget is the possible intervention of the private sector.

The big corporate houses that have promised these staggering investments, would also be looking to recover them.

"As I see it, effectively a new sector is being created for this initiative. While it is good, when the private sector comes in to support big government projects, we also have to examine what the recovery model for those investments are. Hopefully, more details about investments will be made available," said Subrata Das, Executive Director, Centre for Budget and Governance Accountability.

Boost to industry

The initiative has already received a massive thumbs up from the industry. Corporate leaders made a beeline to praise the initiative.

RIL chairman Mukesh Ambani said that with Digital India, the government has moved faster than industry. He added that Reliance Jio Infocomm will invest Rs 2,50,000 crore as part of the Digital India programme.

"Tata Consultancy Services (TCS) has partnered with the government for projects like Passport Seva and income tax e-filing, as well as state-level projects," said Cyrus Mistry, chairman of Tata Group, at the event.

Azim Premji, Wipro chairman, was quoted as saying the initiative will democratise the nation and "break down the digital divide in India".

He added that the level of skills of India's people will have to be significantly improved in order to make full use of the new initiative.

Kumar Mangalam Birla, chairman of the Aditya Birla Group, said it would leverage its Idea Cellular network of 165 million subscribers across 3,50,000 towns and villages in India to provide mobile-based healthcare and education services, as well as weather forecasting advisories and 'mandi' prices to over one million farmers.

The company will also launch a mobile wallet and payment bank as well as invest over $2 billion in the next five years in various internet-based sectors.

There seems to be a consensus on the kind of platform DI will provide to small entrepreneurs and the massive job opportunities it will create.

"Who has not heard about their computer engineer friends trying to develop a product in their spare time? These small entrepreneurs will get a lot of help if they are brought to a common platform with big companies and if lack of resources don't impede their work. Besides, as government starts to spend, there will be a severe need for hardware technicians, network operators, data entry operators," said Manish Sabharwal, chairman, Teamlease.

Rajeev Chandrasekhar, independent lawmaker in the Rajya Sabha, says DI is not only essential for the idea of 'minimum government, maximum governance', it is a big boost for the Indian IT industry.

"It is absolutely essential for good governance that as many people as possible are put directly in touch with their government. One of the biggest achievements, I think, will be in connecting 700 million people, so far sequestered, with the rest of the country. This obviously helps small entrepreneurs with launching their startups and bringing in a healthy workforce into the folds of this scheme," he said.

Many sunrise sectors before have similarly promised job growth that has not materialised. It remains to be seen how much of this euphoria plays out in concrete terms.

Privacy concerns

Therefore, while there's been a lot of positive buzz, not everyone is sold on the initiative.

Concerns are being raised about the handling of personal data of so many citizens.

There is a question about the reliability of the digital lockers in which all citizens will have their official documentation, and the anxiety of the data falling into the wrong hands.

"Of course, the concern with respect to privacy is legitimate and urgent.

Since the data the government will collect will be very large in terms of volume and can be misused, the reliability of the government's systems will have to be quite high.

So let's wait to see the nuts and bolts of the programme," said Apar Gupta, a senior lawyer specialising in information technology.

According to Reetika Khera, associate professor, economics at IIT Delhi, applications like digital lockers will make it easier for government to conduct mass surveillance.

There are questions over the reliability of digital lockers and about data falling into the wrong hands

"Programmes like Aadhar, digi-locker, central monitoring system (of mobile calls) etc are creating and enabling a massive surveillance infrastructure in India that will put NSA's PRISM, XKeyScore etc to shame.

"For instance, if Aadhaar is linked to your mobile number, bank account, travel details, the government can build a profile of each person at the click of a mouse. This is especially worrying because data protection and privacy laws are weak or non-existent," she said.

Sunil Abraham, executive director of Bangalore-based research organisation Centre for Internet and Society, also agrees with the concerns but is optimistic about the safeguards being put in place.

"There is a very mature draft of the Privacy Bill at the Department of Personnel and Training which will hopefully be introduced into Parliament after some rounds of public consultation and feedback.

"This, along with appropriate architectural and technological changes to e-governance services, will mitigate privacy concerns," said Abraham.

Misplaced priorities?

Then there is an argument that the less-privileged sections of society may need basic social services before they're considered for internet inclusion.

"What is true at the ground is that many people still don't have access to basic services, so while I think this is a good initiative, it should be part of our medium-term strategy.

"To begin with, we should focus on setting up basic infrastructure and extending water, power and sewer lines to most of the country," said Amitabh Kundu, retired JNU professor, who's advising the government on various projects.

Apar Gupta wonders how the government intends to bring people who are semi-literate, with no access to internet, within the fold of this e-governance project.

"Extending social welfare schemes to this section of people solely through digital medium is not viable," he said.

Some feel that the whole DI initiative is a mass-scale feel-good exercise. The argument is that using technology to 'uplift' the masses isn't a new idea, and is introduced periodically, and turns out to be largely ineffective.

"From the looks of it, this initiative seems to be nothing but techno-optimism. There is a belief that new technologies will, by themselves, transform the social world, but this doesn't happen.

"Techno-optimism, which we have seen before, is no different to traditional forms of governance, and over time, turns out to be nothing but a public relations exercises. An exercise to make governance visible to masses," said Ravi Sundaram, professor at the Centre for the Study of Developing Societies (CSDS).

Infrastructure issues

A project of this ambition and magnitude is bound to run into difficulties and, just a day after the launch, The Indian Express reported that the National Optical Fibre Network, the backbone of the initiative, is way behind schedule.

The project was supposed to be completed by December 2016. Initially, the 2014-15 target was to execute the work for one lakh gram panchayats, which was later halved to 50,000.

However, up until March 2015, only about 20,000 gram panchayats have been covered.

The primary problem is the cascading delays faced by central agencies, and when the active intervention of states was sought, 'right of way' charges have become the bone of contention.

Lack of contractors to do specialised work is also turning out to be an issue.

Thus, it won't be a stretch to say that while the initiative sounds like a great thing, doubts over its proper execution will continue till there is some concrete success to show for it.

For more details visit https://cis-india.org/internet-governance/news/catch-news-july-2-2015-the-digital-divide-pros-and-cons-of-modi-s-latest-big-initiative

Anti-Spam Laws in Different Jurisdictions: A Comparative Analysis

Rakshanda Deka — 2015-07-02T16:21:01Z

This paper is divided into three sections. The first section puts forth a comparative table of the spam laws of five different countries - the United States of America, Australia, Canada, Singapore and the United Kingdom - based on eight distinct parameters- jurisdiction of the legislation, definition of ‘spam’, understanding of consent, labelling requirements, types of senders covered, entities empowered to sue, exceptions made and penalties prescribed. The second section is a brief background of the problem of spam and it attempts to establish the context in which the paper is written. The third section is a critical analysis of the laws covered in the first section. In an effort to spot the various loopholes in these laws and suggest effective alternatives, this section points out the distinctions between the various legislations and discusses briefly their respective advantages and disadvantages.

Note:- This analysis is a part of a larger attempt at formulating a model anti-spam law for India by analyzing the existing spam laws across the world.

	CAN-SPAM Act, 2003	Spam Act, 2003 (Australia)	Spam Control Act, 2007 (Singapore)	Canada's Anti-Spam Legislation, 2014	The Privacy and Electronic Communications (EC Directive) Regulations, 2003 (United Kingdom)
Jurisdiction	National Jurisdiction. The defendant must be either an inhabitant of the United States or have a physical place of business in the US.[1]	National Jurisdiction. Must have an "Australian link" i.e. (a) the message originates in Australia; or (b) the individual or organisation who sent the message, or authorised the sending of the message, is: (i) an individual who is physically present in Australia when the message is sent; or (ii) an organisation whose central management and control is in Australia when the message is sent; or (c) the computer, server or device that is used to access the message is located in Australia; or (d) the relevant electronic account-holder is: (i) an individual who is physically present in Australia when the message is Spam Act, 2003, § 7 Spam Control Act, 2007, § 7(2) Canada's Anti-Spam Legislation, 2014, §accessed; or (ii) an organisation that carries on business or activities in Australia when the message is accessed; or (e) if the message cannot be delivered because the relevant electronic address does not exist-assuming that the electronic address existed, it is reasonably likely that the message would have been accessed using a computer, server or device located in Australia.[2]	National Jurisdiction. Must have a "Singapore link" An electronic message has a Singapore link in the following circumstances: (a) the message originates in Singapore; (b) the sender of the message is - (i) an individual who is physically present in Singapore when the message is sent; or (ii) an entity whose central management and control is in Singapore when the message is sent; © the computer, mobile telephone, server or device that is used to access the message is located in Singapore; the recipient of the message is- (i) an individual who is physically present in Singapore when the message is accessed; or (ii)an entity that carries on business or activities in Singapore when the message is accessed; or (e) if the message cannot be delivered because the relevant electronic address has ceased to exist (assuming that the electronic address existed), it is reasonably likely that the message would have been accessed using a computer, mobile telephone, server or device located in Singapore.[3]	Extends to cases where the mail originates in a foreign state but is accessed in Canada Section 6 of the CASL prohibits the sending of unsolicited CEMs.[4] As per Section 12 of the CASL, A person contravenes section 6 only if a computer system located in Canada is used to send or access the electronic message. CASL applies to CEMs sent from, or accessed in, Canada.[5] So, if a CEM is sent to Canadians from another jurisdiction, CASL will apply. Notably, there is an exception where the person sending the message "reasonably believes" that the message will be accessed in one of a list of prescribed jurisdictions with anti-spam laws thought to be 'substantially similar' to CASL and the message complies with the laws of that jurisdiction.	European Union These regulations can be enforced against a person or a company anywhere in the European Union who violates the regulations.
Definition Of Spam	"unsolicited, commercial, electronic mail"[6], where a commercial electronic mail is "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service"[7]	"unsolicited commercial electronic messages" where electronic message means a message sent "using an internet carriage service or any other listed carriage service; and to an electronic address in connection with: an e-mail account; or an instant messaging account; or a telephone account; or a similar accounts."[8]	"unsolicited commercial electronic message sent in bulk", where a CEM is unsolicited if the recipient did not- i) request to receive the message; or ii)consent to the receipt of the message;[9] and CEMs shall be deemed to be sent in bulk if a person sends, causes to be sent or authorizes the sending of- a) more than 100 messages containing the same subject matter during a 24-hour period; b) more than 1,000 messages containing the same subject matter during a 30-day period; c) more than 10,000 messages containing the same subject matter during a one-year period.	"unsolicited, commercial, electronic message"[10] where, an "electronic message" means a message sent by any means of telecommunication, including a text, sound, voice or image message.[11]	These rules apply to all unsolicited direct marketing communications by automatic call machines[12], fax[13], calls[14] or e-mail[15]. Where, "direct marketing" is defined as "the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals"[16] The UK used its discretion to include voice-to-voice telephone calls as well.
Consent Requirement	Opt-out	Opt-in	Opt-out	Opt-in	Opt-in
Consent Requirement	CEMs are unlawful unless the message provides- (i)clear and conspicuous identification that the message is an advertisement or solicitation; (ii)clear and conspicuous notice of the opportunity under paragraph (3) to decline to receive further commercial electronic mail messages from the sender; and (iii) a valid physical postal address of the sender.[17]	Section 16 prohibits the sending of unsolicited commercial electronic messages. However, where a recipient has consented to the sending of the message, the said prohibition does not apply.[18] Consent means: (a) express consent; or (b) consent that can reasonably be inferred from: (i) the conduct; and (ii) the business and other relationships; of the individual or organisation concerned.[19]	CEMs are unlawful unless the message contains- 1 a) an electronic mail address, an Internet location address, a telephone number, a facsimile number or a postal address that the recipient may use to submit an unsubscribe request; and b) a statement the above information may be utilized to send an unsubscribe request. 2. Where the unsolicited CEM is received by text or multimedia message sent to a mobile telephone number, the CEM must include a mobile telephone number to which the recipient may send an unsubscribe request. [20]	Under the CASL, it is prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message unless, (a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and (b) The message must- (i) set out prescribed information that identifies the person who sent the message and the person - if different - on whose behalf it is sent; (ii) set out information enabling the person to whom the message is sent to readily contact one of the persons referred to in paragraph (i); and (iii) set out an unsubscribe mechanism in accordance with subsection 11(1) of CASL.[21]	Under Section 19 , A person shall neither transmit, nor instigate the transmission of, communications comprising recorded matter for direct marketing purposes by means of an automated calling system except in the circumstances where the called line is that of a subscriber who has previously notified the caller that for the time being he consents to such communications being sent by, or at the instigation of, the caller on that line. Under Section 20 , A person shall neither transmit, nor instigate the transmission of, unsolicited communications for direct marketing purposes by means of a facsimile machine where the called line is that of an individual or a company except in the circumstances where the individual subscriber has previously notified the caller that he consents for the time being to such communications being sent by, or at the instigation of, the caller. Under Section 21, A person shall neither use, nor instigate the use of, a public electronic communications service for the purposes of making unsolicited calls for direct marketing purposes where the called line is that of a subscriber who has previously notified the caller that such calls should not for the time being be made on that line. Under Section 22 , a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.
Labelling Requirements	Warning Labels mandatory on e-mails containing pornographic content No person may send to a protected computer, any commercial electronic mail message that includes sexually oriented material and- (a) fail to include in subject heading for the electronic mail message the marks or notices prescribed by the law; or (B) fail to provide that the matter in the message that is initially viewable to the recipient, when the message is opened by any recipient and absent any further actions by the recipient, includes only- (i) material which the recipient has consented to; (ii) the identifier information required to be included in pursuance Section 5(5); and (iii) Instructions on how to access, or a mechanism to access, the sexually oriented material.[22]	Not Applicable.	True e-mail title and clear identification of advertisements with "ADV" label Every unsolicited CEM must contain- a) where there is a subject field, a title which is not false or misleading as to the content of the message; b) the letters "<ADV>" with a space before the title in the subject field or if there is no subject field, in the words first appearing in the message to clearly identify that the message is an advertisement; c) header information that is not false or misleading; and d) an accurate and functional e-mail address or telephone number by which the sender can be readily contacted.[23]	Not Applicable.	Not Applicable.
Other Banned/Restricted Activities	Illegal Access- Prohibition Against Predatory and Abusive Commercial E-Mail- "Whoever, in or affecting interstate or foreign commerce, knowingly- (1) accesses a protected computer without authorization, and intentionally initiates the transmission of multiple CEMs from or through such computer, (2) uses a protected computer to relay or retransmit multiple CEMs, with the intent to deceive or mislead recipients, or any Internet access service, as to the origin of such messages, (3) materially falsifies header information in multiple commercial electronic mail messages and intentionally initiates the transmission of such messages, (4) registers, using information that materially falsifies the identity of the actual registrant, for five or more electronic mail accounts or online user accounts or two or more domain names, and intentionally initiates the transmission of multiple commercial electronic mail messages from any combination of such accounts or domain names, or (5) falsely represents oneself to be the registrant or the legitimate successor in interest to the registrant of 5 or more Internet Protocol addresses, and intentionally initiates the transmission of multiple commercial electronic mail messages from such addresses, or conspires to do so, shall be punished as provided for in the Act.[24]	Supply of address harvesting software and harvested‑address lists "A person must not supply or offer to supply: (a) address‑harvesting software; or (b) a right to use address‑harvesting software; or (c) a harvested address list; or (d) a right to use a harvested‑address list; to another person if: (e) the supplier is: (i) an individual who is physically present in Australia at the time of the supply or offer; or (ii) a body corporate or partnership that carries on business or activities in Australia at the time of the supply or offer; or (f) the customer is: (i) an individual who is physically present in Australia at the time of the supply or offer; or (ii) a body corporate or partnership that carries on business or activities in Australia at the time of the supply or offer."	Dictionary Attacks and Address harvesting software "No person shall send, cause to be sent, or authorize the sending of, an electronic message to electronic addresses generated or obtained through the use of- a) a dictionary attack; b) address harvesting software.[25] Where, "dictionary attack" means the method which by which the electronic address of a recipient is obtained using an automated means that generates possible electronic addresses by combining names, letters, numbers, punctuation marks or symbols into numerous permutations.[26] And, "address harvesting software" means software that is specifically designed or marketed for use for- a)searching the Internet for electronic addresses; and, b) collecting, compiling, capturing or otherwise harvesting those electronic addresses."[27]	Altering Transmission Data "It is prohibited, in the course of a commercial activity, to alter or cause to be altered the transmission data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender, unless (a) the alteration is made with the express consent of the sender or the person to whom the message is sent, and the person altering or causing to be altered the data complies with subsection 11(4) of CASL; or (b) the alteration is made in accordance with a court order.[28] Installation of Computer Program A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person's computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless (a) the person has obtained the express consent of the owner or an authorized user of the computer system and complies with subsection 11(5) of the CASL; or (b) the person is acting in accordance with a court order. (2) A person contravenes subsection (1) only if the computer system is located in Canada at the relevant time or if the person either is in Canada at the relevant time or is acting under the direction of a person who is in Canada at the time when they give the directions."[29]	Electronic mail for direct marketing purposes where the identity or address of the sender is concealed A person shall neither transmit, nor instigate the transmission of, a communication for the purposes of direct marketing by means of electronic mail- (a) where the identity of the person on whose behalf the communication has been sent has been disguised or concealed; or (b)where a valid address to which the recipient of the communication may send a request that such communications cease has not been provided.
Types of Senders Covered	Spammers and beneficiaries- the term ''sender'', when used with respect to a commercial electronic mail message, means a person who initiates such a message and whose product, service, or Internet web site is advertised or promoted by the message."[30]	Spammers and beneficiaries- A person must not send, or cause to be sent, a commercial electronic message that: (a) has an Australian link; and (b) is not a designated commercial electronic message.[31]	Spammers, beneficiaries, and providers of support services "sender" means a person who sends a message, causes the message to be sent, or authorizes the sending of the message.[32] Further, persons aiding or abetting the offences under Section 9 or 11 are also punishable under the Act.[33]	Spammers and beneficiaries- Under Section 6, it is prohibited to send or cause or permit to be sent to an electronic address a CEM. Under Section 7, It is prohibited, in the course of a commercial activity, to alter or cause to be altered the transmission data in a CEM. Under Section 8, A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person's computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system.	Spammers and beneficiaries- The texts of Sections 19, 20, 21 and 22 all prohibit the transmission as well as the instigation of the transmission of, communications for direct marketing purposes without the consent of the recipient.
Who Can Sue	FTC[34], Attorney Generals[35], ISPs and IAPs[36] and most recently even companies/private entities[37]	Australian Communications and Media Agency (ACMA)[38]	Any injured party, including individual users.[39]	Any injured party, including individual users.[40]	Any person who suffers damage by reason of any contravention of any of the requirements of these Regulations.[41]
Exceptions	Transactional or Relationship Messages [42] where, The term ''transactional or relationship message'' means an electronic mail message the primary purpose of which is- (i) to facilitate, complete, or confirm a commercial transaction; (ii) to provide warranty information, product recall information, etc. with respect to a commercial product or service used or purchased by the recipient; (iii) to provide notifications- (I) concerning a change in the terms or features of; (II) of a change in the recipient's standing or status with respect to; or (III) information with respect to a subscription, membership, account, loan, or comparable ongoing commercial relationship involving the ongoing purchase or use by the recipient of products or services offered by the sender; (iv) to provide information directly related to an employment relationship or related benefit plan in which the recipient is currently involved, participating, or enrolled; or (v) to deliver goods or services, including product updates or upgrades, that the recipient is entitled to receive under the terms of a transaction that the recipient has previously agreed to enter into with the sender.	Designated Commercial Electronic Message (DCEM). A DCEM is a message containing purely factual information, any related comments of non-commercial nature and some limited commercial information as to the identity of the sender company/individual.[43] A message is a DCEMs if- a) the sending of the message is authorized by any of the following bodies: (i) a government body; (ii) a registered political party; (iii) a religious organization; (iv) a charity or charitable institution; and (b) the message relates to goods or services; and (c) the body is the supplier, or prospective supplier, of the goods or services concerned.[44] Messages from educational institutions: an electronic message is a *DCEM* if: (a) the sending of the message is authorised by an educational institution; and (b) either or both of the following subparagraphs applies: (i) the relevant electronic account‑holder is, or has been, enrolled as a student in that institution; (ii) a member or former member of the household of the relevant electronic account‑holder is, or has been, enrolled as a student in that institution; and (c) the message relates to goods or services; and (d) the institution is the supplier, or prospective supplier, of the goods or services concerned.	Electronic Messages authorized by the Government[45] The Act does not apply to any electronic message where the sending of the message is authorized by the Government or a statutory body on the occurrence of any public emergency, in the public interest or in the interests of public security or national defence.[46] A certificate signed by the Minister shall be conclusive evidence of existence of a public emergency and the other above stated matters.[47]	Family and Personal relationships, where "Family relationship" is a relationship between two people related through marriage, a common law partnership, or any legal parent-child relationship who have had direct, voluntary two-way communications; and "personal relationship" means a relationship between two people who have had direct, voluntary two-way communications where it would be reasonable to conclude that the relationship is personal.[48] Mails sent to an individual who practices a particular commercial activity with the mail containing solely an inquiry or application related to that activity[49]. A mail which - provides a quote or estimate for the supply of a product, goods, a service, etc. if requested by the recipient; · facilitates, completes or confirms a commercial transaction that the recipient previously agreed to enter into with the sender; · provides warranty information, product recall information etc. about a product, goods or a service that the recipient uses, has used or has purchased; · provides notification of factual information about- (i) the ongoing use or ongoing purchase by the recipient of a product, goods or a service offered under a subscription, membership, account, loan or similar relationship by the sender, or · provides information directly related to an employment relationship or related benefit plan in which the recipient is currently involved, is currently participating or is currently enrolled; · delivers a product, goods or a service, including updates or upgrades, that the recipient is entitled to receive under the terms of a transaction that they have previously entered into with the sender.[50] · Telecommunications service provider merely because the service provider provides a telecommunications service that enables the transmission of the message.[51] · CEMs which are two-way voice communication between individuals sent by means of a facsimile or a voice recording sent to a telephone account.[52]	A person may send or instigate the sending of electronic mail for the purposes of direct marketing where - (a) the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient; (b) the direct marketing is in respect of that person's similar products and services only; and (c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.[53]
Penalties	Civil and Criminal Statutory damages- Amount calculated by multiplying the number of violations by up to $250. Total amount of damages may not exceed $2,000,000. [54] Imprisonment- upto 5 years.[55] Forfeiture from the offender, of- i) any property, real or personal, constituting or traceable to gross proceeds obtained from such offense; ii) any equipment, software, or other technology used or intended to be used to commit or to facilitate the commission of such offense.[56]	Civil only For a body corporate without prior record, for upto 2 contraventions, civil penalty should not exceed i) 100 penalty units if the if the civil penalty provision is subsection 16(1), (6) or (9); or ii) 50 penalty units in any other case. For more than 2 contraventions, civil penalty should not exceed i) 2000 penalty units if the if the civil penalty provision is subsection 16(1), (6) or (9); or ii) 1000 penalty units in any other case. For a body corporate with prior record, for upto 2 contravention, civil penalty should not exceed i) 500 penalty units if the if the civil penalty provision is subsection 16(1), (6) or (9); or ii) 250 penalty units in any other case. For more than 2 contraventions, civil penalty should not exceed i) 10,000 penalty units if the if the civil penalty provision is subsection 16(1), (6) or (9); or ii) 5,000 penalty units in any other case. For a person without prior record, for upto 2 contraventions, civil penalty should not exceed i) 20 penalty units if the if the civil penalty provision is subsection 16(1), (6) or (9); or ii) 10 penalty units in any other case. For more than 2 contraventions, civil penalty should not exceed i) 400 penalty units if the if the civil penalty provision is subsection 16(1), (6) or (9); or ii) 200 penalty units in any other case. For a person with prior record, for upto 2 contravention, civil penalty should not exceed i) 100 penalty units if the if the civil penalty provision is subsection 16(1), (6) or (9); or ii) 50 penalty units in any other case. For more than 2 contraventions, civil penalty should not exceed i) 2,000 penalty units if the if the civil penalty provision is subsection 16(1), (6) or (9); or ii) 1,000 penalty units in any other case.[57]	Civil only i) Injunction ii) Damages- calculated in terms of loss suffered as a direct or indirect result of the contravention of the Act. ii) Statutory Damages not exceeding $25 for each CEM; and not exceeding in the aggregate $1 million, unless the plaintiff proves that his actual loss from such CEMs exceeds $1 million.[58] iii)Costs of litigation to the plaintiff.[59]	Civil only Administrative Monetary Penalty , the purpose of which is to promote compliance with the Act and not to punish.[60] The maximum penalty for a violation is $1,000,000 in the case of an individual, and $10,000,000 in the case of any other person.[61]	Civil on private action; Criminal for non-compliance with IC's notice A person who suffers damage by reason of any contravention of any of the requirements of these Regulations by any other person shall be entitled to bring proceedings for compensation from that other person for that damage.[62] The enforcement authority for these regulations is Britain's Information Commissioner who oversees both the Act and the Regulations, and investigates complaints and makes findings in the form of various types of notices.[63] Failure to comply with any notice issued by the Information Commissioner is a criminal offence and is punishable with a fine of upto £5000 in England and Wales and £10,000 Scotland.[64]

THE PROBLEM OF SPAM -WHY IT PERSISTS

As per a study conducted by Kaspersky Lab in 2014, 66.34% of all messages exchanged over the internet were spam.[65] Over the 2000s, several countries recognized the threats posed by spam and enacted specific legislations to tackle the same. The ones taken into consideration in this paper are the CAN-SPAM Act, 2003 of the United States, Canada's Anti-Spam Legislation, 2014, The Spam Act, 2003 of Australia, Singapore's Spam Control Act, 2007 and The Privacy and Electronic Communications (EC Directive) Regulations, 2003 (United Kingdom). As will be analyzed in the course of this paper, none of these laws have evolved to become comprehensive mechanisms for combating spam yet. Nevertheless, post the enactment of these laws, spam has reduced as a percentage of the net email traffic; however, the absolute quantity of spam has increased owing to the exponential growth of email traffic universally.[66]

Who Benefits from Spam?

1. Commercial establishments - Spamming is one of the most cost-effective means of promoting products and services to a large number of potential customers. Spams are not necessarily duplicitous and often contain legitimate information to which a fraction of the recipients respond positively. As per a recent study, for spam to be profitable, only 1 in 25,000 spam recipients needs to open the email, get enticed, and make a gray-market purchase.[67]

2. Non-commercial establishments benefitting from advertisements - Many seemingly non-profit messages benefit from revenue generated through advertisements when recipients visit their site. Advertisers pay these sites either per click or per impression.

3. Spammers - The costs incurred by spammers largely include the cost of e-mail/phone number harvesting and the cost of paying botnet operators. As compared to the revenue generated as a percentage of profits earned by the merchant on whose behalf spam messages are sent, these costs are negligible.[68]

Thus, spamming proves to be an activity that involves minimal investment and often yields some response from prospective clients.

The impact of spam is clearly widespread. Presently, India lacks a specific anti-spam legislation. In consideration of the swelling growth of spam across the globe and the increasing number of Indian users, it is of utmost urgency that a specific legislation is formulated to tackle the issue.

OBSERVATIONS AND ANALYSIS

1. Definition of Spam

a. 'Spam' must be defined in a technologically neutral manner

The legislations analyzed in this paper deal with either one or a cluster of modes of communication through which spam may be sent. However, it is essential that 'spam' is defined in a manner that is technologically neutral. Most commercial spam is aimed at promoting products and services to a large number of prospective customers. Thus, making only spam e-mails illegal, like the CAN-SPAM Act does, fails to address the issue wholly as companies would always retain the option of sending unsolicited messages through other communicative devices. It becomes an issue of merely switching modes of communication without there being any actual deterrence to spamming. Thus, a narrow understanding of spam, limiting it to one or few modes of communication, is problematic and for a model law, a broader definition that discourages unsolicited messages sent via any network is warranted.

b. Non-commercial spam must also be addressed

The five legislations examined in this paper address only the issue of unsolicited 'commercial' mails/messages. For instance, under the CAN-SPAM, a commercial mail means " any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service". Singapore's Spam Control Act defines a commercial message in a similar fashion but more elaborately. CASL, while limiting the scope of the law to commercial mail, additionally prescribes that such communication need not have a profit motive. Australia's Spam Act defines a commercial message as a message that has the purpose of offering, advertising or promoting goods or services or the supplier or prospective supplier of goods or services. Under the EC Directive, the term used is 'marketing communication'; however, in essence, it includes only commercial communications.[69] These definitions suffer from an obvious exclusion error. It is known from experience that not all unsolicited messages received are in pursuance of commercial interests. Often, unsolicited mails and messages are received with explicit sexual content as well as promoting political and religious agendas sent by party volunteers.

Thus, it would be in higher consonance with the greater aim of curbing spam to broaden the scope of these legislations to address both commercial as well as non-commercial messages.

c. Bulk requirement and its quantification

The Singaporean law makes 'sent in bulk' a mandatory requirement for spam. However, deciding what quantity of a particular message qualifies it as bulk is difficult. If an objective threshold is set, say 100 messages in 24 hours, then anything short of that, say even 99 messages, go unaddressed simply because it does not meet the statutory requirement of being in bulk. This enables spammers to misuse the law by marginally falling short of the threshold and still continuing to spam. The issue here is comparable to the one faced in setting age as bar to criminal culpability. No matter what, any number arrived at is likely to be arbitrary and consequently subject of criticism. A possible way to tackle this would be to strengthen the unsubscribe mechanisms by virtue of which individuals are able to, at the very least, stop receiving unsolicited mails. For the determination of threshold for State action and its feasibility, a much more detailed study is merited.

2. Consent Requirement

	Opt- out Model	Opt-in Model	Double Opt-in Model
Countries following the model	United States of America and Singapore	Canada, Australia and the United Kingdom	None at present.
When messages may be sent	At all times until recipient voluntarily opts out/unsubscribes.	Only after the recipient voluntarily opts-in/subscribes to receive messages by submitting his/her contact details to be part of a particular mailing list.	Only after the recipient responds in the affirmative to the confirmation mail sent by the sender on receiving an opt-in request from the recipient.
Specific requirements	1. The mail/message must bear a clear identifier of its content. E.g. marked as 'ADVT' for advertisements; 2. An 'unsubscribe' option must be provided in the message which may be utilized by the recipient to express his/her disinterest in the message; and 3. The message must conspicuously bear a valid physical postal address.	N/A	N/A
Advantages	Promotes commercial speech rights- Since the default position presumes the right to market, average collection rates are considerably higher as more emails can be sent to more people.	1. Reduction in unsolicited messages- Commercial messages are not sent until the recipient voluntarily consents to receiving such messages by submitting his/her contact information. 2. Availability of unsubscribe option- Even after a recipient voluntarily opts in, he/she still has the right to withdraw from such messages by unsubscribing.	1. Ensures people are entering their information correctly, which equals a cleaner list and lowers bounce rates. 2. Reduces the probability of spam complaints because subscribers have had to take the extra step to confirm their consent.
Disadvantages	1. This merely places the burden of reduction of spam on the recipients. 2. The functionality of the 'unsubscribe' link is itself questionable. Very often these links themselves are fraudulent. In such a case, the recipient is further harmed before any opting-out can even take place. 3. In the absence of any strict regulatory oversight, there exists no incentive for the senders to strictly address unsubscribe requests.	1. Consent may be obtained in fact but not in spirit through inconspicuous pre-ticked check boxes. 2. E-mail addresses may be added to a list by spambots. Where, the person 'opted-in' may not actually be the person opting in. 3. Errors may be made when entering emails; a typo may result in someone submitting an address that is not theirs. 4. Legitimate addresses may be added by someone who does not own the address.	1. Genuine subscribers may not understand clearly the confirmation process and fail to click the verification link. 2. Confirmation emails may get stuck in spam filters.

The comparison above highlights that the opt-out model as well as the opt-in model may leave loopholes. The opt-in model has been advocated for as the better model as compared to the opt-out model as it prohibits the sending of messages unless the recipient consents to receiving such messages. However, as pointed out above, in this model consent may be given by entities other than the owner of the contact details. In such a situation, a double opt-in model may be a viable option to contemplate as it is the only model where it can be ensured that only the addressee is enabled to successfully opt-in.[70]

Presently, the double opt-in model has not been adopted by any of the countries discussed in this paper. Nonetheless, it seems to have the potential to aid the fight against spam more effectively than the existing models. Its real efficacy however, shall be proven only on practical implementation.

3. Exceptions

a. Family and Personal Relationships

Under the CASL, an exception is made for 'personal relationships' and 'family relationship'. However, these terms are defined quite narrowly. For instance, family relationship is defined as 'a relationship between two people related through marriage, a common law partnership, or any legal parent-child relationship and those individuals have had direct, voluntary, two-way communication'.^[71] This implies that in a situation where an individual wants to send a message offering to sell something to an individual in his extended family, say his cousins, doing so without obtaining their consent first, would qualify his mail as spam under the CASL. This would become especially problematic in the Indian context where comparatively larger family structures prevail.

In the anti-spam legislations of the other four countries, no such exceptions are made. Quite obviously, these exceptions are of crucial significance and must be provided in any anti-spam legislation; however, it is important that they are defined in a manner such that their actual purpose i.e. of exclusion of familial and personal relationships from regulations applicable to spammers, is effectively achieved and the law does not become a creator for unnecessary litigation.

b. Transactional Messages

The term 'transactional messages' is used only under the CAN-SPAM Act of the USA. It basically covers messages sent when the recipient stands in an existing transactional relationship with the sender and the mail contains information specific to the recipient. It also includes employment relationships. In CASL, a similar exception is made under Section 6(6). The section is worded almost identically as the CAN-SPAM provision, though the term 'transactional messages' is not used. In the UK laws, messages for the purpose of direct marketing may be sent where the contact information of the recipient is received in the course of the sale or negotiations for the sale of a product or service to that recipient, thus implying an existing transactional relationship. One added proviso under the UK law is that the recipient must be clearly and distinctively given the opportunity to object, free of charge and in an easy manner, to the use of the e-mail address when collected and on the occasion of each message in case the customer has not initially refused such use.[72]

An exception for transactional messages is essential to ensure freedom of commercial speech rights even while effectively tackling spam. In the formulation of a model law, a combination of the American and the English laws may be workable.

c. Governmental Messages

The Spam Act, 2003 of Australia makes an exemption for 'designated commercial electronic message (DCEM)'. This exemption is to avoid any unintended restriction on communication between the government and the community.^[73] In order to be a DCEM, a message must-

1. Be authorized by the government;

2. Contain purely factual information and any related comments of non-commercial nature; and

3. Contain some information as to the identity of the sender company/individual.

DCEMs need not always be sent by government bodies and may also be sent by third parties authorized by the government.^[74] Such messages are exempt from the consent requirement as well as the unsubscribe option requirement but must comply with the identifier requirement. However, where government bodies are operating in a competitive environment, the provisions of the act would apply normally to them.^[75]

Similarly, Singapore's Spam Control Act does not apply to any electronic message where the sending of the message is authorized by the Government or a statutory body on the occurrence of any public emergency, in public interest or in the interests of public security or national defence.

These exemptions are essential in order to enable free communication of important information between the government and the citizens. The Singaporean wording of the exception is rather broad and would give the government immense space for misusing the law. Such a wording might be more effective if supplemented with the Australian proviso wherein governmental communications operating in a competitive environment are excluded.

4. Penalties

a. Penalties must be higher than benefit from spamming

If the penalty prescribed itself is too low, such that loss suffered from paying penalties is lower than net benefit from spamming, the spammer is not sufficiently deterred. Four out of the five countries analyzed in this paper prescribe only civil penalties in the form of fines for spamming. Recently, a Facebook spammer was found to have made a profit of $200 million in a year.[76] For instance, as noted above, the Australian law sets a limit for penalty at $1 million. Thus, such a penalty would constitute a small fraction of the profit from spamming and would not deter a spammer.

b. High penalty does not imply effective deterrence where probability of prosecution is low.

The CAN-SPAM Act prescribes the harshest penalties including both civil as well as criminal penalties. However, it has been rather ineffective in reducing spam. This is for the reason that this Act is more about how to spam legally than anything else. It is more like- ' you can spam but do not use false headers.'[77] As a consequence, unintentional spam from ignorant commercial establishments has reduced. However, due to easy compliance standards, the 'real' spammers still go undetected to a large extent.[78] Thus, even moderate penalties may serve as good deterrents where the probability of prosecution is high.

c. Effective enforcement is the key to effective deterrence.

The cornerstone of an effective spam law is effective enforcement. Penalties must be enforced in a manner that the cost of punishment is always higher than the benefit from spamming and the probability of conviction is high. In order to implement legislative measures effectively, governments should also undertake an information campaign on spam issues targeting users, business communities, private sector groups and other stakeholders as the one primary reason for sustenance of spam is the response received from certain recipients. Such supplementary activities would also facilitate the preservation of commercial rights as excessive penalties could inhibit regular commercial activities.

CONCLUSION

The observations made in this paper are crucial to the formulation of a model anti-spam law for India. The most important part of any ant-spam legislation would be the definition of 'spam' which, as established above, must be technologically neutral in order to be able to address as much unsolicited communication as possible. On the question of consent, a double opt-in is what this paper would propose. This model has been contemplated and recommended by academic and policy researchers as a possibly more effective consent model for spam laws; however, it has not been codified as a legal regime till date. It could be a rather groundbreaking approach that India could adopt as this clearly is the only model where 'opting-in' is realized in fact and in spirit. Further, exceptions are necessary in order to prevent the abuse of laws making certain such exceptions do not suffer from inclusive or exclusion errors. A combination of the exceptions under the Australian and the American laws seems ideal at this stage of research. In terms of penalty, this paper observed that only prescribing harsh penalties is not sufficient to effectively deter spammers but efficient modes of enforcement have to be formulated to ensure actual deterrence. Lastly, while a well-drafted national anti-spam legislation is clearly the need of the hour for India; additional steps have to be taken towards sensitizing citizens to the fact that the problem of spam is real and a costly threat to the communications infrastructure of the country and combat has to begin at the individual level.

[1] CAN-SPAM Act, § 7706(f) (7).

[2] Spam Act, 2003, § 7

[3] Spam Control Act, 2007, § 7(2)

[4] Canada's Anti-Spam Legislation, 2014, § 6.

[5] Canada's Anti-Spam Legislation, 2014, § 12.

[6] 15 U.S.C. § 7701 (2003).

[7] CAN-SPAM Act, Section 3 (2)(A)

[8] Spam Act, 2003, § 6

[9] Spam Control Act, 2007, § 5(1)

[10] Canada's Anti-Spam Legislation, 2014, § 6

[11] Canada's Anti-Spam Legislation, 2014, § 1(1)

[12] Regulation 19, EC Directives, 2003

[13] Regulation 20, EC Directives, 2003

[14] Regulation 21, EC Directives, 2003

[15] Regulation 22, EC Directives, 2003

[16] Section 11, Data Protection Act, 1998

[17] CAN-SPAM Act, Section 5(5)

[18] Spam Act, 2003, § 16(2)

[19] Spam Act, 2003, Schedule 2 (2)

[20] Spam Control Act, 2007 Section 11, Schedule 2(2)

[21] Canada's Anti-Spam Legislation, 2014, Section 6

[22] CAN-SPAM Act, 2003, Section 5(d)

[23] Spam Control Act, 2007, Schedule 2, 3(1), Section 11

[24] Chapter 47 of title 18, U.S.C., § 1037, inserted through an amendment by the CAN-SPAM Act, § 4(a) (1); '§ 5(A)(1).

[25] Spam Control Act, 2007, '§ 9

[26] Spam Control Act, 2007, '§ 2

[27] Spam Control Act, 2007, '§ 2

[28] Canada's Anti-Spam Legislation, 2014, § 7

[29] Canada's Anti-Spam Legislation, 2014, § 8

[30] CAN-SPAM Act, 2003, § 3(16)(A)

[31] Spam Act, 2003, Section 16(1), Section 8

[32] Spam Control Act, 2007, § 2

[33] Spam Control Act, 2007, § 12

[34] CAN-SPAM Act, 2003, § 7(a)(c)(d)

[35] CAN-SPAM Act, 2003, § 7(f)

[36] CAN-SPAM Act, 2003, § 7(g)

[37] MySpace, Inc. v. The Globe.com, Inc., 2007 WL 1686966 (C.D. Cal., Feb. 27, 2007)

[38] Spam Act, 2003, § 26(1)

[39] Spam Control Act, 2007, § 13

[40] Canada's Anti-Spam Legislation, § 47

[41] Regulation 30(1), EC Directives, 2003

[42] CAN-SPAM Act, 2003, § 3(2)(B)

[43] Spam Act, 2003, Schedule 1, § 2

[44] Spam Act, 2003, Schedule 1, § 3

[45] Spam Control Act, 2007, § 7(3)

[46] Spam Control Act, 2007, First Schedule Clause (1)

[47] Spam Control Act, 2007, First Schedule Clause (2)

[48] Canada's Anti-Spam Legislation, § 6(5a)

[49] Canada's Anti-Spam Legislation, § 6(5b)

[50] Canada's Anti-Spam Legislation, § 6(6)

[51] Canada's Anti-Spam Legislation, § 7

[52] Canada's Anti-Spam Legislation, § 8

[53]Section 22(3), EC Directives, 2003

[54] CAN-SPAM Act, § 7 (f)(3)(A).

[55] CAN-SPAM Act, § 4 (b)

[56] CAN-SPAM Act, § 4 (c)

[57] Spam Act, 2003, Sections 24, 25

[58] Spam Control Act, 2007, § 14

[59] Spam Control Act, 2007, § 15

[60] Canada's Anti-Spam Legislation, 2014, § 20(2)

[61] Canada's Anti-Spam Legislation, 2014, § 20(4)

[62] Regulation 30(1), EC Directive, 2003

[63] Regulations 31-32, EC Directive, 2003

[64] Section 47 and 60, Data Protection Act, 1998

[65] Spam and Phishing Statistics Report Q1-2014, Kaspersky Lab

http://usa.kaspersky.com/internet-security-center/threats/spam-statistics-report-q1-2014#.VVQxNndqN5I (last accessed 29^th May, 2015)

[66] Snow and Jayakar, Krishna, Can We Can Spam? A Comparison of National Spam Regulations, August 15, 2013. TPRC 41: The 41st Research Conference on Communication, Information and Internet Policy.

[67] Justin Rao and David Reiley, The Economics of Spam, Vol. 26, No. 3 The Journal of Economic Perspectives (2012), p. 104.

[68] Supra n. 66; p. 7

[69] Refer Table in Section 1.

[70] Dr. Ralph F. Wilson, Spam, Spam Bots, and Double Opt-in E-mail Lists, April 21, 2010; available at http://webmarketingtoday.com/articles/wilson-double-optin/ (last accessed 29^th May 2015).

[71] Section 2(a), Electronic Commerce Protection Regulations, http://fightspam.gc.ca/eic/site/030.nsf/eng/00273.html (last accessed 29^th May 2015)

[72] Evangelos Moustakas, C. Ranganathan and Penny Duquenoy, Combating Spam Through Legislation: A Comparative Analysis Of US And European Approaches, available at http://ceas.cc/2005/papers/146.pdf

[73] Spam Act 2003- A Practical Guide for Government, Australian Communications Authority, available at- http://www.acma.gov.au/webwr/consumer_info/spam/spam_act_pracguide_govt.pdf (last accessed 29^th May 2015)

[74] Ibid

[75] Id

[76] Charles Arthur, Facebook spammers make $200m just posting links, researchers say, The Guardian, 28^th August 2013, http://www.theguardian.com/technology/2013/aug/28/facebook-spam-202-million-italian-research (last accessed 29^th May, 2015)

[77] Evangelos Moustakas, C. Ranganathan and Penny Duquenoy, Combating Spam Through Legislation: A Comparative Analysis Of US And European Approaches, available at http://ceas.cc/2005/papers/146.pdf

[78] Carolyn Duffy Marsan, CAN-SPAM: What went wrong?, 6^th October 2008, available at

http://www.networkworld.com/article/2276180/security/can-spam--what-went-wrong-.html (last accessed 29^th May, 2015)

For more details visit https://cis-india.org/internet-governance/blog/anti-spam-laws-in-different-jurisdictions

Five Nations, One Future?

praskrishna — 2015-07-18T02:34:16Z

The Silicon Valley model for success - what Bangalore, Chile, London and Rwanda want to learn from California.

When it comes to IT, Silicon Valley is viewed worldwide as the model for success. What can we learn from the drivers of innovation in California? We investigate in Bangalore, Chile, London and Rwanda. The article by Bjorn Ludtke, Ellen Lee, Jaideep Sen, Gwendolyn Ledger, David Nicholson, and Jesko Johannsen was published by Voestalpine. Sunil Abraham was quoted extensively. Read more about the article.

For more details visit https://cis-india.org/internet-governance/news/five-nations-one-future

Most emerging firms low on cyber security: Experts

praskrishna — 2015-06-29T16:02:51Z

When Pavitra Badrinath saw that the upgrade to a shopping application on her smartphone asked access to her contacts and messages, she decided against it. "Laws on privacy are not clear in India. So I am doing what I can to protect my information," the 26-year-old technology firm employee said.

The article by Malavika Murali and Payal Ganguly was published in the Economic Times on June 24, 2015. Sunil Abraham gave his inputs.

Are users taking a risk by allowing applications to gain access to personal data shadowed by an upgrade? "Most definitely ," said Bikash Barai, cofounder and chief executive of security firm iViz Security .

With at least 10 alleged breaches and hacks into the databases of startups such as Ola and Gaana this year, the alarm bells are going off.

Experts warn that emerging businesses are lax with security frameworks, which is especially worrying as millions more Indians are shopping online, including on their phones, exposing crucial personal and financial data to fraud.

More than 70 per cent of Indian companies are under-prepared when it comes to cyber security, according to a report by CISO Platform, a social platform for security experts where Barai is chief adviser.

India's largest cab-hailing company, Ola denied hackers' claims in an email response to ET, stating that its data were not compromised.

Music service Gaana.com, in response to being hacked by a person in Pakistan calling himself MakMan, said it had strengthened its security team and offerings in recent weeks. "In addition, we are working on a `bug bounty' program, which will allow individuals to point out any potential vulnerability in a safe way," said Pawan Agarwal, business head at Gaana.com.

According to Google India, the number of online shoppers is expected to cross 100 million by the end of next year, from 35 million ear, from 35 million n 2014. But lack of roust regulations and ata privacy laws as ell as the fragmentd nature of the starup ecosystem, do not llow much scope for esearch on cyber seurity , said experts."Under the Indian "Under the Indian regime, there are no self-regulatory mechanisms for putting out breach notifications," said Sunil Abraham, executive director of the Centre for Internet and Society. "The numbers available with a central body like Data Security Council of India will be a gross underestimation of the cases of breach."

"Most of the startups in India want to do everything in-house. This can lead to a potential compromise or lack of expertise on the security front, even if it is made priority," said Harshit Agarwal, founder and chief executive of Singapore-based Appknox, which provides security services to Paytm, Freecharge and Myntra among other clients.

Jabong founder and managing director Praveen Sinha said the online fashion retailer spends 15-20 per cent of its revenue on cyber security. But other startups contended that budgets and teams sizes are not accurate indicators of security preparedness.

"We do not work with any external security firms as we have realised that the average report is as good as our internal team can make," said Mukesh Singh, chief executive officer of online grocer ZopNow.

For more details visit https://cis-india.org/internet-governance/news/economic-times-june-24-2015-malavika-murali-and-payal-ganguly-most-emerging-firms-low-on-cyber-security-experts

Government's stand on internet governance draws applause from civil society organisations

praskrishna — 2015-06-29T15:40:07Z

India's decision to support the multistakeholder model of internet governance has drawn mostly applause from civil society organisations and individuals who have been following the issue, even as they cautioned that implementation will determine the success of the model.

The article by Neha Alawadhi was published in Economic Times on June 24, 2015. Sunil Abraham gave his inputs.

A day after communications and IT minister Ravi Shankar Prasad said India will support the multistakeholder model, reactions poured in on Tuesday, largely hailing the move to break the longstanding status quo on the issue.

"What matters now is how the approach articulated by the minister is translated into coordinated action across various fora, including ICANN, BRICS, and perhaps most crucially the UN WSIS+10 Review Process, which culminates in the meeting of the UN General Assembly in December 2015," said Vinay Kesari, a lawyer specialising in ICT and internet governance.

Not just at international fora, India also needs to figure out tistakeholder stand within the country, said Arun Mohan Sukumar, senior fellow at the Centre for Communication Governance, National Law University. "Multistakeholderism is very attractive in principle but, as the ICANN experience shows, it is susceptible to concerns like elite capture and lack of accountability to the general public," he said.

Prasad made the announcement in a video address during the opening ceremony of the Internet Corporation for Assigned Names and Numbers (ICANN)'s 53rd public meeting in Buenos Aires on Monday. ICANN manages the Domain Name System (DNS), which helps organise the internet with the allotment of domain names such as .com, .org and .net and has often come under the scanner for not being transparent enough.

The multistakeholder model involves all stakeholders such as businesses, civil society, governments, research institutions and non-governmental organisations in the dialogue, decision-making and implementation of policymaking and governance.

The external affairs ministry, telecom department and the department of electronics and IT have long held divergent views on issues of internet governance, with no clear stand being made at international platforms. While welcoming the announcement, Sunil Abraham, executive director at the Centre for Internet and Society, said the minister could have explained in greater detail, especially the ongoing transition of internet governance control from US government to a multistakeholder model.

"He also spoke about government being responsible for security and human rights over the internet, which adds to the confusion over whether India will really let the internet be a fair and free medium," he said.

Prasanth Sugathan, counsel for the Software Freedom Law Centre, said the government should seek the views of other stakeholders as well on the issue. "When you talk of multistakeholderism, it should not be only at an international level. It should also happen at a national level. The government should have other parties also contributing to issues of internet governance," he said.

For more details visit https://cis-india.org/internet-governance/news/economic-times-june-24-2015-neha-alawadhi-govts-stand-on-internet-governance-draws-applause-from-civil-society-organisations

The generation of e-Emergency

sunil — 2015-06-29T16:40:54Z

The next generation of censorship technology is expected to be ‘real-time content manipulation’ through ISPs and Internet companies.

The article was published in Livemint on June 22, 2015.

Censorship during the Emergency in the 1970s was done by clamping down on the media by intimidating editors and journalists, and installing a human censor at every news agency with a red pencil. In the age of both multicast and broadcast media, thought and speech control is more expensive and complicated but still possible to do. What governments across the world have realized is that traditional web censorship methods such as filtering and blocking are not effective because of circumvention technologies and the Streisand effect (a phenomenon in which an attempt to hide or censor information proves to be counter-productive). New methods to manipulate the networked public sphere have evolved accordingly. India, despite claims to the contrary, still does not have the budget and technological wherewithal to successfully pull off some of the censorship and surveillance techniques described below, but thanks to Moore’s law and to the global lack of export controls on such technologies, this might change in the future.

First, mass technological-enabled surveillance resulting in self-censorship and self-policing. The coordinated monitoring of Occupy protests in the US by the Department of Homeland Security, the Federal Bureau of Investigation (FBI) counter-terrorism units, police departments and the private sector showcased the bleeding edge of surveillance technologies. Stingrays or IMSI catchers are fake mobile towers that were used to monitor calls, Internet traffic and SMSes. Footage from helicopters, drones, high-res on-ground cameras and the existing CCTV network was matched with images available on social media using facial recognition technology. This intelligence was combined with data from the global-scale Internet surveillance that we know about thanks to the National Security Agency (NSA) whistle-blower Edward Snowden, and what is dubbed “open source intelligence” gleaned by monitoring public social media activity; and then used by police during visits to intimidate activists and scare them off the protests.

Second, mass technological gaming—again, according to documents released by Snowden, the British spy agency, GCHQ (Government Communications Headquarters), has developed tools to seed false information online, cast fake votes in web polls, inflate visitor counts on sites, automatically discover content on video-hosting platform and send takedown notices, permanently disable accounts on computers, find private photographs on Facebook, monitor Skype activity in real time and harvest Skype contacts, prevent access to certain websites by using peer-to-peer based distributed denial of service attacks, spoof any email address and amplify propaganda on social media. According to The Intercept, a secret unit of GCHQ called the Joint Threat Research Intelligence Group (JTRIG) combined technology with psychology and other social sciences to “not only understand, but shape and control how online activism and discourse unfolds”. The JTRIG used fake victim blog posts, false flag operations and honey traps to discredit and manipulate activists.

Third, mass human manipulation. The exact size of the Kremlin troll army is unknown. But in an interview with Radio Liberty, St. Petersburg blogger Marat Burkhard (who spent two months working for Internet Research Agency) said, “there are about 40 rooms with about 20 people sitting in each, and each person has their assignments.” The room he worked in had each employee produce 135 comments on social media in every 12-hour shift for a monthly remuneration of 45,000 rubles. According to Burkhard, in order to bring a “feeling of authenticity”, his department was divided into teams of three—one of them would be a villain troll who would represent the voice of dissent, the other two would be the picture troll and the link troll. The picture troll would use images to counter the villain troll’s point of view by appealing to emotion while the link troll would use arguments and references to appeal to reason. In a day, the “troika” would cover 35 forums.

The next generation of censorship technology is expected to be “real-time content manipulation” through ISPs and Internet companies. We have already seen word filters where blacklisted words or phrases are automatically expunged. Last week, Bengaluru-based activist Thejesh GN detected that Airtel was injecting javascript into every web page that you download using a 3G connection. Airtel claims that it is injecting code developed by the Israeli firm Flash Networks to monitor data usage but the very same method can be used to make subtle personalized changes to web content. In China, according to a paper by Tao Zhu et al titled The Velocity of Censorship: High-Fidelity Detection of Microblog Post Deletions, “Weibo also sometimes makes it appear to a user that their post was successfully posted, but other users are not able to see the post. The poster receives no warning message in this case.”

More than two decades ago, John Gilmore, of Electronic Frontier Foundation, famously said, “the Net interprets censorship as damage and routes around it.” That was when the topology of the Internet was highly decentralized and there were hundreds of ISPs that competed with each other to provide access. Given the information diet of the average netizen today, the Internet is, for all practical purposes, highly centralized and therefore governments find it easier and easier to control.

For more details visit https://cis-india.org/internet-governance/blog/livemint-june-22-2015-sunil-abraham-the-generation-of-e-emergency

IANA Transition Stewardship & ICANN Accountability (II)

jyoti — 2015-07-31T15:47:20Z

This paper is the second in a multi-part series, in which we provide an overview of submitted proposals and highlight areas of concern that will need attention moving forward. The series is a work in progress and will be updated as the processes move forward. It is up for public comments and we welcome your feedback.

The discussions and the processes established for transition plan have moved rapidly, though not fast enough—given the complicated legal and technical undertaking it is. ICG will be considering the submitted proposals and moving forward on consultations and recommendations for pending proposals. ICANN53 saw a lot of discussion on the implementation of the proposals from the numbers and protocols community, while the CWG addressed the questions related to the 2^nd draft of the names community proposal. The Protocol Parameters (IANA PLAN Working Group) submitted to ICG on 6 January 2015, while the Numbering Resources (CRISP Team) submitted on 15 January 2015. The Domain Names (CWG-Stewardship) submitted its second draft to ICG on 25 June 2015. The ICG had a face-to-face meeting in Buenos Aires and their proposal to transition the stewardship of the IANA functions is expected to be out for public comment July 31 to September 8, 2015. Parallelly, the CCWG on Enhancing ICANN Accountability offered its first set of proposals for public comment in June 2015 and organised two working sessions at ICANN'53. More recently, the CCWG met in Paris focusing on the proposed community empowerment mechanisms, emerging concerns and progress on issues so far.

Number and Protocols Proposals

The numbering and the protocol communities have developed and approved their plans for the transition. Both communities are proposing a direct contractual relationship with ICANN, in which they have the ability to end the contract on their terms. The termination clause has seen push back from ICANN and teams involved in the negotiations have revealed that ICANN has verbally represented that they will reject any proposed agreement in which ICANN is not deemed the sole source prime contractor for IANA functions in perpetuity.[1] The emerging contentious negotiations on the issue of separability i.e., the ability to change to a different IANA functions operator, is an important issue.[2] As Milton Mueller points out, ICANN seems to be using these contract negotiations to undo the HYPERLINK "http://www.internetgovernance.org/2015/04/28/icann-wants-an-iana-functions-monopoly-and-its-willing-to-wreck-the-transition-process-to-get-it/#comment-40045"community process and that ICANN’s staff members are viewing themselves, rather than the formal IANA transition process shepherded by the ICG, as the final authority on the transition.[3] The attempts of ICANN Staff to influence or veto ideas regarding what solutions will be acceptable to NTIA and the Congress goes beyond its mandate to facilitate the transition dialogue. The ARIN meeting[4] and the process of updating MoU with IETF which mandates supplementary SLAs[5] are examples of ICANN leveraging its status as the incumbent IANA functions operator, with which all three operational communities must negotiate, to ensure that the outcome of the IANA transition process does not threaten its control.

Names Proposal

Recently, the CWG working on recommendations for the names related functions provided an improved 2nd draft of their earlier complex proposal which attempts to resolve the internal-external debate with a middle ground, with the creation of Post-Transition IANA (PTI). PTI a subsidiary/affiliate of the current contract-holder, ICANN, will be created and handed the IANA contract and its related technology and staff. Therefore, ICANN takes on the role of the contracting authority and PTI as the contracted party will perform the names-related IANA functions. Importantly, under the new proposal CWG has done away altogether with the requirement of “authorisation” to root zone changes and the reasons for this decision have not been provided. The proposal also calls for creation of a Customer Standing Committee (CSC) to continuously monitor the performance of IANA and creation a periodic review process, rooted in the community, with the ability to recommend ICANN relinquishing its role in names-related IANA functions, if necessary. A key concern area is the external oversight mechanism Multistakeholder Review Team– has been done away with. This is a significant departure from the version placed for public comment in December 2014. It is expected that clarification will be sought from the CWG on how it has factored in inputs from the first round of public comments.

Consensus around the CWG 2nd Draft

There is a growing consensus around the model proposed—the numbers community has commented on the proposal that it does "not foresee any incompatibility between the CWG's proposal”.[6] On the IANA PLAN list, members of the protocols community have also expressed willingness to accept the new arrangement to keep all the IANA functions together in PTI during the transition and view this as merely a reorganization.[7] However, acceptance of the proposal is pending till clarification related to how the PTI will be set up and its legal standing and scope are provided.

Structure of PTI

Presently, two corporate forms are being considered for the PTI, a nonprofit public benefit corporation (PBC) or a limited liability corporation (LLC), with a single member, ICANN, at its outset. Milton Mueller has advocated for the incorporation of PTI as a PBC rather than as a LLC, with its board composed of a mix of insiders and outsiders.[8] He is of the view that LLC form makes the implementation of PTI much more complex and risky as the CWG would need to debate mechanisms of control for the PTI as part of the transition process. The choice of structure is important as it will define the limitations and responsibilities that will be placed on the PTI Board—an important and necessary accountability mechanism.

Broadly, the division of views is around selection of the Board Members that is if they should be chosen either by IANA's customers or representative groups within ICANN or solely by the Board. The degree of autonomy which the PTI has given the existing ICANN structure is also a key developing question. Debate on autonomy of PTI are broadly centered around two distinct views of PTI being incorporated in a different country, to prevent ICANN from slowly subsuming the organization. The other view endorsed by ICANN states that a high degree of autonomy risks creates additional bureaucracy and process for no discernible improvement in actual services.

Functional Separability

Under the CWG-Stewardship draft proposal, ICANN would assume the role currently fulfilled by NTIA (overseeing the IANA function), while PTI would assume the role currently played by ICANN (the IANA functions operator). A divisive area here is that the goal of “functional separation” is defeated with PTI being structured as an “affiliate” wholly owned subsidiary, as it will be subject to management and policies of ICANN. From this view, while ICANN as the contracting party has the right of selecting future IANA functions operators, the legal and policy justification for this has not been provided. It is expected that ICANN'53 will see discussions around the PTI will focus on its composition, legal standing and applicability of the California law.

Richard Hill is of the view that the details of how PTI would be set up is critical for understanding whether or not there is "real" separation between ICANN and PTI leading to the conclusion of a meaningful contract in the sense of an agreement between two separate entities.[9] This functional separation and autonomy is granted by the combination of a legally binding contract, CSC oversight, periodic review and the possibility of non-renewal of the contract.[10]

Technical and policy roles - ICANN and PTI

The creation of PTI splits the technical and policy functions between ICANN and PTI. The ICANN Board comments on CWG HYPERLINK "http://forum.icann.org/lists/comments-cwg-stewardship-draft-proposal-22apr15/pdfrIUO5F9nY4.pdf"PrHYPERLINK "http://forum.icann.org/lists/comments-cwg-stewardship-draft-proposal-22apr15/pdfrIUO5F9nY4.pdf"oHYPERLINK "http://forum.icann.org/lists/comments-cwg-stewardship-draft-proposal-22apr15/pdfrIUO5F9nY4.pdf"posal also confirm PTI having no policy role, nor it being intended to in the future, and that while it will have control of the budget amounts ceded to it by ICANN the funding of the PTI will be provided by ICANN as part of the ICANN budgeting process.[11] The comments from the Indian government on the proposal states this as an issue of concern, as it negates ICANN's present role as a merely technical coordination body. The concerns stem from placing ICANN in the role of the perpetual contracting authority for the IANA function makes ICANN the sole venue for decisions relating to naming policy as well as the entity with sole control over the PTI under the present wholly subsidiary entity.[12]

Key areas of work related to the distinction between the PTI and ICANN policy and technical functions include addressing how the new PFI Board would be structured, what its role would be, and what the legal construction between it and ICANN. The ICANN Board too has sought some important clarifications on its relationship as a parent body including areas where the PTI is separate from ICANN and areas where CWG sees shared services as being allowable (shared office space, HR, accounting, legal, payroll). It also sought clarification on the line of reporting, duties of the PTI Directors and alignment of PTI corporate governance with that of ICANN.

The Swedish government has commented that the next steps in this process would be clarification of the process for designing the PTI-IANA contract, a process to establish community consent before entering the contract, explicit mention of whom the contracting parties are and what their legal responsibilities would be in relation to it.[13]

Internal vs External Accountability

The ICANN Board, pushing for an internal model of full control of IANA Functions is of the view that a more independent PTI could somehow be "captured" and used to thwart the policies developed by ICANN. However, others have pointed out that under proposed structure PTI has strong ties to ICANN community that implements the policies developed by ICANN.[14] With no funding and no authority other than as a contractor of ICANN, if PTI is acting in a manner contrary to its contract it would be held in breach and could be replaced under the proposal.

Even so, as the Indian government has pointHYPERLINK "http://forum.icann.org/lists/comments-cwg-stewardship-draft-proposal-22apr15/pdfJGK6yVohdU.pdf"edHYPERLINK "http://forum.icann.org/lists/comments-cwg-stewardship-draft-proposal-22apr15/pdfJGK6yVohdU.pdf" out from the point of view of institutional architecture and accountability, this model is materially worse off than the status quo.[15]

The proposed PTI and ICANN relationship places complete reliance on internal accountability mechanisms within ICANN, which is not a prudent institutional design. The Indian government anticipates a situation where, in the event there is customer/ stakeholder dissatisfaction with ICANN’s role in naming policy development, there would be no mechanism to change the entity which fulfils this role. They feel that the earlier proposal for the creation of a Contract Co, a lightweight entity with the sole purpose of being the repository of contracting authority, and award contracts including the IANA Functions Contract provided a much more effective mechanism for external accountability. While the numbers and protocol communities have proposed a severable contractual relationship with ICANN for the performance of its SLAs no such mechanism exists with respect to ICANN's role in policy development for names.

Checks and Balances

Under the current proposal the Customer Standing Committee (CSC) has the role, of constantly reviewing the technical aspects of the naming function as performed by PTI. This, combined with the proposed periodic IANA Function Review (IFR), would act as a check on the PTI. The current draft proposal does not specify what will be the consequence of an unfavourable IANA Functions Review.

Some other areas of focus going forward relate to the IFR team inclusion in ICANN bylaws along the lines of the AOC established in 2009.[16] Also, ensuring the IFR team clarifies the scope of separability. The circumstances and procedures in place for pulling the IANA contract away if it has been established that ICANN is not fulfilling it contractual agreements. This will be a key accountability mechanism and deterrent for ICANN controlling the exercise of its influence.

CCWG Accountability

Work Stream (WS1): Responsible for drafting a mechanism for enhancing ICANN accountability, which must be in place before the IANA stewardship transition.

Work Stream (WS2): Addressing long term accountability topics which may extend beyond the IANA Stewardship Transition.

The IANA transition was recognized to be dependent on ICANN’s wider accountability, and this has exposed the trust issues between community and leadership and the proposal must be viewed in this context. The CCWG Draft Proposal attempts 4 significant new undertakings:

A. Restating ICANN’s Mission, Commitments, and Core Values, and placing those into the ICANN Bylaws. The CCWG has recommended that some segments of the Affirmation of Commitments (AOC)– a contract on operating principles agreed upon between ICANN and the United States government – be absorbed into the Corporation’s bylaws.

B. Establishing certain bylaws as “Fundamental Bylaws” that cannot be altered by the ICANN Board acting unilaterally, but over which stakeholders have prior approval rights;

C. Creating a formal “membership” structure for ICANN, along with “community empowerment mechanisms”. Some of the community empowerment mechanisms including (a) remove individual Board members, (b) recall the entire Board, (c) veto or approve changes to the ICANN Bylaws, Mission Statement, Commitments, and Core Values; and (d) to veto Board decisions on ICANN’s Strategic Plan and its budget;

D. Enhancing and strengthening ICANN's Independent Review Process (IRP) by creating a standing IRP Panel empowered to review actions taken by the corporation for compliance both with stated procedures and with the Bylaws, and to issue decisions that are binding upon the ICANN Board.

The key questions likely to be raised at ICANN 53 on several of these proposals will likely concern how these empowerment mechanisms affect the “legal nature” of the community.

Membership and Accountability

At the heart of the distrust between the ICANN Board and the community is the question of membership. ICANN as a corporation is a private sector body that is largely unregulated, with no natural competitors, cash-rich and directly or indirectly supports many of its participants and other Internet governance processes. Without effective accountability and transparency mechanisms, the opportunities for distortion, even corruption, are manifold. In such an environment, placing limitations on the Board’s power is critical to invoke trust. Three keys areas of accountability related to the Board include: no mechanisms for recall of individual board directors; the board’s ability to amend the company’s constitution (its bylaws), and the track record of board reconsideration requests.[17]

With no membership, ICANN’s directors represent the end of the line in terms of accountability. While there is a formal mechanism to review board decisions, the review is conducted by a subset of the same people. The CCWG’s proposal to create SOs/ACs as unincorporated “members” with Articles of Association has met with a lot of discussion, especially in the Governmental Advisory Council (GAC).[18] The GAC has posed several critical questions on this set up, some of which are listed here:

Can a legal person created and acting on behalf of the GAC become a member of ICANN, even though the GAC does not appoint Board members?
If GAC does not wish to become a member, how could it still be associated to the exercise of the 6 (community empowerment mechanisms) powers?
It is still unclear what the liability of members of future “community empowered structures” would be.
What are the legal implications on rights, obligations and liabilities of an informal group like the GAC creating an unincorporated association (UA) and taking decisions as such UA, from substantial (like exercising the community powers) to clerical (appointing its board, deciding on its financing) and whether there are implications when the members of such an UA are Governments?

Any proposal to strengthen accountability of ICANN needs to provide for membership so that there is ability to remove directors, creates financial accountability by receiving financial accounts and appointing editors and can check the ICANN’s board power to change bylaws without recourse to a higher authority.

Constitutional Undertaking

David Post and Danielle Kehl have pointed out that the CCWG correctly identifies the task it is undertaking – to ensure that ICANN’s power is adequately and appropriately constrained – as a “constitutional” one.[19] Their interpretation is based on the view that even if ICANN is not a true “sovereign,” it can usefully be viewed as one for the purpose of evaluating the sufficiency of checks on its power. Subsequently, the CCWG Draft Proposal, and ICANN’s accountability post-transition, can be understood and analyzed as a constitutional exercise, and that the transition proposal should meet constitutional criteria. Further, from this view the CCWG draft reflects the reformulation of ICANN around the broadly agreed upon constitutional criteria that should be addressed. These include:

A clear enumeration of the powers that the corporation can exercise, and a clear demarcation of those that it cannot exercise.
A division of the institution’s powers, to avoid concentrating all powers in one set of hands, and as a means of providing internal checks on its exercise.
Mechanism(s) to enforce the constraints of (1) and (2) in the form of meaningful remedies for violations.

Their comments reflect that they support CCWG in their approach and progress made in designing a durable accountability structure for a post-transition ICANN. However, they have stressed that a number of important omissions and/or clarifications need to be addressed before they can be confident that these mechanisms will, in practice, accomplish their mission. One such suggestion relates to ICANN’s policy role and PTI technical role separability. Given ICANN’s position in the DNS hierarchy gives it the power to impose its policies, via the web of contracts with and among registries, registrars, and registrants, on all users of the DNS, a constitutional balance for the DNS must preserve and strengthen the separation between DNS policy-making and policy-implementation. Importantly, they have clarified that even if ICANN has the power to choose what policies are in the best interest of the community it is not free to impose them on the community. ICANN's role is a critical though narrow one: to organize and coordinate the activities of that stakeholder community – which it does through its various Supporting Organizations, Advisory Committees, and Constituencies – and to implement the consensus policies that emerge from that process. Their comments on the CCWG draft call for stating this clarification explicitly and institutionalizing separability to be guided by this critical safeguard against ICANN’s abuse of its power over the DNS.

An effective implementation of this limitation will help clarify the role mechanisms being proposed such as the PTI and is critical for creating sustainable mechanisms, post-transition. More importantly, clarifying ICANN’s mission would ensure that in the post-transition communities could challenge its decisions on the basis that it is not pertaining to the role outlined or based on strengthening the stability and security of the DNS. Presently, it is very unclear where ICANN can interfere in terms of policymaking and implementation.

Other Issues

Other issues expected to be raised in the context of ICANN's overall accountabiltiy will likey concern the following:

Strengthening financial transparency and oversight

Given the rapid growth of the global domain name industry, one would imagine that ICANN is held up to the same standard of accountability as laid down in the right to information mechanisms countries such as India. CIS has been raising this issue for a while and has managed to received the list of ICANN’s current domain name revenues.[20]

By sharing this information, ICANN has shown itself responsive to repeated requests for transparency however, the shared revenue data is only for the fiscal year ending June 2014, and historical revenue data is still not publicly available. Neither is a detailed list (current and historical) of ICANN’s expenditures publicly available. Accountability mechanisms and discussions must seek that ICANN provide the necessary information during its regular Quarterly Stakeholder Reports, as well as on its website.

Strengthening transparency

A key area of concern is ICANN's unchecked influence and growing role as an institution in the IG space. Seen in the light of the impending transition, the transparency concerns gain significance and given ICANN's vocal interests in maintaining the status quo of its role in DNS Management. While financial statements (current and historic) are public and community discussions are generally open, the complexity of the contractual arrangements in place tracking the financial reserves available to ICANN through these processes are not sufficient.

Further, ICANN as a monopoly is presently constrained only by the NTIA review and few internal mechanisms like the Documentary Information Disclosure Policy (DIDP)[21], Ombudsman[22], Reconsideration and Independent Review[23] and the Accountability and Transparency Review (ATRT)[24]. These mechanisms are facing teething issues and some do not conform to the principles of natural justice. For example, a Reconsideration Request can be filed if one is aggrieved by an action of ICANN’s Board or staff. Under ICANN’s By-laws, it is the Board Governance Committee, comprising ICANN Board members, that adjudicates Reconsideration Requests.[25]

Responses to the DIDP requests filed by CIS reveal that the mechanism in its current form, is not sufficient to provide the transparency necessary for ICANN’s functioning. For instance, in the response to DIDP pertaining to the Ombudsman Requests[26], ICANN cites confidentiality as a reason to decline providing information as making Ombudsman Requests public would violate ICANN Bylaws, toppling the independence and integrity of the Ombudsman. Over December ’14 and January ’15, CIS sent 10 DIDP requests to ICANN with an aim was to test and encourage discussions on transparency from ICANN. We have received responses for 9 of our requests, and in 7 of those responses ICANN provides very little new information and moving forward we would stress the improvements of existing mechanisms along with introduction of new oversight and reporting parameters towards facilitating the transition process.[27]

[1]John Sweeting and others, 'CRISP Process Overview' (ARIN 35, 2015) https://regmedia.co.uk/2015/04/30/crisp_panel.pdf

[2]Andrew Sullivan, [Ianaplan] Update On IANA Transition & Negotiations With ICANN (2015), Email http://www.ietf.org/mail-archive/web/ianaplan/current/msg01680.html

[3]Milton Mueller, ‘ICANN WANTS AN IANA FUNCTIONS MONOPOLY – WILL IT WRECK THE TRANSITION PROCESS TO GET IT?’ (Internet Governance Project, 28 April 2015) http://www.internetgovernance.org/2015/04/28/icann-wants-an-iana-functions-monopoly-and-its-willing-to-wreck-the-transition-process-to-get-it/#comment-40045

[4]Tony Smith, 'Event Wrap: ICANN 52' (APNIC Blog, 20 February 2015) http://blog.apnic.net/2015/02/20/event-wrap-icann-52/

[5]Internet Engineering Task Force, 'IPROC – IETF Protocol Registries Oversight Committee' (2015) https://www.ietf.org/iana/iproc.html

[6]Axel Pawlik, Numbers Community Proposal Contact Points With CWG’S Draft IANA Stewardship Transition Proposal (2015), Email http://forum.icann.org/lists/comments-cwg-stewardship-draft-proposal-22apr15/msg00003.html

[7]Jari Arkko, Re: [Ianaplan] CWG Draft And Its Impact On The IETF (2015), Email http://www.ietf.org/mail-archive/web/ianaplan/current/msg01843.html

[8]Milton Mueller, Comments Of The Internet Governance Project (2015), Email http://forum.icann.org/lists/comments-cwg-stewardship-draft-proposal-22apr15/msg00021.html

[9]Richard Hill, Initial Comments On CWG-Stewardship Draft Proposal (2015), Email http://forum.icann.org/lists/comments-cwg-stewardship-draft-proposal-22apr15/msg00000.html

[10]Brenden Kuerbis, 'Why The Post-Transition IANA Should Be A Nonprofit Public Benefit Corporation' (Internet Governance Project, 18 May 2015) http://www.internetgovernance.org/2015/05/18/why-the-post-transition-iana-should-be-a-nonp

[11]ICANN Board Comments On 2Nd Draft Proposal Of The Cross Community Working Group To Develop An IANA Stewardship Transition Proposal On Naming Related Functions (20 May 2015) http://forum.icann.org/lists/comments-cwg-stewardship-draft-proposal-22apr15/pdfrIUO5F9nY4.pdf

[12]Comments Of Government Of India On The ‘2nd Draft Proposal Of The Cross Community Working Group To Develop An IANA Stewardship Transition Proposal On Naming Related Functions’ (2015) http://forum.icann.org/lists/comments-cwg-stewardship-draft-proposal-22apr15/pdfJGK6yVohdU.pdf

[13]Anders Hektor, Sweden Comments To CWG-Stewardship (2015), Email http://forum.icann.org/lists/comments-cwg-stewardship-draft-proposal-22apr15/msg00016.html

[14]Brenden Kuerbis, 'Why The Post-Transition IANA Should Be A Nonprofit Public Benefit Corporation |' (Internet Governance Project, 18 May 2015) http://www.internetgovernance.org/2015/05/18/why-the-post-transition-iana-should-be-a-nonprofit-public-benefit-corporation/

[15]Comments Of Government Of India On The ‘2nd Draft Proposal Of The Cross Community Working Group To Develop An IANA Stewardship Transition Proposal On Naming Related Functions’ (2015) http://forum.icann.org/lists/comments-cwg-stewardship-draft-proposal-22apr15/pdfJGK6yVohdU.pdf

[16]Kieren McCarthy, 'Internet Kingmakers Drop Ego, Devise Future Of DNS, IP Addys Etc' (The Register, 24 April 2015) http://www.theregister.co.uk/2015/04/24/internet_kingmakers_drop_ego_devise_future_of_the_internet/

[17]Emily Taylor, ICANN: Bridging The Trust Gap (Paper Series No. 9, Global Commission on Internet Governance March 2015) https://regmedia.co.uk/2015/04/02/gcig_paper_no9-iana.pdf

[18]Milton Mueller, 'Power Shift: The CCWG’S ICANN Membership Proposal' (Internet Governance Project, 4 June 2015) http://www.internetgovernance.org/2015/06/04/power-shift-the-ccwgs-icann-membership-proposal/

[19]David Post, Submission Of Comments On CCWG Draft Initial Proposal (2015), Email http://forum.icann.org/lists/comments-ccwg-accountability-draft-proposal-04may15/msg00050.html

[20] Hariharan, 'ICANN reveals hitherto undisclosed details of domain names revenues', 8 December, 2014 See: http://cis-india.org/internet-governance/blog/cis-receives-information-on-icanns-revenues-from-domain-names-fy-2014

[21] ICANN, Documentary Information Disclosure Policy See: https://www.icann.org/resources/pages/didp-2012-02-25-en

[22] ICANN Accountability, Role of the Ombudsman https://www.icann.org/resources/pages/accountability/ombudsman-en

[23] ICANN Reconsideration and independent review, ICANN Bylaws, Article IV, Accountability and Review https://www.icann.org/resources/pages/reconsideration-and-independent-review-icann-bylaws-article-iv-accountability-and-review

[24] ICANN Accountability and Transparency Review Final Recommendations https://www.icann.org/en/system/files/files/final-recommendations-31dec13-en.pdf

[25] ICANN Bylaws Article iv, Section 2 https://www.icann.org/resources/pages/governance/bylaws-en#IV

[26] ICANN Response to DIDP Ombudsman https://www.icann.org/resources/pages/20141228-1-ombudsman-2015-01-28-en

[27] Table of CIS DIDP Requests See: http://cis-india.org/internet-governance/blog/table-of-cis-didp-requests/at_download/file

For more details visit https://cis-india.org/internet-governance/blog/iana-transition-stewardship-and-icann-accountability-2

DesiSec: Cybersecurity and Civil Society in India

Laird Brown — 2015-06-29T16:25:43Z

As part of its project on mapping cyber security actors in South Asia and South East Asia, the Centre for Internet & Society conducted a series of interviews with cyber security actors. The interviews were compiled and edited into one documentary. The film produced by Purba Sarkar, edited by Aaron Joseph, and directed by Oxblood Ruffin features Malavika Jayaram, Nitin Pai, Namita Malhotra, Saikat Datta, Nishant Shah, Lawrence Liang, Anja Kovacs, Sikyong Lobsang Sangay and, Ravi Sharada Prasad.

Originally the idea was to do 24 interviews with an array of international experts: Technical, political, policy, legal, and activist. The project was initiated at the University of Toronto and over time a possibility emerged. Why not shape these interviews into a documentary about cybersecurity and civil society? And why not focus on the world’s largest democracy, India? Whether in India or the rest of the world there are several issues that are fundamental to life online: Privacy, surveillance, anonymity and, free speech. DesiSec includes all of these, and it examines the legal frameworks that shape how India deals with these challenges.

From the time it was shot till the final edit there has only been one change in the juridical topography: the dreaded 66A of the IT Act has been struck down. Otherwise, all else is in tact. DesiSec was produced by Purba Sarkar, shot and edited by Aaron Joseph, and directed by Oxblood Ruffin. It took our team from Bangalore to Delhi and, Dharamsala. We had the honour of interviewing: Malavika Jayaram, Nitin Pai, Namita Malhotra, Saikat Datta, Nishant Shah, Lawrence Liang, Anja Kovacs, Sikyong Lobsang Sangay and, Ravi Sharada Prasad. Everyone brought something special to the discussion and we are grateful for their insights. Also, we are particularly pleased to include the music of Charanjit Singh for the intro/outro of DesiSec. Mr. Singh is the inventor of acid house music, predating the Wikipedia entry for that category by five years. Someone should correct that.

DesiSec is released under the Creative Commons License Attribution 3.0 Unported (CC by 3.0). You can watch it on Vimeo: https://vimeo.com/123722680 or download it legally and free of charge via torrent. Feel free to show, remix, and share with your friends. And let us know what you think!

Video

For more details visit https://cis-india.org/internet-governance/blog/desi-sec-cybersecurity-and-civil-society-in-india

IANA Transition Stewardship & ICANN Accountability (I)

jyoti — 2015-07-31T14:56:26Z

This paper is the first in a multi-part series, in which we provide a background to the IANA transition and updates on the ensuing processes. An attempt to familiarise people with the issues at stake, this paper will be followed by a second piece that provides an overview of submitted proposals and areas of concern that will need attention moving forward. The series is a work in progress and will be updated as the processes move forward. It is up for public comments and we welcome your feedback.

In developing these papers we have been guided by Kieren McCarthy's writings in The Register, Milton Mueller writings on the Internet Governance Project, Rafik Dammak emails on the mailings lists, the constitutional undertaking argument made in the policy paper authored by Danielle Kehl & David Post for New America Foundation.

Introduction

The 53rd ICANN conference in Buenos Aires was pivotal as it marked the last general meeting before the IANA transition deadline on 30th September, 2015. The multistakeholder process initiated seeks communities to develop transition proposals to be consolidated and reviewed by the the IANA Stewardship Transition Coordination Group (ICG). The names, number and protocol communities convened at the conference to finalize the components of the transition proposal and to determine the way forward on the transition proposals. The Protocol Parameters (IANA PLAN Working Group) submitted to ICG on 6 January 2015, while the Numbering Resources (CRISP Team) submitted on 15 January 2015. The Domain Names (CWG-Stewardship) submitted its second draft to ICG on 25 June 2015. The ICG had a face-to-face meeting in Buenos Aires and their proposal to transition the stewardship of the IANA functions is expected to be out for public comment July 31 to September 8, 2015.

Parallelly, the CCWG on Enhancing ICANN Accountability offered its first set of proposals for public comment in June 2015 and organised two working sessions at ICANN'53. More recently, the CCWG met in Paris focusing on the proposed community empowerment mechanisms, emerging concerns and progress on issues so far. CIS reserves its comments to the CCWG till the second round of comments expected in July.

This working paper explains the IANA Transition, its history and relevance to management of the Internet. It provides an update on the processes so far, including the submissions by the Indian government and highlights areas of concern that need attention going forward.

How is IANA Transition linked to DNS Management?

The IANA transition presents a significant opportunity for stakeholders to influence the management and governance of the global network. The Domain Name System (DNS), which allows users to locate websites by translating the domain name with corresponding Internet Protocol address, is critical to the functioning of the Internet. The DNS rests on the effective coordination of three critical functions—the allocation of IP Addresses (the numbers function), domain name allocation (the naming function), and protocol parameters standardisation (the protocols function).

History of the ICANN-IANA Functions contract

Initially, these key functions were performed by individuals and public and private institutions. They either came together voluntarily or through a series of agreements and contracts brokered by the Department of Commerce’s National Telecommunications and Information Administration (NTIA) and funded by the US government. With the Internet's rapid expansion and in response to concerns raised about its increasing commercialization as a resource, a need was felt for the creation of a formal institution that would take over DNS management. This is how ICANN, a California-based private, non-profit technical coordination body, came at the helm of DNS and related issues. Since then, ICANN has been performing the Internet Assigned Numbers Authority (IANA) functions under a contract with the NTIA, and is commonly referred to as the IANA Functions Operator.

IANA Functions

In February 2000, the NTIA entered into the first stand-alone IANA Functions HYPERLINK "http://www.ntia.doc.gov/files/ntia/publications/sf_26_pg_1-2-final_award_and_sacs.pdf"contract[1] with ICANN as the Operator. While the contractual obligations have evolved over time, these are largely administrative and technical in nature including:

(1) the coordination of the assignment of technical Internet protocol parameters;

(2) the allocation of Internet numbering resources; and

(3) the administration of certain responsibilities associated with the Internet DNS root zone management;

(4) other services related to the management of the ARPA and top-level domains.

ICANN has been performing the IANA functions under this oversight, primarily as NTIA did not want to let go of complete control of DNS management. Another reason was to ensure NTIA's leverage in ensuring that ICANN’s commitments, conditional to its incorporation, were being met and that it was sticking to its administrative and technical role.

Root Zone Management—Entities and Functions Involved

NTIA' s involvement has been controversial particularly in reference to the Root Zone Management function, which allows allows for changes to the HYPERLINK "http://www.internetsociety.org/sites/default/files/The Internet Domain Name System Explained for Non-Experts (ENGLISH).pdf"highest level of the DNS namespace[2] by updating the databases that represent that namespace. DNS namespace is defined to be the set of names known as top-level domain names or TLDs which may be at the country level (ccTLDs or generic (gTLDs). This HYPERLINK "https://static.newamerica.org/attachments/2964-controlling-internet-infrastructure/IANA_Paper_No_1_Final.32d31198a3da4e0d859f989306f6d480.pdf"function to maintain the Root was split into two parts[3]—with two separate procurements and two separate contracts. The operational contract for the Primary (“A”) Root Server was awarded to VeriSign, the IANA Functions Contract—was awarded to ICANN.

These contracts created contractual obligations for ICANN as IANA Root Zone Management Function Operator, in co-operation with Verisign as the Root Zone Maintainer and NTIA as the Root Zone Administrator whose authorisation is explicitly required for any requests to be implemented in the root zone. Under this contract, ICANN had responsibility for the technical functions for all three communities under the IANA Functions contract.

ICANN also had policy making functions for the names community such as developing HYPERLINK "https://www.iana.org/domains/root/files"rules and procedures and policies under HYPERLINK "https://www.iana.org/domains/root/files"which any changes to the Root Zone File[4] were to be proposed, including the policies for adding new TLDs to the system. The policy making of numbers and protocols is with IETF and RIRs respectively. HYPERLINK "http://www.ntia.doc.gov/files/ntia/publications/ntias_role_root_zone_management_12162014.pdf"NTIA role in root zone management[5] is clerical and judgment free with regards to content. It authorizes implementation of requests after verifying whether procedures and policies are being followed.

This contract was subject to extension by mutual agreement and failure of complying with predefined commitments could result in the re-opening of the contract to another entity through a Request For Proposal (RFP). In fact, in 2011 HYPERLINK "http://www.ntia.doc.gov/files/ntia/publications/11102011_solicitation.pdf"NTIA issued a RFP pursuant to ICANN HYPERLINK "http://www.ntia.doc.gov/files/ntia/publications/11102011_solicitation.pdf"'HYPERLINK "http://www.ntia.doc.gov/files/ntia/publications/11102011_solicitation.pdf"s Conflict of Interest Policy.[6]

Why is this oversight needed?

The role of the Administrator becomes critical for ensuring the security and operation of the Internet with the Root Zone serving as the directory of critical resources. In December 2014, HYPERLINK "http://www.theregister.co.uk/2015/04/30/confidential_information_exposed_over_300_times_in_icann_security_snafu/"a report revealed 300 incidents of internal security breaches[7] some of which were related to the Centralized Zone Data System (CZDS) – where the internet core root zone files are mirrored and the WHOIS portal. In view of the IANA transition and given ICANN's critical role in maintaining the Internet infrastructure, the question which arises is if NTIA will let go of its Administrator role then which body should succeed it?

Transition announcement and launch of process

On 14 March 2014, the NTIA HYPERLINK "http://www.ntia.doc.gov/press-release/2014/ntia-announces-intent-transition-key-internet-domain-name-functions"announced[8] “its intent to transition key Internet domain name functions to the global multistakeholder community”. These key Internet domain name functions refer to the IANA functions. For this purpose, the NTIA HYPERLINK "http://www.ntia.doc.gov/press-release/2014/ntia-announces-intent-transition-key-internet-domain-name-functions"asked[9] the Internet Corporation for Assigned Names and Numbers (ICANN) to convene a global multistakeholder process to develop a transition proposal which has broad community support and addresses the following four principles:

Support and enhance the multistakeholder model;
Maintain the security, stability, and resiliency of the Internet DNS;
Meet the needs and expectation of the global customers and partners of the IANA services; and
Maintain the openness of the Internet.

The transition process has been split according to the three main communities naming, numbers and protocols.

Structure of the Transition Processes

ICANN performs both technical functions and policy-making functions. The technical functions are known as IANA functions and these are performed by ICANN are for all three communities.

I. Naming function: ICANN performs technical and policy-making for the names community. The technical functions are known as IANA functions and the policy-making functions relates to their role in deciding whether .xxx or .sucks should be allowed amongst other issues. There are two parallel streams of work focusing on the naming community that are crucial to completing the transition. The first, Cross-Community Working Group to Develop an IANA Stewardship Transition Proposal on Naming Related Functions will enable NTIA to transition out of its role in the DNS. Therefore, accountability of IANA functions is the responsibility of the CWG and accountability of policy-making functions is outside its scope. CWG has submitted its second draft to the ICG.

The second, Cross-Community Working Group on Accountability (CCWG-Accountability) is identifying necessary reforms to ICANN’s bylaws and processes to enhance the organization’s accountability to the global community post-transition. Therefore accountability of IANA functions is outside the scope of the CCWG. The CCWG on Enhancing ICANN Accountability offered its first set of proposals for public comment in June 2015.

II. Numbers function: ICANN performs only technical functions for the numbers community. The policy-making functions for numbers are performed by RIRs. CRISP is focusing on the IANA functions for numbers and has submitted their proposal to the ICG earlier this year.

III. Protocols function: ICANN performs only technical functions for the protocols community. The policy-making functions for protocols are performed by IETF. IETF-WG is focusing on the IANA functions for protocols and has submitted their proposal to the ICG earlier this year.

Role of ICG

After receiving the proposals from all three communities the ICG must combine these proposals into a consolidated transition proposal and then seek public comment on all aspects of the plan. ICG’s role is crucial, because it must build a public record for the NTIA on how the three customer group submissions tie together in a manner that ensures NTIA’s HYPERLINK "http://www.ntia.doc.gov/press-release/2014/ntia-announces-intent-transition-key-internet-domain-name-functions"criteria[10] are met and institutionalized over the long term. Further, ICG's final submission to NTIA must include a plan to enhance ICANN’s accountability based on the CCWG-Accountability proposal.

NTIA Leverage

Reprocurement of the IANA contract is HYPERLINK "http://www.newamerica.org/oti/controlling-internet-infrastructure/"essential for ICANN HYPERLINK "http://www.newamerica.org/oti/controlling-internet-infrastructure/"'HYPERLINK "http://www.newamerica.org/oti/controlling-internet-infrastructure/"s HYPERLINK "http://www.newamerica.org/oti/controlling-internet-infrastructure/" legitimacy[11] in the DNS ecosystem and the authority to reopen the contract and in keeping the policy and operational functions separate meant that, NTIA could simply direct VeriSign to follow policy directives being issued from the entity replacing ICANN if they were deemed to be not complying. This worked as an effective leverage for ICANN complying to their commitments even if it is difficult to determine how this oversight was exercised. Perceptually, this has been interpreted as a broad overreach particularly, in the context of issues of sovereignty associated with ccTLDs and the gTLDs in their influence in shaping markets. However, it is important to bear in mind that the NTIA authorization comes after the operator, ICANN—has validated the request and does not deal with the substance of the request rather focuses merely on compliance with outlined procedure.

NTIA's role in the transition process

NTIA in its HYPERLINK "http://www.ntia.doc.gov/files/ntia/publications/ntia_second_quarterly_iana_report_05.07.15.pdf"Second Quarterly Report to the Congress[12] for the period of February 1-March 31, 2015 has outlined some clarifications on the process ahead. It confirmed the flexibility of extending the contract or reducing the time period for renewal, based on community decision. The report also specified that the NTIA would consider a proposal only if it has been developed in consultation with the multi-stakeholder community. The transition proposal should have broad community support and does not seek replacement of NTIA's role with a government-led or intergovernmental organization solution. Further the proposal should maintain security, stability, and resiliency of the DNS, the openness of the Internet and must meet the needs and expectations of the global customers and partners of the IANA services. NTIA will only review a comprehensive plan that includes all these elements.

Once the communities develop and ICG submits a consolidated proposal, NTIA will ensure that the proposal has been adequately “stress tested” to ensure the continued stability and security of the DNS. NTIA also added that any proposed processes or structures that have been tested to see if they work, prior to the submission—will be taken into consideration in NTIA's review. The report clarified that NTIA will review and assess the changes made or proposed to enhance ICANN’s accountability before initiating the transition.

Prior to ICANN'53, Lawrence E. Strickling Assistant Secretary for Communications and Information and NTIA Administrator HYPERLINK "http://www.ntia.doc.gov/blog/2015/stakeholder-proposals-come-together-icann-meeting-argentina"has posed some questions for consideration[13] by the communities prior to the completion of the transition plan. The issues and questions related to CCWG-Accountability draft are outlined below:

Proposed new or modified community empowerment tools—how can the CCWG ensure that the creation of new organizations or tools will not interfere with the security and stability of the DNS during and after the transition? Do these new committees and structures create a different set of accountability questions?
Proposed membership model for community empowerment—have other possible models been thoroughly examined, detailed, and documented? Has CCWG designed stress tests of the various models to address how the multistakeholder model is preserved if individual ICANN Supporting Organizations and Advisory Committees opt out?
Has CCWG developed stress tests to address the potential risk of capture and barriers to entry for new participants of the various models? Further, have stress tests been considered to address potential unintended consequences of “operationalizing” groups that to date have been advisory in nature?
Suggestions on improvements to the current Independent Review Panel (IRP) that has been criticized for its lack of accountability—how does the CCWG proposal analyze and remedy existing concerns with the IRP?
In designing a plan for improved accountability, should the CCWG consider what exactly is the role of the ICANN Board within the multistakeholder model? Should the standard for Board action be to confirm that the community has reached consensus, and if so, what accountability mechanisms are needed to ensure the Board operates in accordance with that standard?
The proposal is primarily focused on the accountability of the ICANN Board—has the CCWG considered accountability improvements that would apply to ICANN management and staff or to the various ICANN Supporting Organizations and Advisory Committees?
NTIA has also asked the CCWG to build a public record and thoroughly document how the NTIA criteria have been met and will be maintained in the future.
Has the CCWG identified and addressed issues of implementation so that the community and ICANN can implement the plan as expeditiously as possible once NTIA has reviewed and accepted it.

NTIA has also sought community’s input on timing to finalize and implement the transition plan if it were approved. The Buenos Aires meeting became a crucial point in the transtion process as following the meeting, NTIA will need to make a determination on extending its current contract with ICANN. Keeping in mind that the community and ICANN will need to implement all work items identified by the ICG and the Working Group on Accountability as prerequisites for the transition before the contract can end, the community’s input is critical.

NTIA's legal standing

On 25th February, 2015 the US Senate Committee on Commerce, Science & Transportation on 'Preserving the Multi-stakeholder Model of Internet Governance'[14] heard from NTIA head Larry Strickling, Ambassador Gross and Fadi Chehade. The hearing sought to plug any existing legal loopholes, and tighten its administrative, technical, financial, public policy, and political oversight over the entire process no matter which entity takes up the NTIA function. The most important takeaway from this Congressional hearing came from Larry Strickling’s testimony[15] who stated that NTIA has no legal or statutory responsibility to manage the DNS.

If the NTIA does not have the legal responsibility to act, and its role was temporary; on what basis is the NTIA driving the current IANA Transition process without the requisite legal authority or Congressional mandate? Historically, the NTIA oversight, effectively devised as a leverage for ICANN fulfilling its commitments have not been open to discussion. HYPERLINK "http://forum.icann.org/lists/comments-ccwg-accountability-draft-proposal-04may15/pdfnOquQlhsmM.pdf"Concerns have also been raised[16] on the lack of engagement with non-US governments, organizations and persons prior to initiating or defining the scope and conditions of the transition. Therefore, any IANA transition plan must consider this lack of consultation, develop a multi-stakeholder process as the way forward—even if the NTIA wants to approve the final transition plan.

Need to strengthen Diversity Principle

Following submissions by various stakeholders raising concerns regarding developing world participation, representation and lack of multilingualism in the transition process—the Diversity Principle was included by ICANN in the Revised Proposal of 6 June 2014. Given that representatives from developing countries as well as from stakeholder communities outside of the ICANN community are unable to productively involve themselves in such processes because of lack of multilingualism or unfamiliarity with its way of functioning merely mentioning diversity as a principle is not adequate to ensure abundant participation. As CIS has pointed out[17] before issues have been raised about the domination by North American or European entities which results in undemocratic, unrepresentative and non-transparent decision-making in such processes. Accordingly, all the discussions in the process should be translated into multiple native languages of participants in situ, so that everyone participating in the process can understand what is going on. Adequate time must be given for the discussion issues to be translated and circulated widely amongst all stakeholders of the world, before a decision is taken or a proposal is framed. This was a concern raised in the recent CCWG proposal which was extended as many communities did not have translated texts or adequate time to participate.

Representation of the global multistakeholder community in ICG

Currently, the Co-ordination Group includes representatives from ALAC, ASO, ccNSO, GNSO, gTLD registries, GAC, ICC/BASIS, IAB, IETF, ISOC, NRO, RSSAC and SSAC. Most of these representatives belong to the ICANN community, and is not representative of the global multistakeholder community including governments. This is not representative of even a multistakeholder model which the US HYPERLINK "http://cis-india.org/internet-governance/blog/iana-transition-suggestions-for-process-design"g HYPERLINK "http://cis-india.org/internet-governance/blog/iana-transition-suggestions-for-process-design"ov HYPERLINK "http://cis-india.org/internet-governance/blog/iana-transition-suggestions-for-process-design"ernment HYPERLINK "http://cis-india.org/internet-governance/blog/iana-transition-suggestions-for-process-design"has announced[18] for the transition; nor in the multistakeholder participation spirit of NETmundial. Adequate number of seats on the Committee must be granted to each stakeholder so that they can each coordinate discussions within their own communities and ensure wider and more inclusive participation.

ICANN's role in the transition process

Another issue of concern in the pre-transition process has been ICANN having been charged with facilitating this transition process. This decision calls to question the legitimacy of the process given that the suggestions from the proposals envision a more permanent role for ICANN in DNS management. As Kieren McCarthy has pointed out [19]ICANN has taken several steps to retain the balance of power in managing these functions which have seen considerable pushback from the community. These include an attempt to control the process by announcing two separate processes[20] – one looking into the IANA transition, and a second at its own accountability improvements – while insisting the two were not related. That effort was beaten down[21] after an unprecedented letter by the leaders of every one of ICANN's supporting organizations and advisory committees that said the two processes must be connected.

Next, ICANN was accused of stacking the deck[22] by purposefully excluding groups skeptical of ICANN’s efforts, and by trying to give ICANN's chairman the right to personally select the members of the group that would decide the final proposal. That was also beaten back. ICANN staff also produced a "scoping document"[23], that pre-empt any discussion of structural separation and once again community pushback forced a backtrack.[24]

These concerns garner more urgency given recent developments with the community working HYPERLINK "http://www.ietf.org/mail-archive/web/ianaplan/current/msg01680.html"groups[25] and ICANN divisive view of the long-term role of ICANN in DNS management. Further, given HYPERLINK "https://www.youtube.com/watch?v=yGwbYljtNyI#t=1164"ICANNHYPERLINK "https://www.youtube.com/watch?v=yGwbYljtNyI#t=1164" HYPERLINK "https://www.youtube.com/watch?v=yGwbYljtNyI#t=1164"President Chehade’s comments that the CWG is not doing its job[26], is populated with people who do not know anything and the “IANA process needs to be left alone as much as possible”. Fadi also specified that ICANN had begun the formal process of initiating a direct contract with VeriSign to request and authorise changes to be implemented by VeriSign. While ICANN may see itself without oversight in this relationship with VeriSign, it is imperative that proposals bear this plausible outcome in mind and put forth suggestions to counter this.

The HYPERLINK "http://www.ietf.org/mail-archive/web/ianaplan/current/msg01680.html"update from IETF on the ongoing negotiation with ICANN on their proposal[27] related to protocol parameters has also flagged that ICANN is unwilling to cede to any text which would suggest ICANN relinquishing its role in the operations of protocol parameters to a subsequent operator, should the circumstances demand this. ICANN has stated that agreeing to such text now would possibly put them in breach of their existing agreement with the NTIA. Finally, HYPERLINK "https://twitter.com/arunmsukumar/status/603952197186035712"ICANN HYPERLINK "https://twitter.com/arunmsukumar/status/603952197186035712"Board Member, Markus Kummer[28] stated that if ICANN was to not approve any aspect of the proposal this would hinder the consensus and therefore, the transition would not be able to move forward.

ICANN has been designated the convenor role by the US government on basis of its unique position as the current IANA functions contractor and the global coordinator for the DNS. However it is this unique position itself which creates a conflict of interest as in the role of contractor of IANA functions, ICANN has an interest in the outcome of the process being conducive to ICANN. In other words, there exists a potential for abuse of the process by ICANN, which may tend to steer the process towards an outcome favourable to itself.

Therefore there exists a strong rationale for defining the limitations of the role of ICANN as convenor. The community has suggested that ICANN should limit its role to merely facilitating discussions and not extend it to reviewing or commenting on emerging proposals from the process. Additional safeguards need to be put in place to avoid conflicts of interest or appearance of conflicts of interest. ICANN should further not compile comments on drafts to create a revised draft at any stage of the process. Additionally, ICANN staff must not be allowed to be a part of any group or committee which facilitates or co-ordinates the discussion regarding IANA transition.

How is the Obama Administration and the US Congress playing this?

Even as the issues of separation of ICANN's policy and administrative role remained unsettled, in the wake of the Snowden revelations, NTIA initiated the long due transition of the IANA contract oversight to a global, private, non-governmental multi-stakeholder institution on March 14, 2014. This announcement immediately raised questions from Congress on whether the transition decision was dictated by technical considerations or in response to political motives, and if the Obama Administration had the authority to commence such a transition unilaterally, without prior open stakeholder consultations. Republican HYPERLINK "http://www.reuters.com/article/2015/06/02/us-usa-internet-icann-idUSKBN0OI2IJ20150602"lawmakers have raised concerns about the IANA transition plan [29]worried that it may allow other countries to capture control.

More recently, HYPERLINK "https://www.congress.gov/bill/114th-congress/house-bill/2251"Defending Internet Freedom Act[30] has been re-introduced to US Congress. This bill seeks ICANN adopt the recommendations of three internet community groups, about the transition of power, before the US government relinquishes control of the IANA contract. The bill also seeks ownership of the .gov and .mil top-level domains be granted to US government and that ICANN submit itself to the US Freedom of Information Act (FOIA), a legislation similar to the RTI in India, so that its records and other information gain some degree of public access.It has also been asserted by ICANN that neither NTIA nor the US Congress will approve any transition plan which leaves open the possibility of non-US IANA Functions Operator in the future.

Funding of the transition

The Obama administration is also HYPERLINK "http://www.broadcastingcable.com/news/washington/house-bill-blocks-internet-naming-oversight-handoff/141393"fighting a Republican-backed Commerce, Justice, Science, and HYPERLINK "http://www.broadcastingcable.com/news/washington/house-bill-blocks-internet-naming-oversight-handoff/141393"Related Agencies Appropriations Act (H.R. 2578)[31] which seeks to block NTIA funding the IANA transition. One provision of this bill restricts NTIA from using appropriated dollars for IANA stewardship transition till the end of the fiscal year, September 30, 2015 also the base period of the contact in function. This peculiar proviso in the Omnibus spending bill actually implies that Congress believes that the IANA Transition should be delayed with proper deliberation, and not be rushed as ICANN and NTIA are inclined to.

The IANA Transition cannot take place in violation of US Federal Law that has defunded it within a stipulated time-window. At the Congressional Internet Caucus in January 2015, NTIA head Lawrence Strickling clarified that NTIA will “not use appropriated funds to terminate the IANA functions...” or “to amend the cooperative agreement with Verisign to eliminate NTIA's role in approving changes to the authoritative root zone file...”. This implicitly establishes that the IANA contract will be extended, and Strickling confirmed that there was no hard deadline for the transition.

DOTCOM Act

The Communications and Technology Subcommittee of the House Energy and Commerce Committee HYPERLINK "http://energycommerce.house.gov/markup/communications-and-technology-subcommittee-vote-dotcom-act"amended the DOTCOM Act[32], a bill which, in earlier drafts, would have halted the IANA functions transition process for up to a year pending US Congressional approval. The bill in its earlier version represented unilateral governmental interference in the multistakeholder process. The new bill reflects a much deeper understanding of, and confidence in, the significant amount of work that the global multistakeholder community has undertaken in planning both for the transition of IANA functions oversight and for the increased accountability of ICANN. The amended DOTCOM Act would call for the NTIA to certify – as a part of a proposed GAO report on the transition – that “the required changes to ICANN’s by-laws contained in the final report of ICANN’s Cross Community Working Group on Enhancing ICANN Accountability and the changes to ICANN’s bylaws required by ICANN’s IANA have been implemented.” The bill enjoys immense bipartisan support[33], and is being lauded as a prudent and necessary step for ensuring the success of the IANA transition.

[1] IANA Functions Contract <http://www.ntia.doc.gov/files/ntia/publications/sf_26_pg_1-2-final_award_and_sacs.pdf> accessed 15th June 2015

[2] Daniel Karrenberg, The Internet Domain Name System Explained For Nonexperts <http://www.internetsociety.org/sites/default/files/The%20Internet%20Domain%20Name%20System%20Explained%20for%20Non-Experts%20(ENGLISH).pdf> accessed 15 June 2015

[3] David Post and Danielle Kehl, Controlling Internet Infrastructure The “IANA Transition” And Why It Matters For The Future Of The Internet, Part I (1st edn, Open Technology Institute 2015) <https://static.newamerica.org/attachments/2964-controlling-internet-infrastructure/IANA_Paper_No_1_Final.32d31198a3da4e0d859f989306f6d480.pdf> accessed 10 June 2015.

[4] Iana.org, 'IANA — Root Files' (2015) <https://www.iana.org/domains/root/files> accessed 11 June 2015.

[5] 'NTIA's Role In Root Zone Management' (2014). <http://www.ntia.doc.gov/files/ntia/publications/ntias_role_root_zone_management_12162014.pdf> accessed 15 June 2015.

[6] Contract ( 2011) <http://www.ntia.doc.gov/files/ntia/publications/11102011_solicitation.pdf> accessed 10 June 2015.

[7] Kieren McCarthy, 'Confidential Information Exposed Over 300 Times In ICANN Security Snafu' The Register (2015) <http://www.theregister.co.uk/2015/04/30/confidential_information_exposed_over_300_times_in_icann_security_snafu/> accessed 15 June 2015.

[8] NTIA, ‘NTIA Announces Intent To Transition Key Internet Domain Name Functions’ (2014) <http://www.ntia.doc.gov/press-release/2014/ntia-announces-intent-transition-key-internet-domain-name-functions> accessed 15 June 2015.

[9] NTIA, ‘NTIA Announces Intent To Transition Key Internet Domain Name Functions’ (2014) <http://www.ntia.doc.gov/press-release/2014/ntia-announces-intent-transition-key-internet-domain-name-functions> accessed 15 June 2015.

[10] NTIA, ‘NTIA Announces Intent To Transition Key Internet Domain Name Functions’ (2014) <http://www.ntia.doc.gov/press-release/2014/ntia-announces-intent-transition-key-internet-domain-name-functions> accessed 15 June 2015.

[11] David Post and Danielle Kehl, Controlling Internet Infrastructure The “IANA Transition” And Why It Matters For The Future Of The Internet, Part I (1st edn, Open Technology Institute 2015) <https://static.newamerica.org/attachments/2964-controlling-internet-infrastructure/IANA_Paper_No_1_Final.32d31198a3da4e0d859f989306f6d480.pdf> accessed 10 June 2015.

[12] National Telecommunications and Information Administration, 'REPORT ON THE TRANSITION OF THE STEWARDSHIP OF THE INTERNET ASSIGNED NUMBERS AUTHORITY (IANA) FUNCTIONS' (NTIA 2015) <http://www.ntia.doc.gov/files/ntia/publications/ntia_second_quarterly_iana_report_05.07.15.pdf> accessed 10 July 2015.

[13] Lawrence Strickling, 'Stakeholder Proposals To Come Together At ICANN Meeting In Argentina' <http://www.ntia.doc.gov/blog/2015/stakeholder-proposals-come-together-icann-meeting-argentina> accessed 19 June 2015.

[14] Philip Corwin, 'NTIA Says Cromnibus Bars IANA Transition During Current Contract Term' <http://www.circleid.com/posts/20150127_ntia_cromnibus_bars_iana_transition_during_current_contract_term/> accessed 10 June 2015.

[15] Sophia Bekele, '"No Legal Basis For IANA Transition": A Post-Mortem Analysis Of Senate Committee Hearing' <http://www.circleid.com/posts/20150309_no_legal_basis_for_iana_transition_post_mortem_senate_hearing/> accessed 9 June 2015.

[16] Comments On The IANA Transition And ICANN Accountability Just Net Coalition (2015) <http://forum.icann.org/lists/comments-ccwg-accountability-draft-proposal-04may15/pdfnOquQlhsmM.pdf> accessed 12 June 2015.

[17] The Centre for Internet and Society, 'IANA Transition: Suggestions For Process Design' (2014) <http://cis-india.org/internet-governance/blog/iana-transition-suggestions-for-process-design> accessed 9 June 2015.

[18] The Centre for Internet and Society, 'IANA Transition: Suggestions For Process Design' (2014) <http://cis-india.org/internet-governance/blog/iana-transition-suggestions-for-process-design> accessed 9 June 2015.

[19] Kieren McCarthy, 'Let It Go, Let It Go: How Global DNS Could Survive In The Frozen Lands Outside US Control Public Comments On Revised IANA Transition Plan' The Register (2015) <http://www.theregister.co.uk/2015/05/26/iana_icann_latest/> accessed 15 June 2015.

[20] Icann.org, 'Resources - ICANN' (2014) <https://www.icann.org/resources/pages/process-next-steps-2014-08-14-en> accessed 13 June 2015.

[21] <https://www.icann.org/en/system/files/correspondence/crocker-chehade-to-soac-et-al-18sep14-en.pdf> accessed 10 June 2015.

[22] Richard Forno, '[Infowarrior] - Internet Power Grab: The Duplicity Of ICANN' (Mail-archive.com, 2015) <https://www.mail-archive.com/infowarrior@attrition.org/msg12578.html> accessed 10 June 2015.

[23] ICANN, 'Scoping Document' (2014) <https://www.icann.org/en/system/files/files/iana-transition-scoping-08apr14-en.pdf> accessed 9 June 2015.

[24] Milton Mueller, 'ICANN: Anything That Doesn’T Give IANA To Me Is Out Of Scope |' (Internetgovernance.org, 2014) <http://www.internetgovernance.org/2014/04/16/icann-anything-that-doesnt-give-iana-to-me-is-out-of-scope/> accessed 12 June 2015.

[25] Andrew Sullivan, '[Ianaplan] Update On IANA Transition & Negotiations With ICANN' (Ietf.org, 2015) <http://www.ietf.org/mail-archive/web/ianaplan/current/msg01680.html> accessed 14 June 2015.

[26] DNA Member Breakfast With Fadi Chehadé (2015-02-11) (The Domain Name Association 2015).

[27] Andrew Sullivan, '[Ianaplan] Update On IANA Transition & Negotiations With ICANN' (Ietf.org, 2015) <http://www.ietf.org/mail-archive/web/ianaplan/current/msg01680.html> accessed 14 June 2015.

[28] Mobile.twitter.com, 'Twitter' (2015) <https://mobile.twitter.com/arunmsukumar/status/603952197186035712> accessed 12 June 2015.

[29] Alina Selyukh, 'U.S. Plan To Cede Internet Domain Control On Track: ICANN Head' Reuters (2015) <http://www.reuters.com/article/2015/06/02/us-usa-internet-icann-idUSKBN0OI2IJ20150602> accessed 15 June 2015.

[30] 114th Congress, 'H.R.2251 - Defending Internet Freedom Act Of 2015' (2015).

[31] John Eggerton, 'House Bill Blocks Internet Naming Oversight Handoff: White House Opposes Legislation' Broadcasting & Cable (2015) <http://www.broadcastingcable.com/news/washington/house-bill-blocks-internet-naming-oversight-handoff/141393> accessed 9 June 2015.

[32] Communications And Technology Subcommittee Vote On The DOTCOM Act (2015).

[33] Timothy Wilt, 'DOTCOM Act Breezes Through Committee' Digital Liberty (2015) <http://www.digitalliberty.net/dotcom-act-breezes-committee-a319> accessed 22 June 2015.

For more details visit https://cis-india.org/internet-governance/blog/iana-transitition-stewardship-icann-accountability-1

The I-MACX Summit & Demo Day (Spring 2015)

praskrishna — 2015-08-23T09:37:40Z

IIIT-B Innovation Center organized this event in Bangalore on June 18, 2015. Sunil Abraham participated as a speaker.

Programme

Time	Agenda
1.00 p.m.	Registration
1.15 p.m.	Welcome Address
1.30 p.m.	Keynote: “Solving Civic Issues through Technology Platforms” by Dr. Pramod Varma, Chief Architect – Technology, UIDAI
1.50 p.m.	Panel Discussion: “Opportunities and Challenges in Civic-Tech Startup Space” Ms. Radha Kizhanattam, Principal – Unitus Seed Fund Mr. Shyam Menon, Co-founder – Infuse Ventures Mr. Sunil Abraham, Executive Director – The Center for Internet & Society Mr. Rajith Shaji, Product Manager – Janaagraha Mr. VS Prakash, Director – Karnataka State Natural Disasters Monitoring Center (Retd.); Currently Registrar – IIIT Bangalore Mr. Syed Suhale Perveez, Senior Manager – Emergency Management Research Institute (108) Moderated by Dr. TK Srikanth, Professor – IIIT Bangalore
2.45 p.m.	Startups Pitch
3.55 p.m.	Vote of Thanks
4.00 p.m.	Investors – Startups discuss over High Tea Startups demonstrate their innovative solutions

About the Summit:

The I-MACX Summit is a civic-tech focused event that intends to bring together innovators from government and social organizations along with civic-minded startups, influencers, activists, investors and entrepreneurs.

The I-MACX Summit aims to not only bring out the opportunities and the challenges in the civictech space, but also showcase the offerings that are being created by the civic-tech startups nurtured at IIIT-B Innovation Center.

The I-MACX Summit, envisions itself as a thought-leadership forum that would delve into how the various players in the civic-tech ecosystem could potentially transform governance and society, using the emerging technologies (IOT, Data Analytics, Sensors, Mobile, Cloud).

For more details visit https://cis-india.org/internet-governance/news/icmax-summit-and-demo-day