Centre for Internet & Society

In an interview with Catch, Sunil Abraham, executive director of the Centre for Internet & Society, puts the recent US-India cyber relationship framework into perspective. Abraham also talks about how Indian surveillance policies are outdated and why the country has failed to check the hegemonic tendencies of companies like Facebook and Google.

The interview was published by Catch News on July 3, 2016.

Sunil Abraham

US-India signed a cyber relationship framework earlier this month. Could you explain some of the takeouts that may have important implications in the near future?

In the framework, both sides have made a "commitment to the multi-stakeholder model of Internet governance" - in immediate practical terms that means India will accept the Internet Assigned Numbers Authority (IANA) transition proposed for the Internet Corporation for Assigned Names and Numbers (ICANN). Unfortunately, as my colleague Pranesh Prakash points out "U.S. state control over the core of the internet's domain name system is not being removed by the transition that is currently underway."

India along with Brazil and other emerging powers should have insisted that the question of jurisdiction be addressed before the transition. We must remember that the multi-stakeholder model is just a fancy name for open and participatory self-regulation by the private sector. While the multi-stakeholder model is useful as a complement to traditional state-led regulation, it cannot be used to protect human rights or ensure the security of a nation state.

[That is precisely why - the very next sentence in the announcement for the framework for the US-India Cyber Relationship says "a recognition of the leading role for governments in cyber security matters relating to national security". This is because ICANN-style multistakeholderism requires all stakeholders to be on "equal footing" without "distinct roles and responsibilities". In other words, the governments are saying that the multistakeholder model is fine for all Internet Governance areas with the exception of Cyber Security. Given the limits of the multistakeholder model this is indeed the wise thing to do. Since American corporations dominate the Internet, US foreign policy has historically pushed for the multistakeholder model as a fig leaf for forbearance and reduced foreign regulatory burden for American corporations operating in other jurisdictions. Therefore India must not drink the multistakeholder Kool-Aid wholesale. It cannot afford a laissez-faire approach where it waits for corporations to self-regulate - it must regulate whenever public interest or human rights are harmed. In other words, it must go beyond the multistakeholder model and produce appropriate regulation where necessary. Needless to add - it must also deregulate in areas where harms don't exist. Apart from this, many of the details of the announcement are positive steps that will increase security in India and the USA, and indeed also across the world.]

What are some aspects of Intellectual Property Rights that should be looked at, in the context of the framework?

There is some language around Intellectual Property Rights (IPR) that should be examined carefully too. The US corporations benefit from a maximalist IP regime. But Make in India, Digital India and Startup India all depend on flexibilities to the IP regime and therefore India should refuse signing Trans-Pacific Partnership (TPP) obligations like the "Digital 2 Dozen", which the US is actively proselytizing across the Pacific. If we make that mistake, we will make zero progress in indigenous security research and product development and also many other areas of our economy, health sector and education sector will be severely compromised. Therefore it would be best to keep IP rights expansion and enforcement out of the framework for the US-India Cyber Relationship.

The PIL seeking a ban on WhatsApp was refused by the SC recently. Encrypted messaging services like Telegram however, have been used in the past by terror groups. What's your take on such end-to-end encryption services?

Privacy and security are two sides of the same coin. You cannot have one without the other. End-to-end encryption is the basis for online privacy. End-to-end encryption is a pre-requisite for many legitimate actions of law abiding citizens online such as commerce, banking, tele-medicine, protection of intellectual property, witness/source protection, client confidentiality etc. Therefore, banning end-to-end encryption would mean the death of individual privacy and national security.

If the government wants to promote cyber security it should promote the use of end-to-end encryption amongst law abiding citizens.

Terrorists have to be stopped through targeted profiling, surveillance and interception. Big data analytics may be useful to watch for patterns in the metadata but there is no replacement for good old-fashioned police work.

Once suspects have been identified the encrypted channels can be compromised by:

  1. Placing trojans on the end-user devices
  2. Performing man-in-the-middle attacks and
  3. Using brute force attacks with super computers.

Snowden's revelations have made it very clear that blanket and mass surveillance does not help foil terror attacks or stop organised crime. So far, research and government reports from across the world indicate that only a minority of terrorists use encryption. However, this situation may change.

We don't have any proper encryption policy under the IT Act yet. What's taking so long and what are the key points that any policy in this matter must include in future?

We need many different types of encryption policies. We need a policy that mandates encryption and digital signature for all government personnel and also for all government transactions. We need policies that promote research and development in cryptography and mathematics. We need to update our criminal procedure code so that encrypted communications and data can be targeted by law enforcement and used effectively in the criminal justice process.

However, we should not have any broad encryption policy that tries to regulate encryption as a technology. That would be a highly regressive move and will be impossible to enforce. That would breed contempt for rule of law.

Surveillance and the tech around it has been contentious for various governments. Where do we stand vis-a-vis regulating surveillance measures by the state?

Our surveillance and interception laws are outdated. They need to be modernized to deal with advancements in technology and also global developments when it comes to data protection and privacy law.

In fact, our organisation was part of a global effort called Necessary and Proportionate which identified 13 principles to modernise surveillance which are connected to various aspects such as Legality, Legitimate aim, Competent judicial authority, Integrity of communications and systems and more. Some of these principles may have to be customised for the Indian context. [For example, given the load on courts perhaps India should stay with executive authorization of interceptions and data access requests. However, getting the law correct is only half the job. For the law cannot fix what the technology has broken. Some surveillance projects are well designed. For example, the NATGRID - from what I understand it is a standard and platform that will allow 12 security, intelligence and law enforcement agencies to temporarily make unions of sub-sets of 21 data sources. These automated temporary databases will be created under existing data access provisions of the law. I also hope the NATGRID is using cryptography to ensure the maintenance of a non-repudiable log that will identify all officers involved in authorizing each request and accessing the resultant data. Unfortunately, other surveillance projects are unmitigated disasters. For example, UID or Aadhaar. Many Indians don't realize that Aadhaar is a surveillance project. Biometrics is just a fancy name for remote, covert and non-consensual identification technology. Using the UID database the government can identify every single Indian without their consent. The so-called "consent layer" in the India Stack is being developed by volunteers outside the UIDAI to avoid transparency under the Right to Information Act. Nothing in the current layer of the "consent layer" allows citizens to revoke consent. There is no facility in the UID Act to delete yourself from the database.
Identity information aka the UID number and authentication information aka your biometrics for about a billion Indians have been collected and stored in a centralized location. It is as if our parliamentarians have written an open letter to criminals and foreign governments saying "here is the information you need to wreak wholesale damage - come and get it". Hopefully the Supreme Court will save us from this impending disaster.]

With a sluggish US market, India has the biggest potential for companies like FB & Google, next only to China. Do you feel that in the quest to take over the Indian market, FB & Google are going to monopolise cyberspace in India?

I have news for you - they have already monopolised Indian cyberspace. They have completely wiped out competition in certain domains.

One of the many reasons they have done this is because we don't have laws and regulations to temper their hegemonic tendencies. For example, we could use data portability and interoperability mandates for social media to spark competition in markets where there are entrenched monopolies.

Competition law can be used to protect other firms from abuse of market power. Consumer protection law and privacy law could be used to ensure that users' rights are not compromised in the race for market share. In addition, a modern privacy law compliant with the best practices in the European Data Protection Regulation 2016, would allow emerging Indian companies to compete with giants like Facebook and Google on a level playing field. [Speaking of level playing field - only recently has the government introduced the "equalization levy". This was long overdue. Imagine the amount of tax that could have been collected so far and damage that has been done to competition. Regardless, the current NDA government deserves our kudos for ensuring that Facebook and Google contribute their fair share of taxes. The new IPR Policy was also an opportunity to address the monopoly of Google and Facebook. There should have been a concerted attempt to use free/open source software, open standards and open content to bolster Indic language technologies. A billion dollars from every spectrum auction should be used to create incentives for Indian private sector, research and academic organisations who can contribute openly to the Indic cyberspace. This is the market where we can still build a highly competitive market. Today, given government inaction - millions of Indians are training Google's language platforms every time they use machine translation or speech to text technologies. This corpus of information will not be available for public interest research. Ideally we should also have Indians contributing to commons-based peer production projects like Wikipedia for their Indic language needs. Unfortunately the government totally missed this opportunity.]