Centre for Internet and Society

Civil Liberties and the amended Information Technology Act, 2000

Malavika Jayaram — 2012-03-21T10:13:53Z

This post examines certain limitations of the Information Technology Act, 2000 (as amended in 2008). Malavika Jayaram points out the fact that when most countries of the world are adopting plain English instead of the conventional legal terminology for better understanding, India seems to be stuck in the old-fashioned method thereby, struggling to maintain a balance between clarity and flexibility in drafting its laws. The present Act, she says, is although an improvement over the old Act and seeks to address and improve on certain areas in the right direction but still comes up short in making necessary changes when it comes to fundamental rights and personal liberties. The new Act retains elements from the previous one making it an abnormal document and this could have been averted if there had been some attention to detail.

After close to a decade of dealing with English statutes, European directives and pan-European regulations, I was struck anew by the antique style of Indian draftsmanship on my return. Much of the world is moving away from stiff legal speech and towards plain English. Even England has converted to a simpler, more concise legal rhetoric. India, however, has a peculiar genius for imprecision and euphemism that makes the purpose and implications of the law hard to understand and apply. While it may seem quaint, to pepper a law with terms like ‘inconvenience’, ‘nuisance’ or ‘annoyance’, the language fails to convey the seriousness of the offences being defined. A reading of the Information Technology Act, 2008, in its new incarnation incorporating the latest amendments and rules (ITA), is a case in point.

Legal draftsmen inevitably wrestle with the age-old dilemma of the generic versus the specific, the potential dangers of a broad definition versus the built-in obsolescence of a narrow spotlight. The crafters of the ITA, in their admittedly admirable attempts to redress some of the gaps and ambiguity in the original law, appear to have struggled in their efforts to strike a balance between clarity and flexibility. While the new avatar is certainly an improvement in some areas, one can’t help but regret the missed opportunity to make necessary changes. Most importantly is the negative impact of the occasionally sloppy and sometimes overly wide drafting on deeply cherished fundamental rights and personal liberties.

Among other things, the ITA has sought to address and improve aspects such as technology neutrality, data protection, phishing and spam, child pornography, the liability of intermediaries and cyber terrorism. While many of these amendments are a step in the right direction, the actual drafting that implements the high level objectives suffers in many respects. For example, the previous emphasis on ‘digital signatures’ has shifted to the technologically neutral ‘electronic signatures’ but the changes have not been carried out thoroughly enough to expunge the old concept entirely. The current law is a bit of an abnormal document in that it contains elements of both concepts, which some attention to detail could easily have averted. Another example is that the provisions meant to combat spam and phishing end up using the dreaded ‘annoyance’ and ‘inconvenience’ terminology with the effect of casting the net of criminality over far more than is appropriate. For example, mail sent with the purpose of causing ‘annoyance’ or ‘inconvenience’ (not exactly the worst offence in the offline world) could put someone behind bars.

An important set of well intentioned but woefully inadequate provisions are those relating to the protection of data. The absence of a specific law on data protection had, in itself, garnered much criticism both within the country as well as in the context of international transactions and outsourcing. The old Act offered the feeble protection of a single provision (section 43) that dealt with unauthorised access and damage to data. In an attempt to meet industry demands and international market standards, the ITA introduced two sections that address civil and criminal sanctions. While this exercise understandably falls far short of a comprehensive law relating to data (being squeezed into an omnibus piece of technology related legislation, rather than one geared up only to deal with data), there was considerable anticipation of its role in papering over the existing cracks and provide a workable, if temporary, data protection regime.

However, the attempt is such a limited one, and so replete with shortcomings that the need for a ‘proper’ data protection law still stands. Given the proposed initiation of the UID scheme, in particular, there is a compelling need for a robust and intelligent law in this regard. Most other countries’ regimes clearly do at least the following:

define and classify types of data (for example, in most European countries, ‘personal data’ is any data that identifies an individual, ‘sensitive personal data’ is data that reveals details of ethnicity, religion, health, sexuality, political opinion, etc.),
fine-tune the nature of protection to the categories of data (i.e., greater standards of care around sensitive personal data),
apply equally to data stored offline and manually as to data stored on computer systems,
distinguish between a data controller (i.e., one who takes decisions as to data) and a data processor (i.e., one who processes data on the instructions of the data controller),
impose clear restrictions on the manner of data collection (for example, must be obtained fairly and lawfully),
give clear guidelines on the purposes for which that data can be put to and by whom (often involving a consent requirement that gives the individual a great degree of control over their data),
require certain standards and technical measures around the collection, storage, access to, protection, retention and destruction of data,
ensure that the use of data is adequate, relevant and not excessive given the purpose for which it was gathered,
cater for opt-in and opt-out type regimes, again to provide individuals with a measure of control over the use of their data even after the stage of initial collection (which has a huge impact on invasive telemarketing or unsolicited written communication)
impose a knowledge requirement and procedures for allowing individuals to seek information on what data is held on them, and
create safeguards and penalties that are well tailored to breaches of any of the above.

Unfortunately, and perhaps understandably, the ITA barely begins to scratch the surface of what a good data protection regime entails. The provisions that it does introduce (sections 43-A and 72-A) have glaring inadequacies. Briefly:

the term ‘sensitive personal data or information’ is used indiscriminately without any definition,
the provisions only cover electronic data and records, not data stored in non-electronic systems or media,
they offer no guidance on most of the principles set out above such as in relation to accuracy, adequacy, consent, purpose, etc.,
in the absence of the controller-processor distinction, liability is imposed on persons, who are not necessarily in a position to control data, even if it is in their possession,
civil liability for data breaches only arises where ‘negligence’ is involved (i.e., failure to have security procedures or failure to implement them correctly will not automatically result in damages unless negligence is proven),
similarly, criminal liability only applies to cases of information obtained in the context of a service contract, and requires an element of ‘wilfulness’, or a disclosure without consent or in breach of a lawful contract – this is a very limited remit aimed largely at preventing disgruntled or unscrupulous employees from dealing in company/customer data.

For these broad reasons, we can see that even the amended ITA disappoints those who expected a greatly improved regime in relation to data. It is widely anticipated that the UID scheme, which poses so many potential data protection issues, will serve as a catalyst for a standalone law that is on par with the more sophisticated regimes that function very well in other countries. One great feature common to most of those regimes is that they are consumer/individual focused. The freedom and privacy of the individual is the central concern of protection. Our ITA seems far more concerned with providing corporates with a stick to beat errant employees with, and with catering to the needs of the outsourcing and IT industries. It remains to be seen whether the UID scheme will merely galvanise some targeted legal action covering UIDs rather than generating a broad based piece of legislation.

In addition to the criticisms levelled at the data protection provisions, the other large subset of concerns has been in relation to the civil liberties implications of the ITA. There has been some horror expressed in various forums and media about the ITA contributing to the growth of a police state, to severe curtailment of the freedom of speech and expression, to the invasion of privacy, and to the disproportionate severity of penalisation for offences that are placed on crimes committed in cyberspace compared to crimes committed in the hear and now. Sadly, this is true to a large extent given the clunky treatment of ‘cyber terrorism’, the intolerable pre-censorship that is enabled by the blocking of websites, the broad approach to the monitoring and collection of data, and the demanding obligations of intermediaries to cooperate with interception, monitoring and decryption of data for poorly defined reasons.

While our Constitution’s fundamental rights chapter, which enshrines certain basic, democratic, and profound rights, might not have the same vocabulary of due process as we see in the US, it nevertheless requires restrictions to be reasonable. Precedents and the wider jurisprudence in the field have further developed the concepts of checks and balances, procedural safeguards and legitimacy of restraints that a functioning democracy like India must accord to its people. It can be argued that several provisions of the ITA cause significant tension with the right to freedom of speech and expression, the right against self-incrimination, the right to equality before the law, and the right to practice a trade or profession. To briefly deal with the worst offenders in the IT Act, I have divided them into some broader topics:

Pre-censorship

Some of the most excessive provisions relate to the free hand with which public access to websites can be blocked. Previously, there was some hope that the rules yet to be formulated in connection with section 69-A would offer some procedural safeguards. The recently notified rules do contain details – in the bureaucratese that we have come to expect – of the process to be followed by the designated functionaries. They also permit the concerned person or intermediary to submit a reply and clarifications to the committee before the decision to block access is taken.

These rules are to a large extent undermined by rule 9 (“Blocking of information in cases of emergency”), which provides that, “…in any case of an emergency nature, for which no delay is acceptable…”, the process will turn into an internal escalation within the department of IT and interim directions relating to blocking access may be issued without giving (him) an opportunity of hearing. There are those who think that, given the events of 26/11, this is wholly justified but the prospect of abuse fills others with dread. The rules may offer detailed time-frames within which orders are made and approved, require reasons to be recorded in writing, provide that emergency orders may be revoked and information unblocked, etc. Regardless, the nature of the process (executive rather than judicial), the ease with which it can be abused, and the fact that the review committee will only meet once in two months to check for compliance, set aside incorrect orders and unblock information, does not offer much comfort. If a site is incorrectly blocked, it could take up to two months for this to be rectified, which could cause a great damage to the owner of the site, and indeed to the wider public that has an interest in uncensored, free speech.

Given that any person can submit a request, it is not unreasonable to anticipate a certain level of frivolous and malicious requests for blocking sites, especially given that the grounds for blocking are very wide (the often repeated set that we are familiar with, namely, in the interest of sovereignty and integrity of India; relating to defence of India/ security of State/ friendly relations with foreign states/ public order and for preventing incitement to commission of any cognizable offences). Without a review committee constantly monitoring and policing the unbridled use of the provisions, the backlog of blocking decisions that may need to be reversed can become a mountain very quickly. The dangers of pre-censorship and the curtailment of dialogue, debate and free speech are even greater in a country with an increasingly thin-skinned populace. Faced with a volatile backdrop of great diversity of religion, political opinions, views on sexuality, morality, obscenity and other highly subjective values and beliefs, there is immense extra-legal pressure on free speech. Thus, there is now a need for greater vigilance so that the thought police do not wield the stick of harsh penalties under the ITA without reason and due process.

Privacy and surveillance

This topic pulls together concerns around the blanket monitoring and collecting of traffic data or information, the interception and decryption (under duress) by intermediaries (now a large superset of ISPs, search engines, cyber cafes, online auction sites, online market places, etc.) and the wide definition of ‘cyber terrorism’ (which ludicrously even casts defamation as a terrorist activity).

Some of the broad concerns in relation to interception, monitoring and decryption in (section 69) are that:

there is no provision for a clear nexus between an intermediary and the information or resource sought to be monitored or intercepted,
the usual internationally recognised exception to liability where an intermediary operates purely as a conduit and has no control over data flowing through its network is not clearly spelt out,
the penalties for non-cooperation are extremely harsh, especially given the absence of a) and b) above,
these onerous penalties can be said to be in violation of Article 14 as they seem entirely disproportionate. Similar offences and remedies in the Code of Criminal Procedure or the Indian Penal Code prescribe less severe penalties, by an order of magnitude in fact. When the only difference between the offences is the medium in which information is contained, it seems arbitrary to impose a much harsher punishment on an online intermediary than on a member of the public who, for example, furnishes false information to the police in connection with a trial or enquiry.
the rules made in relation to monitoring, interception and decryption, offer some procedural safeguards, in that they impose a time limit on how long a directive for interception or monitoring can remain in force, a ceiling on how long data can be kept before it is required to be destroyed, etc. However, the effect of these is greatly diluted by exceptions “for functional requirements”, etc. The astonishing irony is that rule 20 requires the intermediary to maintain “…extreme secrecy…” and “…utmost care and precaution…” in the matter of interception, monitoring or decryption of information “…as it affects the privacy of citizens…”!!!!

In a similar vein, there are concerns around the monitoring and collection of traffic data (section 69B) as the section contains an unreasonably long list of grounds for monitoring. These include such extreme excesses as “forecasting of imminent cyber incidents”, “monitoring network application with traffic data or information on computer resource”, “identification and determination of viruses/computer contaminant”, and the catch-all “any other matter relating to cyber security”.

Finally, the main criticism of the ITA approach to ‘cyber terrorism’ is the very wide net that it seeks to cast, looking for a game that has little or nothing to do with the named offence. Amongst the cast of creatures unwittingly caught during this fishing expedition, we find some unlikely victims. In addition to the usual grounds of offence against sovereignty, national security, defence of India, etc., which we have seen in relation to other sections, the ITA considers the following as acts of cyber terrorism – broadly speaking, unauthorised access to information that is likely to cause:

injury to decency,
injury to morality,
injury in relation to contempt of court, and
injury in relation to defamation.

This would almost be laughable if these grounds were not enacted unto law, posing a threat to civil liberties by their very existence. Other countries have some notion of political ideology, religious case, etc. in their view of terrorism. That (a) to (d) above have been shoehorned into a clause that imposes the stiffest penalty within the entire ITA (life imprisonment) gives even more cause for concern.

In closing, I should reiterate that the ITA includes other deficiencies and worthwhile improvements alike, but an article focusing largely on the data protection and civil liberties aspects cannot reference them all.

For more details visit https://cis-india.org/internet-governance/blog/information-technology-act

Citizens’ Draft Privacy Bill Seeks To Revolutionise Data Collection, Storage In India

Admin — 2018-06-11T02:47:46Z

A draft privacy bill proposes sweeping reforms to the way personal data is collected, processed and stored in India.

The blog post by Arpan Chaturvedi was published in Bloomberg Quint on June 9, 2018. CIS research was quoted.

Titled Indian Privacy Code, 2018, the draft proposes that “all data collected, processed and stored by data controllers and data processors prior to the date on which this Act comes into force shall be destroyed within a period of two years from the date on which this Act comes into force”.

The draft has been put together by a group of lawyers and policy analysts and uploaded on the website of ‘Save our Privacy’ — a public initiative to put forth a model law on data protection. The initiative is backed by the India Privacy Foundation.

No person, including a data controller and data processor, shall collect any personal data without obtaining the consent of the data subject to whom it pertains, the draft bill says. Collection of personal data without consent can happen only when:

It’s necessary for the provision of an emergency medical service.
Prevent, investigate or prosecute a cognizable offence.
Exempted by a privacy commission that the draft seeks to institute

Also, the draft bill proposes that no person shall store any personal data for a period longer than is necessary to achieve the purpose for which it was collected or received. The same applies to the processing of personal data.

The draft bill has been submitted to the Justice Sri Krishna Committee — which will deliberate on a data-protection framework for the country. The committee’s first draft is likely to be submitted this month.

The bill prescribes punishment for offenses related to interception of communication, surveillance, abetment, repeat offenders and offenses by companies.

The bill, according to information on the website, is based on seven principles, foremost of which is the importance of individual rights. The others are:

A data protection law must be based on privacy principles and guidelines discussed in the report of Justice AP Shah Committee of Experts; the Supreme Court judgement on Right to Privacy and European Union’s General Data Protection Regulation.
A strong privacy commission must be created to enforce privacy principles. The commission should be granted wide powers of investigation, adjudication, rule-making and enforcement. The privacy commission must have jurisdiction over the government as well as private bodies.
The government must respect user privacy. The government cannot deny essential services to citizens if they choose not to share data with it. The draft says government withholding services on pretext of collection of information effectively amounts to “extortion of consent”.
A complete privacy code must come with surveillance reform. Even when individual interception and surveillance is carried out this should be severely limited in substance and practiced through procedural safeguards.
Strengthen the Right To Information Act and exempt information commissioners from interference or control by the privacy commissioner
International protection and harmonisation is a must to protect the open internet. The group suggests the law must have extraterritorial effect and apply to web services and platforms which are accessible in India and gather personal data of Indians.

The bill takes inspiration from the Privacy (Protection) Bill, 2013 which was drafted over a series of roundtable discussions and inputs conducted by the Centre for Internet and Society, Bengaluru.

The individuals who were involved in the drafting of the model law are Raman Jit Singh Cheema, Apar Gupta, Gautam Bhatia, Kritika Bhardwaj, Maansi Verma, Naman N Aggarwal, Praavita Kashyap, Prasanna S, Ujjwala Uppaluri, Vrinda Bhandari.

For more details visit https://cis-india.org/internet-governance/news/bloomberg-quint-june-9-2018-draft-bill-seeks-to-revolutionise-data-collection-storage-in-india

Citizen Activism the Past Decade

Nilofar Ansher — 2015-04-24T11:52:44Z

Call for Contributions to the ‘Digital Natives with a Cause?’ newsletter, ‘Citizen Activism the Past Decade’. Deadline: August 15, 2012.

The past decade (2001 – 2011) has been marked by unprecedented democratic protests across the globe. Not only have citizens risen against autocratic regimes or systemic corruption, which is not unprecedented in itself, but also, a spark in one region inflamed solidarity among neighbouring nations to pick up the placards and march for change. Plenty has been written about the strategic deployment of social media, Web 2.0 platforms and Smart-gadgets by the digital natives (the youth and the old alike) to rewrite the rules of citizen activism.

In this issue of the newsletter, we explore the mechanics of activism aided by media: web, social, digital, and traditional. What do we understand by a cause and how does it find resonance at the local and global platforms? Is the digital native a community player or a global citizen? How do digital natives connect, collaborate, mobilize and bring about their visions of change? The aim is to not establish or reinforce these dichotomies, if indeed they exist, but to understand the dimensions of the stage the digital natives operate on and if that stage is a synecdoche for global youth-led civic action. A case in point: ‘Slut Walk’ moved from being a one-off march in Toronto to becoming a global movement and came full circle when small towns and cities across the world organized protest marches with a local ‘twist’.

Topics that contributors can explore:

What do we understand by citizen activism? How has citizen activism changed over the last 10 years with the advent of new media tools?
Youth as 'change agents'. Are protest movements youth oriented today? How are civil rights movements of the past decade different from the wave of movements that marked the 60s? (women's lib, LGBT rights, civil rights, disability rights). Explore the mechanics of organizing, mobilizing and measuring the success of a campaign in both the cases.
Participatory Politics and Web 2.0 | Value and power of the Network in effecting change | Mobilizing support and consensus within the network |studies on politically active youth using social media | digital natives as apathetic citizens | Is Slacktivism still a misunderstood term?
Kony 2012 video campaign | interviews | what went wrong and what did they do right? | Rise of DIY activism | mechanics of digital activism | resources, tools and strategies
Rise of the ‘Glocal’ (global with local resonance) cause | Slut Walk and Co – global protests inspiring local campaigns | Children of globalization with global stakes supporting local causes – how does this work?
Role of new media as a vehicle for civic engagement | Are new media and traditional media mutually exclusive in influencing citizen action? | How are new media strategies deployed by citizens in comparison with traditional media engagement?
Learning from past campaigns: citizen activism initiates and strategies in history that inspire modern campaigns (The ‘Walk to Work’ protest in Uganda protesting against fuel price hike and removal of subsidies is similar to Mahatma Gandhi’s Dandi March in pre-independence India to protest against Salt Tax).
Finding commonalities in citizen activism across Asia, Africa and Middle East | Explore the citizen action campaigns that have shaped political discourse in the past decade | Explore some of the most successful youth action campaigns of the past decade
How do we measure value, quality and success of campaigns? When does a protest officially end? Studies that explore the life-cycle of a protest or movement
The future of activism: new technologies, new demography, new forms of engagement | art and activism | Gamification
Role of non-governmental organizations and civil society networks in fostering political change | collaboration between NGOs and social media activists / independent protesters
State and the empowered citizen | State response to protest | surveillance and censorship
Technologies of protest
Studying citizen activism | digital native research methodology to study citizen activism

To know more about the topics you can write about, please write to: nilofar.ansh@gmail.com (Nilofar Ansher, Community Manager). Contributions can be in the form of essays, notes, commentaries, reviews (book or paper), dialogues and chat transcript, poems, sketches / graphics. Essay word count between 800-1,600 words. Send your entries along with a brief bio and a profile picture by August 15, 2012.

View previous issues of the 'Digital Natives with a Cause?' newsletter here: http://cis-india.org/digital-natives/newsletter

For more details visit https://cis-india.org/digital-natives/citizen-activism-the-past-decade

CIS_BD4D_Guideline04_PT+PB_BigDataAIEthicsReview_ExtendedNotes PDF

pranav — 2020-05-19T10:58:54Z

For more details visit https://cis-india.org/raw/bd4d-guideline-documents/ExtendedNotes

CIS@IGF 2014

geetha — 2014-10-08T10:31:47Z

The ninth Internet Governance Forum (“IGF2014”) was hosted by Turkey in Istanbul from September 2 to 5, 2014.

A BestBits pre-event, which saw robust discussions on renewal of the IGF mandate, the NETmundial Initiative and other live Internet governance processes, flagged off a week of many meetings and sessions. At IGF2014, the ICANN-led processes of IANA transition and ICANN accountability found strong presence. Human rights online, access and net neutrality were also widely discussed. Centre for Internet and Society, India participated in multiple workshops and panels.

Workshops and Panel Discussions

WS206: An evidence-based framework for intermediary liability
CIS organized a workshop on developing an evidence-based framework for intermediary liability in collaboration with the Stanford Center for Internet and Society. By connecting information producers and consumers, intermediaries serve as valuable tool for growth and innovation, and also a medium for realisation of human rights. The workshop looked to a concerted approach to understanding intermediaries’ impact on human rights demands our urgent attention. Jyoti Panday of CIS was contributed to the workshop’s background paper and organisation. Elonnai Hickok of CIS was a speaker. At this workshop, a zero-draft of international principles for intermediary liability was released. The zero-draft is the interim outcome of an ongoing, global intermediary liability project, undertaken by CIS in collaboration with Article 19 and Electronic Frontier Foundation. See the video.

WS112: Implications of post-Snowden Internet localization proposals
Organised by ISOC and Center for Democracy and Technology, this panel questioned the distinctions between Internet-harmful and Internet-beneficial Internet and data localization. As a speaker at this workshop, Sunil Abraham of CIS identified state imperatives for Internet localization, such as taxation, network efficiency and security. See video.

WS63: Preserving a universal Internet: Costs of fragmentation
Internet and Jurisdiction Project organized this workshop to explore potential harms to Internet architecture, universality and openness as a result of Internet balkanisation. Sunil Abraham was one of the speakers.

WS2: Mobile, trust and privacy
Organised by GSMA, this panel discussed methods, benefits and harms of use of mobile transaction generated information and data. Sunil Abraham was a speaker. See video.

WS188: Transparency reporting as a tool for Internet governance
This GNI workshop examined transparency reporting by Internet intermediaries and companies, and sought to identify its strengths and shortcomings as a tool for Internet governance. Pranesh Prakash of CIS was a speaker. See video.

WS149: Aligning ICANN policy with the privacy rights of users
This Yale ISP panel examined ICANN’s obligations for data protection, in light of international standards and best practices. This discussion is particularly relevant as ICANN’s WHOIS policy, Registrar Accreditation Agreement, and other policies have attained the status of a global standard for the handling of personal data. Pranesh Prakash moderated this panel.

Other Participation

Launch of the GISWatch Report

Association for Progressive Communications (APC) and the Humanist Institute for Cooperation with Developing Countries (Hivos) released the Global Information Society Watch Report (GISWatch) on national and global mass surveillance. The report “explores the surveillance of citizens in today's digital age by governments with the complicity of institutions and corporations”. Elonnai Hickok of CIS contributed a thematic chapter on Intermediary Liability and Surveillance to this report.

For more details visit https://cis-india.org/internet-governance/blog/cis-at-igf-2014

CIS’ Comments to the (Draft) Indian Telecommunication Bill 2022

Abhishek Raj, Divyank Katira, Isha Suri, Shweta Mohandas, and Vipul Kharbanda — 2022-11-22T13:22:24Z

The Department of Telecommunications, Government of India invited comments on the Draft Indian Telecommunication Bill, 2022. The Centre for Internet & Society (CIS) submitted its comments.

Reviewed by Pallavi Bedi

Preliminary

The Centre for Internet and Society (CIS) is a non-profit organization that undertakes interdisciplinary research on the internet and digital technologies from policy and academic perspectives. Through its diverse initiatives, CIS explores, intervenes in, and advances contemporary discourse and practices around the internet, technology, and society in India, and elsewhere. Over the last decade, CIS has worked extensively on policy issues related to telecommunication, internet access, digital inclusion, and so on.

In the past, CIS has responded to various public consultations pertaining to telecommunication such as the Telecom Regulatory Authority of India (TRAI) consultation on 5G Auctions^{^[1]}, TRAI consultation on regulation of over-the-top (OTT) services^{^[2]}, to name a few .

We appreciate the efforts of the Department of Telecommunications (DoT) for having consultation on the “Draft Indian Telecommunication Bill 2022”. We are grateful for the opportunity to put forth our views and comments to the draft bill.

Summary of Recommendations

At the outset, we recommend that in the interest of transparency and accountability, prior to enacting important legislations like the Telecom Bill, the government would be well-advised to conduct an “impact assessment” exercise such as “regulatory impact assessment” and put the report in public as practised in jurisdictions such as the European Union.^{^[3]} We would also recommend the government to disclose responses and submissions that it receives during the process to ensure a transparent and consultative process of policymaking.

We recommend that the scope of the bill should be reconsidered and internet-based services should be removed from the definition of telecommunication services. From this definition read with other clauses of the bill, it appears that the bill tries to licence (or control !) not just telecommunication but all kinds of communication and internet-based services. Putting onerous regulatory requirements on every bit and byte flowing through the internet is unnecessary and regulatory overreach.

The draft bill’s attempt to provide for a non-discriminatory and an affordable Right-of-way (RoW) regime is appreciable. However, the central government has been given an overriding power over the local government which has constitutional powers with regard to permissions in their jurisdiction. The bill must clarify the modalities to ensure coordination between centre, state, and local authorities.

We recommend that clause 46 of the draft bill which significantly dilutes TRAI’s power should be deleted. Moreover, the government must work towards further strengthening TRAI by hiring subject matter experts to ensure that India has a powerful sector regulator which is well prepared to usher in the next wave of innovation.

We recommend that the Bill be inline with the Puttaswamy Judgement, and that of Anuradha Bhasin vs Union of India. The Bill, while paying close attention to the protection of users and duty of the user, fails to uphold rights of the user such as the right to privacy and the freedom of speech and expression.

As per clause 29, the objectives for which Telecommunication Development Fund (TDF) can be utilised is broad and therefore the government would be well-advised to specify that TDF can only be utilised to ensure digital access, adoption and usage for digitally marginalised groups. Furthermore, TDF must be ring fenced and not credited to the Consolidated Fund of India to ensure timely implementation which has thus far remained a significant challenge with the universal funds (USOF) regime.

The bill does not have any provisions upholding the principles of net neutrality. The government must act on TRAI’s recommendations and set up the multistakeholder body to check adherence to net neutrality requirements by incorporating provisions to that effect.

In the interest of transparency and accountability, a clause requiring the government to report (quarterly or annually) vital statistics relating to the functioning and financial aspects of matters contained within the draft legislation. The reporting should also include the number of licences provided, licences revoked, number of blocking and suspension orders passed among others.

Detailed Response

Preamble

No comments

Chapter 1: Short Title, Extent and Commencement

No comments

Chapter 2: Definitions

➔ 2(9): “message” means any sign, signal, writing, image, sound, video, data stream or intelligence or information intended for telecommunication.

Comment: The terms “intelligence” and “data stream” are not clear in the definition and these terms have not been defined elsewhere in the bill. Moreover, the definition of message is broad and may have implications with regard to surveillance and privacy of users, when read with clause 4(8) and clause 24(2)(a).

Recommendation: We recommend that the terms “intelligence” and “data stream” are defined under the bill, in order to reduce chances of excessive surveillance and to maintain the informational privacy of the individual. Additionally the definition could have an expansive list of what could constitute a message in order to prevent mission creep.

➔ 2(18): “telecommunication equipment” means any equipment, appliance, instrument, device, material or apparatus, including customer equipment, that can be or is being used for telecommunication, and includes software integral to such telecommunication equipment;”

Comment: The inclusion of customer equipment in the definition of telecommunication equipment has implications. The definition of the “customer equipment”^{^[4]} as provided in clause 2(5) of the Bill is broad enough to include personal devices such as phones, routers, among others. As per clauses 23 to 26 the Central Government has wide ranging powers with respect to telecommunications equipment and telecommunications networks such as issuing various directions for telecommunications networks and even has the power to take over such networks. As the definitions currently stand, these provisions would automatically become applicable to customer equipment as well which may be a violation of the right to privacy of the citizens of the country.

Moreover, according to 3(2)(c), possession of wireless equipment requires authorization. On reading 3(2)(c) with the definitions of wireless equipment in 2(23) and customer equipment in 2(5), an argument could be framed that the customer equipment could technically also require a licence, and so would the software integral to such equipment. If customer equipment is in fact included in telecom equipment and software integral to it is also included therein, then arguably even Android OS or other OS can be licensable.

Recommendation: Thus, we suggest that the government should remove customer equipment from the definition of telecommunication equipment.

➔ 2(21): “telecommunication services" means service of any description (including broadcasting services, electronic mail, voice mail, voice, video and data communication services, audiotex services, videotex services, fixed and mobile services, internet and broadband services, satellite based communication services, internet based communication services, in-flight and maritime connectivity services, interpersonal communications services, machine to machine communication services, over-the-top (OTT) communication services) which is made available to users by telecommunication, and includes any other service that the Central Government may notify to be telecommunication services;”

Comment: Clause 2(21) expands the scope of “telecommunication services” significantly. The overly-broad definition of “telecommunication services”, and what constitutes a “message”^{^[5]}, brings within its ambit a host of internet services including but not limited to email, instant messaging, social media services, and even payments and e-commerce transactions. Neither the bill, nor the accompanying explanatory note provides a satisfactory rationale for an all-encompassing definition of “telecommunication services”. The explanatory note attached to the bill suggests that legislations in Australia, EU, UK, Singapore, Japan, and USA have been examined while drafting this bill. However, our research^{^[6]} suggests that none of these jurisdictions define “telecommunication services” so expansively and seek to regulate entities offering only internet based services companies through licensing, in particular. It may also be worthwhile to note that TRAI recommended against such an approach and also clarified that there is no issue of financial arbitrage.^{^[7]} However, the bill attempts to bring OTT communication services within the purview of licensing. From this definition read with other clauses of the bill, it appears that the bill tries to licence (or control !) not just telecommunication but all kinds of communication and internet-based services. Putting onerous regulatory requirements on every bit and byte flowing through the internet is unnecessary and regulatory overreach. There can be major implications of expanding the definition of telecommunication services, some of which are listed below:

● The draft bill has stringent provisions on surveillance and shutdowns [clause 23 to clause 28]. These clauses would be naturally applicable to the expanded bucket of telecommunication services. This has serious implications on user’s right to privacy and freedom of expression online. For example, the bill gives the government the power to surveil citizens over apps such as WhatsApp, Telegram, to name a few, and even email. [some of this will be delved into greater detail in the foregoing sections]

● Some of the internet-based services listed in the definition in 2(21) are already regulated under the Information Technology (IT) Act 2000. For example, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 regulates intermediaries, including the significant social media intermediaries (SSMI) such as Facebook and Twitter. Putting an additional regulatory burden on these service layer companies in the form of licensing, as envisaged in clause 3 and clause 4 of the bill would hamper the innovation in the sector. Furthermore, it has been observed that the compliance burden of regulations is higher on small businesses in cases where regulations impose identical requirements on entities regardless of the firm size.^{^[8]} Therefore, inserting such a requirement would have a detrimental impact on innovation because excessive compliance requirements would act as a significant entry barrier for smaller firms.

Moreover, there is significant overlap between various services that are mentioned in the definition of telecommunication services which may lead to significant challenges. As these services are not defined elsewhere in the bill, it leaves scope for ambiguity. The bill makes a mention of “over-the-top (OTT) communication services” without defining it. We argue that making a distinction between communication and non-communication OTT services is superficial and does not take into account today’s realities where categorising applications into different categories is extremely difficult. A majority of the OTT applications such as e-commerce, healthcare, food delivery, payments, and so on, provide integrated communication channels. Disaggregation and making an artificial distinction of such apps into communication (with licensing requirements) and non-communication (without licensing requirements) would result in fragmentation of the internet which is definitely not a desirable outcome.

The “same-service same-rules” argument put forth by Telecommunication Service Providers (TSPs/ telcos) for the regulation of OTT apps which provide communication services [generally referred to as OTT communication services] at par with them is flawed for the reasons elaborated herein below:

● It is well recognized that there are significant differences at the technical and architectural level between TSPs and OTT apps which provide communication services . Regulating OTT apps which provide communication services at par with TSPs just on the basis of functionality without considering the inherent technical and architectural differences between them is a definite recipe for failure.

● Moreover, even at the functional level, OTT communication apps offer several additional features which are not available in the traditional TSP services.^{^[9]} Due to this, establishing functional equivalence between TSP’s services and OTT communication services is not only technically unfeasible but also unnecessary since those apps are better regulated by MEITY.

● Furthermore, TSPs enjoy privileges which OTTs don't. For example, TSPs have exclusive rights to spectrum, right of Way (RoW), numbering resources, to name a few. TSPs have control over underlying broadband infrastructure which OTTs and other internet-based service companies do not have.

As opposed to what has been suggested in the bill i.e, licence all telecommunication services [clause 3(2)(a)] including the internet-based services, it may be prudent to explore alternative approaches to regulate this space. For instance, a “two-layered framework”^{^[10]} for regulatory intervention can be considered. In this two-layered framework, the first layer would be the network layer consisting of the network and infrastructure; and the second layer would be the service layer consisting of applications and services. The services in the second layer can be further refined into the following three categories: (i) services provided over a non-Internet Protocol (IP) based architecture e.g Public Switched Telephone Network (PSTN) voice calls provided over a circuit switched network; (ii) specialised services that are provided over an IP based architecture in a closed network including facility-based services e.g., facilities-based VoLTE calls to PSTN and IPTV; (iii) IP-based/ Internet-based services such as OTTs. The gist^{^[11]} of the framework is:

The network layer may be regulated by way of licensing.

Non-IP Services and Specialised services may be regulated by way of licensing.

Internet-based services should be regulated by instruments other than licensing. Such instruments should preferably be in the form of legislations like the IT Act and its rules thereunder.

While there can be approaches apart from the one described above to regulate internet-based services such as the OTT and those approaches can be discussed and debated, putting licensing requirements for every internet-based service is not the way forward.

Recommendation: We recommend that the scope of the bill should be reconsidered and internet-based services should be removed from the definition of telecommunication services. In the interest of transparency and accountability, prior to enacting such a legislation the government would be well-advised to conduct a “regulatory impact assessment” exercise and put the report in public, as done in jurisdictions such as the European Union.

Chapter 3: Licensing, Registration, Authorization and Assignment

Clause 4. Licensing, Registration Authorization and Assignment

➔ 4(6): “The possession and use of any equipment that blocks telecommunication is prohibited, unless authorised by the Central Government for specific purposes.”

Comment: While assuming jurisdiction over equipment capable of blocking telecommunication via this clause is a welcome step, it is not clear why equipment capable of intercepting telecommunications has been kept out of the scope of this clause. Since unlawful and unauthorised interception of telecommunications is a violation of the fundamental right to privacy of an individual,^{^[12]} it is imperative that the scope of this clause be increased to include interception equipment as well. Furthermore, the latter part of the provision mentions “specific purposes” without adequate checks and balances in place. As such, the specific purposes must be defined exhaustively to ensure that this power is not misused.

➔ 4(7): "Any entity which is granted a licence under sub-clause (2) of clause 3, shall unequivocally identify the person to whom it provides services, through a verifiable mode of identification as may be prescribed."

Comment: All services do not require a verification of the identity of a person. There is a legitimate need to verify a person in the case of financial transactions, however a similar level of scrutiny is not warranted for applications that a person might use once, or applications that do not pose a threat to anyone. For example the need to verify a person through Know Your Customer (KYC) or otherwise for an application to order food, or an application which is meant for communication can be excessive regulation. Furthermore, number based internet communication apps such as Whatsapp require users to sign in through a mobile number, which have already gone through a KYC process. Therefore, dual KYC would be redundant and serve no purpose.

The Supreme Court while looking at the constitutionality of the Aadhaar Act upheld the need for banking and financial institutions to require an individual’s Aadhaar number stating the legitimate aim of preventing money laundering; however, the Court struck down the provision that required any private entity to collect Aadhaar details.^{^[13]} Justice Bhushan held that the collection by private entities violated the right to privacy, by failing the first prong of the test laid down in Puttaswamy, the test of legality.^{^[14]}

Recommendation : Clause 4(7) should be deleted.

➔ 4(8) “The identity of a person sending a message using telecommunication services shall be available to the user receiving such message, in such form as may be prescribed, unless specified otherwise by the Central Government.”

Comment: Although the intent behind this provision may have been to curb the menace of anonymous harassment of users, a blanket requirement to reveal the identity of the sender of a message in every instance may be considered a violation of the right to privacy of the sender. . There are clearly a number of competing rights involved here and the issue needs to be addressed in a more nuanced manner. Additionally there are a number of services such as chat applications providing support for mental health, that allow users to be anonymous in order to remove the concern and stigma around seeking help. A requirement that the user's name be revealed in these applications could hinder the functioning of these services as well as prevent more people from seeking help.

Anonymity was also explained in the Puttaswamy Judgment where it was stated that - “Privacy involves hiding information whereas anonymity involves hiding what makes it personal. An unauthorised parting of the medical records of an individual which have been furnished to a hospital will amount to an invasion of privacy.” In his judgement, Justice F. Nariman talks about different aspects of the right to privacy in the Indian context and observes “Informational privacy which does not deal with a person’s body but deals with a person’s mind, and therefore recognises that an individual may have control over the dissemination of material that is personal to him. Unauthorised use of such information may, therefore lead to infringement of this right”.^{^[15]}

In this backdrop it is perhaps preferable that the issue be addressed through separate guidelines rather than through a blanket direction in the Statute. Recently the Department of Telecom sent a reference to the TRAI for framing a mechanism for using KYC based identification.^{^[16]} It would be advisable if the TRAI in its response also takes into account the competing rights involved in this issue of caller identification and suggests a framework that addresses these concerns as well.

Retaining anonymity on the internet: Individuals may choose to remain anonymous online for a number of reasons. This includes employees expressing opinions about their employers and whistleblowers, people providing anonymous tips to newspapers or law enforcement, people expressing political opinions and criticism that may be subject to persecution, or simply someone saying something that they may be embarrassed about.^{^[17]} In India, in particular, an individual’s caste can be derived from their name, and they may choose to remain anonymous or adopt a pseudonym to escape centuries of stigma and discrimination that their communities have faced. Religious, gender and sexual minorities may also make this choice for similar reasons. The broad definition of telecommunication services in the bill places restrictions on anonymity online and severely degrades an individual’s ability to exercise their fundamental right to freedom of expression.

Right to privacy: The overly broad definition of “telecommunication services” and what constitutes a “message” also brings a number of digital services under the ambit of this bill. This can include email, instant messaging, social media services, and even payments and e-commerce transactions. Mandating identification of individuals as they navigate these services, which they require to go about their daily lives, creates an unprecedented potential for surveillance and abuse of personal information. To evaluate the legal validity of this infringement on privacy, we can utilise the necessity and proportionality tests put forth by the Puttaswamy Judgment. The explanatory note accompanying the bill states that the purpose of this provision is to “prevent cyber frauds”, establishing a legitimate aim for mandating identification. However, it fails to justify whether this is the least intrusive means necessary to achieve the stated aim. Law enforcement agencies have access to a wide variety of metadata, such as IP addresses, already collected by digital services today, which can be used to identify individuals committing cyber crimes. Furthermore, as the internet is a global network, bad actors can evade identification by routing their internet traffic through another country by using services such as Virtual Private Network (VPNs), proxies and onion routing. Well resourced actors can simply hire someone in another country to communicate on their behalf. The infringement upon the right to privacy by this provision is also disproportionate to the objective sought. By mandating storage of personally identifiable information that is not required for the operation of the wide range of services that fall under the ambit of this bill, it allows not only for state surveillance, but also creates the possibility of misuse by criminal actors and hostile states who may gain unlawful access to this information through data breaches. Overall, this provision can easily be circumvented by the bad actors it intends to catch, leaving us with a surveillance mechanism that is ripe for misuse against ordinary, law-abiding citizens.

Misunderstanding how the internet works: This draft bill assumes and propagates a centralised view of the internet. Unlike traditional telecommunication services, which require access to a finite spectrum or other physical infrastructure, the internet allows any individual or organisation to self-host their own communication service. Several organisations and technologically savvy individuals host their own email services, instant messaging services, blogs and social media networks. It is unclear how the licensing provisions in this bill apply to people developing and hosting their own communication equipment.

Recommendation : Clause 4(8) should be deleted.

Clause 5. Spectrum Management

➔ 5(2)(b): “administrative process for governmental functions or purposes in view of public interest or necessity as provided in Schedule 1; or”

Comment: Even though the draft bill seeks to provide an explicit statutory framework and predictability for spectrum management policy in India, it appears that for the large part it would be relying on spectrum auctions for assignment of spectrum. While the bill provides for administrative allocation of spectrum for governmental functions or purposes in view of public interest or necessity as provided in Schedule 1, the explanatory note provided for the draft bill indicates auction to be the predominant method for spectrum assignment. Even though the explanatory memorandum cannot be used for legal interpretation, it can be used to indicate that for the foreseeable future the government intends to allocate spectrum predominantly through auctions. While it can be argued that an auction based regime ensures transparency, it also creates significant barriers to entry for smaller operators. It is also pertinent to mention that in the seven auctions held since 2010, the government has successfully sold 100 percent of the auction only once. Relying solely on auctions since 2010 has led to unsold spectrum, lost revenue, and deferring of the rural digital ecosystem.^{^[18]} Therefore, auctions should be supplemented with “administrative allocation” and other innovative approaches to ensure that affordable broadband connectivity does not remain within the remit of a few. For instance, Canada has initiated a consultation on a non-competitive local licensing framework in the 3900-3980 MHz Band and Portions of the 26, 28 and 38 GHz Bands, and one of its objectives is to facilitate broadband connectivity in rural areas.^{^[19]} Therefore, we would like to recommend the DoT to explore other forms of spectrum assignment and not rely solely on auctions to ensure efficient utilisation of available spectrum and to also ensure affordable access to hitherto underserved regions.

Moreover, the bill does not provide clarity with regard to unlicensed spectrum for public Wi-Fi, and assignment of shared spectrum for satcom services.^{^[20]} Spectrum allocation for satcom becomes all the more important as the draft bill seems to give a preference to auction for spectrum assignment, while the global practice on spectrum assignment for satcom has been administrative allocation.

Furthermore, clause 5(2)(b) read with Schedule 1 suggests that BSNL and MTNL can acquire spectrum through an administrative process in view of public interest or necessity. However, we would like to submit that spectrum assignment to BSNL and MTNL may no longer serve the public interest and it only protects a very small interest group. For context, BSNL and MTNL have a combined market share of only 9.83%, as per TRAI subscription data of Aug 31, 2022.^{^[21]} For such a small subscriber share, it cannot be argued that these PSUs serve a public interest. The government can easily migrate these subscribers to the other three telcos. Moreover, this also provides the PSUs with an unfair advantage over its competitors and distorts the level playing field, thereby creating competition concerns in the market.

➔ 5(8): “The Central Government may, to promote optimal use of the available spectrum assign a particular part of a spectrum that has already been assigned to an entity (“primary assignee”), to one or more additional entity/ entities (“secondary assignees”), where such secondary assignment does not cause harmful interference in the use of the relevant part of the spectrum by the primary assignee, subject to the terms and conditions as may be prescribed.”

Comment: “Secondary assignment” of spectrum and the shift from “right to exclusive use” to “right to protection from interference”, as envisaged in 5(8) is a progressive move towards efficient utilisation of spectrum.

CIS, in its past submission^{^[22]} to the TRAI had highlighted the merits of a “use-or-share” approach in spectrum. The chasm that exists between expensive exclusive spectrum licensing and the licence-exempt ecosystem can be bridged by enshrining “use-it-or-share-it” provisions in spectrum licences. As such, ‘use-it-or-share-it’ rules enable the regulator to grant secondary access to licensed or governmental spectrum that is unused or underutilised.^{^[23]} ‘Use-it-or-share-it’ rules expand the productive use of spectrum without risking harmful interference or undermining the deployment plans of primary licensees. Clauses such as 5(8) enable “use-or-share” provisions are a step in the right direction.

➔ 5(9): “The Central Government, after providing a reasonable opportunity of being heard to the assignee concerned, if it determines that spectrum that has been assigned, has remained unutilized for insufficient reasons for a prescribed period, may terminate such assignment, or a part of such assignment, or prescribe further terms and conditions relating to spectrum utilization.”

Comment: There is lack of coherence between 5(8) and 5(9) when read together. 5(8) and 5(9) should be put as sub-clauses under a parent clause to ensure clarity.

We believe that the provision must be articulated clearly to state that licensees would first be given an opportunity to share spectrum and in cases where the entity fails to do so within a reasonable amount of time, the spectrum licence would be cancelled to prevent wilful spectrum hoarding. The Independent Communications Authority of South Africa (ICASA) in the 2nd Information Memorandum has expressed similar provisions with clarity. While, we feel five years may be an unnecessarily long timeframe for the government to enact spectrum sharing provisions, the language put forth by ICASA captures the essence of our argument:

“11.6.2 In cases where the spectrum is not fully utilised by the licensee within 5 years of issuance of the Radio Frequency Spectrum Licences, the Authority will initiate the process for the Licensee:

11.6.2.1 to share unused spectrum in all areas to ECNS licensees who may, inter alia, combine licensed spectrum in any innovative combinations in order to address local and rural connectivity in some municipalities including by entrepreneurial SMMEs;

11.6.2.2 to surrender the radio frequency spectrum licence or portion of the unused assigned spectrum in accordance with Radio Frequency Spectrum Regulations, 2015”

Recommendation: Clause 5(8) and 5(9) must be brought under one clause and it must be clarified that licence holders would lose their licence in case they fail to successfully incorporate spectrum sharing.

Clause 7. Breach of Terms and Conditions

➔ 7(1): “In case of breach of any of the terms and conditions of licence, registration, authorization or assignment granted under this Act, the Central Government may, after providing an opportunity of being heard to the party concerned, do any one or more of the following: ……”

Comment: Usually the consequences of breach are specifically illustrated in the licence. Listing the consequences of breach in the statute itself may lead to lack of clarity unless the terms of licence are also referenced. It could also be argued by a defaulting licensee that the powers listed in clause 7(1) are exhaustive and the Central Government cannot add any other conditions for breach of the conditions of the licence as in the licence agreement and any such conditions not specified in clause 7(1) are void and ultra vires the Statute.

Recommendation: In order to avoid such a situation, the clause should clearly state whether the powers listed in clause 7(1) are in addition to the terms and conditions that may be specified in the licence.

Chapter 4: Right of Way for Telecommunication Infrastructure

Comment: The draft bill attempts to provide for a non-discriminatory and an affordable Right-of-way regime, which is appreciable. However, the provision suggests that the central government has an overriding power over the local government. Provided that the Constitution of India defines certain powers which reside with the local authority in terms of providing permissions in the local areas, it is unclear from the bill on how the coordination between various authorities will take place. We recommend that there needs to be a mechanism that ensures coordination between centre, state, and local authorities.

❖ 14(3) : “In the event the person under sub-clause (1) does not provide the right of way requested, and the Central Government determines that it is necessary to do so in the public interest, it may, either by itself or through any other authority designated by the Central Government for this purpose, proceed to acquire the right of way for enabling the facility provider to establish, operate, maintain such telecommunication infrastructure, in the manner as may be prescribed.”

Comment: The right of the Central Government to acquire the right of way should be in lieu of adequate and appropriate compensation to be paid to the property owner. This requirement should be clearly mentioned in sub-clause (3). The clause as it currently stands only mentions the Central Government’s right to acquire but contains no mention of said acquisition being in lieu of adequate and proportionate compensation.

Chapter 5. Restructuring, Defaults in Payment and Insolvency

➔ 19(1): “Any licensee or registered entity may undertake any merger, demerger or acquisition, or other forms of restructuring, subject to provisions of applicable law, after providing notice to the Central Government of the same.”

Comment: Sub-clause (1) only requires that the Central Government be given a notice in case of merger, demerger, acquisition or restructuring of the licensee. Although sub-clause (2) requires that the successor entity shall comply with all the terms and conditions of the licence, considering the strategic nature of the telecommunications sector^{^[24]} it would be advisable to change the requirement of notice to a requirement of permission from the Central Government for restructuring the business rather than a mere notice requirement. In order for this requirement to not be a hindrance to the growth of the industry there could be a provision for deemed approval if the approval is not granted within a particular period of time.^{^[25]}

Recommendation: Any merger in the sector must be approved by the DoT. In order to ensure that this does not lead to unnecessary delays, a deemed approval route may be considered.

Chapter 6: Standards, Public Safety and National Security

❖ 24(2): “On the occurrence of any public emergency or in the interest of the public safety, the Central Government or a State Government or any officer specially authorised in this behalf by the Central or a State Government, may, if satisfied that it is necessary or expedient to do so, in the interest of the sovereignty, integrity or security of India, friendly relations with foreign states, public order, or preventing incitement to an offence, for reasons to be recorded in writing, by order:

(a) direct that any message or class of messages, to or from any person or class of persons, or relating to any particular subject, brought for transmission by, or transmitted or received by any telecommunication services or telecommunication network, shall not be transmitted, or shall be intercepted or detained or disclosed to the officer mentioned in such order; or

(b) direct that communications or class of communications to or from any person or class of persons, or relating to any particular subject, transmitted or received by any telecommunication network shall be suspended”.

Comment: The pre-conditions for interception contained in the Bill are similar to those contained in the Telegraph Act, 1885, i.e. “occurrence of any public emergency or in the interest of the public safety, the Central Government or a State Government or any officer specially authorised in this behalf by the Central or a State Government, may, if satisfied that it is necessary or expedient to do so, in the interest of the sovereignty, integrity or security of India, friendly relations with foreign states, public order, or preventing incitement to an offence”. Although more stringent, these conditions are different from those contained in the Information Technology Act, 2000 which does not contain the added safeguard of there being a “public emergency or in the interest of public safety”.^{^[26]} With consumers spending more and more time on the internet and using internet based technologies and applications for communications, there is significant regulatory overlap between the Telecommunications Bill and the Information Technology Act, 2000. It is therefore advisable that the interception and blocking provisions under both the legislations should be aligned and standardised.

The judgement in the Puttaswamy case provides some guidance to assess the limits and scope of the constitutional right to privacy in the form of the three prong test. The test requires the existence of a law, a legitimate state interest and the restriction (to privacy) should be ‘proportionate'. The order to intercept, detain, disclose or suspend a communication made between private individuals, acts as a violation of privacy and to ensure that this does not provide extensive grounds to surveil people, the three prong test especially the grounds of proportionality combined with the necessity provision are essential to ensure that this provision is not used disproportionately.

More recently in Anuradha Bhasin vs Union Of India the Supreme Court stated “A public emergency usually would involve different stages and the authorities are required to have regards to the stage, before the power can be utilised under the aforesaid rules. The appropriate balancing of the factors differs, when considering the stages of emergency and accordingly, the authorities are required to triangulate the necessity of imposition of such restriction after satisfying the proportionality requirement.” The court while passing the judgement also stated “The concept of proportionality requires a restriction to be tailored in accordance with the territorial extent of the restriction, the stage of emergency, nature of urgency, duration of such restrictive measure and nature of such restriction. The triangulation of a restriction requires the consideration of appropriateness, necessity and the least restrictive measure before being imposed.”^{^[27]} The judgement while examining the duration of the suspension mentioned that any order which suspends the internet must adhere to the principle of proportionality and must not extend beyond necessary duration.

Recommendation: There is a need to look at the implications of such an order enabling blocking or suspension of services post the Puttaswamy judgement where informational privacy, and dignity were considered as some of the aspects of privacy. While this clause uses the test of necessity and expediency, we suggest that along with these two the clause also introduce the three prong test laid out in Puttaswamy I. In addition to this since this legislation has been drafted subsequent to the Anuradha Bhasin judgement the provisions of the legislation must be in conformity with the same in order to avoid confusion and reduce litigation.

Chapter 7: Telecommunication Development Fund

➔ Clause 29: “The sums of money received towards the Telecommunication Development Fund under clause 27, shall first be credited to the Consolidated Fund of India, which shall be appropriated by the Central Government, in accordance with law made by the Parliament, to the Telecommunication Development Fund from time to time for being utilised to meet any or all of the following objectives:

(a) support universal service through promoting access to and delivery of telecommunication services in underserved rural, remote and urban areas;

(b) research and development of new telecommunication services, technologies, and products;

(d) support pilot projects, consultancy assistance and advisory support towards provision of universal service under sub-clause (a) of this clause; and

(e) support introduction of new telecommunication services, technologies, and products.”

Comment: Clause 27 of the draft bill proposes to rename the Universal Service Obligation Fund (USOF) to Telecommunication Development Fund (TDF) and expand its scope to include underserved urban areas in addition to rural and remote areas. This has been done, ostensibly to expand the scope of current USOF to include within its ambit underserved urban areas, research and development, and skill development, among others.^{^[28]} While there is a need to spend the vast amount of unspent balance within the USOF, and spending it on skill development, investments in innovative low cost-technology that enables affordable broadband connectivity for all is important, the manner in which the TDF is currently defined is loose and vague. In order to ensure that the fund is spent to include digitally marginalised groups only, the purpose for which the TDF can be used needs to have an “exact” and “specific definition”. The purpose should be narrowly defined to include only those activities that have the potential to mitigate and bridge the many digital divides that exist in our country because in its absence TDF may be misused to subsidise urban middle class users as opposed to originally intended beneficiaries - the hitherto marginalised sections of the society.

Furthermore, the Bill suggests that the money received towards the TDF shall first be credited to the Consolidated Fund of India, which shall be appropriated by the Central Government, in accordance with law made by the Parliament. This is a relic of the erstwhile USOF policy funds, and allocations are made on a demand and review basis. One of the reasons that India has an unspent balance of nearly INR 50,000 crore in USOF is owing to a delay in its implementation due to bureaucratic delays since all credits to this fund require parliamentary approvals.^{^[29]} In order to ensure that funds received through USOF/TDF are utilised efficiently, the government must ring fence these funds and ensure that they are only spent on the objectives envisaged under the TDF. Furthermore, funds collected for this purpose must not be credited to the Consolidated Fund of India since requiring additional approvals delays implementation of the fund. For instance, the rural road fund is ring fenced which has ensured smoother flow of funds.^{^[30]} Moreover, auction proceeds, and other levies on the sector such as service tax and GST are already credited to the Consolidated Fund of India, therefore the government can afford to ring fence funds collected for universal service as opposed to crediting them to the Consolidated Fund of India.

Recommendation: The objectives for which the TDF can be utilised is vague and too broad and therefore the government would be well-advised to specify that TDF can only be utilised to ensure digital access, adoption and usage for digitally marginalised groups. This would go a long way in ensuring that the funds are not misspent on providing subsidies to users that may not be in need for such a subsidy. Furthermore, TDF must be ring fenced and not credited to the Consolidated Fund of India to ensure timely implementation.

Chapter 9: Protection of users

➔ Clause 34 : “In the interest of the sovereignty, integrity or security of India, friendly relations with foreign states, public order, or preventing incitement to an offence, no user shall furnish any false particulars, suppress any material information or impersonate another person while establishing identity for availing telecommunication services.”

Comment: The intent behind this provision appears to be to prevent misrepresentation or identity and the giving of false information for availing telecom services. Whilst it is understandable that there may be privacy issues involved in the matter of revealing one’s identity for availing telecommunications services, the requirement to provide correct identity documents is a well established and accepted norm in the industry today which is manifest in the KYC requirements that have to be fulfilled by every customer. Therefore there is no need to qualify the obligation to provide true and accurate documents with the phrase “in the interest of the sovereignty, integrity or security of India, friendly relations with foreign states, public order, or preventing incitement to an offence”.

Chapter 10: Miscellaneous

➔ Clause 46: Amendment to Act 24 of 1997

Comment: Clause 46 of the Bill significantly dilutes the power of TRAI and effectively renders the Regulator to the role of the government’s rubber stamp through proposed amendments to clause 11^{^[31]} of the TRAI Act. Section 11 of the TRAI Act as it currently stands requires DoT to solicit recommendations from TRAI on issues pertaining to licensing, new services, and spectrum management, where the powers vest with the government. However, if the Bill becomes a law, this would not be mandatory on the government’s part. It may or may not seek the Regulator’s recommendations, thus eroding the transparency which was built in the process of policymaking. Consequently, as per the current Bill, the government will effectively be the licensor, operator, and the Regulator. Since the government owns BSNL/MTNL (a telecom operator) the role of an independent regulator assumes even more significance. Even without the proposed amendments, the Indian regulator has been largely ineffective since it lacks significant functional autonomy including negligible penalisation powers, limited role in its hiring decisions, and lack of financial autonomy since it needs DoT’s approvals for its budget.^{^[32]} Even in its present form, TRAI has lesser power as compared to many regulators across the globe. For instance Federal Communications Commission (FCC) of the USA, Ofcom of the UK, and regulators in Pakistan, Bangladesh, and Sri Lanka have powers over spectrum and licensing, while TRAI has only recommendatory powers.^{^[33]} With the advent of 5G, the lines between telecom and digital services are likely to blur even more and in order to ensure that we are able to exploit the vast potential this new wave of innovations could unleash, it is important to have skilled policymakers well-versed with technology at the helm of affairs. Amidst this backdrop, it is important to invest in enhancing TRAI’s competence by hiring subject matter experts, and ensuring that TRAI functions as an independent and transparent regulator.

Furthermore, the bill empowers the government to set up an alternate dispute resolution mechanism effectively making the role of Telecom Disputes Settlement and Appellate Tribunal (TDSAT) redundant. Currently, TDSAT is the first body which looks into any dispute between two (i) telecom operators, (ii) telecom operators and the government, and (iii) between operators, the government and as well as the regulator. Only once the TDSAT has passed orders on such disputes can they be appealed in the Supreme Court. Therefore, clauses diluting the power of TRAI must be deleted. The government must also clarify what it means by an alternate dispute resolution mechanism, and the role it envisages for TDSAT.

Lastly, TRAI process is consultative by design providing various stakeholders with an opportunity to participate in the policymaking process. However, the proposed bill does not have any provisions mandating the DoT to hold transparent stakeholder consultations.

Recommendation: Clause 46 of the proposed bill should be deleted. Furthermore, the government must work towards further strengthening TRAI by hiring subject matter experts and further empowering TRAI by giving it penalising powers. Also, TRAI must be responsible for conducting spectrum audits and ensuring that licensees are adhering to licensing conditions.

➔ 46(k): “Provided further that the Authority may direct a licensee or class of licensees to abstain from predatory pricing that is harmful to the overall health of the telecommunication sector, competition, long term development and fair market mechanism” shall be inserted.”

Comment: The Bill through clause 46 (k) empowers the TRAI to decide on ‘predatory pricing’, which falls within the remit of the Competition Commission of India (CCI) which could potentially create jurisdictional overlaps between the two regulators. Even in the past, there has been friction between the two regulators on whether TRAI has jurisdiction to decide on matters relating to competition and predatory pricing in telecom tariffs.^{^[34]} In Competition Commission of India v. Bharti Airtel Limited & Ors^{^[35]}, Supreme Court of India rejected the contention by the incumbent dominant operators (IDOs) that TRAI, as the sectoral regulator, had exclusive jurisdiction to rule on competition-related aspects in the industry. It ruled that if TRAI had determined that the IDOs had formed a cartel or colluded to block Jio’s entry, the CCI then would have jurisdiction to decide whether the IDOs’ actions had an appreciable adverse effect on competition. While TRAI’s powers of sanction were limited by the TRAI Act, the CCI had the power to prescribe and enforce structural remedies to promote genuine competition in the telecom sector. The court prescribed comity between TRAI and the CCI in the discharge of their roles.^{^[36]} Over time, the telecom sector has evolved from being a rudimentary voice service to being a complex data-centric converged service, and even though overlapping jurisdictions cannot be completely wished away,^{^[37]} there is a need for clearly defined roles for various ministries and regulators. And there will also be a need to adopt a consultative approach towards policymaking through inter-departmental consultations, an area that India has thus far been lacking in. As evidenced by the International Telecommunication Union’s (ITU) Global ICT Regulatory Outlook 2020, which ranks India at 94 (out of a total of 193) countries in terms of the maturity and collaborative approach shown by telecom regulatory bodies, lower than countries such as Japan, Singapore, Korea, Pakistan, Kenya, and Nigeria.^{^[38]}

Therefore, inserting such a provision may create more chaos and regulatory uncertainty. It is advisable that the government ensures there are no jurisdictional issues between the two regulators by clearly defining the role of TRAI and inserting provisions to facilitate inter regulatory consultation mechanism.

➔ Clause 48: “If the person committing an offence under this Act is a company, the employee(s) who at the time the offence was committed, was responsible to the company for the conduct of the business relating to the offence, shall be liable to be proceeded against and punished accordingly.”

Comment: While there is a need to ensure that offenders and violators of provisions under this Act are provided with penalties, there is a need to look at ways to ensure that the fear of penalties does not stifle innovation. This legislation intends to bring into its ambit a number of new stakeholders who might not be able to comply with all the requirements due to the inexperience, which could lead to inadvertent offences and violations. The current wording of clause 48, does not make any distinction between offences that were done with prior knowledge and malafide intentions and those done without knowledge of its commission.

Recommendation: We suggest that the Act keeps the wordings in line with similar legislations such as the draft Personal Data Protection Bill 2019. The revised text could have a proviso that reads as “Nothing contained in sub-clause (1) shall render any such person liable to any punishment provided in this Act, if he proves that the offence was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such offence.”

Keeping in mind the existing burden of work both on the executive and the judiciary, and the time sensitive nature of the provisions of the Bill there is a need to look at different, swift, and inexpensive strategies. One possible way could be through Informal Guidances, similar to Security and Exchange Board of India (SEBI)’s Informal Guidance Scheme, which enables regulated entities to approach the Authority for non-binding advice on the position of law.^{^[39]} As there will be a number of new players that will be under the Bill, it would be useful for entities to get guidance. Another possible step could be to use Undertakings, where the regulator enforces the errant party to seek contractual undertakings to take certain remedial steps.^{^[40]}

➔ Clause 51: “Notwithstanding anything contained in any law for the time being in force, where the Central Government, a State Government or a Government of a Union Territory is satisfied that any information, document or record in possession or control of any licensee, registered entity or assignee relating to any telecommunication services, telecommunication network, telecommunication infrastructure or use of spectrum, availed of by any entity or consumer or subscriber is necessary to be furnished in relation to any pending or apprehended civil or criminal proceedings, an officer, specially authorised in writing by such Government in this behalf, shall direct such licensee, registered entity or assignee to furnish such information, document or record to him and the licensee, registered entity or assignee shall comply with the direction of such officer.”

Comment: The requirement to provide information or document even for “pending or apprehended civil or criminal proceedings” is too wide and could be misutilised, specially given the fact that there is no judicial authority making the determination that the information or document is required for such proceedings. Even in clause 91 of the Cr.P.C. , the requirement to provide documents or information is only for existing investigations, inquiries, trials or proceedings. Therefore the requirement to provide information, document or record for apprehended civil proceedings should be deleted.

Additional Comments

➔ Comment: The bill fails to incorporate net neutrality requirements

Technological convergence and vertical integration within the sector make adherence to net neutrality critical to keep discrimination and anti-competitive conduct in check. While extant TRAI regulations, forbid TSPs from discriminating on the basis of content, sender or receiver, protocols or user equipment based on prior arrangements, by slowing down one application or providing fast lanes to another. However, there is lack of clarity on how adherence to net-neutrality principles is currently being monitored. In 2020, TRAI had recommended setting up a Multistakeholder body for monitoring adherence to net neutrality by licensees.^{^[41]} However, the draft bill fails to codify net neutrality requirements and as such non-discriminatory treatment of traffic does not find a mention in the bill or the explanatory note accompanying it.

Recommendation: The government must act on TRAI’s recommendations and set up the multistakeholder body to check adherence to net neutrality requirements by incorporating provisions to that effect.

➔ Comment: There is no provision in the bill that requires the government to report vital statistics and other information relating to the sector. We understand that both TRAI and DoT have taken efforts in publishing those statistics through DoT dashboard and reports such as the annual report, performance indicator reports, and subscriber reports. But, putting reporting requirements in the statute would be better.

Recommendation: In the interest of transparency and accountability, a clause requiring the government to report (quarterly or annually) vital statistics relating to the functioning and financial aspects of matters contained within the draft legislation. The reporting should also include the number of licences provided, licences revoked, number of blocking and suspension orders passed among others.

^{^[1]} “Response to TRAI consultation on Auction of Spectrum in frequency bands identified for IMT/5G”, Centre for Internet and Society, accessed 10 November 2022,https://cis-india.org/telecom/blog/response-to-trai-consultation-auction-of-spectrum-in-frequency-bands-identified-for-imt-5g

^{^[2]} “Response to TRAI Consultation Paper on Regulatory Framework for Over-The-Top (OTT) Communication Services”,Centre for Internet and Society, accessed 10 November 2022, https://cis-india.org/internet-governance/blog/response-to-trai-consultation-paper-on-regulatory-framework-for-over-the-top-ott-communication-services

^{^[3]} “Impact Assessments”, European Commission, accessed 10 November 2022,<https://ec.europa.eu/info/law/law-making-process/planning-and-proposing-law/impact-assessments_en#:~:text=Impact%20assessments%20examine%20whether%20there,support%20the%20decision%2Dmaking%20process.>

^{^[4]} Clause 2(5) defines customer equipment as follows: “ “customer equipment” means equipment deployed on the premises of a person, other than the equipment of the licensee or registered entity, to originate, route or terminate telecommunication, or equipment used by such person for accessing telecommunication services;”

^{^[5]} As defined in clause 2(9) of the draft bill.

^{^[6]} Japan: "Telecommunications service" means intermediating communications of others through the use of telecommunications facilities, or any other acts of providing telecommunications facilities for the use of communications by others; Singapore: “telecommunication service” means any service for telecommunications but excludes any broadcasting service; UK: “electronic communications service” means a service of any of the types specified in subsection (2A) provided by means of an electronic communications network, except so far as it is a content service. Those types of service are— (a)an internet access service; (b)a number-based interpersonal communications service; and (c)any other service consisting in, or having as its principal feature, the conveyance of signals, such as a transmission service used for machine-to-machine services or for broadcasting.

^{^[7]} Muntazir Abbas, “Regulating OTT players complicated: Trai”, The Economic Times, 30 January 2020,<https://economictimes.indiatimes.com/industry/telecom/telecom-policy/regulating-ott-players-complicated-trai/articleshow/73759307.cms?from=mdr >

^{^[8]} Justin Douglas and Amy Land Pejoska, Regulation and Small Business, <https://treasury.gov.au/sites/default/files/2019-03/p2017-t213722-Roundup_Sml_bus_regulation-final.pdf>

^{^[9]} See, for instance, “Features, Whatsapp (2020), <https://www.whatsapp.com/features>; “Signal

Messenger Features”, Signal (2020)

^{^[10]} CIS has recommended this “two layered framework” in its previous submissions to TRAI.

^{^[11]} “Response to TRAI Consultation Paper on Regulatory Framework for Over-The-Top (OTT) Communication Services”,Centre for Internet and Society.

^{^[12]} “Internet Privacy in India”,Centre for Internet and Society, accessed 10 November 2022,https://cis-india.org/telecom/knowledge-repository-on-internet-access/internet-privacy-in-india

^{^[13]}Justice K. Puttaswamy and Others v. Union of India and Others 1 SCC 1 (2019)

^{^[14]}“Judgement in Plain English Constitutionality of Aadhaar Act”, “Supreme Court Observer, accessed 10 November 20222,https://www.scobserver.in/reports/constitutionality-of-aadhaar-justice-k-s-puttaswamy-union-of-india-judgment-in-plain-english/

^{^[15]} “Right to Encrypt : Subset of Right to Privacy?”, SFLC, accessed 10 November 20222,https://sflc.in/right-encrypt-subset-right-privacy

^{^[16]} PTI, “Trai to moot mechanism for KYC-based caller name display”,The Economic Times, 20 May 2022,https://economictimes.indiatimes.com/industry/telecom/telecom-news/trai-to-moot-mechanism-for-kyc-based-caller-name-display/articleshow/91695117.cms?from=mdr

^{^[17]} Palme, Jacob, and Mikael Berglund. "Anonymity on the Internet.” <https://people.dsv.su.se/~jpalme/society/anonymity.pdf >

^{^[18]} Rajat Kathuria, Isha Suri “Why spectrum needs a change in approach”, Indian Express, 20 October 2022, https://indianexpress.com/article/opinion/columns/why-spectrum-needs-a-change-in-approach-8235997/

^{^[19]} Consultation on a Non-Competitive Local Licensing Framework, Including Spectrum in the 3900-3980 MHz Band and Portions of the 26, 28 and 38 GHz Bands - Spectrum management and telecommunications

^{^[20]} Aneesh Phadnis“Extant rules choke growth, telecom bill needs review: Broadband India Forum”, Business Standard, 23 September2022<https://www.business-standard.com/article/companies/extant-rules-choke-growth-telecom-bill-needs-review-broadband-india-forum-122092301265_1.html >

^{^[21]} Highlights of Telecom Subscription Data as on 31st August, 2022, TRAI, accessed 10 November 2022, https://www.trai.gov.in/sites/default/files/PR_No.67of2022.pdf

^{^[22]} “Response to TRAI consultation on Auction of Spectrum in frequency bands identified for IMT/5G”, Centre for Internet and Society.

^{^[23]} Calabrese, M. (2021). Use it or Share It: A New Default Policy for Spectrum Management. Available at SSRN 3762098. <https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3762098_code2826029.pdf?abstractid=3762098&mirid=1 >

^{^[24]} “Guidelines for Implementation of New Public Sector Enterprises (PSEI Policy for CPSEs in Non-Strategic Sector' regarding”, “Government of India Ministry of Finance Department of Public EnterPrises, 10 November 2022, https://dpe.gov.in/sites/default/files/DPE_OM_DTD_13.12.21_Guidelines_on_New_PSE_Policy_0.pdf, Economic Survey 2021-2022, India Budget, accessed 10 November 2022, <https://www.indiabudget.gov.in/economicsurvey/ebook_es2022/index.html#p=86 >

^{^[25]} A similar approach has been taken in the new Occupational Safety, Health and Working Conditions Code, 2020 for registration of establishments under clause 3(3) of the Code.

^{^[26]} Sections 69 and 69A of the Information Technology Act, 2000.

^{^[27]} Anuradha Bhasin vs Union Of India, 3 SCC 637 (2020)

^{^[28]} Explanatory Note to the draft Indian Telecommunication Bill, 2022, Pg. 14.

^{^[29]}“USOF Scheme for Aspirational Districts in 5 states”, “Drishti IAS”, accessed 10 November 2022, https://www.drishtiias.com/daily-updates/daily-news-analysis/usof-scheme-for-aspirational-districts-in-5-states

^{^[30]}“What BharatNet can learn from the rural-roads scheme: involve states, local bodies, private sector” “ Centre for Internet and Society, accessed 10 November 2022, https://cis-india.org/telecom/blog/what-bharatnet-can-learn-from-the-rural-roads-scheme-involve-states-local-bodies-private-sector

^{^[31]} Functions of Authority, clause 11, TRAI Act, 1997.

^{^[32]} Pratap Vikram Singh, “Trai, try again: India’s toothless telecom regulator fights for more powers”, Aug 31, 2021, The Ken, <https://the-ken.com/story/trai-try-again-indias-toothless-telecom-regulator-fights-for-more-powers/>

^{^[33]} Ibid.

^{^[34]} “PTI” “Have power to settle competitive tariff issues: TRAI to CCI”, Aug 7, 2017, The Economic Times, https://economictimes.indiatimes.com/news/economy/policy/have-power-to-settle-competitive-tariff-issues-trai-to-cci/articleshow/59959144.cms?from=mdr

^{^[35]} CIVIL APPEAL NO(S). 11843 OF 2018

^{^[36]} Ibid at Para 90

^{^[37]} “Market Study on the Telecom Sector”, Jan 22, 2021, Competition Commission of India

^{^[38]} Global ICT Regulatory Outlook 2020 - Pointing the way forward to collaborative regulation (2020), ITU, https://www.itu.int/dms_pub/itu-d/opb/pref/D-PREF-BB.REG_OUT01-2020-PDF-E.pdf

^{^[39]}Informal Guidance Scheme of SEBI: Understanding the Concept and Analyzing the Guidance Provided by SEBI, Vijay Kumar Singh https://www.researchgate.net/publication/228226352_Informal_Guidance_Scheme_of_SEBI_Understanding_the_Concept_and_Analyzing_the_Guidance_Provided_by_SEBI>

^{^[40]} We have made similar recommendations to the Personal Data Protection Bill 2019, on the offences and penalties under the Bill. The comments can be viewed here: <https://cis-india.org/accessibility/blog/cis-general-comments-to-the-pdp-bill-2019>

^{^[41]}Recommendations On Traffic Management Practices (TMPs) and MultiStakeholder Body for Net Neutrality, TRAI, accessed 10 November 2022, https://www.trai.gov.in/sites/default/files/Recommendations_22092020_0.pdf

The comments were drafted by Abhishek Raj, Divyank Katira, Isha Suri, Shweta Mohandas and Vipul Kharbanda, and reviewed by Pallavi Bedi. Click to download the submission here

For more details visit https://cis-india.org/telecom/blog/cis-comments-to-draft-indian-telecom-bill-2022

CIS-ITfC-e-Shram-issue-brief-Dec-21 pdf

pranav — 2021-12-10T11:01:03Z

For more details visit https://cis-india.org/raw/cis-itfc-e-shram-issue-brief-dec-21-pdf

CIS's Comments on the Draft Geospatial Information Regulation Bill, 2016

pranesh — 2016-06-05T15:06:09Z

The Centre for Internet and Society is alarmed by the Draft Geospatial Information Regulation Bill, 2016, and has recommended that the proposed law be withdrawn in its entirety. It offered the following detailed comments as its submission.

Comments on the Draft Geospatial Information Regulation Bill, 2016

by the Centre for Internet and Society

1. Preliminary

1.1. This submission presents comments and recommendations by the Centre for Internet and Society (“CIS”) on the draft Geospatial Information Regulation Bill, 2016 (“the draft bill” / “the proposed bill” / “the bill”).

2. Centre for Internet and Society

2.1. The Centre for Internet and Society is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from the perspectives of policy and academic research. The areas of focus include accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfiguration of social processes and structures through the internet and digital media technologies, and vice versa.

2.2. This submission is consistent with CIS’ commitment to safeguarding the public interest, and particularly the representing the interests of ordinary citizens and consumers. The comments in this submission aim to further the principles of people’s right to information regarding their own country, openness-by-default in governmental activities, freedom of speech and expression, and the various forms of public good that can emerge from greater availability of open (geospatial) data created by both public and private agencies, and the innovations made possible as a result.

3. Comments

3.1. General Remarks

3.1.1. While CIS welcomes the intentions of the government to prevent use of geospatial information to undermine national security, the proposed bill completely fails to do so, infringes upon Constitutional rights, harms innovation, undermines the national initiatives of Digital India and Startup India, is completely impractical and unworkable, and it will lead to a range of substantial harms if the government actually seeks to enforce it.

3.1.2. There are already laws in place that prevent the use of geospatial information to undermine national security. For instance, the Official Secrets Act, 1923 (“OSA”) already contains provisions — sections 3(2)(a), (b), and (c) — all of which would prevent a person from creating maps that undermine national security and would penalise their doing so. Section 5 of the OSA contains multiple provisions that penalise the possession and communication of maps that undermine “national security.” The penalties under the OSA range from imprisonment of up to 3 years all the way to imprisonment up to 14 years. Given this, there is absolutely no need to create yet another law to deal with maps that undermine “national security.” Indeed, it is the government’s stated policy to reduce the number of laws in India, whereas the proposed bill introduces a redundant new law that adds multiple layers of bureaucracy.

3.1.3. The National Mapping Policy, 2005, already puts in place restrictions on wrongful depictions of India’s international boundaries, and as we explain below in section 3.4 of this document, even the National Mapping Policy is over-broad. Even if the government wishes to provide statutory backing to the policy, it should be a very different law that is far more limited in scope, and restricts itself to criminalising those who misrepresent India’s international boundary with an intention to mislead people into thinking that that is the official boundary of India as recognised by the Survey of India. CIS would support a law of such limited scope and mandate, provided it has an appropriate penalty.

3.1.4. There would be much utility in a law that creates a duty on the Survey of India to make available, in the form of an open standard, an official electronic version of the maps that it creates, and expressly allows and encourages citizens and startups to reuse such official maps, however the Ministry of Home Affairs would not be the nodal ministry for such a law.

3.1.5. We recommend that the proposed law be scrapped in its entirety.

3.1.6. We additionally provide an alternative manner of reducing the harms caused by this bill, in our comments below. By no means should these further comments be seen as a repudiation of our above position, since we do not feel the proposed bill, even with the inclusion of all of our recommendations, would truly further its stated aims. All our below recommendations would do is to reduce the bill’s harmful, and often unintended, consequences.

3.2. Definition of “Geospatial Information” is over-broad, all- encompassing

3.2.1. The second part of the definition of “geospatial information” refers to all “graphic or digital data depicting natural or man-made physical features, phenomenon or boundaries of the earth or any information related thereto” that are “referenced to a co-ordinate system and having attributes.” (Section 2(1)(e)) As per the definition, this will include all geo-referenced information, and data, that is produced by everyday users as an integral part of various everyday uses of digital technologies. This will also include geo-referenced tweets and messages, location of public and private vehicles shared in the real-time with agencies tracking their location (from public transport authorities, to insurance agencies, etc.), location data of mobile phones collected and used by telecommunication service providers, location of mobile phones shared by the user with various kinds of service providers (from taxi companies to delivery agencies), etc.

3.2.2. We recommend that instead of regulating all kinds of geospatial information, and giving rise to a range of possible harms, the draft bill be revised to specifically address “sensitive geospatial information,” defined as geospatial information related to the “Prohibited Places” as defined in the Official Secrets Act 1923 (section 2(8)) which will allow the bill to effectively respond to its key stated concerns of ensuring “security, sovereignty and integrity of India.” Since the National Map Policy defines “Vulnerable Points” and “Vulnerable Areas” (para 3(b)) as the two main types of geospatial units associated with “Prohibited Places”, these terms should also be referred to in the revised version of the draft bill.

3.3. Unreasonable regulation of acquiring and end-use of geospatial information

3.3.1. Section 3 of the draft bill states that “[s]ave as otherwise provided in this Act, rules or regulations made thereunder, or with the general or special permission of the Security Vetting Authority, no person shall acquire geospatial imagery or data including value addition” and “[e]very person who has already acquired any geospatial imagery or data ... including value addition prior to coming of this Act into effect, shall within one year from the commencement of this Act, make an application alongwith requisite fees to the Security Vetting Authority.” This effectively makes it illegal to acquire and maintain ownership of geospatial information that has not been subjected to security vetting.

3.3.2. This draft bill doesn’t apply just to geospatial information that may undermine national security but covers all manners of geospatial information and modern geospatial technologies embedded in everyday digital devices and intimately connected to various electronic products and services, from cars to mobile phones, result in the creation and acquiring of various kinds of geo-referenced information, ranging from the geo-referenced photographs to locations shared with friends. Even ordinary users who are unknowingly looking at maps that contain sensitive geospatial information, which are illegal under the Official Secrets Act, are committing an illegal act under the draft bill, because the users temporarily acquires such sensitive geospatial information in her/his digital device, as part of the very act of browsing the map concerned. This clearly cannot be the intention of the bill. Thus we recommend deletion of the word “acquire.”

3.3.3. Further, the insertion of the phrase “including value addition” in both Section 3(1) and 3(2) appears to suggest that all users who have created derivative products using geospatial information that includes sensitive data (that is data related to Prohibited Places) may be held liable under this draft bill, even if these users have not themselves collected or created such sensitive geospatial information, which was part of the original geospatial information published by the source map agency. This too cannot be the intention of the bill. Thus, we recommend deletion of the phrase “including value addition.”

3.3.4. In the definition of the “Security Vetting of Geospatial Information” itself, it is mentioned that the process will include “screening of the credentials of the end-users and end-use applications, with the sole objective of protecting national security, sovereignty, safety and integrity.” (Section 2(1)(o)) This appears to indicate that all end-users of all electronic and analog services and products using geospatial information will have to be individually vetted before such services and products are used, which would cover a large proportion of the Indian population. This imposes an enormous and impractical burden on the Indian digital economy in particular, and the entire national economy in general, without improving national security. This too cannot be the intention of the draft bill. Thus, we recommend deletion of this phrase, and ensure that end users are not covered by the law.

3.3.5. Given these specific characteristics of how modern geospatial technologies work, and how they provide a basis for various kinds of everyday use of electronic products and services, we would like to submit that the regulatory focus should be on large-scale and/or commercial dissemination, publication, or distribution of geospatial information, and not on the acts of acquiring, possessing, sharing, and using geospatial information. Further, the regulation in general should be aimed at the party owning the geospatial information in question, and not at the parties involved in its dissemination (say, Internet Service Providers) or in its generation or use (say, end-users).

3.4. Removal of journalistic, political, artistic, creative, and speculative depictions of India from the scope of Section 6

3.4.1. Section 6 of the draft bill states that “[n]o person shall depict, disseminate, publish or distribute any wrong or false topographic information of India including international boundaries through internet platforms or online services or in any electronic or physical form.” Section 15 imposes a penalty for such wrong depiction of maps of India.

3.4.2. Depictions of India, which do not purport to accurately represent the international boundaries as recognised by the Indian government should not be penalised. For instance, a map published in a newspaper article about India’s border disputes that shows the incorrect claims that the Chinese government has made over Indian territory would also be penalised as “wrong or false topographic information of India”, since there is a clear intention to depict the boundary as claimed by China. Criminalising such journalism cannot be the legitimate intent of such a provision.

3.4.3. There are numerous instances which have been willfully depicting inaccurate and inauthentic maps of India with international borders for political ends. For instance, there are often depictions of India which show territories within present day Pakistan, Bangladesh, Bhutan, Nepal and Sri Lanka as part of an “Akhand Bharat.” Depictions of this sort should not be penalised. In doing so, would contradict the freedom of expression guaranteed under Article 19(1)(a) without being a reasonable restriction under Article 19(2).

3.4.4. Even depictions of India for purposes of speculative fiction would be penalised under this proposed bill unless they depict the official borders. This is clearly undesirable and would not be allowed as a reasonable restriction under Article 19(2).

*3.4.5.* Even geography students in schools and colleges who mis-draw the official map of India would be liable to penalties under the draft bill. This plainly, cannot be the intention of the drafters of this bill. The creator of a rough and inaccurate tourist map of an Indian city can also be identified as committing a criminal act under the proposed bill as she would be depicting “… wrong or false topographic information of India …”

3.4.6. In brief: Merely depicting, disseminating, publishing or distributing any “wrong or false topographic information of India” should not be penalised. unless a person publishes and widely circulates an incorrect map of India while claiming that that represents the official international boundaries of India, such should not be penalised.

3.4.7. CIS recommends that the bill should instead state: “No person shall depict, disseminate, publish, or distribute any topographic information purporting to accurately depict the international boundaries of India as recognised by the Survey of India unless he is authorised to do so by the Surveyor General of India; provided that usage by any person of the international boundaries as is electronically and in print made available by the Survey of India shall deemed to be usage that is authorised by the Surveyor General of India.”

3.5. Absence of Publicly Available and Openly Reusable Standardised National Boundary of India

3.5.1. Given the lack of an reusable versions of maps of India, including of India’s official boundary as recognised by the Survey of India, it becomes impossible for people to accurately depict the boundary of India. We recommend that the bill requires the Survey of India to publish all “Open Series Maps,”as defined in the National Mapping Policy, 2005, including maps depicting the official international and subnational political and administrative boundaries of India, using open geospatial standards and under an open licence allowing such geospatial data to be used by citizens and all companies.

3.6. Remove Requirement for Prior License for Acquire, Dissemination, Publication, or Distribution of Geospatial Information

3.6.1. Section 9 of the draft bill refers to “any person who wants to acquire, disseminate, publish, or distribute any geospatial information of India” (emphasis added), which can be interpreted as the need for a prior license before any person decides to acquire (including creation, collection, generation, and buying) geospatial information. This creates at least two problems:

modern digital geospatial technologies have enabled everyday digital devices (like smartphones) to instantaneously acquire, disseminate, publish, and distribute geospatial information all the time when the person holding that device is looking at online digital maps, say Google Maps, or sharing location with their friends, online platforms and services and service providers (both local and foreign); and
the requirement of prior license involves payment of a “requisite fees” to the Security Vetting Authority, which may act as an arbitrary (since the fee might be based upon the volume of geospatial information to be acquired that one may not know fully determine before acquiring) and effective barrier to acquiring, dissemination, publication, or distribution of geospatial information even if it does not violate the concerns of “security, sovereignty, and integrity” in any manner. This requirement also impedes competition in the market, because new entrants to the geospatial industry may not have enough upfront capital to procure licenses.

3.6.2. Further, the requirement of necessary prior license for acquiring geospatial information does not seem to be a crucial component of the security vetting process, since the geospatial information, once acquired by the agency concerned, is in any case directed to be shared with the Security Vetting Authority for undertaking necessary expunging of sensitive or incorrect information.

3.6.3. We recommend revision of this section so that no prior license and/or permission is required for collection, acquiring, distribution, and/or use of geospatial information; instead, a framework may be established for monitoring of published geospatial information for purposes of ensuring geospatial information pertaining to “Prohibited Places,” as defined under the Official Secrets Act, is not made available to the general public by any person or entity under Indian jurisdiction, including, for instance, Indian subsidiaries and branches of foreign corporations.. Such a framework must not address the end-user of such geospatial information, but its publishers.

3.7. Unenforceable jurisdictional scope

3.7.1. Section 5 of the draft bill states “[s]ave as otherwise provided in any international convention, treaty or agreement of which India is signatory or as provided in this Act, rules or regulations made thereunder, or with the general or special permission of the Security Vetting Authority, no person shall, in any manner, make use of, disseminate, publish or distribute any geospatial information of India, outside India, without prior permission from the Security Vetting Authority.”

3.7.2. In compliance with this section, domestic and foreign companies and platforms will be required to obtain permission from the Security Vetting Authority of India prior to publishing, distributing etc. geospatial information. Similarly in the preliminary, the draft bill holds in person who commits an offence beyond India under the scope of the bill. The bill is thus proposing extraterritorial applicability of its provisions, yet the extent and method of enforcement of the same on other jurisdictions are kept unclear.

3.8. Negative implications for rights of citizens

3.8.1. There are a number of sections in the draft bill which have negative implications for the rights of all users and potentially impinge on the constitutional rights of Indian citizens. These include:

a. Section 18(2) which empowers the Enforcement Authority to conduct a search without a judicial search order;

b. Section 17(3) which empowers the Enforcement Authority to conduct undefined surveillance and monitoring to enforce the Act;

c. Chapter (V) which penalises individuals with Rs. 1-100 Crores and/or seven years in prison for an offence under the act;

d. Section 22 which allows the government to take ownership of a person’s land if a financial penalty has not been paid;

e. Section 30(1) which holds, in the case of the offense being committed by a company, every person in charge of and responsible for the conduct of business of the company, guilty and liable.

3.9. Overly broad powers and responsibilities of the Apex Committee and Enforcement Authority, and lack of adequate oversight

3.9.1. Section 7(2) states that “[t]he Apex Committee shall do all such acts and deeds that may be necessary or otherwise desirable to achieve the objectives of the Act, including the following functions:...” The wording in this section is broad and open ended, and allows for the responsibilities of the Apex Committee to be expanded without clear oversight of such expansion.

3.9.2. Similarly, section 17 established an “Enforcement Authority” for the purpose of carrying out surveillance and monitoring for enforcement of the draft bill. The Authority has been given a number of powers including the power of inquiry, the power to adjudicate, and the power to give directions. These powers have direct implications on the rights of individuals, yet the Authority is not subject to oversight or accountability requirements.

3.9.3. We recommend that the powers and responsibilities of the Apex Committee and Enforcement Authority are narrowly defined in the draft bill itself, limited by the principle of necessity, and subject to independent oversight and accountability requirements.

3.10. Remove the Security Vetting Authority’s power of delegation

3.10.1. Section 8(3) allows the Security Vetting Authority to delegate to any constituent member of the Authority, other subordinate committee, or officer powers and functions as it may deem necessary except the power to grant a licence. In practice, this will allow security vetting to be done by another institution and risks potential involvement of private agencies and/or quasi-governmental bodies.

3.10.2. We recommend that the power of delegation should not be granted to the Security Vetting Authority.

3.11. Negative implications for innovation and India’s digital economy

3.11.1. Section 3 of the draft bill states “[s]ave as otherwise provided in this Act, rules or regulations made thereunder, or with the general or special permission of the Security Vetting Authority, no person shall acquire geospatial imagery or data including value addition of any part of India either through any space or aerial platforms such as satellite, aircrafts, airships, balloons, unmanned aerial vehicles or terrestrial vehicles, or any other means whatsoever”. This effectively ensures that each and every user of geospatial data, products, services, and solutions — since all of these either include or are derivatives of geospatial information — would require prior permission from the Security Vetting Authority. This will substantially affect the existing and emerging digital economy in particular, and the entire economy in general.

3.11.2. Further, Section 9 of the draft bill mandates that any person submitting an application for geospatial information to be vetted must pay a fee. As the provisions of the bill mandate that users approach the Security Vetting Authority for license to use geospatial information, this will impose an immense burden on all users of digital devices in and outside of India. CIS submits that imposition of this fee for security vetting be removed.

3.12. Disproportionate penalty for acquisition of geospatial information

3.12.1. Section 12 states that “[p]enalty for illegal acquisition of geospatial information of India.- Whoever acquires any geospatial information of India in contravention of section 3, shall be punished with a fine ranging from Rupees one crore to Rupees one hundred crore and/or imprisonment for a period upto seven years.” Seven years in prison is disproportionate to the offense of acquiring geospatial information without vetting by the authority concerned. This is particularly true given the broad and all-encompassing definition of “geospatial information” in the draft bill, and the fact that the bill applies to individuals and companies both within and outside of India.

3.13. Improper and inconsistent usage of terms in the draft bill

3.13.1. Section 4 of the draft bill regulates the visualization, publication, dissemination and distribution of geospatial information of India, while section 5 regulates use, dissemination, publication, and distribution of geospatial information outside of India. The definition of “visualization” remains unclear, and the act is only regulated in section 4. The section 6 of the draft bill uses the term ‘depict’, which is undefined as well. We submit that in this context terms are interchangeable, and the draft bill should either define them expressly to avoid ambiguity in interpretations, or consistently use only one throughout the draft bill.

3.13.2. Section 11 (3) of the draft bill requires licensees to “[d]isplay the insignia of the clearance of the Security Vetting Authority on the security-vetted geospatial information by appropriate means such as water-marking or licence as relevant, while disseminating or distributing of such geospatial information.” We observe that geospatial information includes graphical representation, location coordinates, inter alia. While the former may be represented visually on an “as is” basis after the completion of the vetting, the latter may be used to perform other complex functions at the “back-end” (i.e., vendor-facing side) in various technologies. Water-marking and/or displaying of insignia would place undue burden on the licensee, depending on the kind of platform, service, or individual.

3.14. Lack of reference to technical implementation guidance

3.14.1. The regulation, harmonisation, and standardisation of the collection, generation, dissemination etc. of geospatial information is a complex process that goes beyond a process of security vetting and that will require extensive technical implementation guidance from the government. At a minimum this could include quality assurance considerations and standard operating procedures, yet the draft bill makes no reference to the need for technical standards or guidance.

Comments prepared by Sumandro Chattapadhyay, Adya Garg, Pranesh Prakash, Anubha Sinha, and Elonnai Hickok. Submitted by the Centre for Internet and Society, on June 3, 2016.

For more details visit https://cis-india.org/internet-governance/blog/comments-draft-geospatial-information-regulation-bill-2016

CIS' General Comments to the PDP Bill 2019

pallavi — 2020-02-21T10:10:54Z

For more details visit https://cis-india.org/accessibility/blog/cis-general-comments-to-the-pdp-bill-2019

CIS Welcomes 52nd Report on Cyber Crime, Cyber Security, and Right to Privacy

elonnai — 2014-02-24T10:49:46Z

The “Fifty Second Report on Cyber Crime, Cyber Security, and Right to Privacy” issued by the 2013 -2014 Standing Committee on Information Technology on February 12th 2014, highlights the urgent need for reform in India’s cyber security framework and the need for the much awaited privacy legislation to be finalized and made into a law.

Read the Fifty-Second Report on Cyber Crime, Cyber Security and Right to Privacy released by the Department of Electronics and Information Technology

The Report consists of questions on the state of cyber security, cyber crime, and privacy posed by the Standing Committee and briefings and evidence provided by the Department of Electronics and Information Technology (DEITY ) in reply. The Report concludes with recommendations from the Standing Committee on the way forward.

The Report represents an important step forward in the realm of privacy and cyber security in India as the evidence provided by DEITY clarifies a number of aspects of India’s present and upcoming cyber security policies and practices. Furthermore, the recommendations by the Standing Committee highlight present gaps and inadequacies in India’s policies and practices and needed steps forward– particularly the need for a privacy legislation in India in the context of cyber security, increased transactions of sensitive data, and governmental projects like the Unique Identification Project.

Broadly, the Standing Committee sought input from DEITY on eight different aspects of cyber crime, cyber security, and privacy in India - namely: the growing incidents of cyber crime and resulting financial loss, the challenges and constraints of cyber crime, the role of relevant governmental organizations in India with respect to cyber security, preparedness and policy initiatives, cyber security and the right to privacy, monitoring and grievance redressal mechanism, and education and awareness initiatives. The evidence provided by DEITY sheds light on the present mindset of the Government at this time, upcoming policies, and capacity and infrastructure gaps in India’s cyber security framework.

The Centre for Internet and Society appreciates the Report and we would like to highlight and emphasize the following aspects:

Need for a privacy legislation and inadequacy of privacy provisions in Information Technology Act: When asked by the Standing Committee about the right to privacy and cyber security, DEITY highlighted the fact that the Information Technology Act contains sufficient safeguards for privacy, and added that the Department of Personnel and Training (DoPT) is in the process of developing a privacy legislation that will address the general concerns of privacy in the country, and thus the two together will be sufficient. DEITY also noted that no study on the extent of privacy breach due to cyber crime in India has been conducted. In their recommendations, the Standing Committee noted that it was unhappy that the Government has yet to institute a legal framework on privacy, as the increased transfer of sensitive data and projects like the UID leave citizens vulnerable to privacy violations . Significantly, the Standing Committee recommended that though the DoPT is currently responsible for drafting the Privacy Bill, DEITY should coordinate with the DoPT and become involved in the process.

As recognized by the Standing Committee, the Centre for Internet and Society would like to further emphasize the inadequacy of the provisions relating to privacy in the Information Technology Act, and the need for a privacy legislation in India. Inadequate aspects of the provisions have been pointed out by a number of sources. For example:

The Report of the Group of Experts on Privacy: Prepared by the committee chaired by Justice AP Shah
First Analysis of the Personal Data Protection Law in India: Prepared by the University of Namur for the Commission of the European Communities Directorate General for Justice, Freedom, and Security
Comments on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011: Prepared by the Centre for Internet and Society and submitted to the Committee on Subordinate Legislation of the 15th Lok Sabha
India’s U-Turns on Data Privacy: Prepared by Graham Greenleaf for the Privacy Laws & Business International Report, Issues 110 -114, 2011

Unclear Enforcement of 43A and associated rules: In evidence provided, DEITY, while discussing section 43A and the associated Rules, noted that the Data Security Council of India and empanelled security auditors through CERT-in are responsible for the ‘auditing of best practice’s (pg 24). The Standing Committee did not directly respond to this comment.

The Centre for Internet and Society would like to point out that DEITY did not clearly state that DSCI and the auditors through CERT-in were responsible for auditing organizational security practices for compliance with 43A. Furthermore, there is no publicly available information regarding audits ensuring compliance with 43A or information about the number of companies that have been found to be compliant. The Centre for Internet and Society would like to encourage that this information be made public, and compliance with 43A be enforced at the organizational level.

UIDAI not in compliance with 43A and associated Rules: In evidence provided, DEITY noted that “..Section 43A and the rules published under that Section cover the entire privacy in case of digital data. These are being followed by UIDAI also and other organisations...” (pg.46) In their recommendations the Standing Committee did not directly address this comment, but did emphasize the need for a privacy legislation in light of the UID scheme.

The Centre for Internet and Society appreciates that the Standing Committee raised concern about the privacy implications of the UID project. We would like to highlight that the UIDAI is not a Body Corporate, and is not in compliance with 43A or the subsequent Rules in the Information Technology Act. Furthermore, the UID project involves the handling and processing of data in analogue and digital formats, and thus the privacy protections found under 43A are not sufficient.

The potential harms of metadata: In evidence provided, the Department noted “...we have been assured that whatever data has been gathered by them for surveillance relates only to the metadata..but we expressed that any incursion into the content will not be tolerated and is not tolerable from the Indian stand and point of view.” (pg.47) The Standing Committee did not respond directly to this comment.

The Centre for Internet and Society would like to thank the Standing Committee for noting that the Government should have taken prior steps to preventing such an interception from taking place and for recommending the Department to take develop a policy to prevent future instances of interception from taking place. The Centre for Internet and Society would like to emphasize the importance and potential sensitive nature of metadata. Metadata can, and often does, disclose more about an individual or an activity than the actual content. For example, metadata can reveal identity, behaviour patterns, associations, and can enable the mapping of location and individual movement. As such, the Centre for Internet and Society would recommend that the Government of India treat access to all information generated by individual and governmental communications as sensitive and confidential.

Inadequacy of the Information Technology Act: When asked by the Standing Committee if the Information Technology Act provided sufficient legal safeguards for cyber security and cyber crime, DEITY highlighted the fact that the Information Technology Act 2000 addresses all aspects of cyber crime in a comprehensive manner. DEITY also pointed out that the National Cyber Security Policy 2013 has provisions to enable the development of a legal framework, and the Department of Personnel and Training is in the process of drafting a privacy legislation for India that will fill any gaps that exist. In their recommendations, the Standing Committee recognized that the Information Technology Act does contain provisions that address cyber security and cyber crime, but, especially in the recent controversy over section 66A of the Act, Standing Committee emphasized the need for periodical reviews of the IT Act.

The Centre for Internet and Society appreciates the fact that the Committee recognized the need for periodical review of the Information Technology Act, particularly in light of the controversy over 66 A. The Centre for Internet and Society would like to underscore the problems associated with 66A and would like to highlight that with regards to privacy and cyber security, the IT Act is not adequate and falls short in a number of areas. Research that the Centre for Internet and Society has conducted explaining these weaknesses can be found through the below links:

Breaking Down Section 66A of the IT Act
Short note on IT Amendment Act, 2008

Implications of domestic servers: In response to questions posed by the Standing Committee about security risks associated with the importation of electronics and IT products, as well as the hosting of servers outside the country, DEITY noted the security risk of using foreign infrastructure and pointed to the hosting of servers in India as a solution to protecting the security and privacy of Indian data. The Standing Committee supported this initiative, and encouraged DEITY to take further steps towards securing and protecting the privacy of Indian data through the hosting of servers for critical sectors within India.

The Centre for Internet and Society appreciates the fact that the Standing Committee carefully limited the recommendation of locating servers in India to those in critical sectors, but would caution the Government of potential implications on users ability to freely access content and services, and highlight the fact that localization of servers is not a security solution in itself as a comprehensive solution and hardening of critical assets against cyber attacks is essential.

Incorporation of safeguards into MOU’s for international cooperation: When asked about MOU’s for international cooperation that DEITY has engaged in with other countries, DEITY reported that currently CERT-in is entering into a number of MOU’s with other countries to facilitate cooperation for cyber security purposes. Presently there are MOUs with the US, Japan, South Korea, Mauritius, Kasakhstan, Finland, and the Canada Electronics and ICT sector. DEITY is also seeking MOUs with Malaysia, Israel, Egypt, Canada, and Brazil. The Standing Committee supported India entering into MOU’s for purposes of international cooperation, and encouraged DEITY to continue entering into MOU’s to mitigate jurisdictional complications when seeking to address issues related to cyber security.

The Centre for Internet and Society recognizes the importance of international cooperation when handling issues related to cyber security and cyber crime. To ensure that this process is in line with human rights, the Centre for Internet and Society would encourage DEITY to ensure that all MOU’s and/or Mutual Legal Assistance Agreements:

Uphold the principle of dual criminality
Apply the highest level of protection for individuals in the case where the laws of more than one state could apply to communications surveillance
Are not used by any party involved to circumvent domestic legal restrictions on communications surveillance.
Are clearly documented and publicly available
Contain provisions guaranteeing procedural fairness.[1]

Hactivism as a benefit to society: In evidence provided on page 14, DEITY, among other elements, referred to Hactivism as a societal challenge to securing cyber security and tackling cyber crime. The Standing Committee did not directly address this comment.

The Centre for Internet and Society would like to point out that hacktivism is a complex topic and consists of methods. Though some methods used by hacktivists are illegal, and some use hacktivism for censorship purposes and to target certain groups, other forms of hacktivism can benefit society and strengthen cyber security by finding and revealing vulnerabilities in a system, and bringing attention to illegal or violative practices.

This works towards ensuring that a system is adequately secure. Because of the dynamic nature of hacktivism, the Centre for Internet and Society believes that hacktivism needs to be evaluated on a case by case basis and the Government should not broadly label hacktivism as a challenge to cyber security and cyber crime.[2]

Importance of the anonymous speech: In evidence provided, DEITY noted the threat to cyber security that the anonymous nature of the internet posed. This was reiterated by the Standing Committee in their recommendations.

While recognizing the potential threat to cyber security that the anonymous nature of the internet can pose, the Centre for Internet and Society would like to highlight the importance of anonymous speech online to an individual’s right to free expression.

Conclusion

Recognizing the direct connection between a strong privacy framework and a strong cyber security framework, as security cannot be achieved without privacy, and recognizing the need for a privacy legislation in light of governmental projects like the UID, the Centre for Internet and Society welcomes the Fifty Second Report on Cyber Crime, Cyber Security, and the Right to Privacy and echoes the Standing Committees recommendation and emphasis on the need for a comprehensive privacy legislation to be passed in India.

[1]. These safeguards are reflected in the principle of “safeguards for International Cooperation” found in the International Principles on the Application of Human Rights to Communications Surveillance” https://en.necessaryandproportionate.org/text

[2]. For more information about hacktivism see: Activism, Hacktivism, and Cyberterrorism. The Internet as a Tool for Influencing Foreign Policy. By Dorothy E. Denning. Georgetown University. Available at: http://www.iwar.org.uk/cyberterror/resources/denning.htm

For more details visit https://cis-india.org/internet-governance/blog/cis-welcomes-fifty-second-report-on-cyber-crime-cyber-security-right-to-privacy

CIS Supports the UN Resolution on “The Right to Privacy in the Digital age”.

elonnai — 2013-11-30T07:25:18Z

The United Nations adopted the resolution on the right to privacy recently. It recognised privacy as a human right, integral to the right to free expression, and also declared that mass surveillance could have negative impacts on human rights.

On November 26, 2013, the United Nations adopted a non-binding resolution on The Right to Privacy in the Digital Age. The resolution was drafted by Brazil and Germany and expressed concern over the negative impact of surveillance and interception on the exercise of human rights. The resolution was controversial as countries such as the US, the UK, and Canada opposed language that spoke to the right to privacy extending equally to citizens and non-citizens of a country. The resolution welcomed the report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression that examined the implications of surveillance of communications on the human rights of privacy and freedom of expression.

The resolution made a number of important statements that India, as a member of the United Nations, and as a country in the process of implementing a number of surveillance projects, like the Central Monitoring System, should take cognizance of, including in short:

Privacy is a human right: Privacy is a human right according to which no one should be subjected to arbitrary or unlawful interference with his or her privacy, family, home, or correspondence.
Privacy is integral to the right to free expression: an integral component in recognizing the right to freedom of expression.
Unlawful and arbitrary surveillance violates the right to privacy and freedom of expression: Unlawful and/or arbitrary surveillance, interception, and collection of personal data are intrusive acts that violate the right to privacy and freedom of expression.
Exceptions to privacy and freedom of expression should be in compliance with human rights law: Public security is a potential exception justifying collection and protection of information, but States must ensure that this is done fully in compliance with international human rights law.
Mass surveillance may have negative implications for human rights: Domestic and extraterritorial surveillance, interception, and the collection of personal data on a mass scale may have a negative impact on individual human rights.
Equal protection for online and offline privacy: The right to privacy must be equally protected online and offline.

The resolution further called upon states to:

Respect and protect the right to privacy, particularly in the context of digital communications.
To ensure that relevant legislation is in compliance with international human rights law
To review national procedures and practices around surveillance to ensure full and effective implementation of obligations under international human rights law.
To establish and maintain effective domestic oversight mechanisms around domestic surveillance capable of ensuring transparency and accountability.

The resolution finally calls upon the UN High Commissioner for Human Rights to present a report with views and recommendations on the protection and promotion of the right to privacy in the context of surveillance to the Human Rights Council at its twenty-seventh session and to the General Assembly at its sixty-ninth session and decides to examine “Human rights questions, including alternative approaches for improving the effective enjoyment of human rights and fundamental freedoms”.

The UN Resolution on the Right to Privacy in the Digital Age is a welcome step towards an international recognition of privacy as a human right in the context of communications and extra territorial surveillance. The Centre for Internet and Society encourages the Government of India to, as called upon in the Resolution, to review national procedures and practices around surveillance to ensure full and effective implementation of obligations under international human rights law.

Prior to the UN Resolution on “The Right to Privacy in the Digital Age”, a group of international NGO’s developed the Necessary and Proportionate principles that seek to form a backbone for a response to mass surveillance and provide a framework for governments to assess if domestic surveillance regimes are in compliance with international Human Rights Law. CIS has contributed to the process of developing these principles. The principles include legality, legitimate aim, necessity, adequacy, proportionality, competent judicial authority, due process, user notification, transparency, public oversight, integrity of communications and systems, safeguards for international cooperation, and safeguards against illegitimate access. A petition to sign onto the principles and demand an end to mass surveillance is currently underway.

Both the Government of India and public of India should take into consideration the UN Resolution and the necessary and proportionate principles to reflect on how India’s surveillance regime and practices can be brought in line with international human rights law and understand where the balance is drawn for necessary and proportionate surveillance, specific to the Indian context.

For more details visit https://cis-india.org/internet-governance/blog/cis-supports-the-un-resolution-on-201cthe-right-to-privacy-in-the-digital-age201d

CIS Submission to TRAI Consultation on Proliferation of Broadband through Public WiFi Networks

Sunil Abraham, Sharath Chandra Ram, Vidushi Marda, and Thejaswi Melarkode — 2016-10-02T06:16:46Z

The Centre for Internet and Society (“CIS”) is grateful for the opportunity to comment on this Consultation Paper (“Paper”). The comments were prepared by Sunil Abraham, Sharath Chandra Ram, Vidushi Marda, and Thejaswi Melarkode. Special thanks to Shyam Ponappa and Arjun Venkatraman for their inputs and feedback.

Preliminary Comments

Even in the early to mid-seventies, many Indians who wanted to own a radio receiver were expected to get a license from the government. If not then they were in violation of the law and there was nothing the government could do to enforce policies for their benefit. The deregulation of radio ownership has been key to its unfettered adoption and popularity today. Similarly, Wi-Fi, a radio transceiver must be deregulated further to bridge India's digital divide.

Before addressing specific questions posed by the Paper, we would like to make the following observations:

The Paper considers only commercial models for the provision of public Wi-Fi networks. This is a problematic assumption as it ignores the potential of not-for-profit models that involve grassroots communities, academia and civil society.
The Paper is infused with a vision and philosophy that is reminiscent of a colonial, license raj, centralized, top-down, command and control based, state monopoly paradigm. This is diametrically opposed to the foundational ethos of the Internet.
The Paper assumes that more regulation is required in order to ensure mass adoption of public Wi-Fi. In fact, the exact opposite is true - the rapid proliferation of broadband through public Wi-Fi networks will only be accomplished by aggressive deregulation.
The technological architecture being advanced by the Paper signals support of governance cum surveillance projects such as Aadhaar aka UID, India Stack, UPI and related projects which only undermine cyber-security and interferes with healthy competitive market dynamics between commercial and non-commercial actors. Again this is diametrically opposed to the foundational ethos of the Internet and a modern democratic information society.

Q1. Are there any regulatory issues, licensing restrictions or other factors that are hampering the growth of public Wi-Fi services in the country?

The most pressing issue which is hampering the growth of public Wi-Fi services in the country is that of over regulation. Under the current regulatory framework, public Wi-Fi is subject to licensing requirements, data retention, and Know-Your-Customer ("KYC") policies. The next issue is paucity of spectrum. So far the approach has been to assign exclusive property rights to certain frequencies and also raise billions of US Dollars through spectrum auctions based on the Supreme Court's understanding of spectrum as a national resource. Given the advancements in transceiver technologies, such as cognitive radios, it is possible for us to transcend the grid-lock of property rights and embrace paradigms like shared and unlicensed spectrum. Innovative technologies and neutral allocation of unlicensed spectrum will result in the growth of public and community wireless networks including those built on the Wi-Fi standard.

Q2. What regulatory/licensing or policy measures are required to encourage the deployment of commercial models for ubiquitous city-wide Wi-Fi networks as well as expansion of Wi-Fi networks in remote or rural areas?

The regulatory approach should be to deregulate the radio transceiver as much as possible so as to encourage innovation with lower barriers for participation.

The question falsely assumes that only commercial players can provide public Wi-Fi, Para 1.9 of the Paper only identifies scenarios where Unified License (UL) holders can take advantage of unlicensed spectrum to provide public Wi-Fi services. It fails to recognize that civil society, academia, and grassroots communities can also bring about ubiquitous city-wide Wi-Fi networks and expansion to remote and rural areas. For example, Village Telco and mesh networks are community-driven Wi-Fi models that are allowing a large number of individuals to gain access to Internet services using a public spirited or peer-to-peer philosophy.^{^[1]}

In terms of regulatory measures, CIS would recommend minimal and proportionate regulation, i.e. the regulation of entities involved in the provision of public Wi-Fi networks based on their capacity to harm the public interest and/or individual rights. By this we mean that only public Wi-Fi networks that have a large number of users (say, more than 5,000 individual users) should be subject to any regulation. Small-scale public Wi-Fi network providers, like public Wi-Fi networks in small villages or apartment complexes, should be left to self-regulation. Regulatory burdens which serve no purpose only deter these providers from providing such services at all.

Regulation must be technology-neutral, and should focus on the entities using these technologies who are capable of unlocking good or causing harm. This neutrality should be reflected in the name of the policy: "community-networking policy" and not "community Wi-Fi policy". The necessary changes must also be incorporated in the Paper and the draft policy to make this clear. The current definition of Wi-Fi is closely coupled with certain frequencies, and public wireless networks should be promoted regardless of technology and specific frequency bands.

In cases where private data services, (such as mobile telephony/ other private application specific data infrastructures) which may have been granted permission to deploy on an open-unlicensed or delicensed part of the spectrum, experience interference from a Public Wi-Fi setup. On the same frequency band, we call for the Public Wi-Fi to be given priority. This will prevent spectrum squatting.

Q3. What measures are required to encourage interoperability between the Wi-Fi networks of different service providers, both within the country and internationally?

This is a requirement for elite parts of society only but not a deal breaker for the provision of public Wi-Fi in India. There are a variety of existing market-based approaches. The further deregulation of Wi-Fi will result in the rise of public, community and non-commercial players which in turn will lead to further innovation and competition when it comes to interoperability across disparate Wi-Fi networks and providers.

Q4. What measures are required to encourage interoperability between cellular and Wi-Fi networks?

No measures are required. Millions of consumers in India already are able to interoperate between cellular networks and their home and office networks as they are in charge of the authentication or they have left these networks open. The reason they are unable to operate more easily with other networks is due to data retention, and KYC policies. Even in countries with much more challenging national security concerns, the data retention and KYC policies are not so strict. We are paying a terrible price in terms of broadband adoption because of our flawed approach to surveillance and cyber security. The answer here lies in deregulation of existing requirements, especially for community based organisations, NGOs, research institutions, educational institutions, galleries, museums, archives and public libraries. This will address the needs of those who cannot pay and are vulnerable. For those who can pay - commercial actors will innovate and provide the high-quality interoperability that they seek - this will not require any action on the part of the government.

Q5. Apart from frequency bands already recommended by TRAI to DoT, are there additional bands which need to be de-licensed in order to expedite the penetration of broadband using Wi-Fi technology? Please provide international examples, if any, in support of your answer.

In a 2012 policy brief on unlicensed spectrum^{^[2]}, CIS recommended the changes, listed below [in italics]. Since then, more modern approaches may have emerged which merit revisiting this question. These advances also merit delicensing bands more aggressively as the proprietary approach becomes more and more dated. This approach should also be technology neutral and must find a balance between proprietary, unlicensed, and shared spectrum.^{^[3]}

Frequencies in the 6, 11, 18, 23, 24, 60, 70, and 80 GHz bands, to facilitate replicating examples like Webpass (USA) which has radios capable of delivering up to 2Gbps both upstream and downstream.^{^[4]}
Frequencies in the 5.15 GHz-5.35 GHz bands, as well as 5.725-5.775 GHz bands are unlicensed for indoor use only. These bands should be unlicensed for outdoor use as well in order to facilitate the creation of wider wireless communication networks and the use of innovative technologies.
There should be more unlicensed spectrum in the 2.4 GHz range, beyond what is already unlicensed, for the expansion of wireless communication networks.
The 1800-1890 MHz band, which is earmarked for the operations of low power cordless communication in India, should be unlicensed in line with international practices. Many bands for this use have already been unlicensed in Europe and the United States. ^{^[5]}
50 Mhz in the 700Mhz - 900Mhz band, earmarked for broadcast should be made available to better utilize available spectrum, almost 100Mhz is currently unused in most parts of the country.

Q6. Are there any challenges being faced in the login/authentication procedure for access to Wi-Fi hotspots? In what ways can the process be simplified to provide frictionless access to public Wi-Fi hotspots, for domestic users as well as foreign tourists?

The challenge here is that of over regulation and the belief that elaborate KYC requirements will solve problems of national security. What these requirements achieve is a lot of inconvenience for the general population while criminals are able to evade detection through fake IDs, burner phones, etc. as KYC requirements only create barriers without security payoffs. The fact that jurisdictions such as the UK, and other countries in Europe allow for purchase of SIM cards without KYC norms goes to show that there are effective ways of gathering intelligence that do not involve a KYC regime.

In terms of authentication, a healthy ecosystem will allow for both anonymous access to Wi-Fi hotspots as well as access through authentication.

There is a need for deregulation in order to allow anonymous access. For access through authentication, some providers may wish to have light KYC norms whereas others may choose to have rigorous KYC norms that are integrated with Aadhaar, India Stack, etc. The decision should ultimately be taken by the provider and thus deregulation is the key. The most frictionless model is the unauthenticated model that allows anonymous access, followed by a light KYC regime, and the model with the most friction is that with intensive KYC requirements.

The existing customer log-in procedure requirements that have been laid down by the Department of Telecommunications (DoT), Ministry of Communications, Government of India, which necessitate a user to provide a photo ID or to avail a one-time password (OTP) through SMS should be done away with for two reasons. First, it does not allow for a user to access the public Wi-Fi network without authentication and this leads to a loss of anonymity over that network when the user accesses any Internet-based services. Secondly, it assumes that all people will have access to mobile phones/smartphones. So far as the Indian scenario is concerned, this is certainly not the case in many households where only the head of the family, who is more often than not a male member, has access to such devices. Many individuals also use much simpler devices which may not be able to receive OTPs (see Raspberry Pi models, for example). Such a requirement would, in effect, deprive a large number of individuals from accessing public Wi-Fi services and would defeat the purpose of even setting up such networks.

Q7. Are there any challenges being faced in making payments for access to Wi-Fi hotspots? Please elaborate and suggest a payment arrangement which will offer frictionless and secured payment for the access of Wi-Fi services.

This question is backed by three assumptions. First, it assumes that only commercial provision of Wi-Fi is possible. Second, it assumes that "a (singular) payment arrangement" is the preferred approach. Third, it assumes that it is possible for regulators to predict the most appropriate business / technological model for payments online. This is best left to competition between commercial and noncommercial players in the market. The existing regulations from the RBI and laws that govern electronic transactions are sufficient. No specific regulations are required for access to Wi-Fi hotspots.

Q8. Is there a need to adopt a hub-based model along the lines suggested by the WBA, where a central third party AAA (Authentication, Authorization and Accounting) hub will facilitate interconnection, authentication and payments? Who should own and control the hub? Should the hub operator be subject to any regulations to ensure service standards, data protection, etc.?

"A central third party AAA (Authentication, Authorization and Accounting) hub" is antithetical to the foundational ethos of the Internet. Any attempt to foist that on Indian citizens will lead to a slowing down of wireless broadband adoption. From a cyber-security perspective this can only lead to large-scale and irreversible disasters and on the contrary policy measures should be taken to prevent centralization. For Indian cyberspace to be a resilient and free market, competition amongst both commercial and noncommercial players must be enabled for Authentication, Authorization and Accounting.

Q9. Is there a need for ISPs/ the proposed hub operator to adopt the Unified Payment Interface (UPI) or other similar payment platforms for easy subscription of Wi-Fi access? Who should own and control such payment platforms? Please give full details in support of your answer.

As we submitted in response to the earlier question: "a central third party AAA (Authentication, Authorization and Accounting) hub" is antithetical to the foundational ethos of the Internet. Aadhaar aka UID, India Stack and the Unified Payment Interface (UPI) are similar state sanctioned monopolies that only increase fragility and interfere with the functioning of markets. Also this question assumes that citizens will have to pay for access to WiFi. Therefore, we recommend that the government does not regulate payments beyond the existing measures in Banking Law.

Q10. Is it feasible to have an architecture wherein a common grid can be created through which any small entity can become a data service provider and able to share its available data to any consumer or user?

The government or the regulator should not be making recommendations on technical architectures. All that is required to the lift all limits on reselling or sharing data via law.

Q11. What regulatory/licensing measures are required to develop such architecture? Is this a right time to allow such reselling of data to ensure affordable data tariff to public, ensure ubiquitous presence of Wi-Fi Network and allow innovation in the market?

CIS would ask for forbearance in this regard, as anything else will be a case of over regulation.

Q12. What measures are required to promote hosting of data of community interest at local level to reduce cost of data to the consumers?

There are two measures that can be taken. The first is to change the public procurement policy to promote openness in the form of free and open source software, open standards, open content, open access, open educational resources and open data.

The second is to use public funds to shape the market and create publicly licensed material, or material available under exceptions and limitations of copyright law. To promote hosting data of community interest at a local level, public funds must be used to create intellectual property that can be freely licensed to the public. India already has a progressive copyright law, and the exceptions available under it should be seeded by the government through public funding. These exceptions include the statutory exception of copyright cess/ levy to broadband bills, exceptions for the disabled, libraries and archives and also education.

Q13. Any other issue related to the matter of Consultation.

Figure 2.2 of the Paper depicts Wi-Fi Monetization Pyramid based on Cisco's Wi-Fi Opportunity Pyramid.[2] As pointed out earlier, this ignores the possibility of non-commercial models. To quote Bruce Schneier, "surveillance is the business model of the Internet" ^{^[6]} and this business model is one that should not be encouraged. The pyramid only allows for a for-profit model and it is inherently based on needless surveillance of users. While monetization may be one of the main incentives, it is by no means the only way to sustain such public Wi-Fi networks and for this reason, CIS recommends that such a depiction be discarded.

The balancing of this monetization pyramid is one of the requirements to put in place an effective public Wi-Fi network structure. Another issue arises with respect to the definition of Wi-Fi. Currently, spectrum is limited to the 2.4 GHz or the 5 GHz bands but this has been expanded upon to encompass the LTE (4G) Core during the GSMA, Wireless Broadband Alliance and Wi-Fi Alliance 3GPP following the Mobile World Congress in 2013. Such a set-up would allow for frequency hopping between bands and to prevent (or allow) this, the definition of Wi-Fi in the context of public Wi-Fi networks must be clarified.

^{^[1]} See Centre for Internet and Society, Unlicensed Spectrum Brief for the Government of India, June 2012; Available at http://cis-india.org/telecom/unlicensed-spectrum-brief.pdf

^{^[2]} Supra note 1.

^{^[3]} Example of shared spectrum being advanced in the US: " Specifically, the FCC adopted rules for CBRS, opening 150 MHz of spectrum in the 3550-3700 MHz band for commercial use. A Spectrum Access System (SAS), which is now in the process of being hammered out at the FCC with prospective coordinators, will make it possible to share spectrum where it hasn't been done before ." See, Monica Alleven, "Google, Intel, Nokia and more partner to advance U.S. 3.5 GHz CBRS", Fierce Wireless, (February 18, 2016) available at http://www.fiercewireless.com/tech/google-intel-nokia-and-more-partner-to-advance-u-s-3-5-ghz-cbrs .

^{^[4]} " Webpass buildings have radios capable of delivering up to 2Gbps both upstream and downstream… Anything beyond 5,000 meters will still work but you lose bandwidth… Webpass radios operate in many different frequencies, including the unlicensed 2.4GHz and 5GHz bands used by Wi-Fi, Barr said. Webpass also uses the 6, 11, 18, 23, 24, 60, 70, and 80GHz bands. These include a mix of licensed and unlicensed frequencies…" See, Jon Brodkin, "500 Mbps broadband for $55 a month offered by wireless ISP", arsTECHNICA, (June 18, 2015), available at: http://arstechnica.com/information-technology/2015/06/500mbps-broadband-for-55-a-month-offered-by-wireless-isp/

^{^[5]} Supra note 1, at 17.

^{^[6]} See Bruce Schneier, 'Stalker economy' here to stay, CNN, (Nov. 26, 2013, 17:53 GMT), available at http://edition.cnn.com/2013/11/20/opinion/schneier-stalker-economy/index.html

For more details visit https://cis-india.org/telecom/blog/cis-submission-to-trai-consultation-on-proliferation-of-broadband-through-public-wifi-networks

CIS Submission to TRAI Consultation Note on Model for Nation-wide Interoperable and Scalable Public Wi-Fi Networks

2016-12-12T13:59:00Z

This submission presents responses by the CIS on the Consultation Note on Model for Nation-wide Interoperable and Scalable Public Wi-Fi Networks published by the TRAI on November 15, 2016. Our analysis of the solution proposed in the Note, in brief, is that there is no need of a solution for non-existing interoperability problem for authentication and payment services for accessing public Wi-Fi networks. The proposed solution in this Note only adds to over-regulation in this sector, and does not incentivise new investment in the sector, but only establishes UIDAI and NPCI as the monopoly service providers for authentication and payment services.

The comments were authored by Japreet Grewal, Pranesh Prakash, Sharath Chandra, Sumandro Chattapadhyay, Sunil Abraham, and Udbhav Tiwari, with expert comments from Amelia Andersdotter.

1. Preliminary

1.1. This submission presents responses by the Centre for Internet and Society (“CIS”) [1] on the Consultation Note on Model for Nation-wide Interoperable and Scalable Public Wi-Fi Networks (“the Note”) published by the Telecom Regulatory Authority of India (“TRAI”) on November 15, 2016 [2].

1.2. The CIS welcomes the effort undertaken by TRAI to map regulatory and other barriers to deployment of public Wi-Fi in India. We especially appreciate that TRAI has recognised [3] two key barriers to provision of public Wi-Fi networks identified and highlighted in our earlier response to the Consultation Paper on Proliferation of Broadband through Public WiFi [4]: 1) over regulation (including, licensing requirements, data retention, and Know Your Customer policy), and 2) paucity of spectrum [5].

2. General Responses

2.1. Before responding to the specific questions posed by the Note, we would like to make the following observations.

2.2. There is no need of a solution for non-existing interoperability problem for authentication and payment services for accessing public Wi-Fi networks. The proposed solution in this Note only adds to over-regulation in this sector. The proposed solution does not incentivise new investment in the sector, but only establishes UIDAI and NPCI as the monopoly service providers for authentication and payment services.

2.3. As the TRAI has consulted widely with industry and other stakeholders before it settled on the list of priority issues contained in Section C.6 of the Note, we are surprised to find that this Note aims to address only the problem of lack of “seamless interoperable payment system for Wi-Fi networks” (Section C.6.d. Of the Note), and does not discuss and propose solutions for any other key barriers identified by the Note.

2.4. The Note fails to clarify the “interoperability” problem in the payment system for usage of public Wi-Fi networks that it is attempting to solve. The Note identifies that lack of “single standard” for “authentication and payment mechanisms” for accessing public Wi-Fi networks as a key impediment to provide scalable and interoperable public Wi-Fi networks across the country [6]. By conceptualising the problem in this manner, TRAI has bundled together two completely different concerns - authentication and payment - into one and this is at the root of the problems emanating from the proposed solution in this Note.

2.5. Lack of standard process for authentication is created by over-regulation via Know Your Customer (“KYC”) policies, and selection of eKYC service provided by UIDAI as the only acceptable authentication mechanism for all users of public Wi-Fi networks across India, creating further economic and legal challenges for smaller would-be providers of public Wi-Fi networks as they assess their liabilities and start-up costs. Additionally, since this would amount to making UID/Aadhaar enrolment mandatory for any user of public wi-fi networks, it seems to create a contradiction with previously communicated policy from the UIDAI and the Government that no such obligation should arise. Supreme Court has also mandated over successive Orders that enrolment for UID/Aadhaar number should remain optional for the citizens and residents.

2.6. As was observed by the respondents to the TRAI Consultation concluded earlier this year, there is no interoperability problem that needs to be solved regarding payments for accessing public Wi-Fi networks. Payment services continue to be evolved and payment aggregator services provided by existing companies may be expected to resolve many of the outstanding issues of service proliferation in the upcoming years, at least in the absence of additional mandatory technical measures imposed by the government. Bundling of payment with authentication will only undermine the already existing independent market for payment aggregators, and further enforce mandatoriness of UID/Aadhaar number.

2.7. Further, the payment mechanism proposed would seem to worsen difficulties for tourists and foreigners in accessing public Wi-Fi in India, as well adds an additional layer of authentication in a system already identified (even in the Note itself) to be overburdened by regulations regarding KYC and data retention. Section C.6.b of the Note highlights the problems faced by foreigners and tourists when the authentication mechanism is premised upon use of One Time Password (OTP) that requires a functioning local mobile phone number. It contradicts itself later by proposing an authentication method that requires the user to not only download an application onto their mobile/desktop device, but also to enrol for UID/Aadhaar number and/or to use their existing UID/Aadhaar number. Instead of reducing the existing barriers to provision of and access to public Wi-Fi, which the Note is supposed to achieve, it creates significant new barriers.

2.8. The technological architecture advanced by the Note upholds support of governance and surveillance projects that, in addition to being costly in their implementation and thereby slowing down the objective of getting India connected, are also of questionable value to the security of the Indian polity. UID, UPI, and related projects risk undermining cyber-security through their reliance on centralised architectures and interfere with healthy competitive market dynamics between commercial and non-commercial actors.

2.9. The Note continues to only consider and enable commercial models for the provision of public Wi-Fi networks. We have identified this as a problematic assumption in our last submission [7]. It is most crucial that TRAI does not ignore and fail to promote and facilitate the possibility of not-for-profit models that involve grassroot communities, academia, and civil society.

2.10. Last but not the least, the term “Wi-Fi” refers to a particular technology for establishing wireless local area networks. Further, the term is a trademark of the Wi-Fi Alliance [8]. It is this not a neutral term, and it must not be used as a general and universal synonym for wireless local area networks. We recommend that TRAI may consider using a technology-neutral term, say “public wireless services” or “public networking services”, to describe the sector. Following the terminology used in the Note, we have decided to continue using the term “Wi-Fi” in this response. This does not reflect our agreement about the appropriateness of this term. Important: The recommendation for technology-neutral regulation also comes with the qualification that safeguards like regulations on Listen Before Talk and Cycle Time are required to prevent technologies like LTE-U from squatting on spectrum and interfering with connections based on other standards.

3. Specific Responses

Q1. Is the architecture suggested in the consultation note for creating unified authentication and payment infrastructure will enable nationwide standard for authentication and payment interoperability?

3.1. No. The proposed infrastructure is likely to be costly for a large number of actors to implement and undermine some of the ongoing innovation in the Indian digital payment services industry. Rather than being helpful, it risks introducing additional requirements on an industry that TRAI has already identified as facing a number of large challenges.

3.2. There is no need for a unified architecture that provides nationwide standard for authentication and payment interoperability. It does not offer any incentive towards provision of public Wi-Fi networks. Neither is there an interoperability problem at the physical or data link layers that has been pointed out, nor is government mandated interoperability required at the payment or ID layer since there are private entities that provide such interoperability (like, payment aggregators). Additionally, we believe it is inappropriate that the TRAI is trying to predict the most suitable business/technological model for digital payments to be used for accessing commercial Wi-Fi networks. India has a booming online payments industry, and it must be allowed to evolve in an enabling regulatory environment that allow for competition and ensures responsible practices.

3.3. The Note identifies several structural impediments to expansion of public Wi-Fi networks in India, namely paucity of backhaul connectivity infrastructure (Section C.6.a), Inadequate associated infrastructure to offer carrier grade Wi-Fi network (Section C.6.c), dependency of authentication mechanism on pre-existing (Indian) mobile phone connection (Section C.6.b), and limited availability of spectrum to be used for public Wi-Fi networks (Section C.6.e). All these are crucial concerns and none of them have been addressed by the architecture suggested in the Note.

Q2. Would you like to suggest any alternate model?

3.4. Yes. The model proposed in the Note is likely to exclude several types of potential users (say, foreigners and tourists), and impose a single authentication and payment service provider for accessing public Wi-Fi networks, which may undermine both competition and security in the market for these services.

3.5. Internationally, there are cities and regions (say, the city of Barcelona and the Catalonia region in Spain) where public Wi-Fi networks have been provided in a pervasive and efficient manner by taking a light regulatory approach that enables opportunities for potential providers to set up their own infrastructures and additionally have access to backhaul. Further, reducing legal requirements on authentication should be considered in place of government mandated technical architectures for authentication and payment. In particular, allowing for anonymous access to Public Wi-Fi or wireless connectivity would reduce both the administrative and the technical burden on potential providers at the hyper-local level, especially for providers whose main activity it is not, and cannot be, to provide internet services (say, event venues, malls, and shops).

3.6. The CIS suggests the following steps towards conceptualising an “alternative model”:

remove existing regulatory disincentives,
urgently explore policies to promote deployment of wired infrastructures in general, and to enable a larger range of actors, including local authorities, to invest in and deploy local infrastructures by reducing licensing requirements in particular,
examine spectrum requirements for provision of public Wi-Fi, and
provide incentives, such as allowing telecom service providers to share backhaul traffic over public Wi-Fi, and ways for telecom service providers to lower their costs if they also make Internet access available for free.

Q3. Can Public Wi-Fi access providers resell capacity and bandwidth to retail users? Is “light touch regulation” using methods such as “registration” instead of “licensing” preferred for them?

3.7. CIS holds that capacity and bandwidth are neither comparable to tangible goods nor to digital currency. They are a utility, and the provider of the utility has to accept that their customers use the utility in the way they see fit, even if that use entails sharing said capacity and bandwidth with downstream private persons or customers. Wi-Fi capabilities are currently a built-in standardised feature of all consumer routers. Any individual, community, or store with access to an internet connection and a consumer router could become a public Wi-Fi access provider at no additional cost to themselves, furthering the goals of the Indian government in its Digital India strategy to ensure public and universal access to the internet.

3.8. In order to exploit the opportunities awarded by a large amount of entities in the Indian society potentially becoming Public Wi-Fi providers, TRAI should require neither registration nor licensing of these actors. Imposing administrative burdens on potential public Wi-Fi access providers creates legal uncertainty and will cause a lot of actors, who may otherwise contribute to the goals of Digital India, not to do so. This is particularly true for community organisers and citizens, who may not have access to legal assistance and therefore may avoid contributing to the goals of the government.

3.9. Light touch regulation when it comes to both granting license to public Wi-Fi access providers as well as authentication of retail users, however, are needed not only as an exceptional practice for such instances but as a general practice in case of entities offering public Wi-Fi services, either commercially or otherwise. Further, additional laxity in administrative responsibilities is needed to incentivise provision of free, that is non-commercial, public Wi-Fi networks.

Q4. What should be the regulatory guidelines on “unbundling” Wi-Fi at access and backhaul level?

3.10. The Note refers to unbundling of activities related to provision of Wi-Fi but it does not define the term. It is neither explained which specific activities at access and backhaul levels must be considered for unbundling.

3.11. While unbundling should clearly be allowed and any regulatory hurdles to unbundling should be removed, any such decision must be taken with a focus on urgently addressing the stagnated growth in landline and backhaul, as identified in Section C.6.a of the Note. Relying only on spectrum intensive infrastructures, such as mobile base stations, for providing connectivity, creates a heavy regulatory burden for the TRAI, while simultaneously not ensuring optimal connectivity for business and private users. The CIS is concerned that the focus of the Note on standardising a government-mediated authentication and payment mechanism detracts attention from this urgent obstacle to the fulfillment of the Digital India plans of accelerated provision of broadband highways, universal access, and public, especially free, access to internet services.

3.12. From the example of European telecommunications legislations, implementation of policy measures to ensure that vertical integration between infrastructure (say, cables, switches, and hubs) providers and service (say, providing a subscriber with a household modem or a SIM card) providers in the telecommunications sector does not become a barrier to new market entrants has yielded much success in countries that have pursued it, like Sweden and Great Britain.

3.13. Further, there should be no default assumption of bundling by the TRAI. In particular, the TRAI should consider reviewing all regulations that may cause bundling to occur when this is not necessary, and put in place in a monitoring mechanism for ensuring that bundled practises (especially in electronic networks, base station infrastructures, backhaul and similar) do not cause competitive problems or raise market entry barriers [9]. In most EU countries, especially where the corporate structure of incumbent(s) is not highly vertically integrated, interconnection requirements for electronic network providers of wired networks in the backhaul or backbone (effectively price regulated interconnection), and a conscious effort to ensure that new market players can enter the field, have ensured a competitive telecommunications environment. TRAI may consider reviewing the European regulation on local loop unbundling (1999) and discussions on functional separation (especially by the British regulatory authority Ofcom), within an Indian context.

Q5. Whether reselling of bandwidth should be allowed to venue owners such as shop keepers through Wi-Fi at premise? In such a scenario please suggest the mechanism for security compliance.

3.14. Yes. Venue owners should be allowed to provide public Wi-Fi service both on a commercial and non-commercial basis.

3.15. It is not clear from the Note and the question what type of security concerns the TRAI is seeking to address. In terms of payment security, the payment industry already has a large range of verification and testing mechanisms. The CIS objects to the mandatory introduction of the proposed payment system so as to ensure greater security for Wi-Fi access providers and the users.

3.16. As far as hardware-related security issues are concerned, it is again unclear why consumer equipment compliant with existing Wi-Fi standards would not be sufficiently secure in the Indian context. Wi-Fi has proven to be a sturdy technical standard, its adoption is high in multiple jurisdictions around the world, and it also enjoys great technical stability. Similar security assessments could easily be made for alternative wireless technologies, such as WiMaX.

3.17. The CIS foresees problems is in the allocation of risk and liability by law. The already existing legal obligation to verify the identity of each user, for instance, is likely to introduce a large administrative burden on potential Public Wi-Fi providers, which may lead to such potential providers abstaining from entering the market. Should the identification requirement be removed, however, other concerns pertaining to legal obligations may arise. These include liability for user activities on the web or on the internet (cf. copyright infringement, libel, hate speech). We propose a “safe harbour” mechanism in these cases, limiting the liability of the potential public Wi-Fi provider.

Q6. What should be the guidelines regarding sharing of costs and revenue across all entities in the public Wi-Fi value chain? Is regulatory intervention required or it should be left to forbearance and individual contracting?

3.18. The market segments identified by the TRAI in Section F.18 of the Note should normally all be competitive markets themselves, and so do not require regulatory assistance in sharing of costs and revenues. The more elaborate the requirements imposed on each actor of each market segment identified by the TRAI in Section F.18, the more costly the roll-out of public Wi-Fi is going to be for the market actors. Such a cost is not avoided by price regulation.

3.19. The TRAI may instead consider introducing public funding for backhaul roll-out in remote areas, where the market is unlikely to engage in such roll-out on its own. Presently, some Indian states (such as Karnataka) are committing to public funding for wireless access in remote areas. The Union Government can assist such endeavours.

Endnotes

[1] See: http://cis-india.org/.

[2] See: http://trai.gov.in/Content/ConDis/20801_0.aspx.

[3] See Section C.6 of the Note.

[4] See: http://trai.gov.in/Content/ConDis/20782_0.aspx.

[5] See: http://cis-india.org/telecom/blog/cis-submission-to-trai-consultation-on-proliferation-of-broadband-through-public-wifi-networks.

[6] See Section E.11. of the Note.

[7] See: http://cis-india.org/telecom/blog/cis-submission-to-trai-consultation-on-proliferation-of-broadband-through-public-wifi-networks.

[8] See: https://www.wi-fi.org/.

[9] See: Monitoring bundled products in the telecommunications sector is also recommended by the OECD: http://oecdinsights.org/2015/06/22/triple-and-quadruple-play-bundles-of-communication-services-towards-all-in-one-packages/.

For more details visit https://cis-india.org/telecom/blog/cis-submission-trai-note-on-interoperable-scalable-public-wifi

CIS submission to the UNGA WSIS+10 Review

jyoti — 2015-08-09T16:24:04Z

The Centre for Internet & Society (CIS) submitted its comments to the non-paper on the UNGA Overall Review of the Implementation of the WSIS outcomes, evaluating the progress made and challenges ahead.

To what extent has progress been made on the vision of the peoplecentred, inclusive and development oriented Information Society in the ten years since the WSIS?
The World Summit on the Information Society (WSIS) in 2003 and 2005 played an important role in encapsulating the potential of knowledge and information and communication technologies (ICT) to contribute to economic and social development. Over the past ten years, most countries have sought to foster the use of information and knowledge by creating enabling environment for innovation and through efforts to increase access. There have been interventions to develop ICT for development both at an international and national level through private sector investment, bilateral treaties and national strategies.

However, much of the progress made in the past ten years in terms of getting people connected and reaping the benefits of ICT has not been sufficiently peoplecentred, nor have they been sufficiently inclusive.

These developments have not been sufficiently peoplecentred, since governments across the world have been using the Internet as a monumental surveillance tool, invading people’s privacy without legitimate justifications, in an arbitrary manner without due care for reasonableness, proportionality, or democratic accountability. These developments have not been sufficiently peoplecentred, since the largest and most profitable Internet businesses — businesses that have more users than most nationstates have citizens, yet have one-sided terms of service — have eschewed core principles like open standards and interoperability that helped create the Internet and the World Wide Web, and instead promote silos.

We still reside in a world where development has been very lopsided, and ICTs have contributed to reducing some of these gulfs, while exacerbating others. For instance, persons with visual impairment are largely yet to reap the benefits of the Information Society due to a lack of attention paid to universal, while sighted persons have benefited far more; the ability of persons who don’t speak a language like English to contribute to global Internet governance discussions is severely limited; the spread of academic knowledge largely remains behind prohibitive paywalls.

As ICTs have grown both in sophistication and reach, much work remains to achieve the peoplecentred, inclusive and developmentoriented information society envisaged in WSIS. While the diffusion of ICTs has created new opportunities for development, even today less than half the world has access to broadband (with only eleven per cent of the world’s population having access to fixed broadband). See International Telecommunication Union, ICT Facts and Figures: The World in 2015.

Ninety per cent of people connected come from the industrialized countries — North America (thirty per cent), Europe (thirty per cent) and the AsiaPacific (thirty per cent). Four billion people from developing countries remain offline, representing two-thirds of the population residing in developing countries. Of the nine hundred and forty million people residing in Least Developed Countries (LDCs), only eighty-nine million use the Internet and only seven per cent of households have Internet access, compared with the world average of forty-six per cent. See International Telecommunication Union, ICT Facts and Figures: The World in 2015. This digital divide is first and foremost a question of access to basic infrastructure (like electricity).

Furthermore, there is a problem of affordability, all the more acute since in the South in comparison with countries of the North due to the high costs related to access to the connection. Further, linguistic, educational, cultural and content related barriers are also contributing to this digital divide. Growth of restrictive regimes around intellectual property, vision of the equal and connected society. Security of critical infrastructure with in light of ever growing vulnerabilities, the loss of trust following revelations around mass surveillance and a lack of consensus on how to tackle these concerns are proving to be a challenge to the vision of a connected information society. The WSIS+10 overall review is timely and a much needed intervention in assessing the progress made and planning for the challenges ahead.

There were two bodies as major outcomes of the WSIS process: the Internet Governance Forum and the Digital Solidarity Fund, with both of these largely failing to achieve their intended goals. The Internet Governance Forum, which is meant to be a leading example of “multi-stakeholder governance” is also a leading example of what the Multi-stakeholder Advisory Group (MAG) noted in 2010 as “‘black box’ approach”, with the entire process around the nomination and selection of the MAG being opaque. Indeed, when CIS requested the IGF Secretariat to share information on the nominators, we were told that this information will not be made private. Five years since the MAG lamented its own blackbox nature, things have scarcely improved. Further, analysis of MAG membership since 2006 shows that 26 persons have served for 6 years or more, with the majority of them being from government, industry, or the technical community. Unsurprisingly, 36 per cent of the MAG membership has come from the WEOG group, highlighting both deficiencies in the nomination/selection
process as well as the need for capacity building in this most important area. The Digital Solidarity Fund failed for a variety of reason, which we have analysed in a separate document annexed to this response.

What are the challenges to the implementation of WSIS outcomes?

Some of the key areas that need attention going forward and need to be addressed include:

Access to Infrastructure

Developing policies aimed at promoting innovation and increasing affordable access to hardware and software, and curbing the ill effects of the currentlyexcessive patent and copyright regimes.

Focussing global energies on solutions to lastmile access to the Internet in a manner that is not decoupled from developmental ground realities.
This would include policies on spectrum sharing, freeing up underutilized spectrum, and increasing unlicensed spectrum.
This would also include governmental policies on increasing competition among Internet providers at the last mile as well as at the backbone (both nationally and internationally), as well as commitments for investments in basic infrastructure such as an openaccess national fibreoptic backbone where the private sector investment is not sufficient.
Developing policies that encourage local Internet and communications infrastructure in the form of Internet exchange points, data centres, community broadcasting.

Access to Knowledges

As the Washington Declaration on IP and the Public Interest5 points out, the enclosure of the public domain and knowledge commons through expansive “intellectual property” laws and policies has only gotten worse with digital technologies, leading to an unjust allocation of information goods, and continuing royalty outflows from the global South to a handful of developing countries. This is not sustainable, and urgent action is needed to achieve more democratic IP laws, and prevent developments such as extra judicial enforcement mechanisms such as digital restrictions management systems from being incorporated within Web standards.
Aggressive development of policies and adoption of best practices to ensure that persons with disabilities are not treated as secondgrade citizens, but are able to fully and equally participate in and benefit from the Information Society.
Despite the rise of video content on the Internet, much of that has been in parts of the world with already high literacy, and language and illiteracy continue to pose barriers to full usage of the Internet.
While the Tunis Agenda highlighted the need to address communities marginalized in Information Society discourse, including youth, older persons, women, indigenous peoples, people with disabilities, and remote and rural communities, but not much progress has been seen on this front.

Rights, Trust, and Governance

Ensuring effective and sustainable participation especially from developing countries and marginalised communities. Developing governance mechanisms that are accountable, transparent and provide checks against both unaccountable commercial interests as well as governments.
Building citizen trust through legitimate, accountable and transparent governance mechanisms.
Ensuring cooperation between states as security is influenced by global foreign policy, and is of principal importance to citizens and consumers, and an enabler of other rights.
As the Manila Principles on Intermediary Liability show, uninformed intermediary liability policies, blunt and heavy handed regulatory measures, failing to meet the principles of necessity and proportionality, and a lack of consistency across these policies has resulted in censorship and other human rights abuses by governments and private parties, limiting individuals’ rights to free expression and creating an environment of uncertainty that also impedes innovation online. In developing, adopting, and reviewing legislation, policies and practices that govern the liability of intermediaries, interoperable and harmonized regimes that can promote innovation while respecting users’ rights in line with the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights and the United Nations Guiding Principles on Business and Human Rights are needed and should be encouraged.
An important challenge before the Information Society is that of the rise of “quantified society”, where enormous amounts of data are generated constantly, leading to great possibilities and grave concerns regarding privacy and data protection.
Reducing tensions arising from the differences between cultural and digital nationalism including on issues such as data sovereignty, data localisation, unfair trade and the need to have open markets.
Currently, there is a lack of internationally recognized venues accessible to all stakeholders for not only discussing but also acting upon many of these issues.

What should be the priorities in seeking to achieve WSIS outcomes and progress towards the Information Society, taking into account emerging trends?
All the challenges mentioned above should be a priority in achieving WSIS outcomes and ensuring innovation to lead social and economic progress in society. Digital literacy, multilingualism and addressing privacy and user data related issues need urgent attention in the global agenda. Enabling increased citizen participation thus accounting for the diverse voices that make the Internet a unique medium should also be treated as priority. Renewing the IGF mandate and giving it teeth by adopting indicators for development and progress, periodic review and working towards tangible outcomes would be beneficial to achieving the goal of a connected information society.

What are general expectations from the WSIS + 10 High Level Meeting of the United Nations General Assembly?
We would expect the WSIS+10 High Level Meeting to endorse an outcome document that seeks to d evelop a comprehensive policy framework addressing the challenges highlighted above . It would also be beneficial, if the outcome document could identify further steps to assess development made so far, and actions for overcoming the identified challenges. Importantly, this should not only be aimed at governments, but at all stakeholders. This would be useful as a future road map for regulation and would also allow us to understand the impact of Internet on society.

What shape should the outcome document take?
The outcome document should be a resolution of the UN General Assembly, with high level policy statements and adopted agreements to work towards identified indicators. It should stress the urgency of reforms needed for ICT governance that is democratic, respectful of human rights and social justice and promotes participatory policymaking. The language should promote the use of technologies and institutional architectures of governance that ensure users’ rights over data and information and recognize the need to restrict abusive use of technologies including those used for mass surveillance. Further, the outcome document should underscore the relevance of the Universal Declaration of Human Rights, including civil, political, social, economic, and cultural rights, in the Information Society.

The outcome document should also acknowledge that certain issues such as security, ensuring transnational rights, taxation, and other such cross jurisdictional issues may need greater international cooperation and should include concrete steps on how to proceed on these issues. The outcome document should acknowledge the limited progress made through outcome-less multi-stakeholder governance processes such as the Internet Governance Forum, which favour status quoism, and seek to enable the IGF to be more bold in achieving its original goals, which are still relevant. It should be frank in its acknowledgement of the lack of consensus on issues such as “enhanced cooperation” and the “respective roles” of stakeholders in multi-stakeholder processes, as brushing these difficulties under the carpet won’t help in magically building consensus. Further, the outcome document should recognize that there are varied approaches to multi-stakeholder governance.

For more details visit https://cis-india.org/internet-governance/blog/cis-submission-to-unga-wsis-review

CIS Submission to the UN Special Rapporteur on Freedom of Speech and Expression: Surveillance Industry and Human Rights

2019-02-20T10:48:24Z

CIS responded to the call for submissions from the UN Special Rapporteur on Freedom of Speech and Expression. The submission was on the Surveillance Industry and Human Rights.

CIS is grateful for the opportunity to submit the United Nations (UN) Special Rapporteur on call for submissions on the surveillance industry and human rights.1 Over the last decade, CIS has worked extensively on research around state and private surveillance around the world. In this response, individuals working at CIS wish to highlight these programs, with a special focus on India.

The response can be accessed here.

For more details visit https://cis-india.org/internet-governance/blog/cis-submission-to-the-un-special-rapporteur-on-freedom-of-speech-and-expression-surveillance-industry-and-human-rights

Centre for Internet and Society

Civil Liberties and the amended Information Technology Act, 2000

Citizens’ Draft Privacy Bill Seeks To Revolutionise Data Collection, Storage In India

Citizen Activism the Past Decade

Topics that contributors can explore:

CIS_BD4D_Guideline04_PT+PB_BigDataAIEthicsReview_ExtendedNotes PDF

CIS@IGF 2014

Workshops and Panel Discussions

Other Participation

CIS’ Comments to the (Draft) Indian Telecommunication Bill 2022

Preliminary

Summary of Recommendations

Detailed Response

Preamble

Chapter 1: Short Title, Extent and Commencement

Chapter 2: Definitions

Chapter 3: Licensing, Registration, Authorization and Assignment

Clause 5. Spectrum Management

Clause 7. Breach of Terms and Conditions

Chapter 4: Right of Way for Telecommunication Infrastructure

Chapter 5. Restructuring, Defaults in Payment and Insolvency

Chapter 6: Standards, Public Safety and National Security

Chapter 7: Telecommunication Development Fund

Chapter 9: Protection of users

Chapter 10: Miscellaneous

Additional Comments

CIS-ITfC-e-Shram-issue-brief-Dec-21 pdf

CIS's Comments on the Draft Geospatial Information Regulation Bill, 2016

Comments on the Draft Geospatial Information Regulation Bill, 2016

1. Preliminary

2. Centre for Internet and Society

3. Comments

3.1. General Remarks

3.2. Definition of “Geospatial Information” is over-broad, all- encompassing

3.3. Unreasonable regulation of acquiring and end-use of geospatial information

3.4. Removal of journalistic, political, artistic, creative, and speculative depictions of India from the scope of Section 6

3.5. Absence of Publicly Available and Openly Reusable Standardised National Boundary of India

3.6. Remove Requirement for Prior License for Acquire, Dissemination, Publication, or Distribution of Geospatial Information

3.7. Unenforceable jurisdictional scope

3.8. Negative implications for rights of citizens

3.9. Overly broad powers and responsibilities of the Apex Committee and Enforcement Authority, and lack of adequate oversight

3.10. Remove the Security Vetting Authority’s power of delegation

3.11. Negative implications for innovation and India’s digital economy

3.12. Disproportionate penalty for acquisition of geospatial information

3.13. Improper and inconsistent usage of terms in the draft bill

3.14. Lack of reference to technical implementation guidance

CIS' General Comments to the PDP Bill 2019

CIS Welcomes 52nd Report on Cyber Crime, Cyber Security, and Right to Privacy

Conclusion

CIS Supports the UN Resolution on “The Right to Privacy in the Digital age”.

CIS Submission to TRAI Consultation on Proliferation of Broadband through Public Wi­Fi Networks

Preliminary Comments

Q1. Are there any regulatory issues, licensing restrictions or other factors that are hampering the growth of public Wi-Fi services in the country?

Q2. What regulatory/licensing or policy measures are required to encourage the deployment of commercial models for ubiquitous city-wide Wi-Fi networks as well as expansion of Wi-Fi networks in remote or rural areas?

Q3. What measures are required to encourage interoperability between the Wi-Fi networks of different service providers, both within the country and internationally?

Q4. What measures are required to encourage interoperability between cellular and Wi-Fi networks?

Q5. Apart from frequency bands already recommended by TRAI to DoT, are there additional bands which need to be de-licensed in order to expedite the penetration of broadband using Wi-Fi technology? Please provide international examples, if any, in support of your answer.

Q6. Are there any challenges being faced in the login/authentication procedure for access to Wi-Fi hotspots? In what ways can the process be simplified to provide frictionless access to public Wi-Fi hotspots, for domestic users as well as foreign tourists?

Q7. Are there any challenges being faced in making payments for access to Wi-Fi hotspots? Please elaborate and suggest a payment arrangement which will offer frictionless and secured payment for the access of Wi-Fi services.

Q9. Is there a need for ISPs/ the proposed hub operator to adopt the Unified Payment Interface (UPI) or other similar payment platforms for easy subscription of Wi-Fi access? Who should own and control such payment platforms? Please give full details in support of your answer.

Q10. Is it feasible to have an architecture wherein a common grid can be created through which any small entity can become a data service provider and able to share its available data to any consumer or user?

Q11. What regulatory/licensing measures are required to develop such architecture? Is this a right time to allow such reselling of data to ensure affordable data tariff to public, ensure ubiquitous presence of Wi-Fi Network and allow innovation in the market?

Q12. What measures are required to promote hosting of data of community interest at local level to reduce cost of data to the consumers?

Q13. Any other issue related to the matter of Consultation.

CIS Submission to TRAI Consultation Note on Model for Nation-wide Interoperable and Scalable Public Wi-Fi Networks

1. Preliminary

2. General Responses

3. Specific Responses

Q1. Is the architecture suggested in the consultation note for creating unified authentication and payment infrastructure will enable nationwide standard for authentication and payment interoperability?

Q2. Would you like to suggest any alternate model?

Q3. Can Public Wi-Fi access providers resell capacity and bandwidth to retail users? Is “light touch regulation” using methods such as “registration” instead of “licensing” preferred for them?

Q4. What should be the regulatory guidelines on “unbundling” Wi-Fi at access and backhaul level?

Q5. Whether reselling of bandwidth should be allowed to venue owners such as shop keepers through Wi-Fi at premise? In such a scenario please suggest the mechanism for security compliance.

Q6. What should be the guidelines regarding sharing of costs and revenue across all entities in the public Wi-Fi value chain? Is regulatory intervention required or it should be left to forbearance and individual contracting?

Endnotes

CIS submission to the UNGA WSIS+10 Review

CIS Submission to the UN Special Rapporteur on Freedom of Speech and Expression: Surveillance Industry and Human Rights

CIS Submission to TRAI Consultation on Proliferation of Broadband through Public WiFi Networks