Centre for Internet and Society

Digital Markets and India: Demystifying the Draft DCB

Abhineet Nayyar and Isha Suri (in alphabetical order) — 2024-04-15T06:15:21Z

This document summarises the proceedings of the Roundtable on the draft Digital Competition Bill (DCB) [hereinafter referred to as ‘the Roundtable’]. The Roundtable was conducted online on April 1, 2024, and included representation from academia, law, civil society, and policy organisations. The primary objective of the Roundtable was to discuss the recent report published by the Committee on Digital Competition Law (CDCL) in March 2024 along with the draft of the DCB.

The event was organized by Abhineet Nayyar and Isha Suri.

The Roundtable began with a brief presentation by Abhineet Nayyar (Centre for Internet and Society - CIS) providing an overview of the various important themes identified by CIS during the course of their research. This introduction was followed by Roundtable discussions moderated by Isha Suri (CIS), focusing on important areas identified by CIS for the course of this discussion.

This summary seeks to crystallise the learnings that emanated from this Roundtable to inform the discourse and contribute to the ongoing public consultation for the draft DCB, due by April 15, 2024.

I. Ex-ante or ex-post

The initial parts of the discussion focused on the shift from a largely ex-post model to an ex-ante model to competition regulation in India. It was briefly summarised during the discussion that while the extant Competition Act of 2002 relied on ex-post methods to recognise anti-competitive practices, the proposed DCB adopts an ex-ante approach similar to what has been adopted or is being deliberated in other jurisdictions. Few participants highlighted the benefits and costs of switching from the former to the latter and highlighted specific learnings for digital markets in India, while some were sceptical of this shift towards an ex-ante model, given its potentially detrimental impact on MSMEs and lack of enforcement capacity in India.

The discussion began with the participants highlighting the gaps in the extant ex-post regulatory framework, including delayed enforcement and disposal of appeals, and its under-reliance on private enforcement techniques that increase the ecosystem’s dependence on CCI as a central node. Simultaneously, however, several participants also warned against potential issues in the ex-ante approach proposed under the draft DCB. While some of these concerns related to the general ineffectiveness of ex-ante regulations – as highlighted, for example, in data protection and broadcasting – many participants deliberated on specific sections of the draft DCB. It was also pointed out that telecom regulation does have ex-ante provisions to address competition concerns within the sector. One participant, for instance, highlighted the proposed bill’s wide scope and the risk it poses for an under-resourced regulatory regime.

Overall, the group emphasised the need to carefully consider the particulars of the ex-ante approach proposed under the draft DCB. While there was a broader consensus that this approach may address some issues with digital markets particularly, the discussion brought to the fore many concerns with how this approach is currently being articulated. In addition to the bill’s wide scope, the Roundtable also discussed the necessity for an impact assessment study to understand its effects better. Other concerns regarding the proposed threshold values and the draft DCB’s focus on ‘contestable’ markets were also tabled during the discussion.

II. Building Regulatory Capacity

The participants discussed existing regulatory capacity in light of the proposed ex-ante approach under the draft DCB. Several participants highlighted factors that currently inhibit CCI’s capacity, the foremost of them being the Commission’s reliance on enforcement by bureaucrats with time-bound deputations affecting continuity and sustained capacity. In the absence of professional capacity, particularly in digital markets, the wide scope proposed by the draft DCB is only likely to further test CCI’s ability to deliver on its mandate. Moreover, in discussing how to build CCI’s professional capacity, a participant also highlighted the risk of regulatory capture by the private sector if one were to follow a ‘revolving door’ approach.

Participants then delved into potential solutions for CCI’s constrained capacity. In addition to staffing the Commission with subject matter experts, a participant also stated that given the political economy, it may be prudent to design the regulatory ecosystem to work around the problem of legacy issues of lack of professional capacity and independence. The participants also briefly discussed the role of impact assessment in resolving this problem, specifically by including the effect of the draft DCB on CCI’s already strained capacity.

III. Proposed Threshold Values

Deliberations began with the rationale for the Threshold Values (TVs) proposed by the draft DCB. Several participants shared their reservations about the bill’s reliance on international standards, especially for metrics such as market capitalisation and global turnover. Some also identified certain areas where the proposed bill seeks to identify TVs that are more relevant to the Indian market. For example, a participant highlighted that the draft DCB, in Section 3(4) chooses to identify and calculate business users and end users for each of the core digital services separately.

In addition to discussing the rationale behind TVs, many participants also suggested avenues for potential improvement. For instance, one of the participants recommended the identification of threshold values for each of the core digital services, as opposed to the current service-agnostic thresholds. It was posited that the expedited timeline of three months may have constrained the committee from recommending nuanced thresholds suited for Indian contexts since that would require market studies or commissioned (independent) research for evidence gathering and analysis.

Some participants were optimistic that the currently open consultation process may leave room for further negotiation on the prescribed TVs. This includes, among other things, identifying more representative calculation methods for arriving at appropriate values and incorporating global best practices.

IV. Remedies and Penalties

The participants sought to ascertain the effectiveness of penalties in the form of fines as a tool for deterring abusive conduct by dominant entities in general, and digital behemoths, more specifically. On one hand, some participants highlighted the lack of evidence to support the assumption that currently imposed fines deter such abuse in the market. For instance, one of the participants referred to a recent incident where the Dutch competition regulator imposed a €5 million fine for every week Apple failed to comply with an antitrust decision by the regulator. In the end, Apple had accumulated fines worth €50 million, instead of allowing dating app providers to use alternative modes of payment, ostensibly indicating how companies perceive penalties as yet another operating cost.^{^[1]}

On the other hand, a few participants also underlined the need to look at ‘penalties’ as a part of a larger toolkit and not as a standalone deterrent. In this context, the draft DCB’s focus on settlements and commitments, and criminal penalisation were also highlighted by some attendees; while others pointed out the need for an institutional redesign – for example, by reviewing the current appellate process, or by potentially reintroducing the Competition Appellate Tribunal (COMPAT).

Additionally, the question of penalties led to a discussion on the calculation of the quantum of fines and the process followed therein. Stressing the need for more elaborate penalisation guidelines, one participant questioned CDCL’s choice of capping penalties at 10% of the enterprise’s global turnover, especially for industries that have comparatively higher profit margins. It was also pointed out that there is no empirical evidence suggesting the efficacy of the 10% cap, as a sufficient amount.

The discussion also briefly delved into the issue of structural remedies as a tool for correcting harms in digital markets, given the presence of strong network effects and winner-take-all outcomes. Even though there was not a deep dive into the issue of structural remedies, per se, a participant indicated that certain obligations under the DCB, such as the one on tying and bundling comprise a form of structural reform.

V. Digital Mergers and Acquisitions

Unlike the Competition Act 2002, the draft DCB explicitly excludes combination review from its scope, instead relying on the 2023 amendment to the Act. It was pointed out during the discussion that recent amendments in the merger review process such as the inclusion of deal value thresholds should check anticompetitive mergers. However, as highlighted by a few participants during the Roundtable – even though the amendment would potentially enable CCI to investigate digital M&As, the Commission would still have to rely on theories of harm established under the extant Act, which largely examines price-based effects of mergers. For instance, one participant highlighted the role of price-based assessments informing CCI’s working in many merger review cases and pointed out the limitations of these assessments in examining combinations in the digital market.

On the other hand, many obligations identified and elaborated under the proposed DCB are, in fact, better suited to support CCI’s regulation of such digital M&As. Another participant pointed out that while sections 3 and 4 of the extant Act can still, theoretically, allow CCI to borrow from the draft bill, the proposed regulatory landscape does not ensure this synergy between the two pieces of legislation.

VI. Gaps in the Consultation Process

Finally, the discussion highlighted the consultation process adopted by the CDCL during the drafting of this bill. While there was a general agreement that the process was not very representative, different participants brought up diverse perspectives. One participant, for instance, underlined the importance of including MSMEs in the drafting process, given their deep reliance on digital tools and technologies. Other attendees also echoed this viewpoint, highlighting that although the CDCL incorporated inputs from BigTech companies and industry associations, the perspectives of consumers, technology experts, and platform workers were missing from the list of stakeholders consulted during the process.

There was cautious optimism in the room that subsequent drafts of the Bill might address some of these concerns by including a diverse set of stakeholders and incorporating a bottom-up consultative process.

^{^[1]} https://www.reuters.com/technology/dutch-regulator-rejects-apples-objections-against-fines-2023-10-02/

To download the PDF, click here and the Presentation here

This report has been authored by (Abhineet Nayyar and Isha Suri)

For more details visit https://cis-india.org/raw/digital-markets-and-india-demystifying-the-draft-dcb

Notes for India as the digital trade juggernaut rolls on

basu — 2022-02-09T15:04:36Z

Sitting out trade negotiations could result in the country losing out on opportunities to shape the rules.

The article by Arindrajit Basu was published in the Hindu on February 8, 2022

Despite the cancellation of the Twelfth Ministerial Conference (MC12) of the World Trade Organization (WTO) late last year (scheduled date, November 30, 2021-December 3, 2021) due to COVID-19, digital trade negotiations continue their ambitious march forward. On December 14, Australia, Japan, and Singapore, co-convenors of the plurilateral Joint Statement Initiative (JSI) on e-commerce, welcomed the ‘substantial progress’ made at the talks over the past three years and stated that they expected a convergence on more issues by the end of 2022.

Holding out

But therein lies the rub: even though JSI members account for over 90% of global trade, and the initiative welcomes newer entrants, over half of WTO members (largely from the developing world) continue to opt out of these negotiations. They fear being arm-twisted into accepting global rules that could etiolate domestic policymaking and economic growth. India and South Africa have led the resistance and been the JSI’s most vocal critics. India has thus far resisted pressures from the developed world to jump onto the JSI bandwagon, largely through coherent legal argumentation against the JSI and a long-term developmental vision. Yet, given the increasingly fragmented global trading landscape and the rising importance of the global digital economy, can India tailor its engagement with the WTO to better accommodate its economic and geopolitical interests?

Global rules on digital trade

The WTO emerged in a largely analogue world in 1994. It was only at the Second Ministerial Conference (1998) that members agreed on core rules for e-commerce regulation. A temporary moratorium was imposed on customs duties relating to the electronic transmission of goods and services. This moratorium has been renewed continuously, to consistent opposition from India and South Africa. They argue that the moratorium imposes significant costs on developing countries as they are unable to benefit from the revenue customs duties would bring.

The members also agreed to set up a work programme on e-commerce across four issue areas at the General Council: goods, services, intellectual property, and development. Frustrated by a lack of progress in the two decades that followed, 70 members brokered the JSI in December 2017 to initiate exploratory work on the trade-related aspects of e-commerce. Several countries, including developing countries, signed up in 2019 despite holding contrary views to most JSI members on key issues. Surprise entrants, China and Indonesia, argued that they sought to shape the rules from within the initiative rather than sitting on the sidelines.

India and South Africa have rightly pointed out that the JSI contravenes the WTO’s consensus-based framework, where every member has a voice and vote regardless of economic standing. Unlike the General Council Work Programme, which India and South Africa have attempted to revitalise in the past year, the JSI does not include all WTO members. For the process to be legally valid, the initiative must either build consensus or negotiate a plurilateral agreement outside the aegis of the WTO.

India and South Africa’s positioning strikes a chord at the heart of the global trading regime: how to balance the sovereign right of states to shape domestic policy with international obligations that would enable them to reap the benefits of a global trading system.

A contested regime

There are several issues upon which the developed and developing worlds disagree. One such issue concerns international rules relating to the free flow of data across borders. Several countries, both within and outside the JSI, have imposed data localisation mandates that compel corporations to store and process data within territorial borders. This is a key policy priority for India. Several payment card companies, including Mastercard and American Express, were prohibited from issuing new cards for failure to comply with a 2018 financial data localisation directive from the Reserve Bank of India. The Joint Parliamentary Committee (JPC) on data protection has recommended stringent localisation measures for sensitive personal data and critical personal data in India’s data protection legislation. However, for nations and industries in the developed world looking to access new digital markets, these restrictions impose unnecessary compliance costs, thus arguably hampering innovation and supposedly amounting to unfair protectionism.

There is a similar disagreement regarding domestic laws that mandate the disclosure of source codes. Developed countries believe that this hampers innovation, whereas developing countries believe it is essential for algorithmic transparency and fairness — which was another key recommendation of the JPC report in December 2021.

India’s choices

India’s global position is reinforced through narrative building by political and industrial leaders alike. Data sovereignty is championed as a means of resisting ‘data colonialism’, the exploitative economic practices and intensive lobbying of Silicon Valley companies. Policymaking for India’s digital economy is at a critical juncture. Surveillance reform, personal data protection, algorithmic governance, and non-personal data regulation must be galvanised through evidenced insights,and work for individuals, communities, and aspiring local businesses — not just established larger players.

Hastily signing trading obligations could reduce the space available to frame appropriate policy. But sitting out trade negotiations will mean that the digital trade juggernaut will continue unchecked, through mega-regional trading agreements such as the Regional Comprehensive Economic Partnership (RCEP) and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP). India could risk becoming an unwitting standard-taker in an already fragmented trading regime and lose out on opportunities to shape these rules instead.

Alternatives exist; negotiations need not mean compromise. For example, exceptions to digital trade rules, such as ‘legitimate public policy objective’ or ‘essential security interests’, could be negotiated to preserve policymaking where needed while still acquiescing to the larger agreement. Further, any outcome need not be an all-or-nothing arrangement. Taking a cue from the Digital Economy Partnership Agreement (DEPA) between Singapore, Chile, and New Zealand, India can push for a framework where countries can pick and choose modules with which they wish to comply. These combinations can be amassed incrementally as emerging economies such as India work through domestic regulations.

Despite its failings, the WTO plays a critical role in global governance and is vital to India’s strategic interests. Negotiating without surrendering domestic policy-making holds the key to India’s digital future.

Arindrajit Basu is Research Lead at the Centre for Internet and Society, India. The views expressed are personal. The author would like to thank The Clean Copy for edits on a draft of this article.

For more details visit https://cis-india.org/internet-governance/blog/the-hindu-arindrajit-basu-february-8-2022-notes-for-india-as-the-digital-trade-juggernaut-rolls-on

Media Market Risk Ratings: India

Torsha Sarkar, Pranav M Bidare, and Gurshabad Grover — 2022-01-25T13:29:06Z

The Centre for Internet and Society (CIS) and the Global Disinformation Index (GDI) are launching a study into the risk of disinformation on digital news platforms in India, creating an index that is intended to serve donors and brands with a neutral assessment of news sites that they can utilise to defund disinformation.

Introduction

The harms of disinformation are proliferating around the globe—threatening our elections, our health, and our shared sense of facts.

The infodemic laid bare by COVID-19 conspiracy theories clearly shows that disinformation costs peoples’ lives. Websites masquerading as news outlets are driving and profiting financially from the situation.

The goal of the Global Disinformation Index (GDI) is to cut off the revenue streams that incentivise and sustain the spread of disinformation. Using both artificial and human intelligence, the GDI has created an assessment framework to rate the disinformation risk of news domains.

The GDI risk rating provides advertisers, ad tech companies and platforms with greater information about a range of disinformation flags related to a site’s content (i.e. reliability of content), operations (i.e. operational and editorial integrity) and context (i.e. perceptions of brand trust). The findings in this report are based on the human review of these three pillars: Content, Operations, and Context.

A site’s disinformation risk level is based on that site’s aggregated score across all of the reviewed pillars and indicators. A site’s overall score ranges from zero (maximum risk level) to 100 (minimum risk level). Each indicator that is included in the framework is scored from zero to 100. The output of the index is therefore the site’s overall disinformation risk level, rather than the truthfulness or journalistic quality of the site.

Key Findings

In reviewing the media landscape for India, the assessment found that:

Nearly a third of the sites in our sample had a high risk of disinforming their online users.

Eighteen sites were found to have a high disinformation risk rating. This group includes sites that are published in all the three languages in our scope: English, Hindi and Bengali.
Around half of the websites in our sample had a ‘medium’ risk rating. No site performed exceptionally on all fronts, resulting in no sites having a minimum risk rating. On the other hand, no site performed so poorly as to earn a maximum risk rating.

Only a limited number of Indian sites present low levels of disinformation risks.

No website was rated as having a ‘minimum’ disinformation risk.
Eight sites were rated with a ‘low’ level of disinformation risk. Seven out of these websites served content primarily in English, one in Hindi.

The media sites assessed in India tend to perform very poorly on publishing transparent operational checks and balances.

Over one-third of the sites in our sample published little information about their ownership structure, and also failed to be transparent about their revenue sources.
Only ten of the sites in our sample publish any information about their policies on how they correct errors in their reporting.

Association with traditional media did not play a significant factor in determining risk of disinformation.

On average, websites associated with TV or print did not perform any differently when compared to websites that solely serve digital content.

The findings show that on the whole, Indian websites can substantially increase their trustworthiness by taking measures to address these shortfalls in their operational checks and balances. For example, they could increase transparency on the structure of their businesses and have clear policies on how they address errors in their reporting. Both of these measures are in line with universal standards of good journalistic practices, as agreed by the Journalism Trust Initiative.

Click to download the full report here. To read the report in Hindi, click here. The authors extend their thanks to Anna Liz Thomas, Sanah Javed, Sagnik Chatterjee, and Raghav Ahooja for their assistance.

For more details visit https://cis-india.org/internet-governance/blog/gdi-and-cis-torsha-sarkar-pranav-m-bidare-and-gurshabad-grover-july-12-2021-media-market-risk-ratings-india

NIPFP Seminar on Exploring Policy Issues in the Digital Technology Arena

Admin — 2019-10-20T07:40:16Z

Anubha Sinha participated in this seminar as a discussant on the "Regulating emerging technologies" panel. The event was held at Indian Institute of Advanced Study, Shimla on October 10 - 11, 2019.

Click to view the agenda here. The session briefs can be seen here.

For more details visit https://cis-india.org/internet-governance/news/nipfp-seminar-on-exploring-policy-issues-in-the-digital-technology-arena

Digital Native: Getting through an election made for the social media gaze

nishant — 2019-04-28T04:12:45Z

In the poll season, social media platforms thrive on wounded outrage disguised as politics.

The article by Nishant Shah was published in Indian Express on April 21, 2019.

There is palpable excitement as the most populous democracy in the world goes out to vote. Last election, which saw the saffron sweep, we realised the role of social media platforms in electoral politics. From the controversial selfie by the aspiring Prime Minister flaunting the lotus symbol, that was reported as violating the advertisement rules set by the Election Commission, to the mass mobilisation of ideology-based voters, orchestrated by automated bots and the hashtag brigades of #acchedin, there was no denying that digital strategies are going to form the backend of a robust political campaign.

In a country of hypervisible lynch mobs staged via WhatsApp, polarised hatred exacerbated by armies of trolls, and the fluency with which hate speech has been normalised on the tweetosphere, social media and digital apps are front and centre in this election. People are coming out of voting booths and, even before the exit pollsters catch them, they are making Snapchat videos and “I voted” selfies, clearly identifying the parties they support. The verified social media accounts of leading political parties are doubling down on their poll promises of a communal purge of “infiltrators”, divine curses for the heretic who doesn’t vote for the “party of gods”, and threats of profiling if a community voted for the correct party and subsequent dire consequences. The door-to-door campaigning of the past has obviously been replaced by the tweet-to-tweet mixture of threats, cajoling, and blood lust that seems to set the tone for our current political climate.

At the same time, the manifestos of the two leading coalitions, as well as the affidavits of the people running for office, are under deep public scrutiny. The BJP, in a Freudian blooper, announced itself as working for violence on women, incurring the sarcastic wrath of Twitter. One minister, who has been running through various cabinet positions, including education, was called to task to explain her wide repertoire of unverified degrees that change every voting season. Complaints against suspicious Electronic Voting Machines (EVMs) have made themselves heard loudly on social-media discussion forums. And lately, the YouTube videos of people allegedly showing the easy removal of the indelible ink from the voting fingers, exploded into public view, jeopardising the integrity of the one-person-one-vote paradigm.

Social media, it would seem, is everywhere. And its ubiquity is ensuring that all stakeholders of the electoral process are performing for the social media gaze. Our leaders are talking in tweet-sized morsels, hoping to get their last messages in. The organisers of the massive process have taken to debunking false claims, providing verified information, and guiding people to their voting processes. The voters are not only wearing their party colours, but also canvassing for their favourite leaders, either through proclamations of patriotism or through emotional messages of voting against hate and discrimination. Voting groups are scrutinising and discussing the party manifestos and also the unexpected alliances coming into being in the quest of reaching the majority mark.

For more details visit https://cis-india.org/raw/indian-express-april-21-2019-nishant-shah-getting-through-an-election-made-for-social-media-gaze

Digital native: Free speech? You must be joking!

nishant — 2017-06-08T01:16:01Z

India’s digital landscape is dotted with vigilante voices that drown out people’s right to free speech.

The article was published in the Indian Express on May 14, 2017.

Freedom of speech and expression has always been a tricky issue. While all of us are generally in favour of defending our rights to speak what is in our hearts, we are not equally thrilled about the speech of others that we might not enjoy. While we know that free speech and expression are not absolute — there are blurred lines of things that are offensive, might cause harm, and are directed with malice at different individuals or collectives — we also generally accept that this is a freedom that marks the maturity and sustainability of a stable democratic system.

Thus, even when confronted with speech and expression that might be undesirable: a political view that contradicts ours, an expression of blasphemy or profanity, a voice of dissent that questions the status quo, or an unsavoury information tidbit that mocks at somebody we admire, we generally take it in good stride, and learn to deal and engage with these actions. We do this, because we know that trying to curtail somebody else’s rights to free speech, would eventually restrict our own capacity for it, thus reducing the scope of an engaged and critical society. Especially in countries like India, where everybody has an opinion, where people offer critiques over chai and join heated debates over paan, there’s no denying that we are fond of our rights and capacity to speak
our minds.

However, within Digital India, these things seem to be changing fast. Every day we wake up to the cacophonous clamour of social media to realise that increasingly we are becoming an intolerant society filled with vigilantes bent on stopping people from saying things that we might just not like. In the ongoing saga of shrinking spaces of free speech, we now add the shameful incident at the Embassy of Sweden in India. On May 8, following mass populist trolling and complaints from the Twitteratti, the Embassy disinvited two women print and TV journalists — Swati Chaturvedi and Barkha Dutt — and cancelled their event, ironically, in the honour of World Press Freedom, on the topic of women’s participation in the online public space, to talk about trolls.

I shall wait here for the bitter irony to sink in: two of the strongest women voices in Indian public media, were disinvited to speak from an event where they were to talk about their experience of being trolled, harassed, bullied and intimidated in the newly emerging digital media landscape. Instead of giving them a voice, sharing their experiences, and engaging with their stories, the hypermasculine army of right wing vigilantes who object to these women’s history of critique of the current government and its leaders, decided to show their Twitter might, and celebrated as they succeeded in putting one more nail in the coffin of free and fearless speech in the country.

Some Twitter users went ahead and tagged their favourite leaders — @Narendramodi and @manekagandhibjp. They demanded, using their freedom of voice, to stop others from speaking. Social media networks have often been celebrated as alternative spaces where new, and unexpected voices can express their opinions without the fear of physical retribution or penalisation. While this has been consistently proven wrong by government authorities who have regularly policed, penalised and punished voices of dissent or disfavour, that at least is something we can notice, challenge and contest through legal redressal. However, with this new mob justice where the volume of voices engineered to amplify their disapproval, coupled with threats of violence and economic downfall (the users this time threatened to make a list of Swedish products and boycott them) is a recurring and disturbingly new phenomenon.

Crowds have always had the power to demand and leverage change of their liking. However, on social media, this can take up more sinister forms, because a handful of people through Twitter bots and chat scripts can create the illusion of a hugely amplified voice that can then be used to threaten and restrict the scope of free speech. The mass bullying effect needs a strong counterpoint in the form of better internet governance policies and regulations that nurture safe spaces for the tinier voices to be heard.

At the same time, however, the stifling attempts require another strategy — the need to speak up against such acts of intimidation and silencing, not only from the regular people on the web, but from the officials and leaders who have sworn to protect our constitutional rights. And this is, perhaps, where our leaders are failing us. Because, in an age of hypervisibility, where every step they take is a selfie moment, where every move they make makes it to the headlines, and they take pride in documenting their life in exceedingly boring detail, it creates a deafening silence when the leaders remain mute to the slow dissipation of the rights to free speech and expression by the angry mobs of networked digitality.

For more details visit https://cis-india.org/raw/indian-express-nishant-shah-may-14-2017-digital-native-free-speech-you-must-be-joking

Amutha Arunachalam - Stand Shielded of Digital Rights (Delhi, May 05, 4 pm)

sumandro — 2017-05-03T13:30:32Z

We are proud to announce that Amutha Arunachalam will be the speaker at the May #FirstFriday event at the CIS Delhi office. Amutha is Principal Technical Officer in the Council Of Scientific and Industrial Research. The talk will be on digital signatures, traceability of time-stamps, and setting up an Indian Standard (Digital) Time. If you are joining us, please RSVP at the soonest as we have only limited space in our office.

Amutha Arunachalam

Principal Technical Officer, Council of Scientific and Industrial Research

Amutha Arunachalam entered the Indian Government service as an Intelligence Officer in Ministry of Home Affairs in 1988 after working at the Indian Institute of Technology Madras in Fibre Optic communication Laboratory. She later moved to the Council of Scientific and Industrial Research in the field of Information Technology. She managed the IT infrastructure of the CSIR lab (Central Road Research Institute) till 2006 and moved to CSIR Head Quarters and contributed in the ICT refurbishment drive, mainly in the IT with a major contribution in establishing DATA Centre, implementing network security, linking CSIR HQ to the National Knowledge Network facility extended by National Information Centre(NIC) before joining UIDAI.

In UIDAI (National Identity Project) she managed the Data Center operations that includes critical CIDR (Central Identification Repository) and was responsible for setting up Infrastructure to roll out Disaster recovery centre, Aadhaar Enrolment Service, Benchmarking of UIDAI Enrolment , Authentication Applications and setting up of Backend infrastructure of the Authentication Service for Roll out to citizens. After the five year Deputation at UIDAI (Feb 2016), she is currently posted in the Council of Scientific and Industrial Research working in the Area of Policy in Cyber Security for CSIR, Enhancing Research with collaborative, networking and Building unified CSIR Ecosystem with Enterprise platform.

RSVP

Location

For more details visit https://cis-india.org/internet-governance/events/firstfridayatcis-amutha-arunachalam-stand-shielded-of-digital-rights-may-05

Regulating Bitcoin in India

vipul — 2017-04-20T13:17:37Z

The article discusses the possible contours of future bitcoin regulation in India. Bitcoin, often considered a ‘notorious’ virtual currency limited only to techies or speculators, is currently fighting a battle to become a bona fide mainstream means of exchange.

While most currencies in the real world have the backing of a central authority of some kind (such as a sovereign or a Central Bank) infusing them with an air of legitimacy, Bitcoin has no such central authority which issues or controls it. Additionally, the distributed and decentralised nature of the Bitcoin network makes regulation a tricky issue. This article seeks to touch upon the issue of Bitcoin regulation and makes certain broad suggestions for the future. It is a follow-up to a previous article by this author discussing the legal treatment of Bitcoin under Indian law, available at http://cis-india.org/internet-governance/bitcoin-legal-regulation-india.

The Reserve Bank of India (RBI) has not exactly been shy in recognising and even regulating technological advances in the financial sector as is evident from their detailed guidelines on Internet Banking,[1] Prepaid Payment Instruments[2] Account Aggregator Regulations,[3] and the consultation paper on proposed regulations for P2P lending platforms,[4] etc. However, though the RBI has acknowledged the existence of Bitcoin (it issued a note cautioning the public against dealing in virtual currencies including Bitcoin way back in 2013[5] and again in 2017[6]), there have been no clear guidelines regarding the same. Nevertheless, Bitcoin has come a long way since its inception and a consensus is emerging amongst the more technically inclined individuals that Bitcoin is infact here to stay.

Even if a sceptical view is taken that Bitcoin may not last for a long time, that does not mean that regulation is useless as there is already a large amount of money invested in Bitcoin entities in India and Bitcoin exchanges seem to be betting big on this sector really taking off - especially in the backdrop of the government’s recent push towards a more digital and less cash dependent economy.

While the Indian government is trying to hard sell the idea of digital payments, primarily using existing banking channels as well as the relatively new National Payments Corporation of India (NPCI) and the various applications that are cropping up around the NPCI’s UPI platform, one must note that going digital could involve high administrative costs. These costs are typically charged by banks and intermediary merchants, and may not be palatable to all stakeholders, as was evident in the recent fracas between petrol pump owners and banks over proposed transactional charges on card payments.[7]

It is this vacuum that alternatives such as prepaid payment instruments and virtual currencies can fill while addressing the concern of high administrative charges, which is likely to be a major hurdle in going digital. Administrative charges for most of these instruments are significantly lower than what existing payment channels charge for digital transactions.[8]

Legality of Bitcoin and the need for Regulation

Bitcoin technology is being widely embraced all over the world, including neighbouring China which has become one of the biggest markets for the uniquely decentralised currency. However the biggest hurdle that Bitcoin enthusiasts see in mainstreaming this technology is the fact that most countries are treading too cautiously around Bitcoin and therefore do not have regulation governing them.

The creation and transfer of Bitcoin is based on an open source cryptographic protocol and is not managed by any central authority.[9] It is the decentralized nature of this virtual currency that makes regulation a major challenge. This does not mean that regulators are not capable of regulating Bitcoin, in fact attempts have been made in several jurisdictions but these are mostly in the discussion stage, for eg. the Washington Department of Financial Institutions (“DFI”) introduced a bill in December, 2016 which proposes amendments to certain portions of the Washington Uniform Money Services Act and includes provisions specific to digital currencies;[10] the U.S. District Court for the Southern District of New York has in a decision in September, 2016 taken the view that Bitcoin is money under the plain meaning of Section 1960, the federal money transmission statute.[11]

This article does not intend to undertake a discussion on how Bitcoin is dealt with in various jurisdictions, but instead is aimed at suggesting a possible way forward for Indian regulators to regulate Bitcoin in a manner that satisfies the regulatory zeal towards security as well as ensures that the technology does not get stifled through overregulation. It is important that the regulators create a balanced regulation because an impractical ecosystem for Bitcoin exchanges and their users, may lead to traders seeking alternative methods of purchasing Bitcoin such as P2P trading, over-the-counter (OTC) markets and underground trading platforms, which are significantly more difficult to regulate.[12]

Suggestions for Regulation

Since Bitcoin is a decentralised cryptocurrency, it is impossible to regulate it through one single centralised point for all transactions. Neither is it feasible to regulate each and every Bitcoin user. A pragmatic compromise between these two extremes could be to regulate the points at which fiat currency or valuable goods enter the Bitcoin system, i.e. the Bitcoin exchanges where people may buy and sell Bitcoin for actual real world money, or websites which offer Bitcoin as a means of payment. Such an approach would reduce the number of points of supervision and lead to effective enforcement of the regulations. The regulations may require any entity providing services such as buying and selling of Bitcoin for actual money, trading in Bitcoin (such as non-cash exchanges) or providing other Bitcoin related services (such as Bitcoin wallets, merchant gateways, remittance facilities, etc.) to be registered with a central government agency, preferably the Reserve Bank of India.

One legal issue regarding the regulation of companies transacting in Bitcoin is whether the RBI has the authority or jurisdiction to regulate Bitcoin in the first place. Without getting into the arguments regarding whether it is a dangerous trend or not, an easy way in which the RBI could ensure it has the authority to regulate Bitcoin would be to follow the path that the RBI adopted while regulating Account Aggregators under the Non-Banking Financial Company - Account Aggregator (Reserve Bank) Directions, 2016 wherein the RBI declared Account Aggregators as Non Banking Finance Companies under section 45-I(f)(iii) thereby getting the authority to regulate and supervise them under section 45JA of the Reserve Bank of India Act, 1934.

The Regulations, once issued by the Reserve Bank of India, can prescribe mandatory registration, capital adequacy provisions, corporate governance conditions, minimum security protocols, Know Your Customer (KYC) requirements and most importantly provide for regular and ongoing reporting requirements as well as supervision of the Reserve Bank of India over the activities of Bitcoin companies.

Any proposed Bitcoin regulatory framework would seek to address certain issues; for the purposes of this article, we will assume that the following three issues are the ones that must necessarily be addressed by a regulatory framework:

Security of the consumer’s property and prevention of fraud on the consumer. In the technology sector this translates into specific emphasis on increased security (against hacking) for accounts that the consumers maintain with the service provider.
India has robust exchange control laws and the inherently decentralised and digital nature of Bitcoin can enable transfer of value from one jurisdiction to another without any oversight by a central agency, potentially violating the exchange control laws of India.
Bitcoin has for long been associated with criminal and nefarious activities, infact many believe that the famous black market website “Silk Road” played a big role in making Bitcoin famous[13] and therefore preventing Bitcoin from being used for illegal activities (or creating a mechanism to ensure a digital trail to help investigations post facto) would be a major issue that the regulations would seek to tackle.

Given the above assumptions, let us examine whether the Regulations suggested above can satisfactorily address the concerns of security of consumers, exchange control, and keeping a tab on criminal activities.

If the regulations provide for minimum capital adequacy requirements as well as registration by the RBI or some other central agency, then the chances of consumers being duped by “fly-by-night” operators would be significantly reduced. The Regulations can also provide for minimum security protocols to be maintained by the companies, which protocols can themselves be developed in concert with Bitcoin experts. Critics may point to the hacking of various Bitcoin exchanges in the recent past, including that of MtGox, in which Bitcoin worth millions of dollars were siphoned off, and argue that the security protocols may not be enough to prevent future instances of hacking. But that is true even for the current security protocols for online banking; and that has not prevented a large number of banks from providing online banking facilities and the RBI regulating the same. The other vital issue that legally mandated security protocols would address (and potentially solve) is the issue of liability in case of hackings. Regulations may provide clarity on this issue and protect innocent customers from negligent companies while at the same time protecting entrepreneurs by defining and limiting the liability for bona fide and vigilant companies.

The other issue that may be of major concern to the authorities is exchange control. India has extremely specific exchange control laws, and if any person in India wants to transfer any amount to any person overseas, the only legal way to do so is through a bank transfer, which requires filling paperwork giving the reason for the transfer (although the RBI and banks usually don’t ask for any proof for small amounts upto a few lakhs). This means that all transfers outside India are done through proper banking channels and are therefore under the supervision of the RBI. However the decentralised nature of Bitcoin enables individuals to transfer money outside the borders of India without going through any banking channels and hence stay completely outside the purview of the RBI’s supervision. Such a system which lets users transfer money beyond national borders outside legal banking channels could be easily misused by nefarious actors and this is exactly what happened as international drug cartels turned to Bitcoin and other digital currencies to move their ill gotten wealth beyond the borders of various countries.[14] Regulating the entities which provide Bitcoin wallets and Bitcoin exchanges will ensure that the RBI can exercise its supervisory jurisdiction over Bitcoin transactions of individual customers even though these transactions do not go through the regular banking channels. The Regulations could impose an obligation on the companies to provide information on any suspicious activities or provide greater information about accounts which see very high volumes, etc. to ensure that Bitcoin is not used to finance organised crime. Thus, the regulations could have provisions that would require the companies providing the Bitcoin wallets or exchanges to flag and monitor customers whose trading accounts or Bitcoin wallets have transactions of an amount greater than a specified limit. This would provide the RBI with the ability to enquire as to the reasons for such high volumes and weed out illegal transactions while at the same time allowing bona fide transactions to continue.

Very closely linked to the issue of exchange control and supervision of transactions is the issue of checking the furtherance of criminal activities using the apparent anonymity offered by Bitcoin. However if the RBI has regulatory oversight over all the Bitcoin companies that are operating in India, then it would be possible for it to keep an eye on most Bitcoin transactions in India as long as the wallet that originates or terminates the transaction has been provided by a Bitcoin service provider located in India. An argument may be made that a criminal may use the services of Bitcoin wallet services provided by companies outside India and therefore outside the purview of the RBI and its regulations. However this argument may not be as plausible as it may seem at first look; if we assume that for any criminal activity the ultimate goal is to get the money in the form of recognizable legal tender (preferably cash or money in a bank account) then it stands to reason that the Bitcoin in the wallet would be exchanged for currency at some point or the other in the chain, which can only be done through a Bitcoin exchange if the transaction is of a fairly high value (which most criminal transactions are) and these exchanges as well as the accounts maintained by them will be under the purview of the RBI, thus providing the law enforcement agencies with the final link in the chain of transactions. Further, the public nature of the blockchain (the ledger where each Bitcoin trade is registered and verified) also makes it possible for the enforcement agencies to follow the trail of money for each and every Bitcoin or part thereof.

Conclusion

From the discussion above, we see that the major arguments that have been given by sceptics regarding Bitcoin and its attractiveness to criminals due to its decentralised nature are actually not very viable on a closer look. Bitcoin and the blockchain technology are extremely important steps in the direction of better and more efficient financial transactions in the global economy, which is why a number of mainstream banks are also showing a keen interest in the blockchain technology.[15] Regulations governing Bitcoin or virtual currencies would clear the air regarding their legal status so that consumers as well as entrepreneurs and investors can invest more money in this technology which could potentially change the way financial transactions are carried out across jurisdictions.

[1] https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=414&Mode=0

[2] https://rbi.org.in/scripts/NotificationUser.aspx?Id=10799&Mode=0

[3] https://www.rbi.org.in/scripts/BS_ViewMasDirections.aspx?id=10598

[4] https://rbidocs.rbi.org.in/rdocs/content/pdfs/CPERR280416.pdf

[5] https://rbi.org.in/scripts/BS_PressReleaseDisplay.aspx?prid=30247

[6] https://rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=39435

[7] http://timesofindia.indiatimes.com/business/india-business/petrol-pumps-wont-accept-cards-from-monday-to-protest-banks-transaction-fee/articleshow/56402253.cms

[8] For example, currently the network fee for a person to person Bitcoin transfer is 0.0001 Bitcoin, which comes to roughly Rs. 6 per transaction irrespective of the amount involved.

[9] The processing of Bitcoin transactions is secured by servers called Bitcoin “miners”. These servers communicate over an internet-based network and confirm transactions by adding them to a ledger which is updated and archived periodically using peer-to-peer filesharing technology, also known as the “blockchain”. The integrity and chronological order of the blockchain is enforced with cryptography. In addition to archiving transactions, each new ledger update creates some newly-minted Bitcoins.

[10] https://www.virtualcurrencyreport.com/2017/01/washington-department-of-financial-institutions-proposes-virtual-currency-regulation/

[11] https://www.virtualcurrencyreport.com/2016/09/sdny-opinion-re-bitcoin/. For a discussion on how different States and agencies in the United States deal with Bitcoin, please see Misha Tsukerman, “THE BLOCK IS HOT: A SURVEY OF THE STATE OF BITCOIN REGULATION AND SUGGESTIONS FOR THE FUTURE, Berkeley Technology Law Journal, Vol. 30:385, 2015, p. 1127, available at http://scholarship.law.berkeley.edu/cgi/viewcontent.cgi?article=2084&context=btlj .

[12] http://themerkle.com/why-china-isnt-interested-in-banning-bitcoin-importance-of-regulation/

[13] See generally, Nathaniel Popper, “Digital Gold: Bitcoin and the Inside Story of the Misfits and Millionaires Trying to Reinvent Money”, Harper Collins, 2015.

[14] https://www.bloomberg.com/view/articles/2013-11-18/are-bitcoins-the-criminal-s-best-friend-

[15] http://www.morganstanley.com/ideas/big-banks-try-to-harness-blockchain.

For more details visit https://cis-india.org/internet-governance/blog/regulating-bitcoin-in-india

WISER Lecture : Sumandro Chattapadhyay on Deregulation by Code

praskrishna — 2017-03-29T11:48:08Z

University of the Witwatersrand organized a talk by Sumandro Chattapadhyay on Derugulation by Code on March 8, 2017 in Johannesburg.

On November 08, 2017, the Government of India initiated a demonetisation process. It involved cancellation of Rs. 500 and Rs. 1,000 currency notes as legal tender, establishing of a time bound process for the notes to be returned to the banks, announcement of specific emergency services (such as hospitals and utilities) for which the canceled notes could still be used, and introduction of a new Rs. 2,000 note. While the purpose of the demonetisation move was publicly articulated in terms of removal of unaccounted wealth held in cash form, the state narrative quickly moved to being primarily focused on promotion of various forms of digital payments, especially mobile-based payments. The notion of a "WhatsApp moment" in Indian banking in particular, and in Asian banking in general, has been in circulation since 2015. Nandan Nilekani, a significant technocrat politician of India who has been CEO of Infosys (a major Indian IT company) and the Chairman of the UID/Aadhaar project, was one of the first persons to take note of this upcoming "revolution". In a lecture given by him on August 21, 2015, he described the technological and market forces, enabled by policy decision, that are going to disrupt the Indian banking landscape.

Sumandro's lecture discussed the linkages between this WhatsApp moment and the demonetisation move, and locate them in the context of institutional and technological changes happening in the Indian banking sector since 2008. The talk focused on the development and proliferation of the Unified Payments Interface - an universal, private-owned, government-backed, mobile-to-mobile payment infrastructure - as the key instrument through which the ongoing deregulation of banking in India is being driven.

For more details visit https://cis-india.org/internet-governance/news/wiser-lecture-sumandro-chattapadhyay-on-deregulation-by-code

EVMs: How transparent is the Indian election process?

praskrishna — 2017-03-17T01:57:19Z

Electronic Voting Machines (EVMs) have become a bone of contention after the results of the Assembly elections in five states were declared last Saturday and the BSP president Mayawati alleged tampering. The Congress party and the Aam Aadmi Party (AAP) have called for a probe into her allegation. Social media too is abuzz with messages and videos showing how the machines can be allegedly manipulated to sway the votes in favour of a particular candidate.

The article by Smriti Sharma Vasudeva was published in the Statesman on March 14, 2017. Pranesh Prakash was quoted.

Overnight, several videos on Whatsapp have surfaced wherein people can be seen explaining the "mechanism" on how to alter the votes polled for a candidate in another candidate's favour. Several similar posts and articles are doing the rounds on Facebook.

BBC added fuel to the fire when it shared a 2010 article on how 'US "Scientists" hack India Electronic Machines' . The article details how scientists at a US university say they have developed a technique to hack into Indian electronic voting machines. While the article was posted on the BBC website a day after the election results were declared, it drew considerable flak from users on Facebook who criticised the website for its 'irresponsible' act of sharing an article with a "click bait" headline just to grab eyeballs.

Amid all this frenzy, the Election Commission of India has issued statements clarifying how the entire process is transparent and fool proof and tampering with the EVMs is a far-fetched thing given the checks and balances in place. For instance, the EVMs undergo the process of randomisation wherein which machine will go to which constituency and to which booth is not known to anyone till the last moment. Similarly, before the polling starts, mock polling takes place in the presence of representatives of all the political parties and then each of these machines are tested and a satisfactory report is generated and only after that polling begins.

However, all these checks and balances still do not ensure a fool proof system if experts are to be believed.

Pranesh Prakash, Policy Director for The Centre for Internet and Society, a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives, said: "The Electronic Voting Machines used in India are the simplest, with no large operating system requirements and are not networked. Thus, from a software design perspective, these are really good and the chances of these being tampered with are bleaker. However it doesn't mean these are fool proof. Most of the developed countries do not trust these machines and these are definitely not secure enough for democratic elections.

"While there are many advantages of using EVMs in the electoral process over the traditional ballot papers, still there are many ways in which one can tamper with these machines without any technical ingenuity. The best way is to make use of the EVMs and ensure that the Voter Verified Paper Audit Trail (VVPAT) are effectively utilised to make it an overall effective system".

Recently, the Supreme Court had mandated that VVPAT machines should be used in all the polls and thus the Election Commission had installed VVPAT machines in several constituencies. However, not sure of the efficacy of this system, the Election Commission had itself raised apprehensions regarding performance of the paper-trail machine, which gives a receipt to the voter, verifying the vote went in favour of the candidate against whose name the button was pressed on the electronic voting machine.a

For more details visit https://cis-india.org/internet-governance/news/the-statesman-smriti-sharma-vasudeva-march-14-2017-evms-how-transparent-is-the-indian-election-process

A Pathfinding Approach for Digital India

Shyam Ponappa — 2017-03-03T16:39:37Z

It's not only the installation of the OFC, but of ensuring quality and reliability.

The article was published in the Business Standard on January 31, 2017 and reproduced on Organizing India Blogspot on February 1, 2017.

Most people believe an optical fibre cable (OFC) connection is necessary for broadband. While largely true, this is often financially viable only in urban agglomerations. What is less known is that trading companies use wireless links between New York and Chicago for high-speed electronic trades.[1] For people outside urban clusters, wireless is a less expensive alternative to fibre. They get only a few megabits per second, but realistically, ubiquitous broadband at 2 Mbps would be great.

Three factors are driving internet access and usage in India. An overriding factor is the growth of wireless devices and traffic as a global phenomenon. Cisco estimated in June 2016 that in 2015, wired access comprised 52 per cent of IP traffic, but would reduce to one-third by 2020, while wireless access would increase to two-thirds. This trend is reinforced by another factor: Innovation that lowers costs and improves performance in mobile wireless (Chart 1).

Chart 1: Mobile Innovation Lowers Costs and Improves Performance

Sources: Cisco Visual Networking Index; International Telecommunication Union; IE Market Research; Motorola, Deutsche Bank; Qualcomm
Note: Data speed indicated the maximum downlink speed, not average observed speeds. The average observed speeds depend on many factors, including infra, subscriber density and device harware and software

The third factor is the combination of the geographic spread of our population, the concentration of broadband penetration (Chart 2), and the limited coverage of OFC networks. While major cities and their connecting links are covered by OFC, less populated and less commercially attractive areas between them are not. In hilly terrain, there is considerable difficulty in laying OFC, which extends far beyond cost. In urban areas, cost can be a deterrent because we lack reasonable, uniform charges for rights-of-way. Such procedures and practices are difficult to institute and enforce, but are essential for robust, viable OFC networks.

Chart 2: Broadband Penetration

Source: http://www.thehindu.com/sci-tech/technology/internet/The-India-wide-web/article14588938.ece

It's not only the installation of the OFC, but of ensuring quality and reliability. OFC networks in India apparently suffer from 12 to 14 cuts per km per month, whereas the international benchmark is 0.7 cuts per km km per month. Apart from more frequent repairs, the capital expenditure in India is nearly three times as high as in Australia or the US.[2]

Estimates for installing OFC using standard procedures vary from about Rs 1 lakh to Rs 4 lakh per km. However, there have been attempts at getting costs down by radical changes in approach. For example, Andhra Pradesh considered an OFC installation of 22,500 km estimated Rs 4,700 crore. By stringing fibre overhead along electric cables, however, the estimate was cut to Rs 333 crore, reducing costs from Rs 21 lakh to under Rs 1.5 lakh per km. It remains to be seen how this network will perform in terms of quality and reliability. Also, wireless technology is needed to extend connectivity from the fibre to villages, and cellular network costs rise with less bandwidth. For instance, one estimate is that excluding spectrum costs, a network using 5 MHz costs nearly 70 percent more than using 20 MHz.

For all these reasons, we need concerted action to redesign our approach to broadband, covering the fundamentals of infrastructure, spectrum and market design. The exponential growth in mobile services has reached a plateau, and is complicated by the taint of the 2G spectrum scams. This has resulted in a mindset combining witch-hunting and paranoia in the press, the public, government departments, and the judiciary. This is not conducive for the coordinated, collective strategy and action that is required to extricate ourselves. Several proven wireless technologies are not permitted in India, although the Telecom Regulatory Authority of India has recommended their use. Methods to increase connectivity like those listed below are urgently needed, with requisite environmental safeguards such as the use of renewable energy.

60 GHz (V band) wireless gigabit for short-haul;
70 and 80 GHz (E band) for multi-gigabit backhaul up to 5 km;
TV White Space for the middle mile from the fibre to users in villages up to 8-10 km away in a single hop;

Additional steps, e.g.:

Increasing unlicensed spectrum in the 5.8 GHz band from 50 MHz to 80 MHz to enable 866 Mbps per channel, or more for gigabit capacity;

Enabling secondary sharing of spectrum bands such as TV White Space, which has the possibility of existing Indian IPR establishing domestic manufacturing and dominating this niche;

It is evident that despite intense efforts by the people involved, our existing approach is simply not getting us to where we need to be. This has been repeated by government and private sector representatives many times. There’s no substitute for developing a sound approach, collectively and participatively, with professional facilitation, cutting across government, industry (operators and equipment providers), users, and the judiciary, to devise whatever solutions will deliver better results. We have to move away from adversarial deadlock.

A good way to begin is by accepting facts, and considering the evidence before dismissing points of view. For licensing, we know that government collections from revenue sharing far exceed the auction fees foregone (“Breakthroughs Needed for Digital India”). We have the experience of building other infrastructure such as roads and airports on revenue-sharing principles. We have to take a similar systematic, phased approach to designing and implementing broadband networks. Policies on infrastructure resource use including spectrum need to be rationalised, and the sector organised through participative path-finding and problem solving. We have to build national champions in manufacturing to keep costs affordable, for instance, using TV White Space. India could set the standard with its IPR and products where OFC is infeasible or unviable for connectivity to villages and rural clusters. Both the administrative and political leadership need to do this, working with all stakeholders, and not treating any of them as adversaries, or cronies.

[1]. ‘Information Transmission between Financial Markets in Chicago and New York’, Gregory Laughlin, Anthony Aguirre, and Joseph Grundfest, Cornell University Library, arXiv.org

[2]. Conference presentation, Sterlite, http://www.trai.gov.in/sites/default/files/Sterlite-Badri.pdf

For more details visit https://cis-india.org/telecom/blog/business-standard-january-31-2017-and-organizing-india-blogspot-february-1-2017-shyam-ponappa-a-pathfinding-approach-for-digital-india

Seminar on Understanding Financial Technology, Cashless India, and Forced Digitalisation (Delhi, January 24)

sumandro — 2017-01-23T13:17:19Z

The Centre for Financial Accountability is organising a seminar on "Understanding Financial Technology, Cashless India, and Forced Digitalisation" on Tuesday, January 24, at YWCA, Ashoka Road, New Delhi. Sumandro Chattapadhyay will participate in the seminar and speak on the emerging architecture of FinTech in India, as being developed and deployed by UIDAI and NPCI.

Cross-posted from Centre for Financial Accountability.

Programme Schedule

09.30 - Registration

10:00 - Introduction to the Seminar & Setting the Context

Madhuresh Kumar, National Alliance of People’s Movements

10:15–11:30 - Session 1 - Understanding the Political Context of FinTech

B P Mathur, Former Dy CAG

Prabir Purkayastha, Free Software Movement of India and Knowledge Commons

C P Chandrasekhar, Centre for Economic Studies and Planning, JNU

11:30-11:45 – Tea / Coffee break

11:45-13:15 - Session 2 - How will FinTech Impact the Poor, and Labour and Banking Sector?

Ashim Roy, New Trade Union of India

Nikhil Dey, Mazdoor Kisan Shakti Sangathan

Ravinder Gupta, General Secretary, State Bank of India Officers Association

13:15-14:00 – Lunch

14:00-15:30 - Session 3 - Understanding the Economic Context of FinTech

Indira Rajaraman, Former Director, RBI

Tony Joseph, Sr. Journalist

15:30-17:00 - Session 4 - Understanding the Architecture of FinTech: Linkages to Aadhaar, IndiaStack etc

Sumandro Chattapadhyay, the Centre for Internet and Society

Gopal Krishna, ToxicsWatch

17:00 – Tea

For more details visit https://cis-india.org/internet-governance/news/seminar-on-understanding-financial-technology-cashless-india-and-forced-digitalisation-delhi-jan-24-2017

The Dangers Of Aadhaar-Based Payments That No One Is Talking About

praskrishna — 2017-01-17T14:39:53Z

Less than three months ago, India’s banking sector was hit by a data breach which compromised 32 lakh debit cards and led to fraudulent transactions worth Rs 1.3 crore.

The article by Mayank Jain was published by Bloomberg on January 17, 2017. Sunil Abraham was quoted.

The incident started a debate around security of payment systems. But the debate had just about begun when the government’s demonetisation decision dragged attention away from it. Now as the dust settles and as the government starts to push newer means of digital payments, the focus is back on the security of systems being seen as an alternative to cash.

One such system is Aadhaar-based payments which could potentially allow citizens to pay anytime anywhere with the tap of a finger.

In theory, it sounds simple.

The Aadhaar-based payment system runs on the existing Aadhaar infrastructure through which a person’s biometrics are used to authenticate the user. Once authenticated, the user can transfer funds directly from one bank account to another without going through a mobile wallet or a card.

The payment system requires a smartphone, a working internet connection and a biometric authentication device with the merchant. The customer needn’t have a card or a phone as long as he or she has an Aadhaar-seeded bank account.

National Payments Corporation of India has developed this payments infrastructure over the existing Aadhaar-Enabled Payments System, the railroad on which the public distribution system has been functioning for years now.

Amitabh Kant, chief executive officer of the government policy think tank NITI Aayog said, earlier this month, that all cards and point-of-sale machines will become redundant in the country in the next two-and-a-half years as Aadhaar-based payments become popular.

A Double-Edged Sword

While payments authenticated by biometrics sound like a good idea in a country where less than one in three people actually own a smartphone, there are fears that integrating biometrics with digital payments could prove to be a security headache.

The first part of the problem is that Aadhaar, while effective, is not a fool-proof method of authentication and identification failures are not uncommon. Building a payment system atop the Aadhaar system will simply transfer some of these vulnerabilities.

The possibility of transaction failures due to a biometric mismatch are real, admitted a former high-ranking official from the Unique Identification Authority of India (UIDAI) who spoke to BloombergQuint on the condition of anonymity.

Officially, the false reject rate – rejection of a biometric when it’s actually correct – is set at a maximum of 2 percent for devices that get certified from the UIDAI. On the ground, however, failure rates vary widely, said the official quoted above.

According to the official statistics on UIDAI, more than 16 lakh Aadhaar-authentication requests failed in the past week. The type of errors encountered ranged from the biometric data not matching the database to demographic details not checking out.

The failure rates on Aadhaar Enabled Payment System for interbank transactions (which is a part of all Aadhaar authentication requests) were found to be as high as 60 percent by the Watal Committee on digital payments which published its report in December.

Additionally, newer security threats may also emerge if the scope of Aadhaar is widened. These include identity theft if a person’s biometrics are compromised from the payment system, phishing attempts, and the difficulty in revoking access once biometric information is compromised.

Biometrics aren’t an exact science, the official quoted above said, while adding that possible glitches have to be weighed against the benefits of offering a widely accessible non-cash mode of payment to citizens.

How Easy Is It To Beat The System?

Sunil Abraham, executive director of Bangalore based research organisation Center for Internet and Society (CIS) said that one way to assess how secure a system is to understand the cost and effort that goes into breaching it.

In the case of Aadhaar-based payment systems, the costs may not be high.

“There’s the gummy finger method which essentially requires some Fevicol or gum to duplicate someone’s fingerprint which can be enough to transact on someone’s behalf without them being there,” said Abraham in a phone conversation with BloombergQuint. “An average person can’t clone a smart card. Just fevicol and glue can help you make a gummy finger. The biometric lobby will say that advanced scanners defeat the gummy finger attack but more advanced scanners are also more expensive.”

Also, using more sensitive devices could push up the instance of false rejection of transactions, said Abraham.

There are other concerns. Like the fact that devices used for Aadhaar identification could store personal information, which, in turn, could be susceptible to a breach.

There are five main components in an Aadhaar app transaction – the customer, the vendor, the app, the back-end validation software, and the Aadhaar system itself. There are also two main external concerns – the security of the data at rest on the phone and the security of the data in transit. At all seven points, the customer’s data is vulnerable to attack.
Bhairav Acharya, Program Fellow, New America

Acharya, who works at a U.S.-based think tank called New America and focuses on cyber-law, said the key concern is that Aadhaar data can be stolen and misused.

“The app and validation software are insecure, the Aadhaar system itself is insecure, the network infrastructure is insecure, and the laws are inadequate.”

The biometric data collected on the authentication device at a merchant location can potentially be stored on the device as well as the smartphone of a merchant for a long time. Abraham added that there is a possibility that non-certified devices will enter the market, which can store data and use it in the future to do fraudulent transactions.

The concerns over potential misuse of biometric data by private agencies has also been highlighted by the Supreme Court of India. Earlier this month, the apex court refused to expedite the hearing on a petition regarding Aadhaar being utilised for multiple use cases by private companies. It, however, observed that private agencies collecting biometric data “is not a great idea”.

Deficient Privacy Laws

Apar Gupta, a Delhi-based lawyer working on cyber security, says that the lack of strong privacy protecting provisions is another concern that should be kept in mind while moving towards an Aadhaar-based payment system.

“The data stays for a long time with the stakeholders in the system. The requesting agency can keep it for seven years and the UIDAI can store it for five years. There are insufficient safeguards and there’s an absence of privacy law and an independent privacy regulator,” he said.

Acharya agreed.

India does not have the necessary laws to deal with a decentralised, biometrically-authenticated, mobile payments system, according to Acharya.

“Moreover, current laws and policies regarding the Aadhaar project, particularly the centralised database, are inadequate from the point of view of data security and end-user privacy,” he said.

Abraham of CIS said the issue is wider than Aadhaar. The problem is the lack of a strong data security law.

We only have a minimal data security law under the Section 43A of the Information and Technology Act which only applies to the private sector. There’s no law that applies to the government. Even 43A has not been applied consistently. There’s no place for you to go and complain if your identity has been compromised.
Sunil Abraham, Executive Director, Centre for Internet & Society

Gupta noted that, in the event of an identity threat, avenues of recourse are also limited. He said the best option is an appeal in the civil court, which is a long drawn out process.

In final analysis, according to Abraham, credit and debit cards are easier to secure as access can be revoked quickly.

“The trouble with biometrics is that the chain of trust is harder to establish because too many people can get access to biometrics and then you need to devise these convoluted solutions like hardware secure zones,” Abraham said.

“So the advantage of going with a smart card is that it can be easily re-secured, but with biometrics, once I compromise it, it’s lifelong.”

For more details visit https://cis-india.org/internet-governance/news/bloomberg-mayank-jain-january-17-2017-dangers-of-aadhaar-based-payments-that-no-one-is-talking-about

Comments on the Report of the Committee on Digital Payments (December 2016)

Sumandro Chattapadhyay and Amber Sinha — 2017-01-12T12:32:22Z

The Committee on Digital Payments constituted by the Ministry of Finance and chaired by Ratan P. Watal, Principal Advisor, NITI Aayog, submitted its report on the "Medium Term Recommendations to Strengthen Digital Payments Ecosystem" on December 09, 2016. The report was made public on December 27, and comments were sought from the general public. Here are the comments submitted by the Centre for Internet and Society.

1. Preliminary

1.1. This submission presents comments by the Centre for Internet and Society (“CIS”) [1] in response to the report of the Committee on Digital Payments, chaired by Mr. Ratan P. Watal, Principal Advisor, NITI Aayog, and constituted by the Ministry of Finance, Government of India (“the report”) [2].

2. The Centre for Internet and Society

2.1. The Centre for Internet and Society, CIS, is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, and open access), internet governance, telecommunication reform, digital privacy, and cyber-security.

2.2. CIS is not an expert organisation in the domain of banking in general and payments in particular. Our expertise is in matters of internet and communication governance, data privacy and security, and technology regulation. We deeply appreciate and are most inspired by the Ministry of Finance’s decision to invite entities from both the sectors of finance and information technology. This submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved, especially the citizens and the users. CIS is thankful to the Ministry of Finance for this opportunity to provide a general response on the report.

3. Comments

3.1. CIS observes that the decision by the Government of India to withdraw the legal tender character of the old high denomination banknotes (that is, Rs. 500 Rs. 1,000 notes), declared on November 08, 2016 [3], have generated unprecedented data about the user base and transaction patterns of digital payments systems in India, when pushed to its extreme use due to the circumstances. The majority of this data is available with the National Payments Corporation of India and the Reserve Bank of India. CIS requests the authorities concerned to consider opening up this data for analysis and discussion by public at large and experts in particular, before any specific policy and regulatory decisions are taken towards advancing digital payments proliferation in India. This is a crucial opportunity for the Ministry of Finance to embrace (open) data-driven regulation and policy-making.

3.2. While the report makes a reference to the European General Data Protection Directive, it does not make a reference to any substantive provisions in the Directive which may be relevant to digital payments. Aside from the recommendation that privacy protections around the purpose limitation principle be relaxed to ensure that payment service providers be allowed to process data to improve fraud monitoring and anti-money laundering services, the report is silent on significant privacy and data protection concerns posed by digital payments services. CIS strongly warns that the existing data protection and security regulations under Information Technology (Reasonable security practices and procedures and sensitive personal data or information), Rules are woefully inadequate in their scope and application to effectively deal with potential privacy concerns posed by digital payments applications and services. Some key privacy issues that must be addressed either under a comprehensive data protection legislation or a sector specific financial regulation are listed below. The process of obtaining consent must be specific, informed and unambiguous and through a clear affirmative action by the data subject based upon a genuine choice provided along with an option to opt out at any stage. The data subjects should have clear and easily enforceable right to access and correct their data. Further, data subjects should have the right to restrict the usage of their data in circumstances such as inaccuracy of data, unlawful purpose and data no longer required in order to fulfill the original purpose.

3.3. The initial recommendation of the report is to “[m]ake regulation of payments independent from the function of central banking” (page 22). This involves a fundamental transformation of the payment and settlement system in India and its regulation. We submit that a decision regarding transformation of such scale and implications is taken after a more comprehensive policy discussion, especially involving a wider range of stakeholders. The report itself notes that “[d]igital payments also have the potential of becoming a gateway to other financial services such as credit facilities for small businesses and low-income households” (page 32). Thus, a clear functional, and hence regulatory, separation between the (digital) payments industry and the lending/borrowing industry may be either effective or desirable. Global experience tells us that digital transactions data, along with other alternative data, are fast becoming the basis of provision of financial and other services, by both banking and non-banking (payments) companies. We appeal to the Ministry of Finance to adopt a comprehensive and concerted approach to regulating, enabling competition, and upholding consumers’ rights in the banking sector at large.

3.4. The report recognises “banking as an activity is separate from payments, which is more of a technology business” (page 154). Contemporary banking and payment businesses are both are primarily technology businesses where information technology particularly is deployed intimately to extract, process, and drive asset management decisions using financial transaction data. Further, with payment businesses (such as, pre-paid instruments) offering return on deposited money via other means (such as, cashbacks), and potentially competing and/or collaborating with established banks to use financial transaction data to drive lending decisions, including but not limited to micro-loans, it appears unproductive to create a separation between banking as an activity and payments as an activity merely in terms of the respective technology intensity of these sectors. CIS firmly recommends that regulation of these financial services and activities be undertaken in a technology-agnostic manner, and similar regulatory regimes be deployed on those entities offering similar services irrespective of their technology intensity or choice.

3.5. The report highlights two major shortcomings of the current regulatory regime for payments. Firstly “the law does not impose any obligation on the regulator to promote competition and innovation in the payments market” (page 153). It appears to us that the regulator’s role should not be to promote market expansion and innovation but to ensure and oversee competition. We believe that the current regulator should focus on regulating the existing market, and the work of the expansion of the digital payments market in particular and the digital financial services market in general be carried out by another government agency, as it creates conflict of interest for the regulator otherwise. Secondly, the report mentions that Payment and Settlement Systems Act does not “focus the regulatory attention on the need for consumer protection in digital payments” and then it notes that a “provision was inserted to protect funds collected from customers” in 2015 (page 153). This indicates that the regulator already has the responsibility to ensure consumer protection in digital payments. The purview and modalities of how this function of course needs discussion and changes with the growth in digital payments.

3.6. The report identifies the high cost of cash as a key reason for the government’s policy push towards digital payments. Further, it mentions that a “sample survey conducted in 2014 across urban and rural neighbourhoods in Delhi and Meerut, shows that despite being keenly aware of the costs associated with transacting in cash, most consumers see three main benefits of cash, viz. freedom of negotiations, faster settlements, and ensuring exact payments” (page 30). It further notes that “[d]igital payments have significant dependencies upon power and telecommunications infrastructure. Therefore, the roll out of robust and user friendly digital payments solutions to unelectrified areas/areas without telecommunications network coverage, remains a challenge.” CIS much appreciates the discussion of the barriers to universal adoption and rollout of digital payments in the report, and appeals to the Ministry of Finance to undertake a more comprehensive study of the key investments required by the Government of India to ensure that digital payments become ubiquitously viable as well as satisfy the demands of a vast range of consumers that India has. The estimates about investment required to create a robust digital payment infrastructure, cited in the report, provide a great basis for undertaking studies such as these.

3.7. CIS is very encouraged to see the report highlighting that “[w]ith the rising number of users of digital payment services, it is absolutely necessary to develop consumer confidence on digital payments. Therefore, it is essential to have legislative safeguards to protect such consumers in-built into the primary law.” We second this recommendation and would like to add further that financial transaction data is governed under a common data protection and privacy regime, without making any differences between data collected by banking and non-banking entities.

3.8. We are, however, very discouraged to see the overtly incorrect use of the word “Open Access” in this report in the context of a payment system disallowing service when the client wants to transact money with a specific entity [4]. This is not an uncommon anti-competitive measure adopted by various platform players and services providers so as to disallow users from using competing products (such as, not allowing competing apps in the app store controlled by one software company). The term “Open Access” is not only the appropriate word to describe the negation of such anti-competitive behaviour, its usage in this context undermines its accepted meaning and creates confusion regarding the recommendation being proposed by the report. The closest analogy to the recommendation of the report would perhaps be with the principle of “network neutrality” that stands for the network provider not discriminating between data packets being processed by them, either in terms of price or speed.

3.9. A major recommendation by the report involves creation of “a fund from savings generated from cash-less transactions … by the Central Government,” which will use “the trinity of JAM (Jan Dhan, Adhaar, Mobile) [to] link financial inclusion with social protection, contributing to improved Social and Financial Security and Inclusion of vulnerable groups/ communities” (page 160-161). This amounts to making Aadhaar a mandatory ID for financial inclusion of citizens, especially the marginal and vulnerable ones, and is in direct contradiction to the government’s statements regarding the optional nature of the Aadhaar ID, as well as the orders by the Supreme Court on this topic.

3.10. The report recommends that “Aadhaar should be made the primary identification for KYC with the option of using other IDs for people who have not yet obtained Aadhaar” (page 163) and further that “Aadhaar eKYC and eSign should be a replacement for paper based, costly, and shared central KYC registries” (page 162). Not only these measures would imply making Aadhaar a mandatory ID for undertaking any legal activity in the country, they assume that the UIDAI has verified and audited the personal documents submitted by Aadhaar number holders during enrollment. A mandate for replacement of the paper-based central KYC agencies will only remove a much needed redundancy in the the identity verification infrastructure of the government.

3.11. The report suggests that “[t]ransactions which are permitted in cash without KYC should also be permitted on prepaid wallets without KYC” (page 164-165). This seems to negate the reality that physical verification of a person remains one of the most authoritative identity verification process for a natural person, apart from DNA testing perhaps. Thus, establishing full equivalency of procedure between a presence-less transaction and one involving a physically present person making the payment will only amount to removal of relatively greater security precautions for the former, and will lead to possibilities of fraud.

3.12. In continuation with the previous point, the report recommends promotion of “Aadhaar based KYC where PAN has not been obtained” and making of “quoting Aadhaar compulsory in income tax return for natural persons” (page 163). Both these measures imply a replacement of the PAN by Aadhaar in the long term, and a sharp reduction in growth of new PAN holders in the short term. We appeal for this recommendation to be reconsidered as integration of all functionally separate national critical information infrastructures (such as PAN and Aadhaar) into a single unified and centralised system (such as Aadhaar) engenders massive national and personal security threats.

3.13. The report suggest the establishment of “a ranking and reward framework” to recognise and encourage for the best performing state/district/agency in the proliferation of digital payments. It appears to us that creation of such a framework will only lead to making of an environment of competition among these entities concerned, which apart from its benefits may also have its costs. For example, the incentivisation of quick rollout of digital payment avenues by state government and various government agencies may lead to implementation without sufficient planning, coordination with stakeholders, and precautions regarding data security and privacy. The provision of central support for digital payments should be carried out in an environment of cooperation and not competition.

3.14. CIS welcomes the recommendation by the report to generate greater awareness about cost of cash, including by ensuring that “large merchants including government agencies should account and disclose the cost of cash collection and cash payments incurred by them periodically” (page 164). It, however, is not clear to whom such periodic disclosures should be made. We would like to add here that the awareness building must simultaneously focus on making public how different entities shoulder these costs. Further, for reasons of comparison and evidence-driven policy making, it is necessary that data for equivalent variables are also made open for digital payments - the total and disaggregate cost, and what proportion of these costs are shouldered by which entities.

3.15. The report acknowledges that “[t]oday, most merchants do not accept digital payments” and it goes on to recommend “that the Government should seize the initiative and require all government agencies and merchants where contracts are awarded by the government to provide at-least one suitable digital payment option to its consumers and vendors” (page 165). This requirement for offering digital payment option will only introduce an additional economic barrier for merchants bidding for government contracts. We appeal to the Ministry of Finance to reconsider this approach of raising the costs of non-digital payments to incentivise proliferation of digital payments, and instead lower the existing economic and other barriers to digital payments that keep the merchants away. The adoption of digital payments must not lead to increasing costs for merchants and end-users, but must decrease the same instead.

3.16. As the report was submitted on December 09, 2016, and was made public only on December 27, 2016, it would have been much appreciated if at least a month-long window was provided to study and comment on the report, instead of fifteen days. This is especially crucial as the recently implemented demonetisation and the subsequent banking and fiscal policy decisions taken by the government have rapidly transformed the state and dynamics of the payments system landscape in India in general, and digital payments in particular.

Endnotes

[1] See: http://cis-india.org/.

[2] See: http://finmin.nic.in/reports/Note-watal-report.pdf and http://finmin.nic.in/reports/watal_report271216.pdf.

[3] See: http://finmin.nic.in/cancellation_high_denomination_notes.pdf.

[4] Open Access refers to “free and unrestricted online availability” of scientific and non-scientific literature. See: http://www.budapestopenaccessinitiative.org/read.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-the-report-of-the-committee-on-digital-payments-dec-2016

Fake Narendra Modi apps aplenty, but it’s up to users to protect themselves

praskrishna — 2016-12-10T04:24:24Z

The app, hosted on Google Play store, automatically gets excessive permission including full network access and ability to take pictures and videos once downloaded.

The article was published by Indian Express on December 2, 2016. Pranesh Prakash was quoted. Also see Nandini Yadav's blog post in BGR on December 3, 2016.

The app, hosted on Google Play store, automatically gets excessive permission including full network access and ability to take pictures and videos once downloaded.

A “Narendra Modi” app, purportedly offered by the Government of India, caught the attention of Internet expert Pranesh Prakash on Thursday as the app developer was found to be using a Bangladesh-based web host and e-mail address. Suggesting that this could be the work of a con-artist, Prakash underlined that granting access to fake apps could lead to security breach. The app, hosted on Google Play store, automatically gets excessive permission including full network access and ability to take pictures and videos once downloaded. The original NaMo, however, only gets access to read, modify and delete the user’s media files. The “fake” app was downloaded more than 1 lakh times and has an average rating of 4.4 from over 2,000 reviews. A simple search on the play store throws up dozens of Narendra Modi apps, some even calling themselves fake apps. The original app was published by Narendramodi.in and Government Of India. But there are scores of other apps trying to imitate the original.

Pranesh, who is Policy Director at The Centre for Internet and Society, also questioned how users can differentiate between fake and genuine apps when even the official app was registered using a gmail address. While the Government of India Narendra Modi app has been published using info@narendramodi.press, the one by Narendramodi.in has been published using a simple Gmail app. He also highlighted how the play store was flooded with fake banking apps, with one such “SBI app” gaining full access to the user’s files. Incidentally, the fake Modi Ki Note app which has been in the limelight since the demonetisation on high value notes and issue of new ones itself has many duplicates.

In the last two days, the Congress and its vice-president Rahul Gandhi fell victim to hacking as their verified Twitter accounts were compromised. Profane content was shared from both accounts, targeting the Gandhi and his family. This lead to the Congress questioning Prime Minister Narendra Modi’s digital India push as security remains a huge concern.

For more details visit https://cis-india.org/internet-governance/news/indian-express-december-2-2016-fake-narendra-modi-apps-aplenty-but-it-is-up-to-users-to-protect-themselves