Centre for Internet and Society

Platforming precarity: Data narratives of workers sustaining urban platform services

2024-10-15T02:42:26Z

CIS conducted quantitative surveys with over 800 workers employed in the app-based taxi and delivery sectors across 4 cities in India as part of the ‘Labour Futures’ project supported by the Internet Society Foundation. The surveys covered key employment indicators, including earnings and working hours, work-related cost burdens, income and social security, and platform policies and management. Findings from these surveys are presented as data visualisation briefs centring workers’ everyday experiences. These data briefs form a foundational evidence base for policy and action around labour rights, social protection, and urban inclusion in platform work.

It has been over a decade since app-based delivery and taxi sectors began operations in India, and have since expanded to several metropolitan and smaller cities. These sectors together account for the largest proportion of the platform workforce in India. Workers’ organising and collective action have long revealed extractive labour practices in the platform economy. Their demands call for the recognition of their labour rights by policymakers and platforms, an end to exploitative working conditions, and the introduction of effective policy that protects their rights and wellbeing.

In 2021-22, the labour research vertical at the Centre for Internet and Society conducted quantitative surveys with over 800 workers in the app-based taxi services and app-based delivery services sectors. Spanning four cities (Delhi-NCR, Mumbai, Guwahati, Lucknow), the surveys gathered comprehensive data on the conditions of work in the platform economy in these cities, within its two dominant sectors.

The survey covered key labour indicators—(i) the conditions of work for workers, including recruitment, wages, incentive structures, and work-related cost burdens (ii) workforce management, including hours spent working for the platform, surveillance and control measures, and (iii) workers’ coverage under income security, social security and social protections, including provident funds, health and accident insurance, and pensions.

Key Findings

The generation of city-level data aimed to support policymaking and advocacy towards achieving just outcomes for workers in the rapidly platformising Indian economy. These survey findings speak to i) top-down approaches of regulatory, legislative, and judicial action through evidence-building, and ii) bottom-up approaches of mobilisation and advocacy campaigns of workers’ collectives.

The city-wise data briefs highlight region-specific differences and similarities shaped by histories and newer developments of labour platforms operating in the urban economy. Across the four survey cities, the data briefs reveal the ways in which precarity materialised in platform work. Workers grappled with numerous socioeconomic vulnerabilities that influenced their entry and continued employment in platform work. They faced low-wage outcomes, worsened by a reduction in bonuses, and high operational work-related expenses. Earnings remained low and uncertain despite workers putting in immensely long hours working for platforms. Worsening these burdens was widespread income insecurity that workers faced in both app-based taxi and delivery sectors.

Mapping delivery and taxi platform services across cities

The taxi services sector in all cities was dominated by two large platforms—Uber and Ola Cabs. These platforms had established a highly concentrated labour market for taxi workers. The exception to this was the taxi platform labour market in Guwahati, where the local platform, PeIndia, employed 35% of taxi workers in the city.

The delivery services sector in all cities had a high concentration of pan-India platforms. Food delivery services were concentrated by Swiggy and Zomato across cities. E-commerce delivery services had a diversity of platforms including Amazon, Flipkart, E-kart Logistics, and Shadowfax, as well as grocery delivery services like Big Basket, Dunzo, and Jio Mart.

Economic necessity and a lack of alternative employment pushing workers into precarious platform work

The pathway to precarious platform work was distress-driven, borne out of low wages in previous salaried work, or a lack of alternative employment. A large proportion of workers were previously engaged in salaried employment, who then shifted to platform work, marking increased informality and precarity in their employment status. In Mumbai, over 64% of workers were in salaried employment previously, and this also the case for over 50% of workers in Guwahati, and over 42% of workers in Delhi-NCR. In Lucknow and Delhi-NCR, pandemic-driven unemployment was a key driver for a staggering proportion of workers who joined platform work as a distress employment source. Over 30% of workers in Lucknow and Delhi-NCR were previously unemployed.

These socioeconomic vulnerabilities influenced workers entry and continued employment in platform work. Key factors for workers entering were the lack of alternative employment sources and the hope for better pay and potential job flexibility. The lack of alternative jobs was a major push into platform work for workers in Delhi-NCR and Lucknow—over 60% of workers in Delhi-NCR and over 50% of workers in Lucknow. At least 40% of workers across cities mentioned the expectation of better pay as a major reason to start platform work, while potential job flexibility was also a key reason for workers in Mumbai and Guwahati. However, as the findings below show, workers’ expectations were unmet.

Externalised joining, statutory, and operational costs

High joining, statutory, and operational costs were offloaded onto workers to access and continue platform work. This was especially the case for taxi workers who owned their vehicles, and had to incur vehicle investment costs and downpayment, as well as statutory costs that included operating permits, road tax, vehicle insurance, and fitness fee. Across all cities, average monthly expenses for taxi workers were above INR 30,000. For delivery workers, average monthly expenses mostly comprised fuel costs, and were around INR 5,500 in Guwahati and Lucknow, and around INR 6,700 in Delhi-NCR and Mumbai. These high externalised costs reveal the economic vulnerabilities inherent within platform work.

Compounding these costs, platforms in the taxi services sectors also charged commissions unevenly and in varying fee structures—ranging from 20% to 30% of the fare in Mumbai and Lucknow, and going as high as 35% in Delhi-NCR and Guwahati. It is important to note that high commissions persist despite the mandate under the Motor Vehicle Aggregator Guidelines, 2020 to cap commissions and other platform charges at 20% of the fare.

Platforms’ offloading of costs to workers have resulted in workers’ having to rely on informal leasing, debt, and subcontracting arrangements. These arrangements were seen across all cities, where workers in the city were either renting the vehicle they were driving, paying a commission to a vehicle owner, paying off vehicle EMIs on someone else’s behalf, or were paid a fixed salary by a vehicle owner. Notably, in Lucknow, around 35% of taxi workers were engaged under these informal arrangements.

Insufficient incomes and economic vulnerabilities

Workers' experiences, across cities, highlight how a majority contended with low-wage outcomes. Earnings remained low and uncertain for workers despite the fact that they were putting in long work hours. Several factors contributed to this insufficiency and uncertainty in workers’ earnings: stringent platform requirements around high acceptance rates and ratings, which were important determinants, decreased flexibility, and high offloaded work-related expenses.

Across cities, earnings for delivery workers were considerably lower than those for taxi workers. When earnings were adjusted for standard weekly work hours (48 hours/week), over 50% of delivery workers in Mumbai, Guwahati, and Lucknow were earning less than the corresponding state-wise minimum wages. Further, over 75% of delivery workers in these cities were earning below estimated state-wise living wages. Platform work was also insufficient in meeting essential living needs for taxi workers in Mumbai, Guwahati, and Lucknow. Around 30% of taxi workers (23% in Guwahati) were earning less than minimum wages, and around 50% (80% in Mumbai) were earning less than estimated living wages. Earnings for both delivery and taxi workers in Delhi-NCR were substantially lower than minimum wage and living wage standards. 69% of workers in the taxi services sector and 87% of workers in the delivery services sector earned less than the minimum wage in Delhi. Moreover, 92% of workers in the taxi sector and 97% of workers in the delivery sector earned lower than the estimated living wage.

These insufficient incomes were particularly damaging to workers’ lives and livelihoods, considering their high dependence on income from platform work. An overwhelming proportion of workers (over 94% across all cities) were engaged in platform work as their main source of income, as opposed to part-time employment. They also faced significant economic burdens such as being sole earners in their household, having multiple financial dependents, having financial commitments to provide remittances back home, and so on. Worsening these burdens was widespread income insecurity that workers faced across all cities—for over 43% of workers (up to 65% in Guwahati), earnings from platform work were insufficient for covering basic household expenses.

Workplace risks and ineffective redressal mechanisms

Workers in both sectors were working immensely long hours in order to try and make adequate earnings while working for platforms, working several hours above standard weekly work hours (48 hours/week) typically prescribed by occupational health standards. Across all cities, delivery workers spent a median of over 60 weekly hours working for platforms, and taxi workers spent a median of around 84 weekly hours.

Alongside the adverse health impacts of long work hours, workers faced grievous workplace risks, including risks of physical assault, theft, poor road safety, and harsh weather conditions. Around 75% of delivery and taxi workers faced these issues in Mumbai and Lucknow. An even greater proportion of workers were exposed to these risks in Delhi-NCR (84%) and Guwahati (90%).

Despite several workplace risks, platforms remained unaccountable for their failure to guarantee safe working conditions. Across all cities, less than 10% of workers found that their platform took steps to improve working conditions. Workers’ overall experience with platform grievance redressal mechanisms was mixed. For instance, in Lucknow, only around 25% of workers who raised grievances did not receive a resolution. In contrast, 50% of taxi workers in Delhi-NCR did not receive a resolution, as was the case for 76% of taxi workers in Mumbai. Workers have limited recourse when their grievances go unanswered. Platforms, however, wield significant control over terms of work, making it difficult for workers to challenge unfair decisions.

Low coverage and accessibility of social protection mechanisms

Social security covered by platforms typically included health insurance and accident insurance. Workers faced significant gaps in insurance coverage, and these gaps were particularly glaring in the taxi services sector. Across cities, health and accident insurance coverage for taxi workers was below 10% (an exception was 11% of workers covered by accident insurance in Delhi-NCR). It is important to note that this low coverage exists despite the Motor Vehicle Aggregator Guidelines, 2020 mandating provision of health insurance and term insurance from platforms.

Delivery workers had a relatively higher percentage of insurance coverage from platforms, although coverage varied across cities. Health insurance coverage was low for delivery workers in Delhi-NCR (21%) and Guwahati (14%), but higher for workers in Lucknow (34%) and Mumbai (44%). In the case of accident insurance, insurance was covered by platforms for over 40% of delivery workers in Delhi-NCR and Lucknow, while a greater proportion of workers were covered in Mumbai (63%) and Guwahati (72%). Even though delivery workers were covered by platform-provisioned insurance, claiming benefits was an unreliable and time-consuming process. Workers who attempted to access benefits faced several obstacles, including poor awareness of available schemes, inadequate coverage, and little to no platform support in navigating complex claims procedures.

The inadequacy of platform-provisioned insurance was exacerbated by the exclusion of workers from government social protection mechanisms. In Delhi-NCR, Guwahati, and Lucknow, over 35% of workers in both sectors were left outside of social protection from governments. In Mumbai, over 66% of workers were excluded.

Contributors

Conceptualisation + planning: Aayush Rathi, Abhishek Sekharan, Ambika Tandon, Chetna V M, Chiara Furtado, and Nishkala Sekhar

Writing: Aayush Rathi, Ambika Tandon, Chetna V M, Chiara Furtado, and Nishkala Sekhar

Data analysis: Abhishek Sekharan, Chetna V M, and Nishkala Sekhar

Data visualisation: Sriharsha Devulapalli

Design + design direction: Annushka Jaliwala and Yatharth

Review: Aayush Rathi and Abhineet Nayyar

Survey design + planning: Abhishek Sekharan and Ambika Tandon

Survey implementation: Abhishek Kumar

Research advice: Nora Gobel and Uma Rani Amara

We are deeply grateful to the workers who participated in the surveys for generously sharing their time, experiences, and insights with us.

This work was supported by the Internet Society Foundation, as part of the “Labour Futures” project at the Centre for Internet and Society.

This work is shared under the Creative Commons Attribution-ShareAlike 4.0 International License (CC BY-SA 4.0)

To know more about this work, please write to us at chiara@cis-india.org

Explore more of CIS’ research on labour and digitalisation at platformwork.in

For more details visit https://cis-india.org/raw/platforming-precarity-data-narratives-workers

Legal Advocacy Manual

Radhika, Shruti Trikanad and Torsha Sarkar — 2024-07-01T08:16:07Z

The Legal Advocacy Manual summarizes the key legal and constitutional questions and jurisprudence related to laws that affect the right to freedom of expression and privacy online, including internet shutdowns, content takedown, online surveillance and device seizure.

Click to download the manual.

For more details visit https://cis-india.org/internet-governance/blog/legal-advocacy-manual

A Guide to Navigating Your Digital Rights

Anamika Kundu, Radhika, Shruti Trikanad, Torsha Sarkar — 2024-07-01T08:18:17Z

The Digital Rights Guide gives practical guidance on the laws and procedures that affect internet freedoms. It covers the following topics:

Internet Shutdowns
Content Takedown
Surveillance
Device Seizure

The Digital Rights Guide can be viewed here.

For more details visit https://cis-india.org/internet-governance/blog/digital-rights-guide-1

The Platform Economy’s Gatekeeping of Class and Caste Dominance in Urban India

Ambika Tandon and Aayush Rathi — 2024-04-19T03:11:44Z

Ambika Tandon and Aayush Rathi contributed an essay on how gated society management apps like MyGate and NoBrokerHood feed on caste and income inequalities in new datafied forms. The essay features in The Formalization of Social Precarities, an anthology edited by Murali Shanmugavelan and Aiha Nguyen and published with Data & Society.

Ashrit is an experienced platform worker. He has been a delivery worker for three years, job-hopping frequently. Ashrit has worked as a package delivery worker for three platforms: two courier services and a hyperlocal grocery delivery company, which promises compressed ten-minute deliveries over short distances. While navigating the city, he often deals with omnipresent surveillance tools deployed in apartment complexes owned by upper-class and dominant-caste homeowners. Ashrit is used to being screened at every apartment complex he enters, including having his picture taken and verifying details such as his name, mobile number, and the platform he is delivering for. The everydayness of constant identity verification means that Ashrit is not bothered much by it — he said he doesn’t mind the process so much as the delay it causes when customers forget to approve his entry.

MyGate is one such company offering “gated community management,” claiming to service over 25,000 gated societies in India. A competing application, NoBrokerHood, services over 18,000 societies. Apps of this nature have sprung up across urban India in the past five years, offering “society management” services to a niche market of gated societies. Their bouquet of services includes everything from property listings with a commission rate for the platform, security services, accounting services for maintenance and related expenses, and in-app discussion forums for residents. These apps market digital security, which allows residents to regulate entries and exits and make a database of all non-resident visitors in the society. The objective of these apps is to legitimize surveillance as a way of ensuring safety in gated societies. Through a preliminary search online, we found over 20 different companies specializing in digital solutions for gated societies. The industry even had a business exposition in Mumbai on “Housing Society Management,” focused on technology solutions for gated societies.

This study uses the framework of platform urbanism to understand surveillance platforms. Platform urbanism analyzes the growing power of digital platforms in cities. Urban geographers have argued that platforms are a symptom of current models of capitalism, which exploit “idle resources” to produce new forms of urban spaces and value where they might not have existed earlier. Airbnb and Uber are often used as examples of this new form of extraction and value creation from existing assets by monetizing empty rooms and car seats. We argue that platforms offering surveillance services are another instance of this wider landscape of platform urbanism, manufacturing the need for surveillance systems in elite urban enclaves. We use this case study to show that platforms monetize not just idle resources but social inequality and stratification to generate value and capital.

Click to download the full essay

For more details visit https://cis-india.org/raw/the-platform-economys-gatekeeping-of-class-and-caste-dominance-in-urban-india

Online Gender Based Violence on Short Form Video Platforms

Divyansha Sehgal and Lakshmi T. Nambiar — 2024-04-11T03:24:55Z

An inquiry into platform policies and safeguards. This report explores how short-form video platforms in India address online gender based violence (oGBV) by analysing their terms of service, community guidelines (CG), and reporting workflows.

Executive Summary

Being a woman or from a gender minority online is a harrowing experience. From early instances of sexual harassment in text-based internet communities in the 1990s, to apps such as Bulli Bai, and harassment in the Metaverse more recently, online gender-based violence (oGBV) is a pervasive problem, affecting 23 per cent of women globally. In India, nearly half of the women surveyed reported facing online harassment, leading to reduced online participation. Other consequences of oGBV include mental health issues, withdrawal from online spaces, and, offline violence.

In 2018, the UN Special Rapporteur on violence against women & girls, and its causes and consequences recognised online violence against women and the need to counter it, defining it as "any act of gender-based violence against women that is committed, assisted or aggravated in part or fully by the use of ICT, such as mobile phones and smartphones, the Internet, social media platforms or email, against a woman because she is a woman, or affects women disproportionately."

This report explores how short-form video platforms in India address oGBV by analysing their terms of service, community guidelines (CG), and reporting workflows. Recognising the role of intermediaries is crucial in understanding challenges and developing effective strategies to combat oGBV. We selected three Indian video-sharing platforms based on their download numbers, as well as Instagram reels (given their popularity in India).

The CG and terms of use of these platforms were measures against a typology of oGBV we put together based on a literature review.

The guidelines of the platforms included in the study demonstrated minimal recognition of the gendered effects of potential behaviours related to oGBV. None of the platforms had a separate policy or section dedicated to oGBV, and the policies were found to be ambiguous at several points, leaving them open to interpretation by moderators. Josh was particularly noted to have extremely poor coverage overall. Certain forms of oGBV, such as harassment, non-consensual information sharing, and extortion, were addressed to a slightly higher degree in the guidelines of Instagram, Moj, and Roposo. Some exemplary aspects are highlighted in our findings section. However, other forms, such as attacks on communication channels, omissions by regulatory actors, surveillance and stalking, and online domestic violence found little to no mention across policies, despite the likelihood of these issues manifesting offline as well. Further, policy provisions failed to address the needs of gender minorities. Reporting mechanisms were found to be lacking or inconsistent, and failed to consider the networked nature of harassment.

The harms of gendered violence are well-known and documented. The lack of clarity on implementation and policy is no longer an oversight but an active choice to disregard users.

Attributions

Co-authors: Divyansha Sehgal and Lakshmi T. Nambiar
Conceptualisation: Ambika Tandon, Torsha Sarkar
Review: Amrita Sengupta and Divyank Katira
Research Assistance: Cheshta Arora
Design: Anagha Musalgaonkar

The report can be downloaded here.

For more details visit https://cis-india.org/raw/online-gender-based-violence-on-short-form-video-platforms

India’s parental control directive and the need to improve stalkerware detection

divyank — 2024-04-04T14:20:41Z

We analyse a child-monitoring app being developed by the Indian government and question whether it is an effective way to enact parental controls. We highlight how such monitoring apps are often repurposed for digital stalking and play a role in intimate partner violence. We also evaluate the protection provided by antivirus tools in detecting such stalkerware apps and describe how we collected technical evidence to help improve the detection of these apps.

This post was reviewed and edited by Amrita Sengupta.

Stalkerware is a form of surveillance targeted primarily at partners, employees and children in abusive relationships. These are software tools that enable abusers to spy on a person’s mobile device, allowing them to remotely access all data on the device, including calls, messages, photos, location history, browsing history, app data, and more. Stalkerware apps run hidden in the background without the knowledge or consent of the person being surveilled.[1] Such applications are easily available online and can be installed by anyone with little technical know-how and physical access to the device.

News reports indicate that the Ministry of Electronics and Information Technology (MeitY) is supporting the development of an app called “SafeNet”[2] that allows parents to monitor activity and set content filters on children’s devices. Following a directive from the Prime Minister’s office to “incorporate parental controls in data usage” by July 2024, the Internet Service Providers Association of India (ISPAI) has suggested that the app should come preloaded on mobile phones and personal computers sold in the country. The Department of Telecom is also asking schools to raise awareness about such parental control solutions.[3][4]

The beta version of the app is available for Android devices on the Google Play Store and advertises a range of functionalities including location access, monitoring website and app usage, call and SMS logs, screen time management and content filtering. The content filtering functionality warrants a separate analysis and this post will only focus on the surveillance capabilities of this app.

Applications like Safenet, that do not attempt to hide themselves and claim to operate with the knowledge of the person being surveilled, are sometimes referred to as “watchware”.[5] However, for all practical purposes, these apps are indistinguishable from stalkerware. They possess the same surveillance capabilities and can be deployed in the exact same ways. Such apps sometimes incorporate safeguards to notify users that their device is being monitored. These include persistent notifications on the device’s status bar or a visible app icon on the device’s home screen. However, such safeguards can be circumvented with little effort. The notifications can simply be turned off on some devices and there are third-party Android tools that allow app icons and notifications to be hidden from the device user, allowing watchware to be repurposed as stalkerware and operate secretly on a device. This leaves very little room for distinction between stalkerware and watchware apps.[6] In fact, the developers of stalkerware apps often advertise their tools as watchware, instructing users to only use them for legitimate purposes.

Even in cases where stalkerware applications are used in line with their stated purpose of monitoring minors’ internet usage, the effectiveness of a surveillance-centric approach is suspect. Our previous work on children’s privacy has questioned the treatment of all minors under the age of 18 as a homogenous group, arguing for a distinction between the internet usage of a 5-year-old child and a 17-year-old teenager. We argue that educating and empowering children to identify and report online harms is more effective than attempts to surveil them.[7][8] Most smartphones already come with options to enact parental controls on screen time and application usage[9][10], and the need for third-party applications with surveillance capabilities is not justified.

Studies and news reports show the increasing role of technology in intimate partner violence (IPV).[11][12] Interviews with IPV survivors and support professionals indicate an interplay of socio-technical factors, showing that abusers leverage the intimate nature of such relationships to gain access to accounts and devices to exert control over the victim. They also indicate the prevalence of “dual-use” apps such as child-monitoring and anti-theft apps that are repurposed by abusers to track victims.[13]

There is some data available that indicates the use of stalkerware apps in India. Kaspersky anti-virus’ annual State of Stalkerware reports consistently place India among the top 4 countries with the most number of infections detected by its product, with a few thousand infections reported each year between 2020 and 2023.[14][15][16[17] TechCrunch’s Spyware Lookup Tool, which compiles information from data leaks from more than nine stalkerware apps to notify victims, also identifies India as a hotspot for infections.[18] Avast, another antivirus provider, reported a 20% rise in the use of stalkerware apps during COVID-19 lockdowns.[19] The high rates of incidence of intimate partner violence in India, with the National Family Health Survey reporting that about a third of all married women aged 18–49 years have experienced spousal violence [20], also increases the risk of digitally-mediated abuse.

Survivors of digitally-mediated abuse often require specialised support in handling such cases to avoid alerting abusers and potential escalations. As part of our ongoing work on countering digital surveillance, we conducted an analysis of seven stalkerware applications, including two that are based in India, to understand and improve how survivors and support professionals can detect their presence on devices.

In some cases, where it is safe to operate the device, antivirus solutions can be of use. Antivirus tools can often identify the presence of stalkerware and watchware on a device, categorising them as a type of malware. We measured how effective various commercial antivirus solutions are at detecting stalkerware applications. Our results, which are detailed in the Appendix, indicate a reasonably good coverage, with six out of the seven apps being flagged as malicious by various antivirus solutions. We found that Safenet, the newest app on the list, was not detected by any antivirus. We also compared the detection results with a similar study conducted in 2019 [21] and found that some newer versions of previously known apps saw lower rates of detection. This indicates that antivirus solutions need to analyse new apps and newer versions of apps more frequently to improve coverage and understand how they are able to evade detection.

In cases where the device cannot be operated safely, support workers use specialised forensic tools such as the Mobile Verification Toolkit [22] and Tinycheck [23], which can be used to analyse devices without modifying them. We conducted malware analysis on the stalkerware apps to document the traces they leave on devices and submitted them to an online repository of indicators of compromise (IOCs).[24] These indicators are incorporated in detection tools used by experts to detect stalkerware infections.

Despite efforts to support survivors and stop the spread of stalkerware applications, the use of technology in abusive relationships continues to grow.[25] Making a surveillance tool like Safenet available for free, publicising it for widespread use, and potentially preloading it on mobile devices and personal computers sold in the country, is an ill-conceived way to enact parental controls and will lead to an increase in digitally-mediated abuse. The government should immediately take this application out of the public domain and work on developing alternate child protection policies that are not rooted in distrust and surveillance.

If you are affected by stalkerware there are some resources available here:
https://stopstalkerware.org/information-for-survivors/
https://stopstalkerware.org/resources/

Appendix

Our analysis covered two apps based in India, SafeNet and OneMonitar, and five other apps, Hoverwatch, TheTruthSpy, Cerberus, mSpy and FlexiSPY. All samples were directly obtained from the developer’s websites. The details of the samples are as follows:

Name

File name

Version

Date sample was obtained

SHA-1 Hash

SafeNet

Safenet_Child.apk

0.15

16th March, 2024

d97a19dc2212112353ebd84299d49ccfe8869454

OneMonitar

ss-kids.apk

5.1.9

19th March, 2024

519e68ab75cd77ffb95d905c2fe0447af0c05bb2

Hoverwatch

setup-p9a8.apk

7.4.360

5th March, 2024

50bae562553d990ce3c364dc1ecf44b44f6af633

TheTruthSpy

TheTruthSpy.apk

23.24

5th March, 2024

8867ac8e2bce3223323f38bd889e468be7740eab

Cerberus

Cerberus_disguised.apk

3.7.9

4th March, 2024

75ff89327503374358f8ea146cfa9054db09b7cb

mSpy

bt.apk

7.6.0.1

21st March, 2024

f01f8964242f328e0bb507508015a379dba84c07

FlexiSPY

5009_5.2.2_1361.apk

5.2.2

26th March, 2024

5092ece94efdc2f76857101fe9f47ac855fb7a34

We analysed the network activity of these apps to check what web servers they send their data to. With increasing popularity of Content Delivery Networks (CDNs) and cloud infrastructure, these results may not always give us an accurate idea about where these apps originate, but can sometimes offer useful information:

Name Domain IP Address[26] Country ASN Name and Number

SafeNet safenet.family 103.10.24.124 India Amrita Vishwa Vidyapeetham, AS58703

OneMonitar onemonitar.com 3.15.113.141 United States Amazon.com, Inc., AS16509

OneMonitar api.cp.onemonitar.com 3.23.25.254 United States Amazon.com, Inc., AS16509

Hoverwatch hoverwatch.com 104.236.73.120 United States DigitalOcean, LLC, AS14061

Hoverwatch a.syncvch.com 158.69.24.236 Canada OVH SAS, AS16276

TheTruthSpy thetruthspy.com 172.67.174.162 United States Cloudflare, Inc., AS13335

TheTruthSpy protocol-a946.thetruthspy.com 176.123.5.22 Moldova ALEXHOST SRL, AS200019

Cerberus cerberusapp.com 104.26.9.137 United States Cloudflare, Inc., AS13335

mSpy mspy.com 104.22.76.136 United States Cloudflare, Inc., AS13335

mSpy mobile-gw.thd.cc 104.26.4.141 United States Cloudflare, Inc., AS13335

FlexiSPY flexispy.com 104.26.9.173 United States Cloudflare, Inc., AS13335

FlexiSPY djp.bz 119.8.35.235 Hong Kong HUAWEI CLOUDS, AS136907

To understand whether commercial antivirus solutions are able to categorise stalkerware apps as malicious, we used a tool called VirusTotal, which aggregates checks from over 70 antivirus scanners.[27] We uploaded hashes (i.e. unique signatures) of each sample to VirusTotal and recorded the total number of detections by various antivirus solutions. We compared our results to a similar study by Citizen Lab in 2019 [28] that looked at a similar set of apps to identify changes in detection rates over time.

Product

VirusTotal Detections (March 2024)

VirusTotal Detections (January 2019) (By Citizen Lab)

SafeNet [29]

0/67 (0 %)

N/A

OneMonitar [30]

17/65 (26.1%)

N/A

Hoverwatch

24/58 (41.4%)

22/59 (37.3%)

TheTruthSpy

38/66 (57.6%)

0

Cerberus

8/62 (12.9%)

6/63 (9.5%)

mSpy

8/63 (12.7%)

20/63 (31.7%)

Flexispy [31]

18/66 (27.3%)

34/63 (54.0%)

We also checked if Google’s Play Protect service [32], a malware detection tool that is built-in to Android devices using Google’s Play Store. These results were also compared with similar checks performed by Citizen Lab in 2019.

Product

Detected by Play Protect (March 2024)

Detected by Play Protect (January 2019) (By Citizen Lab)

SafeNet

no

N/A

OneMonitar

yes

N/A

Hoverwatch

yes

yes

TheTruthSpy

yes

yes

Cerberus

yes

no

mSpy

yes

yes

Flexispy

yes

yes

Endnotes

1. Definition adapted from Coalition Against Stalkerware, https://stopstalkerware.org/

2. https://web.archive.org/web/20240316060649/https://safenet.family/

3. https://www.hindustantimes.com/india-news/itministry-tests-parental-control-app-progress-to-be-reviewed-today-101710702452265.html

4. https://www.hindustantimes.com/india-news/schools-must-raise-awareness-about-parental-control-in-internet-usage-says-dot-101710840561172.html

5. https://github.com/AssoEchap/stalkerware-indicators/blob/master/README.md

6. https://cybernews.com/privacy/difference-between-parenting-apps-and-stalkerware/

7. https://timesofindia.indiatimes.com/blogs/voices/shepherding-children-in-the-digital-age/

8. https://blog.avast.com/stalkerware-and-children-avast

9. https://safety.google/families/parental-supervision/

10. https://support.apple.com/en-in/105121

11. R. Chatterjee et al., "The Spyware Used in Intimate Partner Violence," 2018 IEEE Symposium on Security and Privacy (SP), 2018, pp. 441-458.

12. https://www.computerweekly.com/news/252492575/Use-of-abusive-stalkerware-against-women-skyrocketed-in-2020

13. D. Freed et al., "Digital technologies and intimate partner violence: A qualitative analysis with multiple stakeholders", PACM: Human-Computer Interaction: Computer-Supported Cooperative Work and Social Computing (CSCW), vol. 1, no. 2, 2017.

14. https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/03/07160820/The-State-of-Stalkerware-in-2023.pdf

15. https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/03/07152747/EN_The-State-of-Stalkerware_2022.pdf

16. https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/04/12075509/EN_The-State-of-Stalkerware-2021.pdf

17. https://media.kasperskycontenthub.com/wp-content/uploads/sites/100/2020/03/25175212/EN_The-State-of-Stalkerware-2020.pdf

18. https://techcrunch.com/pages/thetruthspy-investigation/

19. https://www.thenewsminute.com/atom/avast-finds-20-rise-use-spying-and-stalkerware-apps-india-during-lockdown-129155

20. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10071919/

21. https://citizenlab.ca/docs/stalkerware-holistic.pdf

22. https://docs.mvt.re/en/latest/

23. https://tiny-check.com/

24. https://github.com/AssoEchap/stalkerware-indicators/pull/125

25. https://stopstalkerware.org/2023/05/15/report-shows-stalkerware-is-not-declining/

26. IP information provided by https://ipinfo.io/

27. https://docs.virustotal.com/docs/how-it-works

28. https://citizenlab.ca/docs/stalkerware-holistic.pdf

29. Sample was not known to VirusTotal, it was uploaded at the time of analysis

30. Sample was not known to VirusTotal, it was uploaded at the time of analysis

31. Sample was not known to VirusTotal, it was uploaded at the time of analysis

32. https://developers.google.com/android/play-protect

For more details visit https://cis-india.org/internet-governance/blog/india2019s-parental-control-directive-and-the-need-to-improve-stalkerware-detection

How the Telecom Act undermines personal liberties

Rajat Kathuria and Isha Suri — 2024-02-20T00:54:29Z

In this article, Prof. Rajat Kathuria and Isha Suri analyse whether the law has enough safeguards and an independent regulatory architecture to protect the rights of citizens. The authors posit that the current version leaves the door open for an overenthusiastic enforcement machinery to suppress fundamental rights without any meaningful checks and balances.

The Telecommunications Act cements government’s power to suspend internet services, does not establish independent oversight mechanism for interception, suspension orders. The article originally published in the Indian Express can be read here.

“Is Big Brother watching you? At the press of a button a civil servant can inspect just about every detail of your life your tax, your medical record and periods of unemployment. That civil servant could be your neighbour. There is mounting concern over this powerful weapon that the computer revolution has put in the government’s hand. But no civil servant will be allowed to examine personal files from another department, without written authority from a Minister. I shall be announcing legislation enabling citizens to take action against any civil servant who gains unauthorised access to his file.” (Yes Minister). The year is 1980, the computer revolution is just about beginning and questions of surveillance have become pertinent; safeguards in the form of separation of powers between the executive and legislative are announced by the Minister for the protection of citizens.

Although theatrical, Yes Minister can yet be invoked to characterise governments in most parliamentary democracies especially India’s.

More than four decades on, the Indian Parliament witnessed the smooth passage of several pieces of legislation, including the Telecommunications Act (TA) 2023, which justifiably seeks to bury remnants of colonial-era laws. While the modern digital age creates conditions for unprecedented surveillance reflecting the Benthamite tenet of maximum monitoring at minimum cost, the question on everyone’s minds is whether the law has enough safeguards and an independent regulatory architecture to protect the rights of citizens.

Before contemplating this weighty query, let us set the narrative in context with a quick recap of the major markers in digital governance in India that have concluded, at least for the moment, in the passing of TA 2023.

The institutional regime for telecommunications dates back to the late 1990s and was created more by accident and less by design. The Telecom Regulatory Authority of India (TRAI) became necessary because private sector investment came in when the public sector operator was both player and referee. Massive litigation followed, leading to the setting up of TRAI. Within a few years, the Telecom Dispute Settlement Appellate Tribunal (TDSAT) was carved from TRAI to fast-track excessive litigation. In between, there was the dissolution of the first TRAI, only confirming who the “boss” was.

The desire to serve in regulatory regimes has surely been tainted by the goal of securing sinecures. This is not just an Indian phenomenon. For example, the Biden administrators wish they continue in office for long. It is in the nature of such positions that many of those appointed will never again be in a position of authority. There have been few instances after its dissolution that TRAI has taken on the government. The relationship between the legislature and the executive is complex but suffice it to say that such a separation in telecom is met much more in the breach.

The regulatory regime for telecom described above notifies subordinate legislation, enforces and adjudicates disputes — it performs the role of the executive and the adjudicator. One key safeguard for the protection of ordinary citizens is, therefore, already undermined. The separation of powers remains on paper and the exercise of authority through delegated rule-making ensures the government can intervene with little resistance.

In this background, TA 2023 poses challenges. Although undoing colonial-era laws is one of the stated goals, the re-purposing of some existing provisions and ambiguous drafting does little justice to that aim. For example, the definition of telecommunication services has been left open to interpretation. Internet-based services like WhatsApp and Gmail are, therefore, likely to fall under the Act’s ambit. Provisions empowering the government to notify standards and conformity measures or ask for alternatives to end-to-end encryption such as client-side scanning could undermine privacy. Further requiring messages to be disclosed in an “intelligible format” is irreconcilable with end-to-end privacy engineering. Tinkering with end-to-end encryption for compliance could create potential points of vulnerability.

The grounds on which such information may be sought, outlined in Section 20 (2) include sovereignty and integrity of India, security of the state and public order. Prima facie these appear reasonable. However, the current phrasing leaves room for expansive interpretation by overenthusiastic enforcement machinery — it could go beyond the letter of the law to please political masters. Research conducted in 2021 by Vrinda Bhandari and others found that many orders issued under the guise of public order restrictions would not qualify as legal per se. The Act cements the government’s power to suspend internet services (Section 20(2)(b)) and does not include procedural safeguards envisaged in the Supreme Court’s Anuradha Bhasin judgment such as the proportionality test, exploration of suitable alternatives and the adoption of least intrusive measures.

The Act also does not establish an independent oversight mechanism for interception and suspension orders related to telecommunications. These rules, framed in 1996 in line with the directions of the Supreme Court in PUCL v. Union of India and requiring a committee consisting exclusively of senior government officials, reflect inadequate separation. In the UK the law mandates approval of interception warrants by judicial commissioners. Separation of powers is however not a panacea; it is just a necessary condition for the effective functioning of institutions. We must also observe the counsel of John Stuart Mill for the maintenance of institutional integrity namely, not “to lay [their] liberties at the feet of even a great man, or to trust him with powers which enable him to subvert [their] institutions” — JS Mill, quoted by BR Ambedkar on November 25 1949, requoted by sitting Chief Justice of India on Constitution Day (November 26, 2018).

Kathuria is Dean, School of Humanities and Social Sciences and Professor of Economics at the Shiv Nadar Institution of Eminence and Suri is Research Lead, CIS.

For more details visit https://cis-india.org/telecom/blog/indian-express-january-25-2024-how-the-telecom-act-undermines-personal-liberties

Comments to the Telecommunications Bill, 2023

Isha Suri, Nishant Shankar, Shweta Mohandas, and Vipul Kharbanda — 2024-01-06T01:21:55Z

The Parliament has passed the Telecommunications Bill, 2023 which seeks to replace the Indian Telegraph Act, 1885. The Centre for Internet & Society (CIS) submits its comments to the bill.

The comments were reviewed by Tanveer Hasan. Click to download the PDF

Key concerns

Definition of Telecommunication Service

The definition of the terms telecommunication (section 2(p) and telecommunication service (section 2(t)) is extremely broad and would effectively include transmission of any signal by any electromagnetic systems. This wide definition increases the scope of the Bill to include almost all kinds of means of communication used in modern times including messaging services, email, OTT services, among others. Even if one were to accept the argument that the scope of the Bill has been deliberately kept wide so that the government has the power to regulate all means of telecommunication in order to prevent mischief and illegal activities, the problem arises with the onerous language of section 3(1) which makes it compulsory to obtain an authorisation from the Central Government for any and all telecommunication services, unless specifically exempted under section 3(3).

In simpler words the Bill not only seeks to regulate all communication services, but requires government permission to provide such services in the first place. Such an approach has the very likely potential to hamper future telecom innovation especially in light of the fact that the penalty for not obtaining permission is imprisonment upto 3 years as well as fine of upto Rs. 2 crores.

Such a wide definition leads to ambiguity and lack of regulatory certainty to businesses as well as users participating in the ecosystem. This proposal triggers immediate concerns, particularly a confusing definition of telecommunication services which may also incorporate the provision of a broad range of digital and online services. Such a wide definition could lead to confusion and arbitrary implementation on one hand, and if made applicable to the content layer of the internet architecture stifle innovation in the digital ecosystem due to onerous licensing/registration requirements on the other hand. It is also pertinent to note that some of the internet-based services listed in the definition in 2(21) are already regulated under the Information Technology (IT) Act 2000. For example, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 regulates intermediaries, including the significant social media intermediaries (SSMI) such as Facebook and Twitter. Putting an additional regulatory burden on these service layer companies will hamper innovation and competitiveness of the sector and also amount to regulatory overreach.

Power of authorisation and assignment

Section 3 (7) - Any authorised entity which provides such telecommunication services as may be notified by the Central Government, shall identify the person to whom it provides telecommunication services through use of any verifiable biometric based identification as may be prescribed.

All services do not require a biometric based identification of the person. While there is a legitimate need to verify a person in the case of financial transactions, however a similar level of scrutiny is not warranted for applications that a person might use once, or applications that do not pose a threat. For example the need to verify a person through Know Your Customer (KYC) or otherwise for an application to order food, or an application which is meant for communication can be excessive regulation. In addition to the enhanced burden of collecting and storing this data that will come on the telecommunication service, there will also be the added requirement to maintain strict data protection and security measures under the Digital Personal Data Protection Act 2023. Furthermore, as has been seen in multiple instances of data breaches and cyber security attacks such as the one at AIIMS^{^[1]}, Justpay^{^[2]} demonstrate that both public and private organisations can be affected by cyber attacks. It is therefore advisable to reduce the number of entities that store and collect sensitive personal data such as biometric information in the interest of privacy as well as national security.

The Supreme Court while looking at the constitutionality of the Aadhaar Act upheld the need for banking and financial institutions to require an individual’s Aadhaar number stating the legitimate aim of preventing money laundering; however, the Court struck down the provision that required any private entity to collect Aadhaar details. Justice Bhushan held that the collection by private entities violated the right to privacy, by failing the first prong of the test laid down in Puttaswamy judgement, the test of legality.^{^[3]}

More importantly, through the requirement of ‘verifiable biometric based identification’, the Bill is likely to nudge telecom service providers to incorporate Aadhar Based identification, even though the Indian Supreme Court in 2018 held that the mandatory linking of mobile connections with biometric identification is unlawful.

Standards, Public Safety, National Security and Protection of Telecommunication Networks

Power to notify standards

Section 19 (f) The power to notify standards and conformity measures on encryption is a sweeping power that allows the central government to potentially request for backdoors on encryption, or ask for alternatives to end to end encryption such as client side scanning, which have been critiqued^{^[4]} as measures that undermine privacy for all users. If the objective is to provide recommendations for certain encryption techniques when dealing with sensitive government data, a more specific compliance certification can be issued to such firms. For example, the United States government mandates certain government agencies to comply with the Federal Information Processing Standards (FIPS)^{^[5]} which also apply to non-government firms holding government contracts. Standards like FIPS recommend specific cryptographic modules to ensure secure communication of sensitive data. Such conditions and cases must be explicitly scoped in defining the standard setting powers of government with regard to encryption, in consultation with the industry and civil society organisations.

Provisions for public emergency or public safety

Section 20(2) (a) - Messaging apps such as WhatsApp and Signal enable end to end encryption, where messages are encrypted on endpoints such as user devices. Service providers and intermediaries cannot decrypt messages. Requiring messages to be amenable to disclosure in an 'intelligible format' is technically impossible within the end to end paradigm of privacy engineering^{^[6]}. Technical means of disclosing the contents of messages can either reside on a user’s device, in a middle-box that mediates communication, or on servers where some computation can occur. Restructuring end-to-end encrypted communication networks to facilitate these technical means of disclosure would result in the creation of potential points of vulnerability and encryption backdoors. These vulnerabilities can be exploited by malicious actors and backdoors act as ‘intentional vulnerabilities’^{^[7]} that can be used for excessive surveillance of communication that users believe to be private.

Section 20 (2) states the grounds for which such information may be sought. These include sovereignty and integrity of India, defence and security of the State, friendly relations with foreign States, and public order. Prima facie, these may appear to be reasonable grounds for facilitating government access, however, the current phrasing is too wide and leaves room for an expansive interpretation. This is particularly true for maintenance of “public order” that is routinely invoked in a variety of situations.^{^[8]} According to research conducted in 2021 by Vrinda Bhandari and others on the “Use and Misuse of Section 144 found orders issued under the guise of public order restrictions to regulate a variety of activities, many of which would not qualify as illegal activities per se. For instance, orders were issued to prohibit flying of hot air balloons, unmanned aerial vehicles, unmanned aircraft systems, use of “special” or “metallic” manjhas to fly kites and carrying tiffin boxes inside cinemas.^{^[9]} And tracing encrypted messages to thwart such perceived public order threats would be excessive and disproportionate. The order to intercept, detain, disclose or suspend a communication made between private individuals, acts as a violation of privacy and provides extensive grounds to surveil people.^{^[10]}

These grounds may be used to intercept or monitor all communication where a particular word or set of words is used. And its implementation would require communication of all users to be monitored effectively leading to a lower degree of privacy for all users^{^[11]} - including internet communication based apps due to definitional ambiguity. The Supreme Court has held that any infringement of the right to privacy should be proportionate to the need for such interference.^{^[12]} The judgement in the Puttaswamy case provides some guidance to assess the limits and scope of the constitutional right to privacy in the form of the three prong test. The test requires the existence of a law, a legitimate state interest and the restriction (to privacy) should be ‘proportionate'. This provision violates a user’s fundamental right to privacy since it fails to meet the proportionality requirement as laid down by the Supreme Court.

Section 20 (2) (b) provides for suspension of telecommunication service or class of services on similar grounds. The Bill empowers the DoT to suspend telecommunication services and if applicable to internet based communication services such as WhatsApp, Signal, among others without the need for any judicial oversight or procedural safeguards as enunciated by the Supreme Court in Anuradha Bhasin vs Union Of India. The provision must incorporate an independent oversight mechanism for such orders and also incorporate safeguards laid down by the Supreme Court in the Anuradha Bhasin judgement^{^[13]} to prevent arbitrary, frequent, and prolonged suspension of telecommunication services in India.

Protection of users

Measures for protection of users

Section 28 - This section should also provide mechanisms for de-registering from “specific messages” . While this section mentions the need for prior consent of users for receiving the specified messages/ class of specified messages, it should look at the full spectrum of rights the Digital Personal Data Protection Act 2023 provides, which includes the right to withdraw consent. Hence we suggest that Section 28(3) adds that the authorised entity providing telecommunication services shall establish an online mechanism for withdrawal of consent, in addition to grievance redressal.

Duty of users

Section 29 - While listing out the duties of the users the Act puts the onus on the user to furnish correct information. It fails to take into account instances where the information is fed into the system by third parties, due to issues of access and literacy on the part of the users. While the section heading states “duty of the user” the preceding text “no user shall” has the potential to penalise users for acts carried out without a malicious intent. Additionally, there is also a need to look at how notices and terms and conditions of most telecommunication services are primarily in English, making it even more difficult for a large number of Indian users to read and hence understand the requirements. Furthermore, the associated penalty for failing to comply with these provisions are, i.e. up to INR 25,000 for the first offence and for the second or subsequent offences, up to INR 50,000 for every day till the contravention continues. Considering the low digital literacy rates, the government would be well advised to reconsider imposition of such hefty fines.

If applicable on internet based services, this will also impact the ability of a user to retain anonymity over the internet. Individuals may choose to remain anonymous online for a number of reasons. It is important to understand that an individual may remain anonymous for a variety of legitimate purposes such as expressing opinions about their employers and whistleblowers, providing anonymous tips to newspapers or law enforcement, expressing political opinions and criticism that may be subject to persecution, or simply someone saying something that they may be embarrassed about. ^{^[14]} In India, in particular, an individual’s caste can be identified from their name, and they may choose to remain anonymous or adopt a pseudonym to escape centuries of stigma and discrimination that their communities have faced. The broad definition of telecommunication services as elaborated above places restrictions on anonymity online and severely degrades an individual’s ability to exercise their fundamental right to freedom of expression.

^{^[1]}Business Today Desk, “Cyber attack at AIIMS Delhi: Hackers demand Rs 200 cr in crypto, says report” Business Today, 22 November 2022, https://www.businesstoday.in/latest/in-focus/story/cyber-attack-at-aiims-delhi-hackers-demand-rs-200-cr-in-crypto-says-report-354475-2022-11-28.

^{^[2]}Ashwin Manikandan, Anandi Chandrashekhar, “Juspay Data Leak fallout: RBI swings into action to curb cyberattacks”, The Economic Times, 6 January 2021, https://economictimes.indiatimes.com/tech/technology/juspay-data-leak-fallout-rbi-swings-into-action-to-curb-cyberattacks/articleshow/80125430.cms

^{^[3]} “Judgement in Plain English Constitutionality of Aadhaar Act”, “Supreme Court Observer, accessed 22 December 2023,https://www.scobserver.in/reports/constitutionality-of-aadhaar-justice-k-s-puttaswamy-union-of-india-judgment-in-plain-english/

^{^[4]} “Why Adding Client-Side Scanning Breaks End-To-End Encryption”, The Electronic Freedom Foundation, accessed 22 December 2023, https://www.eff.org/deeplinks/2019/11/why-adding-client-side-scanning-breaks-end-end-encryption.

^{^[5]} “Compliance FAQs: Federal Information Processing Standards (FIPS)”, NIST, accessed December 22 2023. https://www.nist.gov/standardsgov/compliance-faqs-federal-information-processing-standards-fips

^{^[6]} “Personal Data in the Cloud Is Under Siege. End-to-End Encryption Is Our Most Powerful Defense.”, Lawfare, accessed 22 December 2023, https://www.lawfaremedia.org/article/personal-data-in-the-cloud-is-under-siege.-end-to-end-encryption-is-our-most-powerful-defense

^{^[7]} “Breaking Encryption Myths”, Global Encryption Coalition, accessed 22 December 2023, https://www.globalencryption.org/2020/11/breaking-encryption-myths/

^{^[8]} Smriti Parsheera “Political misinformation is a problem. But asking WhatsApp to risk user privacy is the wrong solution”, The Indian Express, October 28 202 https://indianexpress.com/article/opinion/editorials/remedy-worse-than-malaise-9002600/.

^{^[9]} Vrinda Bhandari, et al, The Use and Misuse of Section 144 Cr.P.C, https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID4404496_code2801004.pdf?abstractid=4389147&mirid=1&type=2

^{^[10]}CIS’ Comments to the (Draft) Indian Telecommunication Bill 2022 “Centre for Internet and Society, accessed 22 December 2023 https://cis-india.org/telecom/blog/cis-comments-to-draft-indian-telecom-bill-2022#:~:text=Comment%3A%20The%20draft%20bill%20attempts,power%20over%20the%20local%20government.

^{^[11]} The Telecommunications Bill, 2023, PRS Legislative Research, accessed 22 December 2023, https://prsindia.org/billtrack/the-telecommunication-bill-2023

^{^[12]} Justice K.S. Puttaswamy (Retd) vs Union of India, W.P.(Civil) No 494 of 2012, Supreme Court of India, September 26, 2018.

^{^[13]} Writ Petition (Civil) NO. 1031 OF 2019, accessed 22 Decmber 2023, https://main.sci.gov.in/supremecourt/2019/28817/28817_2019_2_1501_19350_Judgement_10-Jan-2020.pdf.

^{^[14]}Palme, Jacob, and Mikael Berglund. "Anonymity on the Internet." Accessed 22 December 2023: 2009.

For more details visit https://cis-india.org/telecom/blog/cis-comments-to-the-telecommunications-bill-2023

Health Data Management Policies - Differences Between the EU and India

shweta — 2023-07-10T16:36:25Z

Through this issue brief we would like to highlight the differences in approaches to health data management taken by the EU and India, and look at possible recommendations for India, in creating a privacy preserving health data management policy.

This issue brief was reviewed and edited by Pallavi Bedi

Introduction

Health data has seen an increased interest the world over, on account of the amount of information and inferences that can be drawn not just about a person but also about the population in general. The Covid 19 pandemic also brought about an increased focus on health data, and brought players that earlier did not collect health data to be required to collect such data, including offices and public spaces. This increased interest has led to further thought on how health data is regulated and a greater understanding of the sensitivity of such data, because of which countries are in varying processes to get health data regulated over and above the existing data protection regulations. The regulations not only look at ensuring the privacy of the individual but also look at ways in which this data can be shared with companies, researchers and public bodies to foster innovation and to monetise this valuable data. However for a number of countries the effort is still on the digitisation of health data. India has been in the process of implementing a nationwide health ID that can be used by a person to get all their medical records in one place. The National Health Authority (NHA) has also since 2017 been publishing policies that look at the framework and ecosystem of health data, as well as the management and sharing of health data. However these policies and a scattered implementation of the health ID are being carried out without a data protection legislation in place. In comparison, Europe, which already has an established health Id system, and a data protection legislation (GDPR) is looking at the next stage of health data management through the EU Health Data Space (EUHDS). Through this issue brief we would like to highlight the differences in approaches to health data management taken by the EU and India, and look at possible recommendations for India, in creating a privacy preserving health data management policy.

Background

EU Health Data Space

The EU Health Data Space (EUHDS) was proposed by the EU Council as a way to create an ecosystem which combines rules, standards, practices and infrastructure, around health data under a common governance framework. The EUHDS is set to rely on two pillars; namelyMyHealth@EU and HealthData@EU, where MyHealth@EU facilitates easy flow of health data between patients and healthcare professionals within member states, the HealthData@EU,faciliates secondary use of data which allows policy makers,researchers access to health data to foster research and innovation.^{^[1]} The EUHDS aims to provide a trustworthy system to access and process health data and builds up from the General Data Protection Regulation (GDPR), proposed Data Governance Act.^{^[2]}

India’s health data policies:

The last few years has seen a flurry of health policies and documents being published and the creation of a framework for the evolution of a National Digital Health Ecosystem (NDHE). The components for this ecosystem were the National Digital Health Blueprint published in 2019 (NDHB) and the National Digital Health Mission (NDHM). The BluePrint was created to implement the National Health Stack (published in 2018) which facilitated the creation of Health IDs.^{^[3]} Whereas the NDHM was drafted to drive the implementation of the Blueprint, and promote and facilitate the evolution of NDHE.^{^[4]}

The National Health Authority (NHA) established in 2018 has been given the responsibility of implementing the National Digital Health Mission. 2018 also saw the Digital Information Security in Healthcare Act (DISHA) which was to be a legislation that laid down provisions that regulate the generation, collection, access, storage, transmission and use of Digital Health Data ("DHD") and associated personal data.^{^[5]} However since its call for public consultation no progress has been made on this front.

Along with these three strategy documents the NHA has also released policy documents more particularly the Health Data Management Policy (which was revised three times; the latest version released in April 2022), the Health Data Retention Policy (released April 2021), and the Consultation Paper on Unified Health Interface (UHI) (released March 2021). Along with this in 2022 the NHA released the NHA Data Sharing Guidelines for the Pradhan Mantri Jan Aarogya Yojana (PM-JAY) India’s state health insurance policy.

However these draft guidelines repeat the pattern of earlier policies on health data, wherein there is no reference to the policies that predated it; the PM-JAY’s Data Sharing Guidelines published in August 2022 did not even refer to the draft National Digital Health Data Management Policy (published in April 2022). As stated through the examples above these documents do not cross-refer or mention preceding health data documents, creating a lack of clarity of which documents are being used as guidelines by health care providers.

In addition to this the Personal Data Protection Bill has been revised three times since its release in 2018. The latest version was published for public comments on November 18, 2022; the Bill has removed the distinction between sensitive personal data and personal data and clubbed all personal data under one umbrella heading of personal data. Health and health data definition has also been deleted; creating further uncertainty with respect to health data as the different policies mentioned above rely on the data protection legislation to define health data.

Comparison of the Health Data Management Approaches
Interoperability with Data Protection Legislations

At the outset the key difference between the EU and India’s health data management policies has been the legal backing of GDPR which the EUHDS has. EUHDS has a strong base in terms of rules for privacy and data protection as it follows, draws inference and works in tandem with the General Data Protection Regulation (GDPR). The provisions also build upon legislation such as Medical Devices Regulation and the In Vitro Diagnostics Regulation. With particular respect to GDPR the EUHDS draws from the rights set out for protection of personal data including that of electronic health data.

The Indian Health data policies however currently exist in the vacuum created by the multiple versions of the Data Protection Bill that are published and repealed or replaced. The current version called the Digital Personal Data Protection Bill 2022 seems to take a step backward in terms of health data. The current version does away with sensitive personal data (which health data was a part of) and keeps only one category of data - personal data. It can be construed that the Bill currently considers all personal data as needing the same level of protection but it is not so in practice. The Bill does not at the moment mandate more responsibilities on data fiduciaries^{^[6]} that deal with health data (something that was present in all the earlier versions of the Bill) and in other data protection legislation across different jurisdictions and leaves the creation of Significant Data Fiduciaries (who have more responsibilities) to be created by rules, based on the sensitivity of data decided by the government at a later date.^{^[7]} In addition to this the Bill does not define “health data”, the reason why this is a cause for worry is that the existing health data policies also do not define health data often relying on the definition mentioned in the versions of Data Protection Bill.

Definitions and Scope

The EUHDS defines ‘personal electronic health data’ as data concerning health and genetic data as defined in Regulation (EU) 2016/679^{^[8]}, as well as data referring to determinants of health, or data processed in relation to the provision of healthcare services, processed in an electronic form. Health data by these parameters would then include not just data about the status of health of a person which includes reports and diagnosis, but also data from medical devices.

In India the Health Data Management Policy 2022, defines “Personal Health Records” (PHR) as a health record that is initiated and maintained by an individual. The policy also states that a PHR would be able to reveal a complete and accurate summary of the health and medical history of an individual by gathering data from multiple sources and making this accessible online. However there is no definition of health data which can be used by companies or users to know what comes under health data. The 2018, 2019 and 2021 version of the Data Protection Legislation had definitions of the term health data, however the 2022 version of the Bill does away with the definition.

Health data and wearable devices

One of the forward looking provisions in the EUHDS is the inclusion of devices that records health data into this legislation. This also includes the requirement of them to be added to registries to provide easy access and scrutiny. The document also requires voluntary labeling of wellness applications and registration of EHR systems and wellness applications. This is not just for the regulation point of view but also in the case of data portability, in order for people to control the data they share. In addition to this in the case where manufacturers of medical devices and high-risk AI systems declare interoperability with the EHR systems, they will need to comply with the essential requirements on interoperability under the EHDS.

In India the health data management policy 2022 while stating the applicable entities and individuals who are part of the ABDM ecosystem^{^[9]} mention medical device manufacturers, does not mention device sellers or use terms such as wellness applications or wearable devices. Currently the regulation of medical devices falls under the purview of the Drugs and Cosmetics Act, 1940 (DCA) read along with the Medical Device Rules, 2017 (MDR). However in 2020 possibly due to the pandemic the Indian Government along with the Drugs Technical Advisory Board (DTAB) issued two notifications the first one expanded the scope of medical devices which earlier was limited to only 37 categories excluding medical apps, and second one notified the Medical Device (Amendment) Rules, 2020. These two changes together brought all medical devices under the DCA as well as expanded the categories of medical devices. However it is still unclear whether fitness tracker apps that come with devices are regulated, as the rules and the DCA still rely on the manufacturer to self-identify as a medical device.^{^[10]} However, this regulatory uncertainty has not brought about any change in how this data is being used and insurance companies at times encourage people to sync their fitness tracker data.^{^[11]}

Multiple use of health data

The EUHDS states two types of uses of data: primary and secondary use of data. In the document the EU states that while there are a number of organisations collecting data, this data is not made available for purposes other than for which it was collected. In order to ensure that researchers, innovators and policy makers can use this data. the EU encourages the data holders to contribute to this effort in making different categories of electronic health data they are holding available for secondary use. The data that can be used for secondary use would also include user generated data such as from devices, applications or other wearables and digital health applications.However, the regulation cautions against using this data for measures and making decisions that are detrimental to the individual, in ways such as increasing insurance premiums. The EUHDS also states that as the data is sensitive personal data care should be taken by the data access bodies, to ensure that while data is being shared it is necessary to ensure that the data will be processed in a privacy preserving manner. This could include through pseudonymisation, anonymisation, generalisation, suppression and randomisation of personal data.

While the document states how important it is to have secondary use of the data for public health, research and innovation it also requires that the data is not provided without adequate checks. The EUHDS requires the organisation seeking access to provide several pieces of information and be evaluated by the data access body. The information should include legitimate interest, the necessity and the process the data will go through. In the case where the organisation is seeking pseudonymised data, there is a need to explain why anonymous data would not be sufficient. In order to ensure a comprehensive approach between health data access bodies, the EUHDS states that the European Commission should support the harmonisation of data application, as well as data request.

In India, while multiple health data documents state the need to share data for public interest, research and innovation, not much thought has been given to ensuring that the data is not misused and that there is harmonisation between bodies that provide the data. Most recently the PMJay documents states that the NHA shall make aggregated and anonymised data available through a public dashboard for the purpose of facilitating health and clinical research, academic research, archiving, statistical analysis, policy formulation, the development and promotion of diagnostic solutions and such other purposes as may be specified by the NHA. Such data can be accessed through a request to the Data Sharing Committee^{^[12]} for the sharing of such information through secure modes, including clean rooms and other such secure modes specified by NHA. However the document does not mention what clean rooms are in this context.

The Health Data Management Policy 2022 states that Data fiduciaries (data controllers/ processors according to the data protection legislation) can themselves make anonymised or de-identified data in an aggregated form available based in technical processes and anonymisation protocols which may be specified by the NDHM in consultation with the MeitY. The purposes mentioned in this policy included health and clinical research, academic research, archiving, statistical analysis, policy formulation, the development and promotion of diagnostic solutions and such other purposes as may be specified by the NDHMP. The policy states that in order to access the anonymised or de-identified data the entity requesting the data would have to provide relevant information such as name, purpose of use and nodal person of contact details. While the policy does not go into details about the scrutiny of the organisations seeking this data, it does state that the data will be provided based on the term as may be stipulated.

However the issue arises as both the documents published by the NHA do not have a similar process for getting the data, for example the NDHMP requires the data fiduciary to share the data directly, while the PMJay guidelines requires the data to be shared by the Data Sharing Committee, creating duplicate datasets as well as affecting the quality of the data being shared.

Recommendations for India
Need for a data protection legislation:

While the EUHDS is still a draft document and the end result could be different based on the consultations and deliberations, the document has a strong base with respect to the privacy and data protection based on the earlier regulations and the GDPR. The definitions of what counts as health data, and the parameters for managing the data creates a more streamlined process for all stakeholders. More importantly the GDPR and other regulations provide a way of recourse for people. In India the health data related policies and strategy documents have been published and enforced before the data protection legislation is passed. In addition to this India, unlike the EU has just begun looking at a universal health ID and digitisation of the healthcare system, ideally it would be better to take each step at a time, and at first look at the issues that may arise due to the universal health ID. In addition to this, multiple policies, without a strong data protection legislation providing parameters and definitions could mean that the health data management policies only benefit certain people. This also creates uncertainty in terms of where an individual will go in case of harms caused by the processing of their data, and who would be the authority to govern questions around health data. The division of health data management between different documents also creates multiple silos of data management which creates data duplication and issues with data quality.

Secondary use of data

While both the EUHDS and India's Health Data Management Policy look at the sharing of health data with researchers and private organisations in order to foster innovation, the division of sharing of data based on who uses the data is a good way to ensure that only interested parties have access to the data. With respect to the health data policies in India, a number of policies talk about the sharing of anonymised data with researchers, however the documents being scattered could cause the same data to be shared by multiple health data entities, making it possible to identify people. For example, the health data management policy could share anonymised data of health services used by a person, whereas the PMJAY policy could share data about insurance covers, and the researcher could probably match the data and be closer to identifying people. It has also been revealed in multiple studies that anonymisation of data is not permanent and that the anonymisation can be broken. This is more concerning since the polices do not put limits or checks on who the researchers are and what is the end goal of the data sought by them, the policies seem to rely on the anonymisation of the data as the only check for privacy. This data could be used to de-anonymise people, could be used by companies working with the researchers to get large amounts of data to train their systems,

train data that could lead to greater surveillance, increase insurance scrutiny etc. The NHA and Indian health policy makers could look at the restrictions and checks that the EUHDS creates for the secondary use of data and create systems of checks and categories of researchers and organisations seeking data to ensure minimal risks to an individual’s data.

Conclusion

While the EU Health data space has been criticised for facilitating vast amounts of data with private companies and the collecting of data by governments, the codification of the legislation does in some way give some way to regulate the flow of health data. While India does not have to emulate the EU and have a similar document, it could look at the best practices and issues that are being highlighted with the EUHDS. Indian lawmakers have looked at the GDPR for guidance for the draft data protection legislation, similarly it could do so with regard to health data and health data management. One possible way to ensure both the free flow of health data and the safeguards of a regulation could be to re-introduce the DISHA Act which much like the EUHDS could act as a legislation which provides an anchor to the multiple health data policies, including standard definition of health data, grievance redressal bodies, and adjudicating authorities and their functions. In addition a legislation dedicated to the health data would also remove the existing burden on the to be formed data protection authority.

^{^[1]} “European Health Data Space”, European Commission, 03 May 2022,https://health.ec.europa.eu/ehealth-digital-health-and-care/european-health-data-space_en

^{^[2]}“European Health Data Space”

^{^[3]} “National Digital Health Blueprint”, Ministry of Health and Family Welfare Government of India, https://abdm.gov.in:8081/uploads/ndhb_1_56ec695bc8.pdf

^{^[4]} “National Digital Health Blueprint”

^{^[5]} “Mondaq” “DISHA – India's Probable Response To The Law On Protection Of Digital Health Data” accessed 13 June 2023,https://www.mondaq.com/india/healthcare/1059266/disha-india39s-probable-response-to-the-law-on-protection-of-digital-health-data

^{^[6]}“The Digital Personal Data Protection Bill 2022”, accessed 13 June 2023 , https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Potection%20Bill%2C%202022_0.pdf

^{^[7]}The Digital Personal Data Protection Bill 2022

^{^[8]} Regulation (EU) 2016/679 defines health data as “Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council (1) to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

^{^[9]} For creating an integrated, uniform and interoperable ecosystem in a patient or individual centric manner, all the government healthcare facilities and programs, in a gradual/phased manner, should start assigning the same number for providing any benefit to individuals.

^{^[10]} For example a manufacturer of a fitness tracker which is capable of monitoring heart rate could state that the intended purpose of the device was fitness or wellness as opposed to early detection of heart disease thereby not falling under the purview of the regulation.

^{^[11]}“Healthcare Executive” “GOQii Launches GOQii Smart Vital 2.0, an ECG-Enabled Smart Watch with Integrated Outcome based Health Insurance & Life Insurance, accessed 13 June 2023
https://www.healthcareexecutive.in/blog/ecg-enabled-smart-watch

^{^[12]} The guidelines only state that the Committee will be responsible for ensuring the compliance of the guidelines in relation to the personal data under its control. And does not go into details of defining the Committee.

For more details visit https://cis-india.org/internet-governance/blog/health-data-management-policies

The Centre for Internet and Society’s comments and recommendations to the: The Digital Data Protection Bill 2022

Shweta Mohandas and Pallavi Bedi — 2023-01-20T02:35:30Z

The Centre for Internet & Society (CIS) published its comments and recommendations to the Digital Personal Data Protection Bill, 2022, on December 17, 2022.

High Level Comments

1. Rationale for removing the distinction between personal data and sensitive personal data is unclear.

All the earlier iterations of the Bill as well as the rules made under Section 43A of the Information Technology Act, 2000^{^[1]} had classified data into two categories; (i) personal data; and (ii) sensitive personal data. The 2022 version of the Bill has removed this distinction and clubbed all personal data under one umbrella heading of personal data. The rationale for this is unclear, as sensitive personal data means such data which could reveal or be related to eminently private data such as financial data, health data, sexual orientations and biometric data. Considering the sensitive nature of the data, the data classified as sensitive personal data is accorded higher protection and safeguards from processing, therefore by clubbing all data as personal data, the higher protection such as the need for explicit consent to the processing of sensitive personal data, the bar on processing of sensitive personal data for employment purposes has also been removed.

2. No clear roadmap for the implementation of the Bill

The 2018 Bill had specified a roadmap for the different provisions of the Bill to come into effect from the date of the Act being notified.^{^[2]} It specifically stated the time period within which the Authority had to be established and the subsequent rules and regulations notified.

The present Bill does not specify any such blueprint; it does not provide any details on either when the Bill will be notified or the time period within which the Board shall be established and specific Rules and regulations notified. Considering that certain provisions have been deferred to Rules that have to be framed by the Central government, the absence and/or delayed notification of such rules and regulations will impact the effective functioning of the Bill. Provisions such as Section 10(1) which deals with verifiable parental consent for data of children, Section 13 (1) which states the manner in which a Data Principal can initiate a right to correction, the process of selection and functioning of consent manager under 3(7) are few such examples, that when the Act becomes applicable, the data principal will have to wait for the Rules to Act of these provisions, or to get clarity on entities created by the Act.

The absence of any sunrise or sunset provision may disincentivise political or industrial will to support or enforce the provisions of the Bill. An example of such a lack of political will was the establishment of the Cyber Appellate Tribunal. The tribunal was established in 2006 to redress cyber fraud. However, it was virtually a defunct body from 2011 onwards when the last chairperson retired. It was eventually merged with the Telecom Dispute Settlement and Appellate Tribunal in 2017.

We recommend that Bill clearly lays out a time period for the implementation of the different provisions of the Bill, especially a time frame for the establishment of the Board. This is important to give full and effective effect to the right of privacy of the individual. It is also important to ensure that individuals have an effective mechanism to enforce the right and seek recourse in case of any breach of obligations by the data fiduciaries.

The Board must ensure that Data Principals and Fiduciaries have sufficient awareness of the provisions of this Bill before bringing the provisions for punishment into force. This will allow the Data Fiduciaries to align their practices with the provisions of this new legislation and the Board will also have time to define and determine certain provisions that the Bill has left the Board to define. Additionally enforcing penalties for offenses initially must be in a staggered process, combined with provisions such as warnings, in order to allow first time and mistaken offenders which now could include data principals as well, from paying a high price. This will relieve the fear of smaller companies and startups and individuals who might fear processing data for the fear of paying penalties for offenses.

3. Independence of Data Protection Board of India.

The Bill proposes the creation of the Data Protection Board of India (Board) in place of the Data Protection Authority. In comparison with the powers of the Board with the 2018 and 2019 version of Personal Data Protection Bill, we witness an abrogation of powers of the Board to be created, in this Bill. Under Clause 19(2), the strength and composition of the Board, the process of selection, the terms and conditions of appointment and service, and the removal of its Chairperson and other Members shall be such as may be prescribed by the Union Government at a later stage. Further as per Clause 19(3), the Chief Executive of the Board will be appointed by the Union Government and the terms and conditions of her service will also be determined by the Union Government. The functions of the Board have also not been specified under the Bill, the Central Government may assign the functions to be performed by the Board.

In order to govern data protection effectively, there is a need for a responsive market regulator with a strong mandate, ability to act swiftly, and resources. The political nature of personal data also requires that the governance of data, particularly the rule-making and adjudicatory functions performed by the Board are independent of the Executive.

Chapter Wise Comments and Recommendations

CHAPTER I- PRELIMINARY

● Definition: While the Bill has added a few new definitions to the Bill including terms such as gains, loss, consent manager etc. there are a few key definitions that have been removed from the earlier versions of the Bill. The removal of certain definitions in the Bill, eg. sensitive personal data, health data, biometric data, transgender status, creating a legal uncertainty about the application of the Bill.

With respect to the existing definitions as well the definition of the term ‘harm’ has been significantly reduced to remove harms such as surveillance from the ambit of harms. In addition, with respect of the definition of the term of harms also, the 2019 version of the Bill under Clause 2 (20) the definition provides a non exhaustive list of harms, by using the phrase “harms include”, however in the new definition the phrase has been altered to “harm”, in relation to a Data Principal, means”, thereby removing the possibility of more harms that are not apparent currently from being within the purview of the Act. We recommend that the definition of harms be made into a non-exhaustive list.

CHAPTER II - OBLIGATIONS OF DATA FIDUCIARY

Notice: The revised Clause on notice does away with the comprehensive requirements which were laid out under Clause 7 of the PDP Bill 2019. The current clause does not mention in detail what the notice should contain, while stating that that the notice should be itemised. While it can be reasoned that the Data Fiduciary can find the contents of the notice throughout the bill, such as with the rights of the Data Principal, the removal of a detailed list could create uncertainty for Data Fiduciaries. By leaving the finer details of what a notice should contain, it could cause Data Fiduciaries from missing out key information from the list, which in turn provide incomplete information to the Data Principal. Even in terms of Data Fiduciaries they might not know if they are complying with the provisions of the bill, and could result in them invariably being penalised. In addition to this by requiring less work by the Data Fiduciary and processor, the burden falls on the Data Principal to make sure they know how their data is processed and collected. The purpose of this legislation is to create further rights for individuals and consumers, hence the Bill should strive to put the individual at the forefront.

In addition to this Clause 6(3) of the Bill states “The Data Fiduciary shall give the Data Principal the option to access the information referred to in sub-sections (1) and (2) in English or any language specified in the Eighth Schedule to the Constitution of India.” While the inclusion of regional language notices is a welcome step, we suggest that the text be revised as follows “The Data Fiduciary shall give the Data Principal the option to access the information referred to in sub-sections (1) and (2) in English and in any language specified in the Eighth Schedule to the Constitution of India.” While the main crux of notice is to let the person know before giving consent, notice in a language that a person cannot read would not lead to meaningful consent.

Consent

Clause 3 of the Bill states “request for consent would have the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act.” Ideally this provision should be a part of the notice and should be mentioned in the above section. This is similar to Clause 7(1)(c) of the draft Personal Data Protetion Bill 2019 which requires the notice to state “the identity and contact details of the data fiduciary and the contact details of the data protection officer, if applicable;”.

Deemed Consent

The Bill introduces a new type of consent that was absent in the earlier versions of the Bill. We are of the understanding that deemed consent is used to redefine non consensual processing of personal data. The use of the term deemed consent and the provisions under the section while more concise than the earlier versions could create more confusion for Data Principals and Fiduciaries alike. The definition and the examples do not shed light on one of the key issues with voluntary consent - the absence of notice. In addition to this the Bill is also silent on whether deemed consent can be withdrawn or if the data principal has the same rights as those that come from processing of data they have consented to.

Personal Data Protection of Children

The age to determine whether a person has the ability to legally consent in the online world has been intertwined with the age of consent under the Indian Contract Act; i.e. 18 years. The Bill makes no distinction between a 5 year old and a 17 year old- both are treated in the same manner. It assumes the same level of maturity for all persons under the age of 18. It is pertinent to note that the law in the offline world does recognise that distinction and also acknowledges the changes in the level of maturity. As per Section 82 of the Indian Penal Code read with Section 83, any act by a child under the age of 12 shall not be considered as an offence. While the maturity of those aged between 12–18 years will be decided by court (individuals between the age of 16–18 years can also be tried as adults for heinous crimes). Similarly, child labour laws in the country allow children above the age of 14 years to work in non-hazardous industry

There is a need to evaluate and rethink the idea that children are passive consumers of the internet and hence the consent of the parent is enough. Additionally, the bracketing of all individuals under the age of 18 as children fails to look at how teenages and young people use the internet. This is more important looking at the 2019 data which suggests that two-thirds of India’s internet users are in the 12–29 years age group, with those in the 12–19 age group accounting for about 21.5% of the total internet usage in metro cities. Given that the pandemic has compelled students and schools to adopt and adapt to virtual schools, the reliance on the internet has become ubiquitous with education. Out of an estimated 504 million internet users, nearly one-third are aged under 19. As per the Annual Status on Education Report (ASER) 2020, more than one-third of all schoolchildren are pursuing digital education, either through online classes or recorded videos.

Instead of setting a blanket age for determining valid consent, we could look at alternative means to determine the appropriate age for children at different levels of maturity, similar to what had been developed by the U.K. Information Commissioner’s Office. The Age Appropriate Code prescribes 15 standards that online services need to follow. It broadly applies to online services "provided for remuneration"—including those supported by online advertising—that process the personal data of and are "likely to be accessed" by children under 18 years of age, even if those services are not targeted at children. This includes apps, search engines, social media platforms, online games and marketplaces, news or educational websites, content streaming services, online messaging services.

The reservation to definition of child under the Bill has also been expressed by some members of the JPC through their dissenting opinion. MP Ritesh Pandey stated that keeping in mind the best interest of the child the Bill should consider a child to be a person who is less than 14 years of age. This would ensure that young people could benefit from the advances in technology without parental consent and reduce the social barriers that young women face in accessing the internet. Similarly Manish Tiwari in his dissenting note also observed that the regulation of the processing of data of children should be based on the type of content or data. The JPC Report observed that the Bill does not require the data fiduciary to take fresh consent of the child, once the child has attained the age of majority, and it also does not give the child the option to withdraw their consent upon reaching the majority age. It therefore, made the following recommendations:

Registration of data fiduciaries, exclusively dealing with children’s data. Application of the Majority Act to a contract with a child. Obligation of Data fiduciary to inform a child to provide their consent, three months before such child attains majority Continuation of the services until the child opts out or gives a fresh consent, upon achieving majority. However, these recommendations have not been incorporated into the provisions of the Bill. In addition to this the Bill is silent on the status of non consensual processing and deemed consent with respect to the data of children.

We recommend that fiduciaries who have services targeted at children should be considered as significant Data Fiduciaries. In addition to this the Bill should also state that the guardians could approach the Data Protection Board on behalf of the child. With these obligations in place, the age of mandatory consent could be reduced and the data fiduciary could have an added responsibility of informing the children in the simplest manner how their data will be used. Such an approach places a responsibility on Data Fiduciaires when implementing services that will be used by children and allows the children to be aware of data processing, when they are interacting with technology.

Chapter III-RIGHTS AND DUTIES OF DATA PRINCIPAL

Rights of Data Principal

Clause 12(3) of the Bill while providing the Data Principal the right to be informed of the identities of all the Data Fiduciaries with whom the personal data has been shared, also states that the data principal has the right to be informed of the categories of personal data shared. However the current version of the Bill provides only one category of data that is personal data.

Clause 14 of the Bill talks about the Right of Grievance Redressal, and states that the Data Principal has the right to readily available means of registering a grievance, however the Bill does not provide in the Notice provisions the need to mention details of a grievance officer or a grievance redressal mechanism. It is only the additional obligations on significant data fiduciary that mentions the need for a Data Protection officer to be the contact for the grievance redressal mechanism under the provisions of this Bill. The Bill could ideally re-use the provisions of the IT Act SPDI Rules 2011 in which Section 5(7) states “Body corporate shall address any discrepancies and grievances of their provider of the information with respect to processing of information in a time bound manner. For this purpose, the body corporate shall designate a Grievance Officer and publish his name and contact details on its website. The Grievance Officer shall redress the grievances or provider of information expeditiously but within one month ' from the date of receipt of grievance.”

The above framing would not only bring clarity to the data fiduciaries on what process to follow for a grievance redressal, it also would reduce the significant burden of theBoard.

Duties of Data Principals

The Bill while entisting duties of the Data Principal states that the “Data Principal shall not register a false or frivolous grievance or complaint with a Data Fiduciary or the Board”, however it is very difficult for a Data Principal to and even for the Board to determine what constitutes a “frivolous grievance”. In addition to this the absence of a defined notice provision and the inclusion of deemed consent would mean that the Data Fiduciary could have more information about the matter than the Data Principal. This could mean that the fiduciary could prove that a claim was false or frivolous. Clause 21(12) states that “At any stage after receipt of a complaint, if the Board determines that the complaint is devoid of merit, it may issue a warning or impose costs on the complainant.” In addition to this Clause 25(1) states that “ If the Board determines on conclusion of an inquiry that non- compliance by a person is significant, it may, after giving the person a reasonable opportunity of being heard, impose such financial penalty as specified in Schedule 1, not exceeding rupees five hundred crore in each instance.” The use of the term “person” in this case includes data which could mean that they could be penalised under the provisions of the Bill, which could also include not complying with the duties.

CHAPTER IV- SPECIAL PROVISIONS

Transfer of Personal Data outside India

Clause 17 of the Bill has removed the requirement of data localisation which the 2018 and 2019 Bill required. Personal data can be transferred to countries that will be notified by the central government. There is no need for a copy of the data to be stored locally and no prohibition on transferring sensitive personal data and critical data. Though it is a welcome change that personal data can be transferred outside of India, we would highlight the concerns in permitting unrestricted access to and transfer of all types of data. Certain data such as defence and health data do require sectoral regulation and ringfencing of the transfer of data.

Exemptions

Clause 18 of the Bill has widened the scope of government exemptions. Blanket exemption has been given to the State under Clause 18(4) from deleting the personal data even when the purpose for which the data was collected is no longer served or when retention is no longer necessary. The requirement of proportionality, reasonableness and fairness have been removed for the Central Government to exempt any department or instrumentality from the ambit of the Bill. By doing away with the four pronged test, this provision is not in consonance with test laid down by the Supreme Court and are also incompatible with an effective privacy regulation. There is also no provision for either a prior judicial review of the order by a district judge as envisaged by the Justice Srikrishna Committee Report or post facto review by an oversight committee of the order as laid down under the Indian Telegraph Rules, 1951^{^[3]} and the rules framed under Information Technology Act^{^[4]}. The provision states that such processing of personal data shall be subject to the procedure, safeguard and oversight mechanisms that may be prescribed.

^{^[1]} Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

^{^[2]} Clause 97 of the 2018 Bill states“(1) For the purposes of this Chapter, the term ‘notified date’ refers to the date notified by the Central Government under sub-section (3) of section 1. (2)The notified date shall be any date within twelve months from the date of enactment of this Act. (3)The following provisions shall come into force on the notified date-(a) Chapter X; (b) Section 107; and (c) Section 108. (4)The Central Government shall, no later than three months from the notified date establish the Authority. (5)The Authority shall, no later than twelve months from the notified date notify the grounds of processing of personal data in respect of the activities listed in sub-section (2) of section 17. (6) The Authority shall no, later than twelve months from the date notified date issue codes of practice on the following matters-(a) notice under section 8; (b) data quality under section 9; (c) storage limitation under section 10; (d) processing of personal data under Chapter III; (e) processing of sensitive personal data under Chapter IV; (f) security safeguards under section 31; (g) research purposes under section 45;(h) exercise of data principal rights under Chapter VI; (i) methods of de-identification and anonymisation; (j) transparency and accountability measures under Chapter VII. (7)Section 40 shall come into force on such date as is notified by the Central Government for the purpose of that section.(8)The remaining provision of the Act shall come into force eighteen months from the notified date.”

^{^[3]} Rule 419A (16): The Central Government or the State Government shall constitute a Review Committee.

Rule 419 A(17): The Review Committee shall meet at least once in two months and record its findings whether the directions issued under sub-rule (1) are in accordance with the provisions of sub-section (2) of Section 5 of the said Act. When the Review Committee is of the opinion that the directions are not in accordance with the provisions referred to above it may set aside the directions and orders for destruction of the copies of the intercepted message or class of messages.

^{^[4]} Rule 22 of Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009: The Review Committee shall meet at least once in two months and record its findings whether the directions issued under rule 3 are in accordance with the provisions of sub-section (2) of section 69 of the Act and where the Review Committee is of the opinion that the directions are not in accordance with the provisions referred to above, it may set aside the directions and issue an order for destruction of the copies, including corresponding electronic record of the intercepted or monitored or decrypted information.

For more details visit https://cis-india.org/internet-governance/blog/cis-comments-recommendations-to-digital-data-protection-bill

CIS’ Comments to the (Draft) Indian Telecommunication Bill 2022

Abhishek Raj, Divyank Katira, Isha Suri, Shweta Mohandas, and Vipul Kharbanda — 2022-11-22T13:22:24Z

The Department of Telecommunications, Government of India invited comments on the Draft Indian Telecommunication Bill, 2022. The Centre for Internet & Society (CIS) submitted its comments.

Reviewed by Pallavi Bedi

Preliminary

The Centre for Internet and Society (CIS) is a non-profit organization that undertakes interdisciplinary research on the internet and digital technologies from policy and academic perspectives. Through its diverse initiatives, CIS explores, intervenes in, and advances contemporary discourse and practices around the internet, technology, and society in India, and elsewhere. Over the last decade, CIS has worked extensively on policy issues related to telecommunication, internet access, digital inclusion, and so on.

In the past, CIS has responded to various public consultations pertaining to telecommunication such as the Telecom Regulatory Authority of India (TRAI) consultation on 5G Auctions^{^[1]}, TRAI consultation on regulation of over-the-top (OTT) services^{^[2]}, to name a few .

We appreciate the efforts of the Department of Telecommunications (DoT) for having consultation on the “Draft Indian Telecommunication Bill 2022”. We are grateful for the opportunity to put forth our views and comments to the draft bill.

Summary of Recommendations

At the outset, we recommend that in the interest of transparency and accountability, prior to enacting important legislations like the Telecom Bill, the government would be well-advised to conduct an “impact assessment” exercise such as “regulatory impact assessment” and put the report in public as practised in jurisdictions such as the European Union.^{^[3]} We would also recommend the government to disclose responses and submissions that it receives during the process to ensure a transparent and consultative process of policymaking.

We recommend that the scope of the bill should be reconsidered and internet-based services should be removed from the definition of telecommunication services. From this definition read with other clauses of the bill, it appears that the bill tries to licence (or control !) not just telecommunication but all kinds of communication and internet-based services. Putting onerous regulatory requirements on every bit and byte flowing through the internet is unnecessary and regulatory overreach.

The draft bill’s attempt to provide for a non-discriminatory and an affordable Right-of-way (RoW) regime is appreciable. However, the central government has been given an overriding power over the local government which has constitutional powers with regard to permissions in their jurisdiction. The bill must clarify the modalities to ensure coordination between centre, state, and local authorities.

We recommend that clause 46 of the draft bill which significantly dilutes TRAI’s power should be deleted. Moreover, the government must work towards further strengthening TRAI by hiring subject matter experts to ensure that India has a powerful sector regulator which is well prepared to usher in the next wave of innovation.

We recommend that the Bill be inline with the Puttaswamy Judgement, and that of Anuradha Bhasin vs Union of India. The Bill, while paying close attention to the protection of users and duty of the user, fails to uphold rights of the user such as the right to privacy and the freedom of speech and expression.

As per clause 29, the objectives for which Telecommunication Development Fund (TDF) can be utilised is broad and therefore the government would be well-advised to specify that TDF can only be utilised to ensure digital access, adoption and usage for digitally marginalised groups. Furthermore, TDF must be ring fenced and not credited to the Consolidated Fund of India to ensure timely implementation which has thus far remained a significant challenge with the universal funds (USOF) regime.

The bill does not have any provisions upholding the principles of net neutrality. The government must act on TRAI’s recommendations and set up the multistakeholder body to check adherence to net neutrality requirements by incorporating provisions to that effect.

In the interest of transparency and accountability, a clause requiring the government to report (quarterly or annually) vital statistics relating to the functioning and financial aspects of matters contained within the draft legislation. The reporting should also include the number of licences provided, licences revoked, number of blocking and suspension orders passed among others.

Detailed Response

Preamble

No comments

Chapter 1: Short Title, Extent and Commencement

No comments

Chapter 2: Definitions

➔ 2(9): “message” means any sign, signal, writing, image, sound, video, data stream or intelligence or information intended for telecommunication.

Comment: The terms “intelligence” and “data stream” are not clear in the definition and these terms have not been defined elsewhere in the bill. Moreover, the definition of message is broad and may have implications with regard to surveillance and privacy of users, when read with clause 4(8) and clause 24(2)(a).

Recommendation: We recommend that the terms “intelligence” and “data stream” are defined under the bill, in order to reduce chances of excessive surveillance and to maintain the informational privacy of the individual. Additionally the definition could have an expansive list of what could constitute a message in order to prevent mission creep.

➔ 2(18): “telecommunication equipment” means any equipment, appliance, instrument, device, material or apparatus, including customer equipment, that can be or is being used for telecommunication, and includes software integral to such telecommunication equipment;”

Comment: The inclusion of customer equipment in the definition of telecommunication equipment has implications. The definition of the “customer equipment”^{^[4]} as provided in clause 2(5) of the Bill is broad enough to include personal devices such as phones, routers, among others. As per clauses 23 to 26 the Central Government has wide ranging powers with respect to telecommunications equipment and telecommunications networks such as issuing various directions for telecommunications networks and even has the power to take over such networks. As the definitions currently stand, these provisions would automatically become applicable to customer equipment as well which may be a violation of the right to privacy of the citizens of the country.

Moreover, according to 3(2)(c), possession of wireless equipment requires authorization. On reading 3(2)(c) with the definitions of wireless equipment in 2(23) and customer equipment in 2(5), an argument could be framed that the customer equipment could technically also require a licence, and so would the software integral to such equipment. If customer equipment is in fact included in telecom equipment and software integral to it is also included therein, then arguably even Android OS or other OS can be licensable.

Recommendation: Thus, we suggest that the government should remove customer equipment from the definition of telecommunication equipment.

➔ 2(21): “telecommunication services" means service of any description (including broadcasting services, electronic mail, voice mail, voice, video and data communication services, audiotex services, videotex services, fixed and mobile services, internet and broadband services, satellite based communication services, internet based communication services, in-flight and maritime connectivity services, interpersonal communications services, machine to machine communication services, over-the-top (OTT) communication services) which is made available to users by telecommunication, and includes any other service that the Central Government may notify to be telecommunication services;”

Comment: Clause 2(21) expands the scope of “telecommunication services” significantly. The overly-broad definition of “telecommunication services”, and what constitutes a “message”^{^[5]}, brings within its ambit a host of internet services including but not limited to email, instant messaging, social media services, and even payments and e-commerce transactions. Neither the bill, nor the accompanying explanatory note provides a satisfactory rationale for an all-encompassing definition of “telecommunication services”. The explanatory note attached to the bill suggests that legislations in Australia, EU, UK, Singapore, Japan, and USA have been examined while drafting this bill. However, our research^{^[6]} suggests that none of these jurisdictions define “telecommunication services” so expansively and seek to regulate entities offering only internet based services companies through licensing, in particular. It may also be worthwhile to note that TRAI recommended against such an approach and also clarified that there is no issue of financial arbitrage.^{^[7]} However, the bill attempts to bring OTT communication services within the purview of licensing. From this definition read with other clauses of the bill, it appears that the bill tries to licence (or control !) not just telecommunication but all kinds of communication and internet-based services. Putting onerous regulatory requirements on every bit and byte flowing through the internet is unnecessary and regulatory overreach. There can be major implications of expanding the definition of telecommunication services, some of which are listed below:

● The draft bill has stringent provisions on surveillance and shutdowns [clause 23 to clause 28]. These clauses would be naturally applicable to the expanded bucket of telecommunication services. This has serious implications on user’s right to privacy and freedom of expression online. For example, the bill gives the government the power to surveil citizens over apps such as WhatsApp, Telegram, to name a few, and even email. [some of this will be delved into greater detail in the foregoing sections]

● Some of the internet-based services listed in the definition in 2(21) are already regulated under the Information Technology (IT) Act 2000. For example, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 regulates intermediaries, including the significant social media intermediaries (SSMI) such as Facebook and Twitter. Putting an additional regulatory burden on these service layer companies in the form of licensing, as envisaged in clause 3 and clause 4 of the bill would hamper the innovation in the sector. Furthermore, it has been observed that the compliance burden of regulations is higher on small businesses in cases where regulations impose identical requirements on entities regardless of the firm size.^{^[8]} Therefore, inserting such a requirement would have a detrimental impact on innovation because excessive compliance requirements would act as a significant entry barrier for smaller firms.

Moreover, there is significant overlap between various services that are mentioned in the definition of telecommunication services which may lead to significant challenges. As these services are not defined elsewhere in the bill, it leaves scope for ambiguity. The bill makes a mention of “over-the-top (OTT) communication services” without defining it. We argue that making a distinction between communication and non-communication OTT services is superficial and does not take into account today’s realities where categorising applications into different categories is extremely difficult. A majority of the OTT applications such as e-commerce, healthcare, food delivery, payments, and so on, provide integrated communication channels. Disaggregation and making an artificial distinction of such apps into communication (with licensing requirements) and non-communication (without licensing requirements) would result in fragmentation of the internet which is definitely not a desirable outcome.

The “same-service same-rules” argument put forth by Telecommunication Service Providers (TSPs/ telcos) for the regulation of OTT apps which provide communication services [generally referred to as OTT communication services] at par with them is flawed for the reasons elaborated herein below:

● It is well recognized that there are significant differences at the technical and architectural level between TSPs and OTT apps which provide communication services . Regulating OTT apps which provide communication services at par with TSPs just on the basis of functionality without considering the inherent technical and architectural differences between them is a definite recipe for failure.

● Moreover, even at the functional level, OTT communication apps offer several additional features which are not available in the traditional TSP services.^{^[9]} Due to this, establishing functional equivalence between TSP’s services and OTT communication services is not only technically unfeasible but also unnecessary since those apps are better regulated by MEITY.

● Furthermore, TSPs enjoy privileges which OTTs don't. For example, TSPs have exclusive rights to spectrum, right of Way (RoW), numbering resources, to name a few. TSPs have control over underlying broadband infrastructure which OTTs and other internet-based service companies do not have.

As opposed to what has been suggested in the bill i.e, licence all telecommunication services [clause 3(2)(a)] including the internet-based services, it may be prudent to explore alternative approaches to regulate this space. For instance, a “two-layered framework”^{^[10]} for regulatory intervention can be considered. In this two-layered framework, the first layer would be the network layer consisting of the network and infrastructure; and the second layer would be the service layer consisting of applications and services. The services in the second layer can be further refined into the following three categories: (i) services provided over a non-Internet Protocol (IP) based architecture e.g Public Switched Telephone Network (PSTN) voice calls provided over a circuit switched network; (ii) specialised services that are provided over an IP based architecture in a closed network including facility-based services e.g., facilities-based VoLTE calls to PSTN and IPTV; (iii) IP-based/ Internet-based services such as OTTs. The gist^{^[11]} of the framework is:

The network layer may be regulated by way of licensing.

Non-IP Services and Specialised services may be regulated by way of licensing.

Internet-based services should be regulated by instruments other than licensing. Such instruments should preferably be in the form of legislations like the IT Act and its rules thereunder.

While there can be approaches apart from the one described above to regulate internet-based services such as the OTT and those approaches can be discussed and debated, putting licensing requirements for every internet-based service is not the way forward.

Recommendation: We recommend that the scope of the bill should be reconsidered and internet-based services should be removed from the definition of telecommunication services. In the interest of transparency and accountability, prior to enacting such a legislation the government would be well-advised to conduct a “regulatory impact assessment” exercise and put the report in public, as done in jurisdictions such as the European Union.

Chapter 3: Licensing, Registration, Authorization and Assignment

Clause 4. Licensing, Registration Authorization and Assignment

➔ 4(6): “The possession and use of any equipment that blocks telecommunication is prohibited, unless authorised by the Central Government for specific purposes.”

Comment: While assuming jurisdiction over equipment capable of blocking telecommunication via this clause is a welcome step, it is not clear why equipment capable of intercepting telecommunications has been kept out of the scope of this clause. Since unlawful and unauthorised interception of telecommunications is a violation of the fundamental right to privacy of an individual,^{^[12]} it is imperative that the scope of this clause be increased to include interception equipment as well. Furthermore, the latter part of the provision mentions “specific purposes” without adequate checks and balances in place. As such, the specific purposes must be defined exhaustively to ensure that this power is not misused.

➔ 4(7): "Any entity which is granted a licence under sub-clause (2) of clause 3, shall unequivocally identify the person to whom it provides services, through a verifiable mode of identification as may be prescribed."

Comment: All services do not require a verification of the identity of a person. There is a legitimate need to verify a person in the case of financial transactions, however a similar level of scrutiny is not warranted for applications that a person might use once, or applications that do not pose a threat to anyone. For example the need to verify a person through Know Your Customer (KYC) or otherwise for an application to order food, or an application which is meant for communication can be excessive regulation. Furthermore, number based internet communication apps such as Whatsapp require users to sign in through a mobile number, which have already gone through a KYC process. Therefore, dual KYC would be redundant and serve no purpose.

The Supreme Court while looking at the constitutionality of the Aadhaar Act upheld the need for banking and financial institutions to require an individual’s Aadhaar number stating the legitimate aim of preventing money laundering; however, the Court struck down the provision that required any private entity to collect Aadhaar details.^{^[13]} Justice Bhushan held that the collection by private entities violated the right to privacy, by failing the first prong of the test laid down in Puttaswamy, the test of legality.^{^[14]}

Recommendation : Clause 4(7) should be deleted.

➔ 4(8) “The identity of a person sending a message using telecommunication services shall be available to the user receiving such message, in such form as may be prescribed, unless specified otherwise by the Central Government.”

Comment: Although the intent behind this provision may have been to curb the menace of anonymous harassment of users, a blanket requirement to reveal the identity of the sender of a message in every instance may be considered a violation of the right to privacy of the sender. . There are clearly a number of competing rights involved here and the issue needs to be addressed in a more nuanced manner. Additionally there are a number of services such as chat applications providing support for mental health, that allow users to be anonymous in order to remove the concern and stigma around seeking help. A requirement that the user's name be revealed in these applications could hinder the functioning of these services as well as prevent more people from seeking help.

Anonymity was also explained in the Puttaswamy Judgment where it was stated that - “Privacy involves hiding information whereas anonymity involves hiding what makes it personal. An unauthorised parting of the medical records of an individual which have been furnished to a hospital will amount to an invasion of privacy.” In his judgement, Justice F. Nariman talks about different aspects of the right to privacy in the Indian context and observes “Informational privacy which does not deal with a person’s body but deals with a person’s mind, and therefore recognises that an individual may have control over the dissemination of material that is personal to him. Unauthorised use of such information may, therefore lead to infringement of this right”.^{^[15]}

In this backdrop it is perhaps preferable that the issue be addressed through separate guidelines rather than through a blanket direction in the Statute. Recently the Department of Telecom sent a reference to the TRAI for framing a mechanism for using KYC based identification.^{^[16]} It would be advisable if the TRAI in its response also takes into account the competing rights involved in this issue of caller identification and suggests a framework that addresses these concerns as well.

Retaining anonymity on the internet: Individuals may choose to remain anonymous online for a number of reasons. This includes employees expressing opinions about their employers and whistleblowers, people providing anonymous tips to newspapers or law enforcement, people expressing political opinions and criticism that may be subject to persecution, or simply someone saying something that they may be embarrassed about.^{^[17]} In India, in particular, an individual’s caste can be derived from their name, and they may choose to remain anonymous or adopt a pseudonym to escape centuries of stigma and discrimination that their communities have faced. Religious, gender and sexual minorities may also make this choice for similar reasons. The broad definition of telecommunication services in the bill places restrictions on anonymity online and severely degrades an individual’s ability to exercise their fundamental right to freedom of expression.

Right to privacy: The overly broad definition of “telecommunication services” and what constitutes a “message” also brings a number of digital services under the ambit of this bill. This can include email, instant messaging, social media services, and even payments and e-commerce transactions. Mandating identification of individuals as they navigate these services, which they require to go about their daily lives, creates an unprecedented potential for surveillance and abuse of personal information. To evaluate the legal validity of this infringement on privacy, we can utilise the necessity and proportionality tests put forth by the Puttaswamy Judgment. The explanatory note accompanying the bill states that the purpose of this provision is to “prevent cyber frauds”, establishing a legitimate aim for mandating identification. However, it fails to justify whether this is the least intrusive means necessary to achieve the stated aim. Law enforcement agencies have access to a wide variety of metadata, such as IP addresses, already collected by digital services today, which can be used to identify individuals committing cyber crimes. Furthermore, as the internet is a global network, bad actors can evade identification by routing their internet traffic through another country by using services such as Virtual Private Network (VPNs), proxies and onion routing. Well resourced actors can simply hire someone in another country to communicate on their behalf. The infringement upon the right to privacy by this provision is also disproportionate to the objective sought. By mandating storage of personally identifiable information that is not required for the operation of the wide range of services that fall under the ambit of this bill, it allows not only for state surveillance, but also creates the possibility of misuse by criminal actors and hostile states who may gain unlawful access to this information through data breaches. Overall, this provision can easily be circumvented by the bad actors it intends to catch, leaving us with a surveillance mechanism that is ripe for misuse against ordinary, law-abiding citizens.

Misunderstanding how the internet works: This draft bill assumes and propagates a centralised view of the internet. Unlike traditional telecommunication services, which require access to a finite spectrum or other physical infrastructure, the internet allows any individual or organisation to self-host their own communication service. Several organisations and technologically savvy individuals host their own email services, instant messaging services, blogs and social media networks. It is unclear how the licensing provisions in this bill apply to people developing and hosting their own communication equipment.

Recommendation : Clause 4(8) should be deleted.

Clause 5. Spectrum Management

➔ 5(2)(b): “administrative process for governmental functions or purposes in view of public interest or necessity as provided in Schedule 1; or”

Comment: Even though the draft bill seeks to provide an explicit statutory framework and predictability for spectrum management policy in India, it appears that for the large part it would be relying on spectrum auctions for assignment of spectrum. While the bill provides for administrative allocation of spectrum for governmental functions or purposes in view of public interest or necessity as provided in Schedule 1, the explanatory note provided for the draft bill indicates auction to be the predominant method for spectrum assignment. Even though the explanatory memorandum cannot be used for legal interpretation, it can be used to indicate that for the foreseeable future the government intends to allocate spectrum predominantly through auctions. While it can be argued that an auction based regime ensures transparency, it also creates significant barriers to entry for smaller operators. It is also pertinent to mention that in the seven auctions held since 2010, the government has successfully sold 100 percent of the auction only once. Relying solely on auctions since 2010 has led to unsold spectrum, lost revenue, and deferring of the rural digital ecosystem.^{^[18]} Therefore, auctions should be supplemented with “administrative allocation” and other innovative approaches to ensure that affordable broadband connectivity does not remain within the remit of a few. For instance, Canada has initiated a consultation on a non-competitive local licensing framework in the 3900-3980 MHz Band and Portions of the 26, 28 and 38 GHz Bands, and one of its objectives is to facilitate broadband connectivity in rural areas.^{^[19]} Therefore, we would like to recommend the DoT to explore other forms of spectrum assignment and not rely solely on auctions to ensure efficient utilisation of available spectrum and to also ensure affordable access to hitherto underserved regions.

Moreover, the bill does not provide clarity with regard to unlicensed spectrum for public Wi-Fi, and assignment of shared spectrum for satcom services.^{^[20]} Spectrum allocation for satcom becomes all the more important as the draft bill seems to give a preference to auction for spectrum assignment, while the global practice on spectrum assignment for satcom has been administrative allocation.

Furthermore, clause 5(2)(b) read with Schedule 1 suggests that BSNL and MTNL can acquire spectrum through an administrative process in view of public interest or necessity. However, we would like to submit that spectrum assignment to BSNL and MTNL may no longer serve the public interest and it only protects a very small interest group. For context, BSNL and MTNL have a combined market share of only 9.83%, as per TRAI subscription data of Aug 31, 2022.^{^[21]} For such a small subscriber share, it cannot be argued that these PSUs serve a public interest. The government can easily migrate these subscribers to the other three telcos. Moreover, this also provides the PSUs with an unfair advantage over its competitors and distorts the level playing field, thereby creating competition concerns in the market.

➔ 5(8): “The Central Government may, to promote optimal use of the available spectrum assign a particular part of a spectrum that has already been assigned to an entity (“primary assignee”), to one or more additional entity/ entities (“secondary assignees”), where such secondary assignment does not cause harmful interference in the use of the relevant part of the spectrum by the primary assignee, subject to the terms and conditions as may be prescribed.”

Comment: “Secondary assignment” of spectrum and the shift from “right to exclusive use” to “right to protection from interference”, as envisaged in 5(8) is a progressive move towards efficient utilisation of spectrum.

CIS, in its past submission^{^[22]} to the TRAI had highlighted the merits of a “use-or-share” approach in spectrum. The chasm that exists between expensive exclusive spectrum licensing and the licence-exempt ecosystem can be bridged by enshrining “use-it-or-share-it” provisions in spectrum licences. As such, ‘use-it-or-share-it’ rules enable the regulator to grant secondary access to licensed or governmental spectrum that is unused or underutilised.^{^[23]} ‘Use-it-or-share-it’ rules expand the productive use of spectrum without risking harmful interference or undermining the deployment plans of primary licensees. Clauses such as 5(8) enable “use-or-share” provisions are a step in the right direction.

➔ 5(9): “The Central Government, after providing a reasonable opportunity of being heard to the assignee concerned, if it determines that spectrum that has been assigned, has remained unutilized for insufficient reasons for a prescribed period, may terminate such assignment, or a part of such assignment, or prescribe further terms and conditions relating to spectrum utilization.”

Comment: There is lack of coherence between 5(8) and 5(9) when read together. 5(8) and 5(9) should be put as sub-clauses under a parent clause to ensure clarity.

We believe that the provision must be articulated clearly to state that licensees would first be given an opportunity to share spectrum and in cases where the entity fails to do so within a reasonable amount of time, the spectrum licence would be cancelled to prevent wilful spectrum hoarding. The Independent Communications Authority of South Africa (ICASA) in the 2nd Information Memorandum has expressed similar provisions with clarity. While, we feel five years may be an unnecessarily long timeframe for the government to enact spectrum sharing provisions, the language put forth by ICASA captures the essence of our argument:

“11.6.2 In cases where the spectrum is not fully utilised by the licensee within 5 years of issuance of the Radio Frequency Spectrum Licences, the Authority will initiate the process for the Licensee:

11.6.2.1 to share unused spectrum in all areas to ECNS licensees who may, inter alia, combine licensed spectrum in any innovative combinations in order to address local and rural connectivity in some municipalities including by entrepreneurial SMMEs;

11.6.2.2 to surrender the radio frequency spectrum licence or portion of the unused assigned spectrum in accordance with Radio Frequency Spectrum Regulations, 2015”

Recommendation: Clause 5(8) and 5(9) must be brought under one clause and it must be clarified that licence holders would lose their licence in case they fail to successfully incorporate spectrum sharing.

Clause 7. Breach of Terms and Conditions

➔ 7(1): “In case of breach of any of the terms and conditions of licence, registration, authorization or assignment granted under this Act, the Central Government may, after providing an opportunity of being heard to the party concerned, do any one or more of the following: ……”

Comment: Usually the consequences of breach are specifically illustrated in the licence. Listing the consequences of breach in the statute itself may lead to lack of clarity unless the terms of licence are also referenced. It could also be argued by a defaulting licensee that the powers listed in clause 7(1) are exhaustive and the Central Government cannot add any other conditions for breach of the conditions of the licence as in the licence agreement and any such conditions not specified in clause 7(1) are void and ultra vires the Statute.

Recommendation: In order to avoid such a situation, the clause should clearly state whether the powers listed in clause 7(1) are in addition to the terms and conditions that may be specified in the licence.

Chapter 4: Right of Way for Telecommunication Infrastructure

Comment: The draft bill attempts to provide for a non-discriminatory and an affordable Right-of-way regime, which is appreciable. However, the provision suggests that the central government has an overriding power over the local government. Provided that the Constitution of India defines certain powers which reside with the local authority in terms of providing permissions in the local areas, it is unclear from the bill on how the coordination between various authorities will take place. We recommend that there needs to be a mechanism that ensures coordination between centre, state, and local authorities.

❖ 14(3) : “In the event the person under sub-clause (1) does not provide the right of way requested, and the Central Government determines that it is necessary to do so in the public interest, it may, either by itself or through any other authority designated by the Central Government for this purpose, proceed to acquire the right of way for enabling the facility provider to establish, operate, maintain such telecommunication infrastructure, in the manner as may be prescribed.”

Comment: The right of the Central Government to acquire the right of way should be in lieu of adequate and appropriate compensation to be paid to the property owner. This requirement should be clearly mentioned in sub-clause (3). The clause as it currently stands only mentions the Central Government’s right to acquire but contains no mention of said acquisition being in lieu of adequate and proportionate compensation.

Chapter 5. Restructuring, Defaults in Payment and Insolvency

➔ 19(1): “Any licensee or registered entity may undertake any merger, demerger or acquisition, or other forms of restructuring, subject to provisions of applicable law, after providing notice to the Central Government of the same.”

Comment: Sub-clause (1) only requires that the Central Government be given a notice in case of merger, demerger, acquisition or restructuring of the licensee. Although sub-clause (2) requires that the successor entity shall comply with all the terms and conditions of the licence, considering the strategic nature of the telecommunications sector^{^[24]} it would be advisable to change the requirement of notice to a requirement of permission from the Central Government for restructuring the business rather than a mere notice requirement. In order for this requirement to not be a hindrance to the growth of the industry there could be a provision for deemed approval if the approval is not granted within a particular period of time.^{^[25]}

Recommendation: Any merger in the sector must be approved by the DoT. In order to ensure that this does not lead to unnecessary delays, a deemed approval route may be considered.

Chapter 6: Standards, Public Safety and National Security

❖ 24(2): “On the occurrence of any public emergency or in the interest of the public safety, the Central Government or a State Government or any officer specially authorised in this behalf by the Central or a State Government, may, if satisfied that it is necessary or expedient to do so, in the interest of the sovereignty, integrity or security of India, friendly relations with foreign states, public order, or preventing incitement to an offence, for reasons to be recorded in writing, by order:

(a) direct that any message or class of messages, to or from any person or class of persons, or relating to any particular subject, brought for transmission by, or transmitted or received by any telecommunication services or telecommunication network, shall not be transmitted, or shall be intercepted or detained or disclosed to the officer mentioned in such order; or

(b) direct that communications or class of communications to or from any person or class of persons, or relating to any particular subject, transmitted or received by any telecommunication network shall be suspended”.

Comment: The pre-conditions for interception contained in the Bill are similar to those contained in the Telegraph Act, 1885, i.e. “occurrence of any public emergency or in the interest of the public safety, the Central Government or a State Government or any officer specially authorised in this behalf by the Central or a State Government, may, if satisfied that it is necessary or expedient to do so, in the interest of the sovereignty, integrity or security of India, friendly relations with foreign states, public order, or preventing incitement to an offence”. Although more stringent, these conditions are different from those contained in the Information Technology Act, 2000 which does not contain the added safeguard of there being a “public emergency or in the interest of public safety”.^{^[26]} With consumers spending more and more time on the internet and using internet based technologies and applications for communications, there is significant regulatory overlap between the Telecommunications Bill and the Information Technology Act, 2000. It is therefore advisable that the interception and blocking provisions under both the legislations should be aligned and standardised.

The judgement in the Puttaswamy case provides some guidance to assess the limits and scope of the constitutional right to privacy in the form of the three prong test. The test requires the existence of a law, a legitimate state interest and the restriction (to privacy) should be ‘proportionate'. The order to intercept, detain, disclose or suspend a communication made between private individuals, acts as a violation of privacy and to ensure that this does not provide extensive grounds to surveil people, the three prong test especially the grounds of proportionality combined with the necessity provision are essential to ensure that this provision is not used disproportionately.

More recently in Anuradha Bhasin vs Union Of India the Supreme Court stated “A public emergency usually would involve different stages and the authorities are required to have regards to the stage, before the power can be utilised under the aforesaid rules. The appropriate balancing of the factors differs, when considering the stages of emergency and accordingly, the authorities are required to triangulate the necessity of imposition of such restriction after satisfying the proportionality requirement.” The court while passing the judgement also stated “The concept of proportionality requires a restriction to be tailored in accordance with the territorial extent of the restriction, the stage of emergency, nature of urgency, duration of such restrictive measure and nature of such restriction. The triangulation of a restriction requires the consideration of appropriateness, necessity and the least restrictive measure before being imposed.”^{^[27]} The judgement while examining the duration of the suspension mentioned that any order which suspends the internet must adhere to the principle of proportionality and must not extend beyond necessary duration.

Recommendation: There is a need to look at the implications of such an order enabling blocking or suspension of services post the Puttaswamy judgement where informational privacy, and dignity were considered as some of the aspects of privacy. While this clause uses the test of necessity and expediency, we suggest that along with these two the clause also introduce the three prong test laid out in Puttaswamy I. In addition to this since this legislation has been drafted subsequent to the Anuradha Bhasin judgement the provisions of the legislation must be in conformity with the same in order to avoid confusion and reduce litigation.

Chapter 7: Telecommunication Development Fund

➔ Clause 29: “The sums of money received towards the Telecommunication Development Fund under clause 27, shall first be credited to the Consolidated Fund of India, which shall be appropriated by the Central Government, in accordance with law made by the Parliament, to the Telecommunication Development Fund from time to time for being utilised to meet any or all of the following objectives:

(a) support universal service through promoting access to and delivery of telecommunication services in underserved rural, remote and urban areas;

(b) research and development of new telecommunication services, technologies, and products;

(d) support pilot projects, consultancy assistance and advisory support towards provision of universal service under sub-clause (a) of this clause; and

(e) support introduction of new telecommunication services, technologies, and products.”

Comment: Clause 27 of the draft bill proposes to rename the Universal Service Obligation Fund (USOF) to Telecommunication Development Fund (TDF) and expand its scope to include underserved urban areas in addition to rural and remote areas. This has been done, ostensibly to expand the scope of current USOF to include within its ambit underserved urban areas, research and development, and skill development, among others.^{^[28]} While there is a need to spend the vast amount of unspent balance within the USOF, and spending it on skill development, investments in innovative low cost-technology that enables affordable broadband connectivity for all is important, the manner in which the TDF is currently defined is loose and vague. In order to ensure that the fund is spent to include digitally marginalised groups only, the purpose for which the TDF can be used needs to have an “exact” and “specific definition”. The purpose should be narrowly defined to include only those activities that have the potential to mitigate and bridge the many digital divides that exist in our country because in its absence TDF may be misused to subsidise urban middle class users as opposed to originally intended beneficiaries - the hitherto marginalised sections of the society.

Furthermore, the Bill suggests that the money received towards the TDF shall first be credited to the Consolidated Fund of India, which shall be appropriated by the Central Government, in accordance with law made by the Parliament. This is a relic of the erstwhile USOF policy funds, and allocations are made on a demand and review basis. One of the reasons that India has an unspent balance of nearly INR 50,000 crore in USOF is owing to a delay in its implementation due to bureaucratic delays since all credits to this fund require parliamentary approvals.^{^[29]} In order to ensure that funds received through USOF/TDF are utilised efficiently, the government must ring fence these funds and ensure that they are only spent on the objectives envisaged under the TDF. Furthermore, funds collected for this purpose must not be credited to the Consolidated Fund of India since requiring additional approvals delays implementation of the fund. For instance, the rural road fund is ring fenced which has ensured smoother flow of funds.^{^[30]} Moreover, auction proceeds, and other levies on the sector such as service tax and GST are already credited to the Consolidated Fund of India, therefore the government can afford to ring fence funds collected for universal service as opposed to crediting them to the Consolidated Fund of India.

Recommendation: The objectives for which the TDF can be utilised is vague and too broad and therefore the government would be well-advised to specify that TDF can only be utilised to ensure digital access, adoption and usage for digitally marginalised groups. This would go a long way in ensuring that the funds are not misspent on providing subsidies to users that may not be in need for such a subsidy. Furthermore, TDF must be ring fenced and not credited to the Consolidated Fund of India to ensure timely implementation.

Chapter 9: Protection of users

➔ Clause 34 : “In the interest of the sovereignty, integrity or security of India, friendly relations with foreign states, public order, or preventing incitement to an offence, no user shall furnish any false particulars, suppress any material information or impersonate another person while establishing identity for availing telecommunication services.”

Comment: The intent behind this provision appears to be to prevent misrepresentation or identity and the giving of false information for availing telecom services. Whilst it is understandable that there may be privacy issues involved in the matter of revealing one’s identity for availing telecommunications services, the requirement to provide correct identity documents is a well established and accepted norm in the industry today which is manifest in the KYC requirements that have to be fulfilled by every customer. Therefore there is no need to qualify the obligation to provide true and accurate documents with the phrase “in the interest of the sovereignty, integrity or security of India, friendly relations with foreign states, public order, or preventing incitement to an offence”.

Chapter 10: Miscellaneous

➔ Clause 46: Amendment to Act 24 of 1997

Comment: Clause 46 of the Bill significantly dilutes the power of TRAI and effectively renders the Regulator to the role of the government’s rubber stamp through proposed amendments to clause 11^{^[31]} of the TRAI Act. Section 11 of the TRAI Act as it currently stands requires DoT to solicit recommendations from TRAI on issues pertaining to licensing, new services, and spectrum management, where the powers vest with the government. However, if the Bill becomes a law, this would not be mandatory on the government’s part. It may or may not seek the Regulator’s recommendations, thus eroding the transparency which was built in the process of policymaking. Consequently, as per the current Bill, the government will effectively be the licensor, operator, and the Regulator. Since the government owns BSNL/MTNL (a telecom operator) the role of an independent regulator assumes even more significance. Even without the proposed amendments, the Indian regulator has been largely ineffective since it lacks significant functional autonomy including negligible penalisation powers, limited role in its hiring decisions, and lack of financial autonomy since it needs DoT’s approvals for its budget.^{^[32]} Even in its present form, TRAI has lesser power as compared to many regulators across the globe. For instance Federal Communications Commission (FCC) of the USA, Ofcom of the UK, and regulators in Pakistan, Bangladesh, and Sri Lanka have powers over spectrum and licensing, while TRAI has only recommendatory powers.^{^[33]} With the advent of 5G, the lines between telecom and digital services are likely to blur even more and in order to ensure that we are able to exploit the vast potential this new wave of innovations could unleash, it is important to have skilled policymakers well-versed with technology at the helm of affairs. Amidst this backdrop, it is important to invest in enhancing TRAI’s competence by hiring subject matter experts, and ensuring that TRAI functions as an independent and transparent regulator.

Furthermore, the bill empowers the government to set up an alternate dispute resolution mechanism effectively making the role of Telecom Disputes Settlement and Appellate Tribunal (TDSAT) redundant. Currently, TDSAT is the first body which looks into any dispute between two (i) telecom operators, (ii) telecom operators and the government, and (iii) between operators, the government and as well as the regulator. Only once the TDSAT has passed orders on such disputes can they be appealed in the Supreme Court. Therefore, clauses diluting the power of TRAI must be deleted. The government must also clarify what it means by an alternate dispute resolution mechanism, and the role it envisages for TDSAT.

Lastly, TRAI process is consultative by design providing various stakeholders with an opportunity to participate in the policymaking process. However, the proposed bill does not have any provisions mandating the DoT to hold transparent stakeholder consultations.

Recommendation: Clause 46 of the proposed bill should be deleted. Furthermore, the government must work towards further strengthening TRAI by hiring subject matter experts and further empowering TRAI by giving it penalising powers. Also, TRAI must be responsible for conducting spectrum audits and ensuring that licensees are adhering to licensing conditions.

➔ 46(k): “Provided further that the Authority may direct a licensee or class of licensees to abstain from predatory pricing that is harmful to the overall health of the telecommunication sector, competition, long term development and fair market mechanism” shall be inserted.”

Comment: The Bill through clause 46 (k) empowers the TRAI to decide on ‘predatory pricing’, which falls within the remit of the Competition Commission of India (CCI) which could potentially create jurisdictional overlaps between the two regulators. Even in the past, there has been friction between the two regulators on whether TRAI has jurisdiction to decide on matters relating to competition and predatory pricing in telecom tariffs.^{^[34]} In Competition Commission of India v. Bharti Airtel Limited & Ors^{^[35]}, Supreme Court of India rejected the contention by the incumbent dominant operators (IDOs) that TRAI, as the sectoral regulator, had exclusive jurisdiction to rule on competition-related aspects in the industry. It ruled that if TRAI had determined that the IDOs had formed a cartel or colluded to block Jio’s entry, the CCI then would have jurisdiction to decide whether the IDOs’ actions had an appreciable adverse effect on competition. While TRAI’s powers of sanction were limited by the TRAI Act, the CCI had the power to prescribe and enforce structural remedies to promote genuine competition in the telecom sector. The court prescribed comity between TRAI and the CCI in the discharge of their roles.^{^[36]} Over time, the telecom sector has evolved from being a rudimentary voice service to being a complex data-centric converged service, and even though overlapping jurisdictions cannot be completely wished away,^{^[37]} there is a need for clearly defined roles for various ministries and regulators. And there will also be a need to adopt a consultative approach towards policymaking through inter-departmental consultations, an area that India has thus far been lacking in. As evidenced by the International Telecommunication Union’s (ITU) Global ICT Regulatory Outlook 2020, which ranks India at 94 (out of a total of 193) countries in terms of the maturity and collaborative approach shown by telecom regulatory bodies, lower than countries such as Japan, Singapore, Korea, Pakistan, Kenya, and Nigeria.^{^[38]}

Therefore, inserting such a provision may create more chaos and regulatory uncertainty. It is advisable that the government ensures there are no jurisdictional issues between the two regulators by clearly defining the role of TRAI and inserting provisions to facilitate inter regulatory consultation mechanism.

➔ Clause 48: “If the person committing an offence under this Act is a company, the employee(s) who at the time the offence was committed, was responsible to the company for the conduct of the business relating to the offence, shall be liable to be proceeded against and punished accordingly.”

Comment: While there is a need to ensure that offenders and violators of provisions under this Act are provided with penalties, there is a need to look at ways to ensure that the fear of penalties does not stifle innovation. This legislation intends to bring into its ambit a number of new stakeholders who might not be able to comply with all the requirements due to the inexperience, which could lead to inadvertent offences and violations. The current wording of clause 48, does not make any distinction between offences that were done with prior knowledge and malafide intentions and those done without knowledge of its commission.

Recommendation: We suggest that the Act keeps the wordings in line with similar legislations such as the draft Personal Data Protection Bill 2019. The revised text could have a proviso that reads as “Nothing contained in sub-clause (1) shall render any such person liable to any punishment provided in this Act, if he proves that the offence was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such offence.”

Keeping in mind the existing burden of work both on the executive and the judiciary, and the time sensitive nature of the provisions of the Bill there is a need to look at different, swift, and inexpensive strategies. One possible way could be through Informal Guidances, similar to Security and Exchange Board of India (SEBI)’s Informal Guidance Scheme, which enables regulated entities to approach the Authority for non-binding advice on the position of law.^{^[39]} As there will be a number of new players that will be under the Bill, it would be useful for entities to get guidance. Another possible step could be to use Undertakings, where the regulator enforces the errant party to seek contractual undertakings to take certain remedial steps.^{^[40]}

➔ Clause 51: “Notwithstanding anything contained in any law for the time being in force, where the Central Government, a State Government or a Government of a Union Territory is satisfied that any information, document or record in possession or control of any licensee, registered entity or assignee relating to any telecommunication services, telecommunication network, telecommunication infrastructure or use of spectrum, availed of by any entity or consumer or subscriber is necessary to be furnished in relation to any pending or apprehended civil or criminal proceedings, an officer, specially authorised in writing by such Government in this behalf, shall direct such licensee, registered entity or assignee to furnish such information, document or record to him and the licensee, registered entity or assignee shall comply with the direction of such officer.”

Comment: The requirement to provide information or document even for “pending or apprehended civil or criminal proceedings” is too wide and could be misutilised, specially given the fact that there is no judicial authority making the determination that the information or document is required for such proceedings. Even in clause 91 of the Cr.P.C. , the requirement to provide documents or information is only for existing investigations, inquiries, trials or proceedings. Therefore the requirement to provide information, document or record for apprehended civil proceedings should be deleted.

Additional Comments

➔ Comment: The bill fails to incorporate net neutrality requirements

Technological convergence and vertical integration within the sector make adherence to net neutrality critical to keep discrimination and anti-competitive conduct in check. While extant TRAI regulations, forbid TSPs from discriminating on the basis of content, sender or receiver, protocols or user equipment based on prior arrangements, by slowing down one application or providing fast lanes to another. However, there is lack of clarity on how adherence to net-neutrality principles is currently being monitored. In 2020, TRAI had recommended setting up a Multistakeholder body for monitoring adherence to net neutrality by licensees.^{^[41]} However, the draft bill fails to codify net neutrality requirements and as such non-discriminatory treatment of traffic does not find a mention in the bill or the explanatory note accompanying it.

Recommendation: The government must act on TRAI’s recommendations and set up the multistakeholder body to check adherence to net neutrality requirements by incorporating provisions to that effect.

➔ Comment: There is no provision in the bill that requires the government to report vital statistics and other information relating to the sector. We understand that both TRAI and DoT have taken efforts in publishing those statistics through DoT dashboard and reports such as the annual report, performance indicator reports, and subscriber reports. But, putting reporting requirements in the statute would be better.

Recommendation: In the interest of transparency and accountability, a clause requiring the government to report (quarterly or annually) vital statistics relating to the functioning and financial aspects of matters contained within the draft legislation. The reporting should also include the number of licences provided, licences revoked, number of blocking and suspension orders passed among others.

^{^[1]} “Response to TRAI consultation on Auction of Spectrum in frequency bands identified for IMT/5G”, Centre for Internet and Society, accessed 10 November 2022,https://cis-india.org/telecom/blog/response-to-trai-consultation-auction-of-spectrum-in-frequency-bands-identified-for-imt-5g

^{^[2]} “Response to TRAI Consultation Paper on Regulatory Framework for Over-The-Top (OTT) Communication Services”,Centre for Internet and Society, accessed 10 November 2022, https://cis-india.org/internet-governance/blog/response-to-trai-consultation-paper-on-regulatory-framework-for-over-the-top-ott-communication-services

^{^[3]} “Impact Assessments”, European Commission, accessed 10 November 2022,<https://ec.europa.eu/info/law/law-making-process/planning-and-proposing-law/impact-assessments_en#:~:text=Impact%20assessments%20examine%20whether%20there,support%20the%20decision%2Dmaking%20process.>

^{^[4]} Clause 2(5) defines customer equipment as follows: “ “customer equipment” means equipment deployed on the premises of a person, other than the equipment of the licensee or registered entity, to originate, route or terminate telecommunication, or equipment used by such person for accessing telecommunication services;”

^{^[5]} As defined in clause 2(9) of the draft bill.

^{^[6]} Japan: "Telecommunications service" means intermediating communications of others through the use of telecommunications facilities, or any other acts of providing telecommunications facilities for the use of communications by others; Singapore: “telecommunication service” means any service for telecommunications but excludes any broadcasting service; UK: “electronic communications service” means a service of any of the types specified in subsection (2A) provided by means of an electronic communications network, except so far as it is a content service. Those types of service are— (a)an internet access service; (b)a number-based interpersonal communications service; and (c)any other service consisting in, or having as its principal feature, the conveyance of signals, such as a transmission service used for machine-to-machine services or for broadcasting.

^{^[7]} Muntazir Abbas, “Regulating OTT players complicated: Trai”, The Economic Times, 30 January 2020,<https://economictimes.indiatimes.com/industry/telecom/telecom-policy/regulating-ott-players-complicated-trai/articleshow/73759307.cms?from=mdr >

^{^[8]} Justin Douglas and Amy Land Pejoska, Regulation and Small Business, <https://treasury.gov.au/sites/default/files/2019-03/p2017-t213722-Roundup_Sml_bus_regulation-final.pdf>

^{^[9]} See, for instance, “Features, Whatsapp (2020), <https://www.whatsapp.com/features>; “Signal

Messenger Features”, Signal (2020)

^{^[10]} CIS has recommended this “two layered framework” in its previous submissions to TRAI.

^{^[11]} “Response to TRAI Consultation Paper on Regulatory Framework for Over-The-Top (OTT) Communication Services”,Centre for Internet and Society.

^{^[12]} “Internet Privacy in India”,Centre for Internet and Society, accessed 10 November 2022,https://cis-india.org/telecom/knowledge-repository-on-internet-access/internet-privacy-in-india

^{^[13]}Justice K. Puttaswamy and Others v. Union of India and Others 1 SCC 1 (2019)

^{^[14]}“Judgement in Plain English Constitutionality of Aadhaar Act”, “Supreme Court Observer, accessed 10 November 20222,https://www.scobserver.in/reports/constitutionality-of-aadhaar-justice-k-s-puttaswamy-union-of-india-judgment-in-plain-english/

^{^[15]} “Right to Encrypt : Subset of Right to Privacy?”, SFLC, accessed 10 November 20222,https://sflc.in/right-encrypt-subset-right-privacy

^{^[16]} PTI, “Trai to moot mechanism for KYC-based caller name display”,The Economic Times, 20 May 2022,https://economictimes.indiatimes.com/industry/telecom/telecom-news/trai-to-moot-mechanism-for-kyc-based-caller-name-display/articleshow/91695117.cms?from=mdr

^{^[17]} Palme, Jacob, and Mikael Berglund. "Anonymity on the Internet.” <https://people.dsv.su.se/~jpalme/society/anonymity.pdf >

^{^[18]} Rajat Kathuria, Isha Suri “Why spectrum needs a change in approach”, Indian Express, 20 October 2022, https://indianexpress.com/article/opinion/columns/why-spectrum-needs-a-change-in-approach-8235997/

^{^[19]} Consultation on a Non-Competitive Local Licensing Framework, Including Spectrum in the 3900-3980 MHz Band and Portions of the 26, 28 and 38 GHz Bands - Spectrum management and telecommunications

^{^[20]} Aneesh Phadnis“Extant rules choke growth, telecom bill needs review: Broadband India Forum”, Business Standard, 23 September2022<https://www.business-standard.com/article/companies/extant-rules-choke-growth-telecom-bill-needs-review-broadband-india-forum-122092301265_1.html >

^{^[21]} Highlights of Telecom Subscription Data as on 31st August, 2022, TRAI, accessed 10 November 2022, https://www.trai.gov.in/sites/default/files/PR_No.67of2022.pdf

^{^[22]} “Response to TRAI consultation on Auction of Spectrum in frequency bands identified for IMT/5G”, Centre for Internet and Society.

^{^[23]} Calabrese, M. (2021). Use it or Share It: A New Default Policy for Spectrum Management. Available at SSRN 3762098. <https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3762098_code2826029.pdf?abstractid=3762098&mirid=1 >

^{^[24]} “Guidelines for Implementation of New Public Sector Enterprises (PSEI Policy for CPSEs in Non-Strategic Sector' regarding”, “Government of India Ministry of Finance Department of Public EnterPrises, 10 November 2022, https://dpe.gov.in/sites/default/files/DPE_OM_DTD_13.12.21_Guidelines_on_New_PSE_Policy_0.pdf, Economic Survey 2021-2022, India Budget, accessed 10 November 2022, <https://www.indiabudget.gov.in/economicsurvey/ebook_es2022/index.html#p=86 >

^{^[25]} A similar approach has been taken in the new Occupational Safety, Health and Working Conditions Code, 2020 for registration of establishments under clause 3(3) of the Code.

^{^[26]} Sections 69 and 69A of the Information Technology Act, 2000.

^{^[27]} Anuradha Bhasin vs Union Of India, 3 SCC 637 (2020)

^{^[28]} Explanatory Note to the draft Indian Telecommunication Bill, 2022, Pg. 14.

^{^[29]}“USOF Scheme for Aspirational Districts in 5 states”, “Drishti IAS”, accessed 10 November 2022, https://www.drishtiias.com/daily-updates/daily-news-analysis/usof-scheme-for-aspirational-districts-in-5-states

^{^[30]}“What BharatNet can learn from the rural-roads scheme: involve states, local bodies, private sector” “ Centre for Internet and Society, accessed 10 November 2022, https://cis-india.org/telecom/blog/what-bharatnet-can-learn-from-the-rural-roads-scheme-involve-states-local-bodies-private-sector

^{^[31]} Functions of Authority, clause 11, TRAI Act, 1997.

^{^[32]} Pratap Vikram Singh, “Trai, try again: India’s toothless telecom regulator fights for more powers”, Aug 31, 2021, The Ken, <https://the-ken.com/story/trai-try-again-indias-toothless-telecom-regulator-fights-for-more-powers/>

^{^[33]} Ibid.

^{^[34]} “PTI” “Have power to settle competitive tariff issues: TRAI to CCI”, Aug 7, 2017, The Economic Times, https://economictimes.indiatimes.com/news/economy/policy/have-power-to-settle-competitive-tariff-issues-trai-to-cci/articleshow/59959144.cms?from=mdr

^{^[35]} CIVIL APPEAL NO(S). 11843 OF 2018

^{^[36]} Ibid at Para 90

^{^[37]} “Market Study on the Telecom Sector”, Jan 22, 2021, Competition Commission of India

^{^[38]} Global ICT Regulatory Outlook 2020 - Pointing the way forward to collaborative regulation (2020), ITU, https://www.itu.int/dms_pub/itu-d/opb/pref/D-PREF-BB.REG_OUT01-2020-PDF-E.pdf

^{^[39]}Informal Guidance Scheme of SEBI: Understanding the Concept and Analyzing the Guidance Provided by SEBI, Vijay Kumar Singh https://www.researchgate.net/publication/228226352_Informal_Guidance_Scheme_of_SEBI_Understanding_the_Concept_and_Analyzing_the_Guidance_Provided_by_SEBI>

^{^[40]} We have made similar recommendations to the Personal Data Protection Bill 2019, on the offences and penalties under the Bill. The comments can be viewed here: <https://cis-india.org/accessibility/blog/cis-general-comments-to-the-pdp-bill-2019>

^{^[41]}Recommendations On Traffic Management Practices (TMPs) and MultiStakeholder Body for Net Neutrality, TRAI, accessed 10 November 2022, https://www.trai.gov.in/sites/default/files/Recommendations_22092020_0.pdf

The comments were drafted by Abhishek Raj, Divyank Katira, Isha Suri, Shweta Mohandas and Vipul Kharbanda, and reviewed by Pallavi Bedi. Click to download the submission here

For more details visit https://cis-india.org/telecom/blog/cis-comments-to-draft-indian-telecom-bill-2022

Demystifying Data Breaches in India

Pawan Singh — 2022-10-17T16:14:03Z

Despite the rate at which data breaches occur and are reported in the media, there seems to be little information about how and when they are resolved. This post examines the discourse on data breaches in India with respect to their historical forms, with a focus on how the specific terminology to describe data security incidents has evolved in mainstream news media reportage.

Edited by Arindrajit Basu and Saumyaa Naidu

India saw a 62% drop in data breaches in the first quarter of 2022. Yet, it ranked fifth on the list of countries most hit by cyberattacks according to a 2022 report by Surfshark, a Netherlands-based VPN company. Another report on the cost of data breaches researched by the Ponemon Institute and published by IBM reveals that the breach of about 29500 records between March 2021 and March 2022 resulted in a 25% increase in the average cost from INR 165 million in 2021 to INR 176 million in 2022.

These statistics are certainly a cause for concern, especially in the context of India’s rapidly burgeoning digital economy shaped by the pervasive platformization of private and public services such as welfare, banking, finance, health, and shopping among others. Despite the rate at which data breaches occur and are reported in the media, there seems to be little information about how and when they are resolved. This post examines the discourse on data breaches in India with respect to their historical forms, with a focus on how the specific terminology to describe data security incidents has evolved in mainstream news media reportage.

While expert articulations of cybersecurity in general and data breaches in particular tend to predominate the public discourse on data privacy, this post aims to situate broader understandings of data breaches within the historical context of India’s IT revolution and delve into specific concepts and terminology that have shaped the broader discourse on data protection. The late 1990s and early 2000s offer a useful point of entry into the genesis of the data security landscape in India.

Data Breaches and their Predecessor Forms

The articulation of data security concerns around the late 1990s and early 2000s isn’t always consistent in deploying the phrase, ‘data breach’ to signal cybersecurity concerns in India. The terms such as ‘data/ identity theft’ and ‘data leak’ figure prominently in the public articulation of concerns with the handling of personal information by IT systems, particularly in the context of business process outsourcing (BPO) and e-commerce activities. Other pertinent terms such as “security breach”, “data security”, and ‘“cyberfraud” also capture the specificity of growing concerns around outsourced data to India. At the time, i.e. around mid-2000s regulatory frameworks were still evolving to accommodate and address the complexities arising from a dynamic reconfiguration of the telecommunications and IT landscape in India.

Some of the formative cases that instantiate the usage of the aforementioned terms are instructive to understand shifts in the reporting of such incidents over time. The earliest case during that period concerns a 2002 case concerning the theft and sale of source code by an IIT Kharagpur student who intended to sell the code to two undercover FBI agents who worked with the CBI to catch the thief. A straightforward case of data theft was framed by media stories around the time as a cybercrime involving the illegal sale of the source code of a software package, as software theft of intellectual property in the context of outsourcing and as an instance of industrial espionage in poor nations without laws protecting foreign companies. This case became the basis of the earliest calls for the protection of data privacy and security in the context of the Indian BPO sector. The Indian IT Act, 2000 at the time only covered unauthorized access and data theft from computers and networks without any provisions for data protection, interception or computer forgery. The BPO boom in India brought with it employment opportunities for India’s English-speaking, educated youth but in the absence of concrete data privacy legislation, the country was regarded as an unsafe destination for outsourcing aside from the political ramifications concerning the loss of American jobs.

In a major 2005 incident, employees of the Mphasis BFL call centre in Pune extracted sensitive bank account information of Citibank’s American customers to divert INR 1.90 crore into new accounts set up in India. The media coverage of this incident calls it India’s first outsourcing cyberfraud and a well planned scam, a cybercrime in a globalized world, and a case of financial fraud and a scam that required no hacking skills, and a case of data theft and misuse. Within the ambit of cybercrime, media reports of these incidents refer to them as cases of “fraud”, “scam” and “theft''.

Two other incidents in 2005 set the trend for a critical spotlight on data security practices in India. In a June 2005 incident, an employee of a Delhi-based BPO firm, Infinity e-systems, sold the account numbers and passwords of 1000 bank customers to the British Tabloid, The Sun. The Indian newspaper, Telegraph India, carried an online story headlined, “BPO Blot in British Backlash: Indian Sells Secret Data,” which reported that the employee, Kkaran Bahree, 24, was set up by a British journalist, Oliver Harvey. Harvey filmed Bahree accepting wads of cash for the stolen data. Bahree’s theft of sensitive information is described both as a data fraud and a leak in the above 2005 BBC story by Soutik Biswar. Another story on the incident calls it a “scam” involving the leakage of credit card information. The use of the term ‘leak’ appears consistently across other media accounts such as a 2005 story on Karan Bahree in the Times of India and another story in the Economic Times about the Australian Broadcasting Corporation’s (ABC) sting operation similar to the one in Delhi, describing the scam by the fraudsters as a leak of the online information of Australians. Another media account of the coverage describes the incident in more generic terms such as an “outsourcing crime”.

The other case concerned four former employees of Parsec technologies who stole classified information and diverted calls from potential customers, causing a sudden drop in the productivity of call centres managed by the company in November 2005. Another call centre fraud came to light in 2009 through a BBC sting operation in which British reporters went to Delhi and secretly filmed a deal with a man selling credit card and debit card details obtained from Symantec call centres, which sold software made by Norton. This BBC story uses the term “breach” to refer to the incident.

In the broader framing of these cases generally understood as cybercrime, which received transnational media coverage, the terms “fraud”, “leak”, “scam”, and “theft” appear interchangeably. The term “data breach” does not seem to be a popular or common usage in these media accounts of the BPO-related incidents. A broader sense of breach (of confidentiality, privacy) figures in the media reportage in implicitly racial terms of cultural trust, as a matter of ethics and professionalism and in the language of scandal in some cases.

These early cases typify a specific kind of cybercrime concerning the theft or misappropriation of outsourced personal data belonging to British or American residents. What’s remarkable about these cases is the utmost sensitivity of the stolen personal information including financial details, bank account and credit/debit card numbers, passwords, and in one case, source code. While these cases rang the alarm bells on the Indian BPO sector’s data security protocols, they also directed attention to concerns around the training of Indian employees on the ethics of data confidentiality and vetting through psychometric tests for character assessment. In the wake of these incidents, the National Association of Software and Service Companies (NASSCOM), an Indian non-governmental trade and advocacy group, launched a National Skills Registry for IT professionals to enable employers to conduct background checks in 2006.

These data theft incidents earned India a global reputation of an unsafe destination for business process outsourcing, seen to be lacking both, a culture of maintaining data confidentiality and concrete legislation for data protection at the time. Importantly, the incidents of data theft or misappropriation were also traceable back to a known source, a BPO employee or a group of malefactors, who often sold sensitive data belonging to foreign nationals to others in India.

The phrase “data leak” also caught on in another register in the context of the widespread use of camera-equipped mobile phones in India. The 2004 Delhi MMS case offers an instance of a date leak, recapitulating the language of scandal in moralistic terms.

The Delhi MMS Case

The infamous 2004 incident involved two underage Delhi Public School (DPS) students who recorded themselves in a sexually explicit act on a cellular phone. After a fall out, the male student passed the low-resolution clip on to his friend in which his female friend’s face is seen. The clip, distributed far and wide in India, ended up on the famous e-shopping and auction website, bazee.com leading to the arrest of the website’s CEO Avinash Bajaj for hosting the listing for sale. Another similar case in 2004 mimicked the mechanics of visual capture through hand-held MMS-enabled mobile phones. A two-minute MMS of a top South-Indian actress taking a shower went viral on the Internet in 2004, the year when another MMS of two prominent Bollywood actors kissing had already done the rounds. The MMS case also marked the onset of a national moral panic around the amateur uses of mobile phone technologies, capable of corrupting young Indian minds under a sneaky regime of new media modernity. The MMS case, not strictly the classic case of a data breach - non-visual information generally stored in databases - became an iconic case of a data leak framed in the media as a scandal that shocked the country, with calls for the regulation of mobile phone use in schools. The case continued its scandalous afterlife in a 2009 Bollywood film, Dev D and another 2010 film, Love, Sex and Dhokha,

Taken together, the BPO data thefts and frauds and the data leak scandals prefigure the contemporary discourse on data breaches in the second decade of the 21st century, or what may also be called the Decade of Datafication. The launch of the Indian biometric identity project, Aadhaar, in 2009, which linked access to public services and welfare delivery with biometric identification, resulted in large-scale data collection of the scheme’s subscribers. Such linking raised the spectre of state surveillance as alleged by the critics of Aadhaar, marking a watershed moment in the discourse on data privacy and protection.

Aadhaar Data Security and Other Data Breaches

Aadhaar was challenged in the Indian Supreme Court in 2012 when it was made mandatory for welfare and other services such as banking, taxation and mobile telephony. The national debate on the status of privacy as a cultural practice in Indian society and a fundamental right in the Indian Constitution led to two landmark judgments - the 2017 Puttaswamy ruling holding privacy to be a constitutional right subject to limitations and the 2018 Supreme Court judgment holding mandatory Aadhaar to be constitutional only for welfare and taxation but no other service.

While these judgments sought to rein in Aadhaar’s proliferating mandatory uses, biometric verification remained the most common mode of identity authentication with most organizations claiming it to be mandatory for various purposes. During the same period from 2010 onwards, a range of data security events concerning Aadhaar came to light. These included app-based flaws, government websites publishing Aadhaar details of subscribers, third party leaks of demographic data, duplicate and forged Aadhaar cards and other misuses.

In 2015, the Indian government launched its ambitious Digital India Campaign to provide government services to Indian citizens through online platforms. Yet, data security breach incidents continued to increase, particularly the trade in the sale and purchase of sensitive financial information related to bank accounts and credit card numbers. The online availability of a rich trove of data, accessible via a simple Google search without the use of any extractive software or hacking skills within a thriving shadow economy of data buyers and sellers makes India a particularly vulnerable digital economy, especially in the absence of robust legislation. The lack of awareness around digital crimes and low digital literacy further exacerbates the situation given that datafication via government portals, e-commerce, and online apps has outpaced the enforcement of legislative frameworks for data protection and cybersecurity.

In the context of Aadhaar data security issues, the term “data leak” seems to have more traction in media stories followed by the term “security breach”. Given the complexity of the myriad ways in which Aadhaar data has been breached, terms such as data leak and exposure (of 11 crore Indian farmers’ sensitive information) add to the specificity of the data security compromise. The term “fraud” also makes a comeback in the context of Aadhaar-related data security incidents. These cases represent a mix of data frauds involving fake identities, theft of thumb prints for instance from land registries and inadvertent data leaks in numerous incidents involving government employees in Jharkhand, voter ID information of Indian citizens in Andhra Pradesh and Telangana and activist reports of Indian government websites leaking Aadhaar data.

Aadhaar-related data security events parallel the increase in corporate data breaches during the decade of datafication. The term “data leak” again alternates with the term “data breach” in most media accounts while other terms such as “theft” and “scam” all but disappear in the media coverage of corporate data breaches.

From 2016 onwards, incidents of corporate data breaches in India continued to rise. A massive debit card data breach involving the YES Bank ATMs and point-of-sale (PoS) machines compromised through malware between May and July of 2016 resulted in the exposure of ATM PINs and non-personal identifiable information of customers. It went undetected for nearly three months. Another data leak in 2018 concerned a system run by Indane, a state-owned utility company, which allowed anyone to download private information on all Aadhaar holders including their names, services they were connected to and the unique 12-digit Aadhaar number. Data breaches continued to be reported in India concurrent with the incidents of data mismanagement related to Aadhaar. Some prominent data breaches included a cyberattack on the systems of airline data service provider SITA resulting in the leak of Air India passenger data, leakage of the personal details of the Common Admission Test (CAT) applicants, details of credit card and order preferences of Domino’s pizza customers on the dark web, leakage of COVID-19 patients’ test results leaked by government websites, user data of Justpay and Big Basket for sale on the dark web and an SBI data breach among others between 2019 and 2021.

The media reportage of these data breaches use the term “cyberattack” to describe the activities of hackers and cybercriminals operating within a shadow economy or the dark web. Recent examples of cyberattacks by hackers who leak user data for sale on the dark web include 8.2 terabytes of 110 million sensitive financial data (KYC details, Aadhaar, credit/debit cards and phone numbers) of the payments app MobiKwik users, 180 million Domino’s pizza orders (name, location, emails, mobile numbers), and Flipkart’s Cleartrip users’ data. In these incidents again, three terms appear prominently in the media reportage - cyberattack, data breach, and leak. The term “data breach” remains the most frequently used epithet in the media coverage of the lapses of data security. While it alternates with the term “leak” in the stories, the term “data breach” appears consistently across most headlines in the news stories.

The exposure of sensitive, personal, and non-personal data by public and private entities in India is certainly a cause for concern, given the ongoing data protection legislative vacuum.

The media coverage of data breaches tends to emphasize the quantum of compromised user data aside from the types of data exposed. The media framing of these breaches in quantitative terms of financial loss as well as the magnitude and the number of breaches certainly highlights the gravity of these incidents but harm to individual users is often not addressed.

Evolving Terminology and the Source of Data Harms

The main difference in the media reportage of the BPO cybersecurity incidents during the early aughts and the contemporary context of datafication is the usage of the term, “data breach”, which figures prominently in contemporary reportage of data security incidents but not so much in the BPO-related cybercrimes.

THe BPO incidents of data theft and the attendant fraud must be understood in the context of the anxieties brought on by a globalizing world of Internet-enabled systems and transnational communications. In most of these incidents regarded as cybercrimes, the language of fraud and scam ventures further to attribute such illegal actions of the identifiable malefactors to cultural factors such as lack of ethics and professionalism.The usage of the term “data leak” in these media reports functions more specifically to underscore a broader lapse in data security as well as a lack of robust cybersecurity laws. The broader term, “breach”, is occasionally used to refer to these incidents but the term, “data breach” doesn’t appear as such.

The term “data breach” gains more prominence in media accounts from 2009 onwards in the context of Aadhaar and the online delivery of goods and services by public and private players. The term “data breach” is often used interchangeably with the term “leak” within the broader ambit of cyberattacks in the corporate sector. The media reportage frames Aadhaar-related security lapses as instances of security/data breaches, data leaks, fraud, and occasionally scam.

In contrast to the handful of data security cases in the BPO sector, data breaches have abounded in the second decade of the twenty-first century. What further differentiates the BPO-related incidents to the contemporary data breaches is the source of the data security lapse. Most corporate data breaches remain attributable to the actions of hackers and cybercriminals while the BPO security lapses were traceable back to ex-employees or insiders with access to sensitive data. We also see in the coverage of the BPO-related incidents, the attribution of such data security lapses to cultural factors including a lack of ethics and professionalism often in racial overtones. The media reportage of the BBC and ABC sting operations suggests that the India BPOs lack of preparedness to handle and maintain personal data confidentiality of foreigners point to the absence of a privacy culture in India. Interestingly, this transnational attribution recurs in a different form in the national debate on Aadhaar and how Indians don’t care about their privacy.

The question of the harms of data breaches to individuals is also an important one. In the discourse on contemporary data breaches, the actual material harm to an individual user is rarely ever established in the media reportage and generally framed as potential harm that could be devastating given the sensitivity of the compromised data. The harm is reported to be predominantly a function of organizational cybersecurity weakness or attributed to hackers and cybercriminals.

The reporting of harm in collective terms of the number of accounts breached, financial costs of a data breach, the sheer number of breaches and the global rankings of countries with the highest reported cases certainly suggests a problem with cybersecurity and the lack of organizational preparedness. However, this collective framing of a data breach’s impact usually elides an individual user’s experience of harm. Even in the case of Aadhaar-related breaches - a mix of leaking data on government websites and other online portals and breaches - the notion of harm owing to exposed data isn’t clearly established. This is, however, different from the extensively documented cases of Aadhaar-related issues in which welfare benefits have been denied, identities stolen and legitimate beneficiaries erased from the system due to technological errors.

Future Directions of Research

This brief, qualitative foray into the media coverage of data breaches over two decades has aimed to trace the usage of various terms in two different contexts - the Indian BPO-related incidents and the contemporary context of datafication. It would be worth exploring at length, the relationship between frequent reports of data breaches, and the language used to convey harm in the contemporary context of a concrete data protection legislation vacuum. It would be instructive to examine the specific uses of the terms such as “fraud”, “leak”, “scam”, “theft” and “breach” in media reporting of such data security incidents more exhaustively. Such analysis would elucidate how media reportage shapes public perception towards the safety of user data and an anticipation of attendant harm as data protection legislation continues to evolve.

Especially with Aadhaar, which represents a paradigm shift in identity verification through digital means, it would be useful to conduct a sentiment analysis of how biometric identity related frauds, scams, and leaks are reported by the mainstream news media. A study of user attitudes and behaviours in response to the specific terminology of data security lapses such as the terms “breach”, “leak”, “fraud”, “scam”, “cybercrime”, and “cyberattack” would further contribute to how lay users understand the gravity of a data security lapse. Such research would go beyond expert understandings of data security incidents that tend to dominate media reportage to elucidate the concerns of lay users and further clarify the cultural meanings of data privacy.

For more details visit https://cis-india.org/internet-governance/blog/demistifying-data-breaches-in-india

Getting the (Digital) Indo-Pacific Economic Framework Right

arindrajit — 2022-10-03T14:56:22Z

On the eve of the Tokyo Quad Summit in May 2022, President Biden unveiled the Indo-Pacific Economic Framework (IPEF), visualising cooperation across the Indo-Pacific based on four pillars: trade; supply chains; clean energy, decarbonisation and infrastructure; and tax and anti-corruption. Galvanised by the US, the other 13 founding members of the IPEF are Australia, Brunei Darussalam, India, Indonesia, Japan, Republic of Korea, Malaysia, New Zealand, Philippines, Singapore, Thailand and Vietnam. The first official in-person Ministerial meeting was held in Los Angeles on 9 September 2022.

The article was originally published in Directions on 16 September 2022.

It is still early days. Given the broad and noncommittal scope of the economic arrangement, it is unlikely that the IPEF will lead to a trade deal among members in the short run. Instead, experts believe that this new arrangement is designed to serve as a ‘framework or starting point’ for members to cooperate on geo-economic issues relevant to the Indo-Pacific, buoyed in no small part by the United States’ desire to make up lost ground and counter Chinese economic influence in the region.

United States Trade Representative (USTR) Katherine Tai has underscored the relevance of the Indo-Pacific digital economy to the US agenda with the IPEF. She has emphasized the importance of collaboratively addressing key connectivity and technology challenges, including standards on cross-border data flows, data localisation and online privacy, as well as the discriminatory and unethical use of artificial intelligence. This is an ambitious agenda given the divergence among members in terms of technological advancement, domestic policy preferences and international negotiating stances at digital trade forums. There is a significant risk that imposing external standards or values on this evolving and politically-contested digital economy landscape will not work, and may even undermine the core potential of the IPEF in the Indo-Pacific. This post evaluates the domestic policy preferences and strategic interests of the Framework’s member states, and how the IPEF can navigate key points of divergence in order to achieve meaningful outcomes.

State of domestic digital policy among IPEF members

Data localisation is a core point of divergence in global digital policymaking. It continues to dominate discourse and trigger dissent at all international trade forums, including the World Trade Organization. IPEF members have a range of domestic mandates restricting cross-border flows, which vary in scope, format and rigidity (see table below). Most countries only have a conditional data localisation requirement, meaning data can only be transferred to countries where it is accorded an equivalent level of protection – unless the individual whose data is being transferred consents to said transfer. Australia and the United States have sectoral localisation requirements for health and defence data respectively. India presently has multiple sectoral data localisation requirements. In particular, a 2018 Reserve Bank of India (RBI) directive imposed strict local storage requirements along with a 24-hour window for foreign processing of payments data generated in India. The RBI imposed a moratorium on the issuance of new cards by several US-based card companies until compliance issues with the data localisation directive were resolved. Furthermore, several iterations of India’s recently withdrawn Personal Data Protection Bill contained localisation requirements for some categories of personal data.

Indonesia and Vietnam have diluted the scopes of their data localisation mandates to apply, respectively, only to companies providing public services and to companies not complying with other local laws. These dilutions may have occurred in response to concerted pushback from foreign technology companies operating in these countries. In addition to sectoral restrictions on the transfer of geospatial data, South Korea retains several procedural checks on cross-border flows, including formalities regarding providing notice to individual users.

Moving onto another issue flagged by USTR Tai, while all IPEF members recognise the right to information privacy at an overarching or constitutional level, the legal and policy contours of data protection are at different stages of evolution in different countries. Japan, South Korea, Malaysia, New Zealand, Philippines, Singapore and Thailand have data protection frameworks in place. Data protection frameworks in India and Brunei are under consultation. Notably, the US does not have a comprehensive federal framework on data privacy, although there are patchworks of data privacy regulations at both the federal and state levels.

Regulation and strategic thinking on artificial intelligence (AI) are also at varying levels of development among IPEF members. India has produced a slew of policy papers on Responsible Artificial Intelligence. The most recent policy paper published by NITI AAYOG (the Indian government’s think tank) refers to constitutional values and endorses a risk-based approach to AI regulation, much like that adopted by the EU. The US National Security Commission on Artificial Intelligence (NSCAI), chaired by Google CEO Eric Schmidt, expressed concerns about the US ceding AI leadership ground to China. The NSCAI’s final report emphasised the need for US leadership of a ‘coalition of democracies’ as an alternative to China’s autocratic and control-oriented model. Singapore has also made key strides on trusted AI, launching A.I. verify – the world’s first AI Governance Testing Framework for companies that wish to demonstrate their use of responsible AI through a minimum verifiable product.

IPEF and pipe dreams of digital trade

Some members of the IPEF are signatories to other regional trade agreements. With the exception of Fiji, India and the US, all the IPEF countries are members of the Regional Comprehensive Economic Partnership (RCEP), which also includes China. Five IPEF member countries are also members of the Comprehensive and Progressive Trans-Pacific Partnership (CPTPP) that President Trump backed out of in 2017. Several IPEF members also have bilateral or trilateral trading agreements among themselves, an example being the Digital Economic Partnership Agreement (DEPA) between Singapore, New Zealand and Chile.

All these ‘mega-regional’ trading agreements contain provisions on data flows, including prohibitions on domestic legal provisions that mandate local computing facilities or restrict cross-border data transfers. Notably, these agreements also incorporate exceptions to these rules. The CPTPP includes within its ambit an exception on the grounds of ‘legitimate public policy objectives’ of the member, while the RCEP incorporates an additional exception for ‘essential security interests’.

IPEF members are also spearheading multilateral efforts related to the digital economy: Australia, Japan and Singapore are working as convenors of the plurilateral Joint Statement Initiative (JSI) at the World Trade Organization (WTO), which counts 86 WTO members as parties. India (along with South Africa) vehemently opposes this plurilateral push on the grounds that the WTO is a multilateral forum functioning on consensus and a plurilateral trade agreement should not be negotiated within the aegis of the WTO. They fear, rightly, that such gambits close out the domestic policy space, especially for evolving digital economy regimes where keen debate and contestation exist among domestic stakeholders. While wary of the implications of the JSI, other IPEF members, such as Indonesia, have cautiously joined the initiative to ensure that they have a voice at the table.

It is unlikely that the IPEF will lead to a digital trade arrangement in the short run. Policymaking on issues as complex as the digital economy that must respond to specific social, economic and (geo)political realities cannot be steamrolled through external trade agreements. For instance, after the Los Angeles Ministerial India opted out of the IPEF trade pillar citing both India’s evolving domestic legislative framework on data and privacy as well as a broader lack of consensus among IPEF members on several issues, including digital trade. Commerce Minister Piyush Goyal explained that India would wait for the “final contours” of the digital trade track to emerge before making any commitments.

Besides, brokering a trade agreement through the IPEF runs a risk of redundancy. Already, there exists a ‘spaghetti bowl’ of regional trading agreements that IPEF members can choose from, in addition to forming bilateral trade ties with each other.

This is why Washington has been clear about calling the IPEF an ‘economic arrangement’ and not a trade agreement. Membership does not imply any legal obligations. Rather than duplicating ongoing efforts or setting unrealistic targets, the IPEF is an opportunity for all players to shape conversations, share best practices and reach compromises, which could feed back into ongoing efforts to negotiate trade deals. For example, several members of RCEP have domestic data localisation mandates that do not violate trade deals because the agreement carves out exceptions that legitimise domestic policy decisions. Exchanges on how these exceptions work in future trade agreements could be a part of the IPEF arrangement and nudge states towards framing digital trade negotiations through other channels, including at the WTO. Furthermore, states like Singapore that have launched AI self-governance mechanisms could share best practices on how these mechanisms were developed as well as evaluations of how they have helped policy goals be met. And these exchanges shouldn’t be limited to existing IPEF members. If the forum works well, countries that share strategic interests in the region with IPEF members, including, most notably, the European Union, may also want to get involved and further develop partnerships in the region.

Countering China

Talking shop on digital trade should certainly not be the only objective of the IPEF. The US has made it clear that they want the message emanating from the IPEF ‘to be heard in Beijing’. Indeed, the IPEF offers an opportunity for the reassertion of US economic interests in a region where President Trump’s withdrawal from the CPTPP has left a vacuum for China to fill. Accordingly, it is no surprise that the IPEF has representation from several regions of the Indo-Pacific: South Asia, Southeast Asia and the Pacific.

This should be an urgent policy priority for all IPEF members. Since its initial announcement in 2015, the Digital Silk Road (DSR), the digital arm of China’s Belt and Road Initiative, has spearheaded massive investments by the Chinese private sector (allegedly under close control of the Chinese state) in e-commerce, fintech, smart cities, data centres, fibre optic cables and telecom networks. This expansion has also happened in the Indo-Pacific, unhampered by China’s aggressive geopolitical posturing in the region through maritime land grabs in the South China Sea. With the exception of Vietnam, which remains wary of China’s economic expansionism, countries in Southeast Asia welcome Chinese investments, extolling their developmental benefits. Several IPEF members – including Indonesia, Malaysia and Singapore – have associations with Chinese private sector companies, predominantly Huawei and ZTE. A study evaluating Indonesia’s response to such investments indicates that while they are aware of the risks posed by Chinese infrastructure, their calculus remains unaltered: development and capacity building remain their primary focuses. Furthermore, on the specific question of surveillance, given evidence of other countries such as the US and Australia also using digital infrastructure for surveillance, the threat from China is not perceived as a unique risk.

Setting expectations and approaches

Still, the risks of excessive dependence on one country for the development of digital infrastructure are well known. While the IPEF cannot realistically expect to displace the DSR, it can be utilised to provide countries with alternatives. This can only be done by issuing carrots rather than sticks. A US narrative extolling ‘digital democracy’ is unlikely to gain traction in a region characterised by a diversity of political systems that is focused on economic and development needs. At the same time, an excessive focus on thorny domestic policy issues – such as data localisation and the pipe dream of yet another mega-regional trade deal – could risk derailing the geo-economic benefits of the IPEF.

Instead, the IPEF must focus on capacity building, training and private sector investment in infrastructure across the Indo-Pacific. The US must position itself as a geopolitically reliable ally, interested in the overall stability of the digital Indo-Pacific, beyond its own economic or policy preferences. This applies equally to other external actors, like the EU, who may be interested in engaging with or shaping the digital economic landscape in the Indo-Pacific.

Countering Chinese economic influence and complementing security agendas set through other fora – such as the Quadrilateral Security Dialogue – should be the primary objective of the IPEF. It is crucial that unrealistic ambitions seeking convergence on values or domestic policy do not undermine strategic interests and dilute the immense potential of the IPEF in catalysing a more competitive and secure digital Indo-Pacific.

Table: Domestic policy positions on data localisation and data protection

For more details visit https://cis-india.org/internet-governance/blog/directions-cyber-digital-europe-arindrajit-basu-september-16-2022-getting-the-digital-indo-pacific-economic-framework-right

Surveillance Enabling Identity Systems in Africa: Tracing the Fingerprints of Aadhaar

Shruti Trikanad and Vrinda Bhandari — 2022-08-09T08:17:32Z

Biometric identity systems are being introduced around the world with a focus on promoting human development and social and economic inclusion, rather than previous goals of security. As a result, these systems being encouraged in developing countries, particularly in Africa and Asia, sometimes with disastrous consequences.

In this report, we identify the different external actors that influencing this “developmental” agenda. These range from philanthropic organisations, private companies, and technology vendors, to state and international institutions. Most notable among these is the World Bank, whose influence we investigated in the form of case studies of Nigeria and Kenya. We also explored the role played by the “success” of the Aadhaar programme in India on these new ID systems. A key characteristic of the growing “digital identity for development” trend is the consolidation of different databases that record beneficiary data for government programmes into one unified platform, accessed by a unique biometric ID. This “Aadhaar model” has emerged as a default model to be adopted in developing countries, with little concern for the risks it introduces. Read and download the full report here.

For more details visit https://cis-india.org/internet-governance/blog/surveillance-enabling-identity-systems-in-africa-tracing-the-fingerprints-of-aadhaar

Surveillance Enabling Identity Systems in Africa

Shruti Trikanad and Vrinda Bhandari — 2022-08-09T08:13:34Z

For more details visit https://cis-india.org/internet-governance/surveillance-enabling-identity-systems-in-africa

Name	Domain	IP Address[26]	Country	ASN Name and Number
SafeNet	safenet.family	103.10.24.124	India	Amrita Vishwa Vidyapeetham, AS58703
OneMonitar	onemonitar.com	3.15.113.141	United States	Amazon.com, Inc., AS16509
OneMonitar	api.cp.onemonitar.com	3.23.25.254	United States	Amazon.com, Inc., AS16509
Hoverwatch	hoverwatch.com	104.236.73.120	United States	DigitalOcean, LLC, AS14061
Hoverwatch	a.syncvch.com	158.69.24.236	Canada	OVH SAS, AS16276
TheTruthSpy	thetruthspy.com	172.67.174.162	United States	Cloudflare, Inc., AS13335
TheTruthSpy	protocol-a946.thetruthspy.com	176.123.5.22	Moldova	ALEXHOST SRL, AS200019
Cerberus	cerberusapp.com	104.26.9.137	United States	Cloudflare, Inc., AS13335
mSpy	mspy.com	104.22.76.136	United States	Cloudflare, Inc., AS13335
mSpy	mobile-gw.thd.cc	104.26.4.141	United States	Cloudflare, Inc., AS13335
FlexiSPY	flexispy.com	104.26.9.173	United States	Cloudflare, Inc., AS13335
FlexiSPY	djp.bz	119.8.35.235	Hong Kong	HUAWEI CLOUDS, AS136907

Product	VirusTotal Detections (March 2024)	VirusTotal Detections (January 2019) (By Citizen Lab)
SafeNet [29]	0/67 (0 %)	N/A
OneMonitar [30]	17/65 (26.1%)	N/A
Hoverwatch	24/58 (41.4%)	22/59 (37.3%)
TheTruthSpy	38/66 (57.6%)	0
Cerberus	8/62 (12.9%)	6/63 (9.5%)
mSpy	8/63 (12.7%)	20/63 (31.7%)
Flexispy [31]	18/66 (27.3%)	34/63 (54.0%)

Product	Detected by Play Protect (March 2024)	Detected by Play Protect (January 2019) (By Citizen Lab)
SafeNet	no	N/A
OneMonitar	yes	N/A
Hoverwatch	yes	yes
TheTruthSpy	yes	yes
Cerberus	yes	no
mSpy	yes	yes
Flexispy	yes	yes