Democratic governments must be accountable to the public and provide a rationale for disrupting Internet services in a timely manner. In the interest of transparency, all governments should document the reasons, time, alternatives considered, decision-making authorities and the rules under which the shutdowns were imposed and release the documents for public scrutiny. This is the way civil society can hold governments to the high standards of transparency and accountability that befits a democracy.Indiscriminate Internet blockades are not likely to safeguard public order in today’s time and age. Indiscriminate shutdowns have high social and economic costs and are often ineffective. A proportionality and necessity test and cost-benefit analysis to determine the right course of action are essential at this juncture. Indian civil society needs to push for a transparent and accountable system which ensures better Internet governance.Read the whole post here.

Rohan is a technology policy analyst at The Takshashila Institution.

This article was first published in Deccan Chronicle.

Mastodon is what’s happening in India right now. Indian Twitter users are moving to the platform and have taken to using hashtags such as #CasteistTwitter and #cancelallBlueTicksinIndia. A key reason for this to transpire is that Twitter has been, to put it mildly, less than perfect, in moderating content in India. There is the incident with lawyer Sanjay Hegde that caused this to blow up, along with accusations that Twitter had been blocking hundreds and thousands of tweets in India since 2017 with a focus on accounts from Kashmir.Enter Mastodon. The platform, developed by developer Eugen Rochko, is opensourced, so no one entity gets to decide what content belongs on the communities there. Also, the data on Mastodon is not owned by one single corporation, so you know that your behavior on there is not being quantified and being sold to people who would use that to profile and target you.Plus, each server (community) has a relatively small size with a separate admin, moderator, and by extension, code of conduct. All of this sounds wonderful. The character count is also 500 words as opposed to 280 (if that is the sort of thing you consider to be an advantage).Mastodon is moving the needle forward by a significant increment when it comes to social networking. The idea is for us to move towards a future where user data isn’t monetised and people can host their own servers instead. As a tech enthusiast, that sounds wonderful and I honestly wish that this is what Twitter should have been.Keeping all of that in mind, I don’t think I will be joining Mastodon. Hear me out. A large part of it is not because Mastodon does not have its own problems, let’s set that aside for now and move on to the attention economy. Much like how goods and services compete for a share of your wallet, social media has for the longest time been competing for attention and mind-space. Because the more time you spend on the platform, the more ads you will see and the more money they will make. No wonder it is so hard to quit Instagram and Facebook.Joining a new platform for social media today is an investment that does not make sense unless the other one shuts down. There is a high chance of people initially quitting Twitter, only to come back to it while being addicted to another platform. The more platforms you are on, the thinner your attention is stretched. That is objectively bad for anyone who thinks they spend a lot of time on their phone.If you’re lucky to be one of the few people who do not suffer from that and are indifferent to the dopamine that notifications induce in your brain, this one doesn’t apply to you. Then there is the network effect and inertia. I for one, am for moving the needle forward little by little. But here, there is little to gain right now, with more to lose.Network effects are when products (in this case, platforms), gain value when more people use them. So, it makes sense for you to use WhatsApp and not Signal, as all your friends are on WhatsApp. Similarly, it makes sense for you to be on Twitter as your favorite celebs and news outlets are on there. Mastodon does not have the network effect advantage, so most people who do not specifically have their network on Mastodon, do not get a lot of value out of using it.In addition, there is inertia. Remember when we set aside Mastodon’s problems earlier, here is where they fit in. Mastodon is not as intuitive as using Twitter or Facebook. That makes it a deal-breaker for people of certain ages and also happens to be a significant con for people who don’t want to spend a non-trivial chunk of their time learning about servers, instances, toots, and so on.There also isn’t an official Mastodon app, however, there are a bunch of client apps that can be used instead, most popular among them is Tusky, but reviews will tell you that it is fairly buggy and that is to be expected. There is so much right with Mastodon. It is a great working example of the democratisation of social media. It also happens to exist in an age where it would be near impossible to get funding for or to start a new social media platform. The problem is that for people who don’t explicitly feel the need or see the value in joining Mastodon, are unlikely to split their attention further by joining a new platform. The switching costs, network effects, and inertia are simply too high.Rohan is a policy analyst at The Takshashila Institution and the co-author of Data Localization in a Globalized World: An Indian Perspective.This article was first published in Deccan Chronicle.

Advancements in Artificial Intelligence (AI) technologies over the next decade will have a profound impact on the nature of warfare. Increasing use of precision weapons, training simulations and unmanned vehicles are merely the tip of the iceberg. AI technologies, going forward, will not only have a direct battlefield impact in terms of weapons and equipment but will also impact planning, logistics and decision-making, requiring new ethical and doctrinal thinking. From an Indian perspective, China’s strategic focus on leveraging AI has serious national security implications.Read the full article on the Deccan Herald website.

As a global community, we should have a more visible and informed choice in what content we want to consume.The full article is available here.Rohan is a Policy Analyst at The Takshashila Institution.

Over the course of the last few weeks, we have seen Facebook and Twitter take opposing views on the issue of political ads. While the issue itself does not have an immediate implication for Indian politics, the decisions of the two companies, their actions throughout the episode and reactions to them are emblematic of the larger set of problems surrounding their policies. They serve as a reminder that we should not expect these platforms to be neutral places in the context of public discourse solely through self-regulation.

In late October, Facebook infamously announced that it would not fact-check political ads. Shortly after that, Twitter’s CEO Jack Dorsey announced via Twitter that the company would not allow any political ads after November 22. And though Twitter is not alone in this approach, its role in public discourse differs from other companies like LinkedIn, TikTok etc. that already have similar policies. Google is reportedly due to announce its own policy soon. At face-value, it may seem that one of these approaches is far better than the other, but a deeper look brings forth the challenges both will find hard to overcome. Google, meanwhile, announced a new political ads policy on November 20. Its policy aims to limit micro-targeting across search, display and YouTube ads. Crucially, it reiterated that no advertisers (political or otherwise) are allowed to make misleading claims.

Potential for misuse

To demonstrate the drawbacks of Facebook’s policy, US lawmaker Elizabeth Warren’s Presidential campaign deliberately published an ad with a false claim about Facebook CEO Mark Zuckerberg. In another instance, Adriel Hampton, an activist, signed up as a candidate for California’s 2022 gubernatorial election so that he could publish ads with misleading claims (he was ultimately not allowed to do so).

While Twitter’s policy disallows ads from candidates, parties and political groups/ political action committees (PACs), Facebook claims it will still fact-check ads from PACs. For malicious actors determined to spread misinformation/disinformation through ads, these distinctions will not be much of an impediment. They will find workarounds.

While most conversation has been US-centric, both companies have a presence in over 100 countries. A significant amount of local context and human-effort is required to consistently enforce policies across all of them. The ongoing trend to substitute human oversight with machine learning could limit the acquisition of local knowledge. For e.g. does Facebook's policy of not naming whistle-blowers work in every country it has a presence in?

Notably, both companies stressed how little an impact political ads had on their respective bottom-lines. Considering the skewed revenues per user for North America + Europe compared with Asia Pacific + rest of the world, the financial incentive to enforce such resource-intensive policies equitably is limited. Both companies also have a history of inconsistent responses to moral panics resulting in an uneven implementation of their policies.

A self-imposed ban on political ads by Facebook and Twitter in Washington to avoid dealing with complex campaign finance rules has resulted in uneven enforcement and a complicated set of rules that have proven advantageous to incumbents. In response to criticism that these rules will adversely impact civil society and advocacy groups, Twitter initially said ‘cause-based ads’ won’t be banned and ultimately settled on limiting them by preventing micro-targeting. Ultimately, both approaches are likely to favour incumbents or those with deeper pockets.

Fixing Accountability

The real problems for Social Media networks go far beyond micro-targeted political advertising and the shortcomings across capacity, misuse and consequences apply there as well. The flow of misinformation/disinformation is rampant. A study by Poynter Institute highlighted that misinformation/disinformation outperformed fact-checks by several orders of magnitude. Research by Oxford Internet Institute and Freedom House has revealed the use disinformation campaigns online and the co-option of social media to power the shift towards illiberalism by various governments. Conflict and toxicity now seem to be features meant to drive engagement. Rules are implemented arbitrarily and suspension policies are not consistently enforced. The increased usage of machine learning algorithms (which can be gamed by mass reporting) in content moderation is coinciding with the reduction in human oversight.

Social Media networks are classified as intermediaries which grants them safe-harbour, implying that they cannot be held accountable for content posted on them by users. Intermediary is a very broad term covering everything from ISPs, Cloud services to end-user facing websites/applications across various sectors. Stratechery, a website which analyses technology strategy, proposes a framework for content moderation such that both discretion and responsibility is higher the closer a company is to an end-user. Therefore, for platforms like Facebook/Twitter/YouTube etc. there should be more responsibility/discretion than ISPs/Cloud services providers. It does not explicitly call for fixing accountability, which cannot be taken for granted.

Unfortunately, self-regulation has not worked in this context and their status as intermediaries may require additional consideration. Presently, India’s proposed revised Intermediary Guidelines already tend towards over-regulation to solve for the challenges posed by Social Media companies, adversely impacting many other companies. The real challenge for policy-makers and society in countries like India is to strike the balance between holding large Social Media networks accountable while not creating rules that are so onerous they can be weaponised into limiting freedom of speech.

(Prateek Waghre is a Technology-Policy researcher at Takshashila Institution. He focuses on the governance of Big Tech in Democracies)

This article was originally published on 21st November 2019, in Deccan Herald.

Recent developments in online advertising have been uplifting. Facebook (and by extension, Instagram) has been running a policy that is meant to block predatory ads that target people who are overweight or have skin conditions, pushing unusual and often medically dangerous miracle cures. Google, which makes over $100 billion in online ad revenue, has also released a statement declaring a ban on ads that are selling treatments that have no established biomedical and scientific basis. Twitter also declared that it won’t be accepting ads from state-controlled media entities.This is not to say that the advertising policies of these companies are perfect, as incidents reported by The Verge and CNBC will tell you. However, things have been improving at a steady pace as far as advertising policies are concerned.A major catalyst for this change has been the 2016 US election that saw the potential of online advertising abused for targeting voters. Since then, there has been bipartisan support in the US to achieve greater transparency in online advertising. This includes disclosing who paid for public ads, how many people saw those ads, and how the purchaser can be contacted.There are two problems with the support for greater transparency in advertising. Firstly, the bi-partisan push never ended up becoming law. Secondly, even if it did end up becoming law, its impact would have been limited to the US.It is an interesting story why we still lack a law that enforces greater transparency in advertising, and much of it revolves around Facebook, with its conclusion set to impact other players in online advertising. The bill, called the Honest Ads Act, was introduced in the Senate in 2017.Had it become law, it’s success or failure would have given other countries a template to work with to achieve greater transparency in advertising. As of now, that will need to continue without precedent. Days after the bill was introduced, Facebook announced that it would be updating its Advertising Transparency and Authenticity Efforts.Mark Zuckerberg declared his support for the Honest Ads Act through a separate Facebook post, stating, “Election interference is a problem that’s bigger than any one platform, and that’s why we support the Honest Ads Act”. Important side note, Twitter also announced its decision to back the Act, but the focus here is on Facebook because of its size, position, and role in the 2016 US election.Once Facebook expressed its support for the act, and declared the intent to self-regulate according to the bill, the issue lost momentum. At the time, Zuckerberg’s testimony at Capitol Hill was impending, and the news cycle shifted its attention. Senate Majority Leader Mitch McConnell, brought in the first amendment into the argument, saying he was sceptical of proposals (like the Honest Ads Act) that would penalize American citizens trying to use the internet and to advertise. At this point, you could just make the argument that in retrospect, Facebook could have supported the Honest Ads Act by not declaring its support.Regardless, the implications of these events impacted players across a wide spectrum. Because there was no legal requirement to do so, other avenues of online ads (read, Twitter, Google) did not need to comply with a set standard that could be used as a yardstick to judge them against. In addition, the problem with the freedom of speech argument is that transparency in ads is not directly impacting free speech. You could extend the same argument to revoke the laws that mandate transparency in TV and radio ads in the US. So where is the crackdown on transparency in TV and Radio?The Honest Ads Act is relevant as it had the potential to set the tone for how transparent the regulation should be in other countries.The US is not the most significant user base for these platforms. And as you might expect, having transparency in political ads could be useful for other countries that also hold elections. For example, India has over 270 million Facebook users, a significant percentage of whom participated in the general elections. Understandably, advertising on social media sites such as Facebook was an integral part of most campaign strategies. So, it would help to have a law that helps voters identify who is paying for what political ad, and conversely, which of them might be facts, and which of them might be false propaganda.Asking online ad companies such as Facebook to regulate themselves will have exactly the effect that it is having now. They will move towards better ad and transparency policies at their own pace, influenced by what the prevailing narrative is. And for most countries, that is not enough.Having a law in countries where these platforms operate is more efficient. It is not just the United States that needs its ads to be honest.The writer is a Research Analyst with Takshashila Institution, Bengaluru.This article was first published in Deccan Herald.

This article was first published in Deccan Herald on 11th November, 2019. 

This article was first published in The Deccan Chronicle. Views are personal.

The writer is a Policy Analyst at The Takshashila Institution.

The personal data protection bill is yet to become a law and the debate is still rife on the costs and benefits of data localisation. It is yet to be seen officially if the government is going to mandate localisation in the data protection bill and to whom it is going to apply. Regardless of whether or not data localization ends up enshrined in the law, it is worth taking a step back and asking why the government is pushing for it in the first place.

For context, localisation is the practice of storing domestic data on domestic soil. One of the most credible arguments for why it should be the norm is that it will help law enforcement. Most platforms that facilitate messaging are based in the US (think WhatsApp and Messenger). Because of the popularity of these ‘free services,’ a significant amount of the world’s communication takes place on these platforms. This also includes communication regarding crimes and violation of the law.

This is turning out to be a problem because in cases of law violations, communications on these platforms might end up becoming evidence that Indian law enforcement agencies may want to access. The government has already made multiple efforts to make this process easier for law enforcement. In December 2018, the ministry of home affairs issued an order granting powers of “interception, monitoring, and decryption of any information generated, transmitted, received or stored in any computer,” to ten central agencies, to protect security and sovereignty of India.

But this does not help in cases where the information may be stored outside the agencies’ jurisdiction. So, in cases where Indian law enforcement agencies want to access data held by US companies, they are obliged to abide by lawful procedures in both the US and India.

The bottleneck here is that there is no mechanism that can keep up with this phenomenon (not counting the CLOUD Act, as India has not entered into an executive agreement under it).

Indian requests for access to data form a fair share, owing to India’s large population and growing internet penetration. Had there been a mechanism that provided for these requests in a timely enforcement through the provision of data. Most requests are US-bound, thanks to the dominance of US messaging, search, and social media apps. Each request has to justify ‘probable cause by US standards.’ This, combined with the number of requests from around the world, weighs down on the system and makes it inefficient. People have called the MLATs broken and there have been several calls for reform of the system.

A comprehensive report by the Observer Research Foundation (ORF) found that the MLAT process on global average takes 10 months for law enforcement requests to receive electronic evidence. 10 months of waiting for evidence is simply too long for two reasons. Firstly, in cases of law enforcement, time tends to be of the essence. Secondly, countries such as India have a judicial system with a huge backlog of cases. 10month-long timelines to access electronic evidence make things worse.

Access to data is an international bottleneck for law enforcement. The byproduct of the mass adoption of social media and messaging is that electronic criminal evidence for all countries is now concentrated in the US.

The inefficiency of MLATs is one of the key reasons why data-sharing agreements are rising in demand and in supply, and why the CLOUD Act was so well-received as a solution that reduced the burden on MLATs.

Countries need to have standards that can fasten access to data for law enforcement, an understanding of what kinds of data are permissible to be shared across borders, and common standards for security.

India’s idea is that localizing data will help with access to it for law enforcement, at least eventually down the line. It may compensate for not being a signatory to the Budapest Convention. It is unclear how effective localisation will be. Facebook’s stored in India is Facebook’s data.

Facebook is still an American company and should still be subject to US standards of data-sharing, which are one of the toughest in the world and include an independent judge assessing the probable cause, refusing bulk collection or overreach. This is before we take into account encryption.

For Indian law enforcement, the problem in this whole mess is not where the data is physically stored. It is the process that makes access to it inefficient. Localisation is not a direct fix, if it proves to be one at all. The answer lies in better data-sharing arrangements, based on plurilateral terms. The sooner this realized, the faster the problems can be resolved. data still

Rohan is a policy analyst at the technology and policy programme at The Takshashila Institution. Views are personal.

This article was first published in the Deccan Chronicle.

Pegasus, the software that infamously hacked WhatsApp earlier this year, is a tool developed to help government intelligence and law enforcement agencies to battle cybercrime and terror. Once installed on a mobile device, it can collect contacts, files, and passwords. It can also ‘overcome’ encryption, and use GPS to pinpoint targets. More importantly, it is notoriously easy to install. It can be transmitted to your phone through a WhatsApp call from an unknown number (that does not need to be picked up), and does not require user permissions to get access to the phone’s camera or microphone. All of that makes it a near complete tool for snooping.While Pegasus is able to hack most of your phone’s capabilities, the big news here is that it can ‘compromise’ end to end (E2E) encryption. The news comes at attesting time for encryption in India, as the government deliberates a crackdown on E2E encryption, a decision that we will all learn about more on Jan 15, 2020.Before we look at how Pegasus was able to compromise E2E encryption, let’s look at how E2E encryption works and how it has developed a place for itself in human rights.E2E is an example of how a bit of math, applied well, can secure communications better than all the guns in the world. The way it works on platforms such as WhatsApp is that once the user (sender) opens the app, the app generates 2 keys on the device, one public and one private. The private key remains with the sender and the public key is transmitted to the receiver via the company’s server. The important thing to note here is that the message is already encrypted by the public key before the message reaches the server. The server only relays the secure message and the receiver’s private key then decrypts it. End to end encryption differs from standard encryption because in services with standard encryption (think Gmail), along with the receiver, the service provider generally holds the keys, and thus, can also access the contents of the message.Some encryptions are stronger than others. The strength of an encryption is measured through how large the size of the key is. Traditionally, WhatsApp uses a 128-bit key, which is standard. Here you can learn about current standards of encryption and how they have developed over the years. The thing to keep in mind is that it can take over billions of years to crack a secure encryption depending on the key size (not taking into account quantum computing):Key Size         Time to Crack56-bit                 399 Seconds128-bit               1.02 x 1018 years192-bit               1.872 x 1037 years256-bit               3.31 x 1056 yearsE2E encryption has had a complex history with human rights. One the one side, governments and law enforcement agencies see E2E encryption as a barrier when it comes to ensuring the human rights of its citizens. Examples of mob lynching being coordinated through WhatsApp, such as these, exist around the world.On the other hand, security in communications and the anonymity it brings, has been a boon for people who might suffer harm if their conversations were not private. Think peaceful activists who utilize it to fight for democracy around the world, most recently, Hong Kong. Same goes for LGBTQ activists and whistleblowers. Even diplomats and government officials operate through the seamless secure connectivity offered by E2E encryption.The general consensus in civil society is that E2E encryption is worth having as an increasing amount of digital human communications move online to platforms such as WhatsApp.How does Pegasus fit in?End to end encryption ensures that your messages are encrypted in transit and can only be decrypted by the devices that are involved in the conversation. However, once a device decrypts a message it receives, Pegasus can access that data which is at rest. So it is not the end to end encryption that is compromised, but your devices security. Once a phone is infected, Pegasus can mirror the device, literally record the keystrokes being typed by the user, browser history, contacts, files and so on.The strength of end to end encryption lies in the fact that it encrypts data in transit well. So unless you have the key for decryption, it is impossible to trace the origin of messages as well as the content that is being transmitted. The weakness for end to end encryption here, as mentioned above, is that it does not apply to data at rest. If it were still encrypting data at rest, messages received by users would not be readable.At this point, the question about how secure apps such as WhatsApp, Signal, and Telegram really are, is widely debateable. While the encryption is not compromised, the larger system is, and that has the potential to make the encryption a moot point.WhatsApp came out with an update that supposedly fixed the vulnerability earlier this year, seemingly protecting communications on the platform from Pegasus.What does this mean for regulation against WhatsApp?The Pegasus story comes at a critical time for the future of encryption on WhatsApp and on platforms in general. The fact that WhatsApp waited ~6 months to file the lawsuit against the NSO will not help the platforms credibility on the traceability and encryption debate. This also brings into question the standards for data protection Indian citizens and users should be subject to. The data protection bill is yet to become law. With the Pegasus hack putting privacy front and center, the onus should ideally be on making sure that Indian communications are secure against foreign and domestic surveillance efforts.

A bit of math can better secure your communications than all the guns in the world combined. That is the beauty of end to end encryption which currently runs on WhatsApp. It makes messages shared between people private so that only the sender and the recipient can view what is being said. On a related note, the notification of the intermediary guidelines is likely to be completed by 15 January 2020. These updated guidelines are going to determine the future of end to end encryption.The major trade-off here is privacy versus security. The government’s argument is that it needs to access communications between its citizens for the purposes of security. The spread of false news on WhatsApp has instigated lynch mobs and resulted in 27 reported deaths in 2017. That is exactly why in December 2018, the Ministry of Home Affairs issued an order granting powers of "interception, monitoring, and decryption of any information generated, transmitted, received or stored in any computer", to ten central agencies. But platforms using end to end encryption means that the interception of information might not be of much use if the government does not have a key for the encryption. The amendments in the intermediary guidelines call for allowing platforms such as Telegram and WhatsApp to, “..enable tracing out of such originator of information on its platform as may be required by government agencies who are legally authorised”.The other side of the coin here is privacy. There is no way where platforms take away encryption from criminals but leave it intact for others. If intermediaries allowed traceability and compromised end to end encryption, the sender of each message would be identifiable to WhatsApp and by extension, the government. And while the encryption provides a shield of anonymity to trolls and spreaders of misinformation, it also gives assurance to people who would otherwise have been silenced or suppressed. Think whistleblowers and political protesters. End to end encryptionWe need to have transparency and install the highest standards to due process to make sure that should traceability be enabled, it is not abused (a similar precedent for which has been set by the NSA).allows those people to avoid the fear of being targeted. Also, encryption on content extends into more routine aspects of life. For instance, WhatsApp is a platform where people can talk about personal and sensitive parts of their life, such as a disease or mental health issues, and rest assured that Facebook, the internet, and the government won’t target you using that information. At a personal level, the fact that end to end encryption keeps communications private between the participants is reason enough not to break it. In the age of the contemporary internet, privacy is a luxury that is being provided at scale.In addition, there are a host of questions on the side of implementation. For instance, the guidelines are applicable to all intermediaries that have more than 50 lakh users. There is no clarity on whether that means all registered users, daily active users or even monthly active users. Moreover, how will the government know if platforms have met that threshold and keep track of all the intermediaries that pop up on the App Store/Play Store? More fundamentally, who is an intermediary? Does Google Docs count as a platform, as it also has a chat feature? Are online games also subject to this?Even if all of these are resolved, the 50 lakh threshold might mean that criminals can just move to smaller, lesser-known platforms that offer end to end encryption, taking away significantly from the effectiveness of the exercise.Adjusting the trade-off between privacy and security is a thankless task that more often than not is likely to be decided by the values and interests of the people in power. The job at hand here is to make sure that a robust set of processes are set in place if end to end encryption is to be broken. We need to have transparency and install the highest standards to due process to make sure that should traceability be enabled, it is not abused (a similar precedent for which has been set by the NSA).There needs to be transparency around the process that lets people know who is seeking the data. Standards need to exist around the specificity of what accounts and data can be targeted to prevent requests for bulk data. The request for access should be backed up by justification of credible facts, all of which should be subject to review by an independent entity or a judge.None of these provisions currently exist around the intermediary guidelines, and neither is there an indication that it is being considered. The cons of enabling traceability and breaking end to end encryption outweigh the pros subjectively.However, if the government is going to go ahead with this and include the clause in the January 2020 notification, then it should do this right by placing adequate oversight and safeguards in the amendments.This article was first published in Asian Age.(Rohan is a policy analyst at the technology and policy programme at The Takshashila Institution. Views are personal.)

The manner in which the Indian state has treated telecom is indicative of the disdain it has for a sector that has underpinned the country’s rise to an aspiring global power in the last 25 years. If we have to fix the problems we’ve created, it’s important to enumerate the big policy mistakes we have made. Between a rapacious bureaucracy, corrupt politicians, rent-seeking crony businesses and an economics-agnostic judiciary, we have created the conditions for a telecom crisis.Read more

Even as India pushes for data decryption access from Big Tech for better law enforcement, there is a larger issue of how Big Tech is not quite the paragon of virtue when it comes to upholding user privacy.

If the Indian government does get social media platforms to part with user data, it should remember that with great power over the citizens comes a greater responsibility towards the citizens.

This article was first published in The Hindu. Views are Personal.

The big decision here is whether or not India wants to share its data with anyone under any circumstances.India recently started sharing maritime data with countries in the Indian Ocean Region. The Information Fusion Centre is actively interacting with the maritime community and has already built linkages with 18 countries and 15 multinational/maritime security centres. On that note, it is worth relooking at India’s approach to data sharing and cross-border data flows.Technology is now a variable that defines relations between countries. Over the year, we have seen an increasing number of instances that reaffirm the existence of high-tech geopolitics. First, there was the US-imposed ban on Huawei technologies. Then the Americans considered imposing caps on H1-B visas for countries that implemented data localisation. One of the most important recent developments was at this year’s G20 summit where Japan’s Shinzo Abe presented the idea to have a multilateral broad framework for the sharing of data. It is worth analyzing India’s response to it.The agreement is called the Osaka Track. The idea is that member countries should be able to share and store data across borders without having to worry about security risks. The agreement has many notable signatories, such as the US, EU, and China. It is India’s response that is interesting. India, for better or worse, has not been big on data sharing. So much so, that recent news claimed that the government was considering getting a domestic messaging service for official communication. With this context in mind (as well as the draft e-commerce policy, data protection bill, and the RBI data localization notification), India refused to join the Osaka Track as a signatory. The questions for India here are, what does this mean for the future of Indian data, and how India is likely to conduct itself in this world of high-tech geopolitics?India’s reasons for not signing the pact are two-fold. Firstly, as the sentiment goes, data is national wealth. The idea here is to keep all data possible within Indian borders. Much like you would do be inclined to do with actual wealth. Secondly, as an official stated, India needs to better understand what free flow of data might mean. Having said that, India then wants to look at its domestic requirements and would like to see the issue of cross-border data flows discuss the same on a WTO (World Trade Organisation) platform. What the foreign policy is broadly saying here (to my understanding) is that it is not in India’s best interests to share its data right now. However, once the government has a better understanding of the Osaka Track, they might reconsider.In the broader global context, the Osaka Track is a step towards an emerging pattern. Data flows are likely to be increasingly regulated through economic blocs and not nations. Europe’s General Data Protection Regulation and Convention 108+ are the best examples of this. The Osaka Track was an opportunity for India to follow this trend and facilitate trans-border data flows. India’s rejection of it does not mean that other opportunities will not present themselves. Should India decide that data sharing is in its best interests, there are other platforms to make it happen on its own terms. One option to pursue this route would be to establish a data sharing law and standards under Bay of Bengal Initiative for Multi-Sectoral Technical and Economic Cooperation (BIMSTEC). Sharing costs of storage and following common processing standards would give India an edge in data geopolitics. Just because it would make powerhouses such as the US rethink applying sanctions to all of BIMSTEC instead of India alone. BIMSTEC, of course, is also interchangeable. India could take the lead and establish a data sharing policy with SAARC (South Asian Association for Regional Cooperation) or with a different combination of countries it might prefer. The big decision here is whether or not India wants to share its data with anyone under any circumstances.If India is to treat data as wealth and not share it across borders, it may be time to consider what that might mean. An increasing number of government policies are treating data as an asset that should not be shared. Doing so is likely to come at the cost of being ostracised by the US. However, if India is to go ahead with this, it makes sense as citizens to ask the government how data is going to be used to achieve progress.While there are a lot of policy proposals on how data should be regulated in India, there aren’t many on how it is going to be used for economic development. Sharing data with countries and/or companies can often crowdsource the initiative for development, as it seems to be doing for security at The Information Fusion Centre. As Microsoft’s collaboration with the Telangana government proved by using data to optimise agricultural yields. However, if India decides to cut itself off as evidenced by the refusal to sign the Osaka Track, it is best to ask how crowdsourcing the initiatives will be substituted. While options to do so domestically might exist (such as releasing community data for entrepreneurs and Indian companies), there need to be indicators that they are being considered or carried out on a national level. Because if data is national wealth, then there needs to be a plan on how it should be used to achieve economic development and progress for the nation.This article was first published in the Asian Age. Views are personal.

RBI recently came up with a Draft Enabling Framework for Regulatory Sandbox in financial technology. For context, a sandbox is a framework that allows testing of innovations by private firms in a controlled environment. As far as developments in the fintech regulation space go, this is a good one. A sandbox allows players to run a pilot test on new products and services at a smaller scale with less capital than usually required. According to the draft, RBI will consider testing for innovative products and services in the following areas, Retail payments, Money transfer services, Marketplace lending, Digital KYC, Financial advisory services, Wealth management services, Digital identification services, Smart contracts, Financial inclusion products, Cybersecurity products. Some of these, especially the digital KYC and financial inclusion, are more front-facing than others. There is also a separate clause for innovative technologies that include, Mobile technology applications (payments, digital identity, etc.), Data Analytics, Application Program Interface (APIs) services, Applications under blockchain technologies, Artificial Intelligence and Machine Learning applications. A notable exemption from the sandbox is cryptocurrencies. This is keeping in line with the report of the Inter-ministerial group that recommended banning private cryptocurrencies and proposed a fine of up to ₹25 crore as well as up to 10 years imprisonment. It echoes the stance of the report that encourages developments in blockchain and the distributed ledger technology in general. This is likely due to concerns that private cryptocurrencies can lead to macroeconomic instability and finance terror groups, both of which are fair concerns. There have been claims that the sandbox is available for a limited set of customers, only 10-12 companies. It is unclear whether that hypothesis is true. The eligibility criteria as specified in the draft states that the focus of the sandbox will be to encourage innovations where there is an absence of governing regulations; there is a need to temporarily ease regulations for enabling the proposed innovation; the proposed innovation shows promise of easing/effecting delivery of financial services in a significant way. This does not directly translate into having only 10-12 players. This should also act as a win for Facebook, and in all probability, WhatsApp. It is an open secret that WhatsApp has been keen to launch a payments service in India, dubbed ‘WhatsApp Pay’. However, over recent times, the regulatory climate has proved to be unfavourable to bring those efforts to fruition. The regulatory sandbox may serve as the ideal testing ground for the service before its release. A successful stint in the sandbox is not a guarantee to achieve regulatory approvals however, as the draft states. Companies and their services can perform well and still be denied clearance to launch at a national level. That is something firms like WhatsApp and Facebook will have to deal with. Any financial services that pass the sandbox will need to clear regulatory hurdles such as data localization guidelines laid out by RBI and the data protection bill (if and when it becomes law). There are two key things to keep in mind here. Firstly, the sandbox is likely to be of help to both newcomers into the market as well as incumbents who plan to try out new ideas in fintech. This includes innovative efforts to increase financial inclusion through services that rely on machine learning and AI. Thus, it is a boost to the fintech landscape overall and also on India’s AI front. The latter of which could use an injection in homegrown talent, applications, and infrastructure. Secondly, returns from the sandbox have the potential to pay off dividends in the short to long term, depending on how long the program lasts. The RBI, also to their credit has provided a set of risks and limitations in the draft. It includes the possibility of innovators losing time and flexibility because of due process. The need for regulatory approvals after sandbox testing and legal issues leading to consumer losses is also included. None of these risks is an argument for not having the sandbox. The sandbox proposed is an objectively good idea. Countries around the world, including Thailand, Singapore, and the US have tried it. In a fintech space that is growing and needs new innovation to foster better development in areas such as financial inclusion and creditworthiness, this is a welcome step. It is too early to say whether the idea will be successful, or whether it will face implementation challenges or end up leading to unintended consequences, such as favouring the incumbents over startups or making participation exclusive to a limited set of players. The idea is still in the draft stage and it could be a while before it is successfully carried out. The bottom line here is that despite all these considerations, it is better to have a sandbox than not have one.This article was first published in Deccan Chronicle. Views are personal.

With the developments in Kashmir and the economy dominating so much of the national discussion, it can be hard to keep track of what is happening with tech policy. One thing that might slip through the cracks is the changes in the Data Protection Bill. According to a recent report by Medianama, the ministry of electronics and information technology, or MEITY, is privately seeking responses to new questions from select stakeholders.The Data Protection Bill is going to be profoundly important in India’s tech policy landscape, going forward. It will tackle issues around data privacy, data protection, and data processing, all of which have never been discussed at length in Indian law. Based on inputs received from the Srikrishna Committee report, it will also focus on data localisation. So when MEITY initially asked for feedback on the draft data protection bill, it received over 600 comments from individuals and organisations. For this round of comments, the ministry has reached out to only 10-15 stakeholders.This raises a host of questions and concerns about the process. First, as Medianama puts it, why the secrecy? With over 600 comments being submitted, the bill is clearly an issue with a significant amount of public interest. MEITY and its bureaucracy could argue that 600 submissions are a lot to process, and not all the comments are relevant to the process. But for a piece of legislation this important, it is surely better to have too many inputs instead of picking and choosing which voices you would like to elevate. There is also not a lot of transparency in the process. How does one figure out the basis on which these 10-15 stakeholders were selected? This is not to imply that the participants asked for feedback are not a decent sample of stakeholders. But this could have been done better had a rationale/basis behind the selection been provided.Not knowing why some people have been selected and the others ruled out matters more when the bill has sweeping changes. The new version of the bill is reportedly going to address issues in e-commerce and community data. Both these topics were not a part of the Srikrishna Committee or the October consultation process. It is unclear what the bill’s stance might be on both these matters. To make an educated guess on e-commerce, the bill might condense and borrow aspects from the draft e-commerce policy from earlier this year. It is anyone’s guess what those aspects might be, but it does narrow down the list. As for community data, there does not exist such a precedent. It is frankly shocking that the consultation has been labelled as “clarifications” in the bill. If entire new industries are being addressed under the document, then surely it should be classified as additions/revisions, and thus call for comments from all stakeholders. It might not have been acceptable to have a selection of stakeholders for a round of clarifications on data protection. And that is even more so when it comes to picking and choosing stakeholders regarding legislation that has such substantial changes.This lack of transparency also makes one question the importance given to the comments submitted earlier. There is clearly value in having documents that present the perspectives of stakeholders across the industry, academia, and civil society. But given the recent turn of events, who can say whether these perspectives have been reflected in the new version that is being circulated for feedback. The idea here is not to give credit to organisations/individuals who may have caused tangible changes in policy. Instead, it is to ensure that the process that goes into finalising the document is truly multilateral.The final version of the policy will still have winners and losers. No legislation is objectively perfect. This is especially true in technology, where most laws find it hard to keep up with rapid advances in the industry. If the industry wins through lax laws on data privacy, civil society arguing for stronger privacy laws will de facto lose. What the consultations should then aim for is to reflect that different views on subjects were considered before making trade-offs in favour of one over the other.What makes this situation even more bizarre is that up until this point, the process has been fairly transparent. The Srikrishna Committee’s recommendations were comprehensive and publicly available. As was the first round of comments in October 2018, even though the comments submitted were not made available to the public. Why then has the second round of inputs been restricted to just a few people without any explanation? Not allowing public comments while adding e-commerce and community data to the mandate is going to have negative implications when the bill finally comes out. A large share of stakeholders in academia, industry, and civil society are going to have fundamental disagreements on the way this was carried out, as well as its contents.Indian policy towards all things technology is slowly catching up with advancements. As new legislation comes out regarding other emerging technologies such as artificial intelligence, fintech, and the Internet of Things, it would make sense to involve multiple perspectives while designing it. Failure to do so is likely to have an adverse impact on the adoption of these technologies and, by extension, India’s development.This article was first published in Deccan Chronicle. Views expressed are personal.