“…Regulations need to be evolved for cloud computing in India for Regulation of Investigatory Powers, Regulation on Stored Communication, Mandatory guidelines for National Security for cloud operation and Lawful interception and monitoring by Law Enforcement Agencies, State Privacy Laws and Fair Credit Reporting Act etc.”
It's a fairly harmless-sounding consultation paper from the Indian telecom regulator TRAI on cloud computing (pdf), but cloaked within its verbosity are topics that could change the way the Internet functions in India: over 119 pages, within mentions of privacy and data protection, there is the potential for forced data localization and the prevention of cross-border data transfer; within mentions of tax benefits is the potential for additional taxation of cloud services. Over and above that, the encryption issue makes a comeback after the DEITY’s remarkably daft encryption policy last year. On security, the TRAI paper says: “The Government will have to ensure a strict and vigilant interception system in cloud computing environment”
There’s a point where the TRAI also points towards the possibility of licensing “intermediate service providers”, without exactly specifying what kind of entities they are referring to. Since this term appears only once in the paper, and the preceding section refers to lawful interception of cloud services, we’re assuming that this refers to licensing of cloud companies.
For a regulator which appeared to be avoiding broad consultations and taking up issues one by one, this is a bit of a disappointment. It’s hard to find an online service today that doesn’t deploy cloud-based services, and this consultation thus has the potential to affect every Internet business, and thus the availability of services to users in India. The questions raised by the TRAI don’t entirely cover the issues they’ve raised in the paper, so expect some of the responses to take them up.
Key issues covered in this consultation paper (Note: selective quoting)
1. The need for regulation of cloud services: The TRAI points out several issues that suggest that regulations need to be evolved for cloud services:
1.1 Privacy and Data protection: The TRAI raises the privacy issue, saying:
– that data uploaded to cloud needs regulation since it covers more than just “personal data”. Many countries don’t cover cloud computing, and even the EU data protection laws only cover personal data. (Editor’s note: India doesn’t have a privacy law, and doesn’t believe there’s a fundamental right to privacy.)
– Data protection depends on jurisdiction in which the service provider is located or the data is stored. “…the level of protection will be based on local laws or service provider’s sole discretion if no laws, are available.”
1.2 Data ownership issues: “…the terms and conditions of service offered by CSP (Cloud service provider) may sometimes suggest some medium of ownership rights, even without legal transfer. This may lead to data security threats emerging from the possibility of misuse of data by CSP for marketing or data mining purposes.”
1.3 Data location issues:
– Customer data is being held in multiple jurisdictions, which is “affected, directly or indirectly, by subpoena law-enforcement measures”.
– A cloud provider may, without notice to a user, move the user’s information from one jurisdiction to another jurisdiction or even sub-contract the cloud services.
– The legal location of information placed in a cloud could be one: the location of the computer on which the information is stored; the location of a communication that transmits the information; a location where the user has communicated or could communicate with the provider or possibly other locations.”
1.4. Cross-border movement of data: The laws of user’s country may restrict cross-border transfer/disclosure of certain information. Data on the cloud may be subject to third party/government access without user’s knowledge. Data stored in another country may be more accessible to the government under local law.
2: Lawful Interception: “The Government will have to ensure a strict and vigilant interception system in cloud computing environment so as to meet the above requirements. With more and more happenings in the cloud – the previous methods of Lawful intercept are no longer valid and as such need new thinking as:
– Machines and data are no longer physically in one place or national boundary
– Encryption and security of data are far stronger and of industrial grade…” (and that’s a problem)
3. Hosting data in India and restricting flow of some types of data: Among the measures that the TRAI suggests for overcoming jurisdictional issues is a mandate that cloud service providers host data centers only in India. It also points towards the need to monitor domestic Internet traffic for national security reasons, concerns about foreign surveillance, saying that “the Indian government has for years supported the idea of foreign firms storing data within the country.”
“Another alternative may be to impose restriction on cross border movement of some critical information like tax returns, financial transactions, health records etc.” Later in the paper, concerns of cost of hosting in India are raised and set aside: “The costs of hosting cloud services for a CSP in India are way more than hosting them abroad. But the idea of keeping confidential national information in data centres located abroad raises security concerns.”
4. Taxation of cloud services: “A major challenge in the taxation of cloud offerings is in the tax classification of cloud services themselves. It is to be considered as to what tax regime should be employed for cloud service providers in India and whether tax benefits shall be given to them, for promoting adoption of cloud services in the country.” However, the TRAI does mention tax benefits for cloud computing in multiple countries, such as special tax and cash incentives for using local data centers, VAT holidays, reduced income tax based on profits.
Note that taxation of cloud services has now been addressed by the equalization levy.
5. Introduction of licensing or operational restrictions for intermediate service providers: “The Government could introduce some form of licensing or operational restrictions on intermediate service providers. Complying with new rules under the amended Information Technology Act, 2000 requires providers of sensitive information to verify the information which can become onerous given that data may be held in fragmented corners of the cloud. For this, the Laws need to be reviewed and new policies should be introduced to effectively and efficiently deal with matters involving confusion with respect to the basic and highly important issue of jurisdiction.”
– Responses to: A. Robert J. Ravi, Advisor (QoS) TRAI at email@example.com
– Download the paper here
– Deadlines: Last date of sending comments is 8th July, 2016; counter comments by: 22nd July, 2016
Question 1. What are the paradigms of cost benefit analysis especially in terms of:
a. accelerating the design and roll out of services
b. Promotion of social networking, participative governance and e-commerce.
c. Expansion of new services.
d. Any other items or technologies. Please support your views with relevant data.
Question 2. Please indicate with details how the economies of scale in the cloud will help cost reduction in the IT budget of an organisation?
Question 3. What parameters do the business enterprises focus on while selecting type of cloud service deployment model? How does a decision on such parameters differ for large business setups and SMEs?
Question 4. How can a secure migration path be prescribed so that migration and deployment from one cloud to another is facilitated without any glitches?
Question 5. What regulatory provisions may be mandated so that a customer is able to have control over his data while moving it in and out of the cloud?
Question 6. What regulatory framework and standards should be put in place for ensuring interoperability of cloud services at various levels of implementation viz. abstraction, programming and orchestration layer?
Question 7. What shall be the QoS parameters based on which the performance of different cloud service providers could be measured for different service models? The parameters essential and desirable and their respective benchmarks may be suggested.
Question 8. What provisions are required in order to facilitate billing and metering re-verification by the client of Cloud services? In case of any dispute, how is it proposed to be addressed/ resolved?
Question 9. What mechanism should be in place for handling customer complaints and grievances in Cloud services? Please comment with justification.
Question 10. Enumerate in detail with justification, the provisions that need to be put in place to ensure that the cloud services being offered are secure.
Question 11. What are the termination or exit provisions that need to be defined for ensuring security of data or information over cloud?
Question 12. What security provisions are needed for live migration to cloud and for migration from one cloud service provider to another?
Question 13. What should be the roles and responsibilities in terms of security of (a) Cloud Service Provider(CSP); and (b) End users?
Question 14. The law of the user’s country may restrict cross-border transfer/disclosure of certain information. How can the client be protected in case the Cloud service provider moves data from one jurisdiction to another and a violation takes place? What disclosure guidelines need to be prescribed to avoid such incidents?
Question 15. What policies, systems and processes are required to be defined for information governance framework in Cloud, from lawful interception point of view and particularly if it is hosted in a different country?
Question 16. What shall be the scope of cloud computing services in law? What is your view on providing license or registration to Cloud service providers so as to subject them to the obligations thereunder? Please comment with justification.
Question 17. What should be the protocol for cloud service providers to submit to the territorial jurisdiction of India for the purpose of lawful access of information? What should be the effective guidelines for and actions against those CSPs that are identified to be in possession of information related to the commission of a breach of National security of India?
Question 18. What are the steps that can be taken by the government for: (a) promoting cloud computing in e-governance projects. (b) promoting establishment of data centres in India. (c) encouraging business and private organizations utilize cloud services (d) to boost Digital India and Smart Cities incentive using cloud.
Question 19. Should there be a dedicated cloud for government applications? To what extent should it support a multi-tenant environment and what should be the rules regulating such an environment?
Question 20. What infrastructure challenges does India face towards development and deployment of state data centres in India? What should be the protocol for information sharing between states and between state and central?
Question 21. What tax subsidies should be proposed to incentivise the promotion of Cloud Services in India? Give your comments with justification. What are the other incentives that can be given to private sector for the creation of data centres and cloud services platforms in India?