Some concerns about the TRAI consultation on Open Data, based on my reading of the paper:
1. Concerns about jurisdiction: There are two concerns around jurisdiction issues here:
- Whether the TRAI can even look at privacy and data protection: The TRAI’s remit is to look into the conduct of telecom service providers, including ISPs. Maybe I missed something, but the TRAI Act (act, amendment) talks about license condition for a service provider, interconnection issues, spectrum management, quality of service etc. Nowhere does this cover issues related to content or storage or transfer of data, even though that does impact telecom subscribers. Ecommerce fraud also impacts telecom subscribers. Fake News also impacts telecom subscribers. How is privacy and data protection a TRAI mandate? It is a Ministry of Electronics and IT (MEITY) mandate, and they’ve set up their own committee. That said, the TRAI has allegedly exceeded its remit in the past: it looked at competition issues, much to the chagrin of the Competition Commission of India. Question remains: can the TRAI issue an order governing data protection? Probably not. They will probably issue recommendations and submit them to MEITY.
- Whether the TRAI can make recommendations for controlling Internet companies and their usage of data: The paper goes into data collection from “content and application service providers, device manufacturers, operating systems, browsers”, and asks for recommendations related to issues. If you remember, with the Differential Pricing (Net Neutrality consultation), the TRAI order covered tariff plans from telecom operators, banning zero rating, and not the activities of Internet companies. Telecom is governed by the TRAI and the Ministry of Communications, while the Internet, by MEITY. This explains why the paper is titled “Privacy, Security and Ownership of the Data in the Telecom Sector”. However, if you read the questions for the consultation, 9 out of 12 questions relate more to Internet businesses than telecom operators.
2. Reminds us of the first Net Neutrality consultation paper: This reminds us of the first Net Neutrality consultation paper (an abridged version here), where the TRAI had gone beyond telecom and looked at Internet issues. To paraphrase statements from that consultation:
- “To participate in online commerce, individuals have to submit personal data online, which can be of great value to criminal elements. These sites can be hacked and denial of service attacks can adversely impact the economy. This can be addressed with legal surveillance.”
- The transfer of personal information is a risk because of the open architecture of the Internet. According to MetaIntell, today more than 92% of such Internet/OTT apps use non-secure communication protocols.
“geo-location details, authentication, personal information, banking information etc. and data analytics can lead to a user’s private information being harnessed for commercial gains, e.g. advertisement targeted to a user. This compromises the user’s free will.”
User information is being extracted for carrying out marketing activities. “It is said that Big Data can even predict an individual’s future actions. Several concerns are being raised and most important is privacy of an individual. Big Data (not Big Brother) is watching.”
- The ‘always online’ state of mobile phones exposes users to cybercrime. Most applications can trace the user’s location for underlying processes (such as GPS apps finding the nearest restaurants etc). This information may be used to commit a crime, or the location itself may be the target of a crime. Such threats can impact the nation’s security and financial health.
- Most of the time users believe that apps downloaded from an official app site can be trusted even though these stores do not guarantee trustworthiness of the products or items on sale or offer. These apps are hosted in such app markets without any risk assessment and can impact the device and a company’s internal network.
- Internet apps bring “all manners of nuisance” including viruses, worms, malware, spyware or trojan horses etc.Hacking and theft are common occurrences. Recently even unreleased films from Sony were leaked by hackers.
3. TRAI has bigger ambitions? Does TRAI want to be the data controlling authority of India? Or an internet regulator? Consider following two questions in the consultation paper:
- What, if any, are the measures that must be taken to encourage the creation of new data based businesses consistent with the overall framework of data protection?
- Should government or its authorized authority setup a data sandbox, which allows the regulated companies to create anonymized data sets which can be used for the development of newer services?
Why does the TRAI need to encourage data startups, or advise the government on setting up a data sandbox? Should we expect an ordinance from the government of India, or a law, changing the mandate of the TRAI? Given the TRAI’s current role (based on what I understood from the TRAI Act), this is clearly beyond its remit.
4. Same service same rules again? The TRAI asks whether there is a need for parity in the data protection norms applicable to telecom operators and “other communication service providers offering comparable services (such as Internet based voice and messaging services).” This is the same telecom operator same-service-same-rules tripe that we heard from telecom operators for over year and a half when it came to Net Neutrality. The TRAI needs to look at content and its transmission separately. ISPs are exchanges of data, and the security of data in transit may be looked at by the TRAI. If telecom operators run content or IP based messaging and calling services, that’s the remit of the Ministry of IT, and not a telecom concern.
5. What the paper should look at: There are enough issues when it comes to data protection in telecom, which haven’t been addressed for years:
- Enforcing Encryption in telecom: As SFLC.in pointed out in this great post on the legal position of encryption in India, “The terms and conditions of the license agreement between the DoT & the ISPs permit use of encryption technologies only up to 40 bits with RSA algorithms or its equivalent without any prior approval from the DoT.” The TRAI ought to allow higher encryption norms, even if that means that national security agencies cannot set up GSM sniffers outside your homes to listen to your calls. You cannot make people more secure by making them more vulnerable.
- Banning Deep Packet Inspection: Reuters, in August last year, quoted Mukesh Ambani as saying that “For Reliance… data is the new oil, and intelligent data is the new petrol”, and then an unnamed senior Reliance executive as saying that “It’s called Deep Packet Inspection, and what you can do with the analytics of that is mind-boggling”. Deep Packet inspection involves telecom operators and ISPs inspecting each packet of data being used, linking it to its source, and creating profiles and details of browsing behaviour. Remember that with all ISPs doing this, because they are gateways to the Internet, you don’t have a choice. You can’t choose a safer ISP because there isn’t one.
- ISPs inserting code into consumer data connections: ISPs are inserting codes into consumer data connections. MTNL Delhi, my ISP, inserts code on website links and pages, such that if you click on a page or a link on the page, a new site opens up. Currently, MTNL is working with a provider called Phozeca.com (my browsing data goes to mtnl.phozeca.com) which has helped with my decision to use a VPN. Airtel was found to be using supercookies to track browsing behaviour.
- Reporting mechanisms: Telecom companies do store personal data, and while it may not be the TRAI’s remit, but telecom operators do not take consent, do not disclose, as to what data they are collecting and storing of consumers. I’m reminded of a deal between Airtel and Vserv in 2013, wherein Airtel was anonymising and allowing Vserv to get advertisers to target advertisers to target users “down to a particular city, ARPU range, data usage patterns (if she’s consuming less or more than 5 MB of data), content consumption preferences (cricket, music, football, language) based on the content consumed on the network.” We don’t know what Airtel is collecting, how they’re collecting it, nor do we have the means to prevent this.
6. Consent architecture and Indiastack: One of the questions appears to be right out the IndiaStack playbook, and its pitch for enabling a consent architecture for personal data. The TRAI asks whether “Q4. Given the fears related to abuse of this data, is it advisable to create a technology enabled architecture to audit the use of personal data, and associated consent? Will an audit-based mechanism provide sufficient visibility for the government or its authorized authority to prevent harm? Can the industry create a sufficiently capable workforce of auditors who can take on these responsibilities?” Fits perfectly: DoT mandates Aadhaar linkage for mobile numbers, and TRAI suggests technology based consent architecture for users to consent to share personal data. Maybe we should clarify whether Q4 is a rhetorical question.
That said, beyond these issues, the paper appears to be well thought out, and should serve as a framework for the MEITY committee to look into. The other important thing about the TRAI is that theirs is an open and public consultation, and aside from the final ruling, the process is more transparent than any other in India.
The Consultation on Data Protection
Download the paper: here.
Deadline: Comments by 08 September 2017. Counter comments by 22 September 2017
Email: firstname.lastname@example.org or email@example.com
Personal Data, user rights and consent
Q2. In light of recent advances in technology, what changes, if any, are recommended to the definition of personal data? Should the User’s consent be taken before sharing his/her personal data for commercial purposes? What are the measures that should be considered in order to empower users to own and take control of his/her personal data? In particular, what are the new capabilities that must be granted to consumers over the use of their Personal data?
Q3. What should be the Rights and Responsibilities of the Data Controllers? Can the Rights of Data Controller supersede the Rights of an Individual over his/her Personal Data? Suggest a mechanism for regulating and governing the Data Controllers.
Data protection: Internet and data startups
Q5. What, if any, are the measures that must be taken to encourage the creation of new data based businesses consistent with the overall framework of data protection?
Q9. What are the key issues of data protection pertaining to the collection and use of data by various other stakeholders in the digital ecosystem, including content and application service providers, device manufacturers, operating systems, browsers, etc? What mechanisms need to be put in place in order to address these issues?
Q6. Should government or its authorized authority setup a data sandbox, which allows the regulated companies to create anonymized data sets which can be used for the development of newer services?
Telecom and user data
Q8. What are the measures that should be considered in order to strengthen and preserve the safety and security of telecommunications infrastructure and the digital ecosystem as a whole?
Q10. Is there a need for bringing about greater parity in the data protection norms applicable to TSPs and other communication service providers offering comparable services (such as Internet based voice and messaging services). What are the various options that may be considered in this regard?
Q11. What should be the legitimate exceptions to the data protection requirements imposed on TSPs and other providers in the digital ecosystem and how should these be designed? In particular, what are the checks and balances that need to be considered in the context of lawful surveillance and law enforcement requirements?
Data localisation and jurisdictional issues
Q12. What are the measures that can be considered in order to address the potential issues arising from cross border flow of information and jurisdictional challenges in the digital ecosystem?
Auditing of use of personal data and regulatory intervention
Q4. Given the fears related to abuse of this data, is it advisable to create a technology enabled architecture to audit the use of personal data, and associated consent? Will an audit-based mechanism provide sufficient visibility for the government or its authorized authority to prevent harm? Can the industry create a sufficiently capable workforce of auditors who can take on these responsibilities?
Q7. How can the government or its authorized authority setup a technology solution that can assist it in monitoring the ecosystem for compliance? What are the attributes of such a solution that allow the regulations to keep pace with a changing technology ecosystem?
Q1. Are the data protection requirements currently applicable to all the players in the eco-system in India sufficient to protect the interests of telecom subscribers? What are the additional measures, if any, that need to be considered in this regard?