Some concerns about the TRAI consultation on Open Data, based on my reading of the paper:
1. Concerns about jurisdiction: There are two concerns around jurisdiction issues here:
Whether the TRAI can even look at privacy and data protection: The TRAI’s remit is to look into the conduct of telecom service providers, including ISPs. Maybe I missed something, but the TRAI Act (act, amendment) talks about license condition for a service provider, interconnection issues, spectrum management, quality of service etc. Nowhere does this cover issues related to content or storage or transfer of data, even though that does impact telecom subscribers. Ecommerce fraud also impacts telecom subscribers. Fake News also impacts telecom subscribers. How is privacy and data protection a TRAI mandate? It is a Ministry of Electronics and IT (MEITY) mandate, and they’ve set up their own committee. That said, the TRAI has allegedly exceeded its remit in the past: it looked at competition issues, much to the chagrin of the Competition Commission of India. Question remains: can the TRAI issue an order governing data protection? Probably not. They will probably issue recommendations and submit them to MEITY.
Whether the TRAI can make recommendations for controlling Internet companies and their usage of data: The paper goes into data collection from “content and application service providers, device manufacturers, operating systems, browsers”, and asks for recommendations related to issues. If you remember, with the Differential Pricing (Net Neutrality consultation), the TRAI order covered tariff plans from telecom operators, banning zero rating, and not the activities of Internet companies. Telecom is governed by the TRAI and the Ministry of Communications, while the Internet, by MEITY. This explains why the paper is titled “Privacy, Security and Ownership of the Data in the Telecom Sector”. However, if you read the questions for the consultation, 9 out of 12 questions relate more to Internet businesses than telecom operators.
2. Reminds us of the first Net Neutrality consultation paper:
This reminds us of the first Net Neutrality consultation paper (an abridged version here), where the TRAI had gone beyond telecom and looked at Internet issues. To paraphrase statements from that consultation:
“To participate in online commerce, individuals have to submit personal data online, which can be of great value to criminal elements. These sites can be hacked and denial of service attacks can adversely impact the economy. This can be addressed with legal surveillance.”
The transfer of personal information is a risk because of the open architecture of the Internet. According to MetaIntell, today more than 92 percent of such Internet/OTT apps use non-secure communication protocols.
“geo-location details, authentication, personal information, banking information etc. and data analytics can lead to a user’s private information being harnessed for commercial gains, e.g. advertisement targeted to a user. This compromises the user’s free will.”
User information is being extracted for carrying out marketing activities. “It is said that Big Data can even predict an individual’s future actions. Several concerns are being raised and most important is privacy of an individual. Big Data (not Big Brother) is watching.”
The ‘always online’ state of mobile phones exposes users to cybercrime. Most applications can trace the user’s location for underlying processes (such as GPS apps finding the nearest restaurants etc). This information may be used to commit a crime, or the location itself may be the target of a crime. Such threats can impact the nation’s security and financial health.
Most of the time users believe that apps downloaded from an official app site can be trusted even though these stores do not guarantee trustworthiness of the products or items on sale or offer. These apps are hosted in such app markets without any risk assessment and can impact the device and a company’s internal network.
Internet apps bring “all manners of nuisance” including viruses, worms, malware, spyware or trojan horses etc. Hacking and theft are common occurrences. Recently even unreleased films from Sony were leaked by hackers.
3. TRAI has bigger ambitions? Does TRAI want to be the data controlling authority of India? Or an internet regulator? Consider the following two questions in the consultation paper:
What, if any, are the measures that must be taken to encourage the creation of new data based businesses consistent with the overall framework of data protection?
Should government or its authorized authority setup a data sandbox, which allows the regulated companies to create anonymized data sets which can be used for the development of newer services?
Why does the TRAI need to encourage data startups, or advise the government on setting up a data sandbox? Should we expect an ordinance from the government of India, or a law, changing the mandate of the TRAI? Given the TRAI’s current role (based on what I understood from the TRAI Act), this is clearly beyond its remit.
4. Same service same rules again?
The TRAI asks whether there is a need for parity in the data protection norms applicable to telecom operators and “other communication service providers offering comparable services (such as Internet based voice and messaging services).” This is the same telecom operator same-service-same-rules tripe that we heard from telecom operators for over a year and a half when it came to Net Neutrality. The TRAI needs to look at content and its transmission separately. ISPs are exchanges of data, and the security of data in transit may be looked at by the TRAI. If telecom operators run content or IP based messaging and calling services, that’s the remit of the Ministry of IT, and not a telecom concern.
5. What the paper should look at: There are enough issues when it comes to data protection in telecom, which haven’t been addressed for years:
Enforcing Encryption in telecom: As SFLC.in pointed out in this great post on the legal position of encryption in India, “The terms and conditions of the license agreement between the DoT & the ISPs permit use of encryption technologies only up to 40 bits with RSA algorithms or its equivalent without any prior approval from the DoT.” The TRAI ought to allow higher encryption norms, even if that means that national security agencies cannot set up GSM sniffers outside your homes to listen to your calls. You cannot make people more secure by making them more vulnerable.
Banning Deep Packet Inspection: Reuters, in August last year, quoted Mukesh Ambani as saying that “For Reliance… data is the new oil, and intelligent data is the new petrol”, and then an unnamed senior Reliance executive as saying that “It’s called Deep Packet Inspection, and what you can do with the analytics of that is mind-boggling”. Deep Packet Inspection involves telecom operators and ISPs inspecting each packet of data being used, linking it to its source, and creating profiles and details of browsing behavior. Remember that with all ISPs doing this, because they are gateways to the Internet, you don’t have a choice. You can’t choose a safer ISP because there isn’t one.
ISPs inserting code into consumer data connections: ISPs are inserting code into consumer data connections. MTNL Delhi, my ISP, inserts code on website links and pages, such that if you click on a page or a link on the page, a new site opens up. Currently, MTNL is working with a provider called Phozeca.com (my browsing data goes to mtnl.phozeca.com) which has helped with my decision to use a VPN. Airtel was found to be using super cookies to track browsing behavior.
Reporting mechanisms: Telecom companies do store personal data, and while it may not be the TRAI’s remit, telecom operators do not take consent, and do not disclose what consumer data they are collecting and storing. I’m reminded of a deal between Airtel and Vserv in 2013, wherein Airtel was anonymising and allowing Vserv to get advertisers to target users “down to a particular city, ARPU range, data usage patterns (if she’s consuming less or more than 5 MB of data), content consumption preferences (cricket, music, football, language) based on the content consumed on the network.” We don’t know what Airtel is collecting, how they’re collecting it, nor do we have the means to prevent this.
6. Consent architecture and IndiaStack:
One of the questions appears to be right out of the IndiaStack playbook, and its pitch for enabling a consent architecture for personal data. The TRAI asks whether “Q4. Given the fears related to abuse of this data, is it advisable to create a technology enabled architecture to audit the use of personal data, and associated consent? Will an audit-based mechanism provide sufficient visibility for the government or its authorized authority to prevent harm? Can the industry create a sufficiently capable workforce of auditors who can take on these responsibilities?” Fits perfectly: DoT mandates Aadhaar linkage for mobile numbers, and TRAI suggests technology based consent architecture for users to consent to share personal data. Maybe we should clarify whether Q4 is a rhetorical question.
That said, beyond these issues, the paper appears to be well thought out, and should serve as a framework for the MEITY committee to look into. The other important thing about the TRAI is that theirs is an open and public consultation, and aside from the final ruling, the process is more transparent than any other in India.
- Media Nama