Wednesday, June 20, 2018

"Looking Beyond Tactical Protectionism", Vivan Sharan for The Mint, 12 June 2018
In the run-up to the 2019 Lok Sabha elections, the protectionist din is growing louder in India. This is not unexpected, since, despite liberalization, we have not fully embraced an open-market identity. And despite our growing aspirations of becoming a stakeholder at the global economic high table, most political parties still seem to lack a cogent economic vision. Consequently, those in the protectionist camp have strengthened their attack on foreign companies, particularly on digital economy firms. Such companies are the softest targets, because they tend to lack the institutional experience, and sometimes even the will, to take political positions in emerging markets. However, in the spirit of debate, some rebuttals are in order.
Let us analyse the most common protectionist proposition first: that government should create different compliance burdens for foreign and Indian firms. This stems from the assumption that owing to superior technology and abundant capital, foreign-owned firms can easily outmanoeuvre domestic incumbents, if they compete on a level playing field. Therefore, like China, we should put strict conditions on foreign direct investment (FDI).
However, it makes no sense to allow, or even want, FDI, if we simultaneously want to put fetters on such capital. Industry can only prosper if we make clear choices, as evidenced in the case of telecom, the poster-child of India’s economic liberalization. In this industry, the extant national policy and licence conditions do not envision different requirements for foreign and Indian companies.
Moreover, India must account for a larger share of global value chains (GVCs), currently estimated to be only 2% of the total, before we can start selectively evoking the China model. We must harness inward investments to strategically generate this value. Many companies in the information technology (IT) and IT-enabled services space are now struggling to achieve this objective through outmoded cost-arbitrage-based business models. Ironically, some of them, unable to keep pace with innovation, are now asking for protection. This demand may be at the cost of the same market logic that created them—the ability to competitively serve global markets, with minimum government intervention.
A second, more compelling, proposition of the protectionist camp is that India should adopt a preferential approach towards strategic government procurements in the digital industries. Proponents of this approach are quick to cite examples such as the US government’s Defence Advanced Research Projects Agency (Darpa), which played a role in the invention of the modern internet. Darpa works closely with the US private sector, and, in doing so, promotes indigenous innovation. However, unlike Darpa, which is well-funded, with over ₹20,000 crore or so a year at its disposal, it is hard to name Indian government departments that have seen an increase in real expenditure over the last three decades.
In an effort to promote self-reliance, India has been trying to create preferential private sector partnerships in the defence industry for over a decade. Most recently, strategic partnerships were defined and envisioned under the defence procurement policy, 2016. However, this potentially meaningful modality of deep public-private partnerships has been throttled by reticence on part of the unions representing public sector enterprises, as well as an all-pervasive lack of trust in the private sector. These are challenges within government. The solutions cannot possibly lie outside, or in the politics of protectionism.
Lastly, the newest avatar of protectionism is manifesting itself in the so-called “data economy”, the data-driven subset of the digital economy. A legitimate hypothesis is that as India transitions from data-poor to data-rich, owing to factors such as increased internet penetration and the Jan Dhan-Aadhaar-Mobile (JAM) trinity, the data-linked rights of citizens must be secured better. However, the protectionist camp goes on to offer a tenuous extension of this hypothesis: India should mandate localization of all data owned by foreign companies, again inspired by China.
There are several technical arguments in favour of cross-border data flows, but let us forget those. The central issue is that, analogous to the case for enhancing contribution to GVCs for goods and services, India will have to service global data flows if it is to become a hub for data-driven industries.
Despite large volumes, the potential for earning large value from the domestic data market remains limited. Low average revenues per user in telecom and low transaction values in digital payments are indicative of this “high-volume and low-value” paradigm. The need for data services to achieve scale is almost a prerequisite to their survival.
Unlike China, we do not have a large enough economic footprint to deter advanced countries from taking reciprocal measures against our “tactical protectionism”. And unlike in the US, our institutions and businesses do not generate enough surpluses to invest in cutting-edge research. Our markets are shallow, and our technological self-reliance has to be earned through internal reform. So, if we are to be protectionist, we must at least adopt a strategic lens—investments cannot be turned away for meeting political ends.
Vivan Sharan is a partner at Koan Advisory Group, New Delhi. The views expressed are personal. Comments are welcome at

"Now to Make Sense in India", Vivan Sharan and Samir Saran for the Economic Times, 30 March 2018
India currently faces multiple headwinds to industrial growth. These include muted private investment, protectionism emanating from OECD countries, and growing automation within production supply chains. In this context, GoI has done well to signal positive intent and political will to keep the economic engine churning by improving the business environment.
Commerce minister Suresh Prabhu’s revitalisation of the commerce agenda exemplifies this constructive approach.
India’s institutions, with their capacity deficits and coordination failures, require precisely this form of hands-on leadership where the prohibitive barriers posed by the need for inter-ministerial coordination are absent.
One area that fits squarely within the commerce ministry’s domain is FDI policy, a low-hanging fruit for Prabhu. The caveat is that some sector-specific FDI policies are jeopardised by legacy policy positions of other line ministries. Nevertheless, a large share of FDI in recent years has accrued to the services sector.
India’s economic growth seems increasingly contingent on a policy environment that supports investments at critical intersections of global value chains (GVCs) — such as services that add value to manufacturing, or those that facilitate better access to international markets.
All of this necessarily means more consultative reforms, and less idiosyncratic bureaucracy. The Single Brand Retail Trading (SBRT) policy announced earlier this year is the most visible example of the dissonance between 21st-century goals and a20th-century mindset. While this policy allows 100% FDI into singlebrand retail through the automatic route (the earlier limit was 49%), it falters on nuance.
For example, the erstwhile policy had prescribed that 30% of goods purchased by the retailer receiving FDI must be sourced domestically. While promoting local companies is a laudable goal, the means to achieve this was flawed. Little interest in new investment or manufacturing was generated.
Consequently, the Department of Industrial Policy and Promotion allowed retailers to offset local sourcing norms through exports. This step allows brands retailing their own products to source locally from India and integrate with GVCs. There’s just one glitch: the policy allows this only for an arbitrary period of five years.
Why switch to domestic procurement after five years? Why not promote manufacturing-linked exports as a specific category to offset domestic procurement requirements?
Bureaucrats, in all their wisdom, have also introduced a concept of ‘incremental sourcing’, which is impossible to interpret. It suggests that the percentage of sourcing in every year will be entirely discounted in the following year. So, companies would have to grow exponentially every year just to keep up with the exports-equivalent of the sourcing requirement. More importantly, this would automatically disqualify any company that intends to invest in new facilities and begin operations at full capacity.
Why treat value-added activity the same as trading? Further, incremental sourcing may work with one sector, and not with another. This is another failure to appreciate nuance. Perhaps there is an ex ante expectation that retail brands will not make large manufacturing investments (as they would have to start operations at scale, and not incrementally). This is a flawed expectation.
The logic behind allowing FDI in SBRT is to create the right incentives for domestic manufacturing, not the conditions for policy arbitrage by firms only interested in some form of trading. There is an opportunity here to signal a preference and strategic coherence. Companies should be encouraged to make in India, and export to the world.
The policy also restricts offsetting through entities that are not directly related, or a part of, the group companies that have received FDI. Nearly all global corporations work through agents and franchisees to complete specialised functions, such as manufacturing, retailing and exports.
GVCs are replete with examples of exceptionally sophisticated, multientity supply chains. So, the fear of policy misuse should be addressed through appropriate indemnifications and penalties in case of breach, rather than guidance on how to structure compliance.
Also, the policy ostensibly links the prospects of e-commerce retail to the opening of brick-and-mortar stores first, contradicting the very basis of GoI’s ‘Digital India’ programme. Investing in online business should be encouraged, not delayed.
Prabhu expects India’s GDP to touch $5 trillion within a decade. He expects asignificant share of this growth to come from efficiencies born of better logistics and digitisation. He intends to leverage India’s growing internal market, pool of tech-savvy workers and rapid digitalisation, towards enhanced integration into GVCs. Bureaucrats in the commerce ministry would do well to support this vision. And they can begin with fixing extant FDI policies.
**Saran and Sharan are vice-president and visiting fellow, respectively, Observer Research Foundation, New Delhi.

Vivan Sharan speaks to NewsX on the Cambridge Analytica Controversy, 22 March 2018

"The future of the Indian workforce: A new approach for the new economy", Occasional Paper for the Observer Research Foundation, 21 March 2018

India is at a crossroads. It has the largest young workforce anywhere in the world, and is the fastest growing economy today. At the same time, the economy is not creating enough jobs, and therefore not fully harnessing its “demographic dividend” in preparation for the “Fourth Industrial Revolution”. To create more and better jobs, certain fundamental realities need to be recognised – the untapped opportunities in the services sector, the imperatives of policy and regulatory stability, and the welfare needs of a new workforce. After briefly analysing the supply-side context (the characteristics of the so-called “demographic dividend”), this paper outlines a basic strategic roadmap for the demand side with a focus on constituents of the new economy (the industries that will have to generate new employment). It concludes with recommendations that can help bridge supply-side gaps, and demand-side imperatives.

Rise of Competition Jurisprudence, Vivan Sharan and Mohit Kalawatia write for The Pioneer, 01 March 2018

The increasing prominence of large online businesses has made competing authorities around the world devote more time in the ‘new economy’, characterised by rapid-scale innovation. In this context, the Competition Commission of India’s (CCI) decision in the recently resolved case on Google, throws light on the approach likely to be followed by our anti-trust regulator going forward.
The CCI, in its order dated February 8, 2018,  imposed a Rs 1.3 billion fine on Google for abusing its dominant position in ‘online general web search’, and the ‘online advertising search’ markets.
Special characteristics of the Internet economy, and the methodology to determine the existence of dominant position, are important points of departure before abuse of dominance is established as it was in the Google case.
Many online businesses seem to follow a counter-intuitive business model, and often make big sums of money without selling anything to the retail user; and even though there are fewer barriers to online distribution, then there are offline, such companies can still dominate online markets by capturing consumers within their expansive ecosystems.
Special characteristics: It is said that in the new Internet economy, where many products (and services) are made available for free, consumers are often themselves the product. In this respect, the CCI judgement echoes Prime Minister Narendra Modi’s remark at Davos, that “business models based on collection and processing of data will shape the world”, and it further opines that even though Google provides its search services for free, users offer indirect consideration to the company by allowing it to collect and use their information; consequently facilitating generation of advertising revenues.
The CCI also acknowledges the impact of ‘network effects’ on online businesses. That is, a user’s benefit from a product or service increases with the number of other users within the network — consequently opening new avenues for market dominance. Such effects are particularly important in two-sided markets where users on each side of the market derive benefits from the expansion of users on the other side.
For example, commuters, who use radio-taxi platforms, will be more attracted to a platform which has a larger driver network, and therefore, lower waiting time for users. Specifically,  the CCI points out that anti-trust assessments relying solely on the provision of ‘free’ services to one side of the market, may fail to see the complete picture.
The presence of network casts special responsibility on businesses which have a dominant position in online market. Simultaneously, it is important that the CCI continues to draw a distinction between the inherent nature of competition in a network industry, on account of the structural features of the market in question, and a situation wherein a firm adopts exclusionary practices to abuse its dominant market position.
To be clear, dominance in and of itself is not a sin and is not penalised by any statute, only its abuse is.
Determining abuse: The CCI normally commences its inquiries by delineating a ‘relevant market’. Notably, there has been a dichotomy in CCI’s approach while ascertaining relevant markets in the new economy. For instance, in the context of e-commerce related judgements, the CCI has previously adopted a wide approach and described online and offline markets as constituents of the same market. In contrast, for the Google case, it adopted a narrower approach, distinguishing online and offline markets.
Given that there are often several intersections between online and offline businesses, the CCI may be tempted to maintain such subjectivity going forward. In an ideal world, a clear direction of competition jurisprudence would serve as guidance to market participants.
After delineating a relevant market, the next step to determine abuse involves ascertaining market dominance. In this context, competition law prescribes that the CCI should consider factors like market share, size and resources of the firm in question, size and importance of competitors, vertical integration of the service network and entry barriers. However, in practice, the CCI gives asymmetric importance to market share as an indicator of dominance, as also evidenced by the investigations on Google.
An overall inability to ascertain market structure has served as an analytical limitation to CCI investigations in the past (for instance on predatory pricing). This approach may need some reimaginin  as it fails to take into account that the Internet economy is characterised by short innovation cycles and, therefore, large market shares may often be ephemeral.
 Conversely, aspects such as vertical integration may need more attention, given that dominance is also a function of how ‘fairly’ an online business is able to capture and control its users.
In the age of big data and artificial intelligence, it is reasonable to expect that businesses with large data sets and computing power will integrate with specialised services and create a new paradigm of dominance wherein it would be very hard for new market entrants to ever usurp their edge.
Regulating competition without stifling the nascent Internet economy in India will no doubt be a tightrope walk for the CCI. For instance, an overly narrow approach for determining relevant markets can kill innovation and too wide an approach can stifle competition. Both will have adverse impacts on consumer welfare.
Similarly, vertical integration and provision of bundled or stacked services, already veil real instances of abuse globally.
While jurisprudence from foreign shores can offer some limited insights as a regulator that is central to the sustainable growth of India’s new economy — where politicians tend to look for our economic salvation, the CCI has the opportunity to craft an exceptionally nuanced and transparent approach. Towards this, more market insights and rigorous economic analyses must necessarily accompany our competition jurisprudence.
The CCI must build internal capacity and find ways to proactively and dynamically engage with industry and civil society experts on new questions concerning the new economy.
(Vivan Sharan and Mohit Kalawatia are technology policy experts. Views expressed are personal)

Wednesday, January 31, 2018

Vivan Sharan and Sidharth Deb write on "Maintain the Integrity of India's Telecom Ecosystem", in DailyPioneer, on 22 January 2018

Last week, the New York Times reported that telecom behemoth AT&T caved in to pressure from US authorities to rescind its agreement with Huawei Technologies to distribute its ‘Mate 10’ smartphone. The move stems from concerns voiced by US lawmakers to the Federal Communications Commission, pertaining to Huawei’s role in supporting Chinese cyber espionage activities. This situation has consequences for India, a market where Huawei is among the dominant telecom equipment suppliers already, and where it seeks to build its smartphone business.
Reports suggest that Washington is urging AT&T to end commercial ties with Huawei, and is also considering ways to halt Chinese telecom operator, China Mobile Ltd, from entering the American market. Further, Republican lawmakers have also introduced a Bill, which could bar the US Government from contracting or utilising Huawei and ZTE — another Chinese telecom firm — owing to national security threats. This is not the first time the US has acted on such threats. In 2012, the US House of Representatives commissioned an investigation into national security threats faced from both Huawei and ZTE — particularly threats posed to the resilience of critical information infrastructures.
From an Indian perspective, these developments mirror domestic security concerns and implicate flagship development schemes like ‘digital India’. Huawei has also placed bids with the Indian Government for infrastructure projects for the ‘Smart Cities’ initiative, and sells about one million phones locally under its ‘honor’ brand, annually. Enabling policy and market conditions have allowed India to generate over 1.2 billion mobile phone connections and it is consequently the second largest smartphone market in the world, with over 300 million devices. However, for such a massive digitalisation drive to be sustainable in the long term, ecosystem integrity in the telecom sector is a prerequisite.
Indian decision-makers must remain mindful of the dominance of Chinese firms in India’s smartphone and network equipment markets. For instance, by the first quarter of last year, such firms had already captured more than half of India’s smartphone market. Similarly, security experts have previously voiced concern that over 60 per cent of software and hardware utilised for telecom, including what is used by BSNL, is sourced from either Huawei or ZTE. These concerns are compounded by the fact that in 2014, Huawei had been probed for allegedly compromising BSNL’s network. In 2010, a comprehensive joint report by the Information Warfare Monitor and the Shadow Server Foundation found that Chinese cyber espionage activities (similar to subsequent US concerns) have systemically compromised critical networks in India. Evidently then, instances of cyber security threats originating from China are not new for India.
More recently, the Indian Air Force has also been reacting to national security threats posed by Chinese smartphones. For instance, in the wake of findings made by security solutions firm F-Secure, revealing that Xiaomi phones relay sensitive user information to servers in China, Air Force personnel were advised not to use the company’s products. China’s State Security Law explicitly allows any state organ of the Chinese Government to access any electronic communications or related data, stored by companies that are headquartered within its borders. Further, it has also emerged that both Xiaomi and major smartphone brand One Plus devices have been found to contain pre-installed backdoors which make their devices vulnerable to hacking. One Plus has also been found to collect sensitive user information, including IMEI numbers, phone numbers and names of mobile network operators, without prior informed consent — contravening accepted data collection and processing norms.
The (in)security of India’s smartphone ecosystem came up at the highest levels of Government and law enforcement last year. In the context of data security, the nodal Computer Emergency Response Team ie  CERT-In, directed 21 smartphone manufacturers, mostly Chinese, to furnish details with respect to security practices, frameworks, standards and processes, followed by the concerned enterprises. Moreover, in the wake of the border standoff at Doklam, the Ministry of Defence advised military personnel to uninstall and remove around 42 mobile applications (predominantly Chinese), classifying them as spyware.
Most advanced jurisdictions are dealing with such threats through appropriate standard setting and testing procedures. Similarly, India’s Ministry of Communications released a notification in September last year, mandating prior testing and certification of equipment for telecom networks. However, these rules shall only become enforceable in October 2018, by which time, Chinese dominance of telecom supply chains will only be reinforced.
Emergent security requirements should reflect international standards designed by expert organisations like the ISO, IEC, IETF, and IEEE. Unfortunately, India’s participation at such standard development organisations, especially in the context of network and information security, remains less than desirable. Given that Chinese industry is actively influencing standard setting conversations, as observed with Huawei’s attempted agreements with AT&T, to develop 5G network standards, it becomes imperative that India targets strategic capacity-building on this front, along with industry counterparts from friendly countries. International summits, such as the one in Davos, should be treated as opportunities to build requisite relationships in this regard.
Most importantly, India lacks testing processes to ensure that smartphone devices adhere to cybersecurity standards. The current testing and certification framework under the Ministry of Electronics and Information Technology’s ‘Compulsory Registration Order’, only envisions phone safety through the prism of generic safety requirements, like fire, heat and chemical hazard testing. This void, if not mitigated at the earliest, poses a grave threat and amplifies opportunities for bad actors, either state or non-state, to disrupt India’s communications channels and potentially compromise data privacy. Recent reports suggest that the Government has recognised this gaping hole in current policy and is actively developing cyber security standards for mobile devices to be published for consultations this year. Reports also suggest that the Ministry of Home Affairs is developing a Cyber-Forensics Lab to help secure digital ecosystems.
While designing standards and testing requirements, India can learn from the approaches taken by other members of the international community. For instance, jurisdictions like the UK and Singapore, develop device and application cybersecurity standards using principles of Security-by-Design (updated throughout product lifecycles). More specifically, testing benchmarks tend to be based on international computer security certification standards developed by the ISO and IEC, namely the Common Criteria for Information Technology Security Evaluation. Further, in order to ensure robustness of such processes, both these countries have embraced working arrangements with security experts.
India must follow an inclusive and strategic approach to protect its telecom ecosystem, without compromising on the growth of markets, or the enthusiasm for flagship schemes which can give impetus to private investments. Indian law enforcement agencies are already used to working with non-government institutions and external experts and, therefore, there is a template available for a dynamic private-public partnership approach to cyber security. However, a formal and inclusive feedback loop is also needed for facilitating information exchange, confidence building with industry, and strengthening institutional capacities. To this end, India would do well to borrow from experiences of friendly countries rather than reinventing the wheel.
(The writers are technology policy consultants at Koan Advisory Group, New Delhi. Views expressed are personnel)

Oped by Vivan Sharan coauthored with Arvind Gupta on "How we can deal with the cyber threats in our pockets", Mint, 15 December, 2017

Smartphones have become ubiquitous, and are forcing us to re-imagine the contours of privacy and data protection. This is for several reasons: we carry our phones everywhere we go, we use them for accessing critical services including banking and payments, we use them to store personal and sensitive data, to access our social networks and emails, and many “apps” are connected to servers and facilities that consumers and governments, often have no line of sight to.
Unsurprisingly, reports of phone hacks, theft of personally identifiable information and user-tracking, misguidance of consumers and evasion of law, by stakeholders within the digital ecosystem, has become an everyday phenomenon. The Indian smartphone user is particularly vulnerable. 
The sheer pace of expansion of the smartphone market in India is unparalleled. Over 110 million new smartphones are added here every year—making India the world’s second largest smartphone market. Smartphone penetration is a key metric against which the success of India’s digital economy is often measured.
The rapid scaling up of sales of electronic goods and services that our aspirational market allows calls for greater vigilance, as there are limited disincentives to errant behaviour. Chinese handset brands for instance, command more than half of India’s smartphone market share, and are often pre-loaded with bundled apps. Reports of malware and backdoors embedded in these nifty smartphones and apps, are particularly troubling.
The prospect of free products and services are very compelling for the best of consumers. Consequently, Indians are voracious consumers of “free” apps—from Facebook and Google-run apps, which dominate digital advertising and direct their energies and algorithms to monetizing user data, to more pernicious Chinese-made apps like UC Browser, which have been linked to serious surveillance concerns.
The common thread in this spectrum is that most free apps seek to exploit user data and get omnibus permissions to do so from their users. Informed consent is the permission granted by users to app providers, in full knowledge of the possible consequences of the use of their data. Juxtaposed against complex terminology and lack of awareness about potential pitfalls, this “opt-in” framework may itself require revisiting. 
Another Chinese app, which leverages the rather innate urge to take “selfies”, has an exclusive version for India, and is so attractive to consumers that many handset makers are bundling it with devices. This is despite evidence to suggest that the app leaks sensitive personal information to Chinese servers.
It gains extensive access to personal data and numerous features of smartphones: access to users’ GPS location, cell carrier information, Wi-Fi connection data, SIM card information and identifiers like the IMEI number, which can be used to track and actively monitor its users. 
The government seems acutely aware of these context-specific risks, and has constituted cyber-security and data protection committees and working groups, which may help ring-fence the digital ecosystem. The B.N. Srikrishna Committee which has been tasked with creating a data protection framework for India is one such example.
However, laws and regulations cannot substitute for greater consumer awareness—apps will continue to try to exploit lack of user awareness, even after obtaining legal sanction. And since technology will always outpace regulations, apps and phones can exploit national security vulnerabilities just as easily. 
In 2014, the Indian Air Force red-flagged the use of Chinese origin smartphones by its personnel and their family members due to a “flaw” in the operating system causing automatic and unencrypted transfer of user data to servers located in China. This data leak could have revealed and compromised the location and movements of air force personnel and their families, jeopardising lives and the safety of security infrastructure.
More recently, Indian troops posted along the Line of Actual Control have been issued a cybersecurity advisory to delete 44 apps, mostly of Chinese origin, to guard against espionage. 
The national threat from bundled apps also extends to the content ecosystem. Bias in both the sequencing and substance of online content, available on apps such as UC News, can influence opinions of citizens at large. The US is finding out that Facebook campaigns were manipulated by Russian intelligence operatives the hard way. And Facebook is attempting to respond and show a higher degree of responsibility towards consumers by “flagging” paid advertisements.
However, can anyone expect similar apologetic behaviour by Chinese-origin apps and handset makers, even if found guilty of spreading false news, malware, spyware and so on? We wouldn’t hold our breath.
For netizens of a “mobile-first” economy, much greater caution and sensitivity is warranted. It is necessary for both policymakers and ordinary citizens to understand the security implications of using foreign origin smartphones with bundled, pre-installed apps.
We must not be na├»ve recipients of digital Trojans—and must begin to put a price on our data and privacy. We can start to do so by making informed consumption choices and nurturing a healthy scepticism of “free lunches”. 
Arvind Gupta is head, Digital India Foundation, and Vivan Sharan is a technology policy expert based in New Delhi.