Sunday, March 12, 2017

Vivan Sharan at the CASBAA OTT Summit, 01 March

Vivan Sharan spoke on the future telecom and content services at the OTT summit convened by the Cable and Satellite Broadcasting Association of Asia (CASBAA) at Singapore on March 01, along side Hian Goh, Partner at NSI Ventures and Yinglan Tan, Partner at Sequoia. 

Does Age Matter or Agenda? Youth Politics in India, NewsX 19th Feb

Vivan Sharan on NewsX, discussing "youth in politics -- does age matter or agenda", on 19th February 2017:

Five Ideas That Should Guide a Net Neutrality Regime in India, The Wire, 13 February 2017

Five Ideas That Should Guide a Net Neutrality Regime in India

The Telecom Regulatory Authority of India (TRAI) expects to conclude public consultations on ‘net neutrality’ this month, culminating a process that began last year, with the regulator prohibiting “discriminatory tariffs for data services on the basis of content”. While considered a victory for neutrality evangelists, who want the internet to be free of monopolistic interests, it left several questions unanswered.
The central question is: under what circumstances can a network operator discriminate against applications or content available on the internet (a network of networks)? TRAI has the motivation to resolve this and other related questions, and the power to issue quality of service (QOS) regulations for telecom services (that run most Internet networks in India), as well as wider policy prescriptions that the Department of Telecommunications (DOT) may subsequently actualise.
In the latest round of consultations, it has emerged that TRAI is keen on contextualising its prescriptions, to fit India’s realities – which is a good sign. To this end, we propose that there are at least five fundamental realties that the regulator should consider (a) the prospects of consolidation in the telecom sector which may lead to long overdue rationalisation of revenue streams, (b) the absence of competition at the last mile of the distribution chain, (c) the imperative to connect the millions of unconnected Indians to the Internet, (d) the preponderance on wireless connectivity which requires greater traffic management (QOS) than wired connectivity, owing to limited spectrum and (e) technological ‘convergence’ of content delivery platforms. The following five ideas derive from these five realities, not necessarily in sequence.
First, innovations in network technology must be allowed to keep pace with consumer demand trends. Today, a large proportion of demand for data is linked to seamless access to video content, which accounted for 65% of total Internet traffic in Asia in 2015. And India’s inherent advantage in producing video content, with a vibrant media and entertainment industry, is clear. Technology has enabled entrepreneurs to develop content without investing heavily in production equipment. With low entry barriers, video content can become ubiquitous, and creative industries can potentially flourish with convergence of delivery platforms if requisite policy support is forthcoming. Therefore, even as the network will evolve over time, network regulations must be light touch and demand-led.
Second, a golden median between an ex-ante and ex-post approach is possible to achieve, if flexibility is at the core of regulatory ethos. Traditionally, internet service providers (ISPs) have favoured the ex-post approach as it makes strategic sense for large regulated companies: it gives them greater room to manoeuvre in terms of QOS, and large companies have the capacity to pursue resource-intensive litigation. Content providers on the other hand, have more to gain with a stronger ex-ante approach as it provides market certainty and predictability. Specifically, such an approach can help content providers avoid expropriation by ISPs (downstream monopolies beset the broadcasting supply chain for instance, a fact acknowledged in previous TRAI consultations), while ensuring some transparency in otherwise opaque traffic management operations.
Regulations need not reflect this binary. In fact, it is undesirable to emphasise one approach over the other. This would make little sense considering the pace of change in technology and economic incentives versus the inherent rigidities associated with regulatory precedents set in courts. TRAI must recognise that old norms may not fit next-generation innovations and that courts are not the best place to decide technological pathways. Any ex-post-facto approach should rely on technical expertise, extensive peer review and investigation. At the same time, a rigid ex-ante approach defies the very virtue sought to be protected by proponents of a free Internet – unfettered innovation.
India should adopt bright lines for ex-ante regulation, that should in turn be malleable and reflect the needs of a future population. That is, at the heart of the regime should be a recognition of the need for QOS, subject to regular review. This would ensure that broadband demand is not artificially suppressed owing to inadequate infrastructure; at the same time, norms should not encourage de-facto reliance on QOS, over improvements in network infrastructure. Net neutrality principles should instead help test whether a purported discriminatory practice is a deliberate attempt to reduce the quality or availability of a service, and responses to each principle should be verifiable.
Third, in lieu of verifying whether a practice is deliberate or not, TRAI must collaborate with independent actors for big data analysis. Statistical tests can be applied to samples of data received from ISPs as well as users, to ascertain the reasonability of traffic management practices. For instance, a practice may be reasonable, if data proves it to be exceptional and temporary. There is little doubt that such a measurement is not easy and will necessarily involve monitoring agencies and end users – but at least the scarcity of data is not a binding constraint, as operators maintain meticulous QOS logs. Although difficult to envision today, it is expedient to explore a co-regulatory model wherein end users – individuals or institutions – can empirically verify the claims of ISPs. Without such recourse, any transparency and disclosure requirements for checking adherence of networks to ex-ante principles will be unverifiable and, therefore, redundant.
Fourth, an effective network neutrality framework must centre on efficiency, which is where engineering and economics converge. For instance, large content providers are increasingly reliant on content distribution networks (CDNs) which are clusters of servers that bring content geographically closer to consumers, and concomitantly provide better QOS. There is a concern that CDNs can lead to de-facto prioritisation of data flows. There are two ways of looking at this: the first is that CDNs allow larger content providers which have deep pockets to invest in delivery infrastructure, to capture markets. The second, more palatable answer is, that while all data of a similar class should flow equally in a network, data that is closer to consumers, should naturally reach faster. Enhanced efficiency should not be penalised. Only economies that embrace Schumpeterian disruptions, that help deliver goods and services to consumers cheaper and faster, both online and offline, can remain globally competitive.
Fifth, following from the CDN example, it may also be inferred that a general principle could be developed wherein organic prioritisation of data flows is acceptable whereas forced prioritisation (based on modification of traffic protocols) is not. That is network engineers should not unreasonably discriminate between data flowing from point A to point B. If a third point C is physically closer to point B, the data from point C should be treated the same as data from point A, and it should organically reach the consumer faster. Such a framework may foster much needed last mile competition by lowering transit costs incurred by smaller ISPs on core networks.
The global discourse on net neutrality is by no means settled. Even as India makes its first holistic attempt to create a suitable regime, there are apprehensions that the US, under a new administration, may undo its extant framework which had set a benchmark. Nonetheless, perceived positions of other countries should not be a deterrent as our appetite for data is growing exponentially and a nuanced regime balanced by Indian realities can spur access and innovation.
Vivan Sharan is a Partner, and Prachi Arya is Head of Legal, at Koan Advisory Group, New Delhi.

Koan Advisory Co-Hosts a Payments Security Roundtable on 03 February

Indian consumers using digital payment methods face risks pertaining to data security and privacy at multiple stages of the transaction process. In the context of demonetisation and the concomitant emphasis on digital payment onboarding, the potential impact of cybercrime is acute. 

To identify key challenges relating to this, the Observer Research Foundation (ORF) and Koan Advisory co-hosted a round-table discussion on Securing Digital Payments: Imperatives for a Growing Ecosystem, on 3rd February.

The discussion was held under Chatham House Rules. The driving questions are appended below:

Driving Questions
1.       What are the most pressing security challenges to digital payment gateways?
2.       How does the proliferation of mobile devices and platforms affect the security of the ecosystems?
3.       Can regulatory systems in place to protect the digital payments ecosystem be harmonised? How can non-governmental stakeholders best contribute to the regulatory/ security audits process?
4.       Does the RBIs Vision-2018 for payment systems appropriately contextualise domestic security concerns? What are the pertinent recommendations within the Watal Committee Report?
5.       What are the largest infrastructural liabilities in the payment ecosystem? How can single points of failure within different payment networks be identified and ring-fenced?

Moving Towards a Secure Digital Economy, Mint, January 26

Moving towards a secure digital economy

The velocity of digitisation and technology adoption must necessitate a response different from what was the norm in the ‘public sector era’
Samir Saran and Vivan Sharan
Even as incessant political bickering is polarizing opinion on demonetisation, India is making a significant transition to a digital payments ecosystem. This project endeavours to breach the urban-rural divide, geographical exclusions of the real world, and income criteria that privileged only a few with access to certain private and public services. This new digital payments ecosystem is brutal in its attempt to alter the way India transacts, trades and is taxed.
A wider adoption of digital payments will invariably change the dimensions of risks, crime and security as well. If pickpockets were a common menace some decades ago, cybercriminals may dominate conversations in the days ahead as they eye digital and online transactions. While the “pickpocket” had to select a relatively “fat target” to make the effort and risk worthwhile, the cyber thief will have a low-risk environment (lack of forensic capabilities, human capacities and attribution challenges) and an expansive reach of technology that will make even “petty pickings” attractive. And although cybercrime will affect us all, it will harm the poor disproportionately. It could ravage the small savings of many, deprive them of their meagre means and, most importantly, result in erosion of trust in the financial ecosystem currently being built. It is, therefore, important that the government pay heed to small fraud.
An early warning of this was provided by the frisson of panic that followed the cautionary message from the newly launched Bharat Interface for Money application (BHIM app) on 4 January 2017: “Users please beware: Decline all unknown payment requests you may get! We will work on an update, which will allow you to report spam.” This response is inefficient and leaves the ecosystem vulnerable to malicious intent.
Governments around the world and here in India must respond to this new dimension, where “petty cash is big money” and digital pickpockets pose a range of threats to individuals, institutions and economic stability itself. Most governments have left themselves with little time to create the requisite mitigation capabilities. The velocity of digitization and technology adoption must necessitate a response from policymakers different from what was the norm in the “public sector era”, where Centrally controlled banks and enterprises offered a modicum of stability, privacy, and security (with less efficiency). To achieve this, a comprehensive approach for securing the digital ecosystem must be devised and some actions must be taken immediately.
First, there are a multiplicity of stakeholders operating networks and tools that pose varying degrees of risk. This, in turn, demands differentiated security responses. These include the Reserve Bank of India (RBI)-run National Electronic Funds Transfer (Neft) and Real Time Gross Settlement (RTGS), the National Payment Corporation of India’s (NPCI’s) Immediate Payment Service (IMPS) on which the Unified Payments Interface (UPI) currently operates, traditional card networks, mobile payments solutions, various banking apps. In a report released in December 2016, the Union ministry of finance’s committee on digital payments suggested a hierarchical approach based on the level of “systemic risk” posed by different tools and networks. This must form the design basis going forward.
Second, while industry is consulted by expert committees such as the one referenced above, an inclusive multi-stakeholder consultative process must become the norm for policymaking itself, to avoid arbitrariness. This can be done by instituting multi-stakeholder consultations that are transparent and inclusive. This is the model India has agreed is best suited to govern the Internet internationally, and it’s time to adopt consonant processes at home.
Third, while the “mobile” is being hailed as a replacement for physical wallets as well as a proof of identity through its widespread use in second-factor authentication of digital payments, government and users should be circumspect about the risks involved. For instance, there is evidence to suggest that distributed denial-of-service (DDoS) attacks—in which a multitude of compromised systems attack a single target, causing denial of service for users of the targeted system—are increasingly targeting the applications layer rather than the network layer of the Internet. In layman terms this means a sophisticated mode of cybercrime is being unleashed on unsuspecting users of mobile applications and popular software.
Mature hardware-based solutions, such as tamper-proof Universal Integrated Circuit Cards and Embedded Secure Elements, are being tested against the latest forms of cyberattack. Software-based solutions such as Host Card Emulation are also relatively secure but require upgrades through the cloud, placing large data demands on the user and testing the service capabilities of the issuer.
Globally payment solutions that have been able to integrate hardware- and software-based security exist, but domestic mobile payments providers are relying largely on software-based security solutions. And while the Indian government’s Computer Emergency Response Team, RBI and NPCI are undertaking security audits of payment solutions, it is important that users be given standardized information to make informed choices, particularly when the digital adoption drive is at its height.
Lastly, it may be useful for the government to think of the digital payments ecosystem, now anchored by the NPCI, as analogous to the Internet. And much like the Internet, the National Financial Switch (the infrastructure backbone of all Indian ATMs, operated by the NPCI) must acquire robust redundancies offered by private-sector partnerships in order not to be a vulnerable single point of failure—which can potentially be compromised by self-styled “legions” of hackers. The NPCI should be managed through multi-stakeholder groups that can help with standard-setting, and can ensure that the payments ecosystem serves the common citizen, making even a small transaction online.
Samir Saran and Vivan Sharan are, respectively, vice-president at the Observer Research Foundation and founding partner at the Koan Advisory Group.

Submission to TRAI on the pre-consultation on Network Neutrality, 05 July 2016

Please click on the link below to access the submission: