Wednesday, January 31, 2018

Vivan Sharan and Sidharth Deb write on "Maintain the Integrity of India's Telecom Ecosystem", in DailyPioneer, on 22 January 2018

Last week, the New York Times reported that telecom behemoth AT&T caved in to pressure from US authorities to rescind its agreement with Huawei Technologies to distribute its ‘Mate 10’ smartphone. The move stems from concerns voiced by US lawmakers to the Federal Communications Commission, pertaining to Huawei’s role in supporting Chinese cyber espionage activities. This situation has consequences for India, a market where Huawei is among the dominant telecom equipment suppliers already, and where it seeks to build its smartphone business.
Reports suggest that Washington is urging AT&T to end commercial ties with Huawei, and is also considering ways to halt Chinese telecom operator, China Mobile Ltd, from entering the American market. Further, Republican lawmakers have also introduced a Bill, which could bar the US Government from contracting or utilising Huawei and ZTE — another Chinese telecom firm — owing to national security threats. This is not the first time the US has acted on such threats. In 2012, the US House of Representatives commissioned an investigation into national security threats faced from both Huawei and ZTE — particularly threats posed to the resilience of critical information infrastructures.
From an Indian perspective, these developments mirror domestic security concerns and implicate flagship development schemes like ‘digital India’. Huawei has also placed bids with the Indian Government for infrastructure projects for the ‘Smart Cities’ initiative, and sells about one million phones locally under its ‘honor’ brand, annually. Enabling policy and market conditions have allowed India to generate over 1.2 billion mobile phone connections and it is consequently the second largest smartphone market in the world, with over 300 million devices. However, for such a massive digitalisation drive to be sustainable in the long term, ecosystem integrity in the telecom sector is a prerequisite.
Indian decision-makers must remain mindful of the dominance of Chinese firms in India’s smartphone and network equipment markets. For instance, by the first quarter of last year, such firms had already captured more than half of India’s smartphone market. Similarly, security experts have previously voiced concern that over 60 per cent of software and hardware utilised for telecom, including what is used by BSNL, is sourced from either Huawei or ZTE. These concerns are compounded by the fact that in 2014, Huawei had been probed for allegedly compromising BSNL’s network. In 2010, a comprehensive joint report by the Information Warfare Monitor and the Shadow Server Foundation found that Chinese cyber espionage activities (similar to subsequent US concerns) have systemically compromised critical networks in India. Evidently then, instances of cyber security threats originating from China are not new for India.
More recently, the Indian Air Force has also been reacting to national security threats posed by Chinese smartphones. For instance, in the wake of findings made by security solutions firm F-Secure, revealing that Xiaomi phones relay sensitive user information to servers in China, Air Force personnel were advised not to use the company’s products. China’s State Security Law explicitly allows any state organ of the Chinese Government to access any electronic communications or related data, stored by companies that are headquartered within its borders. Further, it has also emerged that both Xiaomi and major smartphone brand One Plus devices have been found to contain pre-installed backdoors which make their devices vulnerable to hacking. One Plus has also been found to collect sensitive user information, including IMEI numbers, phone numbers and names of mobile network operators, without prior informed consent — contravening accepted data collection and processing norms.
The (in)security of India’s smartphone ecosystem came up at the highest levels of Government and law enforcement last year. In the context of data security, the nodal Computer Emergency Response Team ie  CERT-In, directed 21 smartphone manufacturers, mostly Chinese, to furnish details with respect to security practices, frameworks, standards and processes, followed by the concerned enterprises. Moreover, in the wake of the border standoff at Doklam, the Ministry of Defence advised military personnel to uninstall and remove around 42 mobile applications (predominantly Chinese), classifying them as spyware.
Most advanced jurisdictions are dealing with such threats through appropriate standard setting and testing procedures. Similarly, India’s Ministry of Communications released a notification in September last year, mandating prior testing and certification of equipment for telecom networks. However, these rules shall only become enforceable in October 2018, by which time, Chinese dominance of telecom supply chains will only be reinforced.
Emergent security requirements should reflect international standards designed by expert organisations like the ISO, IEC, IETF, and IEEE. Unfortunately, India’s participation at such standard development organisations, especially in the context of network and information security, remains less than desirable. Given that Chinese industry is actively influencing standard setting conversations, as observed with Huawei’s attempted agreements with AT&T, to develop 5G network standards, it becomes imperative that India targets strategic capacity-building on this front, along with industry counterparts from friendly countries. International summits, such as the one in Davos, should be treated as opportunities to build requisite relationships in this regard.
Most importantly, India lacks testing processes to ensure that smartphone devices adhere to cybersecurity standards. The current testing and certification framework under the Ministry of Electronics and Information Technology’s ‘Compulsory Registration Order’, only envisions phone safety through the prism of generic safety requirements, like fire, heat and chemical hazard testing. This void, if not mitigated at the earliest, poses a grave threat and amplifies opportunities for bad actors, either state or non-state, to disrupt India’s communications channels and potentially compromise data privacy. Recent reports suggest that the Government has recognised this gaping hole in current policy and is actively developing cyber security standards for mobile devices to be published for consultations this year. Reports also suggest that the Ministry of Home Affairs is developing a Cyber-Forensics Lab to help secure digital ecosystems.
While designing standards and testing requirements, India can learn from the approaches taken by other members of the international community. For instance, jurisdictions like the UK and Singapore, develop device and application cybersecurity standards using principles of Security-by-Design (updated throughout product lifecycles). More specifically, testing benchmarks tend to be based on international computer security certification standards developed by the ISO and IEC, namely the Common Criteria for Information Technology Security Evaluation. Further, in order to ensure robustness of such processes, both these countries have embraced working arrangements with security experts.
India must follow an inclusive and strategic approach to protect its telecom ecosystem, without compromising on the growth of markets, or the enthusiasm for flagship schemes which can give impetus to private investments. Indian law enforcement agencies are already used to working with non-government institutions and external experts and, therefore, there is a template available for a dynamic private-public partnership approach to cyber security. However, a formal and inclusive feedback loop is also needed for facilitating information exchange, confidence building with industry, and strengthening institutional capacities. To this end, India would do well to borrow from experiences of friendly countries rather than reinventing the wheel.
(The writers are technology policy consultants at Koan Advisory Group, New Delhi. Views expressed are personnel)

Oped by Vivan Sharan coauthored with Arvind Gupta on "How we can deal with the cyber threats in our pockets", Mint, 15 December, 2017

Smartphones have become ubiquitous, and are forcing us to re-imagine the contours of privacy and data protection. This is for several reasons: we carry our phones everywhere we go, we use them for accessing critical services including banking and payments, we use them to store personal and sensitive data, to access our social networks and emails, and many “apps” are connected to servers and facilities that consumers and governments, often have no line of sight to.
Unsurprisingly, reports of phone hacks, theft of personally identifiable information and user-tracking, misguidance of consumers and evasion of law, by stakeholders within the digital ecosystem, has become an everyday phenomenon. The Indian smartphone user is particularly vulnerable. 
The sheer pace of expansion of the smartphone market in India is unparalleled. Over 110 million new smartphones are added here every year—making India the world’s second largest smartphone market. Smartphone penetration is a key metric against which the success of India’s digital economy is often measured.
The rapid scaling up of sales of electronic goods and services that our aspirational market allows calls for greater vigilance, as there are limited disincentives to errant behaviour. Chinese handset brands for instance, command more than half of India’s smartphone market share, and are often pre-loaded with bundled apps. Reports of malware and backdoors embedded in these nifty smartphones and apps, are particularly troubling.
The prospect of free products and services are very compelling for the best of consumers. Consequently, Indians are voracious consumers of “free” apps—from Facebook and Google-run apps, which dominate digital advertising and direct their energies and algorithms to monetizing user data, to more pernicious Chinese-made apps like UC Browser, which have been linked to serious surveillance concerns.
The common thread in this spectrum is that most free apps seek to exploit user data and get omnibus permissions to do so from their users. Informed consent is the permission granted by users to app providers, in full knowledge of the possible consequences of the use of their data. Juxtaposed against complex terminology and lack of awareness about potential pitfalls, this “opt-in” framework may itself require revisiting. 
Another Chinese app, which leverages the rather innate urge to take “selfies”, has an exclusive version for India, and is so attractive to consumers that many handset makers are bundling it with devices. This is despite evidence to suggest that the app leaks sensitive personal information to Chinese servers.
It gains extensive access to personal data and numerous features of smartphones: access to users’ GPS location, cell carrier information, Wi-Fi connection data, SIM card information and identifiers like the IMEI number, which can be used to track and actively monitor its users. 
The government seems acutely aware of these context-specific risks, and has constituted cyber-security and data protection committees and working groups, which may help ring-fence the digital ecosystem. The B.N. Srikrishna Committee which has been tasked with creating a data protection framework for India is one such example.
However, laws and regulations cannot substitute for greater consumer awareness—apps will continue to try to exploit lack of user awareness, even after obtaining legal sanction. And since technology will always outpace regulations, apps and phones can exploit national security vulnerabilities just as easily. 
In 2014, the Indian Air Force red-flagged the use of Chinese origin smartphones by its personnel and their family members due to a “flaw” in the operating system causing automatic and unencrypted transfer of user data to servers located in China. This data leak could have revealed and compromised the location and movements of air force personnel and their families, jeopardising lives and the safety of security infrastructure.
More recently, Indian troops posted along the Line of Actual Control have been issued a cybersecurity advisory to delete 44 apps, mostly of Chinese origin, to guard against espionage. 
The national threat from bundled apps also extends to the content ecosystem. Bias in both the sequencing and substance of online content, available on apps such as UC News, can influence opinions of citizens at large. The US is finding out that Facebook campaigns were manipulated by Russian intelligence operatives the hard way. And Facebook is attempting to respond and show a higher degree of responsibility towards consumers by “flagging” paid advertisements.
However, can anyone expect similar apologetic behaviour by Chinese-origin apps and handset makers, even if found guilty of spreading false news, malware, spyware and so on? We wouldn’t hold our breath.
For netizens of a “mobile-first” economy, much greater caution and sensitivity is warranted. It is necessary for both policymakers and ordinary citizens to understand the security implications of using foreign origin smartphones with bundled, pre-installed apps.
We must not be na├»ve recipients of digital Trojans—and must begin to put a price on our data and privacy. We can start to do so by making informed consumption choices and nurturing a healthy scepticism of “free lunches”. 
Arvind Gupta is head, Digital India Foundation, and Vivan Sharan is a technology policy expert based in New Delhi.

Vivan Sharan speaks to Secretary TRAI, at CII Big Picture, 4-5 December 2017

A very wide range of subjects were covered in the fireside chat, including the case for Indian exceptionalism in the digital domain, Net Neutrality, OTT Regulations, Data Protection, Supply Chain Integrity, Multistakeholderism and the importance of Public Consultations. 

Vivan Sharan speaks to NewsX on Ivanka Trump's visit to the Global Entrepreneurship Summit, India, 29 November 2017

Vivan Sharan speaks to NewsX on Ivanka Trump's visit to India. 

Koan Advisory's counter-comments on TRAI's consultation on Privacy, Security and Ownership of data, 27 Nov 2017

Koan Advisory's counter-comments on TRAI's consultation on Privacy, Security and Ownership of data:

Response to TRAI Consultation on Privacy, Security and Ownership of the Data in the Telecom Sector, 06 November 2017

Koan Advisory's response to the TRAI consultation on  Privacy, Security and Ownership of the Data in the Telecom Sector:

Implications of Whatsapp Outage, Vivan Sharan speaks to NewsX, 03 November 2017

Vivan Sharan discusses implications of the Whatsapp outage last year with NewsX

Vivan Sharan's Oped on "Data economy: Well-heeled e-platforms", with Arvind Gupta, for Economic Times, 01 November 2017

From languishing at the bottom of world data consumption per capita rankings, India is now among the top five countries with over 450 million Internet users. This rapid digitalisation has led to the creation of new online services that are changing the way people search for information, interact with each other, pay for things and consume content.
Simultaneously, the convergence of offline business with online technologies, and the horizontal integration within online markets has led to the stacking of services on top of each other, and the creation of large online ‘platforms’. Such platforms are changing traditional assumptions about market dominance and abuse, both concepts at the heart of competition law.
For instance, previous discussions of dominance considered the question of abuse of ‘relevant markets’ as away of helping regulators assess when rules regarding fair competition were violated. However, platforms often integrate across a number of markets, making such comparisons difficult. India must address the actualisation of ‘winner takes all’ online markets, lest concentrated markets compromise generation of jobs, monetisation of intellectual properties and unfettered innovation — all prerequisites to becoming a successful data economy. In doing so, a delicate balance must be struck between ex-ante and ex-post regulations. Ex-ante regulations (such as license conditions) can harm all of these objectives by limiting the degrees of freedom that entrepreneurs have to innovate. So, governments have adopted a range of approaches to regulating new markets and services such as taxi aggregation and cryptocurrencies.
Conversely, over-dependence on ex-post regulation, such as competition law, can result in the establishment of ‘facts on the ground’ that favour firms that have established near monopoly positions. However, by the time policymakers and regulators understand the implications of a new platform, the platform owner is likely to have built powerful entry barriers in many online markets.
Warning signs of the consequences of discriminatory behaviour by online platforms are already palpable. If a new delivery startup is to be introduced, it would almost certainly have to negotiate service agreements with mapping services offered by one of the large platforms.
Moreover, increasing numbers of acquisitions and investments by large platforms are continually expanding the scope of their business interests. This bears resemblance to the vertical integration between telecom companies and Internet-based services that continues to roil the discourse on network neutrality. Network neutrality is the principle that similar classes of data must move impartially on the Internet, no matter the destination or the source.
The consequent limitation of gatekeeping abilities of network operators —telcos in India’s case — is the desired outcome of such a principles-based framework.
The exemplary role of the Indian telecom regulator in aiming to establish a robust network neutrality framework has been commended globally. India should take the lead in establishing complementary norms for ‘platform neutrality’ to ensure that online markets, like networks, remain fair.
One way of doing this could be through a light-touch framework analogous to the ‘Most Favoured Nations’ principle of the WTO. Signatories to the WTO can’t normally discriminate between different trading partners. Similarly, a framework for platform neutrality could ensure that online platforms do not discriminate in the levels of technical access or pricing offered to competing services — thereby maintaining their own role as intermediaries.
This would also ensure that both consumers and innovators benefit from a balanced paradigm, in which the scope for cartelisation is minimised, and possibilities of innovation-led disruptions maximised.
(Gupta is Head, Digital India Foundation. Sharan is a technology policy expert)