The personal data protection bill is yet to become a law and the debate is still rife on the costs and benefits of data localisation. It is yet to be seen officially if the government is going to mandate localisation in the data protection bill and to whom it is going to apply. Regardless of whether or not data localization ends up enshrined in the law, it is worth taking a step back and asking why the government is pushing for it in the first place.

For context, localisation is the practice of storing domestic data on domestic soil. One of the most credible arguments for why it should be the norm is that it will help law enforcement. Most platforms that facilitate messaging are based in the US (think WhatsApp and Messenger). Because of the popularity of these ‘free services,’ a significant amount of the world’s communication takes place on these platforms. This also includes communication regarding crimes and violation of the law.

This is turning out to be a problem because in cases of law violations, communications on these platforms might end up becoming evidence that Indian law enforcement agencies may want to access. The government has already made multiple efforts to make this process easier for law enforcement. In December 2018, the ministry of home affairs issued an order granting powers of “interception, monitoring, and decryption of any information generated, transmitted, received or stored in any computer,” to ten central agencies, to protect security and sovereignty of India.

But this does not help in cases where the information may be stored outside the agencies’ jurisdiction. So, in cases where Indian law enforcement agencies want to access data held by US companies, they are obliged to abide by lawful procedures in both the US and India.

The bottleneck here is that there is no mechanism that can keep up with this phenomenon (not counting the CLOUD Act, as India has not entered into an executive agreement under it).

Indian requests for access to data form a fair share, owing to India’s large population and growing internet penetration. Had there been a mechanism that provided for these requests in a timely enforcement through the provision of data. Most requests are US-bound, thanks to the dominance of US messaging, search, and social media apps. Each request has to justify ‘probable cause by US standards.’ This, combined with the number of requests from around the world, weighs down on the system and makes it inefficient. People have called the MLATs broken and there have been several calls for reform of the system.

A comprehensive report by the Observer Research Foundation (ORF) found that the MLAT process on global average takes 10 months for law enforcement requests to receive electronic evidence. 10 months of waiting for evidence is simply too long for two reasons. Firstly, in cases of law enforcement, time tends to be of the essence. Secondly, countries such as India have a judicial system with a huge backlog of cases. 10month-long timelines to access electronic evidence make things worse.

Access to data is an international bottleneck for law enforcement. The byproduct of the mass adoption of social media and messaging is that electronic criminal evidence for all countries is now concentrated in the US.

The inefficiency of MLATs is one of the key reasons why data-sharing agreements are rising in demand and in supply, and why the CLOUD Act was so well-received as a solution that reduced the burden on MLATs.

Countries need to have standards that can fasten access to data for law enforcement, an understanding of what kinds of data are permissible to be shared across borders, and common standards for security.

India’s idea is that localizing data will help with access to it for law enforcement, at least eventually down the line. It may compensate for not being a signatory to the Budapest Convention. It is unclear how effective localisation will be. Facebook’s stored in India is Facebook’s data.

Facebook is still an American company and should still be subject to US standards of data-sharing, which are one of the toughest in the world and include an independent judge assessing the probable cause, refusing bulk collection or overreach. This is before we take into account encryption.

For Indian law enforcement, the problem in this whole mess is not where the data is physically stored. It is the process that makes access to it inefficient. Localisation is not a direct fix, if it proves to be one at all. The answer lies in better data-sharing arrangements, based on plurilateral terms. The sooner this realized, the faster the problems can be resolved. data still

Rohan is a policy analyst at the technology and policy programme at The Takshashila Institution. Views are personal.

This article was first published in the Deccan Chronicle.

Pegasus, the software that infamously hacked WhatsApp earlier this year, is a tool developed to help government intelligence and law enforcement agencies to battle cybercrime and terror. Once installed on a mobile device, it can collect contacts, files, and passwords. It can also ‘overcome’ encryption, and use GPS to pinpoint targets. More importantly, it is notoriously easy to install. It can be transmitted to your phone through a WhatsApp call from an unknown number (that does not need to be picked up), and does not require user permissions to get access to the phone’s camera or microphone. All of that makes it a near complete tool for snooping.While Pegasus is able to hack most of your phone’s capabilities, the big news here is that it can ‘compromise’ end to end (E2E) encryption. The news comes at attesting time for encryption in India, as the government deliberates a crackdown on E2E encryption, a decision that we will all learn about more on Jan 15, 2020.Before we look at how Pegasus was able to compromise E2E encryption, let’s look at how E2E encryption works and how it has developed a place for itself in human rights.E2E is an example of how a bit of math, applied well, can secure communications better than all the guns in the world. The way it works on platforms such as WhatsApp is that once the user (sender) opens the app, the app generates 2 keys on the device, one public and one private. The private key remains with the sender and the public key is transmitted to the receiver via the company’s server. The important thing to note here is that the message is already encrypted by the public key before the message reaches the server. The server only relays the secure message and the receiver’s private key then decrypts it. End to end encryption differs from standard encryption because in services with standard encryption (think Gmail), along with the receiver, the service provider generally holds the keys, and thus, can also access the contents of the message.Some encryptions are stronger than others. The strength of an encryption is measured through how large the size of the key is. Traditionally, WhatsApp uses a 128-bit key, which is standard. Here you can learn about current standards of encryption and how they have developed over the years. The thing to keep in mind is that it can take over billions of years to crack a secure encryption depending on the key size (not taking into account quantum computing):Key Size         Time to Crack56-bit                 399 Seconds128-bit               1.02 x 1018 years192-bit               1.872 x 1037 years256-bit               3.31 x 1056 yearsE2E encryption has had a complex history with human rights. One the one side, governments and law enforcement agencies see E2E encryption as a barrier when it comes to ensuring the human rights of its citizens. Examples of mob lynching being coordinated through WhatsApp, such as these, exist around the world.On the other hand, security in communications and the anonymity it brings, has been a boon for people who might suffer harm if their conversations were not private. Think peaceful activists who utilize it to fight for democracy around the world, most recently, Hong Kong. Same goes for LGBTQ activists and whistleblowers. Even diplomats and government officials operate through the seamless secure connectivity offered by E2E encryption.The general consensus in civil society is that E2E encryption is worth having as an increasing amount of digital human communications move online to platforms such as WhatsApp.How does Pegasus fit in?End to end encryption ensures that your messages are encrypted in transit and can only be decrypted by the devices that are involved in the conversation. However, once a device decrypts a message it receives, Pegasus can access that data which is at rest. So it is not the end to end encryption that is compromised, but your devices security. Once a phone is infected, Pegasus can mirror the device, literally record the keystrokes being typed by the user, browser history, contacts, files and so on.The strength of end to end encryption lies in the fact that it encrypts data in transit well. So unless you have the key for decryption, it is impossible to trace the origin of messages as well as the content that is being transmitted. The weakness for end to end encryption here, as mentioned above, is that it does not apply to data at rest. If it were still encrypting data at rest, messages received by users would not be readable.At this point, the question about how secure apps such as WhatsApp, Signal, and Telegram really are, is widely debateable. While the encryption is not compromised, the larger system is, and that has the potential to make the encryption a moot point.WhatsApp came out with an update that supposedly fixed the vulnerability earlier this year, seemingly protecting communications on the platform from Pegasus.What does this mean for regulation against WhatsApp?The Pegasus story comes at a critical time for the future of encryption on WhatsApp and on platforms in general. The fact that WhatsApp waited ~6 months to file the lawsuit against the NSO will not help the platforms credibility on the traceability and encryption debate. This also brings into question the standards for data protection Indian citizens and users should be subject to. The data protection bill is yet to become law. With the Pegasus hack putting privacy front and center, the onus should ideally be on making sure that Indian communications are secure against foreign and domestic surveillance efforts.

[Co-authored with Murali Neelakantan]With a decade-long history of deliberations, the DNA Technology (Use and Application) Regulation Bill 2018 is no stranger to the halls of Parliament. It is currently being scrutinised by the Parliamentary Committee on Science and Technology, after it was reintroduced in the Lok Sabha earlier this year.The Bill seeks to regulate DNA laboratories and proposes to establish a DNA databank, although there are already many unregulated DNA databases with various authorities. There seems to be widespread support for use of DNA evidence, primarily on the understanding that (i) it is “new scientific technology” used widely around the world; (ii) India needs modern weapons to fight crime; and (iii) similar laws exist in other countries, including the US, the UK, Ireland and South Africa, for helping convict criminals and acquit innocent persons.However, there are three broad areas of concern – capacity, training and consent – that authorities need to iron out before unleashing the DNA Bill in India. (Read more)

Central to the drama of 2019 is the Election Commission, an institution that India used to be proud of but which, in my view, no longer deserves the praise. I am referring to neither the allegations of tampered Electronic Voting Machines (EVMs), nor the Election Commission’s weak-kneed approach towards insisting that the BJP follow the Model Code of Conduct (MCC). The Election Commission’s biggest failing is the exceedingly long duration of the election.Read more

The Print’s daily roundtable TalkPoint posed a question connected to the unofficial trip of twenty-seven European Union MPs to Jammu and Kashmir: Modi govt allows mostly far-Right EU MPs to J&K: Smart diplomacy to counter Western liberals?The Indian government has lost the plot if this unofficial trip is being held to ‘counter Western liberals’. The opinion of Western liberals or conservatives is inconsequential for the situation in J&K at this point.The fact remains that the situation there is not normal. It is in a volatile security situation abetted by Pakistan, exacerbated by the absence of legitimate political channels, prolonged restrictions on communications, a weak economic infrastructure, and an inadequate administrative capacity. The real challenge before the government then is to manage this security situation while rebooting the economic and political mechanisms quickly. Even a favourable report by this MEP delegation will have zero impact on solving this challenge. In fact, it will lead to rounds of trips and counter-trips, needless distractions given the delicate and tense situation on the ground.Even from a moral standpoint, this visit is problematic as Indian politicians have been disallowed from visiting the valley. Several local politicians still remain under detention.Hence, the visit is unlikely to change perception domestically or internationally. Moreover, it goes against the long-held Indian position that political developments in J&K are an internal matter of the Republic of India.Read the entire discussion on ThePrint.in website here.

A bit of math can better secure your communications than all the guns in the world combined. That is the beauty of end to end encryption which currently runs on WhatsApp. It makes messages shared between people private so that only the sender and the recipient can view what is being said. On a related note, the notification of the intermediary guidelines is likely to be completed by 15 January 2020. These updated guidelines are going to determine the future of end to end encryption.The major trade-off here is privacy versus security. The government’s argument is that it needs to access communications between its citizens for the purposes of security. The spread of false news on WhatsApp has instigated lynch mobs and resulted in 27 reported deaths in 2017. That is exactly why in December 2018, the Ministry of Home Affairs issued an order granting powers of "interception, monitoring, and decryption of any information generated, transmitted, received or stored in any computer", to ten central agencies. But platforms using end to end encryption means that the interception of information might not be of much use if the government does not have a key for the encryption. The amendments in the intermediary guidelines call for allowing platforms such as Telegram and WhatsApp to, “..enable tracing out of such originator of information on its platform as may be required by government agencies who are legally authorised”.The other side of the coin here is privacy. There is no way where platforms take away encryption from criminals but leave it intact for others. If intermediaries allowed traceability and compromised end to end encryption, the sender of each message would be identifiable to WhatsApp and by extension, the government. And while the encryption provides a shield of anonymity to trolls and spreaders of misinformation, it also gives assurance to people who would otherwise have been silenced or suppressed. Think whistleblowers and political protesters. End to end encryptionWe need to have transparency and install the highest standards to due process to make sure that should traceability be enabled, it is not abused (a similar precedent for which has been set by the NSA).allows those people to avoid the fear of being targeted. Also, encryption on content extends into more routine aspects of life. For instance, WhatsApp is a platform where people can talk about personal and sensitive parts of their life, such as a disease or mental health issues, and rest assured that Facebook, the internet, and the government won’t target you using that information. At a personal level, the fact that end to end encryption keeps communications private between the participants is reason enough not to break it. In the age of the contemporary internet, privacy is a luxury that is being provided at scale.In addition, there are a host of questions on the side of implementation. For instance, the guidelines are applicable to all intermediaries that have more than 50 lakh users. There is no clarity on whether that means all registered users, daily active users or even monthly active users. Moreover, how will the government know if platforms have met that threshold and keep track of all the intermediaries that pop up on the App Store/Play Store? More fundamentally, who is an intermediary? Does Google Docs count as a platform, as it also has a chat feature? Are online games also subject to this?Even if all of these are resolved, the 50 lakh threshold might mean that criminals can just move to smaller, lesser-known platforms that offer end to end encryption, taking away significantly from the effectiveness of the exercise.Adjusting the trade-off between privacy and security is a thankless task that more often than not is likely to be decided by the values and interests of the people in power. The job at hand here is to make sure that a robust set of processes are set in place if end to end encryption is to be broken. We need to have transparency and install the highest standards to due process to make sure that should traceability be enabled, it is not abused (a similar precedent for which has been set by the NSA).There needs to be transparency around the process that lets people know who is seeking the data. Standards need to exist around the specificity of what accounts and data can be targeted to prevent requests for bulk data. The request for access should be backed up by justification of credible facts, all of which should be subject to review by an independent entity or a judge.None of these provisions currently exist around the intermediary guidelines, and neither is there an indication that it is being considered. The cons of enabling traceability and breaking end to end encryption outweigh the pros subjectively.However, if the government is going to go ahead with this and include the clause in the January 2020 notification, then it should do this right by placing adequate oversight and safeguards in the amendments.This article was first published in Asian Age.(Rohan is a policy analyst at the technology and policy programme at The Takshashila Institution. Views are personal.)

The manner in which the Indian state has treated telecom is indicative of the disdain it has for a sector that has underpinned the country’s rise to an aspiring global power in the last 25 years. If we have to fix the problems we’ve created, it’s important to enumerate the big policy mistakes we have made. Between a rapacious bureaucracy, corrupt politicians, rent-seeking crony businesses and an economics-agnostic judiciary, we have created the conditions for a telecom crisis.Read more

Two global rankings were announced recently. One was the 2019 "Doing Business" report published by the World Bank, which was earlier called the "Ease of Doing Business" (EODB) India jumped to 63 from 77 last year. The improvement is dramatic, and in just five years India has improved its global position from 142 to 63. It is in line with Prime Minister Modi's goal of being among the top 50 countries of the world by next year.Read more

Despite holding two grand events in the last month, India has not gained anything significant on the diplomatic front. Neither ‘Howdy Modi’ in Houston nor Modi-Xi summit in Mamallapuram resulted in resolving outstanding issues in the bilateral relationships with the United States (US) and China... Therefore, what exactly did these two grand events achieve? Who was the real audience for both these events?Read the full article here.

Even as India pushes for data decryption access from Big Tech for better law enforcement, there is a larger issue of how Big Tech is not quite the paragon of virtue when it comes to upholding user privacy.

If the Indian government does get social media platforms to part with user data, it should remember that with great power over the citizens comes a greater responsibility towards the citizens.

This article was first published in The Hindu. Views are Personal.

According to a report in The Hindu Sunday, Home Minister Amit Shah has asked the Bureau of Police Research and Development to move ahead on reforming the Indian Penal Code and the Code of Criminal Procedure. When Macaulay drafted it in the 1830s, it was an exceptional piece of work. In the following decades, the colonial government modified it to serve its interests. While courts and legislatures have made many changes to the IPC over the past century, it now lacks overall coherence and comprehensiveness.Read more 

Septuagenarians in India using in-vitro fertilisation (IVF) technologies have met with mixed responses.

While IVF is becoming the most common infertility treatment, many countries, including the US, UK and Australia, have recommended age limits for accessing the technology.

India, however, currently has no laws restricting IVF access for women of advanced ages. Consequently, in the last three months, at least two IVF-assisted births by women in their 70s have been reported from Tamil Nadu and Rajasthan.The idea of a 70-year-old woman giving birth to a child shocks the sensibilities of a lot of people. Though there is no legal age restriction, the state-funded Indian Council of Medical Research (ICMR) advises an upper age limit of 50 years. In 2017, the ICMR proposed the IVF Bill to regulate access to IVF based on age, but the Bill is yet to be taken up by the Parliament. (Read more)

The big decision here is whether or not India wants to share its data with anyone under any circumstances.India recently started sharing maritime data with countries in the Indian Ocean Region. The Information Fusion Centre is actively interacting with the maritime community and has already built linkages with 18 countries and 15 multinational/maritime security centres. On that note, it is worth relooking at India’s approach to data sharing and cross-border data flows.Technology is now a variable that defines relations between countries. Over the year, we have seen an increasing number of instances that reaffirm the existence of high-tech geopolitics. First, there was the US-imposed ban on Huawei technologies. Then the Americans considered imposing caps on H1-B visas for countries that implemented data localisation. One of the most important recent developments was at this year’s G20 summit where Japan’s Shinzo Abe presented the idea to have a multilateral broad framework for the sharing of data. It is worth analyzing India’s response to it.The agreement is called the Osaka Track. The idea is that member countries should be able to share and store data across borders without having to worry about security risks. The agreement has many notable signatories, such as the US, EU, and China. It is India’s response that is interesting. India, for better or worse, has not been big on data sharing. So much so, that recent news claimed that the government was considering getting a domestic messaging service for official communication. With this context in mind (as well as the draft e-commerce policy, data protection bill, and the RBI data localization notification), India refused to join the Osaka Track as a signatory. The questions for India here are, what does this mean for the future of Indian data, and how India is likely to conduct itself in this world of high-tech geopolitics?India’s reasons for not signing the pact are two-fold. Firstly, as the sentiment goes, data is national wealth. The idea here is to keep all data possible within Indian borders. Much like you would do be inclined to do with actual wealth. Secondly, as an official stated, India needs to better understand what free flow of data might mean. Having said that, India then wants to look at its domestic requirements and would like to see the issue of cross-border data flows discuss the same on a WTO (World Trade Organisation) platform. What the foreign policy is broadly saying here (to my understanding) is that it is not in India’s best interests to share its data right now. However, once the government has a better understanding of the Osaka Track, they might reconsider.In the broader global context, the Osaka Track is a step towards an emerging pattern. Data flows are likely to be increasingly regulated through economic blocs and not nations. Europe’s General Data Protection Regulation and Convention 108+ are the best examples of this. The Osaka Track was an opportunity for India to follow this trend and facilitate trans-border data flows. India’s rejection of it does not mean that other opportunities will not present themselves. Should India decide that data sharing is in its best interests, there are other platforms to make it happen on its own terms. One option to pursue this route would be to establish a data sharing law and standards under Bay of Bengal Initiative for Multi-Sectoral Technical and Economic Cooperation (BIMSTEC). Sharing costs of storage and following common processing standards would give India an edge in data geopolitics. Just because it would make powerhouses such as the US rethink applying sanctions to all of BIMSTEC instead of India alone. BIMSTEC, of course, is also interchangeable. India could take the lead and establish a data sharing policy with SAARC (South Asian Association for Regional Cooperation) or with a different combination of countries it might prefer. The big decision here is whether or not India wants to share its data with anyone under any circumstances.If India is to treat data as wealth and not share it across borders, it may be time to consider what that might mean. An increasing number of government policies are treating data as an asset that should not be shared. Doing so is likely to come at the cost of being ostracised by the US. However, if India is to go ahead with this, it makes sense as citizens to ask the government how data is going to be used to achieve progress.While there are a lot of policy proposals on how data should be regulated in India, there aren’t many on how it is going to be used for economic development. Sharing data with countries and/or companies can often crowdsource the initiative for development, as it seems to be doing for security at The Information Fusion Centre. As Microsoft’s collaboration with the Telangana government proved by using data to optimise agricultural yields. However, if India decides to cut itself off as evidenced by the refusal to sign the Osaka Track, it is best to ask how crowdsourcing the initiatives will be substituted. While options to do so domestically might exist (such as releasing community data for entrepreneurs and Indian companies), there need to be indicators that they are being considered or carried out on a national level. Because if data is national wealth, then there needs to be a plan on how it should be used to achieve economic development and progress for the nation.This article was first published in the Asian Age. Views are personal.

Ten years ago, the question was whether India and China should sign a bilateral free trade agreement (FTA). Today, it is whether India should join the Regional Comprehensive Economic Partnership (RCEP). There are two different but interconnected issues: the dominance of Chinese manufacturers in the export of goods; and the impenetrability of the Chinese market to Indian and other foreign companies. On the other hand, joining the RCEP might compel New Delhi to launch the second-generation economic reforms.Read more

हे पुस्तक वाचून असा कोणाचाही गैरसमज होऊ शकतो की, हे पुस्तक केवळ राजकारणाविषयीच असावे, पण तसे नाही. इराक व इराणमधल्या समाजजीवनाकडे टिकेकर अगदी विचक्षण दृष्टीने पाहत होते. त्यामुळेच ते लिहितात की, इराणमध्ये वाहने रस्त्याच्या उजव्या बाजूने चालवली जात असली, तरीही इराकमध्ये ब्रिटिश सत्तेचा पराभव असल्याने वाहने डाव्या बाजूने चालवावीत असा नियम आहे. इराकमध्ये खजुराशिवाय इतर कोणतेही झाड दिसत नाही. तसेच बसरा शहरात कोठेही गटारे नाहीत व अगदी मोठ्या कालव्यांतसुद्धा घाणेरडे पाणी असते. लोकांच्या स्वच्छतेच्या सवयीविषयी टिकेकर लिहितात की, ‘अरब म्हणजे अगोदरच गलिच्छ व अमंगळ लोक. त्यात इकडील थंडीचे निमित्त मिळाले की, सहा-सहा महिने त्यांना स्नान मिळत नाही’. इराणमध्येही असाच प्रकार होता. तिथे तर एकाच कालव्यात एकमेकांपासून काही फूट अंतरावरच कपडे धुणे, भांडी घासणे व पाणी पिणे असे तिन्ही उद्योग बिनदिक्कतपणे चालले असायचे.पूर्ण लेख वाचण्यासाठी इथे क्लिक करा.

The hopes of a harmonious, balanced relationship between India and China post-Wuhan have not been realised. In fact, little has changed in the overall trajectory of the Indo-China bilateral relationship of limited co-operation and strategic competition. Therefore, the Mamallapuram summit will make for good optics for both Xi Jinping and Narendra Modi, but it is doubtful whether there will be a tangible outcome for the two countries.Read the full article here.

The Print’s daily roundtable TalkPoint posed a question connected to the Narendra Modi-Xi Jinping informal summit in Mamallapuram: What can Modi-Xi agree on to call their Mamallapuram meeting a success?Manoj Kewalramani, Fellow-China Studies at The Takshashila Institution, was among the discussants. Manoj argued:My expectations from the Modi-Xi summit are very low for mainly two reasons. First, it is essentially an informal summit with no clearly-defined agenda, therefore, there will be only a few concrete outcomes from the meet. Second relates to the situation between the two countries on fundamental issues in the last 6-8 months.China has been very slow to move on issues important to India such as membership in the United Nations Security Council or the Nuclear Suppliers Group. And it also took the Kashmir issue to the UN where it has zero locus standi. Even trade relations between India and China have been strained. So, the current environment is not conducive to this summit. However, it is always a good idea to keep engaging in dialogue.To call this meeting a success, Modi and Xi must arrive at the conclusion that both India and China are rising powers and not let their differences turn into disputes. Regarding the border issue, the best-case scenario would be a discussion on new confidence-building measures between the militaries of both countries to maintain peace and tranquillity. I see no concrete direction on trade besides the broad rhetoric on the matter. What one can also expect is people-to-people contact and talk about fostering a cultural relationship between the two ancient civilisations to ensure that India-China relations are organic as opposed to only being diplomatically driven by leaders at the top.Read the entire discussion on ThePrint.in website here.

While India and China will hold the second informal summit between Prime Minister Narendra Modi and President Xi Jinping today and tomorrow, events over the past few weeks have dampened the prospects of forward movement on the boundary dispute. The first informal summit between Xi and Modi in Wuhan in 2018 had provided a tentative new template for first stabilising and then advancing the bilateral relationship, which had come under increasing strain.Read the full article in Deccan Herald here

Okay, the Indian economy is in a slowdown and it is absolutely important for us to quickly get back onto the path of high growth. Economic output is the sum of consumer expenditure, investment, government expenditure and net exports. The best way to increase growth is to increase all four of the above. There is a need for technical discussion among macroeconomists, financial analysts, business journalists and policymakers, but it cannot be the only show in town.Read more

The Quadrilateral Security Dialogue (Quad) received an upgrade last week when the foreign ministers of Australia, Japan, India and the US met at the sidelines of the United Nations General Assembly. The Quad was conceived in 2007 to address the unconventional threats in the Asia-Pacific region. But China viewed this grouping as a ganging-up of the US and its allies to contain its rise. It protested against this arrangement and asked each country to explain the grouping’s objectives.Read more...