There is something a little puzzling about the international response to the Wuhan novel coronavirus – nCoV-2019 – outbreak: the actions taken by the United States, Singapore, Australia, New Zealand, Russia, and other countries exceed what the World Health Organisation has recommended. Is the WHO underplaying the risks of a global epidemic or are these countries over-reacting?

The WHO has declared the Wuhan coronavirus outbreak a Public Health Emergency of International Concern (PHEIC), which under International Health Regulations is “an extraordinary event which is determined to constitute a public health risk to other States through the international spread of disease and to potentially require a coordinated international response”. It implies that there is a risk of trans-border spread of a disease necessitating international coordination. Such a declaration obliges all countries to take appropriate countermeasures and share outbreak-related information with the WHO on a regular basis.

Read more

This article originally appeared in Deccan Chronicle.In the lead-up to the 2020 Budget, the industry looked forward to two major announcements with respect to cybersecurity. First, the allocation of a specific ‘cyber security budget’ to protect the country’s critical infrastructure and support skill development. In 2019, even Rear Admiral Mohit Gupta (head of the Defence Cyber Agency) had called for 10% of the government’s IT spend to be put towards cyber security. Second, a focus on cyber security awareness programmes was seen as being critical especially considering the continued push for ‘Digital India’.On 1^st February, in a budget speech that lasted over 150 minutes, the finance minister made 2 references to ‘cyber’. Once in the context of cyber forensics to propose the establishment of a National Police University and a National Forensic Science University. Second, cyber security was cited as a potential frontier that Quantum technology would open up. This was a step-up from the last two budget speeches (July 2019 and February 2019) both of which made no references to the term ‘cyber’ in any form. In fact, the last time cyber was used in a budget speech was in February 2018, in the context of cyber-physical weapons. When combined with other recent developments such as National Security Council Secretariat’s  (NSCS) call for inputs a National Cyber Security Strategy (NCSS), the inauguration of a National Cyber Forensics Lab in New Delhi, and an acknowledgement by Lt Gen Rajesh Pant (National Cyber Security Coordinator) that ‘India is the most attacked in cyber sphere’ are signals that the government does indeed consider cyber security an important area.While the proposal to establish a National Forensic Science University is welcome, it will do little to meaningfully address the skill shortage problem. The Cyber Security Strategy of 2013 had envisioned the creation of 500,000 jobs over a 5-year period. A report by Xpheno estimated that there are 67,000 open cyber security positions in the country. Globally, Cybersecurity Ventures estimates, there will be 3.5 million unfilled cyber security positions by 2021. 2 million of these are expected to be in the Asia Pacific region.It is unfair to expect this gap to be fulfilled by state action alone, yet, the budget represents a missed opportunity to nudge industry and academia to fulfilling this demand at a time when unemployment is a major concern. The oft-reported instances of cyber or cyber-enabled fraud that one sees practically every day in the newspaper clearly point to a low-level of awareness and cyber-hygiene among citizens. Allocation of additional funds for Meity’s Cyber Swachhta Kendra at the Union Budget would have sent a strong signal of intent towards addressing the problem.Prateek Waghre is a research analyst at The Takshashila Institution, an independent centre for research and education in public policy.

The debate and protests around the Citizenship Amendment Act and the National Register of Citizens have dominated headlines around the nation, and rightfully so. While public attention and the news cycle continue to revolve around the issue, the Ministry of Electronics and Information Technology (MeitY) has released a Personal Data Protection Bill.

Since reading the bill, Justice B.N. Srikrishna (chair of the committee that drafted the initial report on data protection) has claimed it to have the potential to turn India into an Orwellian State. The statement is based on legitimate grounds, and that should give most people sleepless nights.

The Personal Data Protection Bill does give the government the power to exempt itself from the legislation. It also gives the State significant powers to demand data, and also places significant restrictions on cross-border data flows.

All of this is troubling on multiple levels and is being written about in columns and articles throughout India’s tech policy space. What is not getting enough attention, however, is that the bill is also bad news for the Indian economy, that too when it is the last thing India needs right now.

There are several counts on which the bill, in its current form, will have a negative impact on the economy. Most importantly among them, is the timeline for enforcement. The 2018 version of the Bill, provided for a period for adjustment and compliance before the enforcement of Bill’s provisions. Section 97’s transitional provisions provided industries a period of 18 months before mandating compliance.

Having a defined period of time that affords the industry the space to be in compliance is an objectively good policy. You could have a debate on how long that period should be, but it should be common ground to have a transition plan. For example, Europe’s Data Protection Law, the GDPR, was adopted in April 2016 but was enforced almost 2 years later, in May 2018.

What this tells us is that policy does not work like a light switch. Flicking it on does not always magically make sure that it will have the intended effects. The current version of the Bill does away with a transitional period altogether. This gives any company that collects data no time to adhere to the bill’s requirements. If implemented without a transition period, the bill would provide the government with grounds to penalise companies and impose punishments for not complying with directives that did not exist a day before the bill was introduced. Bangalore, being the hub of the Indian IT sector is likely to be impacted the most, with Mumbai, Hyderabad, and Delhi-NCR in tow.

Not only does the bill offer no transition period, but it also makes it a lot harder to carry out data processing outside of India. If companies want to outsource data processing of personal sensitive data to a different country, they need to do so under an intra-group scheme with the Data Protection Authority (DPA).

There are two things to consider here. Firstly, the DPA will be set up following the bill. Staffing it and providing it with the correct infrastructure and resources could take months from when the bill is enforced. Since there is no transition period, until the DPA is formed, companies who outsource data for processing would legally not be able to do so.

Secondly, even if the DPA is formed, there must be thousands of companies that would want to apply for an intra-group scheme, with new companies forming every month. It would put a lot of undue strain on the DPA to individually assess each company’s proposal and include them in an intragroup scheme.

This redundancy is going to impact small and medium enterprises a lot more than big firms. Big companies are likely to be able to afford to build processing capacity in India or afford costlier versions to maintain their standards. Small and medium enterprises, especially Indian firms, are not always going to have the money to comply within the given timeframe.

On a related note, the bill also creates three tiers of data, personal, personal sensitive, and critical personal data. While the first two are defined within the bill, critical personal data is not. As you would expect, critical personal data is going to be the tier with the most restrictions and burden of compliance.

For instance, while personal and personal sensitive data can be subject to cross-border transfers, critical personal data is not. So it puts any company that deals with data under a lot of anxiety. It would force them to stay in limbo until the third tier is defined, and will have an impact on how they go about their day-to-day business.

The digital economy is inextricably linked with the traditional economy. All of this, removing a runway for compliance, placing redundancy-ridden restrictions on the cross-border flow of personal sensitive data, and not defining critical personal data is bound to have a negative impact on the Indian economy. If the bill is passed in its current form, we are looking at FDI drying up within this sector. Big companies might have deeper pockets, but localisation laws will also go a long way to make sure that they keep their India-bound spending and outsourcing in check. On the other hand, it is also likely to incentivise small companies and startups to register their businesses elsewhere. All of this is coming at a time when the Indian economy needs it the least.

The redundancy is going to impact small and medium enterprises a lot more than big firms. Big companies are likely to be able to afford to build processing capacity in India or afford costlier versions to maintain their standards. Small and medium enterprises, especially Indian firms, are not always going to have the money to comply within the given timeframe.

Rohan is a Policy Analyst at The Takshashila Institution. Views are personal.

This article was first published in Deccan Chronicle.

This post was originally published on MedianamaBy Rohini Lakshané and Prateek WaghreThe Supreme Court gave a judgement on January 10, 2020, directing the Central government to review the total suspension of Internet services in Jammu and Kashmir imposed since August 5, 2019, and to restore essential services. In response, the government of Jammu and Kashmir issued a whitelist comprising 153 entries on January 18 and increased the number of entries to 301 on January 24. What would the experience of an ordinary resident of Jammu and Kashmir be like under the whitelist arrangement? We conducted a preliminary analysis to empirically determine whether the 301 whitelisted websites and services would be practically usable and found that only 126 were usable to some degree.Before we delve further into the analysis, it is pertinent to understand the background and context in which an ordinary resident of Jammu and Kashmir may access the Internet. India has experienced the highest number of intentional Internet shutdowns across the world since 2012. . Kashmir has been facing the longest intentional Internet shutdown ever recorded in a democratic country. Voice and SMS functionality, without Internet connectivity, was reactivated on postpaid mobile connections in Jammu and Kashmir on October 14, 2019. People in the Kashmir valley can access the Internet only through the 844 kiosks run by the government.

Under three orders (dated January 14, 18, and 24) issued by the government of Jammu and Kashmir:

1. 2G Internet connectivity would be reinstated on postpaid mobile connections in 10 districts of Jammu Division and 2 of Kashmir Division.
2. “The internet speed shall be restricted to 2G only.”
3. 400 additional Internet kiosks are to be installed in Kashmir.
4. Social media websites, peer-to-peer (P2P) communication apps, and Virtual Private Networks (VPNs) services have been explicitly prohibited.
5. ISPs are to provide wired broadband to companies engaged in “Software (IT/ ITES) Services”.
6. For wired connections, Paragraph II of the order dated January 24 states, “For fixed-line Internet connectivity: Internet connectivity shall be [made] available only after Mac-binding.”
7. Voice and SMS functionality would be restored on prepaid mobile connections across all districts of Jammu and Kashmir.
8. For providing internet access on locally-registered pre-paid mobile connections, telecom service providers or “TSPs shall initiate a process of verification of credentials of these subscribers as per the norms applicable for postpaid connections”.
9. “The ISPs shall be responsible for ensuring that access is allowed to whitelisted sites only.”
10. The order dated January 14 states that it “may be subject to further revision” after which the department would conduct “a review of the adverse impact, if any, of this relaxation on the security situation.” According to the order released on January 24, “the law enforcement agencies have reported no adverse impact so far. However, they have expressed apprehension of misuse of terror activities and incitement of general public…”
11. “Whitelisting of sites shall be a continuous process,” which could be interpreted to mean that the government would periodically update the list.

Thus, an ordinary internet user in Jammu and Kashmir accessing the Internet under this whitelist arrangement would be doing so via 2G mobile connections or Internet kiosks placed inside government offices.

Questions raised by a selection of entries in the whitelist

1. In the orders dated January 14 and 18, the Government of Jammu and Kashmir cites the use of the Internet for the following activities as some of the reasons for implementing the total Internet blackout in Kashmir: “terrorism/terror activities”, activities of “anti-national elements”, “rumour-mongering”, “spread of propoganda/ ideologies”, “targeted messaging to propagate terrorism”, “fallacious proxy wars”, “causing disaffection and discontent” among people, and the “spread of fake news”. In light of this explanation, what were the process and criteria applied to select these specific URLs/ services/ websites to be on the whitelist?
2. What were the process and criteria, if any, to reject websites and services that are similar to those whitelisted and those that provide the same or comparable services? For example, some travel aggregator websites (MakeMyTrip, Goibibo, Cleartrip, Trivago, Yatra, etc) have been included but not others (Agoda, Expedia, Kayak, Hotels.com). Online shopping/e-commerce websites Flipkart, Amazon, Myntra, and Jabong feature in the whitelist but not Snapdeal, Ebay, and others.
3. How were the residents of Jammu and Kashmir informed about this whitelist, that these specific services/ websites had become accessible? News websites and social media websites are still blocked. The orders will appear in an issue of the gazette, which is just one source of information and not accessible by everybody.
4. In view of all the above questions, how do the authorised government officers “ensure implementation of these directions in letter and spirit”, as stated in paragraph 7 of the order dated January 14?

Role of Internet Service Providers (ISPs)

The whitelist and its accompanying orders raise some concerns about ISPs’ implementation of the whitelist.

1. In the case of the entries that contain neither URLs nor qualifying information about including subdomains or about permitting mobile applications, it should not be left to the discretion of an Internet Service Provider (ISP) to determine the appropriate URLs or the appropriate mode of access (mobile or desktop application, mobile or desktop version) of a whitelisted service or website. ISPs are intermediaries and are not authorised to take a judgement call on the orders they receive from the government. Moreover, the whitelist orders explicitly state that the onus of ensuring that sites outside the whitelist remain inaccessible is on the ISPs  (“The ISPs shall be responsible for ensuring that access is allowed to whitelisted sites only.”)
2. In the case of invalid or indeterminate URLs, how are whitelisted entries to be implemented? What are the options for an ISP to seek clarifications about these from the government?
3. ISPs have been directed to provide wired broadband to companies in Jammu and Kashmir engaged in “Software (IT/ ITES) Services”. In view of the fact that the terms IT (information technology) and ITES (information technology-enabled services) cover a broad range of commercial activities, how is this directive going to be operationalised?
4. In a recently published paper analysing how ISPs in India block websites, researchers at the Centre for Internet and Society (CIS) found that ISPs and governments were not willing to disclose the URLs that were blocked. The study also found that less than 30% of blocked URLs were common across the ISPs included in the study, and different ISPs used different techniques to implement blocklists. This is indicative of arbitrary action on the part of individual ISPs. It is also likely that Internet users have limited recourse owing to the lack of transparency in censoring websites. When combined with the need for ISPs to exercise their own discretion/ judgement in implementing these orders (as argued in 1), there is plenty of potential for inconsistent enforcement by ISPs.
5. It is unclear how ISPs will actually implement this whitelist. If the filtering is done at the DNS layer, then the number of practically unusable websites will likely be higher than what we encountered, since the DNS resolution process itself is likely to be broken for any website that returns anything other than an A record/ IP Address.

Findings and Analysis

1. Entries with no URL

1. Media service providers/streaming services: There are 7 streaming services on the list: Amazon Prime, Netflix, Sony Liv, Zee 5, Hotstar, Voot, and Airtel TV. They support viewing on desktop browsers and mobile apps. This may be a reason why the whitelist only states their names and not the corresponding URLs. Assuming that these services are enabled for use on both desktop and mobile applications, they will still be practically unusable because:

1. Only 2G speeds are currently permitted in Jammu and Kashmir. 2G speeds are too slow for streaming audio-video and multimedia content.
2. Streamed content is delivered over CDN (content delivery network) URLs, none of which are present on the current whitelist.

2. JioChat: JioChat is an iOS and Android instant messaging app that supports voice and video calling. It is the only service on this whitelist that supports these functionalities. It is unlikely that this app would be practically usable for video/voice calls because 2G speeds are too slow for it.

2. Government-owned eTLDs

The whitelist includes three entries for government-owned eTLDs (effective top-level domains, also known as “public suffixes”): “Gov.in”, “Nic.in”, and “Ac.in”. The entries do not contain URLs or qualifying information about including subdomains. It should be explicitly stated if ISPs are expected to allow gov.in, nic.in, ac.in, and all their subdomains. For example, gov.in houses four levels of subdomains. Currently, it is unclear how ISPs will interpret and implement this since the entries in the whitelist do not contain adequate information. The directory of Indian government websites is available at http://goidirectory.nic.in.

3. Banking and Finance Services

Log-in pages are on domains or subdomains different from those listed in the whitelist, which is why these services are not practically useful regardless of whether the actual whitelisted URL is accessible/usable. For example,

1. The website of ICICI Bank https://www.icicibank.com is whitelisted. However, the URL to log-in to personal banking at ICICI is on a subdomain of the website, https://infinity.icicibank.com, which is not whitelisted. So, individuals with an account at ICICI Bank, will not be able to access their accounts online.
2. While https://www.hdfc.com has been whitelisted, HDFC Bank’s personal banking services are on a different domain, https://www.hdfcbank.com, which will also remain inaccessible.

VPNs and proxy services are prohibited, so an ordinary user would be unable to circumvent restrictions imposed by the whitelist.Of the 15 websites categorised under “Banking” in the whitelist, only 2 (www.jkbankonline.comand www.westernunion.com) had accessible log-in pages/sections and all 15 had at least one identifiable issue when they were accessed with the whitelist restrictions in place.

4. CDN, Sub-Domains, and Third-Party Content

The State of the Web maintained by http Archive indicates that the median number of requests on a webpage for mobile devices is approximately 70. These requests are spread across subdomains of the website, domains owned by content delivery networks (CDNs) such as akamaized.net, cloudfront.net, cloudflare.net, etc., and third-party domains such as Google Analytics, tag managers, real user monitoring tools, advertisers, and so on. The whitelist approach interferes with these requests and more often than not, results in an adverse impact on the functioning of the website itself. In our analysis, we observed that this affected websites to varying degrees:

1. Minimal visible impact
2. Some images don’t load
3. All images don’t load
4. Critical functions become unresponsive, such as search in the case of some OTAs (online travel agents)
5. The entire layout scheme breaks

Example 1: Consider www.amazon.in. The request map shows that a significant number of requests are made to domains other than www.amazon.in. Since these requests will be blocked, the website will barely function for the user accessing behind the whitelist. This is evident from the screenshot of the landing page.

Request map for www.amazon.in

Screenshot of www.amazon.in

 Example 2: In the case of the website of the Indian Railways, www.irctc.co.in, once again, the request map indicates a large number of requests to other domains. This results in breaking the layout of the page (as is evident in the screenshot), as well as the operation of the website.

Request map for www.irctc.co.in

Screenshot of www.irctc.co.in

Example 3: The website of the Public Works Department of the Government of Jammu and Kashmir, www.jkpwdrb.nic.in, sends no requests to other domains as indicated by the request map and thus the whitelist restrictions have no visible impact. It should be noted that this kind of website setup is uncommon.

Request map for www.jkpwdrb.nic.in

Screenshot of www.jkpwdrb.nic.in

5. Search Engines

The updated list in the January 24 order contains 10 hostnames classified as search engines and www.bing.com classified under utilities.

1. The whitelist did not include Indian subdomains (google.co.in, in.search.yahoo.com) which means that users may not be able to access them, whether they type it manually or get redirected to the Indian domain of the search engine based on language or browser settings.
2. The list included Canadian and UK subdomains for Google. It also included the Canadian and French-Canadian versions of Yahoo Search. There was also no justification provided for the exclusion of Indian locales while including non-Indian locales.
3. We also found that while conducting a search was possible, a user could only successfully navigate to results from websites that were on the whitelist (subject to how they worked as determined by our testing). For websites not on the whitelist, the information contained in the snippets was readable on the search results page, but not beyond it.

So we have categorised search engines as ‘partially usable’.

6. News/Technology Updates

The updated list in the January 24 order also contains 74 websites categorised as “ews”  (60) and “Technology Updates” (14).

1. There was a mix of regional, national and international websites.
2. Audio/podcast and video content for all of these sites were either delivered from subdomains/CDN domains or YouTube and hence did not work.
3. International publications such as The Washington Post, Wall Street Journal, and The New York Times allow limited views before enforcing a paywall. However, their sign-in pages were not accessible. In such cases, even if the websites were minimally visually affected, they were categorised as ‘practically not usable’.
4. For the remaining, we observed that the impact to page layout varied in degrees:
   1. All pages and UI elements were broken.
   2. Only the Home page was broken.
   3. Only subsection pages were affected.
   4. Only article pages were not affected.

The categorisation between usable, partially usable, and not usable was done on the basis of how easy or difficult it was to consume content and navigate within each website.

Screenshot indicating broken page layout

7. Additional Observations

1. Mail: The whitelist included 4 webmail services. However, none were usable since the sign-in pages required navigating to domains that were not on the whitelist. They have been categorised as ‘practically not usable’.
2. Entertainment: The updated list from the January 24 order also included 7 entertainment sites along with URLs which made testing them possible (this in contrast to the 6 listed in the January 18 order that did not include URLs and only named the services). Only one (https://wynk.in) of these was able to stream content successfully. It was categorised as ‘practically usable’ even though it may be difficult to stream content on a 2G network. 6 out of 7 have been categorised as ‘practically not usable’. It should be noted that such content is typically consumed on apps that were not tested as a part of this exercise. Apps generally use different hostnames to request resources.
3. Official websites of apps: The whitelist includes Gingerlabs.com, the official website for the note-taking mobile app Notability. Another entry, Kinemaster.com is the official website of the eponymous video-editing app for Android and iOS. The website enables users to get user support and interact with the community of users. For the purpose of this analysis, the websites were tested and categorised as per their usability. It should be noted that new downloads would not be possible since the Apple App Store and Google Play Store are not included in the whitelist. It is also unclear if users who already have these apps installed will be able to use them since the apps may not use the same domain(s) to make requests.
4. URLs that contain paths: Two URLs on the whitelist contain specific paths (www.marutisuzuki.com/MarutiSuzuki/Car and https://www.heromotocorp.com/en-in/). It is unclear how ISPs could whitelist these two entries without whitelisting the domains Marutisuzuki.com and Heromotocorp.com.

Summary of Findings

Number of entries in the whitelist	301
Number of duplicate entries	13
Number of invalid URLs	4
Number of entries with no specified URL and no qualifying information about the website/service	8
Number of inconclusive/indeterminate entries	6
Number of URLs after validation and de-duplication	270
Number of websites that are practically usable	58	Most of these websites are largely comprised of textual information.
Number of websites that are practically partially usable	68	Some important features are adversely affected.
Total number of websites usable to some degree	126
Number of URLs in the list (no protocol or http) that default to https	94 out of 270	These may not work in actual use cases because of the redirect to https.

 

Usability by ‘Field’	Practically Usable?
Field (as specified in the whitelist)	Could Not Test	No	Partially	Yes
Automobiles	1	1	1	1
Banking		8	7
Education		25	14	7
Employment		1	1	1
Entertainment	7	8	1	2
Mail	1	3
News	6	18	17	19
NGOs			1	4
Search Engines	1	4	5
Services	4	5	1	3
Technology Updates		8	4	2
Travel	3	13	1	3
Utilities	8	49	15	15
Weather				1
Web Service		1	1
Total	31	144	68	58

*The detailed results from testing all entries in the first version of the whitelist as recorded on January 22 and 23, IST is available here. We updated the set of results on 26 January to reflect the next version of the whitelist, available here. This version carries over all entries of the previous one unchanged.

Method

Testing URLs on an Unrestricted Internet Connection

To test if all entries in the list were functioning, we first accessed them using an India IP address on an unrestricted 4G connection. The ones that were not functional were categorised as:

1. Invalid URL: 4 URLs are invalid. One (www.hajcommitee.gov.in) contains a typographical error. 3 others are badly formed (https://www.google.com > Gmail; https://oppo-in; www.google.com > chrome [sic]).
2. Duplicate URL: 13 URLs were found to be duplicates of other entries. 3 URLs are present on the list along with their respective redirected versions. For instance, www.trivago.com redirects to https://www.trivago.in, both of which are present on the whitelist. We excluded the former from our analysis and considered the redirected version. The other two instances are Airtel.in and Cleartrip.com.
3. Entries with no URL specified: We have excluded 8 entries that are names of services and not URLs. 7 of these are media services providers such as Netflix and Amazon Prime.
4. Inconclusive entry/indeterminate URL: 6 URLs returned an error message and were excluded. 3 of those — Gov.in, Nic.in and Ac.in ⸺ did not include a protocol (http:// or https:// or the www. prefix). The DNS registration for Gov.in and Nic.in had also expired as indicated by WHOIS at the time of writing this analysis.

The results have been logged and categorised according to this schema in the detailed analysis (available here):

Is the URL accessible?	This column logs the results of a preliminary check for URLs that lead to error messages, such as broken links and websites/ webpages that are misconfigured. The results are categorised as:Yes: The URL is accessible invalid URL; Duplicate URL; No URL specified; Inconclusive entry/ Indeterminate URL: The URL or whitelist entry is not accessible for reasons described above.
Does the URL redirect to another?	The column indicates whether a URL redirects to another URL by default. Categorised as: Yes/ No
Redirects to	This column specifies the redirect target URL if it exists. Categorised as:No redirect https: The initial URL on the whitelist either contains http or no protocol is specified. It redirects by default to its https version, with the rest of the URL being identical.For example, www.moneycontrol.com on the whitelist redirects by default to https://www.moneycontrol.com.<URL>: The initial URL on the whitelist redirects by default to a URL with a different path or prefix. In such cases, the redirect target URL is specified here.For example, https://www.icicidirect.com redirects to https://www.icicidirect.com/idirectcontent/Home/Home.aspx
Remark/Observation	Observations based on the testing so far.

Whitelist Testing

The 270 URLs that remained were put through whitelist testing via a Chrome browser extension called Whitelist Manager, via a 10 Mbps connection. This extension can be configured to restrict users from accessing any URLs except whitelisted ones.The results have been logged and categorised according to this schema (available here):

Page Layout	This column logs how the page appears visually to the viewer. Classified as either Intact or Broken. Intact: The website was visually identical with and without the whitelist restriction in place. Broken: Its appearance was significantly altered when accessed with the whitelist restrictions. Inaccessible due to redirects: The website automatically redirected to another domain that was not on the whitelist. No further analysis was possible in such cases.
Images loading?	Categorised as Yes/ No/ Partial. Yes: All Images appeared on the website even with the whitelist restrictions. No: No images appeared on the website with the whitelist restrictions. Partial: Some images on the website loaded with the restrictions.
Has sign-in?	This column logs whether the website provides its users with an option to sign-in for its services or for personalised content. Categorised as Yes/No.
Sign-in section visible?	This records if the sign-in page accessible or the sign-in section on the website is functional with the whitelist restrictions in place. Yes: Sign-in page was under the whitelisted domain OR sign-in section of the website was responsive even if the page layout was broken No: Sign-in required accessing a non-whitelisted domain OR sign-in section of the website was non-responsive. Partial: The website also provided 3rd Party authentication options via Facebook/Google etc. which were not accessible. Note: The actual sign-in process was not tested for every website. There is potential for additional website failures if this relies on calls to non-whitelisted domains.
Other functions affected?	A subjective assessment of whether other parts of the website were impacted by the whitelisting restrictions. If any were found, these were listed in the ‘Specify’ column. This assessment should be considered indicative and not exhaustive.
Practically usable?	A subjective assessment of whether the website could still be used or not. Yes: Main features were not affected OR the website offered limited functionality, to begin with that wasn’t impacted. No: Website is unusable as some key features are not functional OR visual elements were missing/ broken to such an extent that it could not be used in any meaningful way. Partial: Some features (mainly textual information) were still functional.

Limitations of Our Method

1. We tested the whitelisted entries for usability via a whitelist management extension for the Chrome browser. Results may differ if another whitelist management software were used on a different browser. However, the difference will not be large and significant enough to change our final assessment of whether the website was usable or not.
2. We conducted the tests on a 10 Mbps connection. We did not use the bandwidth throttling feature on Chrome since the primary intent was to determine whether the sites were accessible or not. In the actual use case, people will visit the whitelisted entries via 2G connections with which the websites that we were able to access may not be reachable in a reasonable amount of time.
3. We did not sign-in to any of the websites, try to write and send an email, carry out a financial transaction or upload a document such as a tax filing. Doing these activities may significantly alter the final assessment regarding their usability.
4. 94 URLs (http or no protocol specified) redirect by default on an unrestricted connection to their https version. We have thus tested the https versions only. This was done due to a limitation of the Chrome browser extension we used for the testing. (Refer to Column E entitled “Does the URL redirect to another?” in the spreadsheet containing detailed analysis.) However, these 94 URLs may not function in the actual use case in Kashmir depending on the ISPs’ implementation of the whitelist.
5. We focused on visual elements and usability only. We ignored the impact on analytics, monitoring tools as long as it did not impact the ability of an end-user to navigate the website. This is, however, bound to be a matter of concern for website operators.

*Rohini Lakshané is a researcher and technologist. She is Director (Emerging Research), The Bachchao Project.Prateek Waghre is a Research Analyst at The Takshashila Institution, a centre of education and research in public policy.

The outbreak of the novel coronavirus infection emanating from the wildlife and seafood markets in China’s Wuhan city reminds me of the severe acute respiratory syndrome, or SARS, epidemic that hit the world 17 years ago. I lived in Singapore at that time, and it was a traumatic experience.

The SARS virus, like the Wuhan coronavirus, originated in China and spread around the world through air travel. The Singapore economy depends on tourism, trade, and business travel, so closing the borders was not an option. When it emerged that the SARS virus transmits through humans, it looked like Singapore would be severely affected. The city-state is densely populated, most people take crowded buses and trains to work, and a lot of places — offices, shopping malls, schools, public buildings — are centrally air-conditioned. We went through weeks and months of anxiety and paranoia.

Read more

Amid CEO Jeff Bezos’s visit to India, Amazon’s India website displayed a full-page letter highlighting how Amazon was committed to its small and medium scale business partners. Bezos also announced that Amazon will invest an “incremental US $ 1 billion to digitise micro and small businesses in cities, towns, and villages across India, helping them reach more customers than ever before”. However, as Bezos tried to bring on his ‘charm offensive’ to India, stating how he was inspired by the “boundless energy and grit” of the Indian people, not everyone seemed amused. On the one hand, we had the Union Commerce Minister stating that “Amazon is not doing India a favour by investing..it is probably because it wants to cover its losses incurred to deep discounting”, on the other hand, we had small and medium retailers protesting against the visit holding posters of ‘Go Back Amazon’. The retailers claimed that Amazon was doing more damage to their business than good.What is the truth?A typical brick and mortar retailer’s capability to sell is constrained by its access to consumers which in turn is confined by geography. The retailer’s market is restricted to people living in the vicinity of the shop. On the other hand, Amazon offers retailers access to millions of consumers across India. This expansion of the market is not only beneficial to the retailers but also to the final consumers who now have a plethora of products to choose from.   However, Amazon, apart from being a marketplace connecting sellers and buyers, is also a player on its own platforms. It sells various products from soaps, shirts, and underwear to tech accessories, and kitchen supplies of its own private label brands such as Solimo, Amazon Essentials, Symbol, Amazon Basics, among others. This violates the neutrality of the platform.Think of the last time you went to the second page of Amazon listings to buy a product. Can’t remember, right? Most of us tend to buy products, especially the standard, and low-value ones from the first five or six listings shown. Amazon has an incentive to and has been accused of favouring its own products above the ones sold by sellers. The reduction in traffic and sales observed by the sellers forces them to buy listing advertisements on Amazon. The protests were a manifestation of the low-bargaining power that individual sellers have against the world’s biggest e-commerce company.Now consider the information that Amazon has in terms of what products are sold where, at what price points, which are the major players in different segments, and so on. Studies show that Amazon uses its marketplace as a tinkering lab and leverages the information asymmetry to launch the most successful products on the platform, under its own label. Once, Amazon’s private-label launches the product, it undercuts the retailers on price and favourably places the products on the website effectively killing competition.  The current standard of ‘consumer welfare’ pegged on short-term price effects is inadequate for managing the above results. The de-facto ‘consumer welfare’ standard popularised by Robert Bork through his book, ‘The Antitrust Paradox’ argues that the goal of antitrust laws should be maximising consumer welfare and protecting the competition, not the competitors. Since, there is no clear evidence of Amazon raising prices in the short-term after launching a product, proving consumer harm is difficult. Therefore only considering the consumer welfare standard would be insufficient. As Lina M Khan points out that the structure of companies such as Amazon “create anti-competitive conflicts of interests” and provides opportunities to “cross-leverage market advantages across distinct lines of business.” Also, with Big-Tech companies such as Amazon, backed by ever-flowing streams of venture-capital money, many ill-effects might be seen in the longer term. We should also be cognisant of the fact that sellers are also customers for Amazon. Therefore, consumer welfare should also apply to sellers.As the Competition Commission of India conducts its investigations, it should examine all the new challenges posed by the likes of Amazon and be cautious in its approach and propose a path where the penalties laid down for Amazon are not a slap on the wrist. Instead, the way forward is where healthy competition can be sustained as well as the bargaining power of the sellers on the platforms is increased. This article was originally published in the Deccan Herald.

Research institutions around the world on average have 28.4 percent women employees. Indian research institutions have been unable to make even this poor benchmark. Women make up only 14 percent of 2.8 lakh scientists, engineers, and technologists in research and development institutions in India. In the past few decades, while the number of women enrolled in science higher education has steadily increased, the number of women entering the science workplace has not shown a commensurate rise. This suggests that women are either not willing to continue in science jobs or are not being provided suitable opportunities to do so.

Pros of gender-balanced in scientific campuses

There is a school of thought that women bring a distinctly different perspective to science than men. Studies have shown that diverse groups have more collective intelligence than groups made up of men only. The implication is that gender-balanced teams are likely to be more productive and “smarter” as compared to all-male teams. It, therefore, makes sense that we would like more laboratories to try and achieve an equal male: female ratio. (Read more)

India’s position on the Huawei question should be closer to that of the US and Japan (a ban from 5G critical infrastructure) rather than that of Kenya or the Netherlands (a conditional yes to Huawei). That’s because China is, after all, India’s adversary and its biggest strategic challenge. Given this situation, handing over critical communications infrastructure to companies closely connected with the Chinese party-state does not make any strategic sense.Even if Huawei is serious about commitment to mitigate security concerns, bestowing an adversary with geopolitical leverage is a poor strategy. Just like India is unlikely to give control of its major ports infrastructure to any Chinese company, our critical communications infrastructure also needs to be guarded.From the economic angle, it’s probably true that banning Huawei and ZTE will result in some economic costs to India and Indians. To reduce this impact, India can consider a two-fold strategy. When it comes to critical network infrastructure, Chinese companies could be banned. On the other hand, India could welcome Huawei/ZTE 5G mobile phones with open arms because cheap 5G phones will benefit crores of Indians.What needs to be internalised is that the question of 5G network infrastructure is too important an issue to be left to a DoT decision alone. It requires a holistic assessment of security, economic, and strategic concerns and must be taken by the cabinet committee on security. In our view, strategic concerns far outweigh the economic benefits and security fears.Read the full article on The Telegraph here.(Image source: Christoph Scholz on Flickr)

Even if we ignore the fact that the Indian economy is in a severe slowdown, we should not forget even for a moment that India’s per capita GDP is around $2000, it needs to create around 2 crore jobs every year, and needs every little point of economic growth that it can get.So, in terms of the level of income, India is in the same league as Congo, East Timor, Nicaragua, and Nigeria. Two of India’s subcontinental neighbours, the Maldives and Sri Lanka, are far ahead of us. At around $10,000, the average income in China is 400 per cent higher than India’s. Given our tax/GDP ratios, the Indian government’s combined expenditure on everything — including health, education, defence, rural development, and social welfare — is a paltry $300 per year.Read more

Let’s first parse what Ambedkar had warned against in his final speech to the Constituent Assembly in November 1949: “We must…hold fast to constitutional methods of achieving our social and economic objectives. It means we must abandon the bloody methods of revolution. It means that we must abandon the method of civil disobedience, non-cooperation, and satyagraha. When there was no way left for constitutional methods for achieving economic and social objectives, there was a great deal of justification for unconstitutional methods. But where constitutional methods are open, there can be no justification for these unconstitutional methods. These methods are nothing but the Grammar of Anarchy and the sooner they are abandoned, the better for us.” (Emphasis mine.)The key sentence in this important paragraph is the one where he points out that when there is no way left for constitutional methods, public protests are justified. After the Supreme Court repeatedly failed to uphold basic fundamental rights and balance the Narendra Modi government’s overreach, there is a question mark on whether there is any way left for constitutional methods. The religion-based criteria in the CAA is unconstitutional. When citizens wanted to protest against the bill, many state governments imposed prohibitory orders under Section 144 of the IPC and arrested protesters. Internet access was shut down in many places across the country. In some places, police action was blatantly unconstitutional.Read more

The accepted conventional wisdom is that economic reforms in India happen only in a crisis or by stealth. The big example of the former is the 1991 reforms, when the country faced a huge foreign exchange crisis, resulting partly from the fiscal profligacy of the previous decade. Another example is from 1999 when the telecom sector was in near bankruptcy, and that crisis led to the shift away from fixed fee for spectrum to revenue sharing. In both cases, there was considerable opposition to those reforms, but they were pushed through because the crisis left no other choice. Otherwise, more often than not, it has been economic reform by stealth. These are introduced without fanfare, often in the form of an executive decision rather than legislation. For instance, the expansion of the list of items under the Open General Licence for imports, which is a reform of protectionism, or the reduction in the set of industries reserved for small-scale businesses. A more recent example of a contentious reform was the insertion of an electoral bond scheme in the Finance Bill of 2018. There was hardly any debate. Reform by stealth offers the advantage of going in either direction. In 2013, faced with a potential currency crisis, the Reserve Bank of India (RBI) quietly retracted the limits on the liberalized remittance scheme (LRS), a reversal of an earlier step towards capital account convertibility, the journey towards which was also characterised by stealth. We might as well accept that India will never have reforms backed by conviction or ideology. Mostly, the moves are reluctantly made and the resistance is from industry or trade unions, not politicians.Read More

The Bill, in its current form, more or less tries to hand the government a blank cheque when it comes to accessing citizens’ data.The Ministry of Electronics and Information Technology (MEITY) is set to brief the Joint Parliamentary Committee on the Data Protection Bill on January 14. As MEITY itself has drafted the Bill, it is unlikely that it will suggest major changes. But the hearing is crucial because it has the potential to alter the course of India’s privacy framework.The Bill heavily favours the state. It allows the government to staff the Data Protection Authority (DPA) to be set up under the law; enables the Centre to demand non-personal data and allows for processing of personal data, while also giving the Government the power to exempt any of its agencies from the legislation.There is a lot to discuss but a few issues stand out in relation to the DPA, and the right of the state to access a citizen’s data.Let us begin with the DPA. The Bill has a broad scope and mandate, and once the Parliament passes the bill into law, the DPA’s work will begin. The Bill outlines the DPA’s duty as protection of the interests of data principals (people whose data is in question), prevention of any misuse of personal data, ensuring compliance (with the Act), and promoting awareness about data protection. The first of these duties is interesting as it gives the DPA a broad mandate to act as a representative on behalf of the people and their data.The body will be expected to meet global standards or even better it. It is important that those standards exist and be maintained. India is in a unique position to draft a law on data protection in which it can learn from the experiences of other countries. It is only fair that India adopts a similar or even higher standard for the law.The thing to notice here would be how the DPA is staffed, particularly who the chairperson and six members will be, and how they will be appointed. In its current form, the Bill states that one of the six members should have ‘qualification and experience in law’. However, the need of the hour is to not have senior or retired bureaucrats in the DPA but experts who are acquainted with technology, law, and privacy.The Bill had broadly three trade-offs to manage: Define the powers of the state when it comes to data, set privacy standards around the personal (characteristic, trait, attribute orany other feature used for profiling) and personal-sensitive (financial data, health data, sex life, genetic data) data of citizens and outline the roles and responsibilities of data fiduciaries.The big-ticket item here is that the Bill has heavily favoured the government when it comes to access to data and processing it. There are two reasons why I say that. Firstly, Chapter 3 of the Bill lays out the grounds that allow the government to process personal data for a certain amount of functions. The text of the clauses is fairly broad. For instance, the first clause allows for the processing of personal data for the provision of any service or benefit to a data principal from the state. Although as a proponent of privacy, I am thankful it does not apply to sensitive or critical data and wish it stays that way.Secondly, Chapter 14 gives the state, in consultation with the DPA, the power to demand non-personal or anonymised data from fiduciaries to enable better targeting of services or form evidence-based policy-making. Given the prevailing environment, one could fit a lot of ground under the umbrella of evidence-based policy-making and abuse that provision if it’s not defined well.In all fairness to the Bill, it has tried to formulate checks and balances when granting the executive these powers. Two instances come to mind here. Firstly, in granting powers to demand non-personal or anonymised data, it requires the government to consult with the DPA. But given that the DPA will be structured by people recommended and appointed by the central government, the process may end up being redundant. Secondly, the Bill also puts a check on the DPA when it asks the Authority to “specify the manner in which the data fiduciary or data processor shall provide the information sought, including the designations of the officer or employee of the Authority who may seek such information, the period within which such information is to be furnished and the form in which such information may be provided”. (Chapter 9)In spite of all this, I still think that the Bill more or less tries to hand the government a blank cheque when it comes to access to data. As we head into deliberations around this issue, I would argue that there is a chance that this cheque will get blanker. For people who highly value privacy, the good news is that we still have the landmark Puttaswamy judgement that establishes the fundamental right to privacy under the right to life and personal liberty. Moreover, the regulatory climate is shaping into one where judgement will be needed more than ever. Especially with the government giving itself the powers to access data through the Bill, through recommending and appointing members in the DPA, through allowing agencies to intercept and access data, and through pushing for allowing traceability in communications through amendments to the IT act.The personal data protection Bill is an essential step towards regulating a new space. However, given the draft version available, it also seems to be the beginning of a new tug of war for access to data. Through the bill, the government has the power to push to erode privacy. The Puttaswamy Judgement allows for privacy to be encroached upon if the encroachment has a basis in law, corresponds to a legitimate aim of the state and is proportionate to the objective it seeks to achieve. We are looking at the state’s actions being assessed through these three criteria for months and years to come.(Rohan Seth is a technology policy analyst at The Takshashila Institution)This article was first published in Deccan Herald.

States around the world are divided along the lines of how they should view the internet. On one end of the spectrum, there are calls to treat the internet somewhat as a fundamental right. For instance, the UN subscribes to this view and is publicly advocating for internet freedom and protection of rights online. On the other end of the spectrum, there is India, where after over a hundred shutdowns in 2019 alone, you could arguably define access to the internet as a luxury.

In my personal opinion, shutting down the internet for a certain area is an objectively horrible thing to do. It’s no wonder that states tend to not take this lightly. Even in Hong Kong, after months of protests, the government felt it okay to issue a ban on face masks in public gatherings. However, when it came to the internet, the government looked at censoring the internet, not shutting it down. The difference is that under censorship, access to certain websites or apps is restricted, but there is reasonable scope for the protesters to contact their families and loved ones. The chronology will tell you that even internet censorship as a measure was considered after weeks of protests.

In the case of India, that is among one of the first things the government does. So when India revoked Kashmir’s autonomy on August 5, 2019, the government shut down the internet the same day. It has been almost 150 days at the time of writing with no news of access to the internet being restored in Kashmir valley. Naturally, people are now getting on trains to go to nearby towns with internet access to renew official documents, fill out admission forms, check emails, or register for exams.

There are multiple good arguments as to why the internet should not be shut down for regions. They cost countries a lot of money once implemented.

According to a report by Indian Council for Research on International Economic Relations, During 2012-17,

16,315 hours of Internet shutdown cost India’s economy around $3 billion, the 12,600 hours of mobile Internet shutdown about $2.37 billion, and the 3,700 hours of mobile and fixed-line Internet shutdowns nearly $678.4 million.

Telecom operators have also suffered because of the Article

370 and the CAA bi-products of the internet shutdown with The Cellular Operators Association of India (COAI) estimating the cost of internet shutdowns being close to `24.5 million for every hour of internet shutdown. Then consider the impact shutting down the internet has on the fundamental right to the freedom of speech and expression and the impact it has on the democratic fabric of our country.

In the case of India, internet shutdowns are also a bad idea because they reinforce the duration of shutdowns and also make themselves more frequent.

Let me explain the duration argument first. Shutdowns tend to happen in regions that are already unstable or maybe about to become so. For better or for worse, the violence and brutality resulting from the instability are captured and shared through smartphones. While those videos/photos may not be as effective as independent news stories, when put on social media they combine to build a narrative. And soon enough the whole is greater than the sum of its parts, creating awareness among people who had little or none before. The problem is that the longer the instability and the internet shutdown lasts, the more ‘content’ there is to build a narrative. In the case of Assam and even more so in Kashmir, this is exactly what has happened. At this point, if the government rescinds the shutdown in either of those places, it faces the inevitable floodgates opening on social media. And the longer this lasts, the more content is going to be floated around.

Secondly, internet shutdowns make internet shutdowns more frequent. After revoking access to the internet a certain number of times, the current administration seems to have developed a model/doctrine for curbing dissent.

Step 1 in that model is shutting down the internet. This has led to shutdowns being normalized as a measure within the government. So it’s no longer a calculated response but a knee-jerk reaction that seems to kick the freedom of expression in the teeth every time it is activated.

The broader point here is that taking away the internet is an act of running away from backlash and discourse.

To carry it out as an immediate response to protests is in principle, turning away from the democratic value of free speech. It’s hard to believe that it may be time for the world’s largest democracy to learn from Hong Kong (a state which uses tear gas against its people and then tries to ban face masks) when it comes to dealing with protesters.

(The writer is a technology policy analyst at the Takshashila Institution.)

This article was first published in Deccan Chronicle.

There are some keynotes in the tech world that serve as highlights of the year. There is Apple’s iPhone event and WWDC where Apple traditionally deals with software developments. Then there is Google’s IO, and also the Mobile World Congress. Virtually all of these are guaranteed to make the news. Earlier last year, it was an Amazon event that captured the news (outshining Facebook’s Oculus event that was held on the same day in the process).During the event, Amazon launched 14 new products. By any standards, that is a lot of announcements, products, and things to cover in a single event. And so it can be a bit much to keep up with and make sense of what’s happening at Amazon. The short version of the developments is that Amazon is trying to put Alexa everywhere it possibly can. It’s competing with Google Assistant and Siri, as well as your daily phone usage. It wants you to check your phone less and talk to Alexa more.It would explain why Amazon has launched ‘echo buds’. They have Bose’s ‘Noise Reduction Technology’ and are significantly cheaper than Apple’s Air Pods. There is also an Amazon microwave (also cheaper than its competition), as well as Echo Frames, and an “Alexa ring”, called Loop. The Echo speaker line has also been diversified to suit different pockets (and has also included a deepfake of Samuel Jackson’s voice, which is amusing and incentive enough to prefer Alexa over other voice assistants unless competition upstages them). Amazon launched a plug-in device called Echo Flex (which seems to be ideally suited for hallways, in case you want access to Alexa while going from one room to another and are not wearing your glasses, earphones, or ring). Aside from a huge number of available form factors in which they can put Alexa in, the other thing about these products is how they are priced. You could make the argument that the margins are so little that the pricing is predatory (a testament to what can be accomplished when one sacrifices profit for market share). Combine that with how they will be featured on Amazon’s website and you can foresee decent adoption rates, not just in the US, but also globally should those products be available.In the lead-up to the event, Amazon also launched a Voice Interoperability Initiative. The idea is that you can access multiple voice assistants from a device. Notably, Google Assistant and Siri are not part of the alliance, but Cortana is. You can check out a full list here. The alliance is essentially a combination of the best of the rest. It aims to compensate for the deep system integration that Alexa lacks but Google Assistant and Siri have on Android and iOS devices.Besides making Alexa more competitive, the broader aim for the event is to make Amazon a leader in ambient computing. Amazon knows that it is going to be challenging to have people switch from their phones to Alexa and so likely wants marginal wins (a practice perfected in-house). That’s why so many of their announced products are concepts, or ‘day 1’ products available on an invite-only basis. The goal is to launch a bunch of things and see what sticks and feels the most natural to fit Alexa in so that they can capitalize on it later.It is Amazon’s job to make a pitch for an Alexa-driven world and try to drive us there through its products and services, but not enough has been said about what it might look like once we are in it. An educated guess is that user convenience will eventually win in such a reality. As will AI, with more data points coming in for training. This is likely to come at a cost of privacy depending on Amazon’s compliance with data protection laws (should they become a global norm).To be fair to Amazon, the event had some initial focus on privacy which then shifted to products. However, the context matters. For better or worse, these new form factors are a step ahead in collecting user data. Also, the voice interoperability project might also mean that devices will have multiple trigger words and thus, more accidental data collection. To keep up with that, Amazon will need to improve its practices on who listens to recordings and how.Amazon’s event has given us all things Alexa at very competitive rates, which sounds great. If you are going to take away one thing from the event, let it be that Amazon wants to naturalise you talking to Alexa. Its current strategy is to surround you with the voice assistant wrapped in different products. If it can make you switch to talking to Alexa instead of checking your phone, or using Google Assistant or Siri even 4 times a day, that is a win they can build on.

Cross-strait ties are likely to get far more frosty, with serious implications for the security dynamic in East Asia, after Tsai Ing-wen’s victory in Taiwan’s presidential election.In many ways, Saturday’s was a historic election. Nearly 75 percent of the 19.31 million eligible voters cast their ballot, with Tsai bagging over 57 percent of the vote. Her nearest rival, the Kuomintang’s (KMT) Han Kuo-yu, could only manage 38.6 percent of the vote. Also elected were 113 new members to Taiwan’s legislature, the Legislative Yuan. Tsai’s pro-independence leaning Democratic Progressive Party (DPP) lost seven seats in the legislature but managed to retain its majority, winning 61. The KMT, on the other hand, gained three seats, increasing its 2016 tally to 38.Read the full article in The Indian Express.

Faiz? Faiz who? What has he got to do with improving the grade point average, landing a job at Google, securing funding for a startup, or getting a full scholarship for grad school at a top US university? Since no professor, interviewer, or grad school selection committee member cares much about Faiz (even on the off chance that they know about him), the relevance of Faiz to an engineering student is zero. Since some of these students go on to become faculty, teaching the next generation of students who have the same objective functions, few professors know about Faiz either. Why are we surprised that our engineering colleges are unFaized?

It’s not just the Indian Institutes of Technology (IITs). It’s not only our engineering colleges. Medical, science, business, and commerce colleges likely suffer from the same Faiz ignorance. Sure there might be the odd physiotherapist here or an unnecessarily better-read physics student there, but, by and large, we should not be surprised if students and faculties at our top colleges do not know about Faiz. To be fair, students at professional colleges are not totally disinterested in arts and culture. Many watch Bollywood and Netflix shows. They follow cricket and football. They also read, as the sales figures of books of Chetan Bhagat and Amish Tripathi attest.Read more

After Russia tested RuNet, what are the chances that India will try its hand at NayaBharatNet?

In the final weeks of the last year, there were reports that Russia successfully tested RuNet, its ‘domestic internet’ that would be cut off from the global internet. Specifics of the exercise are not known – whether for example, it was really successful and what challenges it faced – but it made for an ominous end to a decade that has been marked by a growing disillusionment with the concept of the internet as a liberating force.

This was always on the cards when Russia and China started working together in the lead-up to the former’s Yarovaya law, which imposed geographical restrictions on the transfer of Russian users’ data. In December 2019, Russia had also passed a law making it mandatory for devices sold in the country to be embedded with Russian apps from July 2020. While it does not specify which devices and apps are covered, critics of the law are concerned that its vague nature opens the door for it to be misused to force the installation of spyware.

Russia is not alone in this quest though, China is the pioneer, and others like North Korea and Iran are along for the ride as well. After a week-long nationwide internet shutdown in response to protests and an exercise by government officials to collate critical ‘foreign’ websites sparking speculation about the creation of a ‘whitelist’ of allowed sites, Iran’s National Intranet Network (NIN) is once again in the spotlight. This was followed by a statement from President Rouhani that the network was being strengthened so that people will not need foreign networks to meet their needs. North Korea too has a tightly controlled domestic internet, Kwangmyong, whose content is largely controlled by the state.

China’s great firewall (GFW) has been around for over a decade and is not a unitary system as it is often made out to be. It uses a combination of manual and automated techniques to block global content but largely works on the principle of blacklisting unwanted websites/content. Many international websites do work but are extremely slow because of the scanning and filtering that inbound internet traffic to the country is put through. For a website to operate from inside Mainland China, a number of local permits are required depending on the industry. Much of the internet backbone is state-controlled. It has continued to tighten the noose through a combination of restrictive regulation and stricter interpretation of existing rules.

A highly restrictive Cybersecurity law passed in 2015 called for mandatory source code disclosures. In 2016, working with ISPs it set out specifications for an Information Security Management System that aimed to automate the ability of provincial authorities to monitor/filter internet traffic. In 2017, it tweaked licensing rules to ensure that permits would only be issued to domains that are registered to a Mainland China-based company. The extent to which these rules are enforced may vary, but it leaves a ‘Sword of Damocles’ in the state’s toolkit that it can drop whenever it chooses to do so. By constantly increasing the costs of doing business for non-Chinese companies, it has achieved ‘chinternet’ without explicitly cutting the cord – yet.

Fears of a ‘splinternet’ along national boundaries or ‘balkanisation’ of the internet are not new. But the likelihood is now higher than ever before as governments try to take control over cyberspace after ceding space in its early years. Research by the Oxford Internet Institute and Freedom House which have revealed the use of disinformation campaigns and the co-option of social media for manipulation and surveillance by various governments. The United Nations General Assembly passed a resolution in support of a Russia-backed Open-Ended Working Group (OEWG) which has drawn criticism from others on the ground that it prioritises cyber sovereignty and domestic control of the internet over human rights. Countries that advocate a free-and-open internet are in a bind over whether to participate in the group or cede control in the global norm-setting process. Continued passage of regulation by various countries that have extraterritorial application will fragment the internet and strengthen the constituency favouring cyber sovereignty.

‘NayaBharatNet’ a possibility?

India has yet to articulate its position on some of the divisive issues concerning global norms in cyberspace, yet it has repeatedly stressed the principle of cyber sovereignty positioning it alongside the Sino-Russian camp. While it seems to have softened its position on data localisation, for now, similar rhetoric about national sovereignty and security has been used by Russia and China in the past.

Authoritarianism by the Indian state is also surely on the rise – events that unfolded in 2019 provide ample empirical evidence for this. The fact that various police departments are proactively taking to social media channels to threaten/deter posts that run contrary to the state’s narrative (Is this confirmed about police depts?) and the frequent use of internet shutdowns show that the desire to control the internet is extremely strong. International criticism has repeatedly been portrayed as mischief by a ‘foreign hand’. The creation of a strictly regulated domestic digital echo chamber is not unimaginable in this context. In fact, it is a logical next step as the current tactics are bound to have diminishing returns over time.

Today, the economy (political or otherwise) for such a move does not exist. The IT Industry

would obviously vigorously oppose it. And unlike China, the telecommunication backbone infrastructure is not state-owned, but the sector as a whole is probably the weakest it has ever been and tending towards a monopoly/duopoly. It also has a history of being regulated with a heavy hand.

Until now, India has followed a policy of denying cyber intrusions or claiming that no significant harm was done. However, in the aftermath of ‘undeniable’ real-world harm inflicted by a cyber attack, the Overton window could move towards supporting such an initiative for national security and could very well be exploited. Sometime in the not-so-distant future, we could all be communicating using Kimbho on NayaBharatNet.

(Prateek Waghre is a research analyst at The Takshashila Institution)

This article was originally published in Deccan Herald.

The Modi government has perhaps calculated that its majority in Parliament, its dominance of public discourse, its control of the law-enforcement machinery, and the popularity of its agenda among large sections of the people will allow it to prevail over the protesting citizens. After all, how long can disparate, politically unorganised groups of students, young people, urban middle classes, and members of the Muslim community afford to protest? Yet, so far, attempts to deter protesters with prohibitory orders, detentions, and police actions have triggered more protests. As more news trickles out of Uttar Pradesh, the world would probably recoil in horror at the manner in which the BJP government there appears to have used disproportionate force in quelling protests by Muslims in the state. In the coming days and weeks, at least, more consciences are likely to be pricked. The protests will grow and spread.Read more