by Ranjeet Rane
As the dust settles around the Indian Air Force (IAF) notification against the use of Chinese mobile phones by its officers and personnel, yet another opportunity to discuss and work upon the larger issues of data sovereignty, user data privacy and lawful interception may be lost. The issue at hand goes beyond the “Chinese spying” rhetoric. The IAF advisory and subsequent denial about the same only highlight the incoherent approach adopted by the Indian policy makers towards understanding the changing dynamics of a “data ecosystem” in a world that is fast embracing the “Internet of Things”. A “data ecosystem” encompasses all the processes relating to user data generation, storage, transmission and third party access/consumption.
A four layered model can be used to demonstrate the possible approach that can be adopted while working on a holistic policy for the rapidly evolving data ecosystem in India.
The outermost layer is that of Data Sovereignty. Policy discourse is presently centered around this concern. Security and Law Enforcement agencies have constantly been demanding “India based servers” (read Data centers) from data intermediaries. The Blackberry case was perhaps the most notable example in the last few years that centered around the issue of Data Sovereignty. This demand for data centers within geographical boundaries of India is based on two reasons. The first is that Indian IT laws are not applicable to data stored outside of India. Security and Law enforcement agencies often face procedural delays if access to data is sought for prosecution needs. The other reason is concerning third party access to such data. While the IAF advisory against communication devices that have a “China connect” is the most recent example of this, similar advisories have been issued by the Army as well as the Intelligence Bureau. Curiously, most of these are based on third party vulnerability reports released by private cyber security firms.
This brings to fore the need to have in place a “testing environment” that conducts routine vulnerability assessments within the data ecosystem. This could then be evolved into a certifying authority for “Data Integrity” Standards across various data intense technologies. Coupled with an agency like CERT-In it can be utilized to institutionalize the Government oversight that is currently missing in this domain. Further, this will make it easier for the data intermediaries to establish service credentials, maintain high quality of service along with mandatory documentation and periodic review of steps taken to ensure data integrity. By enabling intermediaries to follow predefined standards, the Government may indirectly boost user confidence that will help in strengthening the fundamentals of the data ecosystem.
Lawful Interception is the next sphere of this model. The NDA government has been vocal about strengthening internal security mechanisms in the country by reviving programs like the Central Monitoring System, NETRA and NATGRID. It will rely heavily on lawful interception towards meeting the objectives of these programs. The focus on blanket surveillance techniques will not be in the benefit of the data ecosystem in the long term. By increasing end user apprehension and making it difficult for the intermediaries to comply with government requests for interception, the government will continue to alter the way users perceive threats to data privacy.
The Government needs to move out from the shadow of the colonial Telegraph Act 1885 if it wishes to have a measure of success in these programs. It needs to put in place an accountable system where legitimate requests for interception would be vetted, documented and realized in public domain at regular intervals. This will increase the end user confidence in using services within the data ecosystem. This will also make it easier for the intermediaries to comply with genuine requests of interception and user information. One of the long pending steps in this regard is the National Telecom Security Policy. While its draft has been around for quite some time, it has been caught in the turf war between various ministries seeking exclusivity over interception requests by agencies under them.
Setting up of a data center is dependent primarily on its utility for users in a geographical region. India has the highest number of active users on Facebook outside of the USA. Similarly India has the highest number of users for messenger applications and other OTT applications. This large user base needs to be projected as the first reason for intermediaries to invest in setting up data centers in India. By encouraging the establishment of data centers in India, the government will be able to find partners for its National Fiber Optic Network, a project to ensure last mile connectivity to remote locations. It will also act as a counter to the perceived threat of Chinese spying in the region.
By choosing to “Store in India”, intermediaries of the data ecosystem will be able to garner user trust and at the same time aid the growth of the other layers of the ecosystem. It is important that the policy makers take a relook at the various telecom and communications policies framed in the last decade and make a serious effort to integrate these in the “data ecosystem” that is flourishing in India. Unless a holistic approach is adopted to look at the issues in the data ecosystem, we might lose out on an excellent opportunity to project India as a “data hub” in the coming decade.
In my next post I shall discuss the role of data intermediaries in the data ecosystem, impact of regulatory intervention and highlight the importance of keeping end User Privacy at the core of this model.
Ranjeet Rane is a research assistant on cyber-security at the Takshashila Institution.