'FB & Google have already monopolised Indian cyberspace'
In an interview with Catch, Sunil Abraham, executive director of Center for Internet & Society, puts the recent US-India cyber relationship framework into perspective. Abraham also talks about how Indian surveillance policies are outdated and why the country has failed to check the hegemonic tendencies of companies like Facebook and Google.
US-India signed a cyber relationship framework earlier this month. Could you explain some of the takeouts that may have important implications in the near future?
In the framework, both sides have made a "commitment to the multi-stakeholder model of Internet governance" - in immediate practical terms that means India will accept the Internet Assigned Numbers Authority (IANA) transition proposed for the Internet Corporation for Assigned Names and Numbers (ICANN).
Unfortunately, as my colleague Pranesh Prakash points out, "U.S. state control over the core of the internet's domain name system is not being removed by the transition that is currently underway."
India along with Brazil and other emerging powers should have insisted that the question of jurisdiction be addressed before the transition. We must remember that the multi-stakeholder model is just a fancy name for open and participatory self-regulation by the private sector. While the multi-stakeholder model is useful as a complement to traditional state-led regulation, it cannot be used to protect human rights or ensure the security of a nation state.
What are some aspects of Intellectual Property Rights that should be looked at, in the context of the framework?
There is some language around Intellectual Property Rights (IPR) that should be examined carefully too. The US corporations benefit from a maximalist IP regime. But Make in India, Digital India and Startup India all depend on flexibilities to the IP regime and therefore India should refuse signing Trans-Pacific Partnership (TPP) obligations like the "Digital 2 Dozen" which the US is actively proselytizing across the Pacific.
If we make that mistake, we will make zero progress in indigenous security research and product development and also many other areas of our economy, health sector and education sector will be severely compromised. Therefore it would be best to keep IP rights expansion and enforcement out of the framework for the US-India Cyber Relationship.
The PIL seeking a ban on WhatsApp was refused by the SC recently. Encrypted messaging services like Telegram however, have been used in the past by terror groups. What's your take on such end-to-end encryption services?
Privacy and security are two sides of the same coin. You cannot have one without the other. End-to-end encryption is the basis for online privacy. End-to-end encryption is a pre-requisite for many legitimate actions of law abiding citizens online such as commerce, banking, tele-medicine, protection of intellectual property, witness/source protection, client confidentiality etc. Therefore, banning end-to-end encryption would mean the death of individual privacy and national security.
If the government wants to promote cyber security it should promote the use of end-to-end encryption amongst law abiding citizens.
Terrorists have to be stopped through targeted profiling, surveillance and interception. Big data analytics may be useful to watch for patterns in the metadata but there is no replacement for good old-fashioned police work.
Once suspects have been identified the encrypted channels can be compromised by:
1. Placing trojans on the end-user devices
2. Performing man-in-the-middle attacks and
3. Using brute force attacks with supercomputers.
Snowden's revelations have made it very clear that blanket and mass surveillance does not help foil terror attacks or stop organised crime. So far, research and government reports from across the world indicate that only a minority of terrorists use encryption. However, this situation may change.
We don't have any proper encryption policy under the IT Act yet. What's taking so long and what are the key points that any policy in this matter must include in future?
We need many different types of encryption policies. We need a policy that mandates encryption and digital signature for all government personnel and also for all government transactions.
We need policies that promote research and development in cryptography and mathematics. We need to update our criminal procedure code so that encrypted communications and data can be targeted by law enforcement and used effectively in the criminal justice process.
However, we should not have any broad encryption policy that tries to regulate encryption as a technology. That would be a highly regressive move and will be impossible to enforce. That would breed contempt for rule of law.
Surveillance and the tech around it has been contentious for various governments. Where do we stand vis-a-vis regulating surveillance measures by the state?
Our surveillance and interception laws are outdated. They need to be modernized to deal with advancements in technology and also global developments when it comes to data protection and privacy law.
In fact, our organisation was part of a global effort called Necessary and Proportionate which identified 13 principles to modernise surveillance which are connected to various aspects such as Legality, Legitimate aim, Competent judicial authority, Integrity of communications and systems and more. Some of these principles may have to be customised for the Indian context.
With a sluggish US market, India has the biggest potential for companies like FB & Google, next only to China. Do you feel that in the quest to take over the Indian market, FB & Google are going to monopolise cyberspace in India?
I have news for you - they have already monopolised Indian cyberspace. They have completely wiped out competition in certain domains.
One of the many reasons they have done this is because we don't have laws and regulations to temper their hegemonic tendencies. For example, we could use data portability and interoperability mandates for social media to spark competition in markets where there are entrenched monopolies.
Competition law can be used to protect other firms from abuse of market power. Consumer protection law and privacy law could be used to ensure that users' rights are not compromised in the race for market share. In addition, a modern privacy law compliant with the best practices in the European Data Protection Regulation 2016 would allow emerging Indian companies to compete with giants like Facebook and Google on a level playing field.