On March 27, 2015, the Telecom Regulatory Authority of India (TRAI) published a consultation paper on a Regulatory Framework for Over-the-top (OTT) services. The consultation paper poses 20 specific questions on which responses are sought from the public. From DSCI's perspective, Questions 6 and 7 in particular are of significant concern. On Question 6, DSCI is of the view that security concerns should be viewed from a risk point of view that covers not only communication services but the entire gamut of services that run over the Internet. On Question 7, DSCI comments, with justifications, on how OTT players offering application services should ensure the security, safety and privacy of consumers, besides ensuring protection of consumer interest.
Addressing security concerns with regard to OTT players providing communication services
Besides security concerns, Question 6 also asked whether security conditions such as maintaining data records, logs, etc. need to be mandated for such OTT players, and how compliance with these conditions could be ensured if the applications of such OTT players reside outside the country.
DSCI response
- Security concerns should be viewed from a risk point of view that covers not only communication services but the entire gamut of services that run over the Internet.
- From a national security viewpoint, the law of the land should be enforceable on all service providers who provide services in India or to Indian citizens or residents, and such providers should be subject to the territorial jurisdiction of India. But as a general principle, subjecting the private sector to data/infrastructure localization requirements in the name of national security will prove counterproductive for a variety of reasons, including:
  - Localization requirements prevent organizations from achieving economies of scale and leveraging the benefits of global sourcing and hyper-specialization, increasing the cost of services, which could be passed on to consumers
  - It threatens major new advances in technology and innovation
  - It threatens the open architecture of the Internet
  - If similar policy directions are followed by other countries, it will severely hit the established Indian IT-BPM industry sector, including the emerging cloud industry, which is a major contributor to the national GDP
- Since many OTTs are located outside the country, there are various understandable national concerns, such as threats to national security through cyber espionage and the spread of social disharmony, difficulty in conducting cybercrime investigations and getting lawful access to data, difficulties in performing cyber forensics, privacy violations by foreign governments and companies, and difficulties for intelligence agencies in performing surveillance and interception, among others, that challenge the sovereign rights of nations. These national concerns, especially those relating to national security, are genuine and important, and must be respected by the OTT players. For example, OTT players should support Law Enforcement Agencies (LEAs) of different countries in crime investigations (access to data records, evidence) and forensics. The support should be transparent and timely, respecting the laws of the country from which the request originated, irrespective of the location of the data storage. While many of these issues and concerns need global discussion and solutions, the knee-jerk reaction of governments that favours data localization / regulation of OTTs is a matter of great concern.
- To overcome the challenges identified above, governments, including India, should work with other nations in plurilateral, multilateral and bilateral forums to discuss and arrive at solutions. In the age of the Internet, global cooperation is essential, and India should therefore take leadership in identified forums to ensure that its issues are addressed. For example, India should take up reform of the Mutual Legal Assistance Treaty (MLAT) with the U.S., or negotiate a special process for speedy data sharing on crime investigations with the U.S., as at present Indian LEAs face issues in getting access to data records held in datacentres in the U.S. that are required for investigating crimes that happened in India. India should strengthen bilateral, multilateral and plurilateral arrangements, international treaties and other such mechanisms, and look to improve existing procedures for quick and effective information sharing and lawful access to data.
  Indian LEAs should also be effectively resourced and trained to raise legal requests for lawful access to data from service providers and through the MLAT route. Further, there is a dire need to improve the procedures and frameworks for data sought by LEAs from OTT service providers, both in India and abroad. This can be done by establishing institutional frameworks, possibly by designating nodal agencies for seeking such information and by standardizing disclosure norms across service providers.
- While the Indian legal framework, through section 67C of the IT (Amendment) Act, 2008, has a provision for mandating the timeframe and format for retention of data records, logs, etc. by intermediaries, including OTT players, no specific requirements have been detailed through the issuance of rules under section 67C. However, various sectoral regulators have issued regulations/guidelines on data retention for organizations under their purview. Issuing rules under section 67C at the earliest will help standardize industry practices and the expectations of LEAs on data retention.
- The Indian legal framework and the LEAs should take cognizance of the nature of evolving technology architectures, such as no storage of data on the servers of OTT service providers, dynamic allocation of encryption keys, etc., so as not to scuttle innovation or unnecessarily create hurdles for OTT players.
Exploring ways by which OTT players offering app services ensure security, safety and privacy of the consumer, besides protecting consumer interest
DSCI response
- India has the second largest Internet population and is home to the fourth largest start-up ecosystem in the world, and the reason for this has been minimum government interference in operations and governance. Given that the majority of users access Internet services through their mobile devices, there is a need to secure the entire ecosystem to improve resilience.
- There is no need to create a special legal framework for OTTs to govern the security, safety and privacy of consumers. The Indian legal and policy framework already has provisions for the same: the IT Act, the National Cyber Security Policy and the Consumer Protection Act, among others. Such legal and policy provisions can surely be strengthened wherever necessary, either in content or in enforcement. For example, as per section 43A of the IT (Amendment) Act, 2008, only “Sensitive Personal Data or Information (SPDI)” is to be protected using “Reasonable Security Practices” by “Body Corporates”. There also exists a patchwork of legislation governing privacy aspects in India, but, unlike many other countries, India has no comprehensive privacy law. India should enact the comprehensive privacy law that has been in the making for long; much work has already been done in this regard through the development of a privacy framework by the Justice AP Shah Committee. Similarly, the government is yet to release the encryption policy under section 84A of the IT (Amendment) Act, 2008, “for secure use of the electronic medium and for promotion of e-governance and e-commerce.” Raising the encryption standards in the country will enhance the security, safety and privacy of consumers.
- Incorporation of security and privacy aspects should be market driven, with practices and procedures evolved from global best practices. Ensuring consumer security and privacy is in OTT providers’ best interests, as security and privacy are turning out to be important customer considerations. From a security viewpoint, policy initiatives and guidelines should provide direction for securing data without prescribing the technology or standards to be adopted. Organizations should be allowed the flexibility to implement the security measures that are most appropriate for mitigating their risks and reducing vulnerabilities. Technology-neutral policies allow OTT players to deploy the technology and processes best suited to protecting information in their specific case. Cyber threats evolve rapidly, and OTT players should therefore have the flexibility to change the solutions they use in order to better protect their customers.
- Development and adoption of standards, testing and certification mechanisms for security and privacy aspects (e.g. privacy seals or ratings of mobile apps) should be encouraged. For example, a lot of work is being undertaken at international standards development organizations (SDOs) to develop standards in the privacy space, including in the areas of privacy notice and consent. India should participate in such forums to ensure that its requirements and concerns are addressed.
- In addition to the steps taken by the government and by businesses, consumers also have an important role to play when it comes to protecting their information. Consumer education is pivotal in ensuring privacy and security.

DSCI framed these responses in consultation with the industry. Inputs were also sought on topics such as developing a regulatory framework for OTT players, Net Neutrality in the Indian context, differential pricing for different forms of services, a framework to encourage India-specific OTT apps, etc.