tl;dr
IFF has submitted comments pursuant to the Telecom Regulatory Authority of India's (TRAI) “Consultation Paper on Regulatory Framework for Promoting Data Economy Through Establishment of Data Centres, Content Delivery Networks, and Interconnect Exchanges” (Consultation Paper). Our comments are threefold. They call for urgency in the creation of a multi-stakeholder body for the enforcement of net neutrality. We then caution against regulating CDNs given existing market efficiency. Finally, we urged the TRAI to recast focus towards telecom companies practises for data protection standards rather than adopting flawed technical systems of consent (eg. DEPA).
A significant public consultation
On December 16, 2021 the TRAI issued a, “Consultation Paper on Regulatory Framework for Promoting Data Economy Through Establishment of Data Centres, Content Delivery Networks, and Interconnect Exchanges”. The paper seems to have been prompted out of an economic policy objective of spurring domestic growth in these sectors. At the same time it contains several proposals on the sharing of telecom data, principally KYC records of customers.
Given such framing, obvious issues of innovation that serve users, net neutrality and data protection emerge for consideration. We believe this is an important consultation and given it’s seriousness intend to also file counter-comments. At the same time we encourage members of the general public and, -- academics, network engineers, technologists and digital rights groups to participate. Our submissions which are attached below fall within three primary buckets in which we have provided comments specific to digital rights. Broadly these concern questions on CDN regulation, issues of privacy and net neutrality.
CDNs: If ain’t broke, don’t fix it
“Since commercial arrangements between internet companies, CDNs, and ISPs/TSPs are not disclosed, monitoring of such arrangements and traffic patterns would help in ensuring net-neutrality principles and fair competition.” (Page 97, para 3.38, TRAI Consultation Paper)
For those who may not be familiar with CDNs, you can check out this video. As Mozilla defines CDN, it “is a group of servers spread out over many locations. These servers store duplicate copies of data so that servers can fulfil data requests based on which servers are closest to the respective end-users. CDNs make for fast service less affected by high traffic.” Today a significant amount of web traffic is served through CDNs, including for sites like Facebook, Amazon and Netflix. Hence, as internet traffic volumes steadily increase, primarily due to video streaming services, the growth and traffic management practises of CDNs.
In this Consultation Paper, TRAI inquires whether there’s a need to regulate the CDN industry to promote growth and fair competition. We made the following recommendations:
- Evidence based policy making for CDNs : The TRAI as well as global regulators have stayed away from regulating CDNs as they have observed the market is competitive and provides user benefit. Here, there is a lack of existing evidence (real data) on any prospective harms, specifically in the Indian market. Hence, a common recommendation to several questions posed is for a deeper study prior to devising regulation and maintaining a policy of forbearance.
- Query information from telecom companies: In addition to independent CDNs, many TSPs also have their own CDNs or enter into private agreements with CDNs like Akamai or Cloudflare. However, trend mapping becomes difficult in these cases as there’s a lack of disclosure. Hence, TRAI should seek more information by using existing powers for a reporting mechanism for TSPs. This should include regular disclosure of privately negotiated interconnection agreements and paid peering/transit arrangements.
Better transparency from telecom companies is better for all of us. This brings us to net neutrality.
Delay and dithering in net neutrality enforcement
“While the ISPs are subjected to net-neutrality-specific licence terms and conditions, a formal mechanism to enforce the same on CDN players does not exist” (Page 96, para 3.37, TRAI Consultation Paper
IFF owes its birth to the Net Neutrality movement, SaveTheInternet.in. Here we welcome further action around enforcement. India today on paper has the globally leading regulations for Net Neutrality. However, without the body that is supposed to enforce it has still not been established! For this, we made the following recommendations:
- Setting up the multi-stakeholder body: We commend TRAI’s recommendation to the Department of Telecommunications to set-up a multi-stakeholder body (MSB) for the enforcement of net neutrality principles. However, to our surprise, the DoT expressed its disinclination to establish a MSB owing to COVID-19 driven budget constraints. This lack of an institutional mechanism may pose a threat to safeguarding an open and free internet as TSPs may abuse interconnection agreements to violate net neutrality principles. Hence, we firmly believe TRAI should urgently establish a multi-stakeholder body for more research-based policy determination on the issue.
- Lack of existing enforcement: It will also help check technical forms of discrimination, like website blocking, slowing down of web services, etc. that are prohibited by the Unified Access Service Agreements. Additionally, it will promote a level playing field for all CDN players in light of the oligopolist, three player telecom market with Reliance Jio, Bharti Airtel and Vodafone Idea dominating the market.
Privacy is a right, not a commodity!
“Data digitization would further help data principals in data sharing to gain beneficial terms or conditions from businesses, information bartering, selling data outright (via consent managers or independently), etc.” (Page 75, para 2.116, TRAI Consultation Paper)
The consultation paper contains several proposals for the commercialization and sale of telecom data that poses significant concerns. While the consultation paper notes the various provisions of the Personal Data Protection bill, 2019, and the Data Protection Bill, 2021, it is important to consider these are legislative proposals without the force of law (for a detailed analysis of the 2021 bill, see here, here, here and here).
- Privacy protections by telecom companies: Till a data protection law if formulated that can form a Data Protection Authority that can protect users across sectors, we believe the TRAI can at the least commence querying information in the telecom sector. One of the first items it can approach are the existing privacy policies of telecom companies that are one sided contracts of adhesion. They are vague and poorly support telecom subscribers. These policies are not under any overview and concerning given the DOT’s parliamentary response in the Budget session confirming the extension of storage of telecom data for two years and at the same time stating it does not review the privacy policies or practises of telecom companies.
- Staying away from “DEPA”: We cautioned against the consent architecture being proposed through the application of the DEPA framework. Our primary submission is that it lacks any legal backing, and thus doesn’t provide for any remedies. Additionally, the technical architecture as proposed within the consultation paper is as per an infographic from “iSPIRIT Developers”. This “consent architecture” is more about data exploitation that meaningful consent that is backed with legal guarantees. For instance it aims to facilitate the sharing of telecom data with other service providers for purposes such as credit scoring for “flow-based credit” or, “insurance”. Telecom data aggregation will pose certain risks without an enforceable data protection law or authority to monitor and provide legal remedies.
- Surveillance reforms: In reference to a section in the consultation paper titled ‘Issues not explicitly covered in the Data Protection Bill’ (section 5.13), we suggested (again) that TRAI may work towards strengthening the opaque, antiquated and deficient regulatory system of surveillance. This can proceed from a review of safeguards under the UAS licence and whether they meet the standards of the Supreme Court’s Right to Privacy Judgement.
- Data monetisation: We cautioned against formulating policies aimed at, “data monetisation”. Here, the market objectives may create a perverse incentive for greater amounts of data collection and retention beyond the purpose consented by users. The harm will be greater if this is formalised as a stream of revenue generation for the government leading to increased surveillance over citizens. Put quite simply, data monetisation without a data protection law is hazardous and nothing more than data maximisation.
Next steps and how can you participate!
The counter comments phase of the consultation remains open till February 24, 2022. For this stage, we encourage you to read our submission, support it by sending an email to TRAI and offering suggestions. Please feel free to shoot us an email on [email protected] if you think we may have missed something or wish to provide any inputs. Due to the consultation's technical nature, we would be especially keen on inputs from technical experts such as network engineers.
Important Documents
- IFF’s comments on TRAI’s Consultation Paper on Regulatory Framework for Promoting Data Economy Through Establishment of Data Centres, Content Delivery Networks, and Interconnect Exchanges in India dated 10th February, 2020 (link)
- TRAI’s Consultation Paper on Regulatory Framework for Promoting Data Economy Through Establishment of Data Centres, Content Delivery Networks, and Interconnect Exchanges in India dated 16th December, 2021 (link)
- IFF’s comments on TRAI’s Consultation Paper on Traffic Management Practises (TMPs) and Multistakeholder Body for Net Neutrality dated 13th February, 2020 (click here)Read more on net neutrality (link)
Note: This post was drafted by Shivangani Misra, a Capstone Fellow hosted at IFF, and reviewed by IFF staffer Anushka Jain.