Rootconf For members

Impact of (draft) Telecom Bill on consumers and businesses

Challenges of spam, encryption, KYC, and user privacy

Jul 2023

17 Mon

18 Tue

19 Wed

20 Thu

21 Fri 05:00 PM – 07:00 PM IST

22 Sat

23 Sun

Make a submission

Blume Villa, Bengaluru

Tickets

Pinned update

Telecommunications Bill, 2023 introduced in Lok Sabha On 18th December 2023, the Telecommunications Bill, 2023 was introduced in the Lok Sabha based on a recommendation made by the President. Amidst existing con… more

Context of the Draft Telecom Bill - Key Issues & Concerns
The draft Telecom BIll, published by the Indian government in September 2022, aims to bring significant changes to the telecom sector by replacing outdated laws, including the century-old Indian Telegraph Act of 1885. The telecom bill is expected to be introduced in the upcoming monsoon session of Parliament, and is likely to have a significant impact on businesses and consumers if adopted in its current form.

The bill deals with several key issues, including licensing norms, spectrum allocation, consumer protection and surveillance. Some of the key proposals include:

A mandatory licensing regime that would include communication services like Whatsapp, Signal and Telegram; video conferencing applications like Skype, Zoom and Google Meet; M2M services including IoT applications; media and broadcasting; and other data-led services.
An extension of the government’s broad powers to intercept and monitor messages and to suspend telecom services in the case of public emergencies or threats to public safety.
Promoting infrastructure development and domestic manufacturing in the telecom sector through R&D activities, and streamlining the spectrum allocation process
Strengthening the consumer protection framework by imposing strict regulations on service quality and introducing grievance redressal mechanisms

Some of these proposals raise serious concerns with respect to consumer privacy, ease of doing business and the overall impact on innovation.
Keeping this in mind, Hasgeek aims to foster greater engagement between policymakers and the technology community with a series of deliberations on the bill.

Why it is important to engage on this issue?

The telecom industry is experiencing significant changes driven by technologies such as 5G, IoT, and AI, enabling innovative services and new business models. Telcos are diversifying into content and payments, while startups are entering sectors like agriculture and healthcare. An effective telecom bill is crucial to capitalise on these opportunities, incentivise innovation, and maintain operational efficiency.

However, the draft telecom bill raises serious concerns. It could increase costs for telecom operators and startups, hinder access to affordable services, and impede progress towards universal access goals. Moreover, the draft bill compromises user privacy. It expands government surveillance powers, introduces new identity verification norms, and weakens privacy rights. Additionally, the bill allows for arbitrary internet shutdowns during emergencies, without adequate safeguards.

To ensure a thriving telecom sector, it is essential to strike a balance between regulatory oversight and safeguarding user rights. For this to happen, policymakers, the technology community, users and civil society need to have a deeper dialogue on the proposed telecom bill.

This event is free to attend.
Rootconf is a community funded organization. If you like the work that Rootconf does, and want to support meet-ups and activities in different cities in India, consider contributing by picking up a membership.

Who should attend this discussion?

Startup teams building products across the infrastructure, application and services layers
Investors tracking the telecom, IT and media sectors in India
Individual consumers who will be directly affected if the bill is adopted
Civil society actors engaged in defending the rights of users
Think tanks developing a research agenda on these issues
Policymakers including government officials and regulators in the telecom sector
Lawyers and policy advisors advising clients on the impact of the bill

Key outcomes for participants

Join a forum for startups, technologists, industry representatives, and policymakers to engage on the issues with the Bill.
Make a submission to the government during the session as the (draft) Telecom Bill may be tabled at the monsoon session of the Parliament.

Agenda & Speakers

This is an in-person event

Context setting discussion and recap of the discussion at the online event between Kunal Raj Barua and Mousomi Panda from the Aapti Institute, and Amlan Mohanty.
Panel discussion on the technical impact of India’s Telecom Bill on spam, encryption, KYC, and user privacy with Kunal Raj Barua (Senior Manager, Aapti Institute), Rishu Mehrotra (Technology Leader, Merkle Science), Nikhil Narendran (Partner, Trilegal), and Vivek Jathanna (Vice President - New Initiatives, Exotel). The discussion will be moderated by Amlan Mohanty.

Contact: Join the Rootconf Telegram group at https://t.me/rootconf or follow @rootconf on Twitter.
For inquiries, contact Rootconf at +91-7676332020.

Hosted by

Rootconf

We care about site reliability, cloud costs, security and data privacy

All submissions

Report: Impact of (draft) Telecom Bill on Consumers and Businesses

Submitted Aug 16, 2023

The Draft Indian Telecommunication Bill, 2022 was released by the Department of Telecommunications in September 2022 for public feedback. The Bill is likely to have a significant impact on businesses and consumers if adopted in its current form, and to discuss these concerns, Rootconf organized a series of discussions. On 21st July 2023, stakeholders and civil society representatives came together for an offline event to discuss key concerns and share their recommendations. The panelists in this event were:

Kunal Raj Barua (Senior Manager, Aapti Institute),
Rishu Mehrotra (Technology Leader, Merkle Science),
Nikhil Narendran (Partner, Trilegal), and
Vivek Jathanna (Vice President - New Initiatives, Exotel)

Kunal Raj Barua and Mousomi Panda from the Aapti Institute also presented their report on the Bill. The event was moderated by Amlan Mohanty (Lawyer and tech policy advisor).

This report summarizes the key points and recommendations that were discussed during this event.

Update 1: Following this series of discussions and awareness being raised around concerns regarding the broad definition of technologies falling under the purview of this Bill to include over-the-top (OTT) platforms, on 5th August 2023, the Union Cabinet relaxed regulations on OTT communication services. This was one of the key issues in the draft Bill which, as a result of public consultations and efforts by tech communities and civil society actors, was considered by the Cabinet. Read more here.

Update 2: On 18th December 2023, the Telecommunications Bill, 2023 was introduced in the Lok Sabha based on a recommendation made by the President. Amidst existing concerns regarding the Bill such as increased surveillance, a return to license raj, privacy violations, censorship, etc., it is being introduced as a finance bill. Currently, it also meets the requirements for being declared a money bill, which would enable the Lok Sabha to pass the Bill without approval from the Rajya Sabha.

I. Background and context

Regulatory considerations: The Bill consists of a wide definition for what telecom services comprise of. There are four elements in the definition which includes email, internet based communication services, over the top communication services, and voice, video, and data communication services. This means that the government can license any of these services under the Bill. However, from a technical point of view, regulated licensing should only apply to scarce resources.
Implications: The implications of licensing include financial obligations due to expensive licenses, making changes to one’s infrastructure network to be able to provide access to the government to data flowing through their networks, as well as the possibility that the government can use its licensing power to suspend one’s services. Such a licensing regime would create a roadblock for technological innovations in this field and would risk the creation of a monopoly since only the well-established market leaders would be able to comply with the regulations without significantly harming their business. Moreover, the objective and purpose of expanding the licensing agreements has not been articulated clearly.
Impact on end users: Licensing obligations should apply to the primary entity and not float downstream to the end user. Essentially, the telecom operator should be the only entity that is required for licensing and a licensee cannot be the end users of the telecom operator, regardless of whether they are enterprise or retail.

This event consisted of discussions around KYC, spam, and encryption. The aim for introducing KYC in telecom services is that the identity of a person who is initiating any communication must be identified and it should be made available to the recipient. From a technical point of view, this raises a lot of concerns regarding the personal details that will be used for identification, the effects on internet based communication services and anonymous and pseudo anonymous platforms, etc. Secondly, it has been widely recognized that spam involved in new and emerging communications is an important issue. However, the technical requirements to solve this issue are still unclear. Lastly, the issue of encryption requires further clarity on the impact of the Telecom Bill on encrypted communications. There is also a broader discussion about how around the world, there is increasing pressure from policy makers and governments to weaken encrypted communications for security purposes. While this Bill was an opportunity for reform on the surveillance powers of the government, instead, the Bill proposes to limit the access to encrypted modes of communication and other types of privacy preserving technologies for users, and potentially increases costs for users.

II. Presentation of report on the draft Telecom Bill by Aapti Institute

Following the brief introduction, speakers from the Aapti Institute presented their report on “Unpacking the Key Costs and Consequences of the New Telecom Bill”. The monetary and non-monetary implications of the draft bill on the various types of the stakeholders (businesses, users, and the government) have been summarized below:

1. Impact on Businesses

Some of the key and significant costs impacting businesses include:

Licenses and Fees
Telecommunication Development Fund (TDF)
Spectrum Costs
User Verification Costs (all of the services not only have to identify the users, but also undertake due diligence and data management for user verification, which requires significant technological upgradation)
Interception Costs
Compliance and Legal Cost

Some of the key non-monetary implications for businesses include the privacy and the business features of these platforms, frictions within the regulatory body, reduced time and capital to improve quality of services, and also the reduced efficiency and operational flexibility for many of these business platforms.

2. Monetary Impact on Users

The key monetary concerns for users are around affordability and access. Rising business costs could mean that the users will have to pay significantly higher to be able to continue using these communication services. While it is assumed that user verification does not have a significant cost, it does have a potential monetary and non monetary implication, which could also mean that people from vulnerable communities find it harder to use these platforms. Moreover, there are also provisions of fines for misrepresentation which may happen when multiple users share an online service.

The non-monetary implications for the user would be the lack of privacy or anonymity, the lack of platform choices, the awareness burden on the users, and the resultant high cost of information. There is a large amount of user hesitancy to continue on the platforms which are not considered to be private or secure enough. One of the other biggest concerns apart from privacy and anonymity is also about the data rights of the user, considering the weak cybersecurity guidelines and the lack of a data protection bill as of now in India. This is a cause of concern for data protection, data leakages, and misuse of personal data.

3. Impact on Government

Potential monetary concern for the government includes:

Cost burden and capacity of government bodies and jurisprudence due to monitoring and auditing the large pool of service providers
Regulation of ‘all telecommunication services’ would require a significant amount of capacity building
Role of intermediary bodies and improved data management structures for interception and decryption of messages, and also user verification
Improved protection protocols for citizens

A key non-monetary concern for the government remains the geopolitical sensitivities with the global service provider using which many of the affected business platforms connect Indian users with users who are based in other countries, which may have a different data protection regime. This would make it very difficult for businesses to undertake many of these provisions as there may be conflicts with regulations in other countries. Apart from that, there are also national security considerations around user data. In the bill, national security is being thought about from the perspective of the state. However, security also needs to be understood from the perspective of user rights, which means that there needs to be a balance between user rights and the national interests of the government.

The Aapti Institute report makes the following recommendations:

Classification of entities by layer, and service type
Finding minimum effective regulation, based on classification may be examined
Considering adjacent and supportive practices of data management to balance national security, while protecting secure communications
Enhancing collaboration between the private and public sectors

To access this report, please click here.

III. Panel discussion on the impact of the (draft) Telecom Bill on consumers and businesses

Key concerns and recommendations

Multiple avenues for conducting KYC verification should be established and not only at the top level, but throughout.
Using technology to develop a system to figure out if there are repeat offenders who are submitting fake documents and different name matches leading to fraud, and try to figure out a better way to handle KYC processes.
Centralized database for KYC, such as DigiLocker, instead of building separate databases for fintechs, telcos, etc. Additionally, developing better cybersecurity infrastructure to support the same.
Telecommunications is something that affects people across socio-economic differences and the infrastructure should be developed such that it can accomodate those differences and provide ease of service for all users, especially those from marginalized backgrounds. The telecommunication sector is a lot more nuanced compared to other sectors because it includes connectivity, identity, as well as service provision. Hence, a more holistic approach needs to be adopted.
Number masking is no longer a privacy related feature, but is a use case that enables a customer’s and agent’s experience and gives an advantage and necessary control quality checks for the buyer.
A suggestion regarding KYC was that other unique identifiers such as device IDs can be used instead of personal identifiers to avoid surveillance and traceability of the individual.
While traceability is required from a national security perspective, in the wrong hands, it can essentially lead to unraveling of all personal information for someone. Moreover, it is important to develop the cybersecurity infrastructure, ensure that checks and processes are in place to avoid data breaches and misuse of data, etc.
The definition section needs to be completely overhauled and reworked from scratch.
The problem with any licensing model is the fact that there is lack of transparency. Under this Bill, if OTTs come on the licensing model, then the transparency that currently exists will also be lost.
Asking telcos to do KYC pushes them further back from innovating which is already quite slow given the fast pace at which technologies such as 5G are being developed combined with the existing overburdening of regulations. This applies to all such startups as well. Moreover, the infrastructure to carry out stringent KYC processes requires far more resources and capital than what small and mid-sized telcos and startups can afford.
In a situation where there is too much specification regarding licensing, companies start to follow the “cut-copy-paste” model, which is counter-productive.
OTT platforms should also be regulated, but not licensed.
With respect to surveillance, it is something that is required for national security reasons. However, the way in which the Supreme Court required transparency around any national security activities in the physical world, that same has not been done for the digital world. There needs to be various levels of accountability in the entire process, starting from accessing one’s data to investigate allegations.
Using technology, identity and verification can be seen as a service to identify spam and fraud. Blockchain is decentralized and offers some of the capabilities required for KYC, which can be further developed to keep a track of repeat offenders.

IV. Key takeaways

From a social perspective, the intended audience for this KYC process needs to be taken into account, i.e. marginalized communities. The various infrastructural, accessibility, and resource-related challenges need to be solved first, before implementing KYC rules across all telecom companies.
From a technical perspective, some of the key attributes that came up to help create a baseline ecosystem around the regulatory requirements were ensuring scalability, interoperability, decentralization and using privacy preserving technologies for identity verification.
From a regulatory perspective, instead of having a “same service, same rules” approach, the regulations should have a “same service, same safeguards” approach to ensure that users are protected.