Impact of (draft) Telecom Bill on consumers and businesses

The Draft Indian Telecommunication Bill, 2022 was released by the Department of Telecommunications in September 2022 for public feedback. The Bill is likely to have a significant impact on businesses and consumers if adopted in its current form, and to discuss these concerns, Rootconf organized a series of discussions. On 21st July 2023, stakeholders and civil society representatives came together for an offline event to discuss key concerns and share their recommendations. The panelists in this event were:

• Kunal Raj Barua (Senior Manager, Aapti Institute),
• Rishu Mehrotra (Technology Leader, Merkle Science),
• Nikhil Narendran (Partner, Trilegal), and
• Vivek Jathanna (Vice President - New Initiatives, Exotel)

Kunal Raj Barua and Mousomi Panda from the Aapti Institute also presented their report on the Bill. The event was moderated by Amlan Mohanty (Lawyer and tech policy advisor).

This report summarizes the key points and recommendations that were discussed during this event.

Update 1: Following this series of discussions and awareness being raised around concerns regarding the broad definition of technologies falling under the purview of this Bill to include over-the-top (OTT) platforms, on 5th August 2023, the Union Cabinet relaxed regulations on OTT communication services. This was one of the key issues in the draft Bill which, as a result of public consultations and efforts by tech communities and civil society actors, was considered by the Cabinet. Read more here.

Update 2: On 18th December 2023, the Telecommunications Bill, 2023 was introduced in the Lok Sabha based on a recommendation made by the President. Amidst existing concerns regarding the Bill such as increased surveillance, a return to license raj, privacy violations, censorship, etc., it is being introduced as a finance bill. Currently, it also meets the requirements for being declared a money bill, which would enable the Lok Sabha to pass the Bill without approval from the Rajya Sabha.

I. Background and context

1. Regulatory considerations: The Bill consists of a wide definition for what telecom services comprise of. There are four elements in the definition which includes email, internet based communication services, over the top communication services, and voice, video, and data communication services. This means that the government can license any of these services under the Bill. However, from a technical point of view, regulated licensing should only apply to scarce resources.

2. Implications: The implications of licensing include financial obligations due to expensive licenses, making changes to one’s infrastructure network to be able to provide access to the government to data flowing through their networks, as well as the possibility that the government can use its licensing power to suspend one’s services. Such a licensing regime would create a roadblock for technological innovations in this field and would risk the creation of a monopoly since only the well-established market leaders would be able to comply with the regulations without significantly harming their business. Moreover, the objective and purpose of expanding the licensing agreements has not been articulated clearly.

3. Impact on end users: Licensing obligations should apply to the primary entity and not float downstream to the end user. Essentially, the telecom operator should be the only entity that is required for licensing and a licensee cannot be the end users of the telecom operator, regardless of whether they are enterprise or retail.

This event consisted of discussions around KYC, spam, and encryption. The aim for introducing KYC in telecom services is that the identity of a person who is initiating any communication must be identified and it should be made available to the recipient. From a technical point of view, this raises a lot of concerns regarding the personal details that will be used for identification, the effects on internet based communication services and anonymous and pseudo anonymous platforms, etc. Secondly, it has been widely recognized that spam involved in new and emerging communications is an important issue. However, the technical requirements to solve this issue are still unclear. Lastly, the issue of encryption requires further clarity on the impact of the Telecom Bill on encrypted communications. There is also a broader discussion about how around the world, there is increasing pressure from policy makers and governments to weaken encrypted communications for security purposes. While this Bill was an opportunity for reform on the surveillance powers of the government, instead, the Bill proposes to limit the access to encrypted modes of communication and other types of privacy preserving technologies for users, and potentially increases costs for users.

II. Presentation of report on the draft Telecom Bill by Aapti Institute

Following the brief introduction, speakers from the Aapti Institute presented their report on “Unpacking the Key Costs and Consequences of the New Telecom Bill”. The monetary and non-monetary implications of the draft bill on the various types of the stakeholders (businesses, users, and the government) have been summarized below:

1. Impact on Businesses

Some of the key and significant costs impacting businesses include:

• Licenses and Fees
• Telecommunication Development Fund (TDF)
• Spectrum Costs
• User Verification Costs (all of the services not only have to identify the users, but also undertake due diligence and data management for user verification, which requires significant technological upgradation)
• Interception Costs
• Compliance and Legal Cost

Some of the key non-monetary implications for businesses include the privacy and the business features of these platforms, frictions within the regulatory body, reduced time and capital to improve quality of services, and also the reduced efficiency and operational flexibility for many of these business platforms.

2. Monetary Impact on Users

The key monetary concerns for users are around affordability and access. Rising business costs could mean that the users will have to pay significantly higher to be able to continue using these communication services. While it is assumed that user verification does not have a significant cost, it does have a potential monetary and non monetary implication, which could also mean that people from vulnerable communities find it harder to use these platforms. Moreover, there are also provisions of fines for misrepresentation which may happen when multiple users share an online service.

The non-monetary implications for the user would be the lack of privacy or anonymity, the lack of platform choices, the awareness burden on the users, and the resultant high cost of information. There is a large amount of user hesitancy to continue on the platforms which are not considered to be private or secure enough. One of the other biggest concerns apart from privacy and anonymity is also about the data rights of the user, considering the weak cybersecurity guidelines and the lack of a data protection bill as of now in India. This is a cause of concern for data protection, data leakages, and misuse of personal data.

3. Impact on Government

Potential monetary concern for the government includes:

• Cost burden and capacity of government bodies and jurisprudence due to monitoring and auditing the large pool of service providers
• Regulation of ‘all telecommunication services’ would require a significant amount of capacity building
• Role of intermediary bodies and improved data management structures for interception and decryption of messages, and also user verification
• Improved protection protocols for citizens

A key non-monetary concern for the government remains the geopolitical sensitivities with the global service provider using which many of the affected business platforms connect Indian users with users who are based in other countries, which may have a different data protection regime. This would make it very difficult for businesses to undertake many of these provisions as there may be conflicts with regulations in other countries. Apart from that, there are also national security considerations around user data. In the bill, national security is being thought about from the perspective of the state. However, security also needs to be understood from the perspective of user rights, which means that there needs to be a balance between user rights and the national interests of the government.

The Aapti Institute report makes the following recommendations:

• Classification of entities by layer, and service type
• Finding minimum effective regulation, based on classification may be examined
• Considering adjacent and supportive practices of data management to balance national security, while protecting secure communications
• Enhancing collaboration between the private and public sectors

To access this report, please click here.

III. Panel discussion on the impact of the (draft) Telecom Bill on consumers and businesses

Key concerns and recommendations

• Multiple avenues for conducting KYC verification should be established and not only at the top level, but throughout.
• Using technology to develop a system to figure out if there are repeat offenders who are submitting fake documents and different name matches leading to fraud, and try to figure out a better way to handle KYC processes.
• Centralized database for KYC, such as DigiLocker, instead of building separate databases for fintechs, telcos, etc. Additionally, developing better cybersecurity infrastructure to support the same.
• Telecommunications is something that affects people across socio-economic differences and the infrastructure should be developed such that it can accomodate those differences and provide ease of service for all users, especially those from marginalized backgrounds. The telecommunication sector is a lot more nuanced compared to other sectors because it includes connectivity, identity, as well as service provision. Hence, a more holistic approach needs to be adopted.
• Number masking is no longer a privacy related feature, but is a use case that enables a customer’s and agent’s experience and gives an advantage and necessary control quality checks for the buyer.
• A suggestion regarding KYC was that other unique identifiers such as device IDs can be used instead of personal identifiers to avoid surveillance and traceability of the individual.
• While traceability is required from a national security perspective, in the wrong hands, it can essentially lead to unraveling of all personal information for someone. Moreover, it is important to develop the cybersecurity infrastructure, ensure that checks and processes are in place to avoid data breaches and misuse of data, etc.
• The definition section needs to be completely overhauled and reworked from scratch.
• The problem with any licensing model is the fact that there is lack of transparency. Under this Bill, if OTTs come on the licensing model, then the transparency that currently exists will also be lost.
• Asking telcos to do KYC pushes them further back from innovating which is already quite slow given the fast pace at which technologies such as 5G are being developed combined with the existing overburdening of regulations. This applies to all such startups as well. Moreover, the infrastructure to carry out stringent KYC processes requires far more resources and capital than what small and mid-sized telcos and startups can afford.
• In a situation where there is too much specification regarding licensing, companies start to follow the “cut-copy-paste” model, which is counter-productive.
• OTT platforms should also be regulated, but not licensed.
• With respect to surveillance, it is something that is required for national security reasons. However, the way in which the Supreme Court required transparency around any national security activities in the physical world, that same has not been done for the digital world. There needs to be various levels of accountability in the entire process, starting from accessing one’s data to investigate allegations.
• Using technology, identity and verification can be seen as a service to identify spam and fraud. Blockchain is decentralized and offers some of the capabilities required for KYC, which can be further developed to keep a track of repeat offenders.

IV. Key takeaways

1. From a social perspective, the intended audience for this KYC process needs to be taken into account, i.e. marginalized communities. The various infrastructural, accessibility, and resource-related challenges need to be solved first, before implementing KYC rules across all telecom companies.
2. From a technical perspective, some of the key attributes that came up to help create a baseline ecosystem around the regulatory requirements were ensuring scalability, interoperability, decentralization and using privacy preserving technologies for identity verification.
3. From a regulatory perspective, instead of having a “same service, same rules” approach, the regulations should have a “same service, same safeguards” approach to ensure that users are protected.