Against the backdrop of the recent Union Budget announcements and priority initiatives of the government such as Digital India, cashless economy, smart cities, among others, it wouldn’t be wise to discount the role of IT and telecommunications. In fact, the success of these and similar initiatives hinges largely on telecom, internet infrastructure and connectivity. Factors such as the explosion of connected devices, thanks to IoT, coupled with the renewed focus on as AI, VR, robotics, device-agnostic tech solutions, as outlined by the government in the Budget, will add much-needed fillip to the telecommunications industry in the near future. Telecom has always been the backbone of India’s economic growth and, given the dynamics, it will continue to be so as we tread further into the future; protecting the industry is no longer a matter of choice.
In the Budget, the finance minister committed that all railway stations and trains will have Wi-Fi connectivity, NITI Aayog will establish a national programme to direct efforts in AI, Aadhaar linking will be given further boost, 5G adoption will be accelerated and the Department of Telecommunications will support the establishment of indigenous test bed at IIT Chennai. The government also pledged to invest heavily in robotics, Big Data, quantum computing and IoT, doubling its allocation to centres of excellence under the Department of Science and Technology. The industry welcomes these steps and the focus has firmly shifted globally towards creating a safe and secure cyberspace.
As we get more and more connected, networks, infrastructure and devices will be increasingly vulnerable. There are loopholes that cyber criminals eye aggressively. Any large dataset stored in a single space is a virtual honey pot for cyber criminals. Globally, governments and other stakeholders, including the industry and civil society, are looking at newer norms of data privacy. Even in countries where the right to privacy is not enshrined in the Constitution, businesses are demanding a stronger, legal framework, but not at the cost of prying and stifling regulation, where governments demand back doors and trap doors. Instances of breaches have multiplied many times over, as data is the new oil. Most of these vulnerabilities arise out of inadequate in-house controls and because of citizens’ lack of awareness. From conducting transactions to e-banking, we carry our world with us in our mobile phones and this alone makes security and privacy real concerns. Most mobile phones come with a default PIN and password protection capabilities. However, considering the rising number of unauthorised usages, breaches and misuse of sensitive information, it wouldn’t be wrong to conclude that either consumers do not use them or there are loopholes.
India is the world’s second-largest telecom market, after China, and has witnessed stellar growth—it has surpassed the US to become the second-largest smartphone market, with over 40 million units shipped in the third quarter of 2017 (23% growth). The market is estimated to grow even faster, given the influx of connectivity-dependant technologies. On one hand, the mobile phone market is undergoing consolidation on top of the aggressive 4G roll-out, and on the other the industry is preparing for 5G. In such a scenario, collection and processing of personal data should be allowed with minimal restrictions, provided it is coupled with user transparency, empowerment and control, and organisational accountability.
Data-driven innovation and privacy are compatible; data-driven innovation cannot be scaled without adequate privacy safeguards and gaining users’ trust. It is critical to empower the users without over-regulating data collection. Privacy framework should be outcome-driven—legislation alone is not enough unless supported by adequate implementation, including an effective grievance redressal system and user awareness. Instead of a prescriptive law that is weakly enforced, we should aim for a light touch law that is strongly enforced.
Given the volume of transactions happening electronically and considering the multiple players involved in each transaction, it may not be practically possible to create a centralised ex ante compliance system. The policy must take into account the fact that digital economy is thriving in part because most businesses work hard to maintain user trust and confidence. Brand safety is perhaps a motivation that is bigger than fear of regulations. Instead of government monitoring, the legislator should be encouraged to endorse a culture of corporate accountability—it would limit the ex ante enforcement approach to a minimum. This has been the approach of other privacy enforcement authorities who have seen how effective privacy and data protection are better achieved by incentivising companies to adopt best practices and demonstrate that they are accountable to their users.
The transition from 2G to 3G took more than a decade. However, since then, the industry had made rapid strides and 4G has eclipsed 3G. Now, 5G is on its way. It will deliver data transfer speeds that are up to 200 times faster than 4G. It will make it possible for users to enjoy rich 4K video and more immersive virtual and augmented reality experiences. 5G will seamlessly facilitate data-heavy tasks and streamline everything from IoT and self-driving cars to robotics. The industry has added several lakh base transceiver stations pan-India—now they number over 17 lakh—and is promising over `74,000 crore by way of investment.
Last year, globally, millions of people were affected as hackers stole information via phishing emails, watering hole attacks and ransomware. Businesses lost cash, reputation and sensitive information, and individuals suffered due to breaches in bank accounts. Data security and privacy are a growing concerns—everyone with a device or on a network is at risk.
Most data breaches can be prevented or at least the impact can be minimised if the industry and end-consumers come together and take corrective measures. Instead of using static passwords, consumers can use two-factor authentication when conducting sensitive online transactions on their mobile devices. Passwords can be guessed, forgotten, stolen or eavesdropped, whereas two-factor authentication is more secure. Similarly, it is advisable to use secure Wi-Fi networks. Wireless transactions are not always encrypted. Emails and many applications do not encrypt data that they transmit over the network, making them vulnerable.
Moreover, several mobile devices contain malware, which consumers download unknowingly. These malware are often disguised as games, security patches, utility or other useful applications. Add to that lack of encryption, and your device and the sensitive information it holds are in for unauthorised access. Then there are issues such as lack of legitimate and well-engineered security software, outdated operating systems, lack of consistent security updates, outdated software patches and lack of firewalls.
The government can take steps in terms of rolling out reformative measures, incentivising businesses and SMEs through policies and regulations that are industry-friendly, creating a mass awareness programme in addition to the National Digital Literacy Mission. An increased investment in R&D for the digital economy and a responsive and nimble legal framework is needed. Deploying more foolproof and advanced security-enabled government infrastructure would also help ensure data privacy. The Cyber Swachhta Kendra is a commendable initiative.
Instead of prescribing privacy practices in the form of administrative requirements like format of notice and other codes of practice, including assessment/audit standards, the privacy framework should define the broad principles and requirements, and allow organisations to design their own privacy programmes in compliance with these principles. The focus should be to improve internal governance mechanisms in organisations without introducing bureaucracy. While organisations should be allowed to self-regulate, they should be held accountable for any violations. In case of any breach or complaint, the onus to prove due diligence should lie with the organisations. A multi-stakeholder consultative model is best suited for a country like India where all stakeholders can work with the government and do their bit for a safe and secure connected India.