Category Archives: Internet Governance

Consent to Cookie: Analysis of European ePrivacy Regulations

This article is an analysis of the ‘Regulation on Privacy and Electronic Communications’ newly passed by the European Union.

A huge part of our daily life now revolves around the usage of websites and communication mediums like Facebook, WhatsApp, Skype, etc. The suddenness with which these services have become popular left law-making authorities with little opportunity to give directions to these companies and regulate their actions. For the large part these services worked on the basis of self-regulation and on the terms and conditions which consumers accepted. These services gave people access to their machinery for free, in return for personal data about the consumer. This information is later sold to advertisers who later on send ‘personalised’ advertisements to the consumer on the basis of the information received.

With growing consciousness about the large-scale misuse that can take place if the data falls into wrong hands, citizens have started to seek accountability on part of these websites. With increasing usage of online services in our daily lives and growing awareness about the importance of privacy, the pressure on governments to make stricter privacy laws is increasing.

The nature of data that these services collect from the consumer can be extremely personal, and with no checks on the nature of data that can be collected, there is a possibility for abuse. It can be sold with no accountability in the handling of such information. Regulations such as those related to data collection, data retention, data sharing and advertising are required, and for the most part have been lacking in almost all countries. The European Union however has been in a constant tussle with internet giants like Google, Facebook and Amazon over regulations because, although these companies have operations in Europe, they are not under its jurisdiction. In fact they are not under the jurisdiction of any countries except the ones they are based in. The EU on 10 January 2017 released a proposal on the Privacy of individuals while using Electronic communications which will come into force in May 2018.

The objective of the ‘Regulation on Privacy and Electronic Communications’ is to strengthen the data protection framework in the EU. The key highlights of the data protection laws are as follows:

  • Unified set of Rules across EU – These rules and regulations will be valid and enforceable across the European Union and will provide a standard compliance framework for the companies functioning in the Union.
  • Newer Players – Over-the-top services are those services which are being used instead of traditional services such as SMS and calls. The law seeks to regulate these Over-The-Top services (OTT) such as WhatsApp, Gmail, Viber, Skype, etc., and the communication between Internet-of-Things devices, which have been outside the legal framework as the existing laws and regulations are not wide enough in scope to cover the technology used.
  • Cookies – A cookie is information about the user’s activity on the website, such as what is there in the user’s shopping cart. The new regulations make it easy for end-users to give consent for cookies on web browsers and put the users more in control of the kind of data that is being shared.
  • Protection against spam – The proposal bans unsolicited electronic communication from mediums like email, phone calls, SMS, etc. This proposal basically places a restriction on spam, mass sending of mails or messages with advertisements with or without the end-user consenting to receive those advertisements.
  • Emphasis on Consent – The regulation lays strict emphasis on the idea of user-consent in terms of any data being used for any purpose that is not strictly necessary to provide that service. The consent in this case should be ‘freely given, specific, informed, active and unambiguous consent expressed by a statement or clear affirmative action’.
  • Limited power to use metadata – Unless the data is necessary for a legal purpose, the service provider will either erase the metadata or make the data anonymous. Metadata is data about data – it is used by the Internet Service Providers, websites and governments to make a summary of the data available to create patterns or generalised behaviour to use specific data easily.

The Regulation has far-reaching effects in terms of taking into its fold businesses which were earlier not a part of the regulations and would cover any technological company which provides electronic communications services in the Union. This would require businesses to sustain costs to redesign their communication systems and ensure that their future software updates are designed in such a way that the users’ consent is taken.

The main argument raised by the proposal in favour of bringing in the new Regulation is that an increasing number of users want control over their data and want to know where their data is going and who it is accessed by. This is because of the growing consciousness about the far-reaching effects of providing huge quantities of personal information to private entities with little or no check on the use of the data.

The biggest relief given to both the users and service providers was the change in the cookie policy. The previous regulation made it mandatory for the website to take consent before any cookie was placed on the user’s computer. This would have led to the user being bombarded with requests on the computer. The new regulation lets the user choose the settings for the cookies from a range of high-to-low privacy while installing the browser and after every six months they would receive a notification that they can change the setting.

There is however the issue of how the websites will know that the user has opted out of receiving targeted advertisements. There is a possibility of using a tool called Do-Not-Track – a tool which, when turned on, sends out signals to a web browser that the user does not wish to be tracked. The system was utilised in the past, but given the lack of consensus in the industry as to the method of usage and the fact that a large number of websites simply ignored the DNT signals, it lost its utility. This Regulation will give a much-needed push for the usage of this system, which would be useful because if a user chooses not to be tracked the websites have to respect that choice.

The Regulation also makes consent the central feature of the communications system. Earlier, consent was said to be implied: an individual’s use of the operator’s service was considered consent to the operator collecting information about the end-user. This could have a huge effect on the way these entities earn revenue where in some cases the sole method of earning revenue is advertising. Technology companies have to dole out huge amounts of money to pay to run their servers and for the staff which works on maintaining the website and researching newer technology to improve their services. Companies which are dependent on advertising could lose a large amount of the revenue which they get if a large number of their users opt out of providing information and receiving targeted advertisements.

Several critics from the industry argue that the new framework will make it extremely difficult for the operators as they do not necessarily classify data. The multiple layers of data and information collected are simply classified as ‘analytics’. The websites do not always know the purpose the data is going to be used for until after it is used. This would make it difficult for the operator when it comes to deciding what comes under the law. In addition, the operators depend on third-parties to collect the information for them. The regulation makes it abundantly clear that the information to be collected should be the bare minimum that is required to provide the services and data that is required for web audience measuring. The third-parties also would be protected under this law, if the information collected by the website is necessary to provide those services or if the user has already given consent. A more transparent system instead would make the system accountable as it would give a factual basis to assess whether the operator is complying with reasonable ethical standards.

The users also have an option under the law not to receive unsolicited calls, messages and mails. These kinds of calls, messages and mails are a huge nuisance, with the companies doing this facing no liability. Only the UK among the countries in the EU has strict laws and hefty fines for this kind of direct advertisement. This system would require the prior consent of the user when obtaining the information and before the sending of advertisements, and would require informing them about the nature of marketing and the nature of withdrawal. Even though consent is given to the operator, the law mandates the communication of the procedure of opting out to the user in clear terms. The operator will also have to have a prefix for all the marketing calls. This is similar to India, where the TRAI-initiated Do-Not-Disturb system gives the user an option to block different kinds of unsolicited and automated advertisements through calls and messages.

The Regulation can form a benchmark for the other countries. The regulation with its central focus being the privacy and consent of the user, places a requirement for transparency and accountability of the operator – a necessary condition to run any organisation providing such services. While the changes may seem radical in terms of the costs that the industry as a whole may incur, given the sensitive nature of the information that they deal with, such regulations will and should become a norm for all the players in the market and any new players who wish to join it.


TRAI’s Consultation Paper on Net Neutrality and the Regulatory Approach to Net Neutrality in India

Net neutrality is the principle of non-discrimination of all data on the Internet, regardless of the Internet Service Provider (ISP). Regardless of the source or content of the data, all data itself must be treated equally. There has been a growing movement for the recognition and acceptance of net neutrality as a principle not just by the people but by the Government itself, leading to the desire for regulations and policies that protect net neutrality. The Telecom Regulatory Authority of India (TRAI) recognising the same, held pre-consultations and drafted a consultation paper on the specific issue of net neutrality.

In this consultation paper the TRAI focused on a few core issues regarding net neutrality specifically in India, that being of the definition and principles of net neutrality, transparency, traffic management and policy and regulatory approaches to the entire issue. The consultation paper serves as recognition of the important legal and policy questions to address as well as to provide a clearer understanding of net neutrality itself. The opinions of the multiple stakeholders, including Telecom Service Providers (TSPs), content providers and academicians, were taken into account as well.

When discussing the policy and regulations approaches that India could take, the consultation paper was interestingly far more ambivalent than in any of the other sections of the paper. The paper provided three different approaches towards regulation: cautious observation, tentative refinement and active reforms towards regulations and laws relating to net neutrality.

There is a larger question first, of whether the government should indeed regulate the Internet and enforce principles like net neutrality. The Electronic Frontier Foundation (EFF) raised this issue when the Federal Communications Committee (FCC) in the United States passed the Open Internet Order of 2010, an order mandating, among other things, net neutrality. Yet, as was pointed out by Pranesh Prakash of the Centre for Internet and Society, there is a need for regulation. It prevents monopolization and aids in ensuring certain goals such as universality and maximum utility. Without regulations, net neutrality in particular would be an ancillary consideration for ISPs, with practices such as throttling more favourably looked upon. There are of course problems with regulation, both in the forms of bias present in the government and that of over-regulation, however with adequate stakeholder representation this can be mitigated. The consultation paper by TRAI has fulfilled this aspect, and the same ideally will strike the correct balance with regards to regulations.

Countries around the world enforce (or don’t) net neutrality in different ways. The United States’ regulations arose from the belief that the internet is a utility and not a luxury (to the point of being court mandated). Their regulations, as with the Open Internet Order, were thus more citizen focused (how effective they are, or whether they actually focus on citizen needs, is a separate question). Currently however Trump is rolling back any regulations that were unpopular with big telecom companies. The European Union in 2015 ensured net neutrality but it has been criticised for being plagued with loopholes. In China, considering that the regional ISPs are all owned by the government, there is apparently net neutrality ensured by the government.

India on the other hand is caught in a somewhat nascent stage with regards to regulations. Initially there was close to no government action in favour of net neutrality, but on February 8th 2016, the TRAI barred telecom service providers from charging differential rates for data services in response primarily to the actions by Facebook and Airtel, essentially upholding the principle of net neutrality. Yet, in the absence of a legal framework, as pointed out in the consultation paper, there is still scope for violating the principle of net neutrality by private ISPs. It is at this juncture that the consultation paper poses the questions as to what manner of governance would be most suitable.

The current policy adopted by the TRAI, as well as other countries, is to simply wait and watch. The TRAI would simply observe the practices of the service providers, providing them the freedom to take action as they see fit. This is problematic considering that violations occur currently and in the absence of any legal frameworks they can continue to do this unchallenged. Predictability in the form of a lack of retribution leads to further abuse.

The other option identified by the TRAI is self-regulation. Here all licensed ISPs would follow a voluntary form of adherence to the core principles of net neutrality, with the TRAI providing overall guidance and monitoring the ISPs. This sort of model is well practiced in Europe, including in Denmark, Sweden and the UK; however, there are indeed pitfalls of this measure as well. The lack of uniformity is a cause for concern, ranging from transparency to traffic management, and thus leads to a lack of optimisation. When taking multiple countries into account, this effect is magnified multifold, especially in Europe with a large number of highly developed small nations. However, this method has had success in Norway. Applying it to India however, much like most other Western concepts applied to India, causes problems due to the differences in context. It becomes easier to provide small corporations this power over a relatively small number of people; however, in a country as large as India, with a larger number of big corporations, the same becomes far more difficult. This is not to say that it is misguided or impossible, merely that it is not as easy nor may it be as successful as it would have been in Norway.

The TRAI plans to act upon any notification of abuse of net neutrality or discrimination in either of the two options but there are significant problems, some of which the TRAI themselves identified. The first problem the TRAI identified is a failure or delay in identifying cases of discrimination, a problem that is extremely difficult to counter. Users rarely have the opportunity to actually identify and understand the discrimination, and bodies like the TRAI do not have the resources to cover the entirety of the nation. The second issue is the lack of power the TRAI itself possesses. In the absence of any legal frameworks, the TRAI cannot unilaterally impose its will with ease. Further, relating to the third problem identified, this lack of law leads to uncertainty, and uncertainty is a disincentive for businesses to enter the market. In addition, there is the lack of an adequate definition of what net neutrality is, as well as of the limits of what is required in terms of transparency and traffic management. While these are sought to be addressed by the consultation paper, it cannot singlehandedly solve these issues.

The consultation paper provides for a course of action that can be taken in the case of active reforms, primarily in the form of licensing, regulations and legislative changes. Licensing allows for a form of control, as only those ISPs who abide by the standards set out by the TRAI would be provided the licenses. Australia, through the ACMA and Bangladesh, through the BTRC, both provide licenses to ISPs. For licensing to be successful however there must first be an accurate definition and understanding as to what constitutes the core of net neutrality, and thus the limits that must be placed on ISPs to protect the same. Further, licensing all ISPs is a laborious task, and after licensing monitoring is even more difficult. While there is an association for ISPs, it is essentially defunct (as can be ironically seen from their very site). The TRAI simply does not have the resources to look into all ISPs and whether they maintain the conduct required by their license. Further, the TRAI needs some regulatory power in the form of the law in order to actually make decisions or levy punishments. Explicitly laying down what is permitted in a license is only the first step.

Regulations in the form of Quality of Service requirements could lead to a reduction in discrimination on the basis of quality. This regulation could include certain aspects such as preventing throttling and blocking, or other forms of preferential treatment, as well as laying down a particular standard that is to be met, regardless of content. It would also allow for a mandatory level of transparency. While this action is likely to be helpful, it is not the perfect solution. Creating the standard itself is difficult, enforcing it is even more so. It further does not combat the entirety of the discriminations that occur, and acts more as a stopgap.

Legislative changes are the most effective towards attaining active reforms, though as pointed out earlier, providing the government this power is not a unilaterally positive action. Yet if the TRAI has this legislative power to back its actions, or even another external, quasi-judicial body to act in its stead, this would lead to enforceability, leading to a greater incentive to follow the principle of net neutrality.

In terms of regulations and policy approaches, the TRAI sticks to these issues. In the paper, the importance of monitoring is also brought up, however there is a distinct lack of both innovative solutions and a recognition of the specific domestic issues India faces. Instead the paper focuses more on the approaches of foreign countries, hoping that a patchwork solution will work for all.

In conclusion, the paper raises certain questions which are to be answered in future consultations. The questions of which body should be given the power of monitoring and supervision, collaboration with other stakeholders and the manner in which the legal framework should be evolved are all directly relevant and extremely pertinent towards creating an effective upholding of net neutrality. Hopefully, these questions and the multiple issues and problems of the measures raised in the paper will be addressed during the actual consultations on the 15th of February, 2017.

For Further Reading:

IFF Summary on TRAI’s Paper – https://internetfreedom.in/iffs-summary-of-trais-new-net-neutrality-paper/

Vox – Saving Net Neutrality through Republican Legislation – http://www.vox.com/new-money/2017/1/26/14383040/thune-net-neutrality-bill

International Telecommunications Union – Discussion paper on regulations of Net Neutrality – https://www.itu.int/ITU-D/treg/Events/Seminars/GSR/GSR12/documents/GSR12_Webb_NetNeutrality_1.pdf

 

The Internet Finds Itself in a Web – What the U.S Withdrawal from ICANN and its Transition Signify

The following post is by Madhulika Srikumar, a fourth year student at GNLU, Gandhinagar. She has an avid interest in the debate on ownership of Internet, Internet security and freedoms, and has worked earlier on issues relating to ICANN and Internet Jurisdiction. She brings us an interesting commentary on the US withdrawal from ICANN, and how it may affect Internet Governance as it currently exists.

The Internet finds itself in a “web” these days, a web of polarizing powers and conflicting interests; a web that could possibly result in changing the Internet as we know it. Attempting to untangle this web is no mean feat.

The Internet is best defined by the values that formed it. These values are of “open” code or software that govern the Internet, whose source is available to all and can be taken, modified and improved. It is these ideals that many still hope to preserve in today’s Internet governance.

ICANN and a Changing Internet

(ImageSource: https://flic.kr/p/5kN3ek)

(This post was earlier published on SpicyIP)


Ever since Swaraj covered the new domain names being permitted by ICANN back in 2011 on SpicyIP, there have been a few quite crucial developments. Before moving on to these developments, a quick background of some relevant points.

Part I: Introduction – background 

The Domain Name System is the current backbone of accessing the internet. It essentially acts as an address book of the Internet for computers, translating human-readable website addresses such as ‘spicyip.com’ to their unique numerical IP addresses that the browser can read, thereby allowing it to access the requested content. The human readable part of a domain name is divided into two parts – the name of the website, and the ‘TLD’ that comes after it. For instance, in ‘wordpress.com’, ‘wordpress’ is the name of the website, and ‘.com’ is the ‘TLD’. A very handy guide to the Domain Name System is available here, courtesy of the Internet Society.