(Former Secretary, IT and Telecom, GoI; Ex-President NASSCOM)
Shri Vinit Goenka
(Governing Council member, CRIS, Ministry of Railways, GoI; Secretary, CKS)
Dr Avik Sarkar
(Visiting Professor, ISB Mohali; former Head, Data Analytics Cell, NITI Aayog)
Dr Kuldeep Ratnoo
(Director, India Policy Foundation)
Dr Kuldeep Ratnoo
I welcome everyone on behalf of India Policy Foundation (IPF) and Centre for Knowledge Sovereignty (CKS) to today’s webinar. Today we plan to discuss a very critical issue about securing the digital boundaries of India. As we all know, 21 years ago, Pakistani Army intruded into Indian Territory and occupied some posts vacated by Indian Army during winters. To evict the intruders, Indian Army had to launch an operation. In the process, Indian Army had to sacrifice several young talented officers and jawans. Several lives were lost and huge amount of resources were put into that particular war to protect our boundaries.
In the recent times, we have also read about Chinese intrusion into Indian Territory. And as we know, 20 soldiers and officers again had to sacrifice their lives protecting Indian boundaries. While there is a lot of talk and emphasis on protecting our physical boundaries, there is not much discussion or even awareness regarding the digital space or the digital boundaries. We have organized this webinar today to take this discussion forward. IPF, in association with CKS, has decided to bring it to the notice of intellectuals, policy makers and others.
Today, for this webinar, we are very lucky to have Shri R Chandrasekhar ji amongst us. Shri Chandrasekhar ji has been an IAS officer. He was Secretary, Information Technology. He was also Secretary for Telecom. He was President of NASSCOM. He is also advising government on its various programmes. Most importantly, he played the critical role in launching the e-Governance in India all the three steps – right from the citizen centric centers to state level centers. So, we are very lucky to have Shri Chandrsekhar ji with us.
We are also very lucky to have Dr Avik Sarkar with us. Dr Avik Sarkar earlier worked for corporate sector. He worked abroad in Singapore too. Then he was brought in to head the Data Analytics Cell of the Niti Aayog. He worked there for few years. And now he is into academics. He is a faculty at the Indian School of Business, Mohali. I welcome you Dr Sarkar.
We also have amongst us Shri Vinit Goenka. He has been working in the field of data sovereignty, data security etc. He has been Member, Governing Council, Centre for Railway Information Systems (CRIS) and he has also been Member, Task Force on IT in Ministry of Shipping. He has co-authored a book on data sovereignty. He has been the person who has been taking these issues forward and who gave us an idea that IPF should also take it forward. We are very lucky to have you here and we look forward to take this issue forward.
We welcome you all. We have been joined by very eminent people, prominent academicians, retired bureaucrats, and very senior social activists also. On behalf of IPF, I welcome you all. I also welcome honorable Shri Dattatreya ji Hosabale who has also joined as a listener.
Regarding the topic, do we really have to put priority on securing our digital boundaries? Now the issue is how to we define the digital boundaries and how to ensure the protection of these digital boundaries. So, I request Shri Chandrasekhar ji to introduce the topic, to guide us, to enlighten us. This is a very broad topic. And I had a brief chat with him before and he agreed that this is not something that can be covered in a webinar. But this is an initiative, this is a step which we are taking forward. And we hope that under the guidance of eminent people and learned experts, we will definitely be able to create awareness about it, among the policy makers, among the eminent citizens and make government also see the importance of securing our digital boundaries. I request Shri Chandrasekhar ji to begin the discussion.
Shri Rentala Chandrashekhar
Thank you Kuldeep ji and namaskar to all of you present here. It is indeed a privilege for me to speak before such an eminent group of people on a very important topic. As Kuldeep ji was mentioning, this is a very important topic which has not been sufficiently explored or sufficiently discussed. So, I am delighted to share some thoughts and perspectives combining all the experiences in the various capacities that I have been.
The first and foremost question is what does this expression ‘securing digital boundaries’ mean? Because in the physical world it is very clear as everyone can see where the boundary is and it is all very visible. But if you look at the digital medium, then this is not the case at all. In fact, in the digital medium which is completely global medium because of the internet, the flow of data and the flow of value generation from that data are massive. They are global. They are seamless and they are pretty much instantaneous. So, it is fundamentally different in that sense from the physical boundaries.
The second point I want to lay at the outset is that the data and the value which I talked about flows through several layers. There is a telecom layer, there is a software platform layer, there are applications and then of course there are firewalls and encryptions and so on which are spread all across this medium. Within this, you have lawful interception by states and unlawful interception by hackers. All of this exists in the medium and we have to take cognizance of that.
If you look at the physical infrastructure, you have telecom, hardware, computers, IoT devices which are physically located within the country as far as the digital space is concerned. But if you look at the virtual parts of it – the software platforms, the software management, the updates to the software, the hardware management – all of this in today’s world are typically done remotely and that remotely can be from a different country and often is. So, that is another dimension we need to keep in mind.
If you look at hardware manufacturing for example, both telecom hardware as well as the computer hardware, today it is driven by the global supply chains – very well connected and highly efficient global supply chains. And they have three characteristics – one is very high volume because they have global volume; very high velocity because the movement is very fast, typically the inventory is only of a few hours, not even days; it is low margin in most of the cases expect when you have a propriety product and some unique technology involved. So, high volume, high velocity and low margin are the characteristics of a lot of this hardware.
The other implication of this is that all the countries in this space are interdependent. And it is without any exception. It includes the US as well as China and is therefore a myth to think that any country is completely autonomous and is self-contained. So, against this background, what does the expression ‘securing digital boundaries’ mean? That is the first question we should look at.
To my mind, firstly the data which includes digital data and, in this context, we are talking only about digital data. So, digital data which relates to Indian citizens and originating in India, from transactions in India belong to the country which has a natural right over it. That should be taken as a starting assumption. Consequently, all the data and all the value addition to that data should be subject to the laws of India. I am choosing these words carefully because the value addition does not always accrue to the country but it is subject to the laws of the country. That is an important distinction that has to be kept in mind.
So, basically securing digital boundaries to my mind means that ensuring the laws of India apply to such data and the value addition that arises from the data. And within this are contained issues like privacy, individual data security, national security, taxation and of course the foundation of it is the jurisdiction of the country in addressing such disputes. It also means that access to data when required by the government in accordance with the provisions of law should be possible without being subject to the laws of another country. The key word here is access, not ‘possession’ or ‘location’. Sometimes, there is an illusion that if the data is located here, it is entirely in our control. But because of the reasons that I just mentioned, that is not always the case. The data might be subject to control from elsewhere, it might be subject to encryption, it might be on a platform you have no access to. So, the key question is about access and that is what the focus has to be. Location is only one aspect of it and not the be all and end all of it.
What is the purpose of acquiring this kind of control when we are talking about sovereignty? Number one is the purpose of acquiring such control is to ensure that by formulating suitable policies within the country, we can maximise the economic benefits to the country and to its people from the digital economy. But subject to security and privacy considerations. These are not completely independent variables and sometimes there is a tradeoff between these and at such points a conscious decision has to be taken after considering all the factors. So, when we talk about digital boundaries and achieving this kind of control, we have to keep in mind, a control over all the layers – the telecom layer, the software platforms, the apps and wherever firewalls and encryption are involved. And to acquire such control, one needs to have adequate foothold in each of these layers.
Now, this adequate presence or adequate control does not mean complete indigenization or erecting walls and saying that no one can come in. In fact, in the strange digital world with the strange laws that it has, that can actually make you more insecure in some cases and not more secure. So, how do you become self-reliant in this kind of an environment and what does that self-reliance actually mean? Because self-reliance is still important but it does not mean a complete autonomy from everyone else outside or preventing anyone else from outside from coming in. If you look at the data economy which is linked to value addition which is linked to technology development and innovation which is in turn linked to IPR (Intellectual Property Rights), all of these will need to be bound together in an economically sensible and rational manner. And to the extent that the laws and regulations ignore the economic forces as well as the global ecosystem, the chances of those laws being effectively implemented definitely becomes much lower. So, we need to look at the enforceability and implementability of the laws given the complexity of this medium.
Let me take two examples as it is not possible to cover the entire range of issues that I outlined. One in the case of the hardware and the other in the case of the software. Let us take the example of 5G in telecom which today is much discussed all across, especially in the context of the recent Chinese incursion as well as the dominance they have achieved in the telecom space especially companies like Huawei which by many account have the most advanced technology in 5G and at a very competitive rate making them a fearsome competitor in the global arena. And given the kind of vulnerabilities which I have mentioned which arise at all of these layers and telecom is the base on which it rests. So, if that is vulnerable and that is susceptible, then we are going to be significantly compromised on national security. It is also important to understand that it is not only with Chinese equipment that we are vulnerable, we will be vulnerable with any equipment of any country. But we will be vulnerable towards one particular company and possibly towards that country if the company is working in close tandem with their own government.
So, from a national security perspective and in the current context, obviously allowing Chinese equipment or Huawei equipment to come in is seriously jeopardizing our own security. But we should also keep in mind the consequences of not allowing it and how to deal with those consequences. Not allowing it almost seems an imperative at this point. In the world today as all of us recognize, there are no friends. At the end of the day, you are on your own and you have to rely on your own capabilities and strengths. So, the moment you shut out what should be the cheapest or most competitive option, immediately the benefit and advantage will be taken by others who are in the fray. Therefore, you need to have a strategy to ensure that you are not taken for a ride in terms of economics. Because at the end of the day, India is a very price sensitive country. The whole telecom revolution in India would not have happened if it did not come to the current price point. So, we need to have a counter strategy for that and building indigenous capability is a big part of that.
While doing so,I think we need to keep in mind two things. One is that the standards that will have to be followed will need to be international standards in order for all of this structure and equipment to be interoperable globally. And there is a whole set of dynamics which goes into international standards and how those are influenced etc. But that is a much bigger game in which a lot of big countries and companies are involved. Whatever it is, we are a part of this world and we cannot go away from these standards and island ourselves. Otherwise, we will not even have the benefit of global volumes and therefore not have a lower price etc.
How do we really get a foothold in this area? We do have very limited capabilities at the moment. But I want to make it clear that we have significant capabilities. There are some good companies in India and some good public sector organizations which have strong capability. But taken together, they don’t straddle the entire space and therefore we have vast gaps in our capability and definitely in the area of 5G, we need to look at what those gaps are.
Secondly, we need to be careful while looking at claims of 5G technologies and see whether they are comprehensive. Because 5G can be defined in many different ways and you can say that something is 5G covering some parts of 5G but not all of it. That is the way in which 5G with complete integration with the applications and uses operates. We should be very discriminating from the point of view of what is it that works in the best interests of the country.
From my perspective, I think we need to work with some allies to navigate this space. First, we need to look at those Indian companies and organizations that are in India in the public sector as well as in the private sector and overseas. And how this strategy can be built with their involvement, participation and inputs. Because at the end of day, as was said by one of our WTO trade negotiators, putting walls does not help companies which are not yet born, it only helps companies which are already there. So, we need to work with companies which are already there as the first layer.
The second layer is to look at foreign companies which are here in India because a lot of them are led by Indians whose heart beats for India. And I have seen in my interactions with them that many of them are prepared to help. They may be working for a foreign company but they are here in India and it doesn’t take a whole lot to decide who our friends could be over there. So, that is the second concentric layer that we can actually count on.
The third is Indians in foreign companies. People of Indian origin, they may not even be Indian nationals today but they occupy very important positions. And that is an asset. How we use and leverage the asset is a question but that is the third concentric circle. So, we need to look at some of these strengths and then build our strategy based on these three concentric circles. This is just one example of the complications involved in a hardware like 5G.
Let me turn to a different example of e-commerce platforms and the commercial aspects. And how enabling and enhancing is the digital and data economy. E-commerce is a good example of how the wheels of digital economy function. And it brings up all the issues of start-ups, competition or platform economy etc. The key question for us should be how do you foster the growth of the digital and the data economy? In all sectors of the economy – in agriculture, in banking and financial services, in healthcare, in education? And what should our policies look like to maximise growth and the value to the country? Here again, there needs to be some important tradeoffs made and again since we cannot shut ourselves off completely from the world, we need to look at the dangers of different kinds of companies and the different kinds of monopolies that they may acquire within the economy.
And I do want to mention that dominance of the market per se is not bad. If you look at the competition law and the competition theory also, dominance per se is not bad. But it is the abuse of dominance which causes injury to consumers which is harmful and that is where the CCI (Competition Commission of India) comes in. But if I were to put a hierarchy to all of this, the worst situation would be to have a foreign monopoly in the country which is where the market is completely dominated by a company which is a foreign company and over which there is no control. But equally, even if it is not a foreign monopoly, even if it is a domestic monopoly, I think the dangers are quite substantial. And to some extent, if you have competition, even if it is foreign competition or a mix of foreign and domestic competition, that could arguably be a better situation than being in a complete domestic monopoly. And of course, there are other layers like state monopoly and only domestic competition. But our goal perhaps should be to ensure that there is adequate competition because that is the best tracker of consumer interests.
If you look at the pre-liberalisation economy, I believe that what was harmful was less the kind of protectionism which was there and more the prevention of competition because of the licensing raj. And if we had encouraged all our domestic competition with free movement of technology, then we might have been in a better place even under such a restricted regime. If you look at regulation today, there is a lot of emphasis on personal data protection. Now you have a committee reporting on non-personal data protection which has stirred up a hornet’s nest because it is ignoring certain fundamental economic dynamics and arguing for making available data at no cost to both the government and even to competitors. This I think is definitely not in consonance with the way the economic forces work or the way the economy works.
Then one more example, I just want to refer to briefly is that if you look at the hardware, sometimes we are focused on getting visible hardware manufacturing in India. But if the value addition is not significant, then I think we need to ask the question as to how relevant this is. If you look at mobile phone manufacturing for example, even if we have a substantial mobile phone manufacturing and we do have it, it is good. But how much of support we gave, how much of money we poured into it is a big question. And while, some amount of protection and growth is important, government offering huge subsidies to those areas at the cost of other areas which might better be supported with that money certainly does lead to a question of what the tradeoffs and value judgements are.
The last point I want to make is that a lot of this data is vitally important because a lot of the new technologies are built on data -artificial intelligence, machine learning, big data and data analytics. All of these rest on that. And therefore, we need to figure out how we actually create the IPRs or have a mechanism in which we do it jointly with partners where each one has a stake in it and a share in it. None of this is possible in the digital space unless we have the necessary strength in research. One of the weaknesses that we have had as a country is the very low research spend of most companies. And even in the government, the research spend has been limited. In this area, a lot of the research actually happens in the private sector. So, that is something we need to think about.
But a key aspect of this is that in many countries, critical technologies in the digital area have come because of defence demand. Currently, our defence requirements, notwithstanding being one of the largest importers of defence equipment in the world, are very loosely connected with the private sector. And it is by no stretch of imagination a driver of research in the private sector. Thankfully, that is changing now under the current set of policies but still very slowly. And I do worry that there isn’t adequate clarity as of now in terms of how exactly this dynamic will work out. But I think we are headed in the right direction.
So, the bottom line of all of this is that securing our digital boundaries is critical – both for our economy as well as our national security. But in today’s world, it is a complex issue and one needs to approach with a clarity on the definition, a clarity on the ends that we are trying to achieve and by means of a carefully calibrated strategy which is based on alliances and partnerships – who can we trust, who can we build a long-term partnership with, which is not based on dependence. But which is based on one level on the trust and alliance but on another level, having a gun to each one’s head so that you can’t completely pull the trigger without harming yourself. That is the way in which in today’s interdependent world, these alliances are built up. But our laser sharp focus has to be on continuously building national capability across the spectrum of digital technologies – either ourselves or through these carefully structured partnerships.
Dr Kuldeep Ratnoo
Thank you very much Sir! In the very brief duration, you have touched upon the larger issues and provided insight into what digital security means and how we can go ahead to secure it.
Now I will request Vinit ji to share his thoughts. Shri Vinit Goenka has been working in the field of data sovereignty. Earlier, he was with the corporate sector. Then he resigned and became a political activist and then he worked with government departments. Of late, he is mainly interested in and working to ensure and to spread awareness about data sovereignty and data security.
Vinit ji, there are issues. See, India is such a vast country and such a diverse country. Of late, we have been moving in the direction of digitization –in finances, in technologies, in education and every sphere. At the same time, having such a large population, we are also highly vulnerable in terms of digital security. People are not very aware. Even technologically also, we are not very sophisticated and prepared. You have been working in the field of data security. So, how do you see all these issues in terms of defending the digital boundaries, the challenges which we are having in terms of not only the enemies who are based outside and are trying to cause problems within India. And as you know, we have discussed this earlier also, whatever digital medium we have been using are not in our control. So, enemy countries and enemy people – there could be digital terrorists also. You have been working in this field to ensure a safe interaction in social media platforms also. So, I request you to provide all the perspectives to ensure digital security.
Shri Vinit Goenka
Thank you Kuldeep ji and to all the people who are here. I happened to be in a conference where serving Inspector General of Maharashtra was participating. And this gentleman used to head the cyber cell of the Maharashtra police. This meeting happened in November 2019. He quoted one example and said he was facing challenge in Aarey colony environment protest. Now, I come from Mumbai. I was born near to that place. It is a small place and I know that there are activists who are trying to protect that piece of greenery. They may not agree with the government’s view but I know each of them personally for three decades. I know that they are very nice people, they are nationalists and they are not against the country. They may not like your ideology, they may not like the central government’s ideology or they may not like individuals in the ministries, but they are good people.
There were tweets which were coming up and this officer brought up these tweets. These tweets were in Marathi, the native language which not only talked about the issue but challenged the state and there were some words, which were undermining the entire authority of the state. It was something very divisive and was not being heard till then. I called up the activists and asked them why are they propagating this and they said it is not them but the general public which is doing it. So, I had the reason to ask this officer how come people talk about this particular issue? To this, he replied that none of the tweets have come from Maharashtra or even India and they are all originating from Pakistan. You can see that it is a weaponisation of a tool called social media. And that too in a native language, something which we can not imagine. The impact is very big.
I will give you another example. One of the economists in a show said that India imports around Rs 5.2 lakh crore worth goods from China and exports only Rs 1 lakh crore worth goods leaving a trade deficit of Rs 4.2 lakh crore. The Rs 4.2 lakh crore trade deficit may sound very big but one of the components is almost around Rs 23 crore. This may sound very miniscule but we need to understand where this Rs 23 crore goes. If you know about Maharashtra, there is a place called Pandharpur and every year there is a wari. This means pilgrims go there on a particular day – Ashadhi Ekadashi and they pray to Vithoba Dev. The pilgrims have a small thing called ‘taal’ in their hands which they play while on the pilgrimage. These used to be made by the blacksmiths in Maharashtra. Somebody understood that so many ‘taals’ are required every year and the cost of one ‘taal’ is not more than Rs 60-70 per piece. So, the ‘taals’ were dumped at Rs 40 per piece in those locations where they were brought. This was much lower than the cost of manufacturing. This has happened because there is state sponsorship to this in China. The dumping is never done on items which are very big and grab immediate attention. They are done when the items are less than Rs 50 crore so that the attention won’t go there. How do they do this? How do they understand this market? How do they flood this market? How do they erode the manufacturing capability of the natives?
Here, I will have to go back to a conversation which I had with the Vice Chancellor of Gautam Buddha University. He gave me an example. He said that we opened the floodgates somewhere in the early nineties and started importing technology. We encouraged people to manufacture or integrate refrigerators in India. I am 1971 born. So, I saw a fridge that was bought by my father which we used to repair every two years. Suddenly these refrigerator companies came which would assemble things in India. So, we started importing the compressor which meant we did not need manufacturing units in India. As there were no manufacturing units, nobody was employing people coming from universities. So, universities stopped teaching about compressors or heat exchange. What is the result of this?
Today if you see in India, if we decide to manufacture compressors, there is no one who can teach about the technology involved. Result is even if you want to migrate to indigenous technology, you will have to create curriculum, you will have to train teachers which will take not less than a decade. Who decides this? To answer this, we will have to understand one thing called colonization and in the book on data sovereignty, we as authors divided colonization into three parts. One is military colonization which we have seen for 2000 years. People came with sticks, swords, guns and cannons. What happened to those who were colonized? You will have to see the GDP and export data of 1840s versus 1940s. The drastic fall shows that colonizer would take the advantage.
Then in the last 100 years, colonization migrated from military colonization to energy colonization. And we saw that the countries which exported oil, which exported petroleum products to the user country. And especially we as India who imports a large chunk of energy are dictated terms. We also saw economies which were not exporting oil to us and we were not importing oil from, yet they dictated terms to us. They were also dictating what technology will be used in automobiles. So, even when there are alternates to petroleum products, there are alternates to hydro carbon, we were using it because those who were getting benefits out of that economy had forced us to use it. This was energy colonization.
The last two decades, 20 years, we have seen a new type of colonization called data colonization. What happens in this? Somebody plays with your data, understands the data and retains the data. So, when you generate data, whether it is your personal data, whether it is in structured form, semi-structured form or it is a non-structured form, it is collected somewhere. Somebody who has the power of computing – whether it is cloud computing, data analytics or quantum computing – he can generate reports or information sets which will be used to take decisions. And we all know that if information is available, decision making is better. Informed decisions make perfect decisions. Somebody decided to take the decisions while we were becoming a victim of this part where we were having an advantage till 1995 -97 - 98, yet we decided to open the floodgates.
I come from Mumbai and in Mumbai there is a place called SEEPZ. Here, there are five buildings. The name of the building is Standard Design Factory (SDF). When I joined SEEPZ in 1995, they were all software hubs. So, I asked why do you call this as SDF? Then they said, there used to be factories in that place long before. When I asked how long before, they replied till 1989-90. So, we realise that the moment you open the floodgates with multilateral agreements like WTO, we lose the edge. That was the first time we realised that colonization has started. They replaced the domestic indigenous production. Over a period, we became service guys and our policies were framed like that. And we were given an advantage. It is always advantageous to buy economical goods from an outsider rather than making your own products. And then compulsions at home made us go away from business. Resultant is that we made a lot of imports.
What is today’s import? We are importing social media. According to the researchers, 91 per cent of the data that comes to India is trivial data. Most of that is porn which is absolutely not necessary, impacts the culture of this country and also impacts the capability to generate economical assets by the youth because they would waste their time there. And only nine per cent of the data which is economically viable, knowledgeable, which is needed for business and other activities are imported.
Now, let me open the eyes of many of you. Out of this nine per cent, not even one per cent of data can be imported by us without paying for it and without seeking the permission of the person who holds the data. They are not freely available. They are knowledge, they are IPRs protected by the respective countries. Whereas we have been told that we get 91 per cent data for free, which is absolutely of no use. That is dumping.
Now, let us compare 20 years where he had the advantage, lost the advantage and came to this situation versus what Chinese did. Now, many of us do not like Chinese. We all have some kind of anger against Chinese. Maybe because of the recent issues or maybe because what we have been learning from childhood. But what they did are two simple theories. One theory was Great Wall and the second theory was penetration or encroachment. What was Great Wall? Every sixth person who is born is a Chinese. So is Indian. But we never thought of it as 15 per cent is ours and 15 per cent is theirs. Chinese put a Great Wall and said, you cannot access the Chinese people, the Chinese economy and understand what is their pattern of buying.
So here, when my sister sends me a rakhi, she first puts it on social media and then the courier comes to me. Now, somebody who wants to analyse it would know what type of rakhi has been purchased by Indian girls. And somebody may decide to manufacture only that type of rakhis and Indian traditional businesses which make rakhis may not have access to this kind of data. This may be a small business but it is killed. So, this kind of wall does not give access. We called them communists, protectionists etc. But if you ask other countries also, many of them go to Vietnam, go to Europe, they have also put in some kind of walls. They may not have that kind of wall which the Chinese put, but they have also put protections for themselves. And we let our entire digital borders open.
And what did the Chinese do next? They did something called penetration and encroachment. When I say Chinese, please compare this with other countries also. As rightly pointed out by Chandrasekhar ji, we do not have any friends in this digital economy. The first penetration they did was economic. Like the example I gave you, even a small business like ‘taal’ which was just a Rs 25 crore economy, they encroached and wiped out that business from India. The second strategy was to dump things. Now if the Chinese dump things here or if you see what happened in the case of the agricultural molecule, endosulphan. Somebody came and just replaced that. I remember my father used to buy one particular pesticide which used to take care of everything in the house. But slowly, nobody understood and we thought that it is only the problem of agriculture sector. We kept saying that it is only a matter of Rs 300 crore and questioned the need of raising hue and cry. We killed not only Excel Care Crop Ltd but also other pesticide making companies. What we did is we started importing these molecules and we have a pesticide each for every insect now.
The farmer who is not educated or is less educated, who is already being challenged to understand the other things will now have to understand 42 molecules to get rid of the pests as opposed to what used to be just one pesticide for all. These kinds of penetrations were planned not only by China but other economies as well. They may be sounding friends to us right now, but they may not be friends when it comes to business.
And how did they do the third penetration? They did it in your language, your native language. Tik-Tok came to us not in English, it came to us in Malayalm, Telugu, Assamese etc. It also came to us in languages like Irani which only a small pocket of people in Maharashtra speak. When these encroachments happen, it leads to lot of business loss.
So, data becomes very important. I will give you two small examples. I have a friend who is from Coimbatore. He is into the business of cable TV. Somehow his business was getting challenged, so he was unable to pay the manufacturer of the set top boxes. One fine day all his subscribers got a message that this cable TV subscriber has not paid our money, so we are stopping the services. How is it possible for the manufacturer who sits in Delhi to do this? There is a backdoor in the small set top box which made it possible. Tomorrow, they could have used the same feature to flash a message against this country. They could have played with the democracy of the country.
I also heard another example from Lt Gen Vinod Bhatia (Retd.) and which I will have to share here. There was a tunnel which was being dug and while digging the tunnel, machines which are worth a few hundred crores were being used. All of a sudden, the machine stopped functioning. Engineers tried to repair it; it did not get repaired. Finally, they had no option but to go to the manufacturer of the drill machine. The manufacturer said, some of your payment is pending, please pay that and the machine will start. Payments were done and the machine started. I asked Lt Gen Vinod Bhatia, what is the concern? He said the concern is, if they have control of the machine, they would also have access to the data which is generated by the IoT which is situated in that particular machine – the geospatial data, the latitude and longitude of the drilling position. They would know what we are drilling, where we are drilling and for what we are drilling.
Understand if your tractors have this device, they would know four months in advance what you are going to sow and reap. So, they would know what is the supply of a particular food grain in your country, what is your need and demand and then the gap would be analysed by them and they may choose to dump a food grain which is far cheaper than what you are producing here in India. Thereby, they can create another kind of hierarchy.
To sum up, whosoever controls data, controls everything. They control the economy and the mind of the people who are using this data. The people who generate this data are basically the slaves or victims against whom this particular data will be used. So, it is necessary to not only keep the data in our physical control which is localization but also have a sovereign right over this so that the data does not go out.
I personally do not believe in any kind of orange, red or green data which is being discussed. Internal vigilance is the price of this liberty and that is what is missing. I always wonder one thing when I study China versus Indian losses. The length of the Great Wall of China goes in thousands of kilometers whereas the gap of the Khyber Pass where all these attackers came in is only few kilometers. I always wonder, their ancestors would build that thousands of kilometers of wall, but why did my ancestors not create that 2-3 kilometers of wall? My civilization would have been saved, my country would have been four times bigger than the country which is right now and my religion would have been bigger than what it is right now. Probably that vigilance was not there.
So, digital boundaries have to be defined. Whether it is civilian data, strategic data or important or non-important data. It is a national issue. It is not a local subject. There has to be some kind of law which needs to be passed where we have a Data Commission or Data Authority which talks about this. We also have to fix the responsibilities of the authorities which store this data. The current committee which is been appointed absolutely did not consider it. See all the people who are there. All of them have worked in multi nationals and their interests align with one particular country. Today, we may be happy with that but tomorrow it will be the biggest challenge. We do not have anybody in that particular committee who have served this nation as an army officer, police officer or a law enforcement agency officer. We do not have anybody from academics who understands data in that particular perspective. So, I have my own reservations on that particular committee.
Data localization is not a protectionist move. Let me stress in bold highlighted words, DATA PRIVACY IS A VERY BIG MYTH IF YOU DO NOT HAVE STRINGENT DATA PROTECTION LAWS. And data protection is a very big myth if you do not have sovereignty – if you do not have data within your own country. The person who has the data will use the data and how will you know how the data is being used?
So, if you really want to make sure that the way I am cursing my ancestors for not building the three kilometers of wall in the Khyber Pass does not happen with the next generation, then we should take decisions at the right time. I always feel pained when I see my own colleagues going to the television and blaming Nehru and all the other yesteryear prime ministers that they have not taken decisions because of which we suffered in the northern part of India. Even if it is true, do you really want that after 30 or 40 years, some other spokesperson of some political party come and blame you for not taking decisions when you were the decision maker? So, I think probably we will have to take care that history will never forgive us if we don’t take these decisions today. My request to everyone is it is not about today’s economy as it is the result of our past leaders. Same way, the future will be bleak if you commit mistakes now. So, data is very sensitive, data would generate sets of information which will help the decision maker to take decisions and we will have to control that. Whether it sounds good or whether it sounds bad, whether it is in the agreement of the multilateral agreements we have signed in WTO, RCEP, or any other, we will have to rethink about this. Even if we have a favourable government, we will have to push through this particular fight. We will have to make sure that our interests are protected, our coming generation’s interests are protected and they do not blame us the way we blame people who were there 30 or 40 years before us in power.
Dr Kuldeep Ratnoo
Thank you Vinit ji. Thank you very much for giving us an insight into the issues you have been studying and which you have been working on related to data security, data sovereignty and data localization. Now I would request Dr Avik Sarkar.
Dr Sarkar has been working in the field of data, data analytics, public policy related to data. Dr Sarkar, my request to you is to kindly enlighten us and provide us very critical information in a very limited period which we have today – What is the importance of data? How is data being collected and how it has become a very deadly tool not only for economic exploitation or economic superiority but in terms of strategic issues also, what is the importance of data, how can we protect it and what are the policy initiatives been taken? Could you please elaborate on that?
Dr Avik Sarkar
Thank you Kuldeep ji for the invitation. It is always good to talk to the esteemed group of people. Today we are talking about boundaries and the data that we are talking about are of Indian citizens or data that is generated in India. So that is the data we want to secure. As both the other speakers have pointed out, how can we use that for our economic development and also set a roadmap so that this data can be used by Indian companies or for the development of the Indian economy in the long run. I think that is some of the elements that we need to look into as we go ahead.
Data access is an important criterion. As many of you would have seen that as a part of any investigation or data analysis, there is a lot of data requests that goes to global companies like Facebook, Twitter, Google etc. As Vinit ji was talking about, the tweets coming from people in not so friendly countries across the borders, if you can actually intervene when the first tweet is generated from such a location, then you can act on that and delete the tweet immediately. So, for that what is required is that, if there is a request from the Indian government to access that data and to know where the owner of the data or the tweet is coming from, if you can know that in a short time – say 5-10 minutes, then we can actually stop it from spreading.
I will take the example of Facebook. Every year, Facebook puts the data requests that they get from different countries and the fulfilment rate. If you see, the fulfilment rate of US is above 90 per cent but for the data requests that have been made by India, it is only around 40 per cent. So, that is one of the most important things because we know that it is a notorious thing that is going on in Facebook and we want to stop it. But we can do nothing much about it till the parent company gives access to that data. The Data Privacy Bill that is currently under the Parliamentary Committee will take care of some of the issues. Though there is nothing mentioned about the timeline for the data access that has to be given, this is an issue where we will see much more discipline among the internet companies once the Data Privacy Bill comes into force and the data authority is used and they can work with these people.
Often when we talk about access to data, if you analyse the data of only one or two people, it doesn’t give you a trend. To understand the trends from the data, you need to access huge amounts of data. This is something that the Non-personal Data Private Bill has started talking about. It is talking in a language which might not be accepted by these private companies. For example, Google came up with Google mobility trend. So, there were various areas that people used to go to and what Google did during the Covid-19 pandemic is that they have shown that there is a normal time at which people visit a particular place on a monthly and daily basis and how during the pandemic, the number came down for a lot of areas. In certain areas, the number of people was drastically coming down. So, these are the type of insights that the policy makers need to know.
There was a huge debate happening over the migrants going back to different places. And till now, we are using a state government machinery and the MGNREGA jobs to understand how many people have gone back to the different areas and how they are doing their work. There is a depth of mobile phone data which is lying with Indian companies like Airtel, Jio or Vodafone which can be used to find out where people have gone to. For example, say their permanent location was in Mumbai or Delhi and now they are based in some other location. So, this sort of mobility data is of huge benefit. It is very useful in a lot of cases.
When the Uttarakhand disaster happened in 2013, I had worked on those data for the recovery of people from that location. Like you were able to figure out how many people are stranded there just based on their mobile phone records. These are some of areas where you need access to huge volumes of data to use it for your governance purpose or social benefit purpose and things of that nature.
The other aspect that comes up is the aspect about innovation and IPR. As a country, we have to make the data sharing with start-ups much easier so that they can come up and innovate on that data and create more indigenous products. That is one of the very important things and we have to promote that.
As Mr Chandrasekhar pointed out, lack of research is a very crucial factor we have to look into. I will take an example. In telecom infrastructure, there are four companies – two European companies (Nokia network, Ericsson) and two Chinese companies (Huawei and ZTE). They have been doing business for the last 30 years and India has not tried to even enter this field. We are completely relying on those players and not even trying to create indigenous solutions to this. When you create something, it might be expensive, it might take you some time to get the market share. But then the trial is not there, the effort is missing and there is very little government intervention also happening in those areas.
So, if you talk about a tractor or any other machines getting details in India, we are doing very little innovation in this field which needs to be promoted. Like building indigenous manufacturing in India which is India-led is also one of the important things. I think these are some of the key aspects that I would like to focus on.
Dr Kuldeep Ratnoo: Do you feel there is a need for national Digital Security Commission which can work among various agencies and departments? Should we create our own networks, solutions and platforms?
Shri Chandrasekhar: On the first question, given the cross connecting and sweeping nature of the digital medium, any action to secure this space has to be coordinated across governments. It cannot be just an action done by the security agencies or by the armed forces or any other agency. So, a kind of a cyber command is absolutely critical. Different countries have looked at that. But the practical problem would be to get all of these agencies together and more importantly, getting people from these agencies who are sufficiently knowledgeable. A term stuck in my mind is the ‘divergence between knowledge and authority.’ People who have the knowledge do not have the authority and people who have authority don’t necessarily have knowledge. So, the best is to put together a cyber command and assign tasks to different entities based on a strategy or plan which is worked out. The National Cyber Coordination Centre is in place now. But that is completely different from the concept of the central cyber command. These examples are there in the US and some of the European countries and most certainly we should be thinking about it.
Coming to the second question, China was able to shut themselves off and build a firewall because they work in a different way, they are not a democracy. Also, in a country like China individual privacy is not accorded very high pedestal. So as far as the development of these technologies is concerned, it was a fantastic situation where all the personal data could be used. So, when it comes to India, every country will have to look for set up that is consistent with the ethos it has. We have a slightly different ethos where individual privacy has a certain place, where competition has a certain place and the combination of private and public sector has its own space. Recently, the government has made it clear that as a strategy the government would like to step away from business and leave it to the private sector especially in certain critically identified areas. The default is it is the private sector which has to do it.
The question that arises is how to enable private sector companies in India to build those platforms that can rival the global platforms that we are currently seeing within the country. While we are recognized as a fairly large player in the global IT space, we have to build too many products. So, how do we reverse this and to what extent does protectionism form part of the strategy? While we have banned 59 Chinese apps, the result of this is that it will shift to other platforms which are still non-Indian. And whether that makes us sufficiently self-reliant and secure is a question.
The other question is should we go so far as to put some kind of an embargo the way China has done? Once again, our position is different. People of Indian origin are heading different companies. Its not that they are working for India or the companies are working for India, certainly not. But one has to consider the fact that it does have some material bearing on the way we can leverage these things. The second thing is that India and US do have some kind of partnership. There may be friction in many areas but we do have a partnership in the technology space. The question here is can we have a strategy where we work along with US and build a certain capability in which both have a say and which rivals some of these products? Of course, it is always better to do it alone but given our technology capability, it might not be possible at present.
Some of these partnerships will have to be done with friends but knowing that there are no real friends. So, at the end of the day, you will do it with friends but each of the friends will have such a hold over the other that they cannot think of separation. The bottom line of what I am saying is that the best course for us may not be to block these entities but to create conditions in which there could be Indian entities also which are creating platforms in competition with these companies. And there we need to look at issues like market dominance or abuse of dominance. I am afraid that if there is no direct government support, the commercial factors and the network system which gives these platforms a global presence will completely eliminate all Indian players from the market. We have to have a combination of cooperation and restriction within a certain space.
Shri Ajay Vir Jhakar: Should we tax data to get revenue for the country? The way Jio is partnering with foreign firms to gain monopoly in various markets, should that data be stored in India?
Shri Goenka: I think data should be taxed primarily due to two reasons –it contributes to the development of the economy and there are records maintained on how and where the transactions take place. For example, I have been fighting a battle where Twitter took money from those supporting the Khalistani movement and promoted their tweets. Till the time it was a mere tweet, it could still be debated that it falls under the category of freedom of expression. But the moment Twitter took money, it became an abettor of terrorism. So, it is important for taxation to be there for use of data.
Dr Sarkar: I agree that tax is a good thing to have. But my challenge with it is that if we are talking about one type of data and if that is given to Facebook, they have hundred other types of data and they can use it for big economic gains. If it is shared with a start-up that does not have access to any other type of data, they might be able to make only Re 1 from it. So, my challenge is at what rate can we tax other people? The other challenge is that if you are taking data of citizens of India, then based on government and some mutually agreed rules, you should be making data available for some economic benefit. That can happen only if there is a dedicated cell or a data ministry at the all India level. Right now, there is no assigned entity for data that has set a protocol for the use of data in the country.
Shri Chandrasekhar: If we look at agriculture, then we need to take into account that creation and generation of data is not a costless exercise at all. Then there is an economy which thrives by way of value addition. So, the principle that we have in GST also is that all value addition is taxed and all of these transactions which take place with the data requires investment and that economy should be allowed to grow. Sometimes we are too focused on what the government should do but the fact is these are basic economic forces that are working and there is value addition on the data and it needs to be taxed. There is no exemption to those under GST.
The other important question which was raised was where should the data be stored? It is difficult to give a blanket answer. But I think that one should be careful about data and the mandate should be that it should be held within India. Certain sensitive data should be held within India without debate. But for other kinds of data, we need to convince ourselves of the risks if the data is not held within India because there are certain efficiencies which are available. When we talk about data localization, we are imposing some additional costs which do have implications for the commerce that surrounds it. So, while as a general proposition the restrictions need not be put across the board, it is only when we recognize there is such a problem that restrictions can be put. I would say that we should not very casually resort to measures which interfere with the economics of the data economy.
Shri Goenka: I agree with my fellow panelists. But let me give two examples which impacts upon today’s topic. Today’s China and Israel were formed in 1950s. Despite this, how did these two economies overtake us in technology? So, many times this compromise of going together with a powerful economy makes us subdued. There are five Es – Education, Engineering, Engagement, Elimination and Ensuring – that made Israel what it is today. What Israel did was simple: developed centres of excellence. They dedicated one lab for one particular technology. They funded engineering, they engaged with other agencies, they have elimination of competition which lands there and they have ensured that their firms get a fair chance. So, we will have to think if it is knowledge and authority which makes it or belief in our systems? We will have to believe in this country. We can also have negative taxation as we have seen in many cases. Government can create data sources to understand what is the supply mechanism, where is the source and what is the utilization. My request is that when the policy makers make policy, they should protect our country’s interests.
Shri Dattareya: The need for all round awareness regarding data security, data protection, data sovereignty etc. cannot be understated. Awareness and activism amongst the professional establishments, academicians, researchers, social activists etc. and a comprehensive legislation are the only bulwark against data misuse. Unfortunately, the establishment which is so sensitive about Official Secrets mostly ignores the huge and significant data flow outside the country unchecked.
Dr Sarkar: I think awareness is one of the biggest issues about data sharing. A lot of the data leakages that we see happening around is also because people are unaware and they have been carelessly sharing data. Even when we use our own laptops or desktops, we never encrypt our systems. These are very basic things which are not communicated to a lot of people.
Shri Sudanshu Singh: People have been talking about digital divide. Here, there is no protocol for sharing machine readable data. Your opinion.
Dr Sarkar: I agree with this. We do not have any protocol for machine readable data. The Ministry of Statistics Reports that have been published today are all pdf files. We do not have data in excel format that can be used for analysis immediately. There is a large lacuna that lies there in data sharing formats. When there are international formats and established formats that exist like APIs for sharing data, this sort of formats is not at all used by the state governments or even the central government officials for data sharing. The people who are within the government will have to work towards publishing data in machine readable formats.
Dr Gopal Parihar: We have allowed many foreigners to gather data from kumbh mela which they later on use for AI. Isn’t this a breach of privacy?
Dr Sarkar: A lot of the time when we are recording stuff in such events, they take up blanket approval that it is for personal purposes. But there arises an issue if they are using for commercial or terrorist purposes like what happened in the Mumbai attacks.
Shri Chandrasekhar: I am not aware of any guidelines with regard to recording of any public events. Quite often, it is left to the state governments and local authorities as to how these permissions are given. It will be difficult to monitor how this data will be eventually used. So, we need to debate if these permissions should be given. If photography is prohibited, it can be enforced. But when it is not, the question is how do you enforce these restrictions? In events like this that can create an inimical situation, there has to be a ban on photography and videography. And only people who are authorized can take videography and that too after appropriate permissions. At the points of entry, these things should be verified. I don’t think we can have a blanket arrangement in a country like ours.
Prof Sushant Mishra: When researchers come and collaborate with the government, what kind of clearances are required?
Shri Chandrasekhar: I think in cases of research and academic institutions, generally speaking, authorities are more liberal in according such approvals. However, I think it is absolutely important to ensure that the purpose is verified or first stipulated and use for any other purpose should not be allowed without approval of the authorities concerned. By and large, some of the reputed institutions definitely do adhere to these guidelines. That is why it is also important that those to whom such permissions are given are reputed institutions for whom an agreements or consent means what it says. So, limitation of purpose is an important aspect of it and ensuring that any deviation from it is only after the approval of the authorities concerned. Some of this research is also used by the authorities themselves for better planning, for future improvements in the arrangements and so on. So, when the approvals are given, the assumption also needs to be that the authorities are seeking access both to the data as well as the information that is abstracted from the data that is being collected.
Dr Sarkar: In the proposed Data Privacy Bill, there are a few exemptions like personal use, journalistic use, research purposes. So whenever, you use “research” per se, you get leeway into getting the data. It is usually expected that if you are collecting data in the name of research, you will remain ethical and will not use it for commercial purposes. Otherwise, research cannot happen.
Shri Chandrasekhar: I think we also need to distinguish between privacy in a public space and privacy in your private transactions. I think the concept in law at least is quite different. You are not entitled to privacy if you are walking on the streets. There are cameras everywhere and they take your picture. To that extent your privacy is not applicable. At the same time, it doesn’t mean it can be invasive. Everything has to be seen in the context in which it is occurring and has to be seen in the context of the law.
Ms Lekshmi Parmeswaran: A significant portion of India is still literate or semi-literate. In such a situation, what is being done to spread cyber awareness among them?
Shri Chandrasekhar: We are living in an environment where very well-educated people are falling prey to all kinds of scam and all kinds of security breaches including financial security breaches. So, anybody can fall prey if you are gullible enough. Second is that increasingly we are having people who are not literate or semi-literate using the advent of voice-based and picture-based services. That is drawing many more people. So, icon-based menus, visual-based content and voice-based commands. All of these are enabling literate and semi-literate people to come online and in fact become literate by virtue of coming online. So, the old concept of becoming literate first and then becoming cyber literate is giving way to the reverse. Which is to first become cyber literate and then to get normal literacy. So, a lot of this education and awareness has to be done in a context. For example, if you are communicating this as a general lesson, first of all there is no guarantee that people will be listening or will absorb it. But if you are transacting with a bank for example, then the messages coming from the institution offering that service do certainly help. So, whatever service is being accessed by the user, the caution should be in the context of that service and it should be obligated by law that such restrictions should be there in much the same manner that when people go for a public issue, there is a statutory warning. Apart from that, general public awareness campaigns as a part of literacy are being done by the government but not on a sufficient scale. That is again something which needs to be extended.
Dr Ratnoo: Thanks a lot to all the panellists! Now I request our Chairman Prof Kapil Kapoor sir to give his remarks on today’s webinar.
Prof Kapoor: I have been listening with great interest and it has been a very fine learning experience for me. We had three very learned speakers and I felt that they complemented each other. Chandrasekhar ji in the beginning gave us a complete lesson of the digital boundaries. Then Vinit Goenka ji spoke about the threat to those boundaries and Avik Sarkar spoke about how those threats can be met or minimized. So, there is a wonderful circularity about today’s session. On behalf of IPF, it is my honour and privilege to thank the three speakers very much. I have a few thoughts which I would like to share.
I think our country has failed, our policy makers have failed in two or three ways. First, unlike China we did not really understand the importance of allowing even the foreign technologies or platforms to operate in Indian languages. For example, Microsoft when it went to China was asked to operate in Chinese language and if they were unwilling, they were told not to come. So, nativization of western technology that China did and secondly, protection of infrastructure of their small manufacturing industry. They transformed from painting of small flowers and trees to manufacturing of hardware equipment. They maintained it. But we destroyed our village handicraft and industry considerably.
Secondly, we told Microsoft, please come. Come in English, we will teach everybody English. Today, you have problem of literacy and cyber literacy because the language of the technology is still mostly English.
Thirdly, I think our rulers failed to cultivate self-confidence in the people and have a lack of self-respect in our own abilities. So, we became great borrowers. We borrowed everything. Instead of inventing and creating which would have been possible if we had self-respect and self-confidence and if we had operated in our own languages.
I think we were basically oral people. I remember that the Marwaris did all their transactions orally and the word of mouth was honoured. They left no traces of their transactions or businesses to be tapped or hijacked. I remember that three years back, there was a news that the diamond merchants of Surat transported the diamonds from city to another with non-descript incognito people. There is no written documentation. There is just trust. They cannot be tracked or traced. Now from our oral culture, we have moved to this western visual culture. I think digital knowledge as one Japanese professor pointed out digital knowledge is only quantifiable measurable information; it is not knowledge. It is important only in three areas – economics/commerce, defence and internal security. As far as the public use of the platforms like social media is concerned, they are misused by the enemies of the country. But an Indian using social media is not a risk at all.
Indians are basically talkative people. We talk too much on the mobiles. If you go outside, you rarely find a person in public talking on the mobile phone. But here, you find people shouting on their mobile phones even in public. We also need a little bit of cultural reversion. We have to remind people that for India, silence was the greatest virtue and not speech. Walls are not just physical boundaries but also cultural boundaries. Those will be filled through proper education which right now we don’t have.
I would close my reflections by saying that it was a wonderful session today and I learnt a lot. Thank you very much!
Dr Kuldeep Ratnoo: Thank you Prof Kapoor, Shri Chandrasekhar ji, Dr Sarkar ji, Vinit ji, and to all the participants who have been listening with interest. I know this is a very serious issue and requires many more deliberations and discussions. So, we will continue to have such discussions. Thanks again!
(Report prepared by Lekshmi Parameswaran. Inputs by Vikrant Tyagi)