Understanding CERT-In’s Cybersecurity Directions, 2022

Sukanya Thapliyal

“Cyber Specialists” by Khahn Tran is licensed under CC BY 4.0

INTRODUCTION

The Indian Government is set to initiate a widely discussed cybersecurity regulation later this month. On April 28, 2022, India’s national agency for computer incident response, also known as the Indian Computer Emergency Response Team (CERT-In), released Directions relating to information security practices, the procedure, prevention, response, and reporting of cyber incidents for Safe & Trusted Internet. These Directions were introduced under section 70B(6) of India’s Information Technology Act, 2000 (IT Act). This provision allows CERT-In to call for information and issue Directions to carry out its obligations relating to:
1. facilitating the collection, analysis and dissemination of information related to cyber incidents,
2. releasing forecasts and alerts, and
3. taking emergency measures.

According to the IT Act, the new Directions are mandatory in nature, and non-compliance attracts criminal penalties which include imprisonment of up to one year. The notification states that the Directions will become effective 60 days from the date of issuance, i.e. on June 28, 2022. The Directions were later followed by a separate Frequently Asked Questions (FAQ) document, released as a response to stakeholder queries and concerns.

These Directions have been introduced in response to increasing instances of cyber security incidents which undermine national security, public order, essential government functions, economic development, and security threats against individuals operating through cyberspace. Further, recognizing that the private sector is a crucial component of the digital ecosystem, the Directions also push for closer cooperation between private organisations and government enforcement agencies. Consequently, the Directions have identified sharing of information for analysis, investigation, and coordination concerning cyber security incidents as one of their prime objectives.

POLICY SIGNIFICANCE OF DIRECTIONS

Presently, Indian cybersecurity policy lacks a definite form. The National Cyber Security Policy (NCSP), released in 2013, serves as an “umbrella framework for defining and guiding the actions related to security of cyberspace”. However, the policy has seen very limited implementation and has been mired in a multi-year reform which awaits completion. The new cybersecurity strategy is still in the works, and there is no single agency to oversee all relevant entities and hold them accountable.

Cybersecurity policymaking and governance are progressing through different government departments at national and state levels in silos and in a piecemeal manner. Several cybersecurity experts have also identified the lack of adequate technical skills and resource constraints as a significant challenge for government bodies. The Indian cybersecurity policy landscape needs to address these existing and emerging threats and challenges by instilling appropriate security standards, efficient implementation of modern technologies, framing of effective laws and security policies, and adopting multi-stakeholder approaches within cybersecurity governance.

Industry associations and lobby groups such as the US Chamber of Commerce (USCC), US-India Business Council (USIBC), The Software Alliance (BSA), and Information Technology Industry Council (ITI) have responded to the Directions with criticism. These organisations have stated that these Directions, in their present format, would negatively impact Indian and global enterprises and undermine cybersecurity. Moreover, the Directions were released without any public consultations and therefore lack necessary stakeholder inputs from across industry, civil society, academia and technologists.

The new CERT-In Directions mandate covered entities (service providers, intermediaries, data centers, body corporate and governmental organisations) to comply with prescriptive requirements that include time synchronisation of ICT clocks, excessive data retention requirements, and a six-hour reporting requirement for cyber incidents, among others. The next section critically evaluates salient features of the Directions.

SALIENT FEATURES OF THE DIRECTIONS

Time Synchronisation: Clause (i) of the Directions mandates service providers, intermediaries, data centers, body corporate and governmental organisations to connect to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or National Physical Laboratory (NPL), or to NTP servers traceable to these NTP servers, for synchronisation of all their ICT system clocks. For organisations whose operations span multiple jurisdictions, the Directions offer a relaxation by allowing them to use alternative servers. However, the time source of the concerned servers should be the same as that of NPL or NIC. Several experts have described the requirement as extremely cumbersome, resource-intensive, and not in conformity with industry best practices. As per established practice, companies often base their decision regarding NTP servers on practicability (lower latency) and technical efficiency. The experts have raised concerns over the technical and resource constraints of NIC and NPL servers in managing traffic volumes, thus questioning the practical viability of the provision.

Six-hour Reporting Requirement: Clause (ii) requires covered entities to mandatorily report cyber incidents within six hours of noticing such incidents or being notified about such incidents. The said Direction imposes a stricter requirement than what has been prescribed under the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (CERT-In Rules), which allow the covered entities to report the reportable cyber incident within “a reasonable time of occurrence or noticing the incident to have scope for timely action”. The six-hour reporting requirement is also stricter than the established norms in other jurisdictions, including the USA, EU, UK, and Australia. Such reporting requirements normally range from 24 hours to 72 hours, depending upon the affected sector, type of cyber intrusion, and attack severity. The CERT-In Directions make no such distinctions in their reporting requirement. Further, the reportable cyber security incidents under Annexure 1 feature an expanded list of cyber incidents (compared to what are mentioned in the CERT-In Rules). These reportable cyber incidents are defined very broadly and range from unauthorised access to systems, identity theft, spoofing and phishing attacks to data breaches and data theft. Considering that an average business entity with a digital presence engages in multiple digital activities and there is no segregation on the basis of scale or severity of incident, the Direction may be impractical to achieve, and may create operational/compliance challenges for many smaller business entities covered under the Directions. Government agencies often require business entities to comply with incident/breach reporting requirements to understand macro cybersecurity trends, cross-cutting issues, and sectoral weaknesses. Therefore, governments must design cyber incident reporting requirements tailor-made to sectors, severity, risk and scale of impact. Not making these distinctions can make the reporting exercise resource-intensive and futile for both affected entities and government enforcement agencies.

Maintenance of logs for 180 days for all ICT systems within India: Clause (iv) mandates covered entities to maintain logs of all the ICT systems for a period of 180 days and to store the same within Indian jurisdiction. Such details may be provided to CERT-In while reporting a cyber incident or otherwise when directed. Several experts have raised concerns over a lack of clarity regarding the scope of the provision. The term “all ICT systems” in its present form could include a huge trove of log information that may extend up to 1 Terabyte a day. It further requires the entities to retain log information for 180 days as opposed to the current industry practice (30 days). This Direction is not in line with the purpose limitation and the data minimisation principles recognized widely in several other jurisdictions, including the EU’s General Data Protection Regulation (GDPR), and does not provide adequate safeguards against indiscriminate data collection that may negatively impact the end users. Further, many experts have pointed out that the concerned Direction lacks transparency and is detrimental to the privacy of the users. As the log information often carries personally identifiable information (PII), the provision may conflict with users’ informational privacy rights. CERT-In’s Directions are not sufficiently clear on the safeguard measures to balance legal enforcement objectives with fundamental rights.

Strict data retention requirements for VPN and Cloud Service Providers: Clause (v) requires “Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers” to register accurate and detailed information regarding subscribers or customers hiring the services for a period of 5 years or longer after any cancellation or withdrawal of the registration. Such information shall include the name, address, and contact details of subscribers/customers hiring the services, their ownership pattern, the period of hire of such services, and the e-mail ID, IP address, and time stamp used at the time of registration. Clause (vi) directs virtual asset service providers, virtual asset exchange providers, and custodian wallet providers to maintain all KYC records and details of all financial transactions for a five-year period. These Directions are resource-intensive and would substantially increase the compliance cost for many companies. It is also important to note that bulk data retention for a longer time period also creates greater vulnerabilities and attack surfaces of private/sensitive/commercial ICT use. As India is still to enact its data protection law, and the Directions are silent on fundamental rights safeguards, it has also led to serious privacy concerns. Further, some entities covered under this Direction, including VPS or VPN providers, are privacy- and security-advancing services that operate on a strict no-log policy. VPN services provide a secure channel for storing and sharing information by individuals and businesses. VPNs are readily used by businesses and individuals to protect themselves on unsecured, public Wi-Fi networks, prevent website tracking, protect themselves from malicious websites and against government surveillance, and transfer sensitive and confidential information. While VPNs have come under fire for being used by cybercriminals and other malicious actors, a blanket requirement for maintaining logs and an excessive data retention requirement go against the very nature of the service and may render these services pointless (and even insecure) for many users. The Frequently Asked Questions (FAQs), released following the CERT-In Directions, have absolved Enterprise/Corporate VPNs from the said requirement. However, the Directions still stand for VPN Service providers that provide “Internet proxy like services” to general Internet subscribers/users. As a result, some of the largest VPN service providers, including NordVPN and PureVPN, have indicated the possibility of pulling their servers out of India and quitting their operations in India.

In a separate provision [Clause (iii)], CERT-In has also directed the service providers, intermediaries, data centers, body corporate, and government organisations to designate a point of contact to interface with CERT-In. The Directions have also asked the covered entities to provide information or any other assistance that CERT-In may require as part of cyber security mitigation actions and enhanced cyber security situational awareness.

CONCLUSION

Our ever-growing dependence on digital technology and its proceeds has exposed us to several vulnerabilities. Therefore, the State plays a vital role in intervening through concrete and suitable policies, institutions and digital infrastructures to protect against future cyber threats and attacks. However, the task is too vast to be handled by the governments alone and requires active participation by the private sector, civil society, and academia. While the government has a broader perspective of potential threats through law enforcement and intelligence organisations and perceives cybersecurity concerns from a national security lens, the commercial and fundamental rights dimensions of cybersecurity would benefit from inputs from the wider stakeholder community across the cybersecurity ecosystem.

Although in recent years India has shown some inclination towards embracing multi-stakeholder governance within cybersecurity policymaking, the CERT-In Directions point in the opposite direction. Several of the directions issued by CERT-In, such as the six-hour reporting requirement, excessive data retention requirements, and synchronisation of ICT clocks, indicate that the government appears to adopt a “command and control” approach, which may not be the most beneficial way of approaching cybersecurity issues. Further, the Directions have also failed to address the core issues of capacity constraints, lack of skilled specialists and lack of awareness, which could be addressed by establishing a more collaborative approach, partnering with the private sector, civil society and academia to achieve the shared goal of cybersecurity. Multi-stakeholder approaches to policymaking have stood the test of time and have been successfully applied in a range of policy spaces including climate change, health, food security, and sustainable economic development, among others. In cybersecurity too, the need for effective cross-stakeholder collaboration is now recognised as key to solving difficult and challenging policy issues and producing credible and workable solutions. The government, therefore, needs to put in place institutions and policies that fully recognize the need for and advantages of taking up multi-stakeholder approaches without compromising accountability systems that give due consideration to security threats and safeguard citizen rights.

IANA Transition completed

By Aarti Bhavana

The much-discussed IANA transition has finally been completed, now that the U.S. Government’s contract with ICANN for IANA Functions has expired. This brings to an end the governmental oversight of these functions, a plan outlined back in 1998, and transfers it to a global multistakeholder community. The Centre for Communication Governance’s coverage of the transition over the last two years can be accessed here. In addition, our recent report on multistakeholderism discusses the role Indian stakeholders have played in ICANN over the last 5 years. It is a useful introduction to the way policy is made in ICANN’s multistakeholder model.

In March 2014, the National Telecommunications and Information Administration (NTIA) under the U.S. Department of Commerce announced its intent to transfer the oversight of key Internet domain name functions to a global multistakeholder community. In the months that followed, working groups were set up to develop proposals both for the stewardship transition, as well as for enhancing ICANN’s accountability. Both proposals were finalized and sent to the ICANN Board of Directors to be transmitted to NTIA. On 9th June 2016, after careful evaluation, the NTIA announced that the proposals met the criteria outlined by the NTIA in March 2014.

Despite meeting all the requirements set out, the weeks leading up to today have been far from smooth. Last week, the U.S. Senate Judiciary Sub-committee held a hearing on “Protecting Internet Freedom: Implications of Ending U.S. Oversight of the Internet.” The opposition from the Republicans, led by Sen. Cruz, has also been supported by Donald Trump. There were also attempts to delay the transition by including a rider in the U.S. Government funding bill. This was ultimately not added, leaving the path clear for the transition.

However, in a dramatic twist two days ago, four U.S. states filed a lawsuit in Texas to block the transition. The motion for a temporary injunction was heard by the federal court a few hours ago, and denied. This officially brings a two-year-long process to a successful end. Many Indian stakeholders participated in the transition process as members of the multistakeholder community. However, as our report on multistakeholderism shows, there is scope for greater Indian engagement with ICANN and its policy processes.

In the midst of this celebration, it must be remembered that the work is not over. Efforts at increasing ICANN’s accountability are still ongoing with Work Stream 2, and consist of several critical topics like transparency, diversity and human rights that require the same level of effort as the transition. As discussed in our report’s chapter on ICANN, accountability is an issue on which ICANN has faced serious complaints in the past. The next stages of the transition offer stakeholders an opportunity to address these questions.

 

Implications of the US-India Cyber Relationship Framework

By Lily Xiao

On 7 June 2016, ongoing discussions between Prime Minister Narendra Modi and President Barack Obama culminated in the US-India Cyber Relationship Framework, expected to be signed within 60 days. As part of a deepening strategic partnership between the US and India, the Framework establishes a bilateral commitment to an open, interoperable, secure and reliable cyberspace environment, and bilateral measures to combat cybercrime. As India’s interests find commonality with those of the US, this post considers what implications the Framework has for India’s foreign policy on Internet governance.

Cybersecurity measures and the Budapest Convention

The Framework instructs on the implementation of a range of bilateral and cooperative cybersecurity measures. They include information sharing, on a real or near real time basis regarding malicious cybersecurity threats; developing joint mechanisms for practical cooperation to mitigate cybersecurity threats; cooperation in research and development; and improving the capacity of law enforcement agencies through joint training programs.

These measures bear some resemblance to Article 23 of the Convention on Cybercrime or Budapest Convention, which was drafted by the Council of Europe in 2001. Article 23 stipulates that signatories ‘shall cooperate with each other… to the widest extent possible for the purposes of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence’. The US has suggested that India should join the Budapest Convention, and reiterates this bid in the Framework to ‘[promote] the applicability of international law to state conduct in cyberspace and further exploring how it applies to state conduct in cyberspace’.

However, up until now, India has refused to sign the Budapest Convention because it was not involved or consulted in its drafting. While the insistence of the US may be a political factor India considers, this does not change the crucial problem India has with the Budapest Convention; namely that it does not sufficiently reflect India’s priorities regarding cybersecurity. In order to prevent cyber attacks, most notably from China, India’s priority is to establish an equitable and inclusive multilateral instrument, which is created with active participation from all signatories, not just those in Europe. Multilateral cooperative agreements are the most viable solution to combat cybercrimes, because the Internet, by its nature, is unconstrained by state borders, making cybercrimes difficult to attribute to a single country of origin. Thus, bilateral agreements, like the one initiated by this Framework with the US, can only go so far in combatting cybercrime.

India’s recommitment to multi-stakeholderism

In August 2015, India came out in favour of multi-stakeholderism, the model of Internet governance in which all stakeholders have an equal role to play. The Framework indicates the apparent convergence of the US and India’s approaches to Internet governance, citing bilateral support for the multi-stakeholder model of Internet governance that is ‘transparent and accountable to its stakeholders including governments, civil society and the private sector, and promotes cooperation among them’. Questions over India’s commitment to multi-stakeholderism were raised following the joint statement released in April 2016 with Russia and China. Understandably, the US had concerns following the release of this joint statement, which may have led them to ensure the language of the Framework was clearly in support of multi-stakeholderism. The consequences of this Framework for India’s relationship with Russia and China will be considered later.

However, India’s implementation of multi-stakeholderism is not without limitations. The Minister for Communications and IT has stated that India’s approach to multi-stakeholderism is qualified by national security matters, as the government’s role should be given primacy over other stakeholders in this regard. Additionally, India has yet to develop consistent and wide-ranging domestic mechanisms for implementing multi-stakeholderism, which would allow India to increase its participation in Internet governance at the international level. By including a bilateral commitment to multi-stakeholderism and continued dialogue and engagement in the Internet governance fora, the Framework can be interpreted as the US addressing India’s hesitations regarding the multi-stakeholder model. However, whether the approaches of India and the US towards Internet governance truly converge outside of this Framework remains to be seen.

Conflicting interests of Russia and China, and India as a swing state

The Framework comes after the aforementioned joint statement issued by Russia, China and India earlier this year. Paragraph 12 of this joint statement emphasised the need for a ‘broader international universal regulatory binding instrument under the UN’ to tackle cybercrime, suggesting a preference for a multilateral governance model with entrenched state sovereignty. In the same paragraph, the Ministers emphasised the need to ensure Internet governance will be based on ‘multilateralism, democracy, transparency with multi-stakeholders in their respective roles and responsibilities’. This language is nearly identical to that used in the outcome document from WSIS +10 High Level Meeting, which stipulates ‘the management of the Internet as a global facility includes multilateral, transparent, democratic and multi-stakeholder processes’. The only qualifying phrase in the joint statement that indicates the reluctance of Russia and China to embrace multi-stakeholderism is that multi-stakeholders ought to be considered ‘in their respective roles and responsibilities’.

Therefore, while the debate over Internet governance is framed as one between the increasing acceptance of multi-stakeholderism, and those who hold out for a state-centric governance model, the language used in diplomacy between the two sides is remarkably similar. As a ‘swing state’ in this diplomatic arena, India holds power as being politically valuable to both sides of the debate. If India can continue to take advantage of the flexibility in the discourse of multi-stakeholderism by appealing to both the US, and Russia and China, it can act successfully as a ‘swing state’. However, if and when India and the US commit to the agreement this Framework pertains to, India should ensure that its bilateral relationship with the US does not impede its relationship with Russia and China.

Conclusion

This Framework is part of a wider arrangement for US-India relations to deepen ties and to look to each other as ‘priority partners’ in the Asia-Pacific and Indian Ocean region. It remains to be seen whether all these provisions regarding cybersecurity will be included in the final signed agreement, but if they are included, it may contribute to the further acceptance of multi-stakeholderism on a global scale, and be an indication of cybersecurity norms to be taken up by other governments.

Global Public Interest and ICANN

By Gangesh Varma

Global Public Interest is a difficult term to define. Any attempt to define it has always been met with resistance, or dissatisfaction. Yet, it features prominently in ICANN’s universe – through its bylaws, documents and contracts. In this post, I recapitulate the discussions surrounding global public interest within ICANN’s remit, the subject of a high interest session at ICANN 55 earlier this month.

Debates surrounding the term were revived during deliberations of the Cross-Community Working Group on Enhancing ICANN’s Accountability (CCWG-Acct). It was among the most difficult issues discussed due to diverging perspectives from various stakeholders. One of the recommendations of the CCWG-Acct is to embed the concept in the core values of ICANN’s bylaws as follows:

“Seeking and supporting broad informed participation and reflecting the functional, geographic, and cultural diversity of the Internet at all levels of policy development and decision making to ensure that the bottom-up, multistakeholder policy development process is used to ascertain the global public interest and that those processes are accountable and transparent.”[1] [Emphasis added]

ICANN’s struggle with global public interest is not new or isolated to the transition process. In 2013-14, a Strategic Panel led by Nii Quaynor examined this topic. The Report of the Panel attempted a broad definition of global public interest as follows:

“ICANN defines the global public interest in relation to the Internet as ensuring the Internet becomes, and continues to be, stable, inclusive, and accessible across the globe so that all may enjoy the benefits of a single and open Internet. In addressing its public responsibility, ICANN must build trust in the Internet and its governance ecosystem.”[2]

This broad and aspirational definition formulated by the Strategy Panel did not receive complete support from the Community. However, it was not entirely rejected. This was the basis of further effort to source an understanding of the concept from the various departments within ICANN. The Development and Public Responsibility Programs Department at ICANN conducted a survey across the organization. It compiled resources and research on this subject to facilitate a discussion within ICANN’s multistakeholder Community, i.e. the Supporting Organizations (SOs) and Advisory Committees (ACs).

Following this stock-taking, the session at Marrakech also updated the Community on a workshop organised on this subject at the Internet Governance Forum last year. The workshop discussed the idea of global public interest with reference to critical internet resources[3]. It highlighted the various traditional understandings of “in public interest” that are usually associated with developing regulation. It also focussed on the linkages between public interest and human rights, including concepts like social justice, equal access, cultural diversity etc. It highlighted the regional perceptions of public interest and their possible contribution to conceptualizing ‘global public interest’. One of the key takeaways from the IGF workshop that resonated at the session in Marrakech was the idea that public interest is an aspirational goal, and cannot be fully achieved.

The diverging views fall broadly into two categories. The first sees public interest as a concept that has a specific definition that can be articulated and achieved in each case. The second is a broader perception of public interest. Here, it is perceived to be a purely aspirational goal, which must not be defined because it varies with context and could easily exceed ICANN’s limited mission. While fears of such ‘mission creep’ are not unfounded, it must be noted that public interest appears not only in ICANN’s bylaws, but also as a criterion in some of its contracts. This compels a clearer and more tangible definition of the concept.

ICANN can take a two-prong approach to this challenge. The first prong is to pursue a definition for the broad aspirational goal that can be applied across its operations. As suggested during the session at Marrakech, the starting point could be the definition of the Strategy Panel. This can be further refined and developed with the support of principles from the NETmundial meeting that were achieved through a global multistakeholder process. The Report titled “The Public Core of the Internet” is a resource that can help create the idea of critical internet resources as a global public good. This would protect the core infrastructure of the internet from unwarranted interventions by states or other stakeholders. Inspiration can be drawn from similar concepts in international environmental law, particularly that of the ‘common heritage of mankind’. The second prong would focus on key instances of specific use of public interest criteria in ICANN’s contracts and operations. Here, developing a tangible and functional definition using the inventory created is necessary. Lessons can be drawn from the conceptualization of public interest in disciplines like international investment law.

Currently, ICANN has turned to its SOs and ACs to consider this arduous task of defining global public interest. The idea of setting up a Cross Community Working Group has been suggested, and a mailing list for discussions has been set up. The Wiki page created is an invaluable resource for anyone to begin their engagement in this discussion.

[1] See page 5, and 19 of Annex 05

[2] See Page 4 of Report of Strategy Panel on the Public Responsibility Framework available here

[3] During the WSIS Process, the United Nations Working Group on Internet Governance described critical Internet resources as including the administration of the Domain Name System, the Internet Protocol addresses, administration of the root server system, technical standards, peering, and interconnection, as well as telecommunication infrastructure, including innovative and convergent technologies.

Implementing Enhanced Cooperation

By Puneeth Nagaraj

One of the important outcomes of the WSIS+10 review was the establishment of the CSTD (Commission on Science and Technology for Development) Working Group on Enhanced Cooperation (WGEC). Subsequently, the establishment of the WGEC was announced in February with Peter Major as its chair, and the nomination process to the WGEC will conclude shortly. The WGEC will be constituted by the end of the month. This affords us an opportunity to reflect on the meaning of Enhanced Cooperation (EC) and how it can be implemented.

The notion of Enhanced Cooperation can be found in paragraphs 69-71 of the Tunis Agenda. However, the term itself has been used extensively within the European Union since the Treaty of Amsterdam in 1997. In the EU, the term refers to a certain number of EU Member States (usually 9) that are allowed to establish advanced integration or cooperation without the involvement of other members. In the context of the WSIS, debate has raged on for the last decade over the exact meaning of the term. The reference in the Tunis Agenda to EC leaves room for a lot of ambiguity. During the WSIS+10 negotiations, many delegations debated over whether EC is already taking place or if structures need to be put in place to implement it. Below are three ideas for the implementation of Enhanced Cooperation.

Stakeholder Participation

First is clarifying the roles of different stakeholder groups in various Internet Governance fora. Engaging with the WSIS+10 Review has shown us that despite the emerging consensus on multistakeholder models of governance, there can be significant barriers to the participation of stakeholder representatives. The Review, unlike the Geneva and Tunis Summits, was not an open process and was driven primarily by Member States. Hence, the space afforded to other stakeholders was limited. This is against the ideal of “full participation of all stakeholders” as per the Tunis Agenda (para 31). To this end, establishing clear terms of civil society engagement in the various Internet Governance institutions should be an important function of the WGEC.

Funding Mechanisms

Second, both the Tunis Agenda and the WSIS+10 outcome document call for innovative funding mechanisms to facilitate ICT4D programmes. With the failure of the Digital Solidarity Fund, most ICT related development programmes are predominantly funded by Official Development Assistance (ODA). An oft-ignored part of the WSIS process is the governance of funding mechanisms. An allied issue is the delineation of the various UN bodies involved in the SDG process as they relate to ICTs. The WSIS+10 Outcome document stressed the overlaps with the SDG process but did not describe how this synergy was to be achieved. In the absence of an explicit ICT related goal in the SDG process, identifying the roles of organizations like the ITU, UNESCO and UNCTAD, among others, in fulfilling this dual mandate will be an important aspect of Enhanced Cooperation. The ITU has taken an important first step in identifying the overlaps between the WSIS Action lines and the SDGs. It is up to the WGEC to expand upon this effort and create synergy between the two processes.

Human Rights

Third, the crux of Enhanced Cooperation is in developing global public policy principles (Tunis Agenda para 70). One of the positive outcomes of the WSIS+10 review was the incorporation of a separate section on human rights. This recognition will be meaningless without embedding human rights into all global IG institutions. ICANN has recently, and very encouragingly, approved its human rights mandate. As the IGF also undergoes a transformation through the renewed Working Group on Improvements to the Internet Governance Forum, this is an important moment to establish public policy principles as they relate to human rights. The WGEC is the best place to create principles or governance frameworks to support human rights and other public interest issues. The UN HRC and Special Rapporteurs on Free Speech and Privacy have made important strides in this area. The WGEC should attempt to synthesize these efforts to produce adaptable standards for various IG institutions.

Puneeth Nagaraj is a Project Manager at the Centre for Communication Governance at National Law University Delhi

Three Questions on Digital Trade

By Puneeth Nagaraj

The inclusion of an e-commerce chapter in the recently concluded TPP Agreement has sparked off a debate around the world on internet issues being a part of trade agreements. In my last post I had looked at the efforts of civil society groups trying to engage with various trade negotiation processes through the EFF Meeting in Brussels. In this piece, I identify three issue areas that borrow from both trade and internet governance worlds to form some of the foundational concerns in this emerging area.

  1. Incorporating Internet Governance norms

One of the criticisms of the inclusion of internet related provisions in trade agreements has been the way it is framed. As provisions that govern e-commerce, TPP and similar new-generation trade agreements adopt a commoditized approach to internet regulation. This may not be a problem in and of itself. But, in the absence of hard law rules internationally on many internet-related issues, there is a danger that the trade law rules could become the default international rules on many of these issues. The TPP for instance contains provisions that could potentially impact privacy, the disclosure of source codes and network neutrality.

However, these issues are being resolved at either the national or regional levels through public consultations, guidelines and even legislations. One such example is the recent debate in India over network neutrality. To create a regulatory environment that gives states enough space to make rules on such issues, such domestic or regional rules as standards should be incorporated in future agreements. This will ensure that laws that are enacted from an internet governance standpoint are not superseded by commercial rules.

  2. Human Rights and Social Obligations

The problem with trade rules that often take a commoditized approach to privacy and network neutrality is that they are either human rights or have human rights implications. Privacy has over the last few years been recognised internationally as a human right. Network neutrality on the other hand has significant free speech implications and can also affect the right to access, which is also being seen as a right. There has been discussion in the past of an “Internet Bill of Rights”. While this is yet to take any tangible form at the international level, there is a group of human rights (free speech, privacy and the right to access, to name a few) that have taken on greater importance in the context of the internet.

The recognition or mention of these rights in trade agreements will, 1) ensure that these rights aren’t eroded and 2) encourage the diffusion of human rights through trading partners. This is not without precedent. The EU has for long incorporated human rights provisions in its engagement with third parties. On environment and labour issues, both the EU and US trade agreements over the last decade have included “Social Standards” that must be enforced domestically by the trading partner. Extending this treatment to internet rights will only be a continuation of existing trade policy.

  3. Excluding Developing Countries from Rule Making

The biggest impact of these agreements is the shift of the trade regime away from a multilateral setting like the WTO. By negotiating plurilateral and mega-regional agreements between a small group of countries, the TPP, TISA and TTIP (to name a few) are making new rules on trade and creating higher standards. But this also means that a large majority of countries are excluded from these rules which are likely to become the new standards for trade and also potentially affect development goals.

E-commerce chapters in the TPP and TISA (proposed) are the best examples of this phenomenon. The internet over the last decade has been an engine of growth across the world and especially in developing countries. A significant part of this has been through the exchange of goods and services online. In the absence of rules to govern the internet internationally, all countries are at a relatively equal footing to benefit from the digital economy. However, as these new generation agreements create new rules and standards for participation in the digital economy, they could also potentially create barriers for developing countries to participate in it. While there is no obvious solution to this issue, keeping the internet open and accessible should go some way in resolving it.

Resolving the above three questions should bring coherence to policy debates around e-commerce rules in trade agreements. The debate is complicated as it involves the overlap of two competing global regimes. But there are policy gaps that can be filled by engaging on the above issues in a meaningful way.

Puneeth Nagaraj is a Project Manager at the Centre for Communication Governance at National Law University Delhi

The World Economic Forum and Internet Governance

By Gangesh Varma

The World Economic Forum (WEF) held its annual meeting at Davos from 20-23 January, 2016. The theme of the meeting was ‘The Fourth Industrial Revolution’, which referred to the advent of new technologies that converge “the physical, digital and biological worlds” to create seamless ‘cyber-physical systems’. Some of the main sessions and discussions were on the digital economy, privacy, internet fragmentation etc. While these are concerns that affect internet users currently, they will determine the future of the Internet and its users.

The WEF’s interaction with the Internet and its governance is not restricted to these discussions at the annual meetings. It was instrumental in launching the NETMundial Initiative (NMI) in collaboration with the Internet Corporation for Assigned Names and Numbers (ICANN), and the Brazilian Internet Steering Committee (CGI.br). The WEF, which was founded in 1971, has always promoted a ‘stakeholder’ management approach, which essentially based corporate success on managers taking account of all interests. This would mean not merely restricting it to immediate interests such as shareholders, clients and customers, but also including employees and the communities within which they operate, including government. The natural extension of this can be seen in the WEF’s strong support for a multi-stakeholder approach to internet governance. This can be seen from its various reports and initiatives like the NMI and the Future of the Internet.

As the internet permeates deeper into the socio-economic fabric of human society it impacts various sectors. As a consequence, global fora that did not traditionally discuss the internet are impacted by it. This results in a growing number of fora that eventually discuss internet governance or any of its components. Among these, the WEF as a platform for collaboration may be considered old, but it was formally recognized as an international organization only last year. In the larger matrix of internet governance institutions and processes the WEF is merely one more addition. However, the WEF comes with extensive criticism for being a platform that is limited to an elite few while its relevance has often been debated. It has been called out for its hypocrisy while talking about climate change, gender parity and inequality.

These ironies undermine the legitimacy of the discussions and outputs from such fora. It also affects the multistakeholder initiatives they support. An interesting study hypothesizes the situation of a ‘cyber davos’ in 2025 where the world’s largest internet companies and leaders gather to celebrate the first anniversary of the internet Free Trade Agreement (iFTA). The group that conducted this study identified some of the potential threats of such a scenario as:

  • Increased dominance of big business in global Internet governance,
  • Less economic innovation and creation of monopolies,
  • Marginalization of civil society groups in Internet governance policy making,
  • Exclusion of developing countries from Internet governance policy making,
  • Increase of income inequality domestically, and between the Global North and South, and
  • Democratic institutions weakened by excessive lobbying.

Unsurprisingly, these potential risks do not seem too far into the future if the multi-stakeholder approach is not reformed. In fact they resonate with most critiques of multi-stakeholder models. The support for multi-stakeholder approaches has grown, as evidenced by the agreed outcome document of the WSIS+10 Review Process. However, the negotiations and consultations have revealed many aspects that need reform. The pitch of ICANN’s CEO, Fadi Chehadé, at Davos was on the enormous impact of the Internet on global economic growth, and the importance of the Internet as an engine of growth. Fadi is scheduled to leave ICANN in March, 2016 and enter his role as Senior Advisor to the Executive Chairman of the WEF. One can only hope that while the WEF addresses its critics, it will also invest in reforming the multi-stakeholder approach it promotes in the internet governance arena.

A New Agenda for Digital Trade: Ideas from Brussels

By Puneeth Nagaraj

This author was one of the participants in the strategy meeting at the invitation of the Electronic Frontier Foundation

The Strategy Meeting on Catalyzing Reform of Trade Negotiation Processes was held last week in Brussels. Convened by the Electronic Frontier Foundation (EFF), it brought a diverse group of actors to chart an agenda to engage with trade negotiations in the emerging area of Digital Trade. Representatives from civil society groups, academia and the private sector met together to suggest solutions to make trade negotiations more transparent and accessible.

The meeting was prompted by the recent conclusion of the Trans Pacific Partnership and its inclusion of an e-commerce chapter. The TPP is the first of many new generation trade agreements (which include both mega-regional and plurilateral agreements) that are increasingly making trade rules that affect the internet. Given that there is a global internet governance regime which does not create any hard law obligations, there is a danger of the trade law regime becoming the de facto international rules on the subject.

To address this pressing concern, the EFF convened policy practitioners and experts from both the internet governance and trade fields. Participants highlighted the need for research at the intersection of these diverse fields to understand the impact of trade agreements on the internet and the information society. The larger and more immediate concern of all participants was the confidentiality under which these negotiations are being conducted. This is also at odds with the participatory norms of various internet governance institutions, which count openness, transparency and accountability as their governing ideals.

Aside from the diverging approaches to participatory norms and governance, trade agreements are also at odds with internet governance frameworks. For instance, many internet governance fora are multistakeholder platforms which allow for the participation of the civil society, private sector and technical communities on equal footing with governments. Trade agreements or even institutions like the World Trade Organization are multilateral and allow for very little access to other stakeholders.

The approach of trade agreements to substantive issues reduces the regulatory space available on many internet-related rules. Trade agreements aim to promote trade through liberalization. This often leads to a commercialised or commoditised approach to many of the issues they make rules on. This is evidenced from the debates and cases on issues like environment and intellectual property where policies of national governments taken in public interest have come into question. Such a commoditized framework of rules has already been extended to the internet by the TPP. It is perhaps telling that the chapter that deals with internet related issues is called the ‘E-commerce’ chapter. However, many of the provisions of the chapter go beyond e-commerce and contain rules on issues like privacy, data transfers and net neutrality, which are core internet governance issues. Coupled with a dispute resolution mechanism, the trade regime on the internet could potentially subsume internet related policy making at the international level.

With these problems in mind, the participants at the meeting had to come up with workable strategies to engage with trade negotiations on internet-related issues. The meeting split into breakout groups that looked at 3 broad issues: 1) transparency and new norms, 2) advocacy and liaison with allies and 3) civil society funding, capacity building and coordination. Some solutions, like creating a civil society coordination group and creating a space for multistakeholder engagement, were on process. Others, like creating expert groups and producing research at the intersection of these two new areas, were on substance.

The strategy meeting was very useful in terms of bringing together a group of experts from two different fields. It also made everyone alive to the challenges that lie ahead in the intersectional area of internet and trade. The strategies that were suggested also reflected this diversity of thought with a mix of ideas from the trade and internet governance worlds. The meeting concluded with efforts to draft a common statement which left the participants with a rich agenda for future work on internet and trade issues.

Puneeth Nagaraj is a Project Manager at the Centre for Communication Governance at National Law University Delhi

Wuzhen 2015: Evaluating China’s Competing Vision of the Internet

By Puneeth Nagaraj

The 2nd World Internet Conference (WIC) was held in the town of Wuzhen in China from 16th-18th December, 2015. Organized by the Chinese government since 2014, the WIC is China’s attempt to present an alternate vision of internet governance, with its pitch for increased ‘cyber-sovereignty’. This is in contrast to the prevailing notion across the world that the internet should be governed by a multistakeholder model. The WIC is part of China’s effort to establish a stronger presence in the internet governance sphere, with many in China likening Wuzhen to an ‘internet Davos’.

One of the ways the Chinese government is attempting to make its presence felt is by attracting high profile names to the WIC. The 2nd edition made news for the presence of Fadi Chehade, the ICANN CEO. Chehade was also appointed to the High Level Advisory Committee of the WIC’s organizing Secretariat, a move that has come in for criticism from some quarters. He is among a list of appointees that include Jack Ma of the Alibaba group and Werner Zorn, the “father of the German Internet”. But the 2nd edition was notable for its absentees as much as it was for those who attended it. The resistance to an event like the WIC is based on China’s idea of cyber-sovereignty and fears of creating a walled internet that limits access to the internet based on jurisdiction.

In his speech at the opening ceremony of the WIC, Chinese President Xi Jinping, on whose account the conference was suddenly moved from October to December, reiterated China’s case for sovereign control of the internet. China has traditionally made the contested claim that the notion of sovereign control of the internet is based on the principle of sovereign equality, as enshrined in the UN Charter. This position is completely in opposition to the idea that all stakeholders should play an equal role in the governance of the internet given the historical role of the different stakeholders in the creation and development of the internet.

However, China’s claim to sovereignty over the internet is not without its supporters. For instance, the ITU Secretary General Zhao Houlin spoke at the WIC of the difference between internet governance which should involve all stakeholders and cybersecurity where states should play a dominant role. This is also consistent with ITU’s position as a multilateral institution which facilitates inter-state discussions on issues like cybersecurity.

On the issue of cybersecurity, China’s position is on firmer ground. The Outcome Document of the recently concluded WSIS 10-year review points to the consensus among States of the ‘leading role’ played by States in cybersecurity matters. The High Level Meeting of the WSIS Review, which happened at the same time as the WIC, presented the best evidence of this position. Countries from across the board pushed for language that reiterated the central role of States in cybersecurity issues, rejecting suggestions for a more human rights compatible approach that took on board other stakeholders. Thus, the opposition to China’s push for greater prominence in the internet sphere is not based merely on its support of cyber-sovereignty.

Rather, the resistance stems from a deeper mistrust of China based on the government’s domestic stranglehold over the internet. Activists have long protested China’s blocking of many popular services like Google, Facebook and Twitter which continue to remain unavailable in China. Ironically, it has been reported that international participants of the 2nd WIC were surreptitiously given access to these sites through special devices and ‘cheat codes’.

Yet, commentators are divided over whether the wider international community must engage with an event like the WIC. Some advocate a healthy scepticism towards China’s own policies, but point to the benefits of engaging directly with the Chinese government on what is meant to be an international platform for internet governance. Others argue that despite the marginal benefits of engaging with China, large scale attendance of the WIC would grant legitimacy to the arguably repressive policies of the Chinese government.

Criticism notwithstanding, China is committed to making WIC a platform where a competing vision of internet governance can gain traction. Whether this actually happens depends on 1) how open and accessible the next editions of the WIC are to the wider internet community; and 2) how willing the Chinese government is to engage in other internet governance fora that are more multistakeholder than multilateral. China has already succeeded in similar initiatives in other issue domains like trade, where it hosts an annual trade fair that is widely attended. Appointing a High Level Advisory Board comprising the CEO of a multistakeholder institution like ICANN and an internationally well regarded figure like Jack Ma (who is part of the coordination council of the NetMundial initiative) seems like a step in the right direction. It remains to be seen if this will lead to other such moves or if the WIC will be confined to a corner of the internet governance map.

Puneeth Nagaraj is a Project Manager at the Centre for Communication Governance at National Law University Delhi

No Recognition for the New Generation of Digital Rights

By Puneeth Nagaraj and Gangesh Varma
The original article was published on The Wire on 5th January, 2016.


Plenty of Loose Ends. Credit: Pascal Charest/Flickr CC BY-NC-ND 2.0

The international community’s attempt to shape a new agenda for the Information Society by taking forward the Declaration of Principles and the Tunis Agenda adopted over a decade ago has produced a mixed bag that disappoints more than it pleases.

The WSIS was a two-phase summit which was initiated in 2003 at Geneva and had its second phase in 2005 at Tunis. The summit was a reaction to the growing importance of information and communication technologies (ICTs) in development and a recognition of the crucial role the Internet played in shaping the landscape of the information society. The first phase in Geneva focused on a wide range of issues affecting the information society including human rights, and ICTs for development. The Tunis Agenda in 2005 was focused on developing financing mechanisms for ICT for development and governance of the Internet. The Tunis Agenda was also the first time a globally negotiated instrument articulated a definition of Internet governance and incorporated the notion of multistakeholder governance. However, it was a negotiated outcome in the debate between multilateral and multistakeholder models in global governance. This resulted in the inclusion of the ambiguous concept of ‘Enhanced Cooperation’ which was conceived as a device to discuss unresolved contentions.

The ten-year review in 2015 was meant to take stock of the changes in the information society since Tunis and create a new agenda for the next decade. The conclusion of the high level meeting with an agreed outcome document means the negotiations were completed successfully. But the outcome itself is a qualified success at best.

Outcome document

The review process has revealed that while there are new concerns that have emerged from the evolution of the Internet and its uses, the underlying debates still remain the same. For instance, human rights and cybersecurity were both issues that were covered by the Tunis Agenda. But the fact that they have their own sections in 2015 highlights the increased importance of both these issues. Internet governance, on the other hand, is an issue that has not moved in the last 10 years.

World leaders at WSIS 2003, Geneva, where the original Declaration of Principles were adopted. Credit: Jean-Marc Ferré


The inclusion of a separate section on human rights has received praise from all quarters. It is also a testament to the increasing importance of human rights in the information society. The acknowledgement of human rights resolutions from other fora like the Human Rights Council and human rights instruments like the International Covenant on Civil and Political Rights and the Universal Declaration of Human Rights is encouraging. This means that nations have an additional mandate to respect human rights obligations while dealing with the Internet and ICT issues. At the same time, it must be noted that no reference was made to the International Covenant on Economic, Social and Cultural Rights which is especially pertinent for countries from the Global South.

It is also disappointing that the document fails to recognise a new generation of ‘digital rights’ that have increased in importance over the last decade. There is only a passing reference to privacy and there is no mention of network neutrality at all. It appears from the statements at the General Assembly that countries like the US and UK were not very keen on privacy and network neutrality. On the other hand, many European countries, notably the Netherlands, were pushing for stronger language on these issues. The outcome text is a negotiated compromise on many issues and the human rights language is the best example of this. But the fact that it ignores widespread public sentiment on issues that will be at the forefront over the next decade is worrying.

On Internet governance, the outcome text calls for immediate, concrete action on Enhanced Cooperation and greater participation in Internet governance institutions. But if this section of the outcome document is compared with the Tunis Agenda, it would seem like nothing has changed in the last decade. The outcome document is an attempt to update many foundational concepts in Internet governance such as Enhanced Cooperation and multistakeholderism. India, for its part, reiterated support for a multistakeholder model but also drew attention to the importance of greater representation and participation of actors from the developing world in multistakeholder platforms. One such platform is the Internet Governance Forum (IGF), whose mandate was extended for another 10 years. Unfortunately the conditionalities of the extension, including showing tangible outcomes on issues like accountability and representation, were diluted during the final negotiations. The outcome document thus failed to adequately address many pressing issues like the need for greater accountability and meaningful participation on Internet governance platforms.

Increasing threats to cybersecurity and the difficulty in dealing with cybersecurity are concerns that all countries were alive to. For developing countries, the capacity to deal with such threats heightened the importance of this issue. The outcome document reflects this position with a separate section on cybersecurity. It recognises the central role of states in dealing with cybersecurity issues, but also acknowledges the role other stakeholders have to play. The role that cybersecurity measures have to play in securing development projects through ICTs and the Internet has also been highlighted. However, the cybersecurity language fails to acknowledge the need to create a safe and secure Internet ecosystem for all users. As it stands, this section takes a securitised view of the Internet. This is unfortunate given that an earlier version of the document circulated last week took a more nuanced approach that focussed on cyberspace as a safe platform, whereas the outcome document takes a protectionist approach. However, like the human rights text, it appears that this was a casualty of negotiated compromise.

India’s Role

India played a critical role in negotiations, and contributed to an international agreement around the idea that all stakeholders, and not just governments, need to be a part of conversations about Internet governance. Speaking at the high level meeting of the 10-year review of the World Summit on Information Society (WSIS), the Indian delegation emphasised the role the Internet and ICTs have played in the country’s remarkable growth story over the last decade. India, along with other developing nation delegations, was also quick to point out that there is still a lot of work to be done in connecting the four billion people worldwide who have no access to the Internet.

Broadly speaking, India played a crucial role in these negotiations as a key swing state. On many contentious issues, the country played a facilitative role. On issues where the stated government policy aligned with the middle ground, like multistakeholderism and human rights, India took strong positions that helped achieve consensus. This was evident from its statement at the General Assembly supporting multistakeholderism but calling for greater representation. Similarly, India supported the outcome document on many issues like Internet governance, access and development but highlighted its own priorities in the process.

India’s role in bringing the WSIS negotiations to a successful conclusion has not gone unnoticed. Its unequivocal positions on contentious issues have come in for praise in the international community. However, the most difficult part of the process lies ahead in realising the WSIS vision and achieving the SDGs (sustainable development goals) over the next decade. India certainly has a big role to play in fulfilling both these international mandates and domestic development goals. It remains to be seen if it can rise to the challenge.

Puneeth Nagaraj and Gangesh Varma are Project Managers at the Centre for Communication Governance at National Law University Delhi