#37: Varieties of tech and their regulations
Some data protection better than none, Missile designs and variants, Splinternet: A second cut.
Cyberpolitik: Some data protection better than none
— Shailesh Chitnis
It's been a tortuous journey for India's data privacy bill. After years of deliberation following the 2017 Puttaswamy judgement, the draft Data Protection Bill was shelved this August, just days before being out to vote. The bill's provisions were so contentious that both businesses and privacy rights advocates were united in their condemnation of the bill.
Last week, the government released a much-shortened draft of the bill, reworked it said, to account for the objections. This time around, technology companies are happy. But those worried about data misuse and lack of government accountability have even more to fret about.
What's different in 2.0?
The draft of the Digital Personal Data Protection Bill (DPDP) of 2022 has some notable changes from its previous avatar.
The draft bill has softened provisions concerning data localisation. Instead of mandating that digital platforms retain Indian consumers' data within India, the bill allows for cross-border data flows within "trusted geographies". The definition of these geographies is something that the bill has left open and will be laid down at a later date.
The climb down by the government on this issue is welcome. Enforcing data localisation requirements on technology platforms was never going to be practical or economical. It would have also created disparity by increasing costs for smaller players.
The bill removes any distinction between sensitive personal information and personal information. The implication is that your phone number, email id etc., are treated on par with your health or bank records. Depending on the data type, there isn't any notion of graded security or compliance requirements. This is troubling as it is not on par with best practices for data legislation.
The bill has formalised the role of "consent managers". These digital platforms intermediate between consumers and businesses, allowing users to manage their data consent.
The draft bill has also increased the limits for non-compliance or data breaches significantly. For instance, the fine for lax security practices resulting in data breaches has been increased from Rs. 5 crores to Rs. 250 crores. However, the bill has eliminated any recourse for a data principal (the consumer) from seeking a penalty from the data fiduciary (the business) for damages resulting from data violations.
Codifying the surveillance state
But the most significant change in the draft bill is the extent to which the centre is exempt from any provisions. While the previous version required the government to demonstrate grounds for an exemption, the draft does away with this language. More troubling is that any instrumentality of the state is now outside the purview of this bill.
Further, the bill introduces the concept of deemed consent for situations where the data principal is assumed to have given consent based on their actions. For most of the scenarios outlined, the notion of deemed consent seems reasonable. However, in the final clause of this section, the bill allows the data fiduciary to assume consent for "any fair and reasonable purpose". This broad categorisation gives both the government and businesses justifications to collect user data under the guise of deemed consent.
Finally, the constitution of the Data Protection Board, the body tasked with regulating this bill, is entirely under the Union government's purview. This is a problem. Conceptually, the DPDP bill has taken a principles-based approach in defining data regulation. As a result, the bill is much shorter and is focused on defining the spirit of the regulation and leaves the actual implementation and interpretation to the Data Protection Board. Data regulation is a new area for India, and an independent board is necessary to define the frameworks and adjudicate corner cases. With the board completely under the Union government, it's hard to see the board rule on topics that are critical of the government.
Glass half-full view
And yet, despite all its flaws, passing the bill would be a good start. This bill is the first step in formalising India's data ecosystem. The growth of Aadhaar-based transactions, UPI and other experiments in the digital stack has led to an explosion in the amount of data generated. In the absence of any regulation, consumers have no recourse if their data is misused. The bill is also friendly to technology companies that now have clarity on the proper use of the data.
If, and it is a big if, India gets an independent regulator, much in the mould of the Telecom Regulatory Authority of India (TRAI), (especially the one in the early days of the mobile rollout), consumers and businesses will get a regulator that's agile to changing norms and technology.
(For a discussion on the bill and its implications, please listen to the accompanying podcast episode of All Things Policy.)
Antariksh Matters: Missile designs and variants
— Pranav R Satyanath
Last week, watchers of Russia’s missiles and rocket programmes were greeted with some never-before see pictures of R-36M2 (NATO designation SS-18 Mod 5 “Satan”), a “heavy” ICBM, currently serving as the backbone of Russia’s land-based nuclear arsenal. For the first time in 40 years, the public was given an unprecedented look at the upper-stage of the heavy ICBM. While we know quite a lot about American missile designs, including images and descriptions of the deployed Minuteman IIII, we have known very little about Soviet/Russian missiles — until now. A blogger who goes by the handle MilitaryRussia.ru recently posed snapshots of the footage aired on Russian television. What we see is fascinating.
The first image is of the R-36M2’s fairings, which house the upper stage of the missile and the ancillary systems that support the upper stage. The missile is designed to carry up to 14 nuclear warheads and are carried by the missile bus through an innovative two-level system. The first level carries first seven while the second level carries the rest. The two-level approach to packaging allows for the warhead bus to be relatively compact and potentially reduce the radar signature of the bus. This design is quite different from the American counterpart, the LGM-118A Peacekeeper (also called the MX or “Missile Experimental in the early days), a solid-fuelled ICBM designed to carry 10 nuclear warheads. The warhead bus has a relatively large diameter, with all ten warheads placed in a circular arrangement.
Upper stage of the R-36M2 ICBM
Warhead bus from the LGM-118A Peacekeeper ICBM
Soviet-era missiles were historically designed to carry a single high-yield warhead instead of several lower-yield warheads. The missiles were also propelled by storable hypergolic propellants, since Soviet design bureaus were more accustomed to building such type of missiles and rockets. The Americans were quick to leave behind liquid propellants for solid-fuel missiles. The comparison of Soviet and American missile dimensions is shown in an old (and somewhat misrepresenting) US Department of Defense diagram.
Comparison of US and Soviet missile dimensions
While some might consider such details to be fun facts from history, we must also remember that legacy deigns continue to have an impact on the missile designs of the present. The RS-28 Sarmat, which is set to replace the R-36M2, is also a liquid-fuelled missile that can potentially carry 14 warheads, sharing several features from its predecessor. The next-generation American ICBM called “Sentinal,” is currently in development. Although we know very little about its design, we know for certain that it will be a solid-fuelled missile capable of carrying multiple warheads, similar to the Minuteman III and the Peacekeeper.
Matsyanyaaya: Splinternet: A second cut
— Priyanshi Goel
In the previous edition of Technopolitik, we covered a fascinating paper that analyses the history and future of “splinternet”. In this edition, a student of of Takshashila’s Graduate Certificate in Technology and Policy (GCTP) is providing a fresh look at the paper. Read it below!
The fragmentation of the Internet can be discussed in the context of its different layers: content, logic and infrastructure. The content on the Internet, as the name suggests, is the information that most of us see on our screens. In this context, the Internet was always fragmented. The Great Chinese firewall is a case in point.
The infrastructure of the Internet, which primarily consists of telecom hardware, was also broadly fragmented since most of it was largely state-owned till the 1990s and had its own standards.
The logic layer constitutes the transportation, network, application and network access functions of the Internet. These include the Internet Protocol (IPv4, IPv6), the Domain Name System, the Border Gateway Protocol, and the Public Key Infrastructure. So far, the logic layer of the Internet has largely maintained its globalised nature. The prospect of fragmentation of the logic layer of the Internet is the focus of a report by ETH Zurich titled “One, Two, or Two Hundred Internets?”.
The report clearly distinguishes between the fragmentation and bifurcation of the Internet.
“Internet bifurcation and fragmentation are related and not entirely mutually exclusive developments. If fragmentation is a move towards 193 “national internets”, bifurcation is simply the extension of Internet nationalism to the two superpowers.”
The emphasis on bifurcation has largely been placed in the context of US competition with China since it is the only country that can engage in a full-stack internet competition with the US.
The report particularly emphasised future internet architectures, which can compete with each other or enable Internet fragmentation. One such clean slate architecture is the ‘NEW Internet Protocol (IP)’, rebranded as “Future Vertical Communication Networks”, proposed by Chinese tech giant Huawei.
NEW IP, in broad terms, is a proposed version of routing, which enables future Internet services relevant to application areas such as the Industrial Internet, smart agriculture, cloud driving, holographic communication, and IP mobile backhaul transport in 5G and beyond 5G networks. It is argued that the current Internet architecture has no mechanism to provide end-to-end guarantees of throughput, maximum latency (in-time), and precise latency (on-time, no “jitter”). The NEW IP aims to enable such guarantees through a new contract field inserted between the header and the payload of data packets. Moreover, it contains a flexible addressing scheme to enable communications between heterogeneous networks.
While the idea looks promising and largely technical, it has become a point of contention, with several political under-moorings. Objections have been raised by RIPE (the regional Internet registry for Europe), the IETF, the Internet Society, ICANN, and the European Telecommunications Network Operators (ETNO).
One of the most fundamental concerns stems from general distrust towards Huawei and its relationship with the Chinese Communist Party (CCP). Though China has yet to campaign for the NEW IP at the ITU openly, it is unlikely that Huawei would have proposed this idea without the nod from CCP.
The fact that the idea has been proposed at the International Telecommunication Union (ITU) and not Internet Engineering Task Force (IETF) has become another point of contention. To point out a difference, ITU is a specialised UN agency for ICT governance and largely consists of member states. On the other hand, IETF is a non-profit standards-setting organisation of technocrats and civil society. This has raised debates on Multistakeholder vs Multilateral governance of internet architectures. Other issues include the notion that, perhaps, the idea that current IP infrastructure is inadequate to meet the needs of future Internet is overstated, the lack of specifications from Huawei causing uncertainty on operational readiness of the idea, increased intelligence in the network creating greater surveillance capacity in nation states, and protocol fragmentation that may arise from decadeslong migration to new IP, requiring tens of billions of IP-enabled nodes to interwork and interconnect with the new system.
Another point of discussion in the report is around SCION (Scalability, Control, and Isolation On Next-generation networks), another clean-slate inter-domain routing architecture focused on security and high availability developed at ETH Zürich.
“SCION is the switch from governance mechanisms with global scope to clusters of autonomous systems with shared local governance institutions. It calls these clusters isolation domains (ISDs)….ISDs can but do not have to correspond to the political borders of states.”
It promises to provide an alternative to Border Gateway Protocol (BGP), with greater path control, flexible end-host addressing, variable levels of trust in web public key infrastructure (PKI) and a clean slate DNS called RHINE. In other words, SCION can be regarded as an attempt at a new internet.
SCION is largely seen as a fragmentation-enabling architecture due to three reasons:
“First, the fact that RHINE is designed to be able to operate with multiple competing DNS roots is not merely adding transparency about alternative DNS roots. It adds interoperability and thereby makes it easier to implement national DNS roots.”
“Second, a decrease in compliance cost with data localisation laws might lead to induced political demand and even enable new types of laws that would route data away from geopolitical fault lines and essentially create a whitelist or blacklist of countries and regions.”
“Third, making end-host addressing more flexible can enable more privacy in liberal countries. However, it could also make it easier for states to implement laws that strongly bind Internet users to their real-world identity, thereby enabling domestic surveillance and censorship.”
Moreover, the very idea of an alternative DNS root, RHINE, seems sufficient to make the west a bit uncomfortable.
The issue of fragmentation of the Internet has been analysed on two platforms- flexible addressing and interoperability. Regarding flexible addressing, the report argues that both NEW IP and SCION act as a counteract to internet fragmentation by handling h IPv4 and IPv6 addresses. At the same time, the flexible addressing mechanism in NEW IP creates concerns for privacy, which can well be exploited by authoritarian states.
It has also been pointed out that while SCION’s DNS RHINE improve the interoperability of different naming structures, it can also create incentives for national DNS and hamper the development of global Internet brands. On interoperability, the report contests the idea that these new architectures would be intentionally created to be non-interoperable with existing IP suits. It has been pointed out that network effects favour non-interoperability only for the dominant player in the market, which can kill the new competitors by refusing to cooperate with them. Neither the NEW IP nor the SCION is in that position at this point in time.
In fact, at this point, the report added that the US, and not China, may favour non-interoperability to preserve its dominant position in internet technology. “The US aims to maintain its globally dominant position on the infrastructure, logic, and content layers through the legal non-interoperability of bottlenecks of the tech stack with key Chinese companies …. The main reason why it works is not network effects in the narrow sense but the vertical network effects of the entire US-ICT stack…. Not all these subfunctions (of everyday ICT functions) are equally technologically complex and concentrated; however, the US is dominant across enough bottlenecks that it can leverage legal non-interoperability with secondary sanctions on them against any competitor that produces leading technology on a specific subfunction.”
In this sense, the report takes an objective and balanced view of the prospects of internet fragmentation. While highlighting the technicalities involved in the issue, it avoids painting a doomsday picture of the situation and generates a sense of caution on current developments in internet architecture.