The telecom regulator may soon propose a simple regulatory framework for cloud computing
India may not take a heavy-handed approach in regulating cloud computing. The telecom regulatory authority of India (TRAI) is expected to submit its recommendations on cloud computing to the department of telecommunications (DoT) in the next couple of months, says an official aware of the matter. In its submission, the regulator is considering industry-friendly rules governing cloud technology – in line with the goals of the national telecom policy (NTP), 2012, which envisions India as “a global leader in the development and provision of cloud services”.
The TRAI and the ministry of electronics and information technology (MeitY) are the two government bodies that have been working in parallel to create an enabling environment for cloud computing for the last five years. But the two have not been working in tandem. Both are working separately on cloud computing framework, each with little or very less communication with the other, creating confusion in the industry and among users.
As per the 2012 telecom policy, the government proposes to take “new policy initiatives to ensure rapid expansion of new services and technologies at globally competitive prices by addressing the concerns of cloud users and other stakeholders”.
In 2012, the DoT had written to TRAI seeking its views on issues around cloud computing such as interoperability, security, quality of service and industry incentive. Four years later, in June last year, the regulator issued a consultation paper on cloud computing, requesting feedback on a set of 21 questions. Various industry associations, including Nasscom and the Cellular Operators Association of India (COAI), had appealed against heavy-handed regulation in their submissions to the TRAI.
Major concerns related to cloud computing
Interoperability: It is essentially the ability to communicate across different systems. For the cloud, it means software and applications should be portable, able to run across different service providers. Each cloud service provider creates its own processes for a user, leading to issues such as vendor lock-in, portability and inflexibility to use multiple vendors.
Data security: Deletion of records without back-up of original content poses a threat to data security. Lack of proper data protection techniques and legal laws are major factors that deter organisations or users from using the cloud.
Data privacy: Data on cloud is usually distributed, raising concerns around jurisdiction, data exposure and privacy.
Data ownership: Terms and conditions of CSPs may sometimes suggest some medium of ownership rights, even without legal transfer. It leads to data security threats emerging from the possibility of misuse of data by CSP. It leads to several challenges, including vendor lock-in.
Lawful interception: With numerous developments in cloud computing, previous methods of lawful intercept are no longer valid; it needs new thinking. As there is an issue of multi jurisdiction, there should be an alternate way to impose restriction on cross-border movement of some critical information like tax returns, financial transactions and health records.
Source: TRAI consultation paper on cloud computing, 2016
Keeping in mind the concerns raised by the industry, TRAI is planning to mandate registration of cloud service providers (CSPs). For this, companies based abroad may have to set up an office in India. TRAI, however, may not propose licensing of CSPs – an option stated in the consultation paper.
According to TRAI’s consultation paper, the CSPs come under the Telegraph Act, which defines cloud as “a means to send and receive data operating by way of a closed network or the internet”. Hence, it could be subjected to licensing provisions, which involves stringent legal and security compliances, keeping licencees on their toes.
The regulator, the official says, would not mandate interoperability standards; it would leave it to the market forces. In order to protect the interests of small and medium enterprises that may not understand technology, TRAI would formulate a model service level agreement (SLA), which will incorporate factors such as redundancy, latency, 24x7 availability, security and privacy.
“It is not much of a challenge for informed consumers, especially the large corporations. They sign SLAs, which take care of most of the issues around security, data protection and vendor lock-in, among others. For the uninformed customers, the regulator believes that interoperability should be part of SLAs, as information asymmetry is high between the buyer and seller,” the official says.
The regulator doesn’t recommend data localisation, that is, hosting of data centres within the country. Major internet and cloud corporations are based in North America and Europe, and so are their data centres. The access to data is governed by the respective laws of the host countries. For the Indian law enforcement agencies (LEAs), obtaining data from these corporations takes a long time, hampering their work.
To address the challenges faced by the LEAs, the regulator would propose instead expansion of the mutual legal assistance treaty (MLAT). The MLATs are mainly related to criminal extradition. But provisions related to sharing of information are not entirely covered under MLATs. “These agreements should be made more exhaustive,” the official says. India has signed MLAT deals with 39 countries, including the US and the UK.
“The government should not hinder the growth of cloud technology through localisation policy. It is, moreover, not easy to dictate such a policy to major corporations,” the official says.
Also, the obligations under Article 14 of the WTO General Agreement on Trade in Services caution governments against localisation policy. Yet the regulator may recommend hosting of the government and highly sensitive data in India, the official says.
In a first, the TRAI would propose that the instructions seeking user data from CSPs should come from a judge and not a secretary of the government of India. “In the US, the instructions for seeking information come from judges and not secretaries. TRAI is proposing somewhat this kind of mechanism,” the official says.
The MeitY, on the other hand, has kept away from formulating legal provisions concerning cloud computing so far. Currently, the ministry is preparing a second list of empanelled CSPs. The list includes Airtel, Reliance Jio and Amazon Web Services. It has also formulated a model SLA and guidelines for user government agencies that will enable them in the procurement of cloud services.
Last year, it brought out the first list of empanelled CSPs. These CSPs can be approached by the government user agencies for rolling out their applications and services.
Initially, MeitY began its policy work on cloud in 2013 when it formed a working group headed by Infosys co-founder Kris Gopalakrishnan for making government the enabler for the cloud ecosystem and adopting a cloud policy intervention for legal and regulatory framework. The group had submitted its report in about two years. Around the same time, officials in charge of the cloud initiative either left or were transferred to other projects. The details of the working group’s report are not known yet.
The ministry had also planned to set up an architecture management office (AMO) and cloud management office (CMO) for project design and implementation. Three years later, it is yet to form these bodies, and a policy on cloud. According to a ministry official, MeitY may consider setting up a CMO. Whether it would address legal and regulatory aspects remains to be seen.
The cloud ecosystem, however, is a combination of organisational, legal, regulatory, infrastructure and technological aspects. “All have to be dealt with simultaneously,” says a former senior MietY official.
In terms of technology, interoperability standards play a crucial role when users want to use multiple clouds or when they want to switch from one service provider to another. In its absence, integration between software hosted in different clouds would be a major challenge.
There is also a need for an exit policy and migration – when a user wants to switch service providers, the user must be assured by the existing CSP that its data has not been illegally stored and that the migration to the new service provider is done without any hassles.
Cloud computing also requires amendments to the IT Act, 2000, for issues related to security, liability, data ownership and access to LEAs, the official says. Lastly, there is need for synergy at the higher levels between the communications ministry and MeitY so that CSPs and users have clarity on rules and regulations.
(The article appears in the August 1-15, 2017 issue of Governance Now)