Regulating OTT Communication Apps
We know that the Draft Telecom Bill 2022, has stirred a debate on reigning the OTT communication apps under the telecom regulatory framework. But the real question here is — why does the GOI feel the need of doing so when all OTTs are already regulated under the IT Act (Section 79) and the Intermediary Guidelines Rules of 25th Feb 2021? And that too when GOI is not interested in bringing OTT communication apps at par with Telecom, especially in the dimension of collecting license fees and legal interception? In my view, what the GOI is really interested in is ensuring that the OTT app providers verify their customers, on the same lines as the telecom service providers do. The purpose of this note is to understand how bringing the OTT communication apps under the Telecom Act will enable the GOI to achieve its objective, and whether there are any technical limitations that need to be overcome.
Information Technology Act
Key Provisions
Section 1(w) of the IT Act defines an intermediary as follows.
8 [(w) “intermediary”, with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places, and cyber cafes;]
However, Section 79 of the IT Act provides some comfort to the intermediaries by exempting them from liability under the IT Act in cases as described in Sub Section (2).
(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted; or
(b) the intermediary does not —
(i) initiate the transmission,
(ii) select the receiver of the transmission, and
(iii) select or modify the information contained in the transmission;
Further, the “intermediaries” are regulated under the Intermediary Guidelines and Digital Media Ethics Code Rules, of 2021. The provisions of these rules which are relevant to this discussion are listed in Part II under the heading — Due Diligence by Intermediaries and Grievance Redressal Mechanism, described under.
3(1)(a) — the intermediary shall prominently publish on its website, mobile-based application, or both, as the case may be, the rules and regulations, privacy policy, and user agreement for access or usage of its computer resource by any person;
3(1)(b)the rules and regulations, privacy policy, or user agreement of the intermediary shall inform the user of its computer resource not to host, display, upload, modify, publish, transmit, store, update or share any information that —
The key rules under 3(1)(b) and are reproduced below.
3(1)(b)(vi) deceives or misleads the addressee about the origin of the message or knowingly and intentionally communicates any information which is patently false or misleading in nature but may reasonably be perceived as a fact;
3(1)(b)(vii) impersonates another person;
Then under Clause3(1), an intermediary is empowered to remove users from the network if found violating these rules as described below —
3(1)(c )— an intermediary shall periodically inform its users, at least once every year, that in case of non-compliance with rules and regulations, privacy policy, or user agreement for access or usage of the computer resource of such intermediary, it has the right to terminate the access or usage rights of the users to the computer resource immediately or remove non-compliant information or both, as the case may be;
Key Takeaways
A) Both OTT communication service and telecom service are categorized as intermediaries and have to comply with all the provisions of the IT Act of 2020. But unlike the OTT providers, the telecom service providers are additionally regulated by the Indian Telegraph Act of 1885.
B) There are no provisions in the IT Act that mandates an intermediary to verify its customers before they are allowed entry into its network. However, the Telecom Act has such provisions.
The Telecom Act
KYC Provisions
Till march 2017, as per DoT’s directions, the telecom operators boarded new customers using aadhar based eKYC. The process was fast and easy and saved the telecom operators lot of time and money.
Then on 23rd March 2017, the DoT (based on the SC judgment dated 6th Feb 2017 — Lokniti Foundation vs Union of India) issued a direction to all access service providers to also verify their existing customers using eKYC. The idea was to fish out all grey and dark elements from the network and map SIMs to real people holding Aadhar numbers.
The came SC judgment of 26th Sep 2018 (PUTTASWAMY vs UOI), wherein SC Supreme Court clearly said it’s not mandatory to make Aadhaar Card a means to identify oneself everywhere. But it can be made mandatory by bringing a law, if important.
On 26th Oct 2018, the DoT issued a direction and discontinued the process of verifying customers using aadhar based eKYC. This was done with the purpose of complying with the SC judgment above.
Then on 4th July 2019, the parliament passed a new law, which amended the Telegraph Act of 1885 (Part III, Section 24)— making eKYC using aadhar mandatory.
Then on 21st Sept 2021, the DoT issued new KYC reforms as a part of the telecom package, that further empowered the operators to leverage eKYC for outstation customers and bulk users.
Then on 3rd Oct 2022, the UIDAI launched Aadhaar Paperless Offline e-KYC to allow Aadhaar number holders to voluntarily use it for establishing their identity in various applications in a paperless and electronic fashion, while still maintaining privacy, security, and inclusion.
From the above, one can clearly see that Aadhar-based authentication has not only evolved into an accepted mechanism but also has undergone an elaborate process of legal scrutiny for allowing such services where “mapping the user’s identity” is a real concern of the state.
OTT & Telecom
On 29th Oct 2022, I had written a note wherein I compared the OTT communication services with that of the telecom. On this note, I concluded that regulating OTT in the same line as telecom is not just imprudent, but also totally unnecessary and inefficient.
But let’s understand the GoI’s concerns.
A) OTT apps like Whatsapp have become more pervasive than normal voice calls. Why? These calls sound clear and are of better quality, and provide services — like conferencing (voice and video) that are more powerful and seamless if compared with normal voice telephony, thereby making conventional voice-based telephony totally redundant.
B) Though OTT users are mapped to the same telephone number which is already aadhar verified, however, once the verification is completed, it is not mandatory for the OTT user to remain on the telecom network for them to keep using the service. They can be on a Wifi network or keep using the service even when the number (to which it was originally mapped) gets deactivated by the TSP.
The objective — If the eKYC of both systems, the OTT and the Telecom was mapped to a single number, and both operate in tandem, then once one is removed from the system the impact on the other percolates instantaneously.
Technical Issues
Technically both OTT and Telecom work differently. A telecom call is physically mapped to the SIM and the network, whereas an OTT call, is mapped to an IP address. OTT sees the telecom network as a pure IP data network, whereas conventional voice users see the telecom network as a managed data network where the services like voice, SMS, and local content (allowed under the Net Neutrality rules) get priority.
Controlling Access — Telecom vs OTT
To block a telecom call, you just have to block the SIM binding of the handset, whereas to block an OTT user one has to block the IP address. These IP addresses are dynamically assigned, and therefore it will be impossible for the GoI to block OTT users unless the OTT provider has direct access to the SIM each time a call is invoked.
Another way to block an OTT call is to force a User to log in each time he is planning to use the service. Hence, if DoT wants to take out an OTT user it can ask the OTT provider to disable his login credentials.
Controlling Access — OTT Service (Issues)
Now the real question one needs to ask is, can an OTT provider be allowed direct access to the SIM of the mobile? If yes what kind of security concerns it might raise? Also, how many such OTT players will get such access, and who will not? How will the GoI prevent such apps to function who are not granted access to the SIM?
If users mapped to a login ID, is forced to login each an every time, will it not make the service less seamless to the customer? Else a blocked user will continue to use the services till the time he is forced to login again. Also, how will the incoming call to a user be disallowed who has been blocked but is curretly logged in?
These are difficult questions, and I am sure many of these will be technically feasible to implement, but not before the existing system has gone through a major overhaul. Such a task will need time, but more importantly, will have cost implications — not only in India but globally. Hence, before we take the decision of folding the OTT-based communication apps under the Telecom Act, the implications — i.e cost-benefit equation, need to be studied carefully.
Conclusion
It is clear from the above discussion that the decision to bring an OTT app provider under the framework of telecom licensing will not be easy. The implications are huge — not only in India but around the world. On one hand, India is making its digital pipe thicker & faster (with 5G and additional spectrum), and on the other hand, excessive controls on the users will dampen user experience. A close analogy will be asking folks to drive at 40 Kmph on highways that can support speeds of 150 Kmph to prevent fatal accidents. If such a restriction is imposed then making such a huge investment to build the super highway looks totally redundant. No? I am sure both GoI and the OTT providers will collaborate and find a solution that will serve both purposes so that consumers’ interests — the sole purpose of this exercise, are protected.
(Views expressed are my own and do not reflect that of my employer)
PS: Find the list of other relevant articles in the embedded link.
