CIS Submission to TRAI Consultation on Proliferation of Broadband through Public Wi­Fi Networks

Preliminary Comments

Even in the early to mid-seventies, many Indians who wanted to own a radio receiver were expected to get a license from the government. If not then they were in violation of the law and there was nothing the government could do to enforce policies for their benefit. The deregulation of radio ownership has been key to its unfettered adoption and popularity today. Similarly, Wi-Fi, a radio transceiver must be deregulated further to bridge India's digital divide.

Before addressing specific questions posed by the Paper, we would like to make the following observations:

1. The Paper considers only commercial models for the provision of public Wi-Fi networks. This is a problematic assumption as it ignores the potential of not-for-profit models that involve grassroots communities, academia and civil society.
2. The Paper is infused with a vision and philosophy that is reminiscent of a colonial, license raj, centralized, top-down, command and control based, state monopoly paradigm. This is diametrically opposed to the foundational ethos of the Internet.
3. The Paper assumes that more regulation is required in order to ensure mass adoption of public Wi-Fi. In fact, the exact opposite is true - the rapid proliferation of broadband through public Wi-Fi networks will only be accomplished by aggressive deregulation.
4. The technological architecture being advanced by the Paper signals support of governance cum surveillance projects such as Aadhaar aka UID, India Stack, UPI and related projects which only undermine cyber-security and interferes with healthy competitive market dynamics between commercial and non-commercial actors. Again this is diametrically opposed to the foundational ethos of the Internet and a modern democratic information society.

Q1. Are there any regulatory issues, licensing restrictions or other factors that are hampering the growth of public Wi-Fi services in the country?

The most pressing issue which is hampering the growth of public Wi-Fi services in the country is that of over regulation. Under the current regulatory framework, public Wi-Fi is subject to licensing requirements, data retention, and Know-Your-Customer ("KYC") policies. The next issue is paucity of spectrum. So far the approach has been to assign exclusive property rights to certain frequencies and also raise billions of US Dollars through spectrum auctions based on the Supreme Court's understanding of spectrum as a national resource. Given the advancements in transceiver technologies, such as cognitive radios, it is possible for us to transcend the grid-lock of property rights and embrace paradigms like shared and unlicensed spectrum. Innovative technologies and neutral allocation of unlicensed spectrum will result in the growth of public and community wireless networks including those built on the Wi-Fi standard.

Q2. What regulatory/licensing or policy measures are required to encourage the deployment of commercial models for ubiquitous city-wide Wi-Fi networks as well as expansion of Wi-Fi networks in remote or rural areas?

The regulatory approach should be to deregulate the radio transceiver as much as possible so as to encourage innovation with lower barriers for participation.

The question falsely assumes that only commercial players can provide public Wi-Fi, Para 1.9 of the Paper only identifies scenarios where Unified License (UL) holders can take advantage of unlicensed spectrum to provide public Wi-Fi services. It fails to recognize that civil society, academia, and grassroots communities can also bring about ubiquitous city-wide Wi-Fi networks and expansion to remote and rural areas. For example, Village Telco and mesh networks are community-driven Wi-Fi models that are allowing a large number of individuals to gain access to Internet services using a public spirited or peer-to-peer philosophy.^[1]

In terms of regulatory measures, CIS would recommend minimal and proportionate regulation, i.e. the regulation of entities involved in the provision of public Wi-Fi networks based on their capacity to harm the public interest and/or individual rights. By this we mean that only public Wi-Fi networks that have a large number of users (say, more than 5,000 individual users) should be subject to any regulation. Small-scale public Wi-Fi network providers, like public Wi-Fi networks in small villages or apartment complexes, should be left to self-regulation. Regulatory burdens which serve no purpose only deter these providers from providing such services at all.

Regulation must be technology-neutral, and should focus on the entities using these technologies who are capable of unlocking good or causing harm. This neutrality should be reflected in the name of the policy: "community-networking policy" and not "community Wi-Fi policy". The necessary changes must also be incorporated in the Paper and the draft policy to make this clear. The current definition of Wi-Fi is closely coupled with certain frequencies, and public wireless networks should be promoted regardless of technology and specific frequency bands.

In cases where private data services, (such as mobile telephony/ other private application specific data infrastructures) which may have been granted permission to deploy on an open-unlicensed or delicensed part of the spectrum, experience interference from a Public Wi-Fi setup. On the same frequency band, we call for the Public Wi-Fi to be given priority. This will prevent spectrum squatting.

Q3. What measures are required to encourage interoperability between the Wi-Fi networks of different service providers, both within the country and internationally?

This is a requirement for elite parts of society only but not a deal breaker for the provision of public Wi-Fi in India. There are a variety of existing market-based approaches. The further deregulation of Wi-Fi will result in the rise of public, community and non-commercial players which in turn will lead to further innovation and competition when it comes to interoperability across disparate Wi-Fi networks and providers.

Q4. What measures are required to encourage interoperability between cellular and Wi-Fi networks?

No measures are required. Millions of consumers in India already are able to interoperate between cellular networks and their home and office networks as they are in charge of the authentication or they have left these networks open. The reason they are unable to operate more easily with other networks is due to data retention, and KYC policies. Even in countries with much more challenging national security concerns, the data retention and KYC policies are not so strict. We are paying a terrible price in terms of broadband adoption because of our flawed approach to surveillance and cyber security. The answer here lies in deregulation of existing requirements, especially for community based organisations, NGOs, research institutions, educational institutions, galleries, museums, archives and public libraries. This will address the needs of those who cannot pay and are vulnerable. For those who can pay - commercial actors will innovate and provide the high-quality interoperability that they seek - this will not require any action on the part of the government.

Q5. Apart from frequency bands already recommended by TRAI to DoT, are there additional bands which need to be de-licensed in order to expedite the penetration of broadband using Wi-Fi technology? Please provide international examples, if any, in support of your answer.

In a 2012 policy brief on unlicensed spectrum^[2], CIS recommended the changes, listed below [in italics]. Since then, more modern approaches may have emerged which merit revisiting this question. These advances also merit delicensing bands more aggressively as the proprietary approach becomes more and more dated. This approach should also be technology neutral and must find a balance between proprietary, unlicensed, and shared spectrum.^[3]

1. Frequencies in the 6, 11, 18, 23, 24, 60, 70, and 80 GHz bands, to facilitate replicating examples like Webpass (USA) which has radios capable of delivering up to 2Gbps both upstream and downstream.^[4]
2. Frequencies in the 5.15 GHz-5.35 GHz bands, as well as 5.725-5.775 GHz bands are unlicensed for indoor use only. These bands should be unlicensed for outdoor use as well in order to facilitate the creation of wider wireless communication networks and the use of innovative technologies.
3. There should be more unlicensed spectrum in the 2.4 GHz range, beyond what is already unlicensed, for the expansion of wireless communication networks.
4. The 1800-1890 MHz band, which is earmarked for the operations of low power cordless communication in India, should be unlicensed in line with international practices. Many bands for this use have already been unlicensed in Europe and the United States. ^[5]
5. 50 Mhz in the 700Mhz - 900Mhz band, earmarked for broadcast should be made available to better utilize available spectrum, almost 100Mhz is currently unused in most parts of the country.

Q6. Are there any challenges being faced in the login/authentication procedure for access to Wi-Fi hotspots? In what ways can the process be simplified to provide frictionless access to public Wi-Fi hotspots, for domestic users as well as foreign tourists?

The challenge here is that of over regulation and the belief that elaborate KYC requirements will solve problems of national security. What these requirements achieve is a lot of inconvenience for the general population while criminals are able to evade detection through fake IDs, burner phones, etc. as KYC requirements only create barriers without security payoffs. The fact that jurisdictions such as the UK, and other countries in Europe allow for purchase of SIM cards without KYC norms goes to show that there are effective ways of gathering intelligence that do not involve a KYC regime.

In terms of authentication, a healthy ecosystem will allow for both anonymous access to Wi-Fi hotspots as well as access through authentication.

There is a need for deregulation in order to allow anonymous access. For access through authentication, some providers may wish to have light KYC norms whereas others may choose to have rigorous KYC norms that are integrated with Aadhaar, India Stack, etc. The decision should ultimately be taken by the provider and thus deregulation is the key. The most frictionless model is the unauthenticated model that allows anonymous access, followed by a light KYC regime, and the model with the most friction is that with intensive KYC requirements.

The existing customer log-in procedure requirements that have been laid down by the Department of Telecommunications (DoT), Ministry of Communications, Government of India, which necessitate a user to provide a photo ID or to avail a one-time password (OTP) through SMS should be done away with for two reasons. First, it does not allow for a user to access the public Wi-Fi network without authentication and this leads to a loss of anonymity over that network when the user accesses any Internet-based services. Secondly, it assumes that all people will have access to mobile phones/smartphones. So far as the Indian scenario is concerned, this is certainly not the case in many households where only the head of the family, who is more often than not a male member, has access to such devices. Many individuals also use much simpler devices which may not be able to receive OTPs (see Raspberry Pi models, for example). Such a requirement would, in effect, deprive a large number of individuals from accessing public Wi-Fi services and would defeat the purpose of even setting up such networks.

Q7. Are there any challenges being faced in making payments for access to Wi-Fi hotspots? Please elaborate and suggest a payment arrangement which will offer frictionless and secured payment for the access of Wi-Fi services.

This question is backed by three assumptions. First, it assumes that only commercial provision of Wi-Fi is possible. Second, it assumes that "a (singular) payment arrangement" is the preferred approach. Third, it assumes that it is possible for regulators to predict the most appropriate business / technological model for payments online. This is best left to competition between commercial and noncommercial players in the market. The existing regulations from the RBI and laws that govern electronic transactions are sufficient. No specific regulations are required for access to Wi-Fi hotspots.

Q8. Is there a need to adopt a hub-based model along the lines suggested by the WBA, where a central third party AAA (Authentication, Authorization and Accounting) hub will facilitate interconnection, authentication and payments? Who should own and control the hub? Should the hub operator be subject to any regulations to ensure service standards, data protection, etc.?

"A central third party AAA (Authentication, Authorization and Accounting) hub" is antithetical to the foundational ethos of the Internet. Any attempt to foist that on Indian citizens will lead to a slowing down of wireless broadband adoption. From a cyber-security perspective this can only lead to large-scale and irreversible disasters and on the contrary policy measures should be taken to prevent centralization. For Indian cyberspace to be a resilient and free market, competition amongst both commercial and noncommercial players must be enabled for Authentication, Authorization and Accounting.

Q9. Is there a need for ISPs/ the proposed hub operator to adopt the Unified Payment Interface (UPI) or other similar payment platforms for easy subscription of Wi-Fi access? Who should own and control such payment platforms? Please give full details in support of your answer.

As we submitted in response to the earlier question: "a central third party AAA (Authentication, Authorization and Accounting) hub" is antithetical to the foundational ethos of the Internet. Aadhaar aka UID, India Stack and the Unified Payment Interface (UPI) are similar state sanctioned monopolies that only increase fragility and interfere with the functioning of markets. Also this question assumes that citizens will have to pay for access to WiFi. Therefore, we recommend that the government does not regulate payments beyond the existing measures in Banking Law.

Q10. Is it feasible to have an architecture wherein a common grid can be created through which any small entity can become a data service provider and able to share its available data to any consumer or user?

The government or the regulator should not be making recommendations on technical architectures. All that is required to the lift all limits on reselling or sharing data via law.

Q11. What regulatory/licensing measures are required to develop such architecture? Is this a right time to allow such reselling of data to ensure affordable data tariff to public, ensure ubiquitous presence of Wi-Fi Network and allow innovation in the market?

CIS would ask for forbearance in this regard, as anything else will be a case of over regulation.

Q12. What measures are required to promote hosting of data of community interest at local level to reduce cost of data to the consumers?

There are two measures that can be taken. The first is to change the public procurement policy to promote openness in the form of free and open source software, open standards, open content, open access, open educational resources and open data.

The second is to use public funds to shape the market and create publicly licensed material, or material available under exceptions and limitations of copyright law. To promote hosting data of community interest at a local level, public funds must be used to create intellectual property that can be freely licensed to the public. India already has a progressive copyright law, and the exceptions available under it should be seeded by the government through public funding. These exceptions include the statutory exception of copyright cess/ levy to broadband bills, exceptions for the disabled, libraries and archives and also education.

Q13. Any other issue related to the matter of Consultation.

Figure 2.2 of the Paper depicts Wi-Fi Monetization Pyramid based on Cisco's Wi-Fi Opportunity Pyramid.[2] As pointed out earlier, this ignores the possibility of non-commercial models. To quote Bruce Schneier, "surveillance is the business model of the Internet" ^[6] and this business model is one that should not be encouraged. The pyramid only allows for a for-profit model and it is inherently based on needless surveillance of users. While monetization may be one of the main incentives, it is by no means the only way to sustain such public Wi-Fi networks and for this reason, CIS recommends that such a depiction be discarded.

The balancing of this monetization pyramid is one of the requirements to put in place an effective public Wi-Fi network structure. Another issue arises with respect to the definition of Wi-Fi. Currently, spectrum is limited to the 2.4 GHz or the 5 GHz bands but this has been expanded upon to encompass the LTE (4G) Core during the GSMA, Wireless Broadband Alliance and Wi-Fi Alliance 3GPP following the Mobile World Congress in 2013. Such a set-up would allow for frequency hopping between bands and to prevent (or allow) this, the definition of Wi-Fi in the context of public Wi-Fi networks must be clarified.