Vivan SharanOct 23, 2018 13:34:03 IST
The digital economy is receiving a lot of attention of late. The recently approved National Digital Communications Policy 2018, an imminent data protection law, and policy conversations on e-commerce are examples of this. The public interest implications of rapid internet adoption are driving this momentum. Internet adoption displays an S-shaped curve globally – representing initial moderate growth, steep growth in the middle-phases and stable growth towards the end. The plummeting cost of data and devices seem to have catapulted India to the middle of this curve, a path of frenetic activity, and equally of heightened risks.
In many ways, the pace and pattern of internet adoption in India seem to mirror the process of urbanisation which has been equally feverish for longer. The prospects of efficiency, connectivity and progress have driven urban migration, and are the drivers of digital migration as well. A citizen experiencing in-situ urbanisation is similar to a digital native experiencing swift and inexorable technological change. Finding itself amidst such fundamental transitions, the Indian State is trying to discover legitimate levers of regulatory control, balancing consumer aspirations with the security and stability of the digital ecosystem.
This balancing act is going to be particularly hard when it comes to regulating device ecosystems. Smartphones are at the epicentre of consumer aspirations, with low-cost Chinese brands accounting for nearly 60 percent of the Indian smartphone market. These brands manage to offer hardware specifications comparable to higher-end smartphones and remain profitable despite unfavourable customs duties for equipment imports and lack of a localised components base. But there is a trade-off. Specifically, low-cost brands derive their margins by bundling applications, operating systems, and user consent – a combination that facilitates cross-subsidisation at the cost of ecosystem integrity, as explained below.
Firstly, many low-cost smartphone brands pre-bundle third-party applications that range from news aggregators to social media services. Such pre-installed software, also called “bloatware” in technology circles, not only takes up an asymmetric amount of processing memory relative to functionality, it often creates ecosystem vulnerabilities. For instance, according to a Pew Research Center study, the most common permission sought by application providers is to access information related to Wi-Fi connections. Such requests can enable access to device data from an entire network, with only one user’s permission. Digital advertising, unfortunately, thrives on such unethical collection of data. And the companies that make data-collection applications, in turn, cross-subsidise device makers. This grand-bargain of pre-bundling deprives users of any choice in the matter.
A second challenge is the prevalent practice of pre-bundling of older generation operating systems (OS) on low-cost smartphones. Again, owing to their own unit economics, smartphone makers often make important qualitative choices of behalf of unsuspecting users. This is problematic because low-cost devices running old software on cheap chipsets, often form the weakest link in interconnected digital communications ecosystems. This challenge is exacerbated by the fact that a single OS provider accounts for 90 percent of the mobile-OS market in India. Earlier this year, a comprehensive study by German researchers found that low-cost smartphone brands running this OS often failed to update relevant software patches that guarantee user-security.
Additionally, there is little monetary incentive for OS providers to indefinitely support their old products. Low-cost device manufacturers, on the other hand, benefit from installing old systems, which are naturally cheaper as the level of support offered by OS providers is minimal. Indians have already suffered significant financial harm owing to the prevalent use of outdated OS on ATM machines. Consequently, the Reserve Bank of India mandated “immediate action” to control vulnerabilities from unsupported versions of OS running on ATMs, in June this year.
Lastly, some smartphone manufacturers bundle the consent provided by users while first accessing their devices, with blanket permissions given to pre-bundled software, aggravating the aforementioned risks. India’s imminent data protection law is expected to mandate separation of such consent requests from the standard device-level service terms and conditions. Although this is a commendable step, it may not reduce take-it-or-leave-it consent propositions. This is because consumers tend to value convenience over security, expecting established brands to underwrite their security.
It is evident that disallowing pre-bundling practices may lead to higher costs being passed on to consumers. This may not be a politically acceptable outcome. Therefore, India must rely on setting requisite quality standards for smartphones. Several international templates exist for this, such as ISO-approved Common Criteria standards. However, the sheer pace of digital adoption means that enforcement of such standards will remain challenging until the requisite testing infrastructure is developed. In fact, implementation of a comprehensive regime for mandatory certification and testing of smartphones and other devices, envisioned by the Department of Telecom, has been inordinately delayed owing to this infrastructural gap. This is an opportunity for building deeper public-private partnerships for Digital India, much like Smart-Cities, and scaling up testing infrastructure. Industry must participate meaningfully in building such capacity, a process that perhaps remains contingent on the State articulating a multi-stakeholder approach towards digital economy regulation.
Vivan Sharan is a Partner at Koan Advisory Group, New Delhi. The views expressed here are personal.