“Internet was born free but is found everywhere in Chains” was a statement made by Naavi in 2002. Several articles were showcased discussing the developments at that time which may make interesting reading even today. I hope for students of the philosophy of Cyber Space, these articles may be interesting.
However during the last nearly 2 decades, things have changed in our society. Many of the apprehensions expressed at that time have become true today. The borderless state of Internet and the Anonymity inherent in its design has now given way to Cyber crimes of unlimited proportions across the globe forcing rethinking on the “Security issues in Internet”.
While there is one segment of the law makers who still swear by Privacy and Freedom of Speech over Internet, there is an equally strong lobby who swear by the need for Security. At present laws are trying to balance these requirements though not with complete success.
China started a trend of creating a firewall to segregate Chinese Internet space from the rest through creation of its own search engine, its own social media etc making the Google and Facebook redundant.
Now Russia seems to have taken a further step by creating a specific law to build a “Cyber Border” for Russia.
The concept of each sovereign country defining its own Cyber Space and legal jurisdiction over it started long back when Cyber Crimes investigations cut across borders. So far attempts have been made to bridge this jurisdictional gap by creating MLATs for Cyber Crimes to address the issue of cross border jurisdiction.
However, it is now reported that Russia is adopting law to isolate “Runet” from Internet. Naavi has in recent times veered to the view that there is a need for setting up a “Digitally Identified Network” within “Internet” which we can call “Internet-S” where S stands for Secure. The idea is that every Netizen of Internet-S is identified by a system as good as a legally recognized digital signature system with the backing of a sovereign Government. In this world, every Netizen’s activity is mapped to an identified individual.
The Concept of “Regulated Anonymity” which we have discussed repeatedly in Naavi.org advocates that anonymity and privacy in transactions with others can be protected without sacrificing national security if we can create “Trusted Identity Intermediaries” who issue proxy identities but protect national interest under a proper regulated process.
This concept has now become a legal possibility in India with the proposed PDPA 2018 in the form of Data Fiduciaries, though I am personally not sure if this possibility would be recognized by other Privacy professionals in India and the law makers.
Data Localization requirements under the Indian laws also assert the concept of “Data Sovereignty” through PDPA 2018. (Proposed Personal Data Protection Act)
In the meantime, what has happened in Russia is to be recognized as a significant step of redefining the way Internet functions as a “Federation of Net Societies allied with sovereign Governments in the physical space”.
According to the new law reported to have been adopted by the State Duma, in order to protect the Country from external threats, Russia wants to create a “Sovereign Cyber Space” over which it has complete control. (See Report here)
Some of the key provisions in this law include the introduction of a system that will channel Russian internet traffic through government-controlled routing points as well as granting unlimited powers to Roskomnadzor, which will be able to cut off non-complying internet providers. The country’s telecom watchdog will set up a monitoring center that will detect threats and issue instructions. Roskomnadzor will also create and maintain a national domain name system (DNS).
The new legislation is designed to ensure that online data transfers between Russian citizens, businesses and organizations are executed within the country instead of being routed internationally.
The Runet law is scheduled to enter into force in November this year, with the rules governing Russian domains and cryptographic protection of information expected to be introduced on January 1, 2021.
As could be expected, there is an opposition to the proposal which is accused as a measure of censorship. The counter argument is very forceful but it is not clear if the opposition would be able to scuttle the law. Most probably Mr Putin would push through this legislation which will become a fore runner to other countries passing similar laws.
If such a law is brought in India particularly in the present regime of Mr Modi, there would be an immediate outcry from the opposition. Many of the IS professionals would also feel that this is an extreme step that would curtail the freedom of expression on the Internet and the Democracy. Probably they may be right and India would not go the extent of passing such laws.
But it is necessary for us to recognize that most of the Democratic countries are hypocritical when it comes to their stand on preservation of “Data Sovereignty”. Today “Data Localization” has become a norm and most countries try to retain data generated within the country confined to its borders. Where countries agree on Cross border data transfers, they impose severe restrictions. Whether they are called Safeharbour agreements or by any other name, they are like signing of “Data Transfer Treaties” at corporate level. Every country wants to have its own laws of data protection applied to personal data generated from within its borders which makes it necessary for data processors to classify personal data in accordance with the privacy protection laws to which it is subject to. (Refer PDPSI Classification and Scope Definition articles).
In a way we have already drawn borders in cyberspace by the data protection laws of each country defining norms for protection of data of their citizens and with data localization within their physical borders. What Russia is set to do is a bolder and more transparent way of expressing that Cyber Space of a Country belongs to its sovereign jurisdiction and anybody entering in and out need to identify themselves and allow being monitored lime an Cyber Passport and Cyber VISA system
PDPA 2018 (Draft) provides a perfect legal ground to implement some of the provisions of this Russian Law without the need for modifications to ITA 2000/8.
We need to watch how things develop in India in the next decade and whether the Russian approach would be replicated in India also either with a separate law (which is difficult) or with a suitable interpretation of the Data Localization requirements under the current laws.