Is dragon jacking up investment in India a threat to data security?

The Securities and Exchange Board of India has reportedly discussed the issue of sudden jump in investments coming from China or via China into Indian stock markets. The SEBI meeting was held on April 13 and its top officials attended the meeting said sources. The meeting was held after the Centre asked SEBI for greater scrutiny and special approvals for new investors domiciled in neighbouring countries.

The issue that was reportedly discussed pertained to acquisition of shares by Chinese investment firms amid the market meltdown in March. A specific point that came up during the meeting was China strategy to take advantage of fall in stock prices in India and specific issue was the acquisition of HDFC shares by People’s Bank of China (PBoC).

This came to light when the HDFC disclosed its shareholding pattern during the March quarter. It is learnt that there are at least 16 Chinese Foreign Portfolio Investment (FPI) registered in India with $1.1 billion invested in market stocks. Of late China has emerged as one of the largest sources of Foreign Direct Investment and Chinese investors have been buying up stake in Indian companies especially startup’s.

India-China Economic and Cultural (ICEC) Council estimates that in the last three years, Chinese and Chinese-origin investors have invested about $3.7 billion (23,600 crore) into Indian startups. China’s investments have traditionally been concentrated in the automobile industry, however, major beneficiaries are around 25 startups, including Ola, Truebil, Ixigo, Paytm, Flipkart and MakeMyTrip.

How China penetrated India?

“Chinese investments in India”, a research paper published by the Gateway House-Indian Council on Global Relations, authors, Amit Bhandari, Fellow, Energy & Environment Studies Programme, Blaise Fernandes, Board Member, Gateway House and President & CEO, the Indian Music Industry and Aashna Agarwal, Former Researcher point out that “Unable to persuade India to sign on to its Belt and Road Initiative (BRI), China has entered the Indian market through venture investments in start-ups and penetrated the online ecosystem with its popular smartphones and their applications (apps)”. The Belt and Road Initiative is a global strategy adopted by Chinese government involving infrastructure development.

Targeting startups

Chinese tech investors have put an estimated $4 billion into Indian start-ups. Such is their success that over the five years ending March 2020, 18 of India’s 30 unicorns are now Chinese-funded. TikTok, the video app, has 200 million subscribers and has overtaken YouTube in India. Alibaba, Tencent and ByteDance rival the U.S. penetration of Facebook, Amazon and Google in India. Chinese smartphones like Oppo and Xiaomi lead the Indian market with an estimated 72 per cent share, leaving Samsung and Apple behind.

There are three reasons for China’s tech depth in India. First, there are no major Indian venture investors for Indian start-ups. China has taken early advantage of this gap. Alibaba’s 2015 investment in 40 per cent of Paytm, a digital payments platform, paid off barely a year later when in November 2016, the government of India demonetized its large currency notes and simultaneously promoted a move to a cashless economy. Paytm benefitted from Alibaba’s superior fintech experience, which it applied to India seamlessly, making it a dominant player.

Second, China provides the patient capital needed to support the Indian start-ups, which like any other are loss making. The trade-off for market share is worthwhile. Third, for China, the huge Indian market has both retail and strategic value. Therefore, companies like Alibaba and Tencent have different considerations and horizons for their investments. In contrast, Western venture money is mostly through funds like Sequoia and SoftBank. China has seen another early opportunity in India — the potential shift to electric mobility, where China has expertise.

India is the world’s fifth-largest auto market; the sector is the country’s most robust and globalised export and it is a bellwether for the economy. China’s BYD has been pushing its electric buses in India, with limited success. In traditional autos, which are 99 per cent of the market, China is using the recognizable, but distressed, global auto brands like Volvo and MG, which it acquired to enter the Indian market. So far, Chinese automakers have invested $575 million in India. The competition in India is fierce, and it’s with Indian and Asian automakers like Suzuki, Hyundai and Toyota, even as U.S. automakers withdraw.

The Belt and Road Initiative carries with it Chinese products and standards, both virtual and physical. India may have sidestepped the physical corridor, but has unwittingly signed up for the virtual corridor. China’s tech giant companies and venture capital funds have become the primary vehicle for investments in the country — largely in tech start-ups. This is different from other emerging markets where Chinese investments are mostly in physical infrastructure.

Chinese FDI into India is about $6.2 billion, but its impact is already outsized. China has investment in other South Asian countries such as Pakistan, Sri Lanka, Myanmar and Bangladesh. Whereas investments in these countries is mostly in physical infrastructure, Chinese funding to Indian tech start-ups is making an impact disproportionate to its value, given the deepening penetration of technology across sectors in India.

TikTok, owned by ByteDance, is already one of the most popular apps in India, overtaking YouTube; Xiaomi handsets are bigger than Samsung smartphones; Huawei routers are widely used. These are investments made by nearly two dozen Chinese tech companies and funds, led by giants like Alibaba, ByteDance and Tencent which have funded 92 Indian start-ups, including unicorns such as Paytm, Byju’s, Oyo and Ola. Significantly, 18 of the 30 Indian unicorns have a Chinese investor. This means that China is embedded in Indian society, the economy, and the technology ecosystem that influences it.

Unlike a port or a railway line, these are invisible assets in small sizes – rarely over $100 million – and made by the private sector, which doesn’t cause immediate alarm. All this adds up to just 1.5 per cent of the total official Chinese (including Hong Kong) FDI into India. This doesn’t cover investments made by funds based out of Singapore and elsewhere, where the ultimate owner is Chinese, so the actual investment in India will be higher.

The single largest Chinese investment in India is the $1.1 billion acquisition of Gland Pharma by Fosun in 2018. This accounts for 17.7 per cent of all Chinese FDI into India, but it is unique. There are five other investments (FDI) by Chinese companies which exceed $100 million. This includes the $300-million investment by MG Motors. China is most active in India in the start-up space. A majority — more than half — of India’s 30 Indian unicorns (start-ups with valuation of over $1 billion) have a Chinese investor.

Why is China seeing such success in Indian tech? It’s because Indian start-ups rely disproportionately on overseas venture capital (VC) funding — all start-ups worth over $1 billion are foreign-funded. Some like Flipkart and Paytm have been acquired outright. India still does not have a Sequoia or Google of its own. India’s Reliance Industries, through Jio, is trying to replicate Alibaba’s successful model in India.

What’s the threat from China?

Chinese investments bring up three concerns for India: data security, propaganda, and platform control. Data security Chinese companies such as Alibaba and Tencent have their own ecosystems, which include online stores, payment gateways, messaging services, etc. An investment by a Chinese firm can pull the Indian company into this ecosystem, which may mean loss of control over data. Typically, in investments by a consortium of venture capitalists, one of the partners takes the lead in advising the start-up.

If Alibaba/Tencent is playing this role, it can encourage the start-up to use pre-existing Chinese solutions for its tech requirements — again leading to loss of control over data. If this process is followed across a range of companies – a taxi service, a hotel aggregator, online retail outlets, and a payment provider — it permits an intrusive, comprehensive profile of an individual and his/her habits. Grindr, a hook-up app for the LGBT community, is an example of how data can be misused. Grindr was acquired in 2016 by Chinese gaming company, Kunlun.

During the Cold War, Stasi and the KGB to target vulnerable officials in the West used homosexual blackmail. There is still considerable stigma attached to homosexuality in India — can a government official be blackmailed with such information? The U.S. government has flagged off ownership of Grindr as a national security risk, and ordered the Chinese owner to divest a majority stake by 2020. Western companies have similar access to private data too — but there is national and global oversight and more transparency in their systems.

The Chinese government keeps a tight control over its media at home. Most of the Western social media apps (Facebook, Twitter) and many of the leading news outlets are banned in China. Large multinational corporations are unwilling to lose the Chinese market and wary of offending the Chinese government. This has given China a veto over free speech in many Western countries, seen recently in the high-profile case of the National Basketball Association (U.S.) speaking out about the protests in Hong Kong.

Investments in Indian social and other media (including those in regional languages) as well as startups could lead to a subtle push toward the Chinese narrative on bilateral issues and disputes with India, a shift to a more favourable depiction of China and suppression of criticism. For instance, TikTok censors topics that are sensitive to the Chinese government. This kind of influencing by a foreign totalitarian government is detrimental to an open and free society.

Platform control

The Internet is split into two major camps: the ‘traditional’ open internet dominated by Western companies, Facebook, Amazon, Netflix and Google (FANGS) and the ‘closed’ Chinese internet — almost an intranet — which restricts outsiders and is closely monitored and controlled by the state. Companies like Alibaba and Tencent are enablers and beneficiaries of this system. By restricting access to foreign players, China was able to create its own champions — which now rival the West’s. If Alibaba, Tencent and other Chinese tech majors replicate their internet ecosystems in India, this can create a systemic risk.

An ecosystem such as this controls access to end-users; it means other companies (retailers, financing firms and media) will have to follow the standards/technologies prescribed to them. Alibaba/Tencent will be in a position like Google — they can decide which firm will succeed or fail by controlling user access, using their own technologies. Imagine: the Indian economy could use Chinese tech for critical applications.

Chinese app in India

Chinese investments in India’s soft power sectors, such as smartphones and apps, glitter like a diamond necklace around India. Here is anecdotal evidence of their reach and capacity to harvest more data than necessary, with recommendations for their regulation While the BJP government focuses on governing border states through a democratic process on its own or through coalitions, the Chinese are blanketing the whole of India, including the border states, through their investments in multiple projects. It will create a diamond necklace around India that is so attractive and insidious that it will make China’s potent Indian Ocean String-of-Pearls strategy seem less threatening.

The last decade has seen heavy investments from Chinese companies into India, over $5 billion in 2018. They are in myriad sectors, such as consumer goods, especially electronics, logistics, retail — that is, normal FDI, mostly. Alarming are the investments by China’s powerful BAT companies (Baidu, Alibaba and Tencent) in soft power projects in India — Artificial Intelligence, the Internet of Things and fintech.8That’s because the People’s Liberation Army of China and the Communist Party of China have a symbiotic relationship with China’s BAT, the makers of strategic domestic and overseas investments.

These investments in India need to be viewed with caution, considering the increased penetration of smartphones and apps, like TikTok, especially in the country’s Tier-II and Tier-III cities, such as Guwahati and Raipur. The potential to influence Indian minds is massive.

By 2024, India’s smartphone users are expected to double to 1.25 billion from 610 million in 2018. Chinese smartphone manufacturers in India already have a 66 per cent share of the smartphone market as of the first quarter of 2019. That’s hardware. As for software — and soft power — the increase in smartphones in India has been accompanied by the rise in the use of smartphone apps. According to App Annie’s The State of Mobile in 2019 report, India saw a 165 per cent increase in app store downloads between 2016 and 2018. A full 50 per cent of top app downloads (combined iOS and Google Play Downloads) in India in 2018 were those with Chinese investments, such as UC Browser, SHAREit, TikTok, and Vigo Video, among others. Such Chinese apps harvest more than normal amounts of data, as compared to other social media apps, thereby posing security concerns for India.

As more young Indians turn into first-time smartphone users, their affordability and data packages will entice them into making frequent use of online services, unaware of the security risks to their data while using the extremely popular Chinese apps. China in India’s digital sector China’s strategic investments in data-oriented services in India raise concerns, making it critical for India’s security agencies to pay attention to these soft power projects in India. They are prevalent at various levels, particularly in the digital sector in India.

A substantial 50 per cent of top app downloads (combined iOS and Google Play Downloads) in India in 2018 included apps with Chinese investments, such as Universal Control Browser (UC Browser), SHAREit, TikTok, Vigo Video, etc. These apps are owned respectively by the Singapore and China mobile-based internet company, Alibaba Group; SHAREit Technologies Co Ltd and ByteDance (TikTok and Vigo Video), which are all multi-billion-dollar global players, alleged to have deep ties with the Chinese government. Browsers: UC Browser, owned by Alibaba, has penetrated the Indian market through a series of significant investments, including via Paytm and its parent company; One97 Communications Limited; and Snapdeal, owned by Jasper Infotech Pvt. Ltd.

As of October 2019, UC Browser has a sizeable market share of 17.09 per cent in the mobile browser market space in India and also leads the mobile phone segment in India with 21.38 per cent market share. Its competitor is Chrome, with a 69.35 per cent market share. UC Browser has recently made a strategic shift from a tool-based product to a content player in India, with dedicated channels, hosting short-form content, including videos, with segments on sports, technology, news, fashion, etc.

Streaming services

In 2018, China’s internet behemoth, Tencent, made an investment of $115 million in India-based music streaming service, Gaana, founded in 2010 by Times Media/Times Internet. Indian fintech unicorn Paytm, in which Alibaba invested $575 million and which runs an e-commerce marketplace, Paytm Mall, in India, and Tencent invested $110 million in the OTT platform MX Player, a video player developed by South Korea-based company, J2 Interactive, which was acquired by Times Internet for $144 million in 2018. In April 2016, Chinese smartphone maker, Xiaomi Inc, invested $25 million in Indian digital media firm, Hungama Digital Media Entertainment. Access to data India is one of the largest and fastest-growing markets for digital consumers, with 560 million internet subscribers in 2018: this is second only to China.

As with the global controversy generated by China’s 5G investments, Chinese investment in India’s digital sector also has data security implications. Chinese apps represent a challenge to the user’s data security, as they require vast amounts of personal data; this is usually a bare minimum to provide users access to their interface.

Chinese apps in India ask for 45 per cent more permissions than the number of permissions requested by the top 50 global apps, a study conducted by Arrka Consulting in India shows. At least six of the 10 most popular Chinese apps, including Helo and SHAREit, as well as browsers such as UC Browser, ask users to provide unnecessary access to camera and microphones on their smartphones. Such apps collect large amounts of personal data from users such as location, profession, friend lists, friends’ interests, cellphone number and photo interest as a bare minimum, thereby stoking privacy concerns in app users. Deactivation of a user’s account does not result in data being returned to the user or it being deleted from the app’s server. These details are often shared with third parties.

Malware or suspicious software

Chinese apps have always raised suspicions about cyber espionage attempts and security risks in India. The Ministry of Electronics and Information Technology reportedly sent notices to TikTok, Bytedance and Helo apps, seeking a response to its data privacy concerns about these apps being used to commit unlawful activities, such as storing users’ data and creating a hub for anti-national activities, such as communal disharmony. In 2017, out of 42 mobile applications, UC Browser, SHAREit, UC News, and others listed by the Ministry of Home Affairs, are claimed to have the potential to carry out a cyber attack against the country.

UC Browser is the second most utilised browser in India after Chrome, with an estimated market share of 17.09 per cent and a user base of more than 300 million. According to a report by the University of Toronto, Alibaba’s UC Browser has “several major privacy and security vulnerabilities that would seriously expose users of UC Browser to surveillance and other privacy violations”.

TikTok’s parent company, ByteDance, has recently launched a new search portal, Toutiao Search; showing results from the web as well as its own platforms. Given the digital boom in India and the estimated 300 million monthly active users in India that ByteDance has across TikTok, Vigo Video and Helo, ByteDance may potentially venture into the search business in India as well.

Framework for security

India’s regulatory authorities need to frame policies with an understanding of the immediate security, technological and geo-economics aspects to China’s expansion. Given China’s established practices of cyber espionage and hacking, it is not unreal to envision a scenario in 2022, where the market share of smartphones of the top three Chinese companies in India is 48.54 per cent, with increasing penetration and cheap data having reached the sensitive border states of India. Some policy recommendations A centralised FDI screening mechanism for the IT-BPO industry:

The investment screening mechanism, recently introduced in EU, the EU Foreign Direct Investment Screening Regulation (FDIR), is a nonbinding cooperation and oversight system which encourages sharing information across member states on the potential of certain investments to affect national security and interests. It empowers the European Commission to weigh in on deals that affect multiple member states or the EU as a whole. The passing of this new EU measure in just 18 months is indicative of heightened concerns over the terms of China’s economic expansion because it makes provisions for dominant characteristics of its investment strategy: a focus on technology and infrastructure sectors, state-linked and funded entities and state-led outward projects.

The EU measure explicitly prevents such bypassing of national screening by investigating deals within the EU that are associated with Chinese firms. Adopting a similar screening mechanism for the IT-BPO industry in India will protect citizens’ sensitive personal information from being shared through apps, browsers, search services and other critical technology and infrastructure in India, keeping in mind direct and indirect Chinese investments in India.

India can devise a body akin to the Committee on Foreign Investment in the United States (CFIUS). It can consist of members from the Ministry of Home Affairs, Department of Telecommunications, Department for Promotion of Industry and Internal Trade, Ministry of Information and Broadcasting, Ministry of Electronics and Information Technology and the National Security Council of India, to review foreign investments in India which calls for the collection of sensitive personal information. This can help tackle security threats in India.

Data localisation policy

A data localisation policy for regulating access to data, mandating data storage needs and controlling cross-border data flows, needs to be put in place. Firms should be required to set up data centres in India to minimize the need for storing sensitive data on foreign servers. An organization collecting sensitive personal data must state: the purpose, the persons or organizations who will be privy to it, the security safeguards and processes it has in place in relation to such information, the processes available to data subjects to access and correct such information, and the contact details of the privacy officers and SRO ombudsmen for filing complaints.

Data localisation steps will be effective in immediately taking down content which can foment sectarian trouble across India or rhetorics in border states such as Jammu & Kashmir, Rajasthan, Punjab, Gujarat, UP, Uttarakhand and the North East. Such a policy will be crucial in handling security concerns in India caused by cyber espionage.

letters@tehelka.com