Government Seeks to Tweak IT Act RulesGoal is to Closely Monitor Content on Social Media Platforms
Some privacy and security experts express serious concerns about a new government proposal calling for social media platforms to remove what it deems "unlawful" content within 24 hours of notice. The proposal also would require the platforms to provide a way to trace the source of that content, which would require that platforms such as WhatsApp would need to break their end-to-end encryption. A few weeks ago, the Australian government also passed an encryption-busting law.
See Also: The Evolution of Email Security
Critics of the proposal question how the government could precisely define what constitutes unlawful content.
For example, Ritesh Bhatia, founder and director of V4WEB, a cybersecurity firm based in Mumbai, contends: "Unlawful content is a subjective matter, as what I find offensive might not be offensive for others. Under such circumstances, what is the basis under which the government can ask to remove a particular content?"
Meanwhile, some privacy experts object to what they see as a proposed curb on freedom of expression and speech, while others raise doubts about the practical implementation of some of the measures suggested.
The government has proposed an amendment of Section 79 of Information Technology Act, 2000 to carry out its social media plans. The Ministry of Electronics and Information Technology has published a draft of revised rules and is seeking feedback.
"The instances of misuse of social media by criminals and anti-national elements have brought new challenges to law enforcement agencies," MeitY says. "These include inducement for recruitment of terrorists, circulation of obscene content, spread of disharmony, incitement of violence, public order, fake news etc. A number of lynching incidents were reported in 2018 mostly alleged to be because of fake news or rumors being circulated through 'WhatsApp and other Social Media' sites."
What the Draft Says
The current law, Section 79 of the IT Act provides immunity to intermediaries, including social media platforms such as Facebook, for any illegal content posted by third parties. Under this section and the Information Technology (Intermediaries Guidelines) 2011, if an intermediary has "actual knowledge" of any illegal content posted, it is obligated to remove such content within 36 hours. Here the Supreme Court defines actual knowledge of illegal content as and when a takedown [of 'unlawful' content] request is accompanied by a court order or government direction. In the absence of these two orders, intermediaries such as Facebook cannot be blamed for hosting wrong content on their website.
However, the new proposal puts the onus of checking content completely on the intermediaries by expecting them to warn users [posting wrong content] repeatedly.
Another proposed new provision, Rule 3(5), would in effect require social media platforms to break end-to-end encryption and introduce systems for retaining data for a specific number of days, says a report by the Indian Express.
The proposed changes would mean that social media platforms with more than "50 lakh users" would be liable to help the government "within 72 hours" of a query. Essentially, help the government track source of a particular content found unlawful. They would also be expected to appoint a 'Nodal person of Contact' for 24X7 coordination with law enforcement agencies and officers to ensure compliance", the report says.
Another part of the MeitY proposal, a draft of The Information Technology [Intermediaries Guidelines (Amendment) Rules] 2018, Rule 3(9), would require online platforms to "deploy technology- based automated tools or appropriate mechanisms like artificial intelligence, with appropriate controls, for proactively identifying or removing or disabling access to unlawful information or content."
Privacy and security experts offer their assessments of various components of the proposals.
For example, Bhatia questions the use of new technologies such as artificial intelligence to identify unlawful content. "I doubt if the government knows how to leverage AI," he says. "Plus, there is no clear-cut mechanism to track or define unlawful content. AI is not a foolproof solution, as it needs data to be populated to track any incident or content pattern."
Digital journalist Nikhil Pahwa says the government has ignored important aspects while drafting the new rules.
The purpose of section 79 of the IT Act was never to be an enabler for the activities of security agencies, but to provide security against prosecution after @avnish was arrested by Delhi police for no fault of his many years ago. BJP is ignoring important history here.— Nikhil Pahwa (@nixxin) December 24, 2018
Under the government proposal, social media companies such as WhatsApp would be required to establish a local office as well. But the effectiveness of these moves is questionable. Even in the past, such moves have not proved very effective.
For example in September, WhatsApp announced the appointment of grievance officer, Komal Lahiri, based in the United States. "I am not sure how much one officer sitting in the U.S. will be able to do when it comes to addressing the issue of millions of WhatsApp users in India," says Jiten Jain, CEO at India InfoSec Consortium, a group of leading security experts.
Critics say the proposal to introduce a "traceability requirement," which in effect would require a social media platform to break end-to-end encryption, would require the creation of "backdoors" that could be discovered and exploited by cybercriminals or nation-states.
Prashant Mali, Bombay High Court lawyer and cyber law expert, argues that it would be better to focus on social media platforms' application and physical level security. "It has always been vulnerabilities in the software or hardware that hackers have exploited," he says.
The draft amendments would require that online platforms will keep a record of "unlawful activity" for a period of 180 days, double the 90 days in existing law. It provides for further discretionary retention based on requests from "government agencies". But the term "government agencies" is not defined, and there's no specific conditions or limits for data retention.
So it appears that any government department could require a social media platform to store a users' data indefinitely, without even letting this user know, according to a blog by the Internet Freedom Foundation. "It is important to remember that such retention will be even despite the user deleting the data on the servers of the intermediary," it says.
The government has justified the amendments by arguing that companies such as WhatsApp have been declining requests to trace the origin of messages that may spark communal tension or lead to violence such as lynching.
The Internet Freedom Foundation argues that there are better ways to control misinformation and threats to Indian elections.
"These can be achieved as per our fundamental rights guaranteed under the constitution. Yes, online platforms are problematic; they require fixes. But driving changes through a closed and secretive process in which measures that undermine fundamental rights is a harmful approach for all of us," the foundation writes in its blog.
Bhatia suggests government needs to penalize companies to ensure adherence to its rules. "To ensure highest level of privacy and security, government should follow the GDPR policy and start penalising the companies and compel them to implement technologies and support the cyber- investigation process in case of an eventuality."
(Managing editor Geetha Nandikotkur contributed to this story)