By Dr Kamlesh Bajaj
The Ministry of Electronics and Information Technology recently unveiled draft rules under section 79 of the Information Technology Act to curb fake news and rumours on social media platforms.
These platforms are intermediaries under Section 79. The rules clearly state that an intermediary must inform its users not to host, publish or transmit any content that is harmful, harassing, hateful, paedophilic, etc.; or threatens national security or the sovereignty of India; or incites violence or prevents investigation of any offence.
Also, on coming to know of such content, they must act within 36 hours to disable it, and preserve the necessary records for at least 180 days for the purposes of investigation. The rules empower government agencies to ask an intermediary for any information or assistance for investigative, protective and cybersecurity activities. The onus is on the intermediary to ensure there is no violation of these terms.
The proposed amendments are being viewed as a move to access and trace online content that would turn India into a surveillance state. But freedom of expression has limits and this has been reiterated by all governments. Rumours on social media have had huge repercussions. They have triggered violence and even led to lynching of innocents in India.
While China is seen as an example of surveillance, it’s the western world which is challenging global platforms for lawful access to data.
The Five Eyes — US, UK, Canada, Australia and New Zealand — have demanded access to decrypted data to fight global terrorism, protect national security, and for investigation of serious crimes. In a joint statement in August 2018, they said: “Should governments continue to encounter impediments to lawful access to information … we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.”
It is clear that governments around the world — not just India — are looking at laws to enable law enforcement agencies access data for national security.
Australia has taken the lead by approving the first anti-encryption law in the democratic world on December 6, 2018. It requires companies to ensure exceptional access to law enforcement agencies, failing which penalties can be imposed on the platforms and their executives sent to jail. UK’s Investigatory Powers Act in 2016, mandated social platforms help agencies with ‘equipment interference’ — a euphemism for decryption. In December 2018, US Deputy Attorney General Rod Rosenstein reiterated his call that technology companies develop “responsible encryption — effective, secure encryption that resists criminal intrusion but allows lawful access with judicial authorisation”.
As is clear from these developments that countries are choosing to pass new and carefully worded laws to deal with the problem of encryption.
It is against this background that the proposed amendments to rules in India must be seen.
India’s proposed rules ask the intermediary to “enable tracing out of such originator of information on its platform as may be required by government agencies who are legally authorised”.
The government has publicly stated that the goal behind such provisions was not breaking of end-to-end encryption, but merely enabling traceability. The removal of unlawful content and asking intermediaries to retain data for 180 days is in line with the EU Data Retention Directive.
The rules make it obligatory for big social media platforms to be treated as a company for better compliance with Indian laws. However, provisions regarding local incorporation significantly exceed the scope of intermediary rules, and ideally be the subject of a Data Protection Law.
India says intermediaries must deploy technology solutions to monitor content for possible terrorist or other national security challenges, and take proactive actions to disable or remove such content. This is something which many of these platforms are already doing for paedophilic content. For example, YouTube does not upload nearly 80% of content after prior review.
While rules are framed to reinforce the need for social media platforms to provide access to data and metadata to law enforcement agencies, there should be a balance between privacy and surveillance with appropriate oversight, in line with Supreme Court judgements.
As India debates the rules necessary to engage with social media platforms, the West has taken a step forward in line with what President Barack Obama said in Austin, Texas on March 12, 2016. “My conclusion is that you cannot take an absolutist view on this. So, if your argument is strong encryption no matter what, and we can and should, in fact, create black boxes, then that I think does not strike the kind of balance that we have lived with for 200, 300 years.” Let’s remember this as India discusses the rules necessary to engage with social media platforms.
(Dr Kamlesh Bajaj was the founder-director of CERT-In and founder-CEO of Data Security Council of India. He is a Distinguished Fellow, EastWest Institute. Views expressed above are his own)