Above: Illustration by Anthony Lawrence
Proposed changes in IT rules, 2011 will make it incumbent on IT intermediaries to remove malicious content within 72 hours of a request from the government
On December 24, 2018, the IT ministry proposed a change in the notification of rules under Section 79 of the Information Technology Act, 2000 (ITA-2000), and placed the draft for public comment. The proposals faced stiff opposition from the industry. It joined hands with political opponents of the government and a huge campaign was built opposing them. The amendments were projected to be an assault on the freedom of expression and the government was literally bludgeoned into silence. The amendments have now been listed for debate and await approval in the current session of Parliament.
These amendments are being proposed to the original rule, namely, the Information Technology (Intermediary Guidelines) Rules, 2011, which were notified in the gazette on April 11, 2011. Ever since the proposed amendments were brought to public notice, there have been discussions on the desirability of introducing them.
In a related development, the Delhi High Court has given an interesting judgment in the case of Baba Ramdev Vs Facebook and others where it said that when objectionable content is uploaded from India, the responsibility of the intermediary to remove it based on court orders will include removal from foreign servers. This is now before the divisional bench of the Court for review and the outcome will have a significant impact on the interpretation of intermediary liabilities as per ITA-2000.
The “fake news” debate, which was one of the primary reasons cited for this amendment, has, to some extent, reduced primarily because the general election is over. It may resurface when the next election is due. Further, the possibility of “deep fake videos” is lurking in the background and will create more problems in the days to come when “fake news” may be put out through celebrities.
Whether it is control of fake news or detection of cyber fraud, “intermediaries” have a key role to play. Without a strong legal deterrent that ITA-2000 and these guidelines represent, national security would be at stake. The government cannot be complacent in delaying the issue of the guidelines anymore.
The Supreme Court has expressed similar views in respect of the curbs placed in J&K, upholding that “security” is an important responsibility of the government and has a legitimate priority over “rights” in certain circumstances. The suggested amendments need to be evaluated in this context.
Under the proposed guidelines, intermediaries, on receipt of an appropriate request from the government on issues of cyber security, should provide the necessary assistance within 72 hours. Such notices may be issued under Sections 69, 69A, 69B or even 70B. The government has already designated appropriate agencies under each of these sections along with a due process.
One of the most contentious parts of the guidelines has been the need that when content is hosted on their platform, “the intermediary upon receiving actual knowledge in the form of a court order, or on being notified by the appropriate Government… shall
- a) remove or disable access…immediately, but not later than 24 hours of communication…
- b) archive the information for at least 180 days…or as long as required under law.”
On receipt of an order of the Court or in the process when certain content is sought to be removed, there should be no excuse for the intermediary not to follow the order as it has already been examined by a competent court or authority.
Tech giants are normally willing to accept “right to forget” under General Data Protection Regulation and are prepared to identify and remove the personal information even if it is scattered across an organisation in individual computer devices. Comparatively, removing the hosted content is child’s play.
Another area of concern for intermediaries is the guideline that “the intermediary shall deploy technology-based automated tools or appropriate mechanisms with appropriate controls for proactively identifying and removing or disabling public access to unlawful information or content”. This guideline may require some additional technical measures to be deployed. But in the days of Artificial Intelligence, it is natural for the government to expect that the intermediaries show a sense of social responsibility to ensure that they lend their support to the cause of national security.
When the intermediary is in doubt whether the given content is unlawful or not, he can always introduce appropriate policies and procedures to make a reference to his legal cell. This is part of the “incident management” programme that any sensible content hosting company should be able to implement.
It is clear that the objections raised by the industry in respect of the above are only commercial in nature. National security should not be subordinated to the commercial considerations of intermediaries who do not want to spend money on the suggested technical measures. The cry of “censorship” is only media hype as any contentious issue can be resolved by competent courts.
The other issue which should be noted is the requirement that those intermediaries having a large user base (more than 50 lakh users) need to have a permanent registered office and a nodal officer in India. This is an attempt by the government to ensure that tech giants who benefit from business in India invest in creating jobs also in the country. The objections raised against the amendments are, therefore, unsustainable. It is possible that the amendment may be taken to the Supreme Court but for the government that should hardly matter.
It is pertinent to ask whether the intermediaries are, in fact, observing “due diligence”. Most international tech giants such as Facebook, Twitter and Google do not have a designated “grievance officer” to receive and resolve complaints from the public. In fact, it is even difficult to locate a proper email address where a complaint can be sent. Most intermediaries do not have a published “address” for communication and sending a legal notice is the last resort. Even law enforcement agencies complain that they do not get minimal cooperation from the intermediaries during the investigation of cyber crime.
We must remember that the definition of “intermediaries” in ITA-2000 is broad enough to encompass even mobile apps. Non-compliance with due diligence in this segment is even higher. Recently, it was reported that Uber’s mobile app had bugs that charge customers for cancelled trips and generate false trip maps in certain circumstances. In such fraudulent cases, the company does not provide information on how to register a proper complaint. It also does not disclose if there was a code audit for this reported bug or publication of statistics of wrong debits occurring out of such bugs. Each such incident is actually a “security incident” that the intermediary should report to CERT-IN. However, they fail to do so.
Intermediaries should realise that “due diligence” as prescribed by Section 79 does not end with the publication of a privacy policy. They should follow reasonable security practices which include a grievance redressal system. Without complying with their responsibilities, complaints being raised by them about the amendments do not deserve respect.
It is also true that the CERT-IN rarely questions the intermediaries and does not undertake suo motu audits to ensure that websites or mobile apps process the data properly and follow Section 79’s guidelines. Intermediaries will also be required to comply with the Personal Data Protection Act (PDPA) which is expected to be debated in the same session. This will have a far more significant impact on intermediaries since all of them are also data fiduciaries under PDPA and more importantly, “significant fiduciaries” and “guardian fiduciaries”. There may also be a bill on “Regulation of Newspapers and Periodicals” which includes online publications and social media, and which will try to regulate news intermediaries in its own ways.
Hence, the intermediary rules are a minor regulation and should pass smoothly in Parliament.
There is no need to get irked over them as they need to be compatible with PDPA and the digital media regulations which will override them.
—The writer is a cyber law and techno-legal information security consultant based in Bengaluru