Meity Needs to take assistance of techno legal experts on Section 79

It has become a fashion for some advocates to raise an alarm on anything that the Government does to curb Cyber Anarchy. These people who consider that the Supreme Court is their backyard, keep lodging PILs opposing every action of the Government trying to clog the Indian judicial system and keep the Government from doing anything worthwhile.

I am not against “Criticizing” the Government which I have done in a large measure all through the years. But Criticism should be with an honest desire to improve the Governance and not to put hurdles on normal functioning of the Government. Most of the critics on Section 69 MHA order or Section 79 consultation note are only interested in preventing the Government from pursuing its routine functions.

The Section 79 issue where the MeiTy has issued a note for public comments is yet to reach the Courts since the public consultation process is on. The Ministry has called for a Round Table with public invitation for  participation on Twitter on 5th January 2019. (Link : https://twitter.com/goi_meity/status/1080702303445889025?s=21) .

In the meantime more public debates are likely to help better clarity.

FDPPI (Foundation of Data Protection Professionals in India) will also hold a web based round table next Thursday.

In the meantime, Naavi.org would like to place its views before the professional community so that when they interact with the MeitY on 5th, they can keep the following information in the back of their mind.

But whatever be the decision of the Government with or without public consultation, the matter is likely to be also challenged in the Supreme Court. In order to ensure that media does not hijack the debate with false narratives, we are providing here some additional information for the general understanding of all including the media persons.

What is New in the Guidelines?

For the convenience of all the readers, a comparison of the present guidelines and the proposed guidelines is available here. 

It must be remembered that Section 79 has been in existence since 17th October 2000 but modified on 27th October 2009. The Intermediary guidelines have also been in existence since 27th October 2009 and what we are discussing now is a modification to this.

The Critical Changes

There are three notable changes and two significant changes that need discussion.

The first notable change is that under Rule 3, two new paragraphs have been added to the content guidelines. It suggests that the intermediaries shall advise the users not to host, display, upload, modify, publish, transmit, update or share any information that

– threatens public health or safety; promotion of cigarettes or any other tobacco products or consumption of intoxicant including alcohol and Electronic Nicotine Delivery System (ENDS) & like products that enable nicotine delivery except for the purpose & in the manner and to the extent, as may be approved under the Drugs and Cosmetics Act, 1940 and Rules made thereunder;

– threatens critical information infrastructure.

The above is an addition to other points already mentioned in the earlier version.

This is the notice to be given to users of an intermediary service and by itself does not criminalize such action.

The suggested list of information which are not to be hosted etc., can be referred to as “Objectionable Content” and it is possible to interpret it as “Placing a curb on freedom of expression”. But we need to debate if it is reasonable and recognize that it is meant to afford protection to the intellectual property rights, crimes against minors, crimes such as defamation, impersonation, obscenity, spreading of virus etc besides the reasonable restrictions under Article 19(2) of the Constitution.

The second notable change is the replacement of Rule 3(4) with new paragraphs (5) and (8). This change is attributed to the Shreya Singhal judgement and inserts the words “When required by lawful order…” the intermediary shall provide information/assistance within 72 hours. It also provides that upon an order from a Court or an appropriate authority, and when it relates to Unlawful acts related to Article 19(2) of the Constitution of India shall remove the content within 24 hours thereafter.

These two new paragraphs are reproduced here.

(5) When required by lawful order, the intermediary shall,

-within 72 hours of communication, provide such information or  assistance as asked for by any government agency or assistance  concerning  security  of  the  State  or cyber  security;  or  investigation  or  detection  or prosecution or prevention of offence(s); protective or cyber security and matters connected with or incidental thereto.

-Any such request can be made in writing or through electronic means stating clearly the purpose of seeking such information or any such assistance.

-The intermediary shall enable tracing out of such originator of information on its platform as may be required by government agencies who are legally authorised.

(8) The intermediary upon receiving actual knowledge

–in the form of a court order, or on being notified by the appropriate Government or its agency under section 79(3)(b) of Act

–shall  remove  or  disable  access  to  that  unlawful  acts  relatable  to  Article  19(2)  of  the Constitution of India

–such as in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, on its computer resource without vitiating the evidence in any manner,

as far as possible immediately, but in no case later than twenty-four hours in accordance with sub-rule (6) of Rule 3.

Further the intermediary shall preserve such information and associated records for at least ninety days one hundred and eighty days for investigation purposes, or for such longer period as may be required by the court or by government agencies who are lawfully authorised.

The above two requirements are well within the reasonable powers of the Government and the legal provisions including the Supreme Court judgement.

The next important change suggested is that the intermediary shall inform its users,

-at least once every month,

– that in case of noncompliance with rules and regulations, user agreement and privacy policy for access or usage of intermediary computer resource, the intermediary has the right to immediately terminate the access or usage rights of the users to the computer resource of Intermediary and remove non compliant information.

This is a question of providing monthly reminders so that if and when this right is exercised, the user is not surprised and run to the Supreme Court with a complaint.

This requirement may require a tweaking of the technology to recognize the “Last Log in” and provide a pop up notice or an e-mail notice.

This would be an interesting development since in many cases the e-mails may bounce because they are false and then the Intermediary should recognize that there is a need to redflag the user. In a way this could put a check on the “Fake Accounts” by putting the intermediary on alert.

I request the Government not to yield if the intermediaries raise an objection on this provision.

Management Localization

One of the significant changes is that intermediaries having more than 50 lakh users now need to have a local establishment with a permanent local address and a nodal officer for 24×7 coordination with law enforcement agencies.

This would be sweet news for the Police because only those who have handled Cyber Crime investigations know how difficult the intermediaries get when a Cyber Crime investigator asks for information. The Google, Face Book and Twitter are in the forefront of such stonewalling of investigations and will obviously oppose this provision tooth and nail.

Again this is an issue on which the Government should not buckle down under pressure.

Proactive Tools

Another significant change is the imposition of a responsibility on the intermediary that they deploy

–technology based automated tools or

–appropriate mechanisms,

–with appropriate controls,

– for proactively identifying and removing or disabling public access to unlawful information or content

Opposition to this change has been mounted on the ground “How do we identify what is unlawful?

I would only like to say …Well, if you know what is lawful, you know what is unlawful and it is the duty of every one of us to know what is lawful.

We are today in the era of Artificial Intelligence. All the major intermediaries are already using AI for profiling the users from the content that they post or access. Despite the privacy regulations like GDPR, the Googles and FaceBooks or Twitters are unlikely to stop profiling and using it for generating revenue through targeted advertising.

If profiling for targeted advertising is possible, it is also possible for profiling for identifying the unlawful activities.

Encrypted Information

Problems will persist with WhatsApp where the company may actually dealing with “encrypted content” and therefore not amenable for content analysis. Considering that the rule talks about “Appropriate Controls”, “appropriate mechanisms”, it is possible for WhatsApp that in the honest case of it not being able to decrypt the message, it should be exempted from the obligation to decrypt content.

Alternatively, if they are technically capable of decryption and content analysis, then they can provide the necessary technology through technical means without any manual intervention so that “Privacy” of honest users is not adversely affected. If the algorithm decrypts and analyses the content for certain key words all within the application space, then confidentiality of information can be maintained to the satisfaction of the users from the “Privacy” perspective.

It may not however be easy to make the Supreme Court understand this concept of “Algorithmic decryption and content analysis not amounting to privacy infringement”.

I hope the techno-legal advisers of MeiTy would be able to provide assistance to the AG when this matter comes up with the Supreme Court. Just as the Supreme Court called upon the Airforce officials in the Rafael matter to understand the technical issues, the Court should not hesitate to ask the assistance of techno legal experts to understand how “Information can be decrypted and searched within the application data space” with only the identified objectionable content being taken out for legal action and leaving others to be kept confidential from the Privacy perspective.

I hope the above factors will be taken note of by the MeitY.

Naavi

Previous Articles:

Shreya Singhal is Back again!

New Intermediary Guidelines… Legitimate and Well within the rights of the Government: 
Proactive technology tools to identify violation..new intermediary rules: 
New Intermediary Guidelines.. Intermediaries need to have Indian Subsidiaries..: 
Intermediary Guidelines.. Who is and who is not an intermediary?: 
Draft Intermediary Guidelines 2018… Public Comments invited:
Copy of the guidelines: 

P.S: The last date for submission of comments extended upto 31st January 2019. The comments would be put up on the website on 4th February and counter comments accepted upto 14th February 2019… http://meity.gov.in/writereaddata/files/Extention_Guidelines_2018.pdf

This entry was posted in Cyber Law and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.