Busted Terror Module busts the Snooping Argument

With the NIA unearthing what appears to be one of the biggest terror plots which could have hit the country on January 26th, it appears that the arguments against the right of the Government to carry on Cyber Patrolling duties should fizzle out.

To bust such a module, one can visualize that vigilance had been mounted for a long time on social media such as WhatsApp and Telegram, besides e-mail, mobile, CCTV footage etc.

Hopefully the opposition to Section 69 and the MHA notification will now be relegated to the background.

Naavi


New Intermediary Guidelines… Legitimate and Well within the rights of the Government

[This is in continuation of the Previous Article]

Sometimes “Experts” also go wrong, particularly when they look at every Government notification through the colored glasses borrowed from the political opponents. Today’s Economic Times carries the headline “Plan to tweak IT rules may widen rift between govt, social media companies” and quotes many experts to support it. The ET Bureau credits the article to two journalists, Surabhi Agarwal and Megha Mandavia, and it quotes several experts extensively to say that the recent draft Guidelines under Section 79 released for public comments by MEITY will widen the rift between the Social Media Companies and the Government.

Probably, it is not the Social Media Companies themselves but the Indian media which is painting a scary picture whenever the Government wants to do something good for the society. The media has not come to terms with the Modi Government which unlike the non performing Government of UPA is rolling out one decision after another in quick succession unnerving the political opponents and the media which supports them for their own vested interests.

The same media cried from the roof tops that the draft bill on Personal Data Protection which advocated “Data Localization” will have negative effect on the industry. But today we find that Ctrls plans to invest Rs 2000 crores in new Tier-4 Data Centers in Hyderabad, Chennai and Mumbai, to expand their current infrastructure. Even Microsoft and  Amazon are reportedly expanding their data center infrastructure in India. The Market based industry will therefore look at the economic benefits and adapt to the changing requirements though some journalists in India keep raising their voices against such developmental measures to nurture their own constituencies.

WhatsApp and other social media companies will also adapt to the changing needs since they realize that the Modi Government does not budge for such arm twisting tactics executed through the pliant media. The conclusion drawn by ET therefore is not correct. We soon will have WhatsApp India, Facebook India and Twitter India operating from locations within the country, not only subjecting themselves to the Indian laws but also creating new employment and business opportunities in the ecosystem. There will be some negotiations between the Government and these companies not only on the regulations but also on taxation and other matters, and these are business negotiations that happen all the time between MNCs and the local Government. Despite the strict “Local Partnership only” policies of the Gulf countries, most international companies have set up shop there. Similarly, the foreign Social media owners will also find a way to operate in India. Hence there will be “No Rift” and even if it arises, it is the right of our Government to do what is good for our citizens and it should not yield to the media pressure.

There will be the community of politician advocates who raise the bogey of “Constitution” and try to make the Supreme Court dictate terms with the Governance of the day. But I think the Court will refuse to be made a pawn in the hands of the politicians working for building their 2019 election campaigns through the Supreme Court.

What Experts Say and Why they are wrong

In many instances, experts are misquoted by journalists who publish quotes in parts and out of context to derive their own meanings. Hence all the quotes attributed to the experts in the article may not be true. However, for the sake of clarity to the public we need to comment on these attributed quotes and record our views.

Quote 1: removing content within 24 hours for reasons such as maintaining public order or defamation may be deemed as infringing upon freedom of expression and invite legal scrutiny.

Comment: This comment refers to rule 8 (proposed) which states as follows.

The intermediary upon receiving actual knowledge in the form of a court order, or on being notified by the appropriate Government or its agency under section 79(3)(b) of Act shall remove or disable access to that unlawful acts relatable to Article 19(2) of the Constitution of India such as

in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, on its computer resource without vitiating the evidence in any manner,

as far as possible immediately, but in no case later than twenty-four hours in accordance with sub-rule (6) of Rule 3.

Further the intermediary shall preserve such information and associated records for at least ninety days one hundred and eighty days for investigation purposes, or for such longer period as may be required by the court or by government agencies who are lawfully authorised.

It is clear from the above that the removal of content only arises when it is lawful and in tune with the constitutional rights. Hence there is no infringement of the freedom of speech. Legal scrutiny is possible because celebrity advocates may move the Court and the Court may be obliged to admit the petitions. But it is unlikely that an honest Court will interfere in such routine rules. Such interference itself will be unconstitutional.

Quote 2: “There is vagueness of rules. They (meaning tech companies including cab aggregators, e-commerce companies, hotel aggregators etc)  don’t know whether they  are supposed to help intercept or provide a backdoor…”

Law remains vague as long as tech companies fail to either understand it themselves or consult an appropriate person for clarification. Law can never be a “checklist” on which a clerk can tick boxes, as some tech companies desire.

Vagueness therefore is inherent in any law and it is the responsibility of the judiciary to clarify when required.

(In fact, we may recall that Justice Chelameswar in his part of the judgement on Privacy went along to say that even what is written or not written in the Constitution is not sacrosanct and the Court has a right to read words and meanings into the law. I admit that I disagree with this view and also hold the Court inconsistent since the same Judges refused to read down Section 66A and went about scrapping it. But his words are a judge’s view on the sanctity of the written law).

Quote 3: Rule 9,  mandates companies to “deploy technology based automated tools” for removing “access to unlawful information or content,” ….”it may be against the Constitution”

Comment: I recall the landmark Yahoo Nazi Memorabilia case in which the French Court ruled that Yahoo shall block French web users from its auction sites which sell Nazi memorabilia using appropriate technical measures failing which they have to pay a daily fine of 100,000 francs.

During the trial, Yahoo!’s lawyers argued that blocking the site from French web surfers would be technically impossible. “The internet has no borders, and there is no effective means of preventing its users from travelling where they like”…they said.

In  its ruling, the Paris court said that it is technically possible for Yahoo! France, the company’s local subsidiary, to block at least 90% of French users from the sites in question and ordered Yahoo! to find ways to block French users from its Nazi auction sites.

The argument that there is technical difficulty and that the companies would therefore not do what the Indian lawmakers desire is a rogue response which should be politely brushed aside.

Quote 4: WhatsApp can refuse to build technology that will trace messages, leading to a “prolonged tussle” with the government.

Comment: The requirement of the Government under Section 79 to track “Fake News” as a crime after its detection is only for tracing the origin of the message and hence may not need decryption. The decryption would be to prevent offensive messages being circulated, which is under Section 69 of ITA 2000. In the end-to-end encryption originating from the user’s device there is some apparent logic to the argument that WhatsApp may not be able to decrypt.

However, since the encryption algorithm is provided by WhatsApp and it has all the details of the user’s mobile at the time of installation, it is difficult to believe that it cannot recreate the decryption key, or is not already storing a copy of the decryption key under its control, or cannot do so if it wishes to.

I therefore do not buy the argument that it is not possible to decrypt the message though I reiterate that the Government has not so far put up this demand as a blanket requirement. Under Section 69, it is only when the competent authority has reasons to ask for the information that the power would be exercised.

I presume that WhatsApp is already under amicable discussion with the Government. On the other hand the problem could be more with Google which has been hiding the e-mail sender’s IP address under the false impression that it is required for the protection of privacy and refusing the information even when the recipient of the message himself is demanding the information. This is an example of a deliberate attempt not to cooperate with the law enforcement authorities which has forced the Government to take legal measures to drag the foreign companies into the Indian jurisdiction.

In summary I welcome the Government move and agree with some of the experts who have stated that this could result in better tax compliance by the international agencies. There is in my opinion no legal hassle and it is extremely unlikely that the Supreme Court will even admit a petition to block the Government notification if it is finalized on the terms now indicated.

Naavi


P.S: The last date for submission of comments extended upto 31st January 2019. The comments would be put up on the website on 4th February and counter comments accepted upto 14th February 2019… http://meity.gov.in/writereaddata/files/Extention_Guidelines_2018.pdf


Proactive technology tools to identify violation..new intermediary rules

[This is in continuation of the previous article on the topic]

Continuing our discussion on the new Intermediary guideline, one other aspect that is attracting attention in the media is the proposed Rule no 9 which states as follows:

“The Intermediary shall deploy technology based automated tools or appropriate
mechanisms, with appropriate controls, for proactively identifying and removing or disabling public access to unlawful information or content”

“Identification” is often discussed in the WhatsApp context as the “Origin” of a message. One of the main concerns of the society in recent days has been the “Forwarding” of messages through the social media leading to fake news generation and incitement of unrest in the society.

The Government has therefore been insisting that messages should be hashed and WhatsApp has to maintain a hash tag with every message.

However, what is of relevance is only the identity of the sender since hash can easily be changed with just an addition of a comma or space.
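To illustrate the point about how fragile a message hash is (an added example, not from the original article and not WhatsApp's code): an exact SHA-256 digest changes with one added comma or space, while a digest over a canonicalised form and a word-shingle similarity score still recognise trivially edited copies. The function names, the sample messages and the 0.5 threshold are assumptions constructed for this illustration.

```python
import hashlib
import re
import unicodedata

# Constructed sample messages (not real traffic).
ORIGINAL = "Urgent: the bridge on the main road is closed today, please forward to everyone"
WITH_COMMA = "Urgent: the bridge on the main road is closed today, please forward, to everyone"
WITH_SPACE = ORIGINAL + " "
REWORDED = "Urgent: the bridge on the main road is closed today, kindly forward to everyone"
UNRELATED = "Meeting moved to 4 pm, see you at the office"


def exact_digest(text: str) -> str:
    """SHA-256 over the raw UTF-8 bytes: any changed byte gives a new digest."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def canonical_form(text: str) -> str:
    """Fold Unicode compatibility forms and case, drop punctuation and spacing."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return " ".join(re.findall(r"\w+", folded))


def canonical_digest(text: str) -> str:
    """SHA-256 over the canonical form, stable under comma/space/case edits."""
    return hashlib.sha256(canonical_form(text).encode("utf-8")).hexdigest()


def shingles(text: str, k: int = 3) -> set:
    """Set of k-word windows taken from the canonical form."""
    words = canonical_form(text).split()
    if len(words) < k:
        return {tuple(words)}
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def similarity(a: str, b: str, k: int = 3) -> float:
    """Jaccard similarity of the two shingle sets, between 0.0 and 1.0."""
    sa, sb = shingles(a, k), shingles(b, k)
    return len(sa & sb) / len(sa | sb)


def classify(original: str, candidate: str, threshold: float = 0.5) -> str:
    """Report the strongest level at which candidate matches original."""
    if exact_digest(original) == exact_digest(candidate):
        return "exact"
    if canonical_digest(original) == canonical_digest(candidate):
        return "canonical"
    if similarity(original, candidate) >= threshold:
        return "near-duplicate"
    return "different"


if __name__ == "__main__":
    samples = [("comma added", WITH_COMMA), ("space added", WITH_SPACE),
               ("one word changed", REWORDED), ("unrelated", UNRELATED)]
    for label, msg in samples:
        print(f"{label:18} exact={exact_digest(msg)[:12]} -> {classify(ORIGINAL, msg)}")
```

Even the canonical digest breaks once a single word is replaced, so only the similarity score still links the reworded copy to the original.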

In the WhatsApp scenario the identity is always linked to the mobile and therefore, unless the Mobile Service Provider has failed in the KYC, the identity of the sender is available to the investigating agencies. WhatsApp also works in “Groups” and hence forwarding from one group to another occurs through the WhatsApp server which knows the identity of both groups and therefore the members of both groups. Hence it is not difficult to tag the messages going into and out of the WhatsApp server with identity information in a header to be created (outside the boundary of the encrypted message) that can also distinguish between a message sent by a member to other members of the same group and a message sent from one group to another. The header is relevant in inter-group transfers and WhatsApp can enable the header view in its menu such as “Message Info”.

Intermediaries like Google actually try to hide the identity information through a “Proxy” and by interfering in the identification of the message delivery system fail the test of “Intermediary” as discussed in our first article of this series. Gmail is therefore liable for Reasonable Security Practice under Section 43A and cannot claim exemption under Section 79 under the “Due Diligence” clause.

WhatsApp on the other hand does not hide the sender’s identity though many of the users create a profile name and picture which could be misleading. But their mobile number is still available for scrutiny and the Admin is supposed to know the users. It would be better if WhatsApp disables “Join through a Link” and restricts membership of a group only through an invitation from the admin.

While designing the automatic tools, the intermediaries may also as part of the due diligence, introduce measures to identify spoofing by comparing the identity of the sending  device with the name as displayed and as resolved from its IP address. This is routinely done in the E Mail scenario and there is no reason why this should not be extended to other cases. It would be the responsibility of each ISP to check the identity of the previous ISP with the IP address as is visible and resolved.

Another aspect that has frequently pointed out the negligence of the intermediaries is in not naming the “Grievance Officer”.  At least now, we hope the intermediaries will start this practice.

To summarize, except for the “Need to have a local subsidiary” there is no other major change between the previous version of the guideline and this. There are clarifications which were relevant and some mandates which were anyway part of the interpretation of the due diligence.

We suppose that the intermediaries co-operate with the Government in implementing the guidelines since Intermediaries are the key to Cyber Crime prevention and cannot be allowed to be tools of commission of Cyber Crimes.

(Comments are welcome)

Naavi



New Intermediary Guidelines.. Intermediaries need to have Indian Subsidiaries..

[This is in continuation of the previous article on the subject]

In the 2011 version of the guidelines, the “Due Diligence” included a prompt action to be taken by the intermediary when a complaint is received by them about some contravention occurring on his platform with a message that is either stored or displayed under his control. The guideline stated that “When the intermediary receives actual knowledge”, he has to remove the information within 36 hours from the display but preserve it as evidence for legal purposes.

This applied to mainly websites including Facebook or Twitter which  “Publish” Content. Initially some intermediaries interpreted this as if it was a mandate to remove the allegedly offending content within 36 hours and the Government later on clarified that the Intermediary need not take a judgmental view of what is right or wrong but has to wait for a judicial order.

Now the Government says that they are modifying this rule consequent to the Shreya Singhal Judgement. Accordingly the sub section 4 has been removed and a new sub section 4 along with some modifications in sub section 5 has been introduced.

Also the sub section (8) clarifies that the “Actual Knowledge” refers to receiving a Court order or a notification from an appropriate Government agency.

Now, it will be necessary for the Intermediary to send “Monthly Reminders” to the users that in case of non compliance with rules and regulations and user agreement and privacy policy the service access may be terminated.

Comment: While it appears that this will introduce a new responsibility for monthly reminders to the lakhs of subscribers which some of the intermediaries like Facebook, Google or WhatsApp may have, it can be implemented with a monthly customization of access involving a pop up notice instead of sending an e-mail notice.

One advantage of this monthly notification rule is that whenever the policy is changed by the service provider, he will have a monthly window when he can inform the user with a link to the new version of the policy. This will prevent the obnoxious practice of a policy or terms of service being modified without notice to the users. Though this notice of modification is mandatory for contractual purposes, the proposed monthly alerts can be a good approximation to meeting this obligation of notice of change.

Under Sub rule 5 it is now clarified that the intermediary is obliged to respond to a request for information or assistance made by an appropriate Government agency when required by a “lawful order”. It is necessary that such a request is made in writing (including electronic) stating the purpose and the information required, and the intermediary shall enable tracing the originator of the message.

Comment: This provision is nothing new since such powers of requesting information under Sec 69B or CrPC were already available to the law enforcement agencies including the Courts. There is better clarity now.

Though some intermediaries may have some issues in recording the IP address and other log information associated with the messages/posts, this is easily done since the information is observed by the server of the service provider. Obviously, if the server does an “Anonymization” of the user, then the service provider has to answer to the law. If the user has spoofed the identity, then the service provider may not be generally liable except to the extent of identifying spoofing attempts as part of the “Reasonable Security Practice”.

For example when a “Phishing” mail is sent by a person from a server which is different from what it appears to be in its name, the e-mail provider or the message receiving server needs to identify that the sending device identity does not match with the published identity and hence the message is suspicious. Already many mail servers have implemented verification of the signature of the previous sender and this system needs to be extended to other cases as part of the compliance requirements. (Look forward to more clarification from my tech friends).
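The sender-identity comparison described here and in the earlier article on proactive tools, sketched as an added example (not from the original articles): a receiving server compares the name a sending host announces with the name its IP address resolves to, confirms that name resolves back to the same IP, and checks the IP against the list the claimed sender domain publishes. The lookup tables are constructed stand-ins for live DNS using documentation address ranges, and the published-list check handles only `ip4:` terms, a simplification of real SPF.

```python
import ipaddress

# Constructed DNS data standing in for live lookups (documentation ranges).
PTR = {  # reverse DNS: IP address -> host name
    "192.0.2.10": "mail.bank.example",
    "203.0.113.77": "host77.dialup.example",
    "198.51.100.5": "mail.bank.example",  # PTR set by whoever controls this IP
}
A = {  # forward DNS: host name -> IP addresses
    "mail.bank.example": {"192.0.2.10"},
    "host77.dialup.example": {"203.0.113.77"},
}
SPF = {  # sender policy published by the domain owner
    "bank.example": "v=spf1 ip4:192.0.2.0/28 -all",
}

NO_FCRDNS = "no forward-confirmed reverse DNS for connecting IP"
HELO_MISMATCH = "announced host name differs from resolved name"
NOT_PUBLISHED = "connecting IP is not in the sender domain's published list"
NO_POLICY = "sender domain publishes no policy"


def fcrdns_name(ip: str):
    """Return the PTR name only if that name resolves back to the same IP."""
    name = PTR.get(ip)
    if name is not None and ip in A.get(name, set()):
        return name
    return None


def spf_permits(domain: str, ip: str):
    """True/False if the domain publishes a list, None if it publishes nothing."""
    record = SPF.get(domain.lower())
    if record is None:
        return None
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and addr in ipaddress.ip_network(term[4:], strict=False):
            return True
    return False


def assess(conn_ip: str, helo: str, from_domain: str) -> list:
    """List the reasons a connection's claimed identity looks suspicious."""
    findings = []
    confirmed = fcrdns_name(conn_ip)
    if confirmed is None:
        findings.append(NO_FCRDNS)
    elif confirmed.lower() != helo.lower().rstrip("."):
        findings.append(HELO_MISMATCH)
    permitted = spf_permits(from_domain, conn_ip)
    if permitted is None:
        findings.append(NO_POLICY)
    elif not permitted:
        findings.append(NOT_PUBLISHED)
    return findings


if __name__ == "__main__":
    # Constructed connections: (connecting IP, announced name, From domain).
    for conn in [("192.0.2.10", "mail.bank.example", "bank.example"),
                 ("203.0.113.77", "mail.bank.example", "bank.example"),
                 ("198.51.100.5", "mail.bank.example", "bank.example")]:
        print(conn, "->", assess(*conn) or "consistent")
```

The third connection shows why the forward confirmation matters: the reverse record alone names the bank's mail host, but that name does not resolve back to the connecting address.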

Another interesting aspect of the notification is Rule 7 which states that intermediaries with more than 50 lakh users in India or specifically notified by the Government should be companies incorporated in India, have a permanent registered office and have a nodal point of contact.

Comment: Just as the debate on the Data Localization, I am sure that this rule will be fiercely contested by the industry giants. But this is a clever move of the Government which also has an impact on the “Data Protection regulations”.

I have in the past made references to the non availability of identifiable representatives of Facebook and Google in India when an abuse had to be reported and we have often observed that Police are told by these companies that their services are handled from USA subject to the laws of USA and hence all law enforcement queries have to be directed to them.

This rule therefore is the single most critical measure that may improve the law enforcement capability in India where companies such as Google, Facebook, WhatsApp, PayPal, and many others may have to open their India subsidiaries and be subject to Indian law enforcement supervision.

…. To be continued

Naavi


Intermediary Guidelines.. Who is and who is not an intermediary?

The following are the comments from Naavi.org on the proposed modified rules under Section 79 of ITA 2000/8 released for public comments on 24th December 2018.

After the passage of amendments to ITA 2000 in December 2008, which was notified with effect from 27th October 2000, a notification was released under G S R 314(E) dated 11th April 2011. This notification was called “Information Technology (Intermediate guidelines) Rules, 2011” and laid out the requirements of “Due Diligence” to be followed by “Intermediaries”.

Who is and Who is Not an “Intermediary”?

The Intermediaries are defined under Section 2(w)  as follows:

“Intermediary” with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes.

The intermediaries include many IT giants such as Google, Facebook, WhatsApp etc.

Though some of the E Commerce websites may also be treated as “Intermediaries” and Banks have also tried to wear this hat sometimes to claim exemption of liabilities for cyber crimes, it must be noted that the definition applies to those organizations who process third party information without “initiating the transmission”, “selecting the receiver of the information” or “selecting or modifying the information contained in the transmission”. (Refer section 79(2)).

In other words, most of the intermediaries who today interfere with the messages passing through them by trying to use the content for their own benefit including for advertising purposes lose the status of an “Intermediary”. They become users of the information passing through them and would fall under “Due Diligence” or “Reasonable Security Practices” as required under Section 43A of the ITA 2000/8. (This aspect needs to be kept in mind when Section 43A is removed with the introduction of PDPA 2018)

It is not a Section for Exemption..But for defining Due Diligence

While Section 79 has often been interpreted as a section which provides “Exemptions to Intermediaries” from liabilities, it must be remembered that it actually extends all the liabilities under ITA 2000/8 that may be attributed to a computer/human resource owned by an organization to the organization itself and also triggers the liabilities under Section 85, if the conditions under Section 79(3) are not fulfilled.

According to Section 79(1), an intermediary shall not be liable for any third party information, data, or communication link hosted by him only if the provisions of sub-sections (2) and (3) are fulfilled.

Sub section (2) clarifies who is an intermediary and Sub section (3) talks of conspiracy, abetment and assistance including inducement and threats and the action to be taken on receipt of knowledge.

Before we start discussing the Guidelines issued by the Ministry now, it is essential for all of us to be familiar with Section 79  since the rules are to be interpreted within the provisions of the Act/Section and cannot be ultra vires the Act itself. If the “Rules” try to change the “Act”, it has to be held invalid.

Possibility of Mistakes by the Court

In the course of the discussion of the new rules, some members of the media have referred to the Shreya Singhal judgement which resulted in the scrapping of Section 66A which remains a symbol of the inability of the honourable Supreme Court to appreciate the need of certain parts of the law.

This has been extensively debated earlier and we would not like to digress here except to highlight that Supreme Court is amenable to be misguided by Vocal PIL Advocates into decisions which are short sighted and it has to guard itself against such attempts in every case where a political motivation is evident.

It is often observed that lawyers who are supposed to be “Servants of the Court” and assist the Judges in arriving at a truth through a judgement, often resort to complete falsehoods in trying to justify their client’s interest bordering on committing a “Fraud on the Court”.  The Court cannot therefore drop its vigilance and go entirely by the averments of the advocates.

The silence of the defense advocates which led to some recent wrong decisions was also evident in the withdrawal of some tender notifications by UIDAI on media monitoring which were wrongly projected in the Court as a possible violation of Privacy and the Court appeared to concur with it.

While Courts are required to adjudicate on genuine differences of views on legal issues they often are called upon to adjudicate on differing political views. If the Court is not fully conscious of this possibility, there could be slip ups which come to haunt them later and adversely affect the reputation of the judiciary either for their inefficiency or for bias.

The recent Aadhaar judgement which inter-alia killed the e-Sign system of authentication, which many of the experts who support the judgement never realized, is another example of how the Court may be driven into an incorrect decision with a blinkered vision particularly when the matter can be linked to a “Constitutional Right”.

Nowadays, every politician, including the enemies of the State, has become conscious of their rights under the constitution and drags the Supreme Court to sit in judgement of every administrative order issued by the Government. This is a gross misuse of the resources of the Supreme Court.

Though the current CJI has been conscious of the fact that the precious time of the Court is being wasted in politically motivated cases, we need to still witness the courage of the Court to put its foot down on frivolous and politically motivated litigation which are brought up only to gain media attention and score a political point.

The PIL filed by advocate Mr M.L. Sharma on the MHA notification on Section 69 will be a test case on whether the current Supreme Court does exhibit its resolve to focus on the more important matters of the Citizens or devote most of its energies to satisfy the political debates in the garb of upholding the constitutional rights of citizens. (This requires a separate debate which we shall do shortly).

It is one of the strategies of the opposition to engage the Court in such a manner that more important cases get relegated, hopefully until the Government changes. Citizens are watching if the Supreme Court is conscious of these clever manipulations.

We hope there would not be one more PIL on the proposed Section 79 rules and all those who have a view will try to place their comments with the Ministry rather than going straight to the Court.

While we do not expect everybody to accept the views presented here, I suppose these views would be considered before they come to their own conclusions.

So…let us proceed further on the proposed changes in the intermediary responsibilities…

…. To Be Continued

Naavi


Draft Intermediary Guidelines 2018… Public Comments invited

The Government of India has released a draft Intermediary guidelines 2018 under Section 79 of Information Technology Act 2000 (ITA 2000/8) for public comments before January 15th. (Refer here).

The notification records that a calling attention motion on “Misuse of Social Media platforms and spreading of fake News” was admitted in the Parliament (Rajya Sabha) in 2018 (Monsoon session) and the Hon’ble Minister for Electronics and IT, responding to the calling attention motion on 26/07/2018, made a detailed statement where he inter alia conveyed to the House the resolve of the Government to strengthen the legal framework and make the social media platforms accountable under the law.

The department (MeitY) has now prepared the draft Information Technology (Intermediary Guidelines) Rules 2018 to replace the rules notified in 2011.

Comments and suggestions can be sent to gccyberlaw@meity.gov.in, pkumar@meity.gov.in, and  dhawal@gov.in.

The Copy of the proposed guideline is available here.

As has been the trend of politics today, there have already been comments by many politicians that this is an attempt by the Government to take control of the social media as a part of the strategy to win elections etc. It appears that the politicians are only exposing their ignorance of law and bias by making extreme comments which are misplaced.

These comments supported by some of the known biased journalists will be spreading disinformation to the extent possible. For the time being let us ignore these comments.

We will try to explain the changes and put out our views in this regard.

Naavi


PS: As per the addendum released on 31/12/2018, the public comments released upto 15th January 2019 would be placed on the website on 18th January 2019 and a 10 day period upto 28th January 2019 would be allowed for receiving counter comments if any…. Group Coordinator, gccyberlaw@meity.gov.in
