Proactive technology tools to identify intermediary rules

[This is in continuation of the previous article on the topic]

Continuing our discussion on the new Intermediary guideline, one other aspect that is attracting attention in the media is the proposed Rule no 9 which states as follows:

“The Intermediary shall deploy technology based automated tools or appropriate
mechanisms, with appropriate controls, for proactively identifying and removing or disabling public access to unlawful information or content”

“Identification” is often discussed in the WhatsApp context as the “Origin” of a message. One of the main concerns of the society in recent days have been the “Forwarding” of messages through the social media leading to fake news generation and incitement of unrest in the society.

The Government has therefore been insisting that messages should be hashed and WhatsApp has to maintain a hash tag with every message.

However, what is of relevance is only the identity of the sender since hash can easily be changed with just an addition of a comma or space.

In the WhatsApp scenario the identity is always linked to the mobile and therefore unless the Mobile Service Provider has not failed in the KYC, identity of the sender is available for the investigating agencies. Whats App also works in “Groups” and hence forwarding from one group to another occurs through the WhatsApp server which knows the identity of both groups and therefore the members of both groups. Hence it is not difficult to tag the messages going into and out of the WhatsApp server with an identity information in a header to be created (outside the boundary of the encrypted message) that can also distinguish between a message sent by a member to other members of the same group and a message sent from one group to another. The header is relevant in inter-group transfers and WhatsApp can enable the header view in its menu such as “Message Info”.

Intermediaries like Google actually try to hide the identity information through a “Proxy” and by interfering in the identification of the message delivery system fail the test of “Intermediary” as discussed in our first article of this series. Gmail is therefore liable for Reasonable Security Practice under Section 43A and cannot claim exemption under Section 79 under the “Due Diligence” clause.

WhatsApp on the other hand does not hide the sender’s identity though many of the users create a profile name and picture which could be misleading. But their mobile number is still available for scrutiny and the Admin is supposed to know the users. It would be better if WhatsApp disables “Join through a Link” and restrict membership of a group only through an invitation from the admin.

While designing the automatic tools, the intermediaries may also as part of the due diligence, introduce measures to identify spoofing by comparing the identity of the sending  device with the name as displayed and as resolved from its IP address. This is routinely done in the E Mail scenario and there is no reason why this should not be extended to other cases. It would be the responsibility of each ISP to check the identity of the previous ISP with the IP address as is visible and resolved.

Another aspect that has frequently pointed out the negligence of the intermediaries is in not naming the “Grievance Officer”.  At least now, we hope the intermediaries will start this practice.

To summarize, except for the “Need to have a local subsidiary” there is no other major change between the previous version of the guideline and this. There are clarifications which were relevant and some mandates which were anyway part of the interpretation of the due diligence.

We suppose that the intermediaries co-operate with the Government in implementing the guidelines since Intermediaries are the key to Cyber Crime prevention and cannot be allowed to be tools of commission of Cyber Crimes.

(Comments are welcome)


Previous Articles:

Shreya Singhal is Back again!

New Intermediary Guidelines… Legitimate and Well within the rights of the Government: 
Proactive technology tools to identify intermediary rules: 
New Intermediary Guidelines.. Intermediaries need to have Indian Subsidiaries..: 
Intermediary Guidelines.. Who is and who is not an intermediary?: 
Draft Intermediary Guidelines 2018… Public Comments invited:
Copy of the guidelines: 

P.S: The last date for submission of comments extended upto 31st January 2019. The comments would be put up on the website on 4th February and counter comments accepted upto 14th February 2019…

This entry was posted in Cyber Law and tagged , . Bookmark the permalink.

1 Response to Proactive technology tools to identify intermediary rules

  1. Pingback: New Intermediary Guidelines… Legitimate and Well within the rights of he Government |

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.