• brillopedia

INFORMATION TECHNOLOGY RULED 2021: A MENACE TO ENCRYPTION AND PRIVACY

Updated: Dec 19, 2021

Author: Anjali Sinha, LL.M from Amity University, Lucknow.

Co-author: Shefali Sharma, LL.M from Amity University, Lucknow.


The article deals with the functional and constitutional aspects of the New IT Rules, 2021 which lays certain guidelines to regulate the Social Media Intermediaries ,OTT platforms and Digital News. India has a huge number of digital population, which is about 624 million active users as on February 2021. On contrary, there is a rise in cases where the social media is being used as a tool for violating the dignity and integrity of the nation, 'out-of-office' corporate rivalries, malicious and anti-national 'fake news', inciting communal riots, obscene contents etc. The aforesaid abuse is compounded due to lack of a robust complaint and redressal mechanism which is inaccessible to the ordinary social media users.


With the rapid growth of digitalization, cybercriminals keep coming up with even more menacing techniques and hiding their identity. Cyber security venture have confirmed that a cyber attack incident will occur every 11 second in the year 2021, which is almost twice the rate in 2019. Hence, the disclosure of First Originator has become significant. The New IT Rules therefore aims to prevent the abuse of social media platforms by increasing their accountability; and to establish a three-tier redressal system for the efficient grievance resolution.


Introduction

The Information Technology Act, 2000 generally called IT Act 2000 provides legal recognition to transactions involving electronic data and other means of electronic communication, commonly referred to as “electronic commerce”. The Act also aims to facilitate electronic filling of DOCS with government agencies. It has amended various other Acts such as Indian Penal Code of 1960, Indian Evidence Act of 1872, Banker Book Evidence Act 1981, and Reserve Bank of India Act of 1934.


The Central Government is empowered to make rules to carry out the provisions of IT Act by notification in the Official Gazette and in the Electronic Gazette. The aforesaid power is expressly mentioned under section 87 of the IT Act, 2000.


Recently, the Government of India has notified new rules for the protection of digital rights Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021. These new rules basically deals with social media as well as over-the-top (OTT) platforms and in supersession of the earlier Information Technology (Intermediary Guidelines) Rules 2011.


With the Pandemic serving as catalyst, cybercriminals keep coming up with even more menacing techniques and hiding their identity. Researchers stated that more than four thousand malicious COVID- related sites were discovered across the internet during the first phase of lockdown. According to the researchers and the cyber security ventures, it is found that a cyber attack incident will occur every 11 second in the year 2021, which is almost twice the rate in 2019. Hence, the disclosure of first originator has become more significant.


The New Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 rules aims to serve the dual-purpose: First, in order to prevent the abuse of social media platforms to increase the accountability of the social media intermediaries (such as Facebook, WhatsApp, Instagram, Twitter) ; and Second, to establish a three-tier redressal system for the efficient grievance resolution of the social media users.


Background of IT Rules

In 2018, the Supreme Court had determined that the Indian Government could frame necessary pointers to eradicate erotica, rape and gang rape imageries, videos and sites in content hosting platforms and alternative applications.


In 2020, Associate in Nursing Ad-hoc committee of the Rajya Sabha submitted its report on the difficulty of social media erotica and its impact on youngsters and society as a full. The report suggested tracing the conceiver of such content.


In 2020, the GOI additionally brought OTT platforms beneath the scope of the knowledge and Broadcasting Ministry.


The New Guidelines

Social Media Intermediaries are categorised into two groups based on the number of users, on the social media platforms. They are as follows:

  1. Social media intermediaries, and

  2. Significant social media intermediaries.

  • For Social Media/Intermediaries:-

  • Due Diligence to be followed by Social Media/ Intermediaries: In case, due diligence is not followed by them, they will not be protected under the safe harbour provisions mentioned under Section 79 of the IT Act.

  • Grievance Redressal Mechanism: Social Media/Intermediaries shall appoint a Grievance Officer. The Officer shall deal with the complaints and shall acknowledge the same within twenty four hours and furthermore resolve it within fifteen days from its receipt.

  • Appointment of Chief Compliance Officer, a Nodal Contact Person and a Resident Grievance Officer. All the aforesaid offices should be resident in India. The Compliance Report need to publish a monthly mentioning the details of complaints received, action taken on the complaints and the details of unlawful content removed.

  • To unveil Identification of the first originator of the information:- The Freedom of Speech and Expression under Article 19 of the Indian Constitution is not an absolute right. It is a fundamental right guaranteed to all the citizens with reasonable restrictions . Article 19(2) imposes ‘reasonable restrictions ‘on the exercise of the right to freedom of speech and expression ‘in the interests of’, the security of the State, friendly relations with the foreign States, public order, decency, morality, sovereignty and integrity of India.

Hence, it is significant for all social media intermediaries providing services primarily in the nature of messaging to enable identification of the first originator of the information.

It is required just for the needs of prevention, detection, investigation, prosecution or punishment of an offence associated with sovereignty and integrity of India, the security of the State, friendly relations and other reasonable restrictions including the offences in relation with rape, sexually explicit material or child sexual abuse material.

  • For OTT Platforms:-

  • Self-Classification of Content into five age based categories- U (Universal), U/A 7+, U/A 13+, U/A 16+, and A (Adult).

  • For content classified as U/A 13+ or higher, a parental lock should be implemented and there is a need for reliable age verification mechanisms for content classified as “A”.

  • For Digital News :-

  • To follow the norms under Press Council of India and the Cable Television Networks Regulation Act 1955.

  • Self-Regulatory Body to oversee the adherence by the publisher to the Code of Ethics and address grievances that have not been resolved within 15 days.

  • Ministry of Information and Broadcasting shall formulate a panel and an oversight mechanism.

Did the Social Media Intermediaries adhere to the new guidelines formulated under the New IT Rules 2021?

On 25th February 2021 the Government gave a span of three months to social media platforms to comply with the new rules in order to regulate the social media intermediaries such as Facebook, WhatsApp and Twitter, which ended on 25th May 2021.


Thereafter the Social Media Intermediaries have requested the Government of India to amend the IT rules and provide the same protection to intermediaries as provided under Section 79( intermediaries not to be liable in certain cases) of the IT Act.


It almost became the state of Social Media Intermediaries versus Government when WhatsApp moved Delhi High Court and challenged the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules to the extent that the Rules requires intermediary platforms to make provisions for identifying the first originator of information.


It pleaded the new IT Rules as Privacy Violation under the Indian Constitution and has argued that the provision was unconstitutional and was against the fundamental right to privacy guaranteed under Part III of the Constitution of India within the ambit of Article 21.

Referring to the landmark judgment of Apex Court Puttaswamy v Union of India a nine judge bench of the Supreme Court of India ruled unanimously that the right to privacy is a Fundamental Right protected under Article 21 of the Constitution of India. The joint judgment mentioned “Essential Nature of Privacy”.


“Dignity cannot exist without privacy. The Constitution of India has recognised the inviolable values of life, liberty and freedom, both dignity and privacy reside with these inalienable values. Privacy is the eventual expression of the sanctity of the individual. It is a constitutional value which bestride across the spectrum of fundamental rights and protects for the individual a zone of choice and self-determination”


Accordingly it was furthermore contended by WhatsApp that the provision of New IT Rules go against the concept of end to end encryption which means no third party and that it would make a compulsion for private companies to collect and store the data of billions of conversations.


On Wednesday 26th May, 2021 The Union ministry of electronics and information technology stated that the government respects the Right to Privacy as a response to the WhatsApp moving Delhi High Court against the New IT Rules.


In the Delhi High Court a Writ Petition has been moved against the Twitter to discharge their “executive, statutory and all other obligations in relation to” and comply with the provisions of Information Technology (Intermediary Guidelines and Digital Ethics Code) Rules 2021 without any delay.


Critical Analysis

The world has witnessed the emergence of anti-encryption legislation that’s inflicting concern amongst those that worth their privacy and need unrepressed communication. The recently notified data Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 haven’t followed the “privacy by design” guideline typically given to corporations that are building their product. Indeed, though the government claims that it’s not curious about the content of the messages, the structure of the foundations suggests otherwise.


The new Rules for intermediaries are brought into force at a time when one is expressing dissent or an opinion contrary to the government is being prosecuted for misdemeanor or being mistreated with charges beneath the Unlawful Activities (Prevention) Act (UAPA). FIRs are being lodged left, right and centre, in what’s an effort to stifle free discussion. Therefore, these Rules, which might commonly appear to be transfer order to a medium that is troublesome to regulate, should be seen with a lens of suspicion.


In addition to general personal information, one should take into account especially the special classes of non-public information (also referred to as sensitive personal data) that are extremely relevant as a result of they’re subject to a better level of protection. These information embrace genetic, biometric and health information, moreover as personal information revealing racial and ethnic origin, policy making, non secular or philosophic convictions or organisation membership.


Question raised

Raghav Ahooja, a student at the Rajiv Gandhi National University of Law, Punjab, United Nations agency writes frequently on the “intersection of law and technology”, means a technical flaw within the framing of the foundations.


Points mentioned

Ahooja says that Ministry of Electronics and Information Technology is currently sceptered to border the foundations, as regulation ‘digital media’ content is that the remit of the Ministry of data and Broadcasting (MIB). Nor will MIB frame the foundations as a result of it’s not the ministry that administers the IT Act, 2000. The Allocation of Business Rules, 1961, clearly defines that ministry will what.


In this case, whereas Ministry of Electronics and Information Technology itself has aforementioned that the a part of the foundations that pertain to digital media shall be administered by MIB, Ahooja says that such a stand is problematic as a result of in law, what can not be done directly, can not be done indirectly.


The IT Act, 2000, doesn’t look for to manage digital media — it doesn’t even outline digital media. Ahooja says that the Supreme Court has within the past control that “if a rule goes on the far side the rule creating power bestowed by the statute, a similar needs to be declared ultra vires (beyond one’s authority).”


Ahooja’s argument is that the foundations can not be created beneath the IT Act (which a lot of relates to cyber crimes). “ The aforesaid abuse is compounded due to lack of a robust complaint and redressal mechanism which is inaccessible to the ordinary social media users in general. Therefore, the rules outstrip and surpass the scope and horizon of the IT Act, and travel on the far of the parent Act. Thus, the foundations are ultra vires the IT Act & are at risk of be challenged in Court on each the grounds,” he says.


It is extremely up to MIB to manage digital media. If it desires to, it should do thus in consultation with Ministry of Electronics and Information Technology, however it should be the MIB that ought to usher in a legislation and find it versed the Parliament, Ahooja says.


Traceability and breaking encryption?

The draft IT Rules, 2021 have, under sub-rule (2) of Rule 5, made it mandatory for an enormous social media intermediary providing services primarily within the character of messaging, like WhatsApp, Signal, Telegram etc., to enable the identification of the first originator of the knowledge . This introduces the necessity of traceability which could break end-to-end encryption. It should be noted that previous proposals which seek to implement traceability during a fashion which is compatible with end to end encryption are shown to be susceptible to an act of disguising a communication from an unknown source as being from a known where bad actors can falsely modify the originator information to frame an innocent person. Further, the originator of the message has no control over who forwards the content, or what percentage times it’s forwarded, or during which fora.


In so far as Rule 5(2) requires modifications to the design of encrypted platforms to enable traceability, it’s beyond the scope of the parent provision that’s Section 79 of the IT Act. Here, it’s important to note that the power to prescribe encryption standards and methods originates from Section 84A of the IT Act, and not Section 79, which may be a safe harbour provision.


Why are Traceability laws introduced? What’s the need to implement ‘The First Originator’ rule?

Last week, a message on WhatsApp got viral which says -Two blue ticks and one red tick means the Government can take action against, while three red ticks will suggest that the government has begun court proceedings against you. A similar message had gone viral last year also. The message challenges that WhatsApp has added some new policies rules in which it can share users data. When the Facebook-owned app has moved to court against the new IT rules of the government, which involve a traceability phrase. While the traceability laws are being challenged, users should note that the WhatsApp continues private and end-to-end encryption, be it either Facebook or WhatsApp or even the government can have control of users data.


Furthermore, It should be noted that all the claims made against this viral message is fraud and that all the calls made in this viral communications are fraudulent.


Now, here comes the very essence of traceability laws which require to find and punish “The First Originator” of originating and spreading the aforesaid fake news to the large number of society.


Controversial: Acceptance and Rejection

Google chief government, Sundar Pichai, has put emphasis and clarity about the company’s plans to travel with India’s new Rules. In step with a report within the Economic Times, Pichai aforementioned the company’s native groups are holding talks with the government , however it’ll accompany native laws. He additionally aforementioned the company can still publish its transparency reports, that embrace information on the legal data requests it gets from government.


The new Rules were proclaimed by India on twenty five February, with the government giving important social media intermediaries three months to travel with them. They have corporations like Google to rent Indian voters in key compliance roles, reply to legal data requests among thirty six hours, and trace texts, posts or tweets to the first conceiver among the country.


Google and Facebook are two of the foremost important corporations that have aforementioned they aim to travel with the laws. WhatsApp, on the other hand sued the Indian government on twenty five could, seeking to dam the foundations from being enforced. The transmission firm, that uses end-to-end cryptography (E2EE) technology to preserve user privacy, argued that the foundations would require it to trace and trace each user’s messages so on be ready for legal requests, that would be a violation of the Supreme Court’s right to privacy ruling of 2017.


The Indian government has claimed the intention behind the foundations isn’t to violate the right to privacy. It aforementioned the foundations are weighed against the check of quotient, that’s in Nursing exception mentioned within the proper to privacy ruling.


Grievance redressal

  • Grievance Redressal Mechanism is Mandatory:

The complaint shall be taken into consideration by the grievance officer within twenty four hours and resolve it within fifteen days from its receipt.

  • Additional Due Diligence for the various Social Media Intermediaries:

Compliance Report: got to publish a monthly compliance report mentioning the small print of complaints received and action taken on the complaints also as details of contents removed proactively.

  • Enabling Identity of the Originator:

Required for the of prevention, detection, investigation, prosecution or punishment of an offence associated with the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order,

Or of instigation of an offence related to above concerned matter or in relation with rape, sexually explicit material or child sexual assault material punishable with imprisonment for a term of not but five years.


Conclusion and Suggestions

Intermediary liability subject to the provisions of Section 79 of IT Act ,is based on the famous legal Principle of vicarious liability, which means that the service providers shall be held accountable for any such act of the user on their platform which will be illegal or against their policies. However, the social intermediaries are expected to demonstrate “due diligence”.


IT Minister Ravi Shankar Prasad’s expressed his views that the new guidelines require social intermediaries platforms to trace offending messages to the “first originator”, and that “it will only be in relation to offences where the punishment is for more than five years, such as security, sovereignty of India, rape, etc.


Referring to the ambit of Right to Privacy in Puttaswamy case and the Traceability laws; N.S. Nappinai, Supreme Court lawyer and cyber law expert opined that the rules don’t necessarily infringe on the Right to Privacy laid by the Supreme Court’s Judgment in Puttaswamy Case 2017. “The word ‘traceability’ by itself raises concerns of privacy but all fundamental rights are circumscribed by the reasonable restrictions, “Even the Puttaswamy judgement of Apex Court recognises that reasonable restrictions are permissible, as long as traceability is not asking for all things or for the metadata to be continuously streamed to authorities.”


Today, the public is looking after the content which reveals the truth of the society, brings out social-political issues, deals with regional varieties and most importantly doesn’t hurt the sentiments of people.


According to experts, in Indian sub-continent a creative freedom is provided to content creators and many opportunities are made available for the OTT platforms.


Two views have arisen as some take it as regulation while the others as a censorship measure in the virtual world. The utmost need as per the present scenario is an unbiased regulation alongwith the new rules to be set up in that direction. The Law and Technology should not act as two intersecting lines, instead a balance is to be made according to the changing needs of the society for the betterment of the nation as a whole. We, the people of India are duty bound to adhere to our fundamental law of land i.e our Constitution of India and contribute in the fair justice delivery system.


References

  1. https://www.livelaw.in/news-updates/government-of-india-writes-to-social-media-platforms-asking-them-about-compliance-with-it-rules-2021-174739

  2. https://www.barandbench.com/columns/the-information-technology-rules-2021-an-assault-on-privacy-as-we-know-it

  3. https://prsindia.org/billtrack/the-information-technology-intermediary-guidelines-and-digital-media-ethics-code-rules-2021

  4. https://thewire.in/tech/explainer-how-the-new-it-rules-take-away-our-digital-rights

  5. https://pib.gov.in/PressReleseDetailm.aspx?PRID=1700749

  6. https://globalfreedomofexpression.columbia.edu/cases/puttaswamy-v-india/

  7. https://lawtrend.in/whatsapp-challenges-the-new-it-rules-2021-pleads-privacy-violation