The government has confirmed that it is in the process of formulating new guidelines for intermediaries including social media companies, which mandates the use of technology-based automated tools to identify, remove and trace the origin of unlawful content.
A senior official in Ministry of Electronics and Information Technology (MeitY) on condition of anonymity told Mint that the work is in progress on making changes to the IT rules that will make it mandatory for social media and internet companies to provide traceability of those posting information on their platforms. The official further said that the Supreme Court has been informed of the same.
Responding to a question raised in Rajya Sabha on whether the government is preparing laws to regulate social media and how they are planning to do it, Minister of State for Electronics and IT Sanjay Dhotre told Rajya said on Thursday that the social media companies have to follow certain due diligence as prescribed in the Information Technology (Intermediaries Guidelines) Rules, 2011 notified under section 79 of the IT Act.
Dhotre added that MeitY has proposed to amend the said rules. Some of the key attributes of the proposal include removal of malicious content within 24 hours of receiving a court order, introducing traceability of the originator of the information and deployment of technology-based automated tools for proactively identifying and disabling public access to unlawful information.
The recent privacy concerns involving WhatsApp has strengthened call for making social media companies more accountable. The Facebook-owned messaging service was in the crosshair with the Indian government in October for the spyware attack that was first reported in May and confirmed by the company in October as the handiwork of an Israeli software company NSO Group that makes spyware for government agencies. While WhatsApp took NSO to court in San Francisco, it didn't save them the ire of the Indian government.
Electronics and Information Technology minister Ravi Shankar Prasad express his concern over the breach of privacy and the targeting of Indian citizens.
Speaking on the content take down clause, Ashish Aggarwal, Senior Director and Head - Public Policy, NASSCOM, points out the industry is committed to removing content based on court orders, adding, “In many cases, it does not even require a 24-hour time period. The challenge arises when the request does not come through with complete details or where the authenticity of the person sending the request needs to be established."
Aggarwal feels an IT-based administrative mechanism should be able to address this to a large extent. The guidelines do need to recognise that despite best efforts there could be situations where the time provided may not be sufficient and therefore it should provide for such exceptions.
The traceability clause has emerged as a major bone of contention between the government and privacy advocates worldover. In October, more than 100 civil society organisations including Electronic Frontier Foundation, Digital Rights Watch and Access Now requested Facebook chief executive officer Mark Zuckerberg to not yield to demands by governments of the US, the UK and Australia to provide them backdoor access to all encrypted messages sent on all its platforms.
The Indian government has tried to assuage such fears by reiterating that the traceability clause will be used to trace the origin of messages linked to unlawful activities and doesn't want any of the social media companies to break or lower encryption standards.
However, privacy advocates don’t seem convinced and have been demanding stronger legal frameworks to ensure such powers are used for bonafide reasons only and are not misused to target dissenters.
Early this year, human rights organisation Amnesty International had slammed the government for enforcing traceability on social media companies warning that forcing companies to weaken encryption will affect all users’ online privacy.
Aggarwal opines that requirement of traceability should be on a best effort basis. It should not force the intermediaries to change their encryption policies as that would lead to far greater harm by compromising privacy and security. It is important for the industry and the government to work together, he says.
"Traceability of originator would have to be considered along with lens of users privacy. This might also require technical architectural changes to be carried out by social media platforms. However, there needs to be a fine balance maintained in terms of monitoring for national security and with privacy of citizens," says Vidur Gupta, Partner Advisory Services, Ernst&Young.
One way of enforcing traceability is by building a backdoor, a deliberate weakness in encryption that would allow either the owner of the platform or the government to access data. A commonly used method for building backdoor is the key escrow system, where the government creates and distributes encryption keys to tech companies while retaining the decryption (master) keys in escrow so they can unlock anyone’s personal communication.
Building backdoor can also weaken the security of the social media platform opening it to serious cybersecurity risks. Oded Vanunu, head of products vulnerability research at Check Point warns, “Backdoor can open doors to attacks as cybercrime has reached very high level of sophistication. Cybercriminals have the budgets and knowledge to reverse engineer technologies like nations."