Stress on traceability of encrypted content, harsh content take down timelines and automated content filtering are disproportionate to the intention behind these changes, according to policy experts
The rules also perpetuate a data heavy model that could also increase location tracking, experts added
NEW DELHI: The newly formed intermediary guidelines for India’s IT Act may affect users’ right to freedom of expression and privacy, according to said experts.
“In their current form, these rules will undeniably harm freedom of expression, privacy and security and could be subject to legal challenges. Provisions like traceability of encrypted content, harsh content take down timelines and automated content filtering are blunt and disproportionate to the intention behind these changes," said Udbhav Tiwari, Public Policy Advisor at Mozilla Corporation. “Given the many new provisions, these rules should be withdrawn and be accompanied by wide ranging and participatory consultations with all relevant stakeholders prior to notification," he added.
The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, require intermediaries, including platforms like Twitter, Facebook, WhatsApp, Telegram, etc, to trace tweets, posts and texts back to their source. Experts said that while this may be easy to comply with for Facebook and Twitter, any platform that employs end-to-end encryption for messaging will have trouble. Facebook’s Messenger and WhatsApp, Telegram and Signal may have to change how they deal with texts.
To be clear, the rules don’t necessarily infringe on the right to privacy laid by the Supreme Court’s Puttaswamy Judgement in 2017. “The word ‘traceability’ by itself raises concerns of privacy but all fundamental rights are circumscribed by reasonable restrictions," said N.S. Nappinai, Supreme Court lawyer and cyber law expert. “Even the Puttaswamy judgement recognises that reasonable restrictions are permissible, as long as traceability is not asking for all things or for the metadata to be continuously streamed to authorities," she said.
IT minister Ravi Shankar Prasad had said that the new guidelines require platforms to trace offending messages to the “first originator", and that “it will only be in relation to issues where the punishment is for more than five years, such as security, sovereignty of India, rape, etc." Even so, Apar Gupta, executive director of the Internet Freedom Foundation, said the new rules come with a lot of “vagueness" regarding location and territoriality. “Quite often platforms don’t gather geographical information by itself. All of this means platforms will have to gather more information, including location data," he said.
According to Gurshabad Grover, senior policy officer at the Center for Internet Society (CIS), data minimisation (reducing collection of data) is a core principle of data protection, but the new rules contradict that. He said traceability of first originator will require private messaging apps to retain more data on users’ texts, which includes metadata about messages, that is currently deleted by many platforms. Signal, for instance, retains nearly no data about users and the texts they send. “Now they will be forced to start retaining to comply with the new demand," Grover added.
The government will have to put in place a mechanism that allows law enforcement requirements to be evaluated on the “anvil of reasonable restrictions", said Nappinai. “Reasoned requests in writing. Evaluation and permission mechanism from an independent body. Even under emergency provisions, there should be checks and balances to ensure they are not misused," she added.
“The new rules will put companies offering end to end encryption in a bit of a pickle," Grover said.