Should Facebook be liable for the content you post? Should Apple build a backdoor to allow access to iPhones? Should the government know who you are texting and should it have access to your messages? On 15 January 2020, the amendments to India’s IT Rules will answer these questions by finalising the intermediary guidelines.
That is also one of the reasons why over the course of 2019, we have talked about whether the government of India should be allowed to break end-to-end encryption. Of course, the topic gained traction after the November Pegasus WhatsApp hack reports. And the Narendra Modi government said the law allows it to intercept and monitor digital content in public interest.
The problem with this whole encryption debate is that it takes up a disproportionate amount of mind space. Don’t get me wrong; encryption is a vitally important issue. However, it is not the only issue that will be covered by the IT amendments.
The January amendments will also decide on these crucial issues.
Also, we will use the words intermediary and platform interchangeably. But for context, a platform is an online service like Facebook or Twitter, while intermediary includes platforms, the servers they are hosted on, and even the cybercafé you might access the platform through.
How many users before a company needs an office in India?
According to the proposed amendments, any intermediary with over 50 lakh users will need to:
- Have a permanent registered office in India
- Appoint a nodal point of contact for the government
- Be included in the Companies Act
This may read fine at first glance. But take another look. Users as a term is vague. Monthly active users? Daily active users? Registered users? You might have an account on Pocket, but never end up using it. Does that mean Pocket now needs to have an office in India and appoint a person in charge of talking to the government on the off chance that 50 lakh people one day decide to use the app?
The other thing here is how does government keep track of the number of intermediaries who have included a nodal point of contact? Apps do not notify the government before they are made available to the people. Instead, they show up on the App Store/Play Store, ready to be used. And how would the government even know when an intermediary has crossed 50 lakh users? Should all intermediary make their user stats public or release a notification when they meet the threshold?
Clearly, these guidelines were drafted just keeping in mind Facebook and WhatsApp. However, they will have anticipated but unintended consequences as far as smaller firms are concerned.
What content belongs on the internet?
The intermediary guidelines also talk at length about content takedowns and what should and should not be allowed to remain on the internet. You could say that the Modi government has written itself a blank cheque in being able to dictate this. Here are just some of the grounds on which companies may be asked to remove content:
- In violation of decency and morality
- Public order
- Impacts the sovereignty and integrity of India
- Security of state
- Friendly relations with the foreign states
- In relation to contempt of court
- Defamation or incitement to offence
A lot of these make sense. We as a society have consensus that child porn, hate crimes, and videos against animal cruelty do not belong on the internet. The government also has every right to argue that content which impacts its security and relations with other states should be taken down. But look at some of the other grounds. Who decides what content is defamatory or blasphemous? For instance, comedy at the expense of someone or something can end up disparaging the subject. Does that mean comedy does not belong on the internet? You could argue a similar case for memes, documentaries and blogs. Based on these grounds, anything that the government of the day doesn’t like can be taken down.
Should we have a best-efforts approach to aiding law enforcement?
Remember the anticipated but unintended consequences? Well, not all intermediaries have the same access to user data. A cloud service provider does not have the same power as a multi-million user platform. So, when law enforcement goes asking for information, they also take into account the asymmetries that exist within the ecosystem.
A best-efforts approach will make sure that requests do not make cloud service providers or even cybercafés liable for sharing data they don’t have access to. Because, if at the end of the day, a request is not technically feasible, all it does is ensure that the matter will be taken to court to place undue stress on the intermediary.
As for whether or not the government should break encryption, I’d strongly recommend against it. Internet shutdowns are bad enough. Imagine if we lived in a world where the government could learn about who you text and what you may be talking about. Recently, American WeChat users were banned for celebrating the Hong Kong election results. Similar instances could end up happening in India and at scale, that could end up being a threat to democracy unlike any we have seen before. To that end, watch out for the guidelines on 15 January, they could set the tone for the rest of the year.
Rohan Seth is Policy Analyst with the Technology and Policy Programme of The Takshashila Institution. Views are personal.