Draft IT rules will have a serious impact on the privacy of citizens
Last month in an affidavit before the Supreme Court, the Ministry of Electronics and Information Technology indicated that it will notify the Information Technology [Intermediaries Guidelines (Amendment) Rules], 2018 (“Draft Rules”) in January 2020. These Draft Rules seek to amend the existing Intermediary Guidelines, which govern the flow of information across the internet.
One of the most controversial aspects of the Draft Rules is the requirement under Rule 3(5) for every intermediary to enable tracing of originators of information on its platform. The purport of the rule is unclear, on whether it prohibits end-to-end encryption entirely or requires the mandatory creation of a backdoor. This issue of traceability and decryption is at the heart of the challenge between Facebook, WhatsApp and the government in the Supreme Court, and will be heard in January 2020, after the draft rules will likely be notified. However, to the extent that Rule 3(5) may require weakening encryption by creating backdoors or key escrow systems, it would seriously undermine the privacy and security of all users. Inbuilt vulnerabilities, which are intended to provide access to law enforcement agencies, can easily be exploited by criminals and hackers as well. There is also the issue of (mis)use of these powers by government agencies, who are empowered to invade the privacy of citizens, without any accompanying accountability.
Rule 3(5) also represents an attempt by the government to subvert the statutory mechanism of interception, monitoring, and decryption under Section 69 of the Information Technology Act, and replace it with a surveillance regime. Traceability and decryption, and the underlying concerns of privacy and security, are complex issues, that require legislative debate and proper consideration. They should not be brought in through the backdoor of the draft rules.
Rule 3(9) of the draft rules mandates intermediaries to deploy “technology-based automated tools or appropriate mechanisms”, with appropriate controls to “proactively” identify and remove or disable public access to “unlawful information or content”. These terms have not been defined, leaving it to the discretion of the intermediaries to decide for themselves what constitutes “unlawful information or content’” and what are the “appropriate” controls that can be used by them. This determination is an usurpation of judicial function, requiring the intermediaries to have a thorough knowledge of the law by intermediaries. This is clearly against the judgment of the Supreme Court in Shreya Singhal (2015), which recognized that unaccountable intermediaries cannot be put in a position to judge the legitimacy or lawfulness of content. Moreover, the focus on ‘proactive’ action will only lead to excessive self-censorship by the intermediaries and result in the take down of protected and innocent speech, resulting in a total chilling effect. Another issue with the draft rules can be found in Rule 3(8) and its stipulation that intermediaries shall preserve information about “unlawful acts relatable to Article 19(2)” for at least 180 days for investigation purposes or “for such longer period as may be required by the court or by government agencies who are lawfully authorized”. Such an open-ended data retention provision has been held to be disproportionate and unconstitutional by the Supreme Court in the Aadhaar judgment (2018).
The draft rules have a serious impact on the privacy and free speech of citizens of India. There are reports that the government may be considering some amendments to these guidelines in light of the concerns raised by civil society. One can only hope that these concerns are addressed when the guidelines are finally notified.
Vrinda Bhandari is an advocate at the Supreme court