Proposed Intermediary Liability Rules threat to privacy and free speech, global coalition tells MeitY

The blog post by Zaheer Merchant was published by Medianama on March 18, 2019.

A global coalition of 31 civil society organizations and technology experts has called on MeitY to reconsider the proposed amendments to the Intermediary Liability Rules, terming them a threat to privacy and free speech. In a letter to the ministry dated March 15, the coalition said that the proposed amendments “would harm fundamental rights and the space for a free internet, without necessarily addressing the problems that the ministry aims to resolve.” Some of the signatories are Centre for Internet and Society, SFLC.in, Internet Freedom Foundation, Government Accountability Project and Human Rights Watch, among others (A copy of the letter is attached at the bottom). The letter breaks down its reasons for opposing the proposed amendments:

1. Traceability would undermine security, lead to surveillance

Under the proposed guidelines, intermediaries would have to ensure ‘traceability’ of messages by providing information related to its originator and receivers. This, the letter argues, would force intermediaries to undermine the security of of their platforms and create a surveillance regime. “Undermining security features to ensure traceability would affect all users of that platform, not just those that are the subjects of the information request,” the letter reads. “… such wide and ambiguous powers… on interception of communications would directly harm the fundamental right to privacy of Indians and facilitate unchecked surveillance.”

2. Data retention antithetical to privacy, must go

The letter also states that the data retention mandate included in the draft guidelines is antithetical to privacy. The guidelines state that intermediaries must preserve content requested by law enforcement for 180 days or longer. This open-ended data retention, the letter argues, contradicts the principle of ‘Storage Limitation’ recommended by the Srikrishna Committee. “Provisions regarding storage limitation and data retention must not be included within the fold of the Intermediary Guidelines, and should be subject to parliamentary law-making,” the letter reads.

3. Proactive monitoring contradicts SC’s Shreya Singhal judgment, would result in censorship

The letter also criticizes the requirement that intermediaries proactively monitor and automatically delete ‘unlawful content’. “[This] would directly conflict with the legal standard laid down by the Supreme Court of India in the Shreya Singhal judgment, which holds that intermediaries should only be legally compelled to take down content on the basis of court orders or legally empowered government agencies,” the letter reads. It could also cause intermediaries to err in favor of takedowns, resulting in unnecessary censorship.

“With the upcoming General Elections in India and the imposition of the Model Code of Conduct on new policy decisions in place, we urge the government to not push through these amended regulations given their impact on fundamental rights and secure communications,” the letter concludes.

The proposed amendments to Intermediary Liability Rules

Released at the end of December 2018, the proposed amendments to the Intermediary Guidelines would modify guidelines under the Information Technology Act concerning intermediaries, ostensibly to prevent misuse of social media platforms and check the spread of fake news. Under India’s Information Technology Act, any entity, person or platform that receives, stores, processes, or transmits electronic information on behalf of another is considered an intermediary. These include social media platforms, cloud services, internet service providers, email service providers and more. For an intermediary to avoid liability for its users’ actions, it must comply with the proposed guidelines which are being amended to the following:

• Traceability, and information within 72 hours: The new rules require platforms to introduce traceability to find where a piece of information originated. For this, platforms may have to break end-to-end encryption. The rules require the intermediary to hand over information or assistance to government bodies in 72 hours, including in matters of security or cybersecurity, and for investigative purposes. [Rule 3(5)]
• Platforms with more than 50 lakh users are required to be registered under the Companies Act, have a physical address in the country, have a nodal officer who will cooperate with law enforcement agencies, etc. [Rule 3(7)]
• Platforms have to pull down unlawful content within a shorter duration of 24 hours from the earlier 36 hours. They also have to keep records of the “unlawful activity” for 180 days – double the period of 90 days in the 2011 rules – as required by the court or government agencies [Rule 3(8)]
• Platforms have to deploy tools to proactively identify, remove and disable public access to unlawful information or content. [Rule 3(9)]
• The new rules insert a monthly requirement on platforms to inform users of the platforms’ right to terminate usage rights and to remove non-compliant information at their own discretion. [Rule 3(4)]