Centre for Internet and Society

Department of Telecommunications Order u/s. 69A IT Act Blocking 32 URLS (2014-12-17, compressed version)

pranesh — 2014-12-31T14:48:24Z

On December 17, 2014, the Dept. of Telecommunications blocked 32 URLs (as it was ordered to do so by the by Dept. of Electronics & IT — specifically the Designated Officer under section 69A of the Information Technology Act, 2000 and under the Information Technology (Procedures and Safeguards for Blocking of Access of Information by Public) Rules, 2009), those being: 01) https://justpaste.it/ 02) http://hastebin.com 03) http://codepad.org 04) http://pastie.org 05) https://pasteeorg 06) http://paste2.org 07) http://slexy.org 08) http://paste4btc.com/ 09) http://0bin.net 10) http://www.heypasteit.com 11) http://sourceforge.net/projects/phorkie 12) http://atnsoft.com/textpaster 13) https://archive.org 14) http://www.hpage.com 15) http://www.ipage.com/ 16) http://www.webs.com/ 17) http://www.weebly.com/ 18) http://www.000webhost.com/ 19) https://www.freehosting.com 20) https://vimeo.com/ 21) http://www.dailymotion.com/ 22) http://pastebin.com 23) https://gist.github.com 24) http://www.ipaste.eu 25) https://thesnippetapp.com 26) https://snipt.net 27) http://tny.ct (Tinypaste) 28) https://github.com (gist-it) 29) http://snipplr.com/ 30) http://termbin.com 31) http://www.snippetsource.net 32) https://cryptbin.com

For more details visit https://cis-india.org/internet-governance/resources/2014-12-17_DoT-32-URL-Block-Order_compressed.pdf

Department of Telecommunications Order u/s. 69A IT Act Blocking 32 URLS

pranesh — 2014-12-31T14:36:01Z

For more details visit https://cis-india.org/internet-governance/resources/2014-12-17_DoT-32-URL-Block-Order.pdf

Debate on Section 66A rages on

praskrishna — 2012-12-10T09:44:31Z

Last week, a reputed BPO in Chennai took down its Facebook page and introduced stricter moderation for posts on its bulletin board.

Vasudha Venugopal's article was published in the Hindu on December 10, 2012. Pranesh Prakash is quoted.

The measure, an official said, was aimed at avoiding any "callous remark by any employee." "We have discussions on many raging topics here, and we are just making sure the content is clean with no intended defamation."

The need to present only ‘unobjectionable content’ is just one off-shoot of a controversy that has gripped the country after at least five persons were arrested in recent months for posting their views online. But what started as an outcry by a few voices against the IT Act has now turned into a campaign against the constitutional validity of the Act itself. Last week also saw concerted protests to demand the repeal of Section 66A of the IT Act, under which most of the accused were booked. Human chains and protests were conducted in Chennai, Bangalore, Pune, Hyderabad, Guntur, Kakinada, Vijaywada, Visakhapatnam, Pune, Kozhikode and Kannur, among others.

In the past few months, the debate on the use of Section 66A in particular, and the Act in general, has gathered momentum. The arrests of Jadavpur University professor Ambikesh Mahapatra for circulating a cartoon lampooning West Bengal Chief Minister Mamata Banerjee; cartoonist Aseem Trivedi; businessman Ravi Srinivasan for tweets against Union Finance Minister P. Chidambaram’s son Karti Chidambaram; and the two girls in Maharashtra for criticising the bandh after Shiv Sena leader Bal Thackeray’s death have sparked popular anger.

“Public anger and media attention have been so strong that the government has been forced to retreat, which is a good first step,” says Alagunambi Welkin, president of the Free Software Foundation Tamil Nadu, which organised the protests in Chennai. "The next step would be to plug the loopholes in the IT Act. After all, this same government has declared in various international forums that it is all for promoting openness online."

Activists say that along with the increased pressure on the government, collecting information on cases of the misuse of the Act are the tasks that have to be fulfilled immediately. Human rights activist A. Marx, who has filed a public interest litigation petition against Section 66A, says the selective application of the law is very troubling. From a broader perspective though, this is also an issue of global proportions. Recently, a man in the U.K. was jailed for 18 months after he was found guilty of posting abusive messages on an online memorial. In July this year, a young Moroccan was arrested in Casablanca on the charge of posting “insulting caricatures of the Prophet Mohammed on Facebook.”

As recently as Tuesday, a Shenzen resident was arrested for posting a letter online, accusing a senior village official of corruption, and last week, a man in Kent was arrested for posting an image of a burning poppy on a social network site.

However, Pranesh Prakash, policy director, Centre For Internet And Society, Bangalore, notes that the more problematic parts in India’s laws are ones that result from adaptation. India’s own adaptation of the U.K. law, for instance, considerably increases punishment from six months to three years. However, if it is any consolation, there are voices worldwide being raised on this issue. Till last week, Google’s search page had a message: "Love the free and open Internet? Tell the world’s governments to keep it that way," and a link for comments directed to the Dubai conference, which will see a wide-ranging discussions and key decisions on global internet governance.

For more details visit https://cis-india.org/news/the-hindu-sci-tech-internet-december-10-2012-vasudha-venugopal-debate-on-section-66a

Cybercrime and Privacy

praskrishna — 2010-09-14T13:21:20Z

Elonnai Hickok examines privacy in the context of India’s legal provisions on cybercrime. She picks up the relevant provisions of the Information Technology Act as amended in 2008 dealing with cyber crimes and provides a fair analysis of the pros and cons of the amended Act.

What is Cybercrime?

Looking at the recent Facebook ‘break in’ where 100,000 of users’ information was downloaded and made accessible through a simple search engine, , and the new Microsoft virus that attacked 10,000 machines, it is clear that cybercrime is no longer an issue to be taken lightly. Cybercrime is defined as an unlawful act committed using a computer either as a tool or as a target (or both) for facilitating a crime. Although there is an overlap, some are more likely to use the computer as a tool, and others use it as a target. Examples of the former include: fraud, forgery, DOS, consumption of limited resources, cyberterrorism, IPR violations, software piracy, copyright infringement, trademarks violations, patent violations, cyber squatting, credit card frauds, forgery, EFT frauds, pornography, banking/credit card related crimes, sale or purchase of illegal articles, cyberstalking, phishing, theft, and breaches in privacy, and gambling. Crimes where the computer is made a target include: computer theft, physical destruction or alteration of network components, theft of computer source code, hacking, defacing websites, creation of viruses, destruction or alteration of configuration information and email spamming.

What is India's current legislation on cybercrime?

The Information Technology Act 2000 (amended in 2008)

The Information Technology Act was first drawn up in 2000, and has been revised most recently 2008. The Information Technology (Amendment) Bill, 2008 amended sections 43 (data protection), 66 (hacking), 67 (protection against unauthorised access to data), 69 (cyberterrorism), and 72 (privacy and confidentiality) of the Information Technology Act, 2000, which relate to computer/cybercrimes.

Section 43 [Penalty and Compensation for damage to computer, computer system, etc.] amended vide Information Technology Amendment Act 2008 reads as under:

If any person without permission of the owner or any other person who is in-charge of a computer, computer system or computer network:

accesses or secures access to such computer, computer system or computer network or computer resource (ITAA2008)
downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;
introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;
disrupts or causes disruption of any computer, computer system or computer network;
denies or causes the denial of access to any person authorized to access any computer, computer system or computer network by any means;
provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made there under;
charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network;
destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means (Inserted vide ITAA-2008); and
Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage, (Inserted vide ITAA 2008) he shall be liable to pay damages by way of compensation to the person so affected. (change vide ITAA 2008)

Critique: In comparison to the laws enacted in other countries, this provision still falls short of a strong data protection law. In most other countries data protection laws specify:

the definition and classification of data types;
the nature and protection of the categories of data;
that equal protection will be given to data stored offline and data stored manually;
that data controllers and data processors have distinct roles;
clear restrictions on the manner of data collection;
clear guidelines on the purposes for which the data can be put and to whom it can be sent;
standards and technical measures governing the collection, storage, access to, protection, retention, and destruction of data;
that providers of goods or services must have a clear opt - in or opt - out option; and
in addition, most countries provide strong safeguards and penalties against breaches of any of the above

Section 66 [Computer Related Offences] amended vide Information Technology Amendment Act 2008 reads as under:

If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to five lakh rupees or with both.

Explanation: For the purpose of this section,-

the word "dishonestly" shall have the meaning assigned to it in section 24 of the Indian Penal Code;
the word "fraudulently" shall have the meaning assigned to it in section 25 of the Indian Penal Code.

[Section 66 A] [Punishment for sending offensive messages through communication service, etc.]

(Introduced vide ITAA 2008):

Any person who sends, by means of a computer resource or a communication device,-

any information that is grossly offensive or has menacing character; or
any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently makes by making use of such computer resource or a communication device;
any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages (Inserted vide ITAA 2008) shall be punishable with imprisonment for a term which may extend to three years and with fine.

Explanation: For the purposes of this section, terms "Electronic mail" and "Electronic Mail Message" means a message or information created or transmitted or received on a computer, computer system, computer resource or communication device including attachments in text, image, audio, video and any other electronic record, which may be transmitted with the message.

[Section 66 B] [Punishment for dishonestly receiving stolen computer resource or communication device] (Inserted Vide ITA 2008):
Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen computer resource or communication device, shall be punished with imprisonment of either description for a term which may extend to three years or with fine which may extend to rupees one lakh or with both.

[Section 66C] [Punishment for identity theft] (Inserted Vide ITA 2008):

Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.

[Section 66D] [Punishment for cheating by personation by using computer resource] (Inserted Vide ITA 2008):
Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.

[Section 66E] [Punishment for violation of privacy] (Inserted Vide ITA 2008):
Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both

Explanation - For the purposes of this section--

“transmit” means to electronically send a visual image with the intent that it be viewed by a person or persons;
“capture”, with respect to an image, means to videotape, photograph, film or record by any means;
“private area” means the naked or undergarment clad genitals, pubic area, buttocks or female breast;
“publishes” means reproduction in the printed or electronic form and making it available for public;
“under circumstances violating privacy” means circumstances in which a person can have a reasonable expectation that:

he or she could disrobe in privacy, without being concerned that an image of his private area was being captured; or
any part of his or her private area would not be visible to the public, regardless of whether that person is in a public or private place.

[Section 66F] [Punishment for cyber terrorism]:
(1) Whoever,-

(A) with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people by –

denying or cause the denial of access to any person authorized to access computer resource; or
attempting to penetrate or access a computer resource without authorisation or exceeding authorized access; or
introducing or causing to introduce any Computer Contaminant and by means of such conduct causes or is likely to cause death or injuries to persons or damage to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or adversely affect the critical information infrastructure specified under section 70, or

(B) knowingly or intentionally penetrates or accesses a computer resource without authorization or exceeding authorized access, and by means of such conduct obtains access to information, data or computer database that is restricted for reasons of the security of the State or foreign relations; or any restricted information, data or computer database, with reasons to believe that such information, data or computer database so obtained may be used to cause or likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise, commits the offence of cyber terrorism.

(2) Whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life’.

Critique: We find the terminology in multiple sections too vague to ensure consistent and fair enforcement. The concepts of ‘annoyance’ and ‘insult’ are subjective. Clause (d) makes it clear that phishing requests are not permitted, but it is not clear that one cannot ask for information on a class of individuals.

Section 67 [Publishing of information which is obscene in electronic form] amended vide Information Technology Amendment Act 2008 reads as under:

Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to two three years and with fine which may extend to five lakh rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to five years and also with fine which may extend to ten lakh rupees.

[Section 67 A] [Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form] (Inserted vide ITAA 2008):
Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees.

Exception: This section and section 67 does not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form-

the publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper, writing, drawing, painting, representation or figure is in the interest of science, literature, art, or learning or other objects of general concern; or
which is kept or used bona fide for religious purposes.

[Section 67 B] Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc. in electronic form:

Whoever,-

(a) publishes or transmits or causes to be published or transmitted material in any electronic

form which depicts children engaged in sexually explicit act or conduct or

(b) creates text or digital images, collects, seeks, browses, downloads, advertises,

promotes, exchanges or distributes material in any electronic form depicting children in

obscene or indecent or sexually explicit manner or

and on sexually explicit act or in a manner that may offend a reasonable adult on the computer resource or

(d) facilitates abusing children online or

(e) records in any electronic form own abuse or that of others pertaining to sexually explicit act with children, shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with a fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees:

Provided that the provisions of section 67, section 67A and this section does not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form-

(i) The publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper writing, drawing, painting, representation or figure is in the interest of science, literature, art or learning or other objects of general concern; or

(ii) which is kept or used for bonafide heritage or religious purposes

Explanation: For the purposes of this section, "children" means a person who has not completed the age of 18 years.

[Section 67 C] [Preservation and Retention of information by intermediaries]:

(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.

Critique: This provision adequately protects both the corporate and the citizen in a positive way.

Section 69 [Powers to issue directions for interception or monitoring or decryption of any information through any computer resource] amended vide Information Technology Amendment Act 2008 reads as under:

(1) Where the central Government or a State Government or any of its officer specially authorized by the Central Government or the State Government, as the case may be, in this behalf may, if is satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may, subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be

intercepted or monitored or decrypted any information transmitted received or stored through any computer resource.

(2) The Procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed.

(3) The subscriber or intermediary or any person in charge of the computer resource shall, when called upon by any agency which has been directed under sub section (1), extend all facilities and technical assistance to –

(a) provide access to or secure access to the computer resource generating, transmitting, receiving or storing such information; or

(b) intercept or monitor or decrypt the information, as the case may be; or

(4) The subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with an imprisonment for a term which may extend to seven years and shall also be liable to fine.

[ Section 69B] Power to authorize to monitor and collect traffic data or information through any computer resource for Cyber Security:

(1) The Central Government may, to enhance Cyber Security and for identification, analysis and prevention of any intrusion or spread of computer contaminant in the country, by notification in the official Gazette, authorize any agency of the Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource.

(2) The Intermediary or any person in-charge of the Computer resource shall when called upon by the agency which has been authorized under sub-section (1), provide technical assistance and extend all facilities to such agency to enable online access or to secure and provide online access to the computer resource generating, transmitting, receiving or storing such traffic data or information.

(3) The procedure and safeguards for monitoring and collecting traffic data or information, shall be such as may be prescribed.

(4) Any intermediary who intentionally or knowingly contravenes the provisions of subsection

(2) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.

Explanation: For the purposes of this section,

(i) "Computer Contaminant" shall have the meaning assigned to it in section 43

(ii) "traffic data" means any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is or may be transmitted and includes communications origin, destination, route, time, date, size, duration or type of underlying service or any other information.

Critique: Though we recognize how important it is for a government to protect its citizens against cyberterrorism, we are concerned at the friction between these provisions and the guarantees of free dialog, debate, and free speech that are Fundamental Rights under the Constitution of India.

Specifically:

a) there is no clear provision of a link between an intermediary and the information or resource that is to be monitored.

c)the penalties laid out in the clause are believed to be too harsh, and when read in conjunction with provision 66, there is no distinction between minor offenses and serious offenses.

e) the ITA is too broad in its categorization of acts of cyberterrorism by including information that is likely to cause: injury to decency, injury to morality, injury in relation to contempt of court, and injury in relation to defamation.

Section 72 [Breach of confidentiality and privacy] amended vide Information Technology Amendment Act 2008 reads as under:

Save as otherwise provided in this Act or any other law for the time being in force, any person who, in pursuant of any of the powers conferred under this Act, rules or regulations made there under, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

[Section 72 A] Punishment for Disclosure of information in breach of lawful contract (Inserted vide ITAA-2008):

Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both.

General Notes and Critiques:

As general notes on the ITA and data protection we find that the Act is lacking in many ways, including:

there is no definition of “sensitive personal data or information” and that term is used indiscriminately without.
the provisions and protections cover only electronic data and not stored data or non-electronic systems of media
in the absence of a data controller, liability is often imposed on persons who are not necessarily in a position to control data
civil liability for data breach arises where negligence is involved
criminal liability only applies to cases of information obtained in the context of a service contract.

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-ita2008

Computer Related Offences

pranesh — 2013-06-07T10:47:36Z

If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both.

Explanation
For the purposes of this section,

the word “dishonestly” shall have the meaning assigned to it in section 24 of the Indian Penal Code;
the word “fraudulently” shall have the meaning assigned to it in section 25 of the Indian Penal Code.

For more details visit https://cis-india.org/internet-governance/resources/section-66-it-act.txt

Comments to the proposed amendments to The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021

Divyansha Sehgal and Torsha Sarkar — 2023-02-07T15:21:47Z

This note presents comments by the Centre for Internet and Society (CIS), India, on the proposed amendments to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“proposed amendments”). We thank Isha Suri for her review of this submission.

Preliminary

In these comments, we examine the constitutional validity of the proposed amendments, as well as whether the language of the amendments provide sufficient clarity for its intended recipients. This commentary is in-line with CIS’ previous engagement with other iterations of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.

General Comments

Ultra vires the parent act

Section 79(1) of the Information Technology (IT) Act states that the intermediary will not be held liable for any third-party information if the intermediary complies with the conditions laid out in Section 79(2). One of these conditions is that the intermediary observe “due diligence while discharging his duties under this Act and also observe such other guidelines as the Central Government may prescribe in this behalf.” Further, Section 87(2)(zg) empowers the central government to prescribe “guidelines to be observed by the intermediaries under sub-section (2) of section 79.”

A combined reading of Section 79(2) read with Section 89(2)(zg) makes it clear that the power of the Central Government is limited to prescribing guidelines related to the due diligence to be observed by the intermediaries while discharging its duties under the IT Act. However, the proposed amendments extend the original scope of the provisions within the IT Act.

In particular, the IT Act does not prescribe for any classification of intermediaries. Section 2(1) (w) of the Act defines intermediaries as “with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes”. Intermediaries are treated and regarded as a single monolithic entity with the same responsibilities and obligations.

The proposed amendments have now established a new category of intermediaries, namely online gaming intermediary. This classification comes with additional obligations, codified within Rule 4A of the proposed amendments, including enabling the verification of user-identity and setting up grievance redressal mechanisms. The additional obligations placed on online gaming intermediaries find no basis in the IT Act, which does not specify or demarcate between different categories of intermediaries.

The 2021 Rules have been prescribed under Section 87(1) and Section 87(2)(z) and (zg) of the IT Act. These provisions do not empower the Central Government to make any amendment to Section 2(w) or create any classification of intermediaries. As has been held by the Supreme Court in State of Karnataka and Another v. Ganesh Kamath & Ors that: “It is a well settled principle of interpretation of statutes that conferment of rule making power by an Act does not enable the rule making authority to make a rule which travels beyond the scope of the enabling Act or which is inconsistent therewith or repugnant thereto.” In this light, we argue that the proposed amendment cannot go beyond the parent act or prescribe policies in the absence of any law/regulation authorising them to do so.

Recommendation

We recommend that a regulatory intervention seeking to classify intermediaries and prescribe regulations specific to the unique nature of specific intermediaries should happen through an amendment to the parent act. The amendment should prescribe additional responsibilities and obligations of online gaming intermediaries.

A note on the following sections

Since the legality of classifying intermediaries into further categories is under question, our subsequent discussions on the language of the provisions related to online gaming intermediary are recommended to be taken into account for formulating any new legislations relating to these entities.

Specific comments

Fact checking amendment

Amendment to Rule 3(1)(b)(v) states that intermediaries are obligated to ask their users to not host any content that is, inter alia, “identified as fake or false by the fact check unit at the Press Information Bureau of the Ministry of Information and Broadcasting or other agency authorised by the Central Government for fact checking”.

Read together with Rule 3(1)(c), which gives intermediaries the prerogative to terminate user access to their resources on non-compliance with their rules and regulations, Rule 3(1)(b)(v) essentially affirms the intermediary’s right to remove content that the Central government deems to be ‘fake’. However, in the larger context of the intermediary liability framework of India, where intermediaries found to be not complying with the legal framework of section 79 lose their immunity, provisions such as Rule 3(1)(b)(v) compel intermediaries to actively censor content, on the apprehension of legal sanctions.

In this light, we argue that Rule 3(1)(b)(v) is constitutionally invalid, inasmuch that Article 19(2), which prescribes grounds under which the government restrict the right to free speech, does not permit restricting speech on the ground that it is ostensibly “fake or false”. In addition, the net effect of this rule would be that the government would be the ultimate arbiter of what is considered ‘truth’, and every contradictions to this narrative would be deemed to be false. In a democratic system like India’s, this cannot be a tenable position, and would go against a rich jurisprudence of constitutional history on the need for plurality.

For instance, in Indian Express Newspapers v Union of India, the Supreme Court had held that ‘the freedom of the press rests on the assumption that the widest possible dissemination of information from diverse and antagonistic sources is essential to the welfare of the public.’ Applying this interpretation to the present case, it could be said that the government’s monopoly on directing what constitutes “fake or false” in the online space would prevent citizens from accessing dissenting voices and counterpoints to government policies .

This is problematic when one considers that in the Indian context, freedom of speech and expression has always been valued for its instrumental role in ensuring a healthy democracy, and its power to influence public opinion. In the present case, the government, far from facilitating any such condition, is instead actively indulging in guardianship of the public mind (Sarkar et al, 2019).

Other provisions in the IT Act which permit for censorship of content, including section 69A, permit the government to only do so when content is relatable to grounds enumerated in Article 19(2) of the Constitution. In addition, in the case of Shreya Singhal vs Union of India, where, the constitutionality of section 69A was challenged, the Supreme Court upheld the provision because of the legal safeguards inherent in the provision, including offering a hearing to the originator of the impugned content and reasons for censoring content to be recorded in writing.

In contrast, a fact check by the Press Information Bureau or by another authorised agency provides no such safeguards, and does not relate to any constitutionally recognized ground for restricting speech.

Recommendation

The proposed amendment to Rule 3(1)(b)(v) is unconstitutional, and should be removed from the final draft of the law.

Clarifications are needed for online games rules definitions

The definitions of an "online game" and "online gaming intermediary" are currently extremely unclear and require further clarification.

As the proposed amendments stand, online games are characterised by the user's “deposit with the expectation of earning winnings”. Both deposit and winnings can be “cash” or “in kind", which does not adequately draw a boundary on the type of games this amendment seeks to cover. Can the time invested by the player in playing a game be answered under the “in kind” definition of deposit? If the game provides a virtual in-game currency that can be exchanged for internal power ups, even if there are no cash or gift cards used as payout, is that considered to be an “in kind” winnings? The rules, as currently drafted, are vague in their reference towards “in kind” deposits and payouts.

This definition of online games also does not differentiate between single or multiplayer games, and traditional games like chess which have found an audience online such as Candy Crush (single player), Minecraft (multiplayer collaborative) or chess (traditional). It is unclear whether these games were intended to fall within the purview of these amendments to the rules, and if they are all subjected to the same due diligence requirements as pay-to-play games. This, in conjunction with the proposed rule 6A which allows the Ministry to term any other game as an online game for the purposes of the rules, also provides them with broad, unpredictable powers . This ambiguity hinders clear comprehension of the expectations among the target stakeholders, thus affecting the consistency and predictability of the implementation of the rules.

Similarly, "online gaming intermediaries" are also defined very broadly as "intermediary that offers one or more than one online game". As defined, any intermediary that even hosts a link to a game is classified as an online gaming intermediary since the game is now "offered" through the intermediary. As drafted, there does not seem to be a material distinction between an "intermediary" as defined by the act and "online gaming intermediary" as specified by these rules.

Recommendation

We recommend further clarification on the definitions of these terms, especially for “in kind” and “offers” which are currently extremely vague terms that provide overbroad powers to the Ministry.

Intermediaries and Games

"Online gaming intermediaries" are defined very broadly as "intermediary that offers one or more than one online game". Intermediaries are defined in the Act as "any person who on behalf of another person receives, stores or transmits that message or provides any service with respect to that message".

According to the media coverage (Barik, 2023) around these amendments, it seems that there is an effort to classify gaming companies as "online gaming intermediaries" but the language of the drafted amendments do not support this. An “intermediary” status is given to a company due to its functional role in primarily offering third party content. It is not a classification for different types of internet companies that exist and thus must not be used to make rules for entities that do not perform this function.

Not all gaming companies present a collection of games for their users to play. According to the drafted definition multiple platforms where games might be present like, an app stores where multiple game developers can publish their games for access by users, a website that lists links to online games, a social media platform that acts as an intermediary between two users exchanging links to games, as well as websites that host games for users to directly access may all be classified as an "online gaming intermediary" since they "offer" games to users. These are a rather broad range of companies and functions to be singularly classified an "online gaming intermediary".

Recommendation

We recommend a thoroughly researched legislative solution to regulating gaming companies that operate online rather than through amendments to intermediary rules. If some companies are indeed to be classified as “online gaming intermediaries”, there is a need for further reasoning on which type of gaming companies and their functions are intermediary functions for the purposes of these Rules.

Comments can be downloaded here

For more details visit https://cis-india.org/internet-governance/blog/comments-to-proposed-amendments-to-it-intermediary-guidelines-and-digital-media-ethics-code-rules

Comments on the Draft Rules under the Information Technology Act

pranesh — 2011-09-21T06:13:42Z

The Centre for Internet and Society commissioned an advocate, Ananth Padmanabhan, to produce a comment on the Draft Rules that have been published by the government under the Information Technology Act. In his comments, Mr. Padmanabhan highlights the problems with each of the rules and presents specific recommendations on how they can be improved. These comments were sent to the Department of Information and Technology.

Comments on the Draft Rules under the Information Technology Act as Amended by the Information Technology (Amendment) Act, 2008

Submitted by the Centre for Internet and Society, Bangalore

Prepared by Ananth Padmanabhan, Advocate in the Madras High Court

Interception, Monitoring and Decryption

Section 69

The section says:

Where the Central Government or a State Government or any of its officer specially authorised by the Central Government or the State Government, as the case may be, in this behalf may, if satisfied that it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource.
The procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed.
The subscriber or intermediary or any person in-charge of the computer resource shall, when called upon by any agency referred to in sub-section (1), extend all facilities and technical assistance to-

(a) provide access to or secure access to the computer resource generating transmitting, receiving or storing such information; or

(b) intercept, monitor, or decrypt the information, as the case may be; or

The subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with imprisonment for a term which may extend to seven years and shall also be liable to fine.

Recommendation #1
Section 69(3) should be amended and the following proviso be inserted:

Provided that only those intermediaries with respect to any information or computer resource that is sought to be monitored, intercepted or decrypted, shall be subject to the obligations contained in this sub-section, who are, in the opinion of the appropriate authority, prima facie in control of such transmission of the information or computer resource. The nexus between the intermediary and the information or the computer resource that is sought to be intercepted, monitored or decrypted should be clearly indicated in the direction referred to in sub-section (1) of this section.

Reasons for the Recommendation
In the case of any information or computer resource, there may be more than one intermediary who is associated with such information. This is because “intermediary” is defined in section 2(w) of the amended Act as,

“with respect to any electronic record means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record, including telecom service providers, network service providers, internet service providers, webhosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes”.

The State or Central Government should not be given wide-ranging powers to enforce cooperation on the part of any such intermediary without there being a clear nexus between the information that is sought to be decrypted or monitored by the competent authority, and the control that any particular intermediary may have over such information.

To give an illustration, merely because some information may have been posted on an online portal, the computer resources in the office of the portal should not be monitored unless the portal has some concrete control over the nature of information posted in it. This has to be stipulated in the order of the Central or State Government which authorizes interception of the intermediary.

Recommendation #2
Section 69(4) should be repealed.

Reasons for the Recommendation
The closest parallels to Section 69 of the Act are the provisions in the Telegraph Rules which were brought in after the decision in PUCL v. Union of India, (1997) 1 SCC 301, famously known as the telephone tapping case.

Section 69(4) fixes tremendous liability on the intermediary for non-cooperation. This is violative of Article 14. Similar provisions in the Indian Penal Code and Code of Criminal Procedure, which demand cooperation from members of the public as regards production of documents, letters etc., and impose punishment for non-cooperation on their part, impose a maximum punishment of one month. It is bewildering why the punishment is 7 years imprisonment for an intermediary, when the only point of distinction between an intermediary under the IT Act and a member of the public under the IPC and CrPC is the difference in the media which contains the information.

Section 69(3) is akin to the duty cast upon members of the public to extend cooperation under Section 39 of the Code of Criminal Procedure by way of providing information as to commission of any offence, or the duty, when a summons is issued by the Court or the police, to produce documents under Sections 91 and 92 of the Code of Criminal Procedure. The maximum punishment for non-cooperation prescribed by the Indian Penal Code for omission to cooperate or wilful breach of summons is only a month under Sections 175 and 176 of the Indian Penal Code. Even the maximum punishment for furnishing false information to the police is only six months under Section 177 of the IPC. When this is the case with production of documents required for the purpose of trial or inquiry, it is wholly arbitrary to impose a punishment of six years in the case of intermediaries who do not extend cooperation for providing access to a computer resource which is merely apprehended as being a threat to national security etc. A mere apprehension, however reasonable it may be, should not be used to pin down a liability of such extreme nature on the intermediary.

This would also amount to a violation of Articles 19(1)(a) as well as 19(1)(g) of the Constitution, not to mention Article 20(3). To give an example, much of the information received from confidential sources by members of the press would be stored in computer resources. By coercing them, through the 7 year imprisonment threat, to allow access to this computer resource and thereby part with this information, the State is directly infringing on their right under Article 19(1)(a). Furthermore, if the “subscriber” is the accused, then section 69(4) goes against Article 20(3) by forcing the accused to bear witness against himself.

Draft Rules under Section 69

Rule 3
Directions for interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource under sub- section (2) of section 69 of the Information Technology (Amendment) Act, 2008 (hereinafter referred to as the said Act) shall not be issued except by an order made by the concerned competent authority who is Union Home Secretary in case of Government of India; the Secretary in-charge of Home Department in a State Government or Union Territory as the case may be. In unavoidable circumstances, such order may be made by an officer, not below the rank of a Joint Secretary to the Government of India, who has been duly authorised by the Union Home Secretary or by an officer equivalent to rank of Joint Secretary to Government of India duly authorised by the Secretary in-charge of Home Department in the State Government or Union Territory, as the case may be:

Provided that in emergency cases –
(i) in remote areas, where obtaining of prior directions for interception or monitoring or decryption of information is not feasible; or
(ii) for operational reasons, where obtaining of prior directions for interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource is not feasible;

the required interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource shall be carried out with the prior approval of the Head or the second senior most officer of the Security and Law Enforcement Agencies (hereinafter referred to as the said Security Agencies) at the Central Level and the officers authorised in this behalf, not below the rank of Inspector General of Police or an officer of equivalent rank, at the State and Union Territory level. The concerned competent authority, however, shall be informed of such interceptions or monitoring or decryption by the approving authority within three working days and that such interceptions or monitoring or decryption shall be got confirmed by the concerned competent authority within a period of seven working days. If the confirmation from the concerned competent authority is not received within the stipulated seven working days, such interception or monitoring or decryption shall cease and the same information shall not be intercepted or monitored or decrypted thereafter without the prior approval of the concerned competent authority, as the case may be.

Recommendation #3
In Rule 3, the following proviso may be inserted:

“Provided that in the event of cooperation by any intermediary being required for the purpose of interception, monitoring or decryption of such information as is referred to in this Rule, prior permission from a Supervisory Committee headed by a retired Judge of the Supreme Court or the High Courts shall be obtained before seeking to enforce the Order mentioned in this Rule against such intermediary.”

Reasons for the Recommendation
Section 69 and the draft rules suffer from absence of essential procedural safeguards. This has come in due to the blanket emulation of the Telegraph Rules. Additional safeguards should have been prescribed to ensure that the intermediary is put to minimum hardship when carrying on the monitoring or being granted access to a computer resource. Those are akin to a raid, in the sense that it can stop an online e-commerce portal from carrying out operations for a day or even more, thus affecting their revenue. It is therefore recommended that in any situation where cooperation from the intermediary is sought, prior judicial approval has to be taken. The Central or State Government cannot be the sole authority in such cases.

Furthermore, since access to the computer resource is required, an executive order should not suffice, and a search warrant or an equivalent which results from a judicial application of the mind (by the Supervisory Committee, for instance) should be required.

Recommendation #4
The following should be inserted after the last line in Rule 22:

The Review Committee shall also have the power to award compensation to the intermediary in cases where the intermediary has suffered loss or damage due to the actions of the competent authority while implementing the order issued under Rule 3.

Reasons for the Recommendation
The Review Committee should be given the power to award compensation to the loss suffered by the intermediary in cases where the police use equipment or software for monitoring/decryption that causes damage to the intermediary’s computer resources / networks. The Review Committee should also be given the power to award compensation in the case of monitoring directions which are later found to be frivolous or even worse, borne out of mala fide considerations. These provisions will act as a disincentive against the abuse of power contained in Section 69.

Blocking of Access to Information

Section 69A

The section provides for blocking of websites if the government is satisfied that it is in the interests of the purposes enlisted in the section. It also provides for penalty of up to seven years for intermediaries who fail to comply with the directions under this section.
The rules under this section describe the procedure which have to be followed barring which the review committee may, after due examination of the procedural defects, order an unblocking of the website.

Section 69A(3)
The intermediary who fails to comply with the direction issued under sub-section (1) shall be punished with an imprisonment for a term which may extend to seven years and also be liable to fine.

Recommendation #5
The penalty for intermediaries must be lessened.

Reasons for Recommendations
The penal provision in this section which prescribes up to seven years imprisonment and a fine on an intermediary who fails to comply with the directions so issued is also excessively harsh. Considering the fact that various mechanisms are available to escape the blocking of websites, the intermediaries must be given enough time and space to administer the block effectively and strict application of the penal provisions must be avoided in bona fide cases.

The criticism about Section 69 and the draft rules in so far as intermediary liability is concerned, will also apply mutatis mutandis to these rules as well as Section 69A.

Draft Rules under Section 69A

Rule 22: Review Committee
The Review Committee shall meet at least once in two months and record its findings whether the directions issued under Rule (16) are in accordance with the provisions of sub-section (2) of section 69A of the Act. When the Review Committee is of the opinion that the directions are not in accordance with the provisions referred to above, it may set aside the directions and order for unblocking of said information generated, transmitted, received, stored or hosted in a computer resource for public access.

Recommendation #6
A permanent Review Committee should be specially for the purposes of examining procedural lapses.

Reasons for Recommendation
Rule 22 provides for a review committee which shall meet a minimum of once in every two months and order for the unblocking of a site of due procedures have not been followed. This would mean that if a site is blocked, there could take up to two months for a procedural lapse to be corrected and it to be unblocked. Even a writ filed against the policing agencies for unfair blocking would probably take around the same time. Also, it could well be the case that the review committee will be overborne by cases and may fall short of time to inquire into each. Therefore, it is recommended that a permanent Review Committee be set up which will monitor procedural lapses and ensure that there is no blocking in the first place before all the due procedural requirements are met.

Monitoring and Collection of Traffic Data

Draft Rules under Section 69B

The section provides for monitoring of computer networks or resources if the Central Government is satisfied that conditions so mentioned are satisfied.

The rules provide for the manner in which the monitoring will be done, the process by which the directions for the same will be issued and the liabilities of the intermediaries and monitoring officers with respect to confidentiality of the information so monitored.

Grounds for Monitoring
Rule 4
The competent authority may issue directions for monitoring and collection of traffic data or information generated, transmitted, received or stored in any computer resource for any or all of the following purposes related to cyber security:
(a) forecasting of imminent cyber incidents;
(b) monitoring network application with traffic data or information on computer resource;
(c) identification and determination of viruses/computer contaminant;
(d) tracking cyber security breaches or cyber security incidents;
(e) tracking computer resource breaching cyber security or spreading virus/computer contaminants;
(f) identifying or tracking of any person who has contravened, or is suspected of having contravened or being likely to contravene cyber security;
(g) undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resource;
(h) accessing a stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force;
(i) any other matter relating to cyber security.

Rule 6
No direction for monitoring and collection of traffic data or information generated, transmitted, received or stored in any computer resource shall be given for purposes other than those specified in Rule (4).

Recommendation #7
Clauses (a), (b), (c), and (i) of Rule 4 must be repealed.

Reasons for Recommendations
The term “cyber incident” has not been defined, and “cyber security” has been provided a circular definition. Rule 6 clearly states that no direction for monitoring and collection of traffic data or information generated, transmitted, received or stored in any computer resource shall be given for purposes other than those specified in Rule 4. Therefore, it may prima facie appear that the government is trying to lay down clear and strict safeguards when it comes to monitoring at the expense of a citizens' privacy. However, Rule 4(i) allows the government to monitor if it is satisfied that it is “any matter related to cyber security”. This may well play as a ‘catch all’ clause to legalise any kind of monitoring and collection and therefore defeats the purported intention of Rule 6 of safeguarding citizen’s interests against arbitrary and groundless intrusion of privacy. Also, the question of degree of liability of the intermediaries or persons in charge of the computer resources for leak of secret and confidential information remains unanswered.

Rule 24: Disclosure of monitored data
Any monitoring or collection of traffic data or information in computer resource by the employee of an intermediary or person in-charge of computer resource or a person duly authorised by the intermediary, undertaken in course of his duty relating to the services provided by that intermediary, shall not be unlawful, if such activities are reasonably necessary for the discharge his duties as per the prevailing industry practices, in connection with :
(vi) Accessing or analysing information from a computer resource for the purpose of tracing a computer resource or any person who has contravened, or is suspected of having contravened or being likely to contravene, any provision of the Act that is likely to have an adverse impact on the services provided by the intermediary.

Recommendation #8
Safeguards must be introduced with respect to exercise of powers conferred by Rule 24(vi).

Reasons for Recommendations
Rule 24(vi) provides for access, collection and monitoring of information from a computer resource for the purposes of tracing another computer resource which has or is likely to contravened provisions of the Act and this is likely to have an adverse impact on the services provided by the intermediary. Analysis of a computer resource may reveal extremely confidential and important data, the compromise of which may cause losses worth millions. Therefore, the burden of proof for such an intrusion of privacy of the computer resource, which is first used to track another computer resource which is likely to contravene the Act, should be heavy. Also, this violation of privacy should be weighed against the benefits accruing to the intermediary. The framing of sub rules under this clearly specifying the same is recommended.

The disclosure of sensitive information by a monitoring agency for purposes of ‘general trends’ and ‘general analysis of cyber information’ is uncalled for as it dissipates information among lesser bodies that are not governed by sufficient safeguards and this could result in outright violation of citizen’s privacy.

Manner of Functioning of CERT-In

Draft Rules under Section 70B(5)

Section 70B provides for an Indian Computer Emergency Response Team (CERT-In) which shall serve as a national agency for performing duties as prescribed by clause 4 of this section in accordance to the rules as prescribed.
The rules provide for CERT-In’s authority, composition of advisory committee, constituency, functions and responsibilities, services, stakeholders, policies and procedures, modus operandi, disclosure of information and measures to deal with non compliance of orders so issued. However, there are a few issues which need to be addressed as under:

Definitions
In these Rules, unless the context otherwise requires, “Cyber security incident” means any real or suspected adverse event in relation to cyber security that violates an explicit or implied security policy resulting in unauthorized access, denial of service/ disruption, unauthorized use of a computer resource for processing or storage of information or changes to data, information without authorization.

Recommendation #9
The words ‘or implied’’ must be excluded from rule 2(g) which defines ‘cyber security incident’, and the term ‘security policy’ must be qualified to state what security policy is being referred to.

Reasons for Recommendation
“Cyber security incident” means any real or suspected adverse event in relation to cyber security that violates an explicit or implied security policy resulting in unauthorized access, denial of service/disruption, unauthorized use of a computer resource for processing or storage of information or changes to data, information without authorization.

Thus, the section defines any circumstance where an explicit or implied security policy is contravened as a ‘cyber security incident’. Without clearly stating what the security policy is, an inquiry into its contravention is against an individual’s civil rights. If an individual’s actions are to be restricted for reasons of security, then the restrictions must be expressly defined and such restrictions cannot be said to be implied.

Rule 13(4): Disclosure of Information
Save as provided in sub-rules (1), (2), (3) of rule 13, it may be necessary or expedient to so to do, for CERT-In to disclose all relevant information to the stakeholders, in the interest of sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence relating to cognizable offence or enhancing cyber security in the country.

Recommendation #10
Burden of necessity for disclosure of information should be made heavier.

Reasons for the Recommendation
Rule 13(4) allows the disclosure of information by CERT-In in the interests of ‘enhancing cyber security’. This enhancement however needs to be weighed against the detriment caused to the individual and the burden of proof must be on the CERT-In to show that this was the only way of achieving the required.

Rule 19: Protection for actions taken in Good Faith
All actions of CERT-In and its staff acting on behalf of CERT-In are taken in good faith in fulfillment of its mandated roles and functions, in pursuance of the provisions of the Act or any rule, regulations or orders made thereunder. CERT-In and its staff acting on behalf of CERT-In shall not be held responsible for any unintended fallout of their actions.

Recommendation #11
CERT-In should be made liable for their negligent action and no presumption of good faith should be as such provided for.

Reasons for the Recommendation
Rule 19 provides for the protection of CERT-In members for the actions taken in ‘good faith’. It defines such actions as ‘unintended fallouts’. Clearly, if information has been called for and the same is highly confidential, then this rule bars the remedy for any leak of the same due to the negligence of the CERT-In members. This is clearly not permissible as an agency that calls for delicate information should also be held responsible for mishandling the same, intentionally or negligently. Good faith can be established if the need arises, and no presumption as to good faith needs to be provided.

Draft Rules under Section 52

These rules, entitled the “Cyber Appellate Tribunal (Salary, Allowances and Other Terms and Conditions of Service of Chairperson and Members) Rules, 2009” are meant to prescribe the framework for the independent and smooth functioning of the Cyber Appellate Tribunal. This is so because of the specific functions entrusted to this Appellate Tribunal. Under the IT Act, 2000 as amended by the IT (Amendment) Act, 2008, this Tribunal has the power to entertain appeals against orders passed by the adjudicating officer under Section 47.

Recommendation #12
Amend qualifications Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003, to require judicial training and experience.

Reasons for the Recommendation
It is submitted that an examination of these rules governing the Appellate Tribunal cannot be made independent of the powers and qualifications of Adjudicating Officers who are the original authority to decide on contravention of provisions in the IT Act dealing with damage to computer system and failure to furnish information. Even as per the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003, persons who did not possess judicial experience and training, such as those holding the post of Director in the Central Government, were qualified to perform functions under Section 46 and decide whether there has been unauthorized access to a computer system. This involves appreciation of evidence and is not a merely administrative function that could be carried on by any person who has basic knowledge of information technology.

Viewed from this angle, the qualifications of the Cyber Appellate Tribunal members should have been made much tighter as per the new draft rules. The above rules when read with Section 50 of the IT Act, as amended in 2008, do not say anything about the qualification of the technical members apart from the fact that such person shall not be appointed as a Member, unless he is, or has been, in the service of the Central Government or a State Government, and has held the post of Additional Secretary or Joint Secretary or any equivalent post. Though special knowledge of, and professional experience in, information technology, telecommunication, industry, management or consumer affairs, has been prescribed in the Act as a requirement for any technical member.

Draft Rules under Section 54

These Rules do not suffer any defect and provide for a fair and reasonable enquiry in so far as allegations made against the Chairperson or the members of the Cyber Appellate Tribunal are concerned.

Penal Provisions

Section 66A

Any person who sends, by means of a computer resource or a communication device,
    (a) any information that is grossly offensive or has menacing character; or
    (b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device,
    (c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages,
shall be punishable with imprisonment for a term which may extend to three years and with fine.
Sec. 32 of the 2008 Act inserts Sec. 66A which provides for penal measures for mala fide use of electronic resources to send information detrimental to the receiver. For the section to be attracted the ‘information’ needs to be grossly offensive, menacing, etc. and the sender needs to have known it to be false.

While the intention of the section – to prevent activities such as spam-sending – might be sound and even desirable, there is still a strong argument to be made that words is submitted that the use of words such as ‘annoyance’ and ‘inconvenience’ (in s.66A(c)) are highly problematic. Further, something can be grossly offensive without touching upon any of the conditions laid down in Article 19(2). Without satisfying the conditions of Article 19(2), this provision would be ultra vires the Constitution.

Recommendation #13
The section should be amended and words which lead to ambiguity must be excluded.

Reasons for the Recommendation
A clearer phrasing as to what exactly could convey ‘ill will’ or cause annoyance in the electronic forms needs to be clarified. It is possible in some electronic forms for the receiver to know the content of the information. In such circumstances, if such a possibility is ignored and annoyance does occur, is the sender still liable? Keeping in mind the complexity of use of electronic modes of transmitting information, it can be said that several such conditions arise which the section has vaguely covered. Therefore, a stricter and more clinical approach is necessary.

Recommendation #14
A proviso should be inserted to this section providing for specific exceptions to the offence contained in this section for reasons such as fair comment, truth, criticism of actions of public officials etc.

Reasons for the Recommendation
The major problem with Section 66A lies in clause (c) as per which any electronic mail or electronic mail message sent with the purpose of causing annoyance or inconvenience is covered within the ambit of offensive messages. This does not pay heed to the fact that even a valid and true criticism of the actions of an individual, when brought to his notice, can amount to annoyance. Indeed, it may be brought to his attention with the sole purpose of causing annoyance to him. When interpreting the Information Technology Act, it is to be kept in mind that the offences created under this Act should not go beyond those prescribed in the Indian Penal Code except where there is a wholly new activity or conduct, such as hacking for instance, which is sought to be criminalized.

Offensive messages have been criminalized in the Indian Penal Code subject to the conditions specified in Chapter XXII being present. It is not an offence to verbally insult or annoy someone without anything more being done such as a threat to commit an offence, etc. When this is the case with verbal communications, there is no reason to make an exception for those made through the electronic medium and bring any electronic mail or message sent with the purpose of causing annoyance or inconvenience within the purview of an offensive message.

Section 66F

The definition of cyber-terrorism under this provision is too wide and can cover several activities which are not actually of a “terrorist” character.
Section 66F(1)(B) is particularly harsh and goes much beyond acts of “terrorism” to include various other activities within its purview. As per this provision,
“[w]hoever knowingly or intentionally penetrates or accesses a computer resource without authorisation or exceeding authorised access, and by means of such conduct obtains access to information, data or computer database that is restricted for reasons for the security of the State or foreign relations, or any restricted information, data or computer database, with reasons to believe that such information, data or computer database so obtained may be used to cause or is likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise, commits the offence of cyber terrorism.”

This provision suffers from several defects and hence ought to be repealed.

Recommendation #15
Section 66F(1)(B) has to be repealed or suitably amended to water down the excessively harsh operation of this provision. The restrictive nature of the information that is unauthorisedly accessed must be confined to those that are restricted on grounds of security of the State or foreign relations. The use to which such information may be put should again be confined to injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order. A mere advantage to a foreign nation cannot render the act of unauthorized access one of cyber-terrorism as long as such advantage is not injurious or harmful in any manner to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order. A mens rea requirement should also be introduced whereby mere knowledge that the information which is unauthorisedly accessed can be put to such uses as given in this provision should not suffice for the unauthorised access to amount to cyber-terrorism. The unauthorised access should be with the intention to put such information to this use. The amended provision would read as follows:

“[w]hoever knowingly or intentionally penetrates or accesses a computer resource without authorisation or exceeding authorised access, and by means of such conduct obtains access to information, data or computer database that is restricted for reasons for the security of the State or foreign relations, with the intention that such information, data or computer database so obtained may be used to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, commits the offence of cyber terrorism.”

Reasons for the Recommendation
The ambit of this provision goes much beyond information, data or computer database which is restricted only on grounds of security of the State or foreign relations and extends to “any restricted information, data or computer database”. This expression covers any government file which is marked as confidential or saved in a computer used exclusively by the government. It also covers any file saved in a computer exclusively used by a private corporation or enterprise. Even the use to which such information can be put need not be confined to those that cause or are likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, or friendly relations with foreign States. Information or data which is defamatory, amounting to contempt of court, or against decency / morality, are all covered within the scope of this provision. This goes way beyond the idea of a terrorist activity and poses serious questions. While there is no one globally accepted definition of cyberterrorism, it is tough to conceive of slander as a terrorist activity.

To give an illustration, if a journalist managed to unauthorisedly break into a restricted database, even one owned by a private corporation, and stumbled upon information that is defamatory in character, he would have committed an act of “cyber-terrorism.” Various kinds of information pertaining to corruption in the judiciary may be precluded from being unauthorisedly accessed on the ground that such information may be put to use for committing contempt of court. Any person who gains such access would again qualify as a cyber-terrorist. The factual situations are numerous where this provision can be put to gross misuse with the ulterior motive of muzzling dissent or freezing access to information that may be restricted in nature but nonetheless have a bearing on probity in public life etc. It is therefore imperative that this provision may be toned down as recommended above.

For more details visit https://cis-india.org/internet-governance/blog/comments-draft-rules

Clarify and define terms in IT rules, panel tells govt.

praskrishna — 2013-04-03T10:02:33Z

In the wake of concerns that the government is increasingly using ambiguously-phrased terms in legal codes to crack down on online speech, the Parliament’s Committee on Subordinate Legislation has asked for greater clarity and definition on terms which can serve as grounds for restrictions.

The article by Prashant Jha was published in the Hindu on April 1, 2013. Pranesh Prakash is quoted.

In 2011, the government issued Intermediary Guidelines under Section 79 of the Information Technology (IT) Act. Rule 3 requires intermediaries – including Internet Service Providers (ISPs), web hosts, cyber cafes, blogging platforms, search engines and others – to inform users not to ‘host, display, upload, modify, publish, transmit or share information’ that is ‘grossly harmful, harassing, blasphemous, defamatory, obscene, pornographic, paedophilic, libellous, invasive of another’s privacy, hateful, or racially, ethnically objectionable, disparaging, or otherwise unlawful in any manner whatsoever.’ Any person aggrieved by the content can ask intermediaries to take it down, and if they do not do so within 36 hours, they can be legally liable.

‘Remove ambiguities’

The committee has heeded the views of NGOs that these terms have not been defined either in the IT Act or the rules. In a report submitted on March 21, it has drawn the attention of the Ministry of Communication and IT to the ‘reported misuse’ of Section 66A of the IT Act in the absence of precise definitions, and said it was important to remove ‘ambiguities/misgivings in the minds of people.’

In its report, the committee, chaired by MP P. Karunakaran, suggested that the definition of those terms in other laws be incorporated in one place for the ‘convenience of reference’ of intermediaries and general public. It has added that those terms not mentioned in other laws be defined in a way that ‘no new category of crimes or offences is created in the process of delegated legislation.’ The committee said it expected the Ministry to have a fresh look at the guidelines and ‘make amendments to ensure there is no ambiguity.’

Highlighting the significance of the committee’s directive not to create new offences, Pranesh Prakash of the Centre for Internet and Society said that this was recognition that ‘many categories of speech prohibited by the Intermediary Guidelines Rules are not prohibited by the statute, and hence cannot be prohibited by the government through these rules.’

‘Conflicting picture’

The committee has also pointed out that there was a ‘conflicting picture’ regarding the ‘legal enforceability’ of these guidelines. In its response, the Ministry told the committee that these are of ‘advisory’ nature; it is not ‘mandatory’ for the intermediary to disable information and this does not amount to ‘censorship.’ But the rules state the intermediary ‘shall act’ within 36 hours of complaint.

The committee said there was a need for ‘clarity on the aforesaid contradictions,’ particularly on the process of ‘take down of content,’ and install ‘safeguards to protect against any abuse during such process.’

Mr. Prakash of CIS said that this had exposed the ‘government’s Janus-faced stance on the issue of mandatory nature of these rules.’

For more details visit https://cis-india.org/news/the-hindu-april-1-2013-prashant-jha-clarify-and-define-terms-in-it-rules-panel-tells-govt

Civil Liberties and the amended Information Technology Act, 2000

Malavika Jayaram — 2012-03-21T10:13:53Z

This post examines certain limitations of the Information Technology Act, 2000 (as amended in 2008). Malavika Jayaram points out the fact that when most countries of the world are adopting plain English instead of the conventional legal terminology for better understanding, India seems to be stuck in the old-fashioned method thereby, struggling to maintain a balance between clarity and flexibility in drafting its laws. The present Act, she says, is although an improvement over the old Act and seeks to address and improve on certain areas in the right direction but still comes up short in making necessary changes when it comes to fundamental rights and personal liberties. The new Act retains elements from the previous one making it an abnormal document and this could have been averted if there had been some attention to detail.

After close to a decade of dealing with English statutes, European directives and pan-European regulations, I was struck anew by the antique style of Indian draftsmanship on my return. Much of the world is moving away from stiff legal speech and towards plain English. Even England has converted to a simpler, more concise legal rhetoric. India, however, has a peculiar genius for imprecision and euphemism that makes the purpose and implications of the law hard to understand and apply. While it may seem quaint, to pepper a law with terms like ‘inconvenience’, ‘nuisance’ or ‘annoyance’, the language fails to convey the seriousness of the offences being defined. A reading of the Information Technology Act, 2008, in its new incarnation incorporating the latest amendments and rules (ITA), is a case in point.

Legal draftsmen inevitably wrestle with the age-old dilemma of the generic versus the specific, the potential dangers of a broad definition versus the built-in obsolescence of a narrow spotlight. The crafters of the ITA, in their admittedly admirable attempts to redress some of the gaps and ambiguity in the original law, appear to have struggled in their efforts to strike a balance between clarity and flexibility. While the new avatar is certainly an improvement in some areas, one can’t help but regret the missed opportunity to make necessary changes. Most importantly is the negative impact of the occasionally sloppy and sometimes overly wide drafting on deeply cherished fundamental rights and personal liberties.

Among other things, the ITA has sought to address and improve aspects such as technology neutrality, data protection, phishing and spam, child pornography, the liability of intermediaries and cyber terrorism. While many of these amendments are a step in the right direction, the actual drafting that implements the high level objectives suffers in many respects. For example, the previous emphasis on ‘digital signatures’ has shifted to the technologically neutral ‘electronic signatures’ but the changes have not been carried out thoroughly enough to expunge the old concept entirely. The current law is a bit of an abnormal document in that it contains elements of both concepts, which some attention to detail could easily have averted. Another example is that the provisions meant to combat spam and phishing end up using the dreaded ‘annoyance’ and ‘inconvenience’ terminology with the effect of casting the net of criminality over far more than is appropriate. For example, mail sent with the purpose of causing ‘annoyance’ or ‘inconvenience’ (not exactly the worst offence in the offline world) could put someone behind bars.

An important set of well intentioned but woefully inadequate provisions are those relating to the protection of data. The absence of a specific law on data protection had, in itself, garnered much criticism both within the country as well as in the context of international transactions and outsourcing. The old Act offered the feeble protection of a single provision (section 43) that dealt with unauthorised access and damage to data. In an attempt to meet industry demands and international market standards, the ITA introduced two sections that address civil and criminal sanctions. While this exercise understandably falls far short of a comprehensive law relating to data (being squeezed into an omnibus piece of technology related legislation, rather than one geared up only to deal with data), there was considerable anticipation of its role in papering over the existing cracks and provide a workable, if temporary, data protection regime.

However, the attempt is such a limited one, and so replete with shortcomings that the need for a ‘proper’ data protection law still stands. Given the proposed initiation of the UID scheme, in particular, there is a compelling need for a robust and intelligent law in this regard. Most other countries’ regimes clearly do at least the following:

define and classify types of data (for example, in most European countries, ‘personal data’ is any data that identifies an individual, ‘sensitive personal data’ is data that reveals details of ethnicity, religion, health, sexuality, political opinion, etc.),
fine-tune the nature of protection to the categories of data (i.e., greater standards of care around sensitive personal data),
apply equally to data stored offline and manually as to data stored on computer systems,
distinguish between a data controller (i.e., one who takes decisions as to data) and a data processor (i.e., one who processes data on the instructions of the data controller),
impose clear restrictions on the manner of data collection (for example, must be obtained fairly and lawfully),
give clear guidelines on the purposes for which that data can be put to and by whom (often involving a consent requirement that gives the individual a great degree of control over their data),
require certain standards and technical measures around the collection, storage, access to, protection, retention and destruction of data,
ensure that the use of data is adequate, relevant and not excessive given the purpose for which it was gathered,
cater for opt-in and opt-out type regimes, again to provide individuals with a measure of control over the use of their data even after the stage of initial collection (which has a huge impact on invasive telemarketing or unsolicited written communication)
impose a knowledge requirement and procedures for allowing individuals to seek information on what data is held on them, and
create safeguards and penalties that are well tailored to breaches of any of the above.

Unfortunately, and perhaps understandably, the ITA barely begins to scratch the surface of what a good data protection regime entails. The provisions that it does introduce (sections 43-A and 72-A) have glaring inadequacies. Briefly:

the term ‘sensitive personal data or information’ is used indiscriminately without any definition,
the provisions only cover electronic data and records, not data stored in non-electronic systems or media,
they offer no guidance on most of the principles set out above such as in relation to accuracy, adequacy, consent, purpose, etc.,
in the absence of the controller-processor distinction, liability is imposed on persons, who are not necessarily in a position to control data, even if it is in their possession,
civil liability for data breaches only arises where ‘negligence’ is involved (i.e., failure to have security procedures or failure to implement them correctly will not automatically result in damages unless negligence is proven),
similarly, criminal liability only applies to cases of information obtained in the context of a service contract, and requires an element of ‘wilfulness’, or a disclosure without consent or in breach of a lawful contract – this is a very limited remit aimed largely at preventing disgruntled or unscrupulous employees from dealing in company/customer data.

For these broad reasons, we can see that even the amended ITA disappoints those who expected a greatly improved regime in relation to data. It is widely anticipated that the UID scheme, which poses so many potential data protection issues, will serve as a catalyst for a standalone law that is on par with the more sophisticated regimes that function very well in other countries. One great feature common to most of those regimes is that they are consumer/individual focused. The freedom and privacy of the individual is the central concern of protection. Our ITA seems far more concerned with providing corporates with a stick to beat errant employees with, and with catering to the needs of the outsourcing and IT industries. It remains to be seen whether the UID scheme will merely galvanise some targeted legal action covering UIDs rather than generating a broad based piece of legislation.

In addition to the criticisms levelled at the data protection provisions, the other large subset of concerns has been in relation to the civil liberties implications of the ITA. There has been some horror expressed in various forums and media about the ITA contributing to the growth of a police state, to severe curtailment of the freedom of speech and expression, to the invasion of privacy, and to the disproportionate severity of penalisation for offences that are placed on crimes committed in cyberspace compared to crimes committed in the hear and now. Sadly, this is true to a large extent given the clunky treatment of ‘cyber terrorism’, the intolerable pre-censorship that is enabled by the blocking of websites, the broad approach to the monitoring and collection of data, and the demanding obligations of intermediaries to cooperate with interception, monitoring and decryption of data for poorly defined reasons.

While our Constitution’s fundamental rights chapter, which enshrines certain basic, democratic, and profound rights, might not have the same vocabulary of due process as we see in the US, it nevertheless requires restrictions to be reasonable. Precedents and the wider jurisprudence in the field have further developed the concepts of checks and balances, procedural safeguards and legitimacy of restraints that a functioning democracy like India must accord to its people. It can be argued that several provisions of the ITA cause significant tension with the right to freedom of speech and expression, the right against self-incrimination, the right to equality before the law, and the right to practice a trade or profession. To briefly deal with the worst offenders in the IT Act, I have divided them into some broader topics:

Pre-censorship

Some of the most excessive provisions relate to the free hand with which public access to websites can be blocked. Previously, there was some hope that the rules yet to be formulated in connection with section 69-A would offer some procedural safeguards. The recently notified rules do contain details – in the bureaucratese that we have come to expect – of the process to be followed by the designated functionaries. They also permit the concerned person or intermediary to submit a reply and clarifications to the committee before the decision to block access is taken.

These rules are to a large extent undermined by rule 9 (“Blocking of information in cases of emergency”), which provides that, “…in any case of an emergency nature, for which no delay is acceptable…”, the process will turn into an internal escalation within the department of IT and interim directions relating to blocking access may be issued without giving (him) an opportunity of hearing. There are those who think that, given the events of 26/11, this is wholly justified but the prospect of abuse fills others with dread. The rules may offer detailed time-frames within which orders are made and approved, require reasons to be recorded in writing, provide that emergency orders may be revoked and information unblocked, etc. Regardless, the nature of the process (executive rather than judicial), the ease with which it can be abused, and the fact that the review committee will only meet once in two months to check for compliance, set aside incorrect orders and unblock information, does not offer much comfort. If a site is incorrectly blocked, it could take up to two months for this to be rectified, which could cause a great damage to the owner of the site, and indeed to the wider public that has an interest in uncensored, free speech.

Given that any person can submit a request, it is not unreasonable to anticipate a certain level of frivolous and malicious requests for blocking sites, especially given that the grounds for blocking are very wide (the often repeated set that we are familiar with, namely, in the interest of sovereignty and integrity of India; relating to defence of India/ security of State/ friendly relations with foreign states/ public order and for preventing incitement to commission of any cognizable offences). Without a review committee constantly monitoring and policing the unbridled use of the provisions, the backlog of blocking decisions that may need to be reversed can become a mountain very quickly. The dangers of pre-censorship and the curtailment of dialogue, debate and free speech are even greater in a country with an increasingly thin-skinned populace. Faced with a volatile backdrop of great diversity of religion, political opinions, views on sexuality, morality, obscenity and other highly subjective values and beliefs, there is immense extra-legal pressure on free speech. Thus, there is now a need for greater vigilance so that the thought police do not wield the stick of harsh penalties under the ITA without reason and due process.

Privacy and surveillance

This topic pulls together concerns around the blanket monitoring and collecting of traffic data or information, the interception and decryption (under duress) by intermediaries (now a large superset of ISPs, search engines, cyber cafes, online auction sites, online market places, etc.) and the wide definition of ‘cyber terrorism’ (which ludicrously even casts defamation as a terrorist activity).

Some of the broad concerns in relation to interception, monitoring and decryption in (section 69) are that:

there is no provision for a clear nexus between an intermediary and the information or resource sought to be monitored or intercepted,
the usual internationally recognised exception to liability where an intermediary operates purely as a conduit and has no control over data flowing through its network is not clearly spelt out,
the penalties for non-cooperation are extremely harsh, especially given the absence of a) and b) above,
these onerous penalties can be said to be in violation of Article 14 as they seem entirely disproportionate. Similar offences and remedies in the Code of Criminal Procedure or the Indian Penal Code prescribe less severe penalties, by an order of magnitude in fact. When the only difference between the offences is the medium in which information is contained, it seems arbitrary to impose a much harsher punishment on an online intermediary than on a member of the public who, for example, furnishes false information to the police in connection with a trial or enquiry.
the rules made in relation to monitoring, interception and decryption, offer some procedural safeguards, in that they impose a time limit on how long a directive for interception or monitoring can remain in force, a ceiling on how long data can be kept before it is required to be destroyed, etc. However, the effect of these is greatly diluted by exceptions “for functional requirements”, etc. The astonishing irony is that rule 20 requires the intermediary to maintain “…extreme secrecy…” and “…utmost care and precaution…” in the matter of interception, monitoring or decryption of information “…as it affects the privacy of citizens…”!!!!

In a similar vein, there are concerns around the monitoring and collection of traffic data (section 69B) as the section contains an unreasonably long list of grounds for monitoring. These include such extreme excesses as “forecasting of imminent cyber incidents”, “monitoring network application with traffic data or information on computer resource”, “identification and determination of viruses/computer contaminant”, and the catch-all “any other matter relating to cyber security”.

Finally, the main criticism of the ITA approach to ‘cyber terrorism’ is the very wide net that it seeks to cast, looking for a game that has little or nothing to do with the named offence. Amongst the cast of creatures unwittingly caught during this fishing expedition, we find some unlikely victims. In addition to the usual grounds of offence against sovereignty, national security, defence of India, etc., which we have seen in relation to other sections, the ITA considers the following as acts of cyber terrorism – broadly speaking, unauthorised access to information that is likely to cause:

injury to decency,
injury to morality,
injury in relation to contempt of court, and
injury in relation to defamation.

This would almost be laughable if these grounds were not enacted unto law, posing a threat to civil liberties by their very existence. Other countries have some notion of political ideology, religious case, etc. in their view of terrorism. That (a) to (d) above have been shoehorned into a clause that imposes the stiffest penalty within the entire ITA (life imprisonment) gives even more cause for concern.

In closing, I should reiterate that the ITA includes other deficiencies and worthwhile improvements alike, but an article focusing largely on the data protection and civil liberties aspects cannot reference them all.

For more details visit https://cis-india.org/internet-governance/blog/information-technology-act

CIS Welcomes Standing Committee Report on IT Rules

pranesh — 2013-04-03T10:54:52Z

The Centre for Internet and Society welcomes the report by the Standing Committee on Subordinate Legislation, in which it has lambasted the government and has recommended that the government amend the Rules it passed in April 2011 under section 79 of the Information Technology Act.

Click to read the Parliamentary Standing Committee Report on the IT Rules. A modified version was published in CiOL on March 27, 2013.

These rules have been noted by many, including CIS, Software Freedom Law Centre, and Society for Knowledge Commons, and many eminent lawyers, as being unconstitutional. The Standing Committee, noting this, has asked the government to make changes to the Rules to ensure that the fundamental rights to freedom of speech and privacy are safeguarded, and that the principles of natural justice are respected when a person’s freedom of speech or privacy are curtailed.

Ambiguous and Over-reaching Language

The Standing Committee has noted the inherent ambiguity of words like "blasphemy", "disparaging", etc., which are used in the Intermediary Guidelines Rules, and has pointed out that unclear language can lead to harassment of people as has happened with Section 66A of the IT Act, and can lead to legitimate speech being removed. Importantly, the Standing Committee recognizes that many categories of speech prohibited by the Intermediary Guidelines Rules are not prohibited by any statute, and hence cannot be prohibited by the government through these Rules. Accordingly, the Standing Committee has asked the government to ensure "no new category of crimes or offences is created" by these Rules.

Government Confused Whether Rules Are Mandatory or Advisory

The Standing Committee further notes that there is a discrepancy in the government’s stand that the Intermediary Guidelines Rules are not mandatory, and are only "of advisory nature and self-regulation", and that "it is not mandatory for the Intermediary to disable the information, the rule does not lead to any kind of censorship". The Standing Committee points out the flaw in this, and notes that the language used in the rules is mandatory language (“shall act” within 36 hours). Thus, it rightly notes that there is a "need for clarity on the aforesaid contradiction". Further, it also notes that there is "there should be safeguards to protect against any abuse", since this is a form of private censorship by intermediaries."

Evidence Needed Against Foreign Websites

The government has told the Standing Committee that "foreign websites repeatedly refused to honour our laws", however, it has not provided any proof for this assertion. The government should make public all evidence that foreign web services are refusing to honour Indian laws, and should encourage a public debate on how we should tackle this problem in light of the global nature of the Internet.

Cyber Cafes Rules Violate Citizens’ Privacy

The Standing Committee also pointed out that the Cyber Cafe Rules violated citizens’ right to privacy in requiring that "screens of the computers installed other than in partitions and cubicles should face open space of the cyber café". Unfortunately, the Standing Committee did not consider the privacy argument against retention of extensive and intrusive logs. Under the Cyber Cafe Rules, cyber cafes are required to retain (for a minimum of one year) extensive logs, including that of "history of websites accessed using computer resource at cyber café" in such a manner that each website accessed can be linked to a person. The Committee only considered the argument that this would impose financial burdens on small cybercafes, and rejected that argument. CIS wishes the Committee had examined the provision on log maintenance on grounds of privacy as well."

Government’s Half-Truths

In one response, the government notes that "rules under Section 79 in particular have undergone scrutiny by High Courts in the country. Based on the Rules, the courts have given reliefs to a number of individuals and organizations in the country. No provision of the Rules notified under Sections 43A and 79 of the IT Act, 2000 have been held ultra vires."

What the government says is a half-truth. So far, courts have not struck down any of the IT Rules. But that is because none of the High Court cases in which the vires of the Rules have been challenged has concluded. So it is disingenuous of the government to claim that the Rule have "undergone scrutiny by High Courts". And in those cases where relief has been granted under the Intermediary Guidelines, the cases have been ex-parte or have been cases where the vires of the Rules have not been challenged. The government, if it wants to defend the Rules, should point out to any case in which the vires of the Rules have been upheld. Not a single court till date has declared the Rules to be constitutional when that question was before it.

Lack of Representation of Stakeholders in Policy Formulation

Lastly, the Standing Committee noted that it is not clear whether the Cyber Regulatory Advisory Committee (CRAC), which is responsible for policy guidance on the IT Act, has "members representing the interests of principally affected or having special knowledge of the subject matter as expressly stipulated in Section 88(2) of the IT Act". This is a problem that we at CIS also noted in November 2012, when the CRAC was reconstituted after having been defunct for more than a decade.

CIS hopes that the government finally takes note of the view of legal experts, the Standing Committee on Delegated Legislation, the Parliamentary motion against the Rules, and numerous articles and editorials in the press, and withdraws the Intermediary Guidelines Rules and the Cyber Cafe Rules, and instead replaces them with rules that do not infringe our constitutional rights.

The Centre for Internet and Society is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness, and engages in academic research on digital natives and digital humanities. It was among the organizations that submitted evidence to the Standing Committee on Subordinate Legislation on the IT Rules.

For more details visit https://cis-india.org/internet-governance/blog/cis-welcomes-standing-committee-report-on-it-rules

CIS Para-wise Comments on Draft Reasonable Security Practices Rules, 2011

Prashant Iyengar — 2012-12-14T10:32:06Z

On February 7th 2011, the Department of Information Technology, MCIT published draft rules on its website (The Information Technology (Reasonable security practices and procedures and sensitive personal information) Rules, 2011) in exercise of the powers conferred by Section 87(2)(ob), read with Section 43A of the Information Technology Act, 2000. Comments were invited from the public before February 25th 2011. Accordingly, Privacy India and Centre for Internet and Society, Bangalore have prepared the following para-wise comments for the Ministry’s consideration.

A. Specific Objections

Rule 3

Sensitive personal data or information.— Sensitive personal data or information of a person shall include information collected, received, stored, transmitted or processed by body corporate or intermediary or any person, consisting of :

Password;

...

Call data records;

Comment

We suggest that this list be expanded to include information such as sexual orientation, religion and caste. In addition, “electronic communication records” including emails, chat logs and other communications using a computer should be designated sensitive personal information.

Rule 4

Body Corporate to provide policy for privacy and disclosure of information.— (1) The body corporate or any person who on behalf of body corporate collects, receives, possess, stores, deals or handle shall provide a privacy policy for handling of or dealing in user information including sensitive personal information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract. Such policy shall provide for:

Type of personal or sensitive information collected under sub-rule (ii) of rule 3;

Purpose, means and modes of usage of such information;

Disclosure of information as provided in rule 6

Comment

We recommend that the privacy policy be made available for view to all individuals to whom the information held by the body corporate pertains. Currently the privacy policy will only be disclosed to the “providers of information” who may not be the individual concerned directly.

Rule 5

Collection of information.—

(1) Body corporate or any person on its behalf shall obtain consent of the provider of the information regarding purpose, means and modes of uses before collection of such information.

Comment

We recommend the substitution of the term “individual to whom the data pertains” instead of the phrase “provider of the information”.

(2) Body corporate or any person on its behalf shall not collect sensitive personal information unless—

the information is collected for a lawful purpose connected with a function or activity of the agency; and

the collection of the information is necessary for that purpose.

Comment

We recommend a blanket prohibition of collection of biometric data unless a heightened security interest is demonstrated.

(3) While collecting information directly from the individual concerned, the body corporate or any person on its behalf shall take such steps as are, in the circumstances, reasonable to ensure that the individual concerned is aware of.

Comment

We recommend a simpler phrase like “The body corporate.. shall take reasonable steps to inform the individual concerned” instead of the current complex phrasing. Reasonableness has generally been interpreted by courts contextually. For instance, the Supreme Court has remarked, “`Reasonable’ means prima facie in law reasonable in regard to those circumstances of which the actor, called upon to act reasonably, knows or ought to know. See Gujarat Water Supply and Sewage Board v. Unique Erectors (Guj) AIR 1989 SC 973.

(4) Body corporate or any person on its behalf holding sensitive personal information shall not keep that information for longer than is required for the purposes for which the information may lawfully be used.

Comment

We recommend that this be converted into a mandatory obligation to delete or anonymise the information collected within a stipulated period (say 6 months) after the expiry of use for which it was collected.

(6) Body corporate or any person on its behalf shall permit the users to review the information they had provided and modify the same, wherever necessary.

Comment

Individuals should have the right to review and modify information pertaining to them whether or not they themselves had provided the information to the body corporate. This right should be provided to them wherever the information that pertains to them is incorrect.

(7) Body corporate or any person on its behalf shall provide an option to the provider of the information to opt-in or opt-out.

Comment

We recommend that the wording be changed to “individual to whom the data pertains” instead of “provider of information”.

For more details visit https://cis-india.org/internet-governance/blog/security-practices-rules

CIS Para-wise Comments on Cyber Café Rules, 2011

Prashant Iyengar — 2012-12-14T10:32:02Z

On February 7th 2011, the Department of Information Technology, MCIT published draft rules on its website (The Information Technology (Guidelines for Cyber Cafe) Rules, 2011) in exercise of the powers conferred by Section 87(2) (zg), read with Section 79(2) of the Information Technology Act, 2000. Comments were invited from the public before February 25th 2011. Accordingly, Privacy India and Centre for Internet and Society, Bangalore have prepared the following para wise comments for the Ministry’s consideration.

A. General Objections

These rules have no nexus with their parent provision, namely s.79(2). Section 79(1) provides for exemption from liability for intermediaries. Section 79(2) thereupon states:

79. Intermediaries not to be liable in certain cases—

(2) The provisions of sub-section (1) shall apply if—

(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hasted; or
(b) the intermediary does not—

(i) initiate the transmission,
(ii) select the receiver of the transmission, and
(iii) select or modify the information contained in the transmission;

(c) the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf.

Therefore, by not observing any of the provisions of the Rules, the intermediary opens itself up for liability for actions of its users. However, the provisions contained in these rules have no rational nexus with due diligence to be observed by the intermediary to absolve itself from liability for third-party actions.

While the government may have authority to regulate cybercafes, that regulation should not be promulgated as rules under s.79(2). Doing so would be ultra vires s.79(2) itself.

Recommendation

These rules should be deleted in toto.

B. Specific Objections

These specific objections are in addition to the above-stated general objection, and do not detract from out recommendation that these rules should be deleted in their entirety.

Rule 2(c)

(c) “Cyber Cafe” means cyber café as defined in clause (na) of sub-section (1) of section 2 of the Act

Comment

The Act defines a cyber cafe as meaning “any facility from where access to the internet is offered by any person in the ordinary course of business to the members of the public”. This would include internet access provided in airports, in restaurants, and in many other places where the provisions of these rules (such as those about height of partitions, etc.) just will not be practicable. Thus, this provision will have unintended consequences.

Rule 3

Agency for issuance of license: Appropriate government will notify an agency to issue license to cyber cafes.

Comment

Rule 3 requires the issuing of a license for the establishment of a cyber café. We believe this is unwarranted since cybercafes, like most commercial establishments are already subject to registration and licensing under the “Shops and Establishments Acts” which have been enacted in all states. These Acts already specify an elaborate procedure for the application, registration and monitoring of all establishments and there is no need to multiply the levels of permission a cyber café must obtain. The current rules do not specify an application procedure, fee, and a maximum or minimum time frame within which such a license must be granted or denied nor does it specify the criterion on which such license applications will be evaluated. We think that in the absence of such legislative guidance, this provision is likely to be abused.

Cyber cafes in India contribute greatly to India’s increasing internet penetration and inserting a licensing regime would greatly impede access to the internet.

We believe that cyber cafes should be allowed to be established in the same manner as other shops and establishments, without the requirement of a special license.

Rule 4(2)

...When an user cannot establish his/her identify to the satisfaction of the Cyber Café as per sub-rule (1), he/she may be photographed by the Cyber Café using a web camera installed on one of the computers in the Cyber Café for establishing the identity of the user.

Comment

Sub-Rule 4 (2) Requires that if an individual is unable to establish identity, their photograph must be taken if they wish to use cyber café facilities. We believe that an individual’s photograph should be taken only as a last resort, where identity has been established.

Rule 4(3)

Children without photo identity card shall be accompanied by an adult with any of the documents as prescribed in sub-rule (1).

Comment

We recommend that children below 18 years should be specifically exempt from proving their identities to cyber café owners. Children are usually the quickest to adopt technology, and the requirement of possessing a valid identity might prove to be a deterrent to their developing computer skills. Likewise, being accompanied by an adult is also an onerous obligation since children’s access to the internet would depend on the availability of an adult/parent who may be too busy to accompany the child on every occasion the child wishes to access the internet or use a computer.

To reiterate, we feel that the current provision specially and adversely targets children from poorer classes (since they are most likely to routinely access internet through cyber cafes) and denies them the opportunity of developing their computer skills which are crucial for the growth of the “knowledge economy” that India is trying to head towards.

In addition, we believe that children are more susceptible to exploitation and consequently have a heightened privacy expectation which must be honoured. We recommend that the current sub-rule be deleted and replaced with a clause which specifically exempts children from proving their identity and forbids taking photographs of them under any circumstance.

Rule 5(1)

... Log Register: After the identity of the user has been established as per sub-rule (1) of rule 4 above, the Cyber Café shall record and maintain the required information of each user in the log register for a minimum period of one year. Also, Cyber Café may maintain an online version of the log register.

Comment

Rule 5(1) Provides a minimum period of one year that Cyber Cafes must retain their log registers. The rule does not specify the details which the log register must provide. In the interests of minimising threats to privacy, we recommend that these details recorded be confined only to the name and duration of use.

In addition, we believe that there should also be a coinciding mandatory deletion clause for the log register requiring details to be purged after the minimum retention period.

Rules 5(3)and 6(2)

5(3): “The cyber café owner shall be responsible for storing and maintaining following backups of logs and computer resource records for at least six months for each access or login by any user :

·    History of websites accessed using computer resource at cyber cafe

·    Logs of proxy server installed at cyber café

·    Mail server logs

·    Logs of network devices such as router, switches, systems etc. installed at cyber café

·    Logs of firewall or Intrusion Prevention/Detection systems, if installed.”

6(2): “The screen of all computers, installed other than in Partitions or Cubicles, shall face ‘outward’, i.e. they shall face the common open space of the Cyber Café.”

Comment

We recommend deletion of this rule since it is an unreasonable intrusion into a person’s privacy and an indirect attempt to censor content which users may wish to access. There are many uses of the internet for which a user may legitimately require privacy: For instance, patients, including HIV patients and those with mental illness, may wish to obtain information about their condition. Similarly sexuality minorities may wish to seek support or reach out to a larger community. Enforcing the architecture stipulated in this rule would discourage their access to such vital information. In addition, this architecture would make it easier for cyber crimes such as identity theft to take place since it would be easier to observe the login details of other users at the cyber café.

Rule 7(1)

Inspection of Cyber Café : “An officer, not below the rank of Police Inspector as authorised by the licensing agency, is authorized to check or inspect cyber café and the computer resource or network established therein at any time for the compliance of these rules. The cyber café owner shall provide every related document, registers and any necessary information to the inspecting officer on demand.

Comment

We recommend this clause be omitted since it confers unfettered and unsupervised powers on any Police Inspector to examine any cyber café premises he may choose without any restriction on time.

Additionally, the provisions of Shops and Establishments Acts of most states already prescribe a procedure for inspection of establishments and examination of records. The current rules merely add another layer of supervision to the existing laws without adequate safeguards.

Comment

Sub-Rule 5(3) holds cyber café owners responsible for the storage and maintenance of back up logs concerning the following information: history of websites, logs of proxy servers, mail server logs, logs of network devices, logs of firewalls installed. We believe that the maximum length for retention of this data should be defined and a mandatory deletion clause should be inserted requiring cyber café owners to delete these logs periodically. We further believe that access to the history of websites and mail server logs is a serious invasion of a person’s privacy, and should be omitted from the back up logs.

This is especially so when currently there is no requirement that cyber café owners maintain their logs under conditions of utmost secrecy and confidence.

For more details visit https://cis-india.org/internet-governance/blog/cyber-cafe-rules

CIS Para-wise Comments on Intermediary Due Diligence Rules, 2011

pranesh — 2012-07-11T10:27:26Z

On February 7th 2011, the Department of Information Technology, MCIT published draft rules on its website (The Information Technology (Due diligence observed by intermediaries guidelines) Rules, 2011) in exercise of the powers conferred by Section 87(2)(zg), read with Section 79(2) of the Information Technology Act, 2000. Comments were invited from the public before February 25th 2011. Accordingly, Privacy India and Centre for Internet and Society, Bangalore have prepared the following para-wise comments for the Ministry’s consideration.

A. General Objections

A number of the provisions under these Rules have no nexus with their parent provision, namely s.79(2). Section 79(1) provides for exemption from liability for intermediaries. Section 79(2) thereupon states:

79. Intermediaries not to be liable in certain cases—

(2) The provisions of sub-section (1) shall apply if—

(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hasted; or

(b) the intermediary does not—

(i) initiate the transmission,

(ii) select the receiver of the transmission, and

(iii) select or modify the information contained in the transmission;

(c) the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf.

Therefore, by not observing any of the provisions of the Rules, the intermediary opens itself up for liability for actions of its users. However, many of the provisions of the Rules have no rational nexus with due diligence to be observed by the intermediary to absolve itself from liability.

B. Specific Objections

Rule 2(b), (c), and (k)

(b) “Blog” means a type of website, usually maintained by an individual with regular entries of commentary, descriptions of events, or other material such as graphics or video. Usually blog is a shared on-line journal where users can post diary entries about their personal experiences and hobbies;

(c) “Blogger” means a person who keeps and updates a blog;

(k) “User” means any person including blogger who uses any computer resource for the purpose of sharing information, views or otherwise and includes other persons jointly participating in using the computer resource of intermediary

Comments

It is unclear why it is necessary to specifically target bloggers as users, leaving out other users such as blog commenters, social network users, microbloggers, podcasters, etc. It makes the rules technologically non-neutral.

Recommendation

We recommend that these 3 sub-rules be deleted.

Rule 3(2)

3. Due Diligence observed by intermediary.— The intermediary shall observe following due diligence while discharging its duties.

(2) The intermediary shall notify users of computer resource not to use, display, upload, modify, publish, transmit, update, share or store any information that : —

(a) belongs to another person;

(b) is harmful, threatening, abusive, harassing, blasphemous, objectionable, defamatory, vulgar, obscene, pornographic, paedophilic, libellous, invasive of another’s privacy, hateful, or racially, ethnically or otherwise objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever;

(c) harm minors in any way;

(d) infringes any patent, trademark, copyright or other proprietary rights;

(e) violates any law for the time being in force;

(f) discloses sensitive personal information of other person or to which the user does not have any right to;

(g) causes annoyance or inconvenience or deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;

(h) impersonate another person;

(i) contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource;

(j) threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or or public order or causes incitement to the commission of any cognizable offence or prevents investigation of any offence or is insulting any other nation.

Comments

Firstly, such ‘standard’ terms of use [1] might make sense for one intermediary, but not for all. For instance, an intermediary such as site with user-generated content (e.g., Wikipedia) would need different terms of use from an intermediary such as an e-mail provider (e.g., Hotmail), because the kind of liability they accrue are different. This is similar to how the liability that a newspaper publisher accrues is different from that accrued by the post office. However, forcing standard terms of use negates this difference. Thus, these are impractical.

Secondly, read with the legal obligation of the intermediary to remove such information (contained in rule 3(3)), they vest an extraordinary power of censorship in the hands of the intermediary, which could easily lead to the stifling of the constitutionally guaranteed freedom of speech online. Analogous restrictions do not exist in other fields, e.g., against the press in India or against courier companies, and there is no justification to impose them on content posted online. Taken together, these provisions make it impossible to publish critical views about anything without the risk of being summarily censored.

Thirdly, while it is possible to apply Indian law to intermediaries, it is impracticable to require all intermediaries (whether in India or not) to have in their terms of use India-specific clauses such as rule 3(2)(j). Instead, it is better to merely require them to ask their users to follow all relevant laws.

Individual instances of how these rules are overly broad are contained in an appendix to this submission.

Recommendation

We strongly recommend the deletion of this sub-rule, except clause (e).

Rule 3(3)

(3) The intermediary shall not itself host or publish or edit or store any information or shall not initiate the transmission, select the receiver of transmission, and select or modify the information contained in the transmission as specified in sub-rule (2).

Comments

This sub-rule is ultra vires s.79 of the IT Act, which does not require intermediaries not to “host or publish or edit or store any information”. If fact, s.79(2) merely states that by violating the provisions of s.79(2), the intermediary loses the protection of s.79(1). It does not however make it unlawful to violate s.79(2), as rule 3(3) does. This makes rule 3(3) ultra vires the Act.

Recommendation

This sub-rule should be deleted.

Rule 3(4)

(4) The intermediary upon obtaining actual knowledge by itself or been brought to actual knowledge by an authority mandated under the law for the time being in force in writing or through email signed with electronic signature about any such information as mentioned in sub-rule (2) above, shall act expeditiously to work with user or owner of such information to remove access to such information that is claimed to be infringing or to be the subject of infringing activity. Further the intermediary shall inform the police about such information and preserve the records for 90 days

Comments

This rule is also ultra vires s.69A of the IT Act as well as the Constitution of India. Section 69A states all the grounds on which an intermediary may be required to restrict access to information [2]. It does not allow for expansion of those grounds, because it has been carefully worded to maintains its constitutional validity vis-a-vis Articles 19(1)(a) and 19(2) of the Constitution of India. The rules framed under s.69A prescribe an elaborate procedure before such censorship may be ordered. The rules under s.69A will be rendered nugatory if any person could get content removed or blocked under s.79(2).

This rule requires an intermediary to immediately take steps to remove access to information merely upon receiving a written request from “any authority mandated under the law”. Thus, for example, any authority can easily immunize itself from criticism on the internet by simply sending a written notice to the intermediary concerned. This is directly contrary to, and completely subverts the legislative intent expressed in Section 69B which lays down an elaborate procedure to be followed before any information can be lawfully blocked.

If any person is aggrieved by information posted online, they may seek their remedies—including the relief of injunction—from courts of law, under generally applicable civil and criminal law. Inserting a rule such as this one would take away the powers of the judiciary in India to define the line dividing permissible and impermissible speech, and vest it instead in the whims of each intermediary. This can only have a chilling effect on debates in the public domain (of which the Internet is a part) which is the foundation of any democracy.

Recommendation

This rule should modified so that an intermediary is obliged to take steps towards removal of content only when (a) backed by an order from a court or (b) a direction issued following the procedure prescribed by the rules framed under Section 69A.

Rule 3(5) & (7) & (8) & (10)

(5) The Intermediary shall inform its users that in case of non-compliance with terms of use of the services and privacy policy provided by the Intermediary, the Intermediary has the right to immediately terminate the access rights of the users to the site of Intermediary;

(7) The intermediary shall not disclose sensitive personal information;

(8) Disclosure of information by intermediary to any third party shall require prior permission or consent from the provider of such information, who has provided such information under lawful contract or otherwise;

(10) The information collected by the intermediary shall be used for the purpose for which it has been collected.

Comments

These sub-rules have no nexus with intermediary liability or non-liability under s.79(2). For instance, it is unreasonable to say that an intermediary may be held liable for the actions of its users if it does not inform its users about its right to terminate access by the user to its services. Furthermore, not all intermediaries need be websites, as sub-rule 5 assumes. An intermediary can even be an “internet service provider” or a “cyber cafe” or a “telecom service provider”, as per rule 2(j) read with s.2(1)(w) of the IT Act.

The requirements under sub-rules (7), (8), and (10) are rightfully the domain of s.43A and the rules made thereunder, and not s.79(2) nor these rules.

Recommendation

These sub-rules should be deleted, and sub-rules (7), (8), and (10) may placed instead in the rules made under s.43A.

Rule 3(9)

(9) Intermediary shall provide information to government agencies who are lawfully authorised for investigative, protective, cyber security or intelligence activity. The information shall be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law for the time being in force, on a written request stating clearly the purpose of seeking such information.

Comments

This provision is ultra vires ss.69 and 69B. Rules have already been issued under ss.69 and 69B which stipulate the mechanism and procedure to be followed by the government for interception, monitoring or decrypting information in the hands of intermediaries. Thus under the Interception Rules 2009 framed under Section 69, permission must first be obtained from a “competent authority” before an intermediary can be directed to provide access to its records and facilities. The current rule completely removes the safeguards contained in s.69 and its rules, and would make intermediaries answerable to virtually any request from any government agency. This is contrary to the legislative intent expressed in Section 69.

Recommendation

We recommend this sub-rule be deleted.

Rule 3(12)

(12) The intermediary shall report cyber security incidents and also share cyber security incidents related information with the Indian Computer Emergency Response Team.

Comments

The rules relating to how and when the Indian Computer Emergency Response Team may request for information from intermediaries is rightfully the subject matter of s.70B(5) [3] and the rules made thereunder by virtue of the rule making power granted by s.87(2)(yd). The subject matter of rule 3(12) is not liability of intermediaries for third-party actions, hence there is no nexus between the rule-making power, and the rule.

Recommendations

We recommend that this sub-rule be deleted.

Rule 3(14)

(14) The intermediary shall publish on its website the designated agent to receive notification of claimed infringements.

Comments

It is unclear what “infringements” are being referred to in this sub-rule. Neither s.79 nor these rules provide for “infringements”. The same reasoning applied for rule 3(4) would also apply here. It would be better to require the intermediary to publish on its website a method of providing judicial notice.

Recommendations

Delete, and replace with a requirement for the intermediary to publish on its website a method of providing judicial notice.

Footnotes

For instance, the Section B(1) of the World of Warcraft Code of Conduct “When engaging in Chat, you may not: (i) Transmit or post any content or language which, in the sole and absolute discretion of Blizzard, is deemed to be offensive, including without limitation content or language that is unlawful, harmful, threatening, abusive, harassing, defamatory, vulgar, obscene, hateful, sexually explicit, or racially, ethnically or otherwise objectionable.
It is only “in the interest of sovereignty and integrity of India. defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above” that intermediaries may be issued directions to block access to information.
70B(5) sates that the The manner of performing functions and duties of the agency referred to in sub-section (1) shall be such as may be prescribed.

For more details visit https://cis-india.org/internet-governance/blog/intermediary-due-diligence

Breaking Down Section 66A of the IT Act

pranesh — 2012-12-14T09:51:17Z

Section 66A of the Information Technology Act, which prescribes 'punishment for sending offensive messages through communication service, etc.' is widely held by lawyers and legal academics to be unconstitutional. In this post Pranesh Prakash explores why that section is unconstitutional, how it came to be, the state of the law elsewhere, and how we can move forward.

Back in February 2009 (after the IT Amendment Act, 2008 was hurriedly passed on December 22, 2008 by the Lok Sabha, and a day after by the Rajya Sabha[1] but before it was notified on October 27, 2009) I had written that s.66A is "patently in violation of Art. 19(1)(a) of the Constitution of India":

Section 66A which punishes persons for sending offensive messages is overly broad, and is patently in violation of Art. 19(1)(a) of our Constitution. The fact that some information is "grossly offensive" (s.66A(a)) or that it causes "annoyance" or "inconvenience" while being known to be false (s.66A(c)) cannot be a reason for curbing the freedom of speech unless it is directly related to decency or morality, public order, or defamation (or any of the four other grounds listed in Art. 19(2)). It must be stated here that many argue that John Stuart Mill's harm principle provides a better framework for freedom of expression than Joel Feinberg's offence principle. The latter part of s.66A(c), which talks of deception, is sufficient to combat spam and phishing, and hence the first half, talking of annoyance or inconvenience is not required. Additionally, it would be beneficial if an explanation could be added to s.66A(c) to make clear what "origin" means in that section. Because depending on the construction of that word s.66A(c) can, for instance, unintentionally prevent organisations from using proxy servers, and may prevent a person from using a sender envelope different from the "from" address in an e-mail (a feature that many e-mail providers like Gmail implement to allow people to send mails from their work account while being logged in to their personal account). Furthermore, it may also prevent remailers, tunnelling, and other forms of ensuring anonymity online. This doesn't seem to be what is intended by the legislature, but the section might end up having that effect. This should hence be clarified.

I stand by that analysis. But given that it is quite sparse, in this post I will examine s.66A in detail.

Here's what s. 66A of the IT (Amendment) Act, 2008 states:

66A. Punishment for sending offensive messages through communication service, etc.,
Any person who sends, by means of a computer resource or a communication device,—
(a) any information that is grossly offensive or has menacing character;
(b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently by making use of such computer resource or a communication device,
(c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages

shall be punishable with imprisonment for a term which may extend to three years and with fine.

Explanation: For the purposes of this section, terms "electronic mail" and "electronic mail message" means a message or information created or transmitted or received on a computer, computer system, computer resource or communication device including attachments in text, images, audio, video and any other electronic record, which may be transmitted with the message.[2]

A large part of s.66A can be traced back to s.10(2) of the UK's Post Office (Amendment) Act, 1935:

If any person —
(a) sends any message by telephone which is grossly offensive or of an indecent, obscene, or menacing character; or
(b) sends any message by telephone, or any telegram, which he knows to be false, for the purpose of causing annoyance, inconvenience, or needless anxiety to any other person; or
(c) persistently makes telephone calls without reasonable cause and for any such purposes as aforesaid;
he shall be liable upon summary conviction to a fine not exceeding ten pounds, or to imprisonment for a term not exceeding one month, or to both such fine and imprisonment.

Section 66A bears a striking resemblance to the three parts of this law from 1935, with clauses (b) and (c) being merged in the Indian law into a single clause (b) of s.66A, with a whole bunch of new "purposes" added. Interestingly, the Indian Post Office Act, 1898, was never amended to add this provision.

The differences between the two are worth exploring.

Term of Punishment

The first major difference is that the maximum term of imprisonment in the 1935 Act is only one month, compared to three years in s.66A of the IT Act. It seems the Indian government decided to subject the prison term to hyper-inflation to cover for the time. If this had happened for the punishment for, say, criminal defamation, then that would have a jail term of up to 72 years! The current equivalent laws in the UK are the Communications Act, 2003 (s. 127) and the Malicious Communications Act 1988 (s.1) for both of which the penalty is up to 6 months' imprisonment or to a maximum fine of £5000 or both. What's surprising is that in the Information Technology (Amendment) Bill of 2006, the penalty for section 66A was up to 2 years, and it was changed on December 16, 2008 through an amendment moved by Mr. A. Raja (the erstwhile Minister of Communications and IT) to 3 years. Given that parts of s.66A(c) resemble nuisance, it is instructive to note the term of punishment in the Indian Penal Code (IPC) for criminal nuisance: a fine of Rs. 200 with no prison term.

"Sending" vs. "Publishing"

J. Sai Deepak, a lawyer, has made an interesting point that the IT Act uses "send" as part of its wording, and not "publish". Given that, only messages specifically directed at another would be included. While this is an interesting proposition, it cannot be accepted because: (1) even blog posts are "sent", albeit to the blog servers — s.66A doesn't say who it has to be sent to; (2) in the UK the Communications Act 2003 uses similar language and that, unlike the Malicious Communication Act 1988 which says "sends to another person", has been applied to public posts to Twitter, etc.; (3) The explanation to s.66A(c) explicitly uses the word "transmitted", which is far broader than "send", and it would be difficult to reconcile them unless "send" can encompass sending to the publishing intermediary like Twitter.

Part of the narrowing down of s.66A should definitely focus on making it applicable only to directed communication (as is the case with telephones, and with the UK's Malicious Communication Act), and not be applicable to publishing.

Section 66A(c)

Section 66A(c) was also inserted through an amendment moved by Mr. Raja on December 16, 2008, which was passed by the Lok Sabha on December 22, 2008, and a day after by the Rajya Sabha. (The version introduced in Parliament in 2006 had only 66A(a) and (b).) This was done in response to the observation by the Standing Committee on Information Technology that there was no provision for spam. Hence it is clear that this is meant as an anti-spam provision. However, the careless phrasing makes it anything but an anti-spam provision. If instead of "for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages" it was "for the purpose of causing annoyance and inconvenience and to deceive and to mislead the addressee or recipient about the origin of such messages", it would have been slightly closer to an anti-spam provision, but even then doesn't have the two core characteristics of spam: that it be unsolicited and that it be sent in bulk. (Whether only commercial messages should be regarded as spam is an open question.) That it arise from a duplicitous origin is not a requirement of spam (and in the UK, for instance, that is only an aggravating factor for what is already a fine-able activity).

Curiously, the definitional problems do not stop there, but extend to the definitions of "electronic mail" and "electronic mail message" in the 'explanation' as well. Those are so vast that more or less anything communicated electronically is counted as an e-mail, including forms of communication that aren't aimed at particular recipients the way e-mail is.

Hence, the anti-spam provision does not cover spam, but covers everything else. This provision is certainly unconstitutional.

Section 66A(b)

Section 66A(b) has three main elements: (1) that the communication be known to be false; (2) that it be for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will; (3) that it be communicated persistently. The main problem here is, of course, (2). "Annoyance" and "inconvenience", "insult", "ill will" and "hatred" are very different from "injury", "danger", and "criminal intimidation". That a lawmaker could feel that punishment for purposes this disparate belonged together in a single clause is quite astounding and without parallel (except in the rest of the IT Act). That's akin to having a single provision providing equal punishment for calling someone a moron ("insult") and threatening to kill someone ("criminal intimidation"). While persistent false communications for the purpose of annoying, insulting, inconveniencing, or causing ill will should not be criminalised (if need be, having it as a civil offence would more than suffice), doing so for the purpose of causing danger or criminal intimidation should. However, the question arises whether you need a separate provision in the IT Act for that. Criminal intimidation is already covered by ss. 503 and 506 of the IPC. Similarly, different kinds of causing danger are taken care of in ss.188, 268, 283, 285, 289, and other provisions. Similarly with the other "purposes" listed there, if, for instance, a provision is needed to penalise hoax bomb threats, then the provision clearly should not be mentioning words like "annoyance", and should not be made "persistent". (At any rate, s. 505(1) of the IPC suffices for hoax bomb threats, so you don't need a separate provision in the IT Act).

I would argue that in its current form this provision is unconstitutional, since there is no countervailing interest in criminalising false and persistent "insults", etc., that will allow those parts of this provision to survive the test of 'reasonableness' under Art.19(2). Furthermore, even bits that survive are largely redundant. While this unconstitutionality could be cured by better, narrower wording, even then one would need to ensure that there is no redundancy due to other provisions in other laws.

Section 66A(a)

In s.66A(a), the question immediately arises whether the information that is "grossly offensive" or "menacing" need to be addressed at someone specific and be seen as "grossly offensive" or "menacing" by that person, or be seen by a 'reasonable man' test.

Additionally, the term "grossly offensive" will have to be read in such a heightened manner as to not include merely causing offence. The one other place where this phrase is used in Indian law is in s.20(b) of the Indian Post Office Act (prohibiting the sending by post of materials of an indecent, obscene, seditious, scurrilous, threatening, or grossly offensive character). The big difference between s.20(b) of the IPO Act and s.66A of the IT Act is that the former is clearly restricted to one-to-one communication (the way the UK's Malicious Communication Act 1988 is). Reducing the scope of s.66A to direct communications would make it less prone to challenge.

Additionally, in order to ensure constitutionality, courts will have to ensure that "grossly offensive" does not simply end up meaning "offensive", and that the maximum punishment is not disproportionately high as it currently is. Even laws specifically aimed at online bullying, such as the UK's Protection from Harassment Act 1997, can have unintended effects. As George Monbiot notes, the "first three people to be prosecuted under [the Protection from Harassment Act] were all peaceful protesters".

Constitutional Arguments in Importing Laws from the UK

The plain fact is that the Indian Constitution is stronger on free speech grounds than the (unwritten) UK Constitution, and the judiciary has wide powers of judicial review of statutes (i.e., the ability of a court to strike down a law passed by Parliament as 'unconstitutional'). Judicial review of statutes does not exist in the UK (with review under its EU obligations being the exception) as they believe that Parliament is supreme, unlike India. Putting those two aspects together, a law that is valid in the UK might well be unconstitutional in India for failing to fall within the eight octagonal walls of the reasonable restrictions allowed under Art.19(2). That raises the question of how they deal with such broad wording in the UK.

Genealogy of UK Law on Sending 'Indecent', 'Menacing', 'Grossly Offensive' Messages

Quoting from the case of DPP v. Collins [2006] UKHL 40 [6]:

The genealogy of [s. 127(1) of the Communication Act] may be traced back to s.10(2)(a) of the Post Office (Amendment) Act, 1935, which made it an offence to send any message by telephone which is grossly offensive or of an indecent, obscene or menacing character. That subsection was reproduced with no change save of punctuation in s.66(a) of the Post Office Act 1953. It was again reproduced in s.78 of the Post Office Act 1969, save that "by means of a public telecommunication service" was substituted for "by telephone" and "any message" was changed to "a message or other matter". Section 78 was elaborated but substantially repeated in s.49(1)(a) of the British Telecommunications Act 1981 and was re-enacted (save for the substitution of "system" for "service") in s.43(1)(a) of the Telecommunications Act 1984. Section 43(1)(a) was in the same terms as s.127(1)(a) of the 2003 Act, save that it referred to "a public telecommunication system" and not (as in s.127(1)(a)) to a "public electronic communications network". Sections 11(1)(b) of the Post Office Act 1953 and 85(3) of the Postal Services Act 2000 made it an offence to send certain proscribed articles by post.

While the above quotation talks about s.127(1) it is equally true about s.127(2) as well. In addition to that, in 1988, the Malicious Communications Act (s.1) was passed to prohibit one-to-one harassment along similar lines.

The UK's Post Office Act was eclipsed by the Telecommunications Act in 1984, which in turn was replaced in 2003 by the Communications Act. (By contrast, we still stick on to the colonial Indian Post Office Act, 1898.) Provisions from the 1935 Post Office Act were carried forward into the Telecommunications Act (s.43 on the "improper use of public telecommunication system"), and subsequently into s.127 of the Communications Act ("improper use of public electronic communications network"). Section 127 of the Communications Act states:

127. Improper use of public electronic communications network
(1) A person is guilty of an offence if he —
(a) sends by means of a public electronic communications network a message or other matter that is grossly offensive or of an indecent, obscene or menacing character; or
(b) causes any such message or matter to be so sent.
(2) A person is guilty of an offence if, for the purpose of causing annoyance, inconvenience or needless anxiety to another, he —
(a) sends by means of a public electronic communications network, a message that he knows to be false,
(b) causes such a message to be sent; or
(c) persistently makes use of a public electronic communications network.
(3) A person guilty of an offence under this section shall be liable, on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale, or to both.
(4) Subsections (1) and (2) do not apply to anything done in the course of providing a programme service (within the meaning of the Broadcasting Act 1990 (c. 42)).

Currently in the UK there are calls for repeal of s.127. In a separate blog post I will look at how the UK courts have 'read down' the provisions of s.127 and other similar laws in order to be compliant with the European Convention on Human Rights.

Comparison between S. 66A and Other Statutes

Section 144, IPC, 1860

Power to issue order in urgent cases of nuisance or apprehended danger

...obstruction, annoyance or injury to any person lawfully employed, or danger to human life, health or safety, or a disturbance of the public tranquillity

Babulal Parate v. State of Maharastra and Ors. [1961 AIR SC 884] (Magistrates order under s. 144 of the Cr. PC, 1973 was in violation of Art.19(1)(a) of the Constitution).

A special thanks is due to Snehashish Ghosh for compiling the below table.

Section	Term(s)/phrase(s) used in 66A	Term(s)/ phrase(s) used in similar sections
Section 66A (heading)	Punishment for sending offensive messages through communication service, etc	Section 127, CA, 2003, "Improper use of public electronic communications network"
Section 66A(a)	Any person who sends, by means of a computer resource or a communication device	Section 1(1), MCA 1988, "Any person who sends to another person..."
Section 66A(a)	Grossly offensive	Section 1(1)(a)(i), MCA 1988; Section 127(1)(a),CA, 2003; Section 10(2)(a), Post Office (Amendment) Act, 1935; Section 43(1)(a), Telecommunications Act 1984; Section 20, India Post Act 1898
Section 66A(a)	Menacing character	Section127(1)(a),CA, 2003
Section 66A(b)	Any information which he knows to be false	Section 1(1)(a)(iii), MCA 1988 "information which is false and known or believed to be false by the sender"; Section 127(2)(a), CA, 2003, "a message that he knows to be false"
Section 66A(b) “purpose of...”	Causing annoyance	Section127(2), CA, 2003
	Inconvenience	Section 127 (2), CA, 2003
	Danger
	Insult	Section 504, IPC, 1860
	Injury	Section 44 IPC, 1860, "The word 'injury' denotes any harm whatever illegally caused to any person, in body, mind, reputation or property."
	Criminal intimidation	Sections 503 and 505 (2), IPC, 1860
	Enmity, hatred or ill-will	Section 153A(1)(a), IPC, 1860
	Persistently by making use of such computer resource or a communication device	Section 127(2)(c), CA, 2003, "persistently makes use of a public electronic communications network."
Section 66A(c)	Deceive or to mislead	-

Notes
MCA 1988: Malicious Communications Act (s.1)
CA: Communications Act 2003 (s.127)
*Replaced by Communications Act 2003

[1]. The Information Technology (Amendment) Bill, 2008, was one amongst the eight bills that were passed in fifteen minutes on December 16, 2008.
[2]. Inserted vide Information Technology Amendment Act, 2008.

This was re-posted in Outlook (November 28, 2012)

For more details visit https://cis-india.org/internet-governance/blog/breaking-down-section-66-a-of-the-it-act

Blocked websites: Where India flawed

praskrishna — 2012-08-27T03:00:16Z

Apart from not giving 48 hours response time, the Indian government has blocked some websites which don't exist or don't have web addresses, says an analyst.

Published in CIOL on August 23, 2012. Pranesh Prakash's analysis is quoted.

India is threatening to block Twitter as the latter has allegedly failed to respond to the government's order to remove some inflammatory posts.

That has come to light as it is being widely covered in media, but there are hundreds of websites which have already been shut, apparently without due notice to the owners.

Apart from Facebook, Twitter and YouTube accounts, the blocked websites include which are sympathetic to Hindu and Muslim radical groups.

In an analysis of 309 websites blocked in the wake of exodus of North eastern people from Bangalore, Pranesh Prakash of the Centre for Internet and Society (CIS), says the government has blocked these sites under the Information Technology Act, but it failed to provide the mandatory 48 hours to respond (under Rule 8 of the Information Technology Procedure and Safeguards for Blocking for Access of Information by Public, Rules 2009).

He writes in his post: "The persons and intermediaries hosting the content should have been notified. Even if the emergency provision (Rule 9) was used, the block issued on August 18, 2012, should have been introduced before the "Committee for Examination of Request" by August 20, 2012 (within 48 hours), and that committee should have notified the persons and intermediaries hosting the content.

Internet censorship is acceptable as long as it is in the purview of the law and doesn't encroach one's freedom. In this case, some people and posts debunking rumours have been blocked, says Pranesh.

He points to some discrepancies in the way the websites are blocked:

Some of the items are not even web addresses (e.g., a few HTML img tags were included). Some of the items they have tried to block do not even exist (e.g., one of the Wikipedia URLs).
An entire domain was blocked on Sunday, and a single post on that domain was blocked on Monday.
For some YouTube videos, the 'base' URL of YouTube videos is blocked, but for other the URL with various parameters (like the "&related=" parameter) is blocked. That means that even nominally 'blocked' videos will be freely accessible.

He concludes: "All in all, it is clear that the list was not compiled with sufficient care."

For more details visit https://cis-india.org/news/www-ciol-com-aug-23-2012-blocked-websites