On May 25, Twitter users in India were busy faux-dramatically bidding farewell to each other and sharing their Instagram handles for when “Twitter shuts down”.
This doomsday pantomime was motivated by the Indian government’s new rules – the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 under the Information Technology Act, 2000 – that stipulated a number of conditions that social media companies like Twitter, Facebook and others had to comply with by May 25.
Unlike the sensational scenario in the collective imagination of Twitter users, the consequence of non-compliance was not a “shutdown” of social media platforms but simply the loss of status as an “intermediary”. The intermediary status is a “safe harbour” for social media and messaging platforms like Facebook, Twitter and WhatsApp wherein they can avoid liability for the content that their users publish or send on the platform, as long as they comply with certain requirements.
The trouble is that these requirements are onerous in multiple ways. For “significant” social media intermediaries, defined as those having more than five million registered users, these requirements are even more stringent. While the rules are detailed and multifarious (including those focused on digital media organisations), we’ll focus on two aspects applicable to social media and messaging platforms that are of the most serious concern to try and understand their dangers.
To take a step back, it’s worth noting that in the typical style of the Modi government, the consultation process for these rules was more or less an eyewash. Between a “leaked” draft of the rules that were being and the rules being finally notified in February 2021, the Internet Freedom Foundation that while there were some changes and refinements, the “core and substance” of the concerns about these rules remained the same, while adding some new restrictions without public deliberation.
Coming to the rules themselves, the headline item that has garnered the most attention and worry among internet users is the traceability requirement. The new rules stipulate that an intermediary such as WhatsApp or Signal (providing services “primarily in the nature of messaging”) should enable the identification of the “first originator” of a message.
Stripped of context and nuance, the objectives of this stipulation appear laudable. The advocates of traceability will say that it is the only way to combat “fake news” which can be dangerous, and to track down the originator of illegal content, such as child pornography.
The first, and most obvious, counter to this is that the have argued that these attempts are of limited effectiveness. There are several technical and non-technical workarounds and hacks that can be implemented to get around any such tracking. These workarounds would become widely available and used if and when such traceability mandates come into operation.
Even without any of these, with a tracking mechanism functioning exactly as designed, there are many circumstances when this can lead to a dangerous dead-end. Suppose sender X takes a screenshot of a message they saw elsewhere and sends it to someone else on WhatsApp; or copies and pastes a message; or sees something on Twitter and forwards the link on WhatsApp.
In all of these circumstances, the best technology in the world can bring you to X, but no further. And, therefore, no closer to the actual “originator” of the offending content.
Which brings us to the more worrying problem with this system. Knowing the way the Indian criminal justice system functions, it’s entirely possible that X, who is effectively a forwarder and not an originator, could still be arrested or proceeded against under the relevant laws. Because by the operation of the law and the limitations of technology, they willy-nilly become the originator of the message.
The most obvious way to implement traceability would be to break the encryption that forms the backbone of applications like Signal and WhatsApp. Since there is no way these companies can do this for only India, they would have to dispense with encryption worldwide, and there’s little chance this will happen. Neither Signal nor WhatsApp earn much revenue from India and it will probably make more economic sense for them to shut down the service in India rather than compromise the integrity of their product worldwide to comply with these regulations.
While traceability could also possibly be implemented without breaking the end-to-end encryption on the content of the messages, such an enterprise would be massively expensive and challenging because of the sheer volume of metadata that the intermediaries would have to collect and store all over the world. Even here, it’s unlikely this would make economic sense for them to do this.
Whether it is by breaking encryption or by supplying massive amounts of metadata about each message (including the phone number of the sender, the time of sending, the device it was sent from, the location it was sent from), any such traceability move would severely compromise the privacy of users. In a country like India where there is no express law safeguarding the privacy of citizens, allowing such a provision to operate would further compromise what meagre rights the citizens have over their privacy.
The other major sticking point with the IT rules is the requirement that the significant intermediaries submit themselves to a stringent takedown mechanism. Platforms like Facebook and Twitter have to designate a number of senior personnel to be responsible for responding to takedown notices and other diktats from the government. This needs to happen under very short timelines: 36 hours to complete the takedown process. The rules also go on to emphasise that failure to comply with these rules can invite sanction, including criminal prosecution.
The combination of these stipulations loads the deck in favour of the government, irrespective of whether its takedown request is legitimate or not. An intermediary working under a tight timeline, with designated senior personnel under the threat of criminal sanction, is heavily incentivised to simply comply with a government order than exercise the due care and restraint it could under normal circumstances. This sets the stage for rampant government censorship.
The IT rules also contain several more regulations, including the implementation of automatic content removal tools, that are dangerous and have been poorly thought out, without a full evaluation of their consequences on the rights of the users.
Onerous internet regulation is not an exclusive preserve of the Modi government. One need only look back at Section 66A of the IT Act, introduced by the UPA government in 2008, which was struck down by the Supreme Court as violative of the fundamental right to freedom of speech. But these current regulations are a telling commentary on the way this government views the citizenry, and the priorities it has in policymaking.
The BJP came to power, helped to a great degree by its online social media machinery. Over the years, they have exhibited a penchant for disinformation that is almost legendary. By way of posts on social media as well as messages forwarded on messaging platforms like WhatsApp, they have utilised these platforms in unprecedented ways and with unprecedented scale to drive their campaigns. But now that everyone else is also savvy with these techniques, the government appears to want to regulate the industry.
One need only look at this government’s selective application of the UAPA over the past seven years of its rule – largely to imprison without trial (as is the design of the Act) anyone who is critical of the government – to imagine how these IT rules are likely to be applied by this government. With courts around the country exhibiting a great reluctance to uphold the civil liberties of its citizens in such matters, only the most foolish optimist would imagine that these rules would be free of misuse and selective application.
Over the course of the last year, both and downgraded India’s ranking as a democracy, citing the attack on civil liberties by the Modi government. These IT rules are one more instance of such an attack on civil liberties by the government, and could well lead to India’s status as a real democracy being further eroded.