Report on Intermediary Liability in India

The question of when intermediaries are liable, or conversely not liable, for content they host or transmit is often at the heart of regulating content on the internet. This is especially true in India, where the Government has relied almost exclusively on intermediary liability to regulate online content. With the advent of the Intermediary Guidelines 2021, and their subsequent amendment in October 2022, there has been a paradigm shift in the regulation of online intermediaries in India. 

To help understand this new regulatory reality, the Centre for Communication Governance (CCG) is releasing its ‘Report on Intermediary Liability in India’ (December 2022).

This report aims to provide a comprehensive overview of the regulation of online intermediaries and their obligations with respect to unlawful content. It updates and expands on the Centre for Communication Governance’s 2015 report documenting the liability of online intermediaries to now cover the decisions in Shreya Singhal vs. Union of India and Myspace vs. Super Cassettes Industries Ltd, the Intermediary Guidelines 2021 (including the October 2022 Amendment), the E-Commerce Rules, and the IT Blocking Rules. It captures the over two decades of regulatory and judicial practice on the issue of intermediary liability since the adoption of the IT Act. The report aims to provide practitioners, lawmakers and regulators, judges, and academics with valuable insights as they embark on shaping the coming decades of intermediary liability in India.

Some key insights that emerge from the report are summarised below:

Limitations of Section 79 (‘Safe Harbour’) Approach: In the cases analysed in this report, there is little judicial consistency in the application of secondary liability principles to intermediaries, including the obligations set out in Intermediary Guidelines 2021, and monetary damages for transmitting or hosting unlawful content are almost never imposed on intermediaries. This suggests that there are significant limitations to the regulatory impact of obligations imposed on intermediaries as pre-conditions to safe harbour.

Need for clarity on content moderation and curation: The text of Section 79(2) of the IT Act grants intermediaries safe harbour provided they act as mere conduits, not interfering with the transmission of content. There exists ambiguity over whether content moderation and curation activities would cause intermediaries to violate Section 79(2) and lose safe harbour. The Intermediary Guidelines 2021 have partially remedied this ambiguity by expressly stating that voluntary content moderation will not result in an intermediary ‘interfering’ with the transmission under Section 79(2). However, ultimately amendments to the IT Act are required to provide regulatory certainty.

Intermediary status and immunity on a case-by-case basis: An entity’s classification as an intermediary is not a status that applies across all its operations (like a ‘company’ or a ‘partnership’), but rather the function it is performing vis-à-vis the specific electronic content it is sued in connection with. Courts should determine whether an entity is an ‘intermediary’ and whether it complied with the conditions of Section 79 in relation to the content it is being sued for. Consistently making this determination at a preliminary stage of litigation would greatly further the efficacy of Section 79’s safe harbour approach.

Concerns over GACs: While the October 2022 Amendment stipulates that two members of every GAC shall be independent, no detail is provided as to how such independence shall be secured (e.g., security of tenure and salary, oath of office, minimum judicial qualifications etc.). Such independence is vital as GAC members are appointed by the Union Government but the Union Government or its functionaries or instrumentalities may also be parties before a GAC. Further, given that the GACs are authorities ‘under the control of the Government of India’, they have an obligation to abide by the principles of natural justice, due process, and comply with the Fundamental Rights set out in the Constitution. If a GAC directs the removal of content beyond the scope of Article 19(2) of the Constitution, questions of an impermissible restriction on free expression may be raised.

Actual knowledge in 2022: The October 2022 Amendment requires intermediaries to make reasonable efforts to “cause” their users not to upload certain categories of content and ‘act on’ user complaints against content within seventy-two hours. Requiring intermediaries to remove content at the risk of losing safe harbour in circumstances other than the receipt of a court or government order prima facie violates the decision of Shreya Singhal. Further, India’s approach to notice and takedown continues to lack a system for reinstatement of content.  

Uncertainty over government blocking power: Section 69A of the IT Act expressly grants the Union Government power to block content, subject to a hearing by the originator (uploader) or intermediary. However, Section 79(3)(b) of the IT Act may also be utilised to require intermediaries to take down content absent some of the safeguards provided in Section 69A. The fact that the Government has relied on both provisions in the past and that it does not voluntarily disclose blocking orders makes a robust legal analysis of the blocking power challenging.

Hearing originators when blocking: The decision in Shreya Singhal and the requirements of due process support the understanding that the originator must be notified and granted a hearing under the IT Blocking Rules prior to their content being restricted under Section 69A. However, evidence suggests that the government regularly does not provide originators with hearings, even where the originator is known to the government. Instead, the government directly communicates with intermediaries away from the public eye, raising rule of law concerns.

Issues with first originators: Both the methods proposed for ‘tracing first originators’ (hashing unique messages and affixing encrypted originator information) are easily circumvented, require significant technical changes to the architecture of messaging services, offer limited investigatory or evidentiary value, and will likely undermine the privacy and security of all users to catch a few bad actors. Given these considerations, it is unlikely that such a measure would satisfy the proportionality test laid out by current Supreme Court doctrine.

Broad and inconsistent injunctions: An analysis of injunctions against online content reveals that the contents of court orders are often sweeping, imposing vague compliance burdens on intermediaries. When issuing injunctions against online content, courts should limit blocking or removals to specific URLs. Further, courts should be cognisant of the fact that intermediaries have themselves not committed any wrongdoing, and the effect of an injunction should be seen as meaningfully dissuading users from accessing content rather than an absolute prohibition.

This report was made possible by the generous support we received from National Law University Delhi. CCG would like to thank our Faculty Advisor Dr. Daniel Mathew for his continuous direction and mentorship. This report would not be possible without the support provided by the Friedrich Naumann Foundation for Freedom, South Asia. We are grateful for comments received from the Data Governance Network and its reviewers. CCG would also like to thank Faiza Rahman and Shashank Mohan for their review and comments, and Jhalak M. Kakkar and Smitha Krishna Prasad for facilitating the report. We thank Oshika Nayak of National Law University Delhi for providing invaluable research assistance for this report. Lastly, we would also like to thank all members of CCG for the many ways in which they supported the report, in particular, the ever-present and ever-patient Suman Negi and Preeti Bhandari for the unending support for all the work we do.

[September 23-30] CCG’s Week in Review: Curated News in Information Law and Policy

The deadline to link PAN cards with Aadhaar was extended to December 31 this week; the Election Commission ruled that voting rights of those excluded in the NRC process remain unaffected; the Home Minister proposed a digital census with multipurpose ID cards for 2021; and 27 nations including the US, UK and Canada issued a joint statement urging a rules-based order in cyberspace – presenting this week’s most important developments in law, technology and national security.

Aadhaar and Digital IDs

  • [Sep 23] Home Minister announces digital census in 2021, proposed multipurpose ID card, Entrackr report; Business Today report.
  • [Sep 24] NRIs can now apply for Aadhaar on arrival without 182-day wait, The Economic Times report.
  • [Sep 24] Aadhaar will be linked to driving license to avoid forgery: Ravi Shankar Prasad, The Indian Express report.
  • [Sep 24] One nation, one card? Amit Shah floats idea of all-in-one ID; here are all the problems with that idea, Medianama report; Money Control report.
  • [Sep 24] Explained: Is India likely to have a multipurpose national ID card? The Indian Express report.
  • [Sep 24] UIDAI nod to ‘voluntary’ use of Aadhaar for National Population Register rollout, The Economic Times report.
  • [Sep 24] Govt must decide on Aadhaar-social media linkage: SC, Deccan Herald report.
  • [Sep 25] New law needed for Aadhaar-social media linkage: UIDAI, The Economic Times report; Inc42 report.
  • [Sep 26] NPR process to include passport, voter ID, Aadhaar and other details, Business Standard report.
  • [Sep 27] Gang involved in making fake Aadhaar cards busted, The Tribune report.
  • [Sep 27] What will happen if you don’t link your PAN card with Aadhaar by Sep 20, The Quint report.
  • [Sep 27] Explained: The National Population Register, and the controversy around it, The Indian Express report.
  • [Sep 27] Aadhaar to weed out bogus social security beneficiaries in Karnataka, Deccan Herald report.
  • [Sep 29] Bajrang Dal wants Aadhaar mandatory at dandiya to keep ‘non-Hindus’ out, The Hindustan Times report; The Wire report.
  • [Sep 30] Kerala urges Centre to extend deadline to link ration cards with Aadhaar, The News Minute report.
  • [Sep 30] PAN-Aadhaar linking deadline extended to December 31, The Economic Times report.

Digital India 

  • [Sep 25] India’s regulatory approach should focus on the regulation of the ‘core’: IAMAI, Livemint report.
  • [Sep 27] India may have to offer sops to boost electronic manufacturing, ET Tech report; Inc42 report.
  • [Sep 27] Digital India, start-ups are priorities for $5 trillion economy: PM Modi, Medianama report.
  • [Sep 29] Tech giants aim to skill Indian govt officials in AI, cloud, ET CIO report.
  • [Sep 29] India’s share in IT, R&D biz up in 2 years: report, The Economic Times report.

Internet Governance

  • [Sep 24] Supreme Court to MeitY: What’s the status of intermediary guidelines? Tell us by Oct 15, Medianama report.
  • [Sep 26] Will not be ‘excessive’ with social media rules, say Govt officials, Inc42 report.
  • [Sep 26] Government trying to balance privacy and security in draft IT intermediary norms, The Economic Times report.
  • [Sep 27] Citizens, tech companies served better with some regulation: Facebook India MD Ajit Mohan, ET Tech report; Inc42 report.
  • [Sep 27] Balance benefits of internet, data security: Google CEO Sundar Pichai, ET Tech report; Business Today report.

Free Speech

  • [Sep 25] Jadavpur University calls upon ‘stakeholders’ to ensure free speech on campus, The New Indian Express report.
  • [Sep 28] RSS raises objections to uncensored content of Manoj Bajpayee’s “The Family Man”, The Hindu report; Outlook report.

Privacy and Data Protection

  • [Sep 23] A landmark decision on Tuesday could radically reshape how Google’s search results work, Business Insider report.
  • [Sep 23] Google tightens its voice assistant rules amidst privacy backlash, Wired report.
  • [Sep 24] Dell rolls out new data protection storage appliances and capabilities, ZDNet report.
  • [Sep 24] ‘Right to be forgotten’ privacy rule is limited by Europe’s top court, The New York Times report; Live Law report.
  • [Sep 27] Nigeria launches investigation into Truecaller for potential breach of privacy, Medianama report.
  • [Sep 29] Right to be forgotten will be arduous as India frames data protection law, Business Standard report.
  • [Sep 30] FPIs move against data bill, seek exemption, ET Telecom report; Entrackr report.

Data Localisation

  • [Sep 26] Reconsider imposition of data localisation: IAMAI report, The Economic Times report.
  • [Sep 27] Why data is not oil: Here’s how India’s data localisation norms will hurt the economy, Inc42 report.

Digital Payments and Fintech

  • [Sep 23] RBI rider on credit bureau data access has Fintech in a quandary, ET Tech report.

Cryptocurrencies

  • [Sep 23] Facebook reveals Libra currency basket breakdown, Coin Desk report.
  • [Sep 23] The face of India’s crypto lobby readies for a clash, Ozy report.
  • [Sep 23] Why has Brazil’s Central Bank included crypto assets in trade balance? Coin Telegraph report.
  • [Sep 24] French retailers widening crypto acceptance, Tech Xplore report.
  • [Sep 26] Why crypto hoaxes are so successful, Quartz report.
  • [Sep 26] South Africa: the next frontier for crypto exchanges, Coin Telegraph report.
  • [Sep 27] The crypto wars’ strange bedfellows, Forbes report.
  • [Sep 28] Crypto industry is already preparing for Google’s ‘quantum supremacy’, Decrypt report.
  • [Sep 29] How crypto gambling is regulated around the world, Coin Telegraph report.

Tech and Law Enforcement

  • [Sep 29] New WhatsApp and Facebook Encryption ‘Backdoors’ – What’s really going on, Forbes report.
  • [Sep 28] Facebook, WhatsApp will have to share messages with UK Government, Bloomberg report.
  • [Sep 23] Secret FBI subpoenas scoop up personal data from scores of companies, The New York Times report.
  • [Sep 23] ‘Don’t transfer the WhatsApp traceability case’, Internet Freedom Foundation asks Supreme Court, Medianama report.
  • [Sep 24] China offers free subway rides to citizens who register their face with surveillance system, The Independent report.
  • [Sep 24] Facial recognition technology in public housing prompts backlash, The New York Times report.
  • [Sep 24] Facebook-Aadhaar linkage and WhatsApp traceability: Supreme Court says government must frame rules, CNBC TV18 report.
  • [Sep 27] Fashion that counters surveillance cameras, Business Times report.
  • [Sep 27] Unnao rape case: Delhi court directs Apple to give Sengar’s location details on day of alleged rape, Medianama report.
  • [Sep 27] Face masks to decoy t-shirts: the rise of anti-surveillance fashion, Times of India report.
  • [Sep 30] Battle for privacy and encryption: WhatsApp and government head for a showdown on access to messages, ET Prime report.
  • [Sep 29] Improving digital evidence sharing, Scottish Government news report; Public technology report.

Internal Security: J&K

  • [Sep 23] Government launches internet facilitation centre in Pulwama for students, Times of India report; Business Standard report.
  • [Sep 23] Army chief rejects ‘clampdown’ in Jammu and Kashmir, Times of India report.
  • [Sep 24] Rising power: Why India has faced muted criticism over its Kashmir policy, Business Standard report.
  • [Sep 24] ‘Restore Article 370, 35A in Jammu and Kashmir, withdraw army, paramilitary forces’: 5-member women’s group will submit demands to Amit Shah, Firstpost report.
  • [Sep 24] No normalcy in Kashmir, says fact finding team, The Hindu report.
  • [Sep 25] End clampdown: Kashmir media, The Telegraph report.
  • [Sep 25] Resolve Kashmir issue through dialogue and not through collision: Erdogan, The Economic Times report.
  • [Sep 25] Rajya Sabha deputy chair thwarts Pakistan’s attempt at Kashmir at Eurasian Conference, The Economic Times report.
  • [Sep 25] Pakistan leader will urge UN intervention in Kashmir, The New York Times report.
  • [Sep 25] NSA Ajit Doval back in Srinagar to review security situation, The Hindustan Times report.
  • [Sep 27] Communication curbs add fresh challenge to Kashmir counter-insurgency operations, News18 report.
  • [Sep 27] Fresh restrictions in parts of Kashmir, The Hindu report.
  • [Sep 27] US wants ‘rapid’ easing of Kashmir restrictions, Times of India report.
  • [Sep 27] Kashmir issue: Rescind action on Art. 370, OIC tells India, The Hindu report.
  • [Sep 28] India objects to China’s reference to J&K and Ladakh at UNGA, The Economic Times report; The Hindu report.
  • [Sep 29] Surveillance, area domination operations intensified in Kashmir, The Economic Times report; Financial Express report.
  • [Sep 29] Police impose restrictions in J&K after Imran Khan’s speech at UNGA, India Today report.

Internal Security: NRC and the North-East

  • [Sep 23] Assam framing cyber security policy to secure data related to NRC, police, services, The Economic Times report; Money Control report.
  • [Sep 24] BJP will tell SC that we reject this NRC, says Himanta Biswa Sarma, Business Standard report.
  • [Sep 24] Amit Shah to speak on NRC, Citizenship Amendment Bill in Kolkata on Oct 1, The Economic Times report.
  • [Sep 26] ‘Expensive’ legal battle for those rejected in Assam NRC final list, The Economic Times report.
  • [Sep 27] Scared of NRC? Come back in 2022, The Telegraph report.
  • [Sep 27] Voters left out of NRC will have right to vote, rules Election Commission, India Today report; The Wire report.
  • [Sep 27] NRC: Assam government announces 200 Foreigners Tribunals in 33 districts, Times Now report; Times of India report.
  • [Sep 28] Judge urges new FT members to examine NRC claims with utmost care, Times of India report.

National Security Legislation

  • [Sep 23] Centre will reintroduce Citizenship Bill in Parliament: Himanta Biswa Sarma, The Hindu report.
  • [Sep 26] National Security Guard: History, Functions and Operations, Jagran Josh report.
  • [Sep 28] Left parties seek revocation of decision on Article 370, The Tribune India report.

Tech and National Security

  • [Sep 25] Army to start using Artificial Intelligence in 2-3 years: South Western Army commander, The Print report; India Today report; The New Indian Express report; Financial Express report.
  • [Sep 23] Modi, Trump set new course on terrorism, border security, The Hindu report.
  • [Sep 23] PM Modi in the US: Trump promises more defence deals with India, military trade to go up, Financial Express report.
  • [Sep 23] Punjab police bust terror module supplied with weapons by drones from Pak, NDTV report.
  • [Sep 26] Lockheed Martin to begin supplying F-16 wings from Hyderabad plant in 2020, Livemint report.
  • [Sep 26] Drones used for cross-border arms infiltration in Punjab a national security issue, says Randhawa, The Hindu report.
  • [Sep 27] UK MoD sets up cyber team for secure innovation, UK Authority report.
  • [Sep 29] New tri-services special ops division, meant for surgical strikes, finishes first exercise today, The Print report.
  • [Sep 30] After Saudi attacks, India developing anti-drone technology to counter drone menace, Eurasian Times report.

Tech and Elections

  • [Sep 20] Microsoft will offer free Windows 7 support for US election officials through 2020, Cyber Scoop report.
  • [Sep 26] Social media platforms to follow ‘code of ethics’ in all future elections: EC, The Economic Times report.
  • [Sep 28] Why is EC not making ‘authentic’ 2019 Lok Sabha results public? The Quint report.

Cybersecurity

  • [Sep 24] Androids and iPhones hacked with just one WhatsApp click – and Tibetans are under attack, Forbes report.
  • [Sep 25] Sharp questions can help board oversee cybersecurity, The Wall Street Journal report.
  • [Sep 25] What we know about CrowdStrike, the cybersecurity firm Trump mentioned in Ukraine call, and its billionaire CEO, Forbes report.
  • [Sep 25] 36% smaller firms witnessed data breaches in 2019 globally, ET Rise report.
  • [Sep 28] Defence Construction Canada hit by cyber attack – corporation’s team trying to restore full IT capability, Ottawa Citizen report.
  • [Sep 29] Experts call for collective efforts to counter cyber threats, The New Indian Express report.
  • [Sep 29] Microsoft spots malware that turns PCs into zombie proxies, ET Telecom report.
  • [Sep 29] US steps up scrutiny of airplane cybersecurity, The Wall Street Journal report.

Cyberwarfare

  • [Sep 24] 27 countries sign cybersecurity pledge urging rules-based control over cyberspace in Joint Statement, with digs at China and Russia, CNN report; IT world Canada report; Meri Talk report.
  • [Sep 26] Cyber Peace Institute fills a critical need for cyber attack victims, Microsoft blog.
  • [Sep 29] Britain is ‘at war every day’ due to constant cyber attacks, Chief of the Defence Staff says, The Telegraph report.

Telecom and 5G

  • [Sep 27] Telcos’ IT investments intact, auto companies may slow pace: IBM exec, ET Tech report.
  • [Sep 29] Telecom players to lead digital transformation in India, BW Businessworld report.

More on Huawei

  • [Sep 22] Huawei confirms another nasty surprise for Mate 30 buyers, Forbes report.
  • [Sep 23] We’re on the same page with government on security: Huawei, The Economic Times report.
  • [Sep 24] The debate around 5G’s safety is getting in the way of science, Quartz report (paywall).
  • [Sep 24] Govt will take call on Huawei with national interest in mind: Telecom Secy, Business Standard report.
  • [Sep 24] Huawei enables 5G smart travel system at Beijing airport, Tech Radar report.
  • [Sep 25] Huawei 5G backdoor entry unproven, The Economic Times report.
  • [Sep 25] US prepares $1 bn fund to replace Huawei ban kit, Tech Radar report.
  • [Sep 26] Google releases large dataset of deepfakes for researchers, Medianama report.
  • [Sep 26] Huawei willing to license 5G technology to a US firm, The Hindu Business Line report; Business Standard report.
  • [Sep 26] Southeast Asia’s top phone carrier still open to Huawei 5G, Bloomberg report.
  • [Sep 29] Russia rolls out the red carpet for Huawei over 5G, The Economic Times report.

Emerging Tech and AI

  • [Sep 20] Google researchers have reportedly achieved “Quantum Supremacy”, Financial Times report; MIT Technology Review report.
  • [Sep 23] Artificial Intelligence revolution in healthcare in India: All we need to know, The Hindustan Times report.
  • [Sep 23] A new joystick for the brain-controlled vehicles of the future, Defense One report.
  • [Sep 24] Computing and AI: Humanistic Perspectives from MIT, MIT News report.
  • [Sep 24] Emerging technologies such as AI, 5G posing threats to privacy, says report, China Daily report.
  • [Sep 25] Alibaba unveils chip developed for artificial intelligence era, Financial Times report.
  • [Sep 26] Pentagon wants AI to interpret ‘strategic activity around the globe’, Defense One report.
  • [Sep 27] Only 10 jobs created for every 100 jobs taken away by AI, ET Tech report.
  • [Sep 27] Experts say these emerging technologies should concern us, Business Insider report.
  • [Sep 27] What is on the horizon for export controls on ‘emerging technologies’? Industry comments may hold a clue, Mondaq.com report.
  • [Sep 27] India can become world leader in artificial intelligence: Vishal Sikka, Money Control report.
  • [Sep 27] Elon Musk issues a terrifying prediction of ‘AI robot swarms’ and huge threat to mankind, The Daily Express (UK) report.
  • [Sep 27] Russia’s national AI Centre is taking shape, Defense One report.
  • [Sep 29] Explained: What is ‘quantum supremacy’, The Hindu report.
  • [Sep 29] Why are scientists so excited about a new quantum computing milestone?, Scroll.in report.
  • [Sep 29] Artificial Intelligence has a gender bias problem – just ask Siri, The Wire report.
  • [Sep 29] How AI is changing the landscape of digital marketing, Inc42 report.

Opinions and Analyses

  • [Sep 21] Wim Zwijnenburg, Defense One, Time to Harden International Norms on Armed Drones.
  • [Sep 23] David Sanger and Julian Barnes, The New York Times, The urgent search for a cyber silver bullet against Iran.
  • [Sep 23] Neven Ahmad, PRIO Blog, The EU’s response to the drone age: A united sky.
  • [Sep 23] Biswajit Dhar and KS Chalapati Rao, The Wire, Why an India-US Free Trade Agreement would require New Delhi to reorient key policies.
  • [Sep 23] Filip Cotfas, Money Control, Five reasons why data loss prevention has to be taken seriously.
  • [Sep 23] NF Mendoza, Tech Republic, 10 policy principles needed for artificial intelligence.
  • [Sep 24] Ali Ahmed, News Click, Are Indian armed forces turning partisan? : The changing civil-military relationship needs monitoring.
  • [Sep 24] Editorial, Deccan Herald, A polity drunk on Aadhaar.
  • [Sep 24] Mike Loukides, Quartz, The biggest problem with social media has nothing to do with free speech.
  • [Sep 24] Ananth Padmanabhan, Medianama, Civilian Drones: Privacy challenges and potential resolution. 
  • [Sep 24] Celine Herwijer and Dominic Kailash Nath Waughray, World Economic Forum, How technology can fast-track the global goals.
  • [Sep 24] S. Jaishankar, Financial Times, Changing the status of Jammu and Kashmir will benefit all of India.
  • [Sep 24] Editorial, Livemint, Aadhaar Mark 2.
  • [Sep 24] Vishal Chawla, Analytics India Magazine, AI in Defence: How India compares to US, China, Russia and South Korea.
  • [Sep 25] Craig Borysowich, IT Toolbox, Origin of Markets for Artificial Intelligence.
  • [Sep 25] Sudeep Chakravarti, Livemint, After Assam, NRC troubles may visit ‘sister’ Tripura.
  • [Sep 25] DH Kass, MSSP Blog, Cyber Warfare: New Rules of Engagement?
  • [Sep 25] Chris Roberts, Observer, How artificial intelligence could make nuclear war more likely.
  • [Sep 25] Ken Tola, Forbes, What is cybersecurity?
  • [Sep 25] William Dixon and Jamil Farshchi, World Economic Forum, AI is transforming cybercrime. Here’s how we can fight back.
  • [Sep 25] Patrick Tucker, Defense One, Big Tech bulks up its anti-extremism group. But will it do more than talk?
  • [Sep 26] Udbhav Tiwari, Huffpost India, Despite last year’s Aadhaar judgement, Indians have less privacy than ever.
  • [Sep 26] Sylvia Mishra, Medianama, India and the United States: The time has come to collaborate on commercial drones.
  • [Sep 26] Subimal Bhattacharjee, The Hindu Business Line, Data flows and our national security interests.
  • [Sep 26] Ram Sagar, Analytics India Magazine, Top countries that are betting big on AI-based surveillance.
  • [Sep 26] Patrick Tucker, Defense One, AI will tell future medics who lives and who dies on the battlefield.
  • [Sep 26] Karen Hao, MIT Technology Review, This is how AI bias really happens – and why it’s so hard to fix.
  • [Sep 27] AG Noorani, Frontline, Kashmir dispute: Domestic or world issue?
  • [Sep 27] Sushanta Talukdar, Frontline, Final NRC list: List of exclusion.
  • [Sep 27] Freddie Stuart, Open Democracy, How facial recognition technology is bringing surveillance capitalism to our streets.
  • [Sep 27] Paul de Havilland, Crypto Briefing, Did Bitcoin crash or dip? Crypto’s trajectory moving forward.
  • [Sep 28] John Naughton, The Guardian, Will advances in quantum computing affect internet security?
  • [Sep 28] Suhrith Parthasarathy, The Hindu, The top court and a grave of freedom.
  • [Sep 28] Kazim Rizvi, YourStory, Data Protection Authority: the cornerstone to implement data privacy.
  • [Sep 28] Shekhar Gupta, The Print, Modi has convinced the world that Kashmir is India’s internal affair – but they’re still watching.
  • [Sep 29] Indrani Bagchi, The Economic Times, Why India needs to tread carefully on Kashmir.
  • [Sep 29] Medha Dutta Yadav, The New Indian Express, Data: Brave new frontier.
  • [Sep 29] Jon Markman, Forbes, New cybersecurity companies have their heads in the cloud.
  • [Sep 29] Editorial, The New York Times, On cybersecurity: Two scoops of perspective.
  • [Sep 30] Kuldip Singh, The Quint, New IAF Chief’s appointment: Why RKS Bhadauria must tread lightly.
  • [Sep 30] Karishma Koshal, The Caravan, With the data-protection bill in limbo, these policies contravene the right to privacy.

Indian hackers, Anonymous and #OpISIS: The grey area of online vigilantism

By Shalini S

The post originally appeared in Scroll.in on 29th November 2015.

While hacktivists help limit the presence and effect of militant groups online, their operations are marred by legal, ethical and privacy concerns.

Photo: Roslan Rahman/ AFP

The Islamic State of Iraq and Syria, better known as ISIS, has been receiving increasing attention, particularly after the recent Paris attacks, and the sporadic news that the militant group was trying to recruit Indian youth through social media. The recent news about some Indian hackers joining Anonymous – a loosely connected international network of activist and “hacktivist” entities around the world – in its cyber operation, #OpISIS, against ISIS’ online presence, was widely celebrated.

In an operation called #OpParis launched under the umbrella of #OpISIS, Anonymous and other hacktivist groups such as CtrlSec and GhostSec directly attacked ISIS’ presence on internet platforms to diminish its online following, disrupt its recruitment drives, and inhibit its dissemination of extremist propaganda.

While Anonymous has been widely lauded for #OpISIS, the operation, much like the collective, is marred by legal and ethical ambiguities. In limiting the presence and effect of extremist groups online, the operations of collectives like Anonymous may become indispensable to law enforcement. However, there is currently a lack of engagement on the possibility of constructively employing the abilities of such unregulated groups within a legally permissible framework.

It is interesting to note how Indian hacktivists are extending advanced technical cooperation to aid the numerous strategies employed by Anonymous to cripple the general outreach of ISIS. Multiple news reports have suggested that Anonymous and other hacktivist groups associated with #OpISIS are themselves taking down ISIS’ social media accounts. However, this is not accurate, as members of Anonymous only monitor social media platforms, identify accounts of ISIS members and recruiters, and report them to the social networking service for suspension.

Legal and strategic issues

Most social networking sites have amended policies to account for increasing social media presence of terror organisations. They suspend user accounts hosting content that “promotes terrorism”. However, these platforms cannot conceivably monitor each account and so allow individual users to report accounts that violate their policies.

To guarantee takedown through increased reporting, Anonymous is also releasing lists of identified accounts publicly and urging other users to report them. Even though new accounts can be opened easily, suspension of existing accounts that have amassed sizeable followers derails ISIS’ social media recruitment drives. While #OpISIS is arguably aiding law enforcement and social networks by ensuring the implementation of existing policies by vehemently flagging violators, experts on Nato, the intergovernmental military alliance, suggest that the operation is a hindrance to the strategised tracking of terrorists by intelligence agencies.

In addition to reporting accounts that share extremist content, Anonymous and its associate hacktivist groups are also attempting to cripple the reach of extremist websites by launching distributed denial-of-service – better known as DDoS – attacks against them. Such attacks flood the servers of the targeted website beyond capacity with malicious traffic, making it unavailable for public viewing. As this effectively leads to unregulated censorship of online content, it is illegal in most countries. Even in countries that allow blocking and delisting of websites that engage in digital terror propaganda, only internet service providers are commonly allowed to block websites on the request or order of an administrative or judicial authority.

Indian hackers that are aiding Anonymous have also launched DDoS attacks against websites hosting extremist content. To foil future attacks, they are also tracking and spying on personal chats of suspected members and recruiters of extremist groups. Additionally, Indian hacktivists are also engaged in the illegal act of spreading spyware to track the location of suspected ISIS associates. While this monitoring by hacktivist groups may be intended to aid law enforcement, it is patently illegal and therefore principally problematic. Thus, it is critically important to examine how hacktivist cooperation in such operations can be formally endorsed, or whether it must be subjected to regulation of some manner.

Privacy concerns

The most problematic part of Anonymous’ operation is the leaking of personal information of suspected members or recruiters of ISIS, illegally obtained by hacking personal accounts. Evidently, the hacktivist group is engaged in the illegal act of gaining unauthorised access to private user information. Further, the publication of such personal information by non-law enforcement entities is a possible infringement of the privacy rights of these individuals.

Even if public interest is cited in justifying the act, we must be mindful that Anonymous is not infallible and has mistakenly identified innocent people as extremists in the past. Considering the nature of the imputed allegations and plausible repercussions, the publication of personal information of suspected extremists must be viewed more seriously. Personal information that Anonymous gained access to is certainly valuable, but must be verified independently by law enforcement authorities.

Law of the land

Hacktivist attacks are generally distinguished from cybercriminal activity as they are often employed to voice civil protest and therefore considered morally defensible. But the law recognises no such distinction and some parts of Anonymous’ operation fall outside the purview of legal permissibility. The effect of employing extra-legal means (described above) to censor extremist content and presence online must necessarily be examined to construct an informed response.

The organisational structure of Anonymous, which lacks a central command and definitive membership, makes it near-impossible to correctly pursue action against verifiable members, if deemed necessary. Regardless, it is important to realise that the impact of our response to Anonymous’ operation today is bound to shape the manner in which hacktivism is construed tomorrow.

With extremist organisations pushing their agenda online, there is a growing need to formally streamline expertise of these individuals and collectives, who have hitherto worked outside the scope of the law. They can be urged to inform larger campaigns against terror groups by working with intelligence agencies instead of operating separately.

Newer reports have claimed that a separate hacker group is engaged in identifying accounts of suspected terror affiliates on the digital currency platform Bitcoin in order to potentially hamper their financial transactions. Such unconventional engagement in anti-terror programs might even prove beneficial in inhibiting terror organisations’ access to and control of financial and physical resources. Nevertheless, we must remain cautious in our reaction to acts of such unorganised groups, as it is likely to shape both the future treatment of hacktivism and the fight against terrorism.

Cybersecurity in the Indian Banking Sector

By Shalini S.

The RBI governor, Raghuram Rajan, recently announced that the central banking institution is in the process of setting up an Information Technology (IT) subsidiary. The purpose of this IT subsidiary is to aid the RBI in effectively monitoring and supervising internet-based services offered by banks across the country. This is a welcome move for the Indian banking sector and its customers who are threatened by systemic vulnerabilities, which enable technology-related banking and financial frauds,[1] birthed primarily by the continued migration of services to internet and mobile platforms. This post examines the need for the announced subsidiary in the context of rising instances of cyber-attacks against the banking sector and proposes possible functions for the dedicated subsidiary to enhance cybersecurity in the rapidly digitizing banking sector.

While the adoption of IT for banking services offers unprecedented convenience, cost-effectiveness and speed of delivery, it is riddled with several external threats and suffers from lack of coordination.[2] With the significant operational risks of adopting information technology in the delivery of banking services, a significant rise in banking-related technology frauds has been reported, a cause for concern for customers, commercial banks and the RBI. Even though the advanced analytics on banking platforms attempt to prevent fraudulent transactions, such transactions continue, as several banks and telecom companies fail to comply with suggested and mandated safety norms. Major commercial banks have also been accused of not filing reports of suspicious transactions, an obligatory requirement when there has been an instance of unsatisfactory identification, which allows for speculation that more fraudulent transactions are attempted than are reported.

Currently, phishing, vishing, spyware or malware attacks, keylogging, data theft and other internet-based frauds have been reported to be the most common cyber-attacks against banks and their customers.[3] Despite these threats, there remains continued and even enthusiastic use of innovative, technology-backed financial services such as mobile banking and social media payment systems.

The RBI, which is the central banking institution of the country and responsible for the supervision and regulation of the finance sector, also bears the onus of evolving and enforcing parameters of banking operations. Noting the inevitability of increased digitization of traditional banking services and accompanying vulnerabilities, the RBI has previously attempted to address the issue of cybersecurity by evolving minimum standard cyber safety norms for banks and other providers of financial services. In 2010, the RBI set up a working group to examine issues arising out of IT penetration and use in the banking sector and directed banks to appoint a Chief Information Security Officer (CISO) and a steering committee on information security. Based on the report of the working group, it also issued a set of guidelines on information security, technology risk management and combating cyber fraud, in 2011. The guidelines provided detailed insight into building fraud risk perspective in banks, customizing audits to detect irregularities and vulnerabilities and even the appropriate reporting of fraud cases to law enforcement and other relevant stakeholders.[4] Even though the guidelines themselves dealt only cursorily with issues of data security and privacy, the Institute for Development and Research in Banking Technology (IDRBT), an IT institute set up by the RBI, released a handbook on information security governance for the banking sector, to act as a follow-up to the above-mentioned guidelines.

Unfortunately, these guidelines, which were considered minimum best standards and slated to be implemented in a phased manner,[5] have not been treated seriously and several banks have failed to implement these guidelines and carry out required cyber due diligence. The same year, RBI also released the Information Technology Vision Document 2011-2017 that highlighted its recognition of the enormity of the menace that is cyber-attacks and reiterated its commitment to mitigating IT fraud in the banking sector. In 2013, it also issued a circular on risk mitigation measures to be undertaken during e-payment transactions to help banks secure electronic payment transactions such as RTGS, NEFT and IMPS from cyber-attacks. Noting the significant increase in fraud in online banking transactions, RBI also advised banks to introduce two or three-stage authentication and transaction verification.[6] However, as telecom companies, whose services are used in authenticating transactions, continue to have fragile digital security and fail to follow minimum safety protocols, these transactions continue in high-risk environments[7] and are in desperate need of monitoring.

While it is clear from the measures outlined in paragraphs above that the banking industry has recognized the risks associated with the penetration of IT into financial services, the proposed IT subsidiary of RBI could prove to be a great institutional addition. The threat landscape highlighted in the paragraphs above demonstrates the need for a dedicated IT subsidiary to evaluate technical capabilities of banks and provide support in beefing up cyber security in the sector. As the exact form and mandate for the IT arm of the RBI has not been set as yet, it can also be designed to act as an information sharing resource akin to the dedicated cell that was to be formed under the aegis of IDRBT[8] and additionally work towards ensuring compliance of commercial banks with RBI notifications, codes and rules pertaining to cybersecurity and data protection. Since banking, a finance sector function, potentially falls in the category of critical information infrastructure,[9] there needs to be constant security vigilance and cyber security measures on par with global standards. In addition to exploring methods in which the possibilities of IT can be harnessed for effective, cost-efficient, real-time delivery of banking services, it is also crucial for this proposed subsidiary to concentrate on evolving binding basic standards of data security and privacy, which are currently primarily driven by the Information Technology Amendment Act, 2008 in the banking sector.[10] The subsidiary, which currently aims to track evolving threats and vulnerabilities, should also attempt to develop real-time fraud prevention models and increase customer confidence by increasing the effectiveness of independent financial IT controls.

[1] The Economic Times, Reserve Bank of India plans IT arm, to hire experts to work on banking technologies, 2015, http://economictimes.indiatimes.com/industry/banking/finance/banking/reserve-bank-of-india-plans-it-arm-to-hire-experts-to-work-on-banking-technologies/articleshow/49512043.cms (last visited Oct 26, 2015).

[2] Livemint, Banks bet big on technology to boost efficiency, curb fraud – Livemint (2011), http://www.livemint.com/Industry/8df71WBdwALasI5afwadUJ/Banks-bet-big-on-technology-to-boost-efficiency-curb-fraud.html (last visited Oct 26, 2015).

[3] The Economic Times, RBI asks banks to set up committees to protect IT data, 2011, http://articles.economictimes.indiatimes.com/2011-04-30/news/29490905_1_banking-and-mobile-banking-electronic-channels-frauds (last visited Oct 26, 2015).

[4] Amit Kashyap, Indian Banking: Contemporary Issues in Law and Challenges (2014).

[5] SearchSecurity, RBI guidelines focus on fortifying IT security by banks (2011), http://searchsecurity.techtarget.in/news/2240031005/RBI-guidelines-focus-on-fortifying-IT-security-by-banks (last visited Oct 26, 2015).

[6] The Economic Times, RBI for two-stage verification for online banking transactions, 2014, http://articles.economictimes.indiatimes.com/2014-04-22/news/49318793_1_cheque-truncation-system-authentication-transactions (last visited Oct 27, 2015).

[7] Sharad Vyas, Mumbaikars beware! Your bank details are being stolen and sold! Mid-day (2015), http://www.mid-day.com/articles/mumbaikars-beware-your-bank-details-are-being-stolen-and-sold/16218163 (last visited Oct 28, 2015).

[8] See, Institute for Development and Research in Banking Technology, Consultancy Report on An initiative for research and intelligence gathering related to security incidents in financial services sector for analysis & sharing of insight (2012), http://www.idrbt.ac.in/PDFs/PT%20Reports/2012/RekhaAG_AnInitiative_2012.pdf (last visited Oct 27, 2015).

[9] See, DeitY, Cyber Security Strategy – Strategic Approach | Government of India, Department of Electronics and Information Technology (DeitY), http://deity.gov.in/content/strategic-approach (last visited Oct 26, 2015).

[10] PSA, Risk management in e-banking (2009), http://psalegal.com/upload/publication/assocFile/BANKING-LAWS-BULLETIN-ISSUE-II_1288782887.pdf (last visited Oct 26, 2015).