Understanding CERT-In’s Cybersecurity Directions, 2022

Sukanya Thapliyal

“Cyber Specialists” by Khahn Tran is licensed under CC BY 4.0

INTRODUCTION

The Indian Government is set to initiate a widely discussed cybersecurity regulation later this month. On April 28, 2022, India’s national agency for computer incident response, also known as the Indian Computer Emergency Response Team (CERT-In), released Directions relating to information security practices, the procedure, prevention, response, and reporting of cyber incidents for Safe & Trusted Internet. These Directions were introduced under section 70B(6) of India’s Information Technology Act, 2000 (IT Act). This provision allows CERT-In to call for information and issue Directions to carry out its obligations relating to:
1. facilitating the collection, analysis and dissemination of information related to cyber incidents,
2. releasing forecasts and alerts, and
3. taking emergency measures.

According to the IT Act, the new Directions are mandatory in nature, and non-compliance attracts criminal penalties which includes imprisonment of up to one year. The notification states that the Directions will become effective 60 days from the days of issuance i.e. on June 28, 2022. The Directions were later followed by a separate Frequently Asked Questions (FAQ) document, released as a response to stakeholder queries and concerns.

These Directions have been introduced in response to increasing instances of cyber security incidents which undermine national security, public order, essential government functions, economic development, and security threats against individuals operating through cyberspace. Further, recognizing that the private sector is a crucial component of the digital ecosystem, the Directions also push for closer cooperation between private organisations and government enforcement agencies. Consequently, the Directions have identified sharing of information for analysis, investigation, and coordination concerning the cyber security incidents as one of its prime objectives.

POLICY SIGNIFICANCE OF DIRECTIONS

Presently, Indian cybersecurity policy lacks a definite form. The National Cyber Security Policy (NCSP) was released in 2013 serves as an “umbrella framework for defining and guiding the actions related to security of cyberspace”. However, the policy has seen very limited implementation and has been mired in a multi-year reform which awaits completion. The new cybersecurity strategy is still in the works, and there is no single agency to oversee all relevant entities and hold them accountable.

Cybersecurity policymaking and governance are progressing through different government departments at national and state levels in silos and in a piecemeal manner. Several cybersecurity experts have also identified the lack of adequate technical skills and resource constraints as a significant challenge for government bodies. The Indian cybersecurity policy landscape needs to address these existing and emerging threats and challenges by instilling appropriate security standards, efficient implementation of modern technologies, framing of effective and laws and security policies, and adapting multi-stakeholder approaches within cybersecurity governance.

Industry associations and lobby groups such as US Chamber of Commerce (USCC), US-India Business Council (USIBC), The Software Alliance (BSA), and Information Technology Industry Council (ITI) have responded to the Directions with criticism. These organisations have stated that these Directions, in present format, would negatively impact Indian and global enterprises and undermine cybersecurity. Moreover, the Directions were released without any public consultations and therefore, lack necessary stakeholder inputs from across industry, civil society, academia and technologists.

The new CERT-In Directions mandate covered entities (service providers, intermediaries, data centers, body corporate and governmental organisations) to comply with prescriptive requirements that include time synchronisation of ICT clocks, excessive data retention requirements, 6 hr reporting requirement of cyber incidents, among others. The next section critically evaluates salient features of the Directions.

SALIENT FEATURES OF THE DIRECTIONS

Time Synchronisation: Clause (i) of the Directions mandates service providers, intermediaries, data centers, body corporate and governmental organisations to connect to the Network Time Protocol (NTP) Server of National Informatics Centre (NIC) or National Physical Laboratory (NPL) or with NTP servers traceable to these NTP servers, for synchronisation of all their ICT systems clocks. For organisations whose operations span multiple jurisdictions, the Directions allow relaxation by allowing them to use alternative servers. However, the time source of concerned servers should be the same as that of NPL or NIC. Several experts have raised that the requirement as extremely cumbersome, resource-intensive, and not in conformity with industry best practices. As per the established practice, companies often base their decision regarding NTP servers on practicability (lower latency) and technical efficiency. The experts have raised concerns over the technical and resource constraints with NIC and NPL servers in managing traffic volumes, and thus questioning the practical viability of the provision. .

Six-hour Reporting Requirement: Clause (ii) requires covered entities to mandatorily report cyber incidents within six hours of noticing such incidents or being notified about such incidents. The said Direction imposes a stricter requirement than what has been prescribed under Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (CERT-In Rules) that allows the covered entities to report the reportable cyber incident within “a reasonable time of occurrence or noticing the incident to have scope for timely action”. The six hour reporting requirement is also stricter than the established norms in other jurisdictions, including the USA, EU, UK, and Australia. Such reporting requirements normally range from 24 hours to 72 hours, depending upon the affected sector, type of cyber intrusion, and attack severity. The CERT-In Directions make no such distinctions in its reporting requirement. Further, the reportable cyber security incidents under Annexure 1 feature an expanded list of cyber incidents (compared to what are mentioned in the CERT-In Rules). These reportable cyber incidents are defined very broadly and range from unauthorised access to systems, identity theft, spoofing and phishing attacks to data branches and data theft. Considering that an average business entity with digital presence engages in multiple digital activities and there is no segregation on the basis of scale or severity of incident, the Direction may be impractical to achieve, and may create operational/compliance challenges for many smaller business entities covered under the Directions. Government agencies often require business entities to comply with incident/breach reporting requirements to understand macro cybersecurity trends, cross-cutting issues, and sectoral weaknesses. Therefore, governments must design cyber incident reporting requirements tailormade to sectors, severity, risk and scale of impact. Not making these distinctions can make reporting exercise resource-intensive and futile for both affected entities and government enforcement agencies.

Maintenance of logs for 180 days for all ICT systems within India: Clause (iv) mandates covered entities to maintain logs of all the ICT systems for a period of 180 days and to store the same within Indian jurisdiction. Such details may be provided to CERT-In while reporting a cyber incident or otherwise when directed. Several experts have raised concerns over a lack of clarity regarding scope of the provision. The term “all ICT systems” in its present form could include a huge trove of log information that may extend up to 1 Terabyte a day. It further requires the entities to retain log information for 180 days as opposed to the current industry practice (30 days). This Direction is not in line with the purpose limitation and the data minimisation principles recognized widely in several other jurisdictions including EU’s General Data Protection Regulation (GDPR) and does not provide adequate safeguard against indiscriminate data collection that may negatively impact the end users. Further, many experts have pointed out that the concerned Direction lacks transparency and is detrimental to the privacy of the users. As the log information often carries personally indefinable information (PII), the provision may conflict with users informational privacy rights. CERT-In’s Directions are not sufficiently clear on the safeguard measures to balance legal enforcement objectives with the fundamental rights.

Strict data retention requirements for VPN and Cloud Service Providers: Clause (v) requires “Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers” to register accurate and detailed information regarding subscribers or customers hiring the services for a period of 5 years or longer after any cancellation or withdrawal of the registration. Such information shall include the name, address, and contact details of subscribers/ customers hiring the services, their ownership pattern, the period of hire of such services, and e-mail ID, IP address, and time stamp used at the time of registration. Clause (vi) directs virtual asset service providers, virtual asset exchange providers, and custodian wallet providers to maintain all KYC records and details of all financial transactions for a five year period. These Directions are resource-intensive and would substantially increase the compliance cost for many companies. It is also important to note that bulk data retention for a longer time period also creates greater vulnerabilities and attack surfaces of private/sensitive/commercial ICT use. As India is still to enact its data protection law, and the Directions are silent on fundamental rights safeguards, it has also led to serious privacy concerns. Further, some entities covered under this direction, including VPS or VPN providers, are privacy and security advancing services that operate on a strict no-log policy. VPN services provide a secure channel for storing and sharing information by individuals and businesses. VPNs are readily used by the business and individuals to protect themselves on unsecured, public Wifi networks, prevent website tracking, protect themselves from malicious websites, against government surveillance, and for transferring sensitive and confidential information. While VPNs have come under fire for being used by cybercriminals and other malicious actors, a blanket requirement for maintaining logs and excessive data retention requirement goes against the very nature of the service and may render these services pointless (and even insecure) for many users. The Frequently Asked Questions (FAQs), released following the CERT-In Directions have absolved the Enterprise/Corporate VPNs from the said requirement. However, the Directions still stand for VPN Service providers that provide “Internet proxy like services” to general Internet subscribers/users. As a result, some of the largest VPN service providers including NordVPN, and PureVPN have indicated the possibility of pulling their servers out of India and quitting their operations in India.

In a separate provision [Clause (iii)], CERT-In has also directed the service providers, intermediaries, data centers, body corporate, and government organisations to designate a point of contact to interface with CERT-In. The Directions have also asked the covered entities to provide information or any other assistance that CERT-In may require as part of cyber security mitigation actions and enhanced cyber security situational awareness.

CONCLUSION

Our ever-growing dependence on digital technology and its proceeds has exposed us to several vulnerabilities. Therefore, the State plays a vital role in intervening through concrete and suitable policies, institutions and digital infrastructures to protect against future cyber threats and attacks. However, the task is too vast to be handled by the governments alone and requires active participation by the private sector, civil society, and academia. While the government has a broader perspective of potential threats through law enforcement and intelligence organisations and perceives cybersecurity concerns from a national security lens, the commercial and fundamental rights dimensions of cybersecurity would benefit from inputs from the wider stakeholder community across the cybersecurity ecosystem.

Although in recent years, India has shown some inclination of embracing multi-stakeholder governance within cybersecurity policymaking, the CERT-In Directions point in the opposite direction. Several of the directions mentioned by the CERT-In, such as the six-hour reporting requirement, excessive data retention requirements, synchronisation of ICT clocks indicate that the government appear to adopt a “command and control” approach which may not be the most beneficial way of approaching cybersecurity issues. Further, the Directions have also failed to address the core issue of capacity constraints, lack of skilled specialists and lack of awareness which could be achieved by establishing a more collaborative approach by partnering with the private sector, civil society and academia to achieve the shared goal of cybersecurity. The multi stakeholder approaches to policy making have stood the test of time and have been successfully applied in a range of policy space including climate change, health, food security, sustainable economic development, among others. In cybersecurity too, the need for effective cross-stakeholder collaboration is now recognised as a key to solving difficult and challenging policy issues and produce credible and workable solutions. The government, therefore, needs to affix institutions and policies that fully recognize the need and advantages of taking up multi stakeholder approaches without compromising accountability systems that give due consideration to security threats and safeguard citizen rights.

Guest Post: Evaluating MIB’s emergency blocking power under Rule 16 of the 2021 IT Rules (Part II)

This post is authored by Dhruv Bhatnagar

Part I of this two part-series examined the contours of Rule 16 of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“2021 IT Rules”), and the  Bombay High Court’s rationale for refusing to stay the rule in the Leaflet case. This second part examines the legality and constitutionality of Rule 16. It argues that the rule’s constitutionality may be contested because it deprives impacted content publishers of a hearing when their content is restricted. It also argues that the MIB should provide information on blocking orders under Rule 16 to allow them to be challenged, both by users whose access to information is curtailed, and by publishers whose right to free expression is restricted.

Rule 16’s legality

At its core, Rule 16 is a legal provision granting discretionary authority to the government to take down content. Consistently, the Supreme Court (“SC”) has maintained that to be compliant with Article 14, discretionary authority must be backed by adequate safeguards.[1] Admittedly, Rule 16 is not entirely devoid of safeguards since it envisages an assessment of the credibility of content blocking recommendations at multiple levels (refer Part I for context). But this framework overlooks a core principle of natural justice – audi alteram partem (hear the other side) – by depriving the impacted publishers of a hearing.

In Tulsiram Patel, the SC recognised principles of natural justice as part of the guarantee under Article 14 and ruled that any law or state action abrogating these principles is susceptible to a constitutionality challenge. But the SC also found that natural justice principles are not absolute and can be curtailed under exceptional circumstances. Particularly, audi alteram partem, can be excluded in situations where the “promptitude or the urgency of taking action so demands”.

Arguably, the suspension of pre-decisional hearings under Rule 16 is justifiable considering the rule’s very purpose is to empower the Government to act with alacrity against content capable of causing immediate real-world harm. However, this rationale does not preclude the provision of a post-decisional hearing under the framework of the 2021 IT Rules. This is because, as posited by the SC in Maneka Gandhi (analysed here and here), the “audi alteram partem rule is sufficiently flexible” to address“the exigencies of myriad kinds of situations…”. Thus, a post-decisional hearing to impacted stakeholders, after the immediacy necessitating the issuance of interim blocking directions had subsided, could have been reasonably accommodated within Rule 16. Crucially, this would create a forum for the State to justify the necessity and proportionality of its speech restriction to the individuals’ impacted (strengthening legitimacy) and the public at large (strengthening the rule of law and public reasoning). Finally, in the case of ex-facie illegal content, originators are unlikely to avail of post-facto hearings, mitigating concerns of a burdensome procedure.       

Rule 16’s exercise by MIB

Opacity

MIB has exercised its power under Rule 16 of the 2021 IT Rules on five occasions. Collectively, it has ordered the blocking of approximately 93 YouTube channels, 6 websites, 4 Twitter accounts, and 2 Facebook accounts. Each time, MIB has announced content blocking only through press releases after theorders were passed but has not disclosed the actual blocking orders.

MIB’s reluctance to publish its blocking orders renders the manner it is exercising power under Rule 16 opaque. Although press statements inform the public that content has been blocked, blocking orders are required (under Rule 16(2) and Rule 16(4)) to record the reasons for which the content has been blocked. As discussed above, this limits the right to free expression of the originators of the content and denies them the ability to be heard.

Additionally, content recipients, whose right to view content and access information is curtailed through such orders, are not being made aware of the existence of these orders by the Ministry directly. Pertinently, the 2021 IT Rules appear to recognise the importance of informing users about the reasons for blocking digital content. This is evidenced by Rule 4(4), which requires ‘significant social media intermediaries’ to display a notice to users attempting to access proactively disabled content. However, in the absence of similar transparency obligations upon MIB under the 2021 IT Rules, content recipients aggrieved by the Ministry’s blocking orders may be compelled to rely on the cumbersome mechanism under the Right to Information Act, 2005 to seek the disclosure of these orders to challenge them.   

Although the 2021 IT Rules do not specifically mandate the publication of blocking orders by MIB, this obligation can be derived from the Anuradha Bhasin verdict. Here, in the context of the Telecom Suspension Rules, the SC held that any order affecting the “lives, liberty and property of people” must be published by the government, “regardless of whether the parent statute or rule prescribes the same”. The SC also held that the State should ensure the availability of governmental orders curtailing fundamental rights unless it claims specific privilege or public interest for refusing disclosure. Even then, courts will finally decide whether the State’s claims override the aggrieved litigants’ interests.

Considering the SC’s clear reasoning, MIB ought to make its blocking orders readily available in the interest of transparency, especially since a confidentiality provision restricting disclosure, akin to Rule 16 of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009 (“2009 Blocking Rules”), is absent in the 2021 IT Rules.   

Overuse

Another concerning trend is MIB’s invocation of its emergency content-blocking power as the norm rather than the exception it was meant to be. For context, the 2021 IT Rules provide a non-emergency blocking process under Rules 14 and 15, whereunder impacted publishers are provided a pre-decisional hearing before an Inter-Departmental Committee required to be constituted under Rule 13(1)(b). However, thus far, MIB has exclusively relied on its emergency power to block ostensibly problematic digital content, including fake news.

While the Bombay High Court in the Leaflet case declined to expressly stay Rule 14 (noting that the Inter-Departmental Committee was yet to be set up) (¶19), the High Court’s stay on Rule 9(3) creates a measure of ambiguity as to whether Rules 14 and 15 are currently in effect. This is because Rule 9(3) states that there shall be a government oversight mechanism to “ensure adherence to the Code of Ethics”. A key part of this mechanism is the Inter-Departmental Committee whose role is to decide “violation[s] or contravention[s] of the Code of Ethics” (Rule 14(2)). The High Court even notes that it is “incomprehensible” how content may be taken down under Rule 14(5) for violating the Code of Ethics (¶27). Thus, despite the Bombay High Court’s refusal to stay Rule 14, it is arguable that the High Court’s stay on the operation of Rule 9(3) to prevent the ‘Code of Ethics’ from being applied against online news and curated content publishers, may logically extend to Rule 14(2) and 15. However, even if the Union were to proceed on a plain reading of the Leaflet order and infer that the Bombay High Court did not stay Rules 14 and 15, it is unclear if the MIB has constituted the Inter-Departmental Committee to facilitate non-emergency blocking.     

MeitY has also liberally invoked its emergency blocking power under Rule 9 of the 2009 Blocking Rules to disable access to content. Illustratively, in early 2021 Twitter received multiple blocking orders from MeitY, at least two of which were emergency orders, directing it to disable over 250 URLs and a thousand accounts for circulating content relating to farmers’ agitation against contentious farm laws. Commentators have also pointed out that there are almost no recorded instances of MeitY providing pre-decisional hearings to publishers under the 2009 Blocking Rules, indicating that in practice this crucial safeguard has been rendered illusory.  

Conclusion

Evidently, there is a need for the MIB to be more transparent when invoking its emergency content-blocking powers. A significant step forward in this direction would be ensuring that at least final blocking orders, which ratify emergency blocking directions, are made readily available, or at least provided to publishers/originators. Similarly, notices to any users trying to access blocked content would also enhance transparency. Crucially, these measures would reduce information asymmetry regarding the existence of blocking orders and allow a larger section of stakeholders, including the oft-neglected content recipients, the opportunity to challenge such orders before constitutional courts.

Additionally, the absence of hearings to impacted stakeholders, at any stage of the emergency blocking process under Rule 16 of the 2021 IT Rules limits their right to be heard and defend the legality of ‘at-issue’ content. Whilst the justification of urgency may be sufficient to deny a pre-decisional hearing, the procedural safeguard of a post-decisional hearing should be incorporated by MIB.

The aforesaid legal infirmities plague Rule 9 of the 2009 Blocking Rules as well, given its similarity with Rule 16 of the 2021 IT Rules. The Tanul Thakur case presents an ideal opportunity for the Delhi High Court to examine and address the limitations of these rules. Civil society organisations have for years advocated (here and here) for incorporation of a post-decisional hearing within the emergency blocking framework under the 2009 Blocking Rules too. Its adoption and diligent implementation could go a long way in upholding natural justice and mitigating the risk of arbitrary content blocking.


[1] State of Punjab v. Khan Chand, (1974) 1 SCC 549; Virendra v. The State of Punjab & Ors., AIR 1957 SC 896; State of West Bengal v. Anwar Ali, AIR 1952 SC 75.

Guest Post: Evaluating the legality of MIB’s emergency blocking power under the 2021 IT Rules (Part I)

This post is authored by Dhruv Bhatnagar

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“2021 IT Rules”) were challenged before several High Courts (refer here and here) almost immediately after their promulgation. In one such challenge, initiated by the publishers of the online news portal ‘The Leaflet’, the Bombay High Court, by an order dated August 14, 2021,  imposed an interim stay on the operation of Rules 9(1) and (3) of the 2021 IT Rules. Chiefly, this was done because these provisions subject online news and curated content publishers to a vaguely worded ‘code of ethics’, adherence to which would have had a ‘chilling effect’ on their freedom of speech. However, the Bombay High Court refused to stay Rule 16 of these rules, which empowers the Ministry of Information and Broadcasting (“MIB”) to direct blocking of digital content during an “emergency” where “no delay is acceptable”.

Part I of this two-part series, examines the contours of Rule 16 and argues that the Bombay High Court overlooked the procedural inadequacy of this rule when refusing to stay the provision in the Leaflet case. Part II assesses the legality and constitutionality of the rule.

Overview of Rule 16

Part III of the 2021 IT Rules authorises the MIB to direct blocking of digital content in case of an ‘emergency’ in the following manner:

The MIB has correctly noted that Rule 16 is modelled after Rule 9 of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009 (“2009 Blocking Rules”) (analysed here), and confers upon the MIB similar emergency blocking powers which the Ministry of Electronics and Information Technology (“MeitY”) has possessed since 2009. Both provisions confer discretion upon authorised officers to determine what constitutes an emergency but fail to provide a hearing to impacted publishers or intermediaries at any stage.

Judicial findings on Rule 16

The Bombay High Court’s order in the Leaflet case is significant since it is the first time a constitutional court has recorded its preliminary findings on the rule’s legitimacy. Here, the Bombay High Court refused to stay Rule 16 primarily for two reasons. First, the High Court held that Rule 16 of the 2021 IT Rules is substantially similar to Rule 9 of the 2009 Blocking Rules, which is still in force. Second, the grounds upon which Rule 16 permits content blocking are coextensive with the grounds on which speech may be ‘reasonably restricted’ under Article 19(2) of the Indian Constitution. Respectfully, the plausibility of this reasoning is contestable:

Equivalence with the 2009 Blocking Rules: Section 69A of the IT Act and the 2009 Blocking Rules were previously challenged in Shreya Singhal, where both were upheld by the Supreme Court (“SC”). However, establishing an equivalence between Rule 16 of the 2021 IT Rules and Rule 9 of the 2009 Blocking Rules to understand the constitutionality of the former would have been useful only if Shreya Singhal contained a meaningful analysis of Rule 9. However, the SC did not examine this rule but rather broadly upheld the constitutionality of the 2009 Blocking Rules as a whole due to the presence of certain safeguards including: (a) the non-emergency process for content blocking under the 2009 Blocking Rules includes a pre-decisional hearing to identified intermediaries/originators before content was blocked; and (b) the 2009 Blocking Rules mandate the recording of reasons in blocking orders so that they may be challenged under Article 226 of the Constitution

However, the SC did not consider that the emergency blocking framework under Rule 9 of the 2009 Blocking Rules not only allows MeitY to bypass the essential safeguard of a pre-decisional hearing to impacted stakeholders but also fails to provide them with either a written order or a post-decisional hearing. It also did not address that Rule 16 of the 2009 Blocking Rules, which mandates confidentiality of blocking requests and subsequent actions, empowers MeitY to refuse disclosure of blocking orders to impacted stakeholders thus depriving them of the opportunity to challenge such orders.

In fact, Rule 16 was cited by MeitY as a basis for denying film critic Mr. Tanul Thakur access to the blocking order by which his satirical website ‘Dowry Calculator’ was banned. Mr. Thakur challenged Rule 16 of the 2009 Blocking Rules and highlighted the secrecy with which MeitY exercises its blocking powers in a writ petition which is being heard by the Delhi High Court. Recently, through an interim order dated 11 May 2022, the Delhi High Court directed MeitY to provide Mr. Thakur with a copy of the blocking order blocking his website, and offer him a post-decisional hearing. This is a significant development since it is the first recorded instances of such a hearing being provided to an originator under the 2009 Blocking Rules.

Thus, the Bombay High Court’s attempt in the Leaflet case to claim equivalence with Rule 9 of the 2009 Blocking Rules as a basis to defend the constitutionality of Rule 16 of the 2021 IT Rules was inapposite since Rule 9 itself was not substantively reviewed in Shreya Singhal, and its operation has since been challenged on constitutional grounds.

Procedural safeguards: Merely because Rule 16 of the 2021 IT Rules permits content blocking only under the circumstances enumerated under Article 19(2), does not automatically render it procedurally reasonable. In People’s Union of Civil Liberties (“PUCL”) the SC examined the procedural propriety of Section 5(2) of the Telegraph Act, 1885, which permits phone-tapping. Even though this provision restricts fundamental rights only on constitutionally permissible grounds, the SC found that substantive law had to be backed by adequate procedural safeguards to rule out arbitrariness. Although the SC declined to strike down Section 5(2) in PUCL, it framed interim guidelines to govern the provision’s exercise to compensate for the lack of adequate safeguards.

Since Rule 16 restricts the freedom of speech, its proportionality should be tested as part of any meaningful constitutionality analysis. To be proportionate, restrictions on fundamental rights must satisfy four prongs[1]: (a) legality – the requirement of a law having a legitimate aim; (b) suitability – a rational nexus between the means adopted to restrict rights and the end of achieving this aim, (c) necessity – proposed restrictions must be the ‘least restrictive measures’ for achieving the aim; and (d) balancing – balance between the extent to which rights are restricted and the need to achieve the aim. Justice Kaul’s opinion in Puttaswamy (9JB) also highlights the need for procedural safeguards against the abuse of measures interfering with fundamental rights (para 70 Kaul J).  

Arguably, by demonstrating the connection between Rule 16 and Article 19(2), the Bombay High Court has proven that Rule 16 potentially satisfies the ‘legality’ prong. However, even at an interim stage, before finally ascertaining Rule 16’s constitutionality by testing it against the other proportionality parameters identified above, the Bombay High Court should have considered whether the absence of procedural safeguards under this rule merited staying its operation.

For these reasons, the Bombay High Court could have ruled differently in deciding whether to stay the operation of Rule 16 in the Leaflet case. While these are important considerations at the interim stage, ultimately the larger question of constitutionality must be addressed. The second post in this series will critically examines the legality and constitutionality of Rule 16.


[1] Modern Dental College and Research Centre and Ors. v. State of Madhya Pradesh and Ors., (2016) 7 SCC 353; Justice K.S. Puttaswamy & Ors. v. Union of India (UOI) & Ors., (2019) 1 SCC 1; Anuradha Bhasin and Ors. v. Union of India (UOI) & Ors., (2020) 3 SCC 637.

Critiquing the Definition of Cyber Security under India’s Information Technology Act

Archit Lohani

“Security Measures” by Afsal CMK is licensed under CC BY 4.0

Introduction

As boundary-less cyberspace becomes increasingly pervasive, cyber threats continue to pose serious challenges to all nations’ economic security and digital development. For example, sophisticated attacks such as the WannaCry ransomware attack in 2017 rendered more than two million computers useless with estimated damages of up to four billion dollars. As cyber security threats continue to proliferate and evolve at an unprecedented rate, incidents of doxing, distributed denial of service (DDoS), and phishing attacks are on the rise and are being offered as services for hire. The task at hand is intensified due to the sheer number of cyber incidents in India. A closer look suggests that the challenge is exacerbated due to an outdated framework and lack of basic safeguards.

This post will examine one such framework, namely the definition of cybersecurity under the Information Technology Act, 2000 (IT Act).

Under Section 2(1)(nb) of the IT Act:

“cyber security” means protecting information, equipment, devices computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction;

This post contends that the Indian definitional approach adopts a predominantly technical view of cyber security and restricts effective measures to ensure cyber-resilience between governmental authorities, industry, non-governmental organisations, and academia. This piece also juxtaposes the definition against key elements from global standards under foreign legislations and industry practices.

What is Cyber security under the IT Act?

The current definition of cyber security was adopted under the Information Technology (Amendment) Act, 2009. This amendment act was hurriedly adopted in the aftermath of the Mumbai 26/11 terrorist attacks of 2008.  The definition was codified to facilitate protective functions under Sections 69B and 70B of the IT Act. Section 69B enables monitoring and collection of traffic data to enhance cyber security, prevent intrusion and spread of contaminants. Section 70B institutionalised Computer Emergency Response Team (CERT-In), to identify, forecast, issue alerts and guidelines, coordinate cyber incident response, etc. and further the state’s cyber security imperatives. Subsequently, the evolution of various institutions that perform key functions to detect, deter, protect and adapt cybersecurity measures has accelerated. However, this post argues that the current definition fails to incorporate elements necessary to contemporise and ensure effective implementation of cyber security policy.

Critique of the IT Act definition

It is clear that deterrence has failed as the volume of incidents does not appear to abate, making cyber-resilience a realistic objective that nations should strive for. The definition under the IT Act is an old articulation of protecting the referent objects of security- “information, equipment, devices computer, computer resource, communication device and information” against specific events that aim to cause harm these objects through “unauthorised access, use, disclosure, disruption, modification or destruction”.

There are a few issues with this dated articulation of cybersecurity. First, it suffers from the problem of restrictive listing as to what is being protected (aforementioned referent objects). Second, by limiting the referent objects and events within the definition it becomes prescriptive. Third, the definition does not capture the multiple, interwoven dimensions and inherent complexity of cybersecurity which includes interactions between humans and systems. Fourth, due to limited enlisting of events, similar protection is not afforded from accidental events and natural hazards to cyberspace-enabled systems (including cyber-physical systems and industrial control systems). Fifth, the definition is missing key elements – (1) It does not include technological solutions aspect of cyber security such as in the International Telecommunication Union (2009) definition that acknowledges “technologies that can be used to protect the cyber environment” and; (2) fails to incorporate the strategies, processes, and methods that will be undertaken. With key elements missing from the definition, it falls behind contemporary standards, which are addressed in the following section.

To put things in perspective, global conceptualisations of cybersecurity are undergoing a major overhaul to accommodate the increased complexity, pace, scale and interdependencies across the cyberspace and information and communication technologies (ICT) environments. In comparison, the definition under the IT Act has remained unchanged.

Although wider conceptualisations have been reflected through international and national engagements such as the National Cyber Security Policy (NCSP). For example, within the mission statement the policy document recognises technological solution elements; and interactions between humans and ICTs in cyberspace as one key rationale behind the cyber security policy.

However, differing conceptualisations across policy and legislative instruments can lead to confusion and introduce implementational challenges within cybersecurity regulation. For example, the 2013 CERT-In Rules rely on the IT Act’s definition of cyber security and define cyber security incidents and cyber security breaches. Further emphasising the narrow and technically dominant discourse which relate to the confidentiality, integrity, and availability triad.

The following section examines a few other definitions to illustrate the shortcomings highlighted above.

Key elements of Cyber security

Despite a plethora of definitions, there is no universal agreement on the conceptualisation of cybersecurity globally. This has manifested into the long-drawn deliberations at various international fora.

Cybersecurity aims to counter and tackle a constantly evolving threat landscape. Although it is difficult to build consensus on a singular definition, a few key features can be agreed upon. For example, the definition must address interdisciplinarity inherent to cyber security, its dynamic nature and the multi-level complex ecosystem cyber security exists in. A multidisciplinary definition can aid authorities and organizations in having visibility and insight as to how new technologies can affect their risk exposure. It will further ensure that such risks are suitably mitigated. To effectuate cyber-resilience, stakeholders have to navigate governance, policy, operational, technical and legal challenges.

An inclusive definition can ensure a better collective response and bring multiple stakeholders to the table. To institutionalise greater emphasis on resilience an inclusive definition can foster cooperation between various stakeholders rather than a punitive approach that focuses on liability and criminality. An inclusive definition can enable a bottom-up approach in countering cyber security threats and systemic incidents across sectors. It can also further CERT-In’s information-sharing objectives through collaboration between stakeholders under section 70B of the IT Act.

When it comes to the regulation of technologies that embody socio-political values, contrary to popular belief that technical deliberations are objective and value-neutral, such discourse (in this case, the definition) suffers from the dominance of technical perspectives. For example, the definition of cybersecurity under the National Institute of Standards and Technology (NIST) framework is, “the ability to protect or defend the use of cyberspace from cyber-attacks” directs the reader to the definitions of cyberspace and cyberattack to extensively cover its various elements. However, the said definitions also has a predominantly technical lens.

Alternatively, definitions of cyber security would benefit from inclusive conceptions that factor in human engagements with systems, acknowledge interrelated dimensions and inherent complexities of cybersecurity, which involves dynamic interactions between all inter-connected stakeholders. An effective cybersecurity strategy entails a judicious mix of people, policies and technology, as well as a robust public-private partnership.

Cybersecurity is a broad term and often has highly variable subjective definitions. This hinders the formulation of appropriately responsive policy and legislative actions. As a benchmark, we borrow the Dan Purse et al. definition of cybersecurity– “the organisation and collection of resources, processes, and structures used to protect cyberspace and cyberspace-enabled systems from occurrences that misalign de jure from de facto property rights.” The benefit of this articulation is that it necessitates a deeper understanding of the harms and consequences of cyber security threats and their impact. However, this definition cannot be adopted within the Indian legal framework as (a) property rights are not recognised as fundamental rights and (b) this narrows its application to a harms and consequences standard.

Most importantly, the authors identify five common elements to form a holistic and effective approach towards defining cybersecurity. The following elements are from a literature review of 9 cybersecurity definitions are:

  • technological solutions
  • events
  • strategies, processes, and methods
  • human engagement; and
  • referent objects.

These elements highlight the complexity of the process and involve interaction between humans and systems for protecting the digital assets and themselves from various known and unknown risks. Simply put, any unauthorized access, use, disclosure, disruption, modification or destruction results in at least, a loss of functional control over the affected computer device or resource to the detriment of the person and/or legal entity in whom lawful ownership of the computer device or resource is vested. The definition codified under the IT Act only partly captures the complexity of ‘cyber security’ and its implications.

Conclusion

Economic interest is a core objective that necessitates cyber-resilience. Recognising the economic consequences of such attacks rather than protecting limited resources such as computer systems acknowledges the complex approaches to cybersecurity. Currently, the definition of cybersecurity is dominated by technical perspectives, and disregards other disciplines that should be ideally acting in concert to address complex challenges. Cyber-resilience can be operationalised through a renewed definition; divergent approaches within India to tackle cybersecurity challenges will act as a strategic barrier to economic growth, data flow, investments, and most importantly effective security. It will also divert resources away from more effective strategies and capacity investments. Finally, the Indian approach should evolve and stem from the threat perception, the socio-technical character of the term, and aim to bring cybersecurity stakeholders together.

Innovative Reporting and Policing to curb Cyber Crime

By Shalini S

Cyberspace has been continually emerging as a significant forum of criminal activity that requires specialized monitoring. However, cyber crime cases often go unreported in India further increasing online vulnerability. Even reported cases mostly result in acquittal due to the lack of forensic infrastructure and trained policed personnel, who are able to retrieve and present adequate and admissible digital evidence.

Recognizing the difficulty of investigating high-technology crime by technically untrained police personnel, a specialized cyber crime cell was first established in Bangalore in 1999. Soon after, in 2001, the cell was declared as a cyber crime police station, the first one to have been established in India and exercising jurisdiction over Karnataka. A multidisciplinary group of experts was set to aid the police station in investigating registered cyber crime cases.

To tackle the mounting number of cyber crime cases being reported across the country, other states followed suit and several cyber crime investigation cells were established throughout India. At present at least 21 Indian states including New Delhi, Karnataka, Andhra Pradesh, Tamil Nadu, Maharashtra, Odisha and Uttar Pradesh have such dedicated anti-cyber crime cells. Some states which face higher incidence of cyber crime, such as Maharashtra and Odisha even have multiple cyber crime cells or cyber crime police stations staffed with tech-savvy officers.

These cells have been setup specifically to detect, prevent and investigate cyber crimes that fall within the ambit of Information Technology Amendment Act, 2008 (Central Act, 2000) and assist other law enforcement agencies in investigating computer-related crime. The specialized cells are generally equipped with high-tech software and hardware equipment required to pursue investigation of cyber crimes. They are also typically manned by specially trained police officers proficient in conducting cyber crime probes. They play a critical role in quickly retrieving digital evidence in a manner that allows it to be admissible in courts. Some of these cells also organize occasional awareness drives to educate the general public on cyber crime, in collaboration with other stakeholders.

While bigger cyber cells are sufficiently equipped to handle cyber crime complaints, local cells often lack expertise and competence in dealing with instances of cyber crime. This however, has not discouraged law enforcement agencies as they continue to innovate creatively to address the problem of cyber crime in India. Some of these innovative reporting and policing methods adopted in India have been described below.

The Delhi Police announced that FIRs for economic fraud and cyber crime cases could be filed through a mobile application that they were set to launch. This initiative was launched in order to simplify the procedure involved in filing a cyber crime complaint, increase transparency and encourage more victims to file complaints. Use of technology to enable simplified online cyber crime reporting is likely to increase the rate of reporting of cyber crime by victims, a view also espoused in a recent ASSOCHAM-EY study.

The Mumbai Police launched an interactive platform that is designed to help law enforcement agencies with detection of cyber crimes. The application which is termed Collaborative Online Crime Control Network (Coin) is linked to global cyber law databases of over 50 countries and help investigators identify offences under both the Information Technology Act, 2000 and cyber laws of other jurisdictions.

Additionally, the first private cyber crime reporting helpline has also begun operation in the Delhi-NCR region and provides technical assistance to victims upon receiving a complaint about a cyber offence. The helpline is generally used by victims who did not want to formally report cases to law enforcement agencies. It was conceptualized taking inspiration from the Internet Crime Complaint Centre (IC3.gov) operated by FBI. Of the complaints received, some serious crimes were forwarded to the Delhi police for investigation.

The Central Bureau of Investigation (CBI) is also engaged in the fight against cyber crime and has several specialized structures engaged in understanding and combatting cyber crime in India. It is also seemingly equipped with the expertise and equipment to deal with a high-technology crime as it functions as INTERPOL’s National Central Reference Points for Computer-Related Crime. The Cyber Crime Research and Development Unit (CCRDU) liaises with state police to collect information, track developments and trends in cyber crime and disseminates information on cyber crime.  The Cyber Crime Investigation Cell (CCIC) exercises jurisdiction throughout India and possesses the power to investigate high technology crime even if they are not covered under the IT Act. The Cyber Forensics Laboratory of the CBI even provides technical help to other law enforcement agencies in ongoing cyber crime investigation.

India is facing a slew of cyber-attacks, launched from both within and outside its border and it is undisputed that there must be determined efforts for better protection. While it is unclear whether tangible changes in cyber crime trends have already been noted after their introduction, creative reporting and policing initiatives are bound to effectively curb cyber crime rates by bringing an attitude change in victims and law enforcement officers.

Online Harrasment and Legal Remedies

By Shrutanjaya Bhardwaj

Background

The information in this piece had originally been collected for an awareness session hosted by JaagoTeens for college students in DU, for which I had gone with CCG Fellow Aarti Bhavana. While preparing for the same, I had reached out to all my friends and relatives to gather instances of online sexual harassment faced by them or those they knew, in order to prepare case studies relatable to by college students. Within two hours, (un)fortunately, my phone was full of replies.

What is most troubling is that these are not cherry-picked accounts. In fact, what I present below is a compilation of generic instances of humiliation all women face at some point in their lives – the product of a sick sense of entitlement over a woman’s body and person that our society constantly feeds into every man it bears. Most of my (mostly female) friends and relatives had gotten back to me with an added comment: “Every woman you write to would know about this.”

My immediate motive is to set out here the provisions of the Indian Penal Code (as amended in 2013; hereinafter IPC) as well as the Information Technology Act (as amended in 2008; hereinafter IT Act) that deal with, or have the potential to deal with, cases such as those hereinafter mentioned. While Case I is that of harassment being caused by a stranger, while Case II deals with someone more familiar – a frustrated ex-boyfriend who couldn’t get what he desired. The hope behind this piece is that the law against online harassment will be generally known, and actions like these will be met with complete intolerance and proper legal retaliation at all times to come. I welcome your feedback about other strategies that may be useful.

Case I: The Creep

It starts with a random message from a random stranger.

Him: “Hey. How old are you?”

Her: “16. Do I know you?”

Him: “16 is good. Very fresh.”

Her: “What do you mean?”

Him: “I just mean… 16 is very fresh, you know? Ripe for plucking.”

She stopped replying.

It doesn’t stop here, of course. The guy starts following and adding you everywhere – Orkut, Twitter, LinkedIn, Messenger – everywhere. Her ‘Other’ folder on Facebook is filled with dirty messages from him, including links to erotic sites. He keeps asking her for sexual favours despite her having expressed clear disinterest, and in his messages writes in great detail how he wants to dominate, exploit, harass and torture her in bed. When she doesn’t reply for a long time, he starts sending her pictures of his private body parts.

Still receiving no response, he decides to move out of her inbox, onto what is a more public aspect of her social media profile. He starts commenting on her pictures, saying things like “You dress like a call girl”, “You have very nice breasts” etc. He downloads her profile picture, morphs it and uploads a picture depicting her in a sexual act with another person. At this point, she reports him and blocks him from her profile.

Three IPC provisions provide you a direct legal remedy for this: S. 354A, S. 354D and S. 509. S. 354A punishes (with 3 years imprisonment and/or fine) as ‘Sexual Harassment’ instances where a man makes “a demand or request for sexual favours”, shows “pornography against the will of a woman”, or makes “sexually coloured remarks”. S. 354D punishes under ‘Stalking’ any man who “follows a woman and contacts, or attempts to contact such woman to foster personal interaction repeatedly despite a clear indication of disinterest by such woman” with three years and/or fine on first conviction, and five years and/or fine on second conviction. Finally, S. 509 provides that any person who utters any word or makes any sound or gesture, intending that such word, sound or gesture be heard or seen by a woman and insult her modesty, shall be punished with one year imprisonment and/or fine.

Further, the IT Act punishes transmission of obscene as well as sexually explicit content in electronic form. S. 67 prohibits, and punishes with imprisonment extending up to three years and fine for first conviction and to five years and fine upon second conviction, the publication, transmission and causing of transmission of obscene content. Obscene content has been defined in the same manner as in S. 292 IPC, and therefore the test of obscenity is to be the same as under that provision.[i] As per S. 67, something is obscene if it:

  • Is lascivious; or
  • Appeals to the prurient interest; or
  • Has the effect of depraving and corrupting persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it.

Finally, S. 67A of the Act carves out a special category of obscene content i.e. material containing a ‘sexually explicit act’. The publication, transmission or causing of transmission or such material is punishable with imprisonment extending up to five years and fine for first conviction and to seven years and fine upon second conviction.

Case II: The Frustrated Ex-Boyfriend

Her boyfriend had taken some pictures and videos of her giving him a blowjob. On other occasions, he had asked her to send him nude pictures of hers over WhatsApp, and she had obliged. Shortly after this, however, the two had a big fight, and she broke up with him.

After the break up, he started threatening to leak her pictures and videos if she didn’t give in to his demands. When she didn’t oblige, he circulated the pictures and videos of her giving him a blowjob among all her friends and family on Facebook, with his own face blurred. Her nude pictures were circulated all over WhatsApp. One of her pictures had also been uploaded on a porn web site, with her contact number flashing next to it.

The IPC provides another three provisions to deal with situations such as this. S. 354C defines ‘Voyeurism’ as including the act of capturing the image of a woman engaging in a private act, and/or disseminating said image, without her consent.[ii] For the act to qualify as ‘Voyeurism’, the circumstances must be such where the woman would “usually have the expectation of not being observed either by the perpetrator or by any other person at the behest of the perpetrator”. A person convicted under this Section is liable to be punished with fine as well as imprisonment up to three years on first conviction and seven years on subsequent convictions.

s. 499 punishes as ‘Defamation’ the publication by visible representations of an imputation concerning the woman, when done with the intention to harm her reputation. Further, S. 503 punishes as ‘Criminal Intimidation’ threats made to any person with injury to her reputation, either in order to cause alarm to her, or to make her change her course of action regarding anything she would otherwise do/not do. The offences under S. 499 and S. 503 are punishable with imprisonment which may extend to two years, and/or fine.

The IT Act makes a special provision via S. 66E to deal with violation of the privacy of a person. Under the section, capturing, publishing or transmitting the image of a private area of any person without her consent, under circumstances violating her privacy, is punishable with imprisonment which may extend to three years, and/or fine. “Under circumstances violating privacy” refers to those circumstances in which a person could have a reasonable expectation that –

  • He or she could disrobe in privacy, without being concerned that an image of his private area was being captured; or
  • Any part of his or her private area would not be visible to the public, regardless of whether that person is in a public or private place.

Finally, the aforementioned generic provisions applicable to transmission of obscene or sexually explicit content also apply to situations like this.

Note: All offences mentioned above (except those under Ss. 499 and 503, IPC) are cognizable offences, which means that the police can take cognizance of these upon the filing of an FIR and begin investigation accordingly, without permission from the Magistrate.

What you can do: strategies to help you keep your options open

Often the first instinct in situations such as the above is either to delete all dirty messages and comments from your profile, or to hide in as many ways as possible any message or media that could ‘expose’ to your loved ones what you had been involved in. While I being a man can never claim to understand fully everything that the victim goes through in these situations, it is imperative that this urge is suppressed and the relevant evidence gathered. This would prove to be extremely useful if and when you decided to avail the legal remedies as aforementioned. Here are some things you could keep in mind:

  • Prevention against destruction of evidence: Change your account password and make sure no one knows what it is. Take all necessary precautions to protect your phone/laptop/other digital device well from intrusion or theft.
  • Preservation of important conversations etc.: Taking screenshots of relevant messages, conversations and comments always helps. If the conversation happened over an application such as Whatsapp that allows you to e-mail it to yourself, do it.
  • Witnesses: Make sure there are some trusted people around you who saw what happened, so that they could later testify if needed.

In conclusion, it would be useful to mention that some organizations working in the field of women’s rights offer help to victims of sexual violence in many ways including accompanying them to the police station for filing the complaint. The contact details can be searched for on the internet. One such organization is Jagori, which runs a campaign called the Safe Delhi campaign, more details on which could be found here.

[i] Maqbool Fida Husain v. Raj Kumar Pandey 2008 Cri LJ 4107.

[ii] See Explanation 2 to S. 354C.

(Shrutanjaya Bhardwaj is an intern at CCG, and a fourth year student at National Law University, Delhi)

Information Gatekeepers and Article 19(1)(a) of the Indian Constitution

I have put a draft of my paper titled ‘Gatekeeper Liability and Article 19(1)(a) of the Indian Constitution on SSRN. You can read it here. It will eventually be published in the NUJS Law Review.

Alternatively, this essay (written for a UPenn/ CIS/ ORF publication) based on the paper sets out my argument briefly.

Introduction

The press was once the most important medium of mass communication. Indira Gandhi understood this well and used the gatekeeping function of large media houses to prevent citizens from accessing critical information. The press’s function as an information gatekeeper is protected by jurisprudence, but this protection is articulated as ‘freedom of the press’, making it a medium-specific protection. As the Internet increasingly replaces the press as the most important source of information for citizens, structural protections need to extend online. The online intermediary may be the new avatar of the information gatekeeper, third parties who perform an essential function in transmitting information from speakers to audiences – they are potential choke points that the state can use to cut off flows of information.

Aside from the press freedom norms, much of our freedom of expression jurisprudence deals with the state’s relationship with the speaker. The contours of our freedom of expression rights have formed in this context. It is relatively easy for the judiciary to grasp how statutory provisions like section 66A of the Information Technology Act impact freedom of expression. Here the law targets the speaker directly and any unjust application or chilling effect is more visible. It is also more likely to be resisted by the target of regulation, since the speaker is always interested in her own right to speak.

Indirect regulation of speech is quite different. The law is aimed at information gatekeepers, who may choose not to publicise censorship and who may not be as interested in protected the speech as the original speaker. Scholars have described these gatekeepers as the ‘weakest link’, through which speech is most vulnerable to state excesses.

Information gatekeepers and Indian law

It is common enough for states to use ‘middle-men’ to enforce change in behaviour when it is difficult to control the primary offender’s conduct directly. For example, since it is difficult to directly compel minors to avoid drinking, the law targets alcohol-sellers, leveraging their gatekeeping function to cut off the supply of alcohol to minors.

Information gatekeepers were used to regulate the flow of information even in the pre-digital world. Publishers and booksellers were held liable for circulating banned publications in many countries including India. India has a particularly pernicious rule criminalizing the circulation of obscene content. This comes from the Supreme Court’s judgment in Ranjit Udeshi v. State of Maharashtra, that is well known for its interpretation of obscenity law in the context of D.H. Lawrence’s ‘Lady Chatterley’s Lover’. The other critical element of this judgment received almost no attention – the liability of a bookseller for the circulation of obscene content.

D.H. Lawrence was never prosecuted in India for his book. The ‘Lady Chatterley’s Lover’ case in the Supreme Court was about the liability of the owners of Happy Book Stall, a bookshop at which ‘Lady Chatterley’s Lover’ was sold. The Supreme Court said the booksellers were liable for circulation of the obscene content even if they argued that they were unaware that a book contained such content. Consider what this means: booksellers cannot plead ignorance of obscene content within any of the books they sell, and will be liable nonetheless. The state only has to prove that the booksellers circulated obscene content, and not that they did so knowingly. It is lucky that this part of the Supreme Court judgment went largely unnoticed since it could easily be used by the intolerant file criminal complaints that shut down large bookstores all over the country – all they need to do is look for a few books that the law would categorise as obscene. Booksellers would then have to scour every page and paragraph of each book they sell to weed it out content that might get them arrested – this would make it very difficult to do business.

Online intermediaries as information gatekeepers

Intermediary liability first received attention in India after the infamous ‘DPS-MMS’ explicit video, featuring two minors, ended up being sold on Baazee.com. The Managing Director of the company that owned the website was arrested. The fact that he had no knowledge that this content was shared on the website was irrelevant thanks to the Supreme Court’s ‘Lady Chatterley’s Lover’ verdict. This situation made it clear that if the law applicable to bookshops continued to apply to online intermediaries, online platforms would not be able to function in India. A platform like Facebook or Youtube hosts too much user content to be able to sift through it and proactively filter out everything obscene.

Fortunately, the amendment of the Information Technology Act (IT Act) gave Internet intermediaries immunity from this liability for third party content. The immunity was conditional. Intermediaries that edit or otherwise have knowledge of the content that they transmit are not immune from liability. To remain immune from liability, intermediaries must comply with certain legal obligations to take down content or block it in response to government orders or court orders. These obligations also leverage the gate-keeping function of these intermediaries to regulate online content – internet service providers and online platforms can ensure that certain kinds of content are inaccessible in India.

Why gatekeepers matter

Although information intermediaries existed in the pre-internet information ecosystem, their role is critical in the context of online content – several intermediaries mediate our access to online content. Some of these, like the gateways through which the Indian network connects to the global network, are located in India and are easy for the government to control since they are subject to onerous licenses and are few enough in number for the state to be able to control all of them successfully. Other intermediaries like Facebook or Google, are online platforms, and most of these have offices outside Indian jurisdiction.

Discussions about freedom of expression that focus on the direct relationship between the state and the speaker are not helpful in this context. This kind of reasoning tends to ignore the collateral effects of certain kinds of regulation of speech – the ‘Lady Chatterley’s Lover’ case case is a classic illustration of this with its tremendous impact on the liability of all booksellers and later on Baazee.com and other web based platforms.

As the new media make gatekeepers and intermediaries more critical to the controlling the flow of information, we need to focus on other dimensions of freedom of expression if we are ensure that effective safeguards are put in place to protect speech. Our jurisprudence on freedom of the press offers some degree of protection to newspapers so that regulation of their business structure cannot be used to influence their content, but this form of gatekeeper protection is limited to the press. There are information gatekeepers other than the press in India, and it is time that we think carefully about protecting the information ecosystem. Free speech principles need to accommodate themselves to a media ecosystem that is increasingly dependent on information gatekeepers.

Freedom of expression and access to information

It is time that our jurisprudence started focusing more on citizens’ rights to access information. Although this right that has been recognized in India, it needs to be outlined in more detail. In the well-known judgment in Shreya Singhal v. Union of India, which struck down section 66A of the Information Technology Act, the Supreme Court failed to deal with intermediary liability adequately because it did not use the lens of access to information and gatekeeper liability. Using traditional jurisprudence that focuses on the direct impact of regulation of speech, the court gave content-creators the right to a hearing and a right to appeal blocks and removals of their content wherever possible. However, it completely disregarded the rights of citizens to access online content.

The content blocking system in India makes all government blocking orders confidential. This means that when an intermediary is required to block content under the IT Act, users might imagine that the decision was a private decision made by the intermediary. Since the intermediary is unlikely to be willing to spend resources battling for the various kinds of content it hosts, any blocking process that counts on the intermediary to offer up sufficient resistance to unconstitutional blocking orders errs egregiously. The law must offer those who are actually affected – the publishers and the readers of the information – a chance to fight for content that they have the right to circulate and access. Of these, the publishers of information do have some right to make their case before the government committee making the blocking decision thanks to the Supreme Court’s decision in Shreya Singhal v. Union of India. But this judgment does nothing for citizens who could lose access to a wealth of information if the government might unreasonably blocks content created by someone in another country. The content publisher would not be in a position to defend its content in India, and citizens have not been given any avenue to defend their rights to view the content before the government committee making the decision.

The focus on access to information has been discussed many scholars, from Alexander Meiklejohn onwards. Amartya Sen has written about the salience of public discourse in a democracy. Robert Post and Jack Balkin have articulated in the detail the importance of focusing on the free flow of information or access to information, rather than on the right of individual speakers. The right we refer to as ‘freedom of expression’ is about much more than the freedom to say what one pleases. It is the foundational principle from which our rules about free flow of information have been built.

Conclusion

Section 66A was an example of what Jack Balkin characterises as ‘old school’ regulation of speech. This consists of criminal penalties, injunction and damages aimed directly at the speaker or publisher. The Supreme Court’s treatment of section 66A reflects its comfort with this form of regulation and its implications for freedom of expression.

Intermediary liability, and the use of Internet gatekeepers to control the flow of online information follows a different system: it uses control over the infrastructure or platforms of speech to exercise control over speech. Jack Balkin characterizes this as ‘new school’ regulation. Through ‘collateral censorship’, a third party is made to block or remove a primary speaker or publisher’s speech. For example, a government order or a court order requiring that certain online content be blocked, does this by requiring and internet service provider or online platform to censor the information. New school regulation works necessitates co-operation of these third party intermediaries like internet service providers and online platforms with the government, and this can be achieved by compelling them to co-operate through the law or by using softer means to co-opt them.

New school regulation must be assessed in terms of the collateral harm that it causes. It is not a question of whether online pornography should be blocked or not anymore. It is a question of whether the process used to get intermediaries to block the pornography can be abused to block constitutionally protected speech. We have already recognized the collateral effects of structural regulation in the context of press freedom, and the Supreme Court has barred certain kinds of structural interference with the media that might impact their reporting. It is time to create a version of this principle for online speech, and to think in terms of access and free flow of information.

References

Ranjit Udeshi v. State of Maharashtra

Shreya Singhal v. Union of India

Secretary, Ministry of Information & Broadcasting, Govt. of India v. Cricket Association of Bengal, (1995) 2 SCC 161.

Sakal Papers v Union of India

Amartya Sen, Idea of Justice, 321-337 (2009)

Chinmayi Arun, Gatekeeper Liability and Article 19(1)(a) of the Constitution of India, NUJS Law Review [forthcoming-2015]

Jack Balkin, ‘Old School/ New-School Speech Regulation’, 127 Harv. L. Rev. 2296

Jack Balkin, ‘The first amendment is an information policy’, Hofstra Law Review 41 (2013)

Robert Post, Participatory Democracy and Free Speech, 97 Virginia L. Rev. 3 (2011).

Seth Kreimer, Censorship by Proxy: the First Amendment, Internet Intermediaries, and the Problem of the Weakest Link, Penn Law: Legal Scholarship Repository (2006)

IT Ministry’s Response to Questions in Rajya Sabha (includes Blocking of Content, Net Neutrality, Amendments to IT Act, Website Accessibility)

The Ministry of Communication and Information Technology recently (8th May) provided answers to a number of questions (here and here), which were raised by the parliamentarians in the Rajya Sabha. We have extracted a set of 10 questions below, that deal with a number of issues including IAMAI’s role in blocking of content, Net Neutrality, proposals for amendment to the IT Act and accessibility of government website among others.

Question 1: (Monitoring and blocking of offensive online content) 

(a) Whether it is a fact that the Cyber Regulation Advisory Committee, in its meeting held on 5th September, 2014, has delegated the task of preparing a list of pornographic sites for blocking, to the Internet and Mobile Association of India (IAMAI), an industry organization.

(b) If so, the reasons for entrusting a private entity with a function that ought to be discharged by Government agencies in public interest; and

(c) The measures being taken by Government to enhance and strengthen the capacity and technical expertise of Government agencies for monitoring and blocking of offensive online content?

Answer:

(a) and (b) In Writ Petition in the matter of Kamlesh Vaswani vs. Union of India, the Hon’ble Supreme Court in its order dated 29.8.2014 directed that it would be appropriate if the Government places the copy of the writ petition and interlocutory applications before the Cyber Regulation Advisory Committee (CRAC), which has members from all sections of the Society including Government, Industry, Civil Society and Academy, for its consideration. The constitution of the Committee (CRAC) was revised and notified in Oct. 2010. The last CRAC meeting was held on 5th September 2014 to discuss issues relating to availability of pornography material on the Internet and filtering of the same by the service providers in the country. CRAC requested Internet and Mobile Association of India (IAMAI), an association of members from content providers to lead the effort as part of Social responsibility, to collect and maintain the repository of blacklisted pornography sites from various sources including list of child pornography sites maintained by other countries. Further, IAMAI was requested to set up help lines and web portal for reporting of such sites through Crowd sourcing mechanism. IAMAI would regularly provide the list of such sites to Government for further appropriate action. Similar approach is adopted by other countries like Australia, United Kingdom and Unites States of America, where the Governments are working with Non – Government Organizations (NGOs) to filter pornography sites.

(c) The filtering of web sites with obscene / objectionable content poses significant technical challenge. These websites keep on changing the names, domain addresses and hosting platforms from time to time making it difficult to filter or block such websites using technical tools available in the market. Further “https” websites with encrypted content are used to transmit the pornographic content which makes filtering difficult as the data is encrypted. Therefore, the tools provide filtering to a limited extent only. The tools, in the process may also filter genuine content and degrade the performance of systems.

To address the issues effectively, Government is in regular touch with Internet Service Providers to upgrade their infrastructure and technology to effectively address the shortcomings with regard to identifying and blocking encrypted websites /URLs. Further, Social Networking sites are monitored by the security agencies in order to check / remove objectionable contents from the web sites in consultation with Indian Computer Emergency Team (CERT-In) in accordance with the provisions of Information Technology Act, 2000. Government is in regular touch with Social Networking sites, having their offices in India, to disable objectionable contents at the source from their websites. Government has also initiated Research and Development programmes to deal with technical issues relating to encrypted communications from the point of monitoring and blocking.

Question 2: (Secure flow of public and private communications)

(a) The steps Government has taken or proposes to take to protect privacy and security of our citizens and elected leaders in view of recent global incidents of tapping of communications by US and UK agencies;

(b) Whether Government will control foreign agencies handling internal communications of our citizens and Government; and

(c) Whether Government will take initiative in this respect to bring together various Governments to ensure secure flow of public and private communications and protect exchange of communications of national interest among Government officials?

Answer:

(a) and (b) Sir, taking note of the disclosure by foreign media reports in June, 2013 about extensive electronic surveillance programmes deployed by the U.S. agencies to collect internet and telephony data, Government has expressed concerns over reported U.S. monitoring of internet traffic of India. Concerns with regard to violation of any of Indian laws relating to privacy of information of Indian citizens as well as intrusive data capture deployed against Indian citizens or Government infrastructure have been conveyed to the U.S. Government. In addition, the issue of U.S. cyber surveillance activities was discussed during the India-US Strategic Dialogue meeting held in New Delhi on 24 June 2013.

Government keeps on taking appropriate protective measures by way of an integrated approach with a series of legal, technical and administrative steps to ensure that necessary systems are in place to address the growing threat of cyber attacks. In this direction, Government has approved a framework for cyber security, including protection of critical sectors in country that envisages a multi-layered approach for ensuring defence-in-depth with clear demarcation of responsibilities among various agencies and departments. Government is also engaged with world community towards promoting the evolution of better international Internet governance-norms, through ongoing discussions at international fora.

(c) Government is promoting Indian players in the IT field to develop and offer Internet Services by having the servers located in India, in order to protect the interests and secrecy of communication of Indian citizens. Already Rediff and Indiatimes have set up Servers and accessories in the country to provide email and other services to Indian citizens.

Further, Government has notified email policy of Government of India on 19th Feb. 2015 to protect exchange of communications of National interest among Government officials. The policy mandates that only Government of India email service shall be used for official correspondence, the objective of the policy includes sensitizing the Government officials regarding protection of critical Government data and mandating the use of Government mail service for official communication. Government has also planned to install Secure & Dedicated Communication Network (SDCN) for Intra-Government Classified Communication.

Question 3: (Net Neutrality on the use of Internet)

(a) Whether TRAI has come out with a discussion paper on the use of internet particularly the Net Neutrality in the country

(b) If so, the details thereof

(c) Whether it is a fact that many people in the country are in favour of Net Neutrality and have given their comments to TRAI in this regard; and

(d) The stand of Government on Net Neutrality?

Answer:

(a) and (b) Telecom Regulatory Authority of India (TRAI) has released a consultation paper on “Regulatory Framework for Over-the-top services” on 27th March, 2015 for inviting comments from various stakeholders. This consultation paper also covers the issues related to Net Neutrality. The last date for receiving comments and counter comments is 24th April, 2015 and 8th May, 2015 respectively. Further, this consultation paper is available on TRAI website http://www.trai.gov.in.

(c) TRAI has received a large number of comments (more than 10 Lakh) in response to the consultation paper on “Regulatory Framework for Over-the-top services”. This consultation paper also covers the issues related to Net Neutrality. These comments are uploaded in TRAI website http://www.trai.gov.in.

(d) Government notes with assurance the growth of internet in India and wide platform it has offered for innovation, investment and creativity. Government is committed to the fundamental principles and concept of net neutrality and strives for non-discriminatory access to Internet for all citizens of the country.
At present the issues pertaining to net neutrality are in consultation stage. Department of Telecommunications has constituted a committee in January, 2015 to examine various aspects of net neutrality and recommend overall policy and technical response to net neutrality. The committee has already held stakeholder consultation meetings with Over the Top (OTT) players, Telecom Service Providers/Internet Service Providers, Civil Society Member & Consumer groups, Multi stakeholder Advisory Group (MAG) of Department of Electronics & Information Technology (DeitY) and various Associations/Industry bodies.
Based on the report of committee and TRAI recommendations Government will take a considered decision.

Question 4: (Resolving Net Neutrality Issue)

(a) How does Government proposes to address and resolve the Net Neutrality issue; and

(b) How does Government plans to ensure that telecom operators won”t pass on to the customers the burden of high spectrum price paid by them to the Government?

Answer:

(a) Government notes with assurance the growth of internet in India and wide platform it has offered for innovation, investment and creativity. Government is committed to the fundamental principles and concept of net neutrality and strives for non-discriminatory access to internet for all citizens of the country.

At present the issues pertaining to net neutrality are in consultation stage. Telecom Regulatory Authority of India (TRAI) has released a consultation paper on “Regulatory framework for Over-the-top services” on 27th March 2015. This consultation paper covers the views of the service providers and OTT providers and related issues including net neutrality. The last date for receiving comments and counter comments is 24th April, 2015 and 8th May, 2015 respectively.

Department of Telecommunications has constituted a committee in January,2015 to examine various aspects of net neutrality and recommend overall policy and technical response to net neutrality. The committee has already held stakeholder consultation meetings with Over the Top (OTT) players, Telecom Service Providers/Internet Service Providers, Civil Society Member & Consumer groups, Multi stakeholder Advisory Group (MAG) of Department of Electronics & Information Technology (DeitY) and various Associations/Industry bodies.

Based on the report of committee and TRAI recommendations Government will take a considered decision.

(b) Tariff for telecom services falls under purview of Telecom Regulatory Authority of India (TRAI). As per the existing tariff framework, tariff for telecommunication access service is under forbearance except for National Roaming and Rural Fixed Line Services. The service providers have the flexibility to decide various tariff components for different service areas of their operation. Tariffs are offered by service providers taking into account several factors including input costs, level of competition and other commercial considerations.

Question 5: (Position on Net Neutrality)

Whether in view of the fact that a committee has been formed within the Ministry to evolve its position on Net Neutrality, Government would ensure that the position on Net Neutrality is discussed in the Parliament and with the public, the details thereof?

Answer:

Government notes with assurance the growth of internet in India and wide platform it has offered for innovation, investment and creativity. Government is committed to the fundamental principles and concept of net neutrality and strives for non-discriminatory access to Internet for all citizens of the country.
At present, the issues pertaining to net neutrality are in consultation stage. Telecom Regulatory Authority of India (TRAI) has released a consultation paper on “Regulatory Framework for Over-the-top services” on 27th March, 2015 for inviting comments from various stakeholders. This consultation paper also covers the issues related to Net Neutrality. The last date for receiving comments and counter comments is 24th April, 2015 and 8th May, 2015 respectively. Further, this consultation paper is available on TRAI website http://www.trai.gov.in.

Department of Telecommunications has constituted a committee in January, 2015 to examine various aspects of net neutrality and recommend overall policy and technical response to net neutrality. The committee has already held stakeholder consultation meetings with Over the Top (OTT) players, Telecom Service Providers/Internet Service Providers, Civil Society Member & Consumer groups, Multi stakeholder Advisory Group (MAG) of Department of Electronics & Information Technology (DeitY) and various Associations/Industry bodies. The committee has been asked to submit its report by May, 2015 end.

Further, Statement on Calling Attention Notice by Sh. Derek O’ Brien Hon’ble MP, Rajya Sabha on ‘Issue of safeguarding Net Neutrality in the country’ was made by Hon’ble Minister of Communications & IT on 05.05.2015 and he replied on various queries, issues and aspects raised by Hon’ble Members of Rajya Sabha. (Copy of statement is annexed).

Based on the report of committee and TRAI recommendations Government will take a considered decision.

Question 6: (Amendment to IT Act, 2000)

(a) Whether Government is planning to amend the Information and Technology (IT) Act 2000 in the aftermath of the recent Supreme Court judgement that struck down Section 66A as unconstitutional, with a view to de-criminalize posting of offensive content on the Internet;

(b) If so, whether Government is planning to include procedural safeguards in such a provision to ensure that such provision is not misused by fundamentalist elements in Society to harass law-abiding citizens; and

(c) if so, the details thereof and if not, the reasons therefor?

Answer:

(a), (b) and (c) Presently, there is no proposal with the Government to amend the Information Technology (IT) Act 2000. However, Ministry of Home Affairs has constituted a Committee to examine the implications of the Hon’ble Supreme Court’s judgment quashing Section 66A of the Information Technology Act 2000 and to suggest appropriate legal remedy to fill gaps in the legal regime, if any, in the wake of the aforesaid judgment.

Also, an Expert Committee under the Chairmanship of Shri T.K. Vishwanathan, former Secretary, Law Commission & Secretary General has been set up by Ministry of Home Affairs to study and examine the existing domestic cyber laws and International Cyber legislations and recommend a road map with measures and amendments to the present laws for consideration of the Government.
Further, in order to comprehensively address the issues of Cyber Crimes, Ministry of Home Affairs has set up an Expert Group consisting of Academicians and Professionals of repute to prepare a roadmap for effectively tackling the Cyber Crimes in the country and give suitable recommendations on all facets of cyber crime. The five-member Expert Study Group comprises of Dr. Rajat Moona, Director General Centre for Development of Advanced Computing (CDAC), Professor Balakrishnan, Indian Institute of Science, Bengaluru, Dr. Gulshan Rai, then Director General Indian Computer Emergency Response Team (Cert-In), Professor Manindra Aggarwal, Indian Institute of Technology (IIT), Kanpur and Professor D. Dass, International Institute of Information Technology (IIIT), Bengaluru. Shri Kumar Alok, Joint Secretary, Ministry of Home Affairs is the Convenor of the Expert Group. The Terms of Reference of the Expert Group are:

i) To prepare a Road Map for effectively tackling the Cyber Crime in the country and give suitable recommendations on all its facets.

ii) Recommend possible partnerships with Public and Private Sector, NGOs, International Bodies and International NGOs.

iii) Any other special measures / steps the Expert Group may like to recommend with regard to tackling Cyber Crimes.

Question 7: (Broadband penetration in the county)

(a) Whether it is a fact that our country is ranked below Bhutan and Sri Lanka in terms of broadband penetration and ranks 125th in the world for fixed broadband penetration;

(b) Whether Telecom Regulatory Authority of India (TRAI) has suggested that the multi-layered structure involved in the decision making for the sector needs to be overhauled;

(c) If so, the details thereof;

(d) Whether it is also a fact that TRAI has also suggested that the licence fee on the revenue earned from fixed line should be exempted for five years; and

(e) If so, the view of Government in this regard?

Answer:

(a) As per ‘The State of Broadband 2014: Broadband for All’ report, published by the Broadband Commission of the International Telecommunication Union (ITU) and the United Nations Educational, Scientific and Cultural Organization (UNESCO) which was published in September 2014, the ranking of Bhutan, Sri Lanka and India with respect to Fixed Broadband penetration for 2013 are as under:

Fixed Broadband Penetration

                     (per 100 inhabitants)     Rank

Bhutan                       2.7                     108

Sri Lanka                    2.0                     115

India                            1.2                    125

(b) to (e) Telecom Regularity Authority of India (TRAI) in its recommendations “Delivering Broadband Quickly: What we need to do?”, dated 17.04.2015 has inter alia, recommended the following

(i) Overhauling of multi-layered structure involved in the decision making in respect to National Optical Fibre Network (NOFN) project

(ii) Exemption of the license fee on the revenues earned on fixed line Broadband for at least 5 years.

A committee has been constituted on 29.04.2015 in Department of Telecommunications to examine the TRAI recommendations.

Question 8: (Law with the concept of Net Neutrality)

(a) Whether Government is bringing a law with the concept of Net Neutrality for consumers; and

(b) if so, by when?

Answer:

(a) and (b) Government notes with assurance the growth of internet in India and wide platform it has offered for innovation, investment and creativity. Government is committed to the fundamental principles and concept of net neutrality and strives for non-discriminatory access to internet for all citizens of the country.
The issues pertaining to net neutrality are in consultative stage. Telecom Regulatory Authority of India (TRAI) has released a consultation paper on “Regulatory Framework for Over-the-top services” on 27th March, 2015 for inviting comments from various stakeholders. This consultation paper also covers the issues related to Net Neutrality. The last date for receiving comments and counter comments is 24th April, 2015 and 8th May, 2015 respectively.

Department of Telecommunications has constituted a committee in January, 2015 to examine various aspects of net neutrality and recommend overall policy and technical response to net neutrality. Committee has been asked to submit its report by May, 2015 end.

Based on the report of committee and TRAI recommendations Government will take a considered decision, in the best national interest.

Question 9: (Regulation of Over the Top services)

(a) The stand of Government in protection of Net Neutrality;

(b) Whether Government proposes to regulate Over-the-Top (OTT) services;

(c) The argument for and against for regulation of OTT services;

(d) The details of the growth of internet traffic and internet users over the years;

(e) The details of the revenue generated by different telecom companies over the years; and

(f) Whether the move to regulate OTT services will affect the growth of start-ups in the country?

Answer:

(a),(b),(c) & (f) Government notes with assurance the growth of internet in India and wide platform it has offered for innovation, investment and creativity. Government is committed to the fundamental principles and concept of net neutrality and strives for non-discriminatory access to internet for all citizens of the country.
At present the issues pertaining to net neutrality are in consultation stage. Telecom Regulatory Authority of India (TRAI) also has released a consultation paper on “Regulatory framework for Over-the-top services” on 27th March 2015 for inviting comments from various stakeholders. This consultation paper also covers the issues related to Net Neutrality. The last date for receiving comments and counter comments is 24th April, 2015 and 8th May, 2015 respectively. This consultation paper covers the views of the service providers and OTT providers and related issues including net neutrality.

The main arguments in favour of OTT regulation is loss of traditional revenues from data and voice to telecom service providers, telecom service providers are subjective to all licensing and regulatory conditions whereas the OTT providers are not subjected to similar restrictions and that large scale OTT service in traditional services could significantly hampered the TSPs investment capability and growth. The TSPs are insisting on ‘Same Service Same Rules’ to maintain regulatory balance.

The main argument against OTT regulation is that the OTT players offer services through internet provided by TSPs and the TSPs are paid for internet services consumed by end users and OTT service lead to increase data usages and revenue to TSPs.

Department of Telecommunications has constituted a committee to examine various aspects and recommend overall policy and technical response to net neutrality.
Based on the report of committee and TRAI recommendations Government will take a considered decision in the best national interest

(d) Details of Internet subscribers are as under

For the period ending      Dec-2013          Dec-2014 Internet subscribers (in Crores)

As per TRAI                       23.87                  26.74

As per IAMAI-IMRB report ‘Internet in India 2014’  > 30

(e) The trend of revenue from data usage from full mobility service (GSM+CDMA) segment is given below:

                       Quarter ending Revenue from data usage (in Rs. crore)

June 2013           3057.83

September 2013 3594.83

December 2013 4240.01

March 2014        4637.89

June 2014           5259.18

September 2014 5911.05

December 2014  6457.06

Question 10: (Government websites meeting international standards of web accessibility)

(a) Whether any survey has been conducted by Government regarding the number of Government websites that meet the international standards of web accessibility;

(b) if so, the details thereof;

(c) Whether it is a fact that in an accessibility survey conducted by National Centre for Promotion of Employment for Disabled People (NCPEDP), not a single Government website was accessible; and

(d) The steps taken to improve web accessibility?

Answer:

(a) Yes, Sir.

(b) The Guidelines for Indian Government Websites (GIGW) have been adopted by the Department of Administrative Reforms & Public Grievances (DARPG) and have become a part of the Central Secretariat Manual of Office Procedure (CSMOP). The GIGW accessibility guidelines are based on W3C”s Web Content Accessibility Guidelines (WCAG) 2.0. These are internationally accepted guidelines on web accessibility and cover a wide range of recommendations for making web content more accessible.

DeitY has initiated the Website Quality Testing project which is being executed by Standardization Testing and Quality Certification (STQC) for testing and certifying the government websites. Under this project, 1000 websites have been undertaken for testing. Currently, around 950 websites of various Ministries/Departments, attached offices, societies have already been tested by STQC and test reports have been sent to the concerned Ministries/Departments for addressing the issues of non-compliance.

(c) and (d) No, Sir. However, as per the Web Accessibility Survey Report for Indian Government websites – 2012 of National Centre for Promotion of Employment for Disabled People (NCPEDP), none of 10 Government websites were able to meet even the basic accessibility standards. The Government has undertaken following steps in this regard:

(i) The Guidelines for Indian Government Websites (GIGW) have been adopted by the Department of Administrative Reforms & Public Grievances (DARPG). The GIGW guidelines adhere to the requirements of persons with disabilities and ensure compliance with level A of Web Content Accessibility Guidelines (WCAG) 2.0 as laid down by World Wide Web Consortium (W3C). GIGW has incorporated all the level A success criteria and a few success criteria from level AA. This is sufficient to make the websites accessible.

(ii) Department of Electronics and Information Technology (DeitY) has had three rounds of meetings with the Website Information Managers (WIMs) of various Government departments to sensitize the departments regarding addressing the non-conformance issues of their websites with GIGW. STQC along with e-Governance division of DeitY and NIC has conducted one-to-one discussion with the concerned departments and ministries to close the non-conformance areas.

(Sarvjeet is a Project Manager and Research Fellow at the Centre for Communication Governance at National Law University, Delhi)

Government’s Response to Fundamental Questions Regarding the Internet in India

The Ministry of Communication and Information Technology today provided answers to a number of questions, which were raised by the parliamentarians in the Rajya Sabha. We have extracted a set of 6 questions below, that deal with a host of issues including number of blocks under Section 69A of the Information Technology Act, the current status of the Central Monitoring System, Data Privacy law and Net Neutrality.

Question 1: (Emergency Blocking under IT Act) 

(a) Whether Government has issued any emergency blocking orders under section 69 (A) of the Information Technology Act, 2000 pursuant to Rule 9 of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules 2009; and

(b) If so, the total number of emergency blocking orders issued from 1st January, 2014 till date and the details and specifications thereof?

Answer:

(a) and (b) Government has issued directions for blocking of URLs on emergency basis depending on the nature of contents and consequences of spreading such contents as reported by Law Enforcement and Security Agencies, following the procedure as outlined in Rule 9 of the Information Technology (procedure and Safeguards for blocking for access of Information by Public) Rules.

Emergency blocking orders issued to block a total number of 216 URLs from 1st January, 2014 till date. The information hosted on these URLs were anti-national, provocative, communal hatred, which could lead to serious law and order problem in the Country. The URLs were blocked based on the requests of Law Enforcement Agencies including by orders passed by competent courts, in the interest of Sovereignty and Integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the Commission of any cognizable offence relating to above as per the provisions of Section 69A of Information Technology Act, 2000.

Question 2: (Blocking under IT Act)

(a) Whether Government has blocked/disabled access to certain websites and /or Uniform Resource Locators(URLs) during the current year and the last year and if so , the specifications thereof; 

(b) The total number of requests received by the designated officer and the total number of orders issued for blocking of websites and/or content under section 69(A) of the Information Technology Act, 2000 from 1st January, 2014 till date; and

(c) The total number of blocking orders revoked by the Department of Electronics and Information Technology, or any other Government agency from 1st January, 2014 till date?

Answer:

(a) and (b) Government has invoked Section 69A of Information Technology Act, 2000 to block/disable access to certain websites/URLs. Section 69A of the Information Technology Act 2000 empowers Government to block any information generated, transmitted, received, stored or hosted in any Computer Resource in the interest of Sovereignty and Integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the Commission of any cognizable offence relating to above.

A total of 255 URLs were blocked in 2014 and no URLs has been blocked in 2015 (till 31 March 2015) under Section 69A through the Committee constituted under the rules therein. Further, a total of 2091 URLs and 143 URLs were blocked in order to comply with the Directions of the Competent Courts of India in 2014 and 2015 (till 31 March 2015) respectively.

The Committee constituted as per the rules of Section 69A of the Information Technology Act, 2000 had recommended not to block 19 URLs in the meetings held between 1st January 2014 to till date.

Besides, Indian Computer Emergency Response Team (CERT-In) gets requests for blocking of objectionable content from individuals and organisations, which merely forwards those requests to the concerned websites for appropriate action.

(c) Two orders were issued to revoke the 251 blocked URLs from 1st January 2014 till date.

Question 3: (Central Monitoring System)

(a) The status of implementation of the Central Monitoring System (CMS) set up by Government for lawful interception and monitoring of communications;

(b) The details and salient features of the system, including the nodal agency implementing CMS;

(c) The total expenditure approved and incurred by Government for setting up of CMS;

(d) Whether it is operational, if so, in which parts of the country; and

(e) If not, the time-frame within which setting up and operationalization of CMS across the country is expected to be completed?

Answer:

(a) and (b) Sir, the responsibility for execution of Central Monitoring Systems (CMS) has been entrusted with Centre for Development of Telematics (C-DOT). Most of Research & Development work has been completed. The Centralized Data Centre has been installed. Interception Store & Forward Servers (ISF) at the premises of Telecom Service Providers have been installed. Civil & electrical related environment works are at final stage of completion for the Regional Monitoring Centres. Installation activities at Regional Monitoring Centres have been initiated. Testing work has been initiated at Centralized Data Centre.

The envisaged salient features of CMS are as follows:

(i) Direct Electronic Provisioning of target number by a Government agency without any manual intervention from Telecom Service Providers (TSPs) on a secured network, thus enhancing the secrecy level and quick provisioning of target.

(ii) Central and regional database which will help Central and State level Law Enforcement Agencies in Interception and Monitoring.

(iii) Analysis of Call Data Records (CDR) to help in establishing linkage between anti-social/anti-national elements.

(iv) Research and Development (R&D) in related fields for continuous up gradation of the CMS.

(c) The CMS project has been approved by Cabinet Committee on Security with Government funding of Rs. 400.00 Crores. The equipment worth Rs. 255 Crores has been purchased and installed against which an amount of Rs. 149 Crores has been paid.

(d) & (e) Presently project is in roll out phase and not operational. The commissioning of CMS Delhi has been planned in phased manner. The Delhi and Karnataka Licensed Service Areas have been planned for initial roll out. 

Question 4: (Multi-Stakeholder model of IG)

(a) The Government’s view on the future on Internet Governance, given its opposition to the widely held multi-stakeholder model propounded at NETmundial;

(b) The Government’s rationale behind not conforming to the Multi-Stakeholder model for Internet Governance put forward at the NETmundial; and

(c) How Government supposes that the Multi-Stakeholder model impedes the principles of being multilateral, transparent, democratic, and representative, with the participation of Governments, private sector, civil society and international organizations?

Answer:

(a), (b) and (c) Government will take a view on the future of Internet Governance taking into account all issues which affect Internet’s growth and India’s interest in the matter.

Question 5: (Data Privacy and IPR Laws)

(a) The steps taken by Government to engage the India-US Working Group on Information and Communication Technologies (WG-ICT) on Digital India initiative thus far;

(b) Whether Government has the requisite measures for data privacy and intellectual property rights of local and foreign manufacturers in place to ensure an attractive IoT Market in India; and

(c) If so, the details thereof?

Answer:

(a) The meeting of the Working Group on Information & Communication Technologies (ICT) was held during 14th -15th January 2015 in Washington DC, USA. Amongst other issues, the two sides discussed cooperation framework under the Digital India Programme. Further a Joint Declaration of Intent for cooperation in the field of Information & Communications Technology and Electronics has been signed between the two countries on 20th January, 2015. One of the objectives under the aforesaid Joint Declaration of Intent is to explore the opportunities for collaboration in the course of implementation of India’s ambitious Digital India programme.

(b) and (c) The Information Technology Act, 2000 has adequate provisions for data protection and data privacy in digital form. Sections 43, 43A and 72A of the Information Technology Act, 2000 provides a legal framework for privacy and security of data in digital form. Further, Indian laws relating to Intellectual Property Right have been suitably amended and are TRIPS compliant

Question 6: (Net Neutrality and OTT Services)

(a) Whether there have been reports of private operators attempting to charge consumers premium rates for the use of services provided by Over-The-Top players;

(b) If so, the details thereof;

(c) The steps being taken by the Ministry to protect consumers from similar attempts in future; and

(d) the steps being taken by the Ministry to safeguard investor sentiment in the telecom sector?

Answer:

(a) & (b) Telecom Regulatory Authority of India has reported that M/s. Bharti Airtel Limited reported that effective from 23.12.2014, all internet/data packs or plans (through which consumers can avail discounted rate) will exclude Voice Over Internet Protocol (both incoming and outgoing) and standard data rates will be applicable for VoIP. Subsequently, M/s. Bharti Airtel limited reported withdrawal of the same with effect from 26.12.2014.

(c) Does not arise in view of (a) & (b).

(d) Telecom licenses are governed by license agreements which are entered by Department of Telecom (licensor) with telecom service providers (licensees). At present 100% Foreign Direct Investment (FDI) is permitted in the telecom services sector, with 49% through automatic route and beyond 49% through Government route.

Both the domestic as well as Foreign Investors have to follow the laws of the land and are treated at par. As far as FDI is concerned, the investment is protected through Bilateral Investment Promotion and Protection Agreements signed by India with 72 countries.

—-

(Sarvjeet is a Project Manager and Research Fellow at the Centre for Communication Governance at National Law University, Delhi)