“If you look at the rules,” one participant said at MediaNama’s discussion on Safe Harbor in Bangalore on the 25th of January, “there’s a duality in them. One is traceability and other things; helping you to get to the end user. The other is attribution of responsibility to the intermediary.” The idea behind traceability is that “Someone has to take responsibility for the content,” one participant said, highlighting that “intermediaries also intermediate between the government and end users, a lot of whom are anonymous or can only be ID’d by the intermediary.” “Traceability can possibly change the risk-taking profile of the user who has a presumption of anonymity in behavior.”
“So what you’re trying to alter is also behavior at the edges, where the user feels like this may be encrypted, but I could be found out by the government. So changing behavior at the ends, but also the cost of enforcement to both private and public entities.”
Holding the user, instead of the intermediary, to account for behavior was a key theme during the discussions, and that rests on the idea of traceability. “That also safeguards the intermediary”, one participant said.
Proactive monitoring of users and content for takedowns may not be proportional
The proactive takedowns provision was also equated with proactive monitoring of all users and all content, especially if it involves personal information. “The onus here is on the private parties to do it. There’s the question of informational privacy being a right versus the state. The state itself is enforcing that provision.”
That could be argued as being violative of the Puttaswamy judgment, which affirmed the fundamental nature of the Right to Privacy in India. “It’s a catch 22”, one person said, “If intermediaries don’t proactively regulate content on their platform, they lose the safe harbor protection, but if they do, they potentially violate Puttaswamy.”
“Many countries have best practices to not require social media users to actively identify you, for several reasons. To not link your real world identity. Unfortunately Puttaswamy doesn’t make clear whether there’s a general right to anonymity under the constitution. It does make reference to it in certain paragraphs, most closely linked to the Canadian right to anonymity, but also leaves enough space for legitimate government interests for traceability, so I don’t think there’s a clear answer there.”
“The other concern,” one participant said, “is that the power to require the intermediary to share details of the originator seems to be quite unfettered. There are no guidelines on specific grounds under which they can actually seek that information. This is not linked to typical due diligence grounds or to clause 2. This could be a fishing expedition where you take advantage of technical ability of the intermediary and undermine the right of freedom of speech of users.”
API access to user data?
“When required by lawful order, the intermediary shall, within 72 hours of communication, provide such information or assistance as asked for by any government agency or assistance concerning security of the State or cyber security; or investigation or detection or prosecution or prevention of offence(s); protective or cyber security and matters connected with or incidental thereto.”
One participant said that usage of the word “assistance” essentially enables API access to private party data.
“This is classical architecture for the CMS [Centralised Monitoring System]. So if you historically look at what the Home Ministry has done, they’ve been working on CMS, which connects about 750 odd databases into a single portal using APIs and stuff like that. The first set were across phone calls. Then you keep doing it over a period of time, and you get into API integration, quarterly, annual, and finally real-time. This is how I read it. This is how it works.” [Before the CMS], the government had to send people to sit in the mobile operators office, and listen in and figure out what’s going on. “Now they don’t even need a warrant, it’s just a pull from the telcos.”
Assistance here means API integration in your database.
It seems this might already be happening. A participant claimed that they had received a notification from the Ministry of Home Affairs, and that all Prepaid Payment Instruments had received it, asking them to provide API access to fraudulent users’ data. Some participants wondered whether the MHA has the jurisdiction to request API access, since that might be disproportionate, while the RBI does, since it has a supervisory role for all payments.
Another participant questioned whether a Section 79 provision, which is meant to provide safe harbor, should be the place for enabling access to data.
Impact of these changes
“To some extent I see it as it happens in the US. Shadow brokers, whose business it is to get data and give it to the government”, one participant said. “This is one method to get all that. Will FSSAI come tomorrow and make requests? Who can come and take data? And how much data can they take? Can you just suck up all my data and sift through it? Those are the questions we’ll ask as platform creators.”
One representative of a company said “How can we say no, we won’t provide all this data. A platform like us, we have a no-logs policy, can that run afoul in the first place and the government can force us to store logs? We have nothing to give you. What happens tomorrow for VPN providers? Do they get outlawed overnight? The ramifications are very large.” Other participants echoed the sentiment that this becomes problematic when it concerns VPN providers.
Can WhatsApp even enable traceability?
“Let’s say there’s an order”, one participant asked, “issued to WhatsApp or other platforms for a decryption key or interception monitoring to tackle a terrorist attack. The potential if they don’t comply with this is not just non-compliance. Can the government argue then that now that 79 exemption is gone— because that’s what 79 does, it exempts you from an illegal message that was transacted. Is there a potential liability for a message which is transacted which is illegal in nature, and conducting warfare against India, and would the company face liability for not complying?”
“You can trace users unless they’re going through VPN, and there are ways around that. WhatsApp can’t pinpoint everyone. Very easy to get metadata and make judgement there. Content is what is protected. Everything under the sun is there in metadata. Other thing is Apple case in the US, where Apple said no. I can’t imagine anyone in India showing the guts to say no like that.”
But can WhatsApp even enable traceability? “The Signal protocol [which WhatsApp uses] is hard to decrypt unless you build a backdoor. On WhatsApp Signal protocol, it’s very difficult.” Another participant said that “WhatsApp is based on Signal protocol. Signal has sealed sender capability. It encrypts your certificate also. Only when the receiver gets the message, it’s traced. Traceability is not defined, what kind of questions will Ravi Shankar Prasad ask? Communication metadata can be given by WhatsApp, but not by Signal sealed sender.”
Another participant questioned even whether a user can be identified: “User is person who wrote the message or forwarded it? WhatsApp doesn’t preserve record of original author of message on forwards. So can WhatsApp modify their app to preserve that feature? Can users modify their app to work around that? Definitely. Traceability can be introduced but you won’t catch the real culprits.”
“I represent an [redacted] company and we have anonymized user data. Tomorrow if crime enforcement people come asking for information what will happen? Blanket data would impact our business as we weaken user privacy”. Another company representative asked whether “Under any of these acts can government ask me to include logging of data?”
What will the government do if someone doesn’t comply? “Then they’ll just ban whatever doesn’t comply” … “Ultimately it’s about the guy with the gun to your head. You have no choice but to comply.”
Review the IT Act
“The IT Act has been in existence since 2000, and we’re in 2019. Significant amendments were last made in 2008. It’s high time we review the whole act instead of going piecemeal in terms of what is there.”
Be careful what you wish for…