“If I [as a cloud service provider] get a notice today to share data even through a legal channel, I will have to contest it in court because I can’t implement what they [law enforcement] are asking me to,” said Venkatesh Krishnamoorthy from BSA – The Software Alliance. Intermediaries, including cloud service providers, often do not have access to data that law enforcement asks them for, or they are bound by confidentiality agreements. “Intermediaries such as cloud service providers do have access to some of client data, but they’re bound by contracts, and they also need to protect consumers’ right to privacy and free speech,” he said.
“In Andhra Pradesh, the police found a particular app problematic and approached the cloud service provider who was hosting this app [for access to the app’s data]. The cloud service provider said that they have only one option — to shut down the service, because they don’t know what aspect of its services the client [the app] is using at any stage,” Krishnamoorthy said. He was speaking at MediaNama’s discussion on Intermediary Liability in Delhi on October 23. The discussion was conducted in partnership with Centre for Communications Governance @ NLU Delhi, with support from Google, Facebook, and Friedrich Naumann Foundation.
“It’s technically not possible [for a cloud service provider to comply with a traceability request], and legally we can get into a soup if we try to implement some of this.” — Venkatesh Krishnamoorthy
Other intermediaries are routinely asked for information and data that they don’t have. Mozilla’s Sync service, for instance, essentially syncs a user’s password and bookmarks between different instances of a browser, but the data is never actually stored on a server; it’s simply sent from one instance of the browser to the other. “But not just in India but globally, Mozilla receives requests to share data that we don’t have, but via service that we provide,” said Udbhav Tiwari from Mozilla. “In such cases, the explanation we give is very similar to the explanation given for end-to-end encryption: we don’t have access to that data. There’s nothing for us to provide you and if you [law enforcement] would like, you can approach the two parties involved in that transaction directly,” he said.
Demanding information from an intermediary also means that the consumer, whose information is being sought, remains oblivious. People entrust their data to a cloud service provider on the sanctity of the promise that the data will be safe and secure, said Tanya Dayal Sadana from Ikigai Law. “When a decryption order is passed to an intermediary, the person targeted is the user, but the user is not informed,” Sadana explained.
“You go after the intermediary for information of the user. That creates a problem, because the intermediary has a contract with its users which is also sacrosanct but they are forced to break it.” — Tanya Dayal Sadana
Impact of traceability demands on ISPs
“We [ISPs] are living in a constant period of threat,” according to Brajesh Jain from the ISP Association of India. “Although only a Home Secretary is authorised to make an information request, the situation changes at the implementation stage as one goes down to the districts and local police stations,” said Jain. Local SHOs demand information with threats, he said. According to him, ISPs in Delhi face less trouble, since they are able to approach government officials, “but think of ISP in Guwahati, in Coimbatore, they are in deep trouble, and they are extremely scared of ramping up their business. This is seriously affecting them as intermediaries,” he said.
Moreover, the agencies that are authorised to demand information need to be defined. “Earlier, we were told that there are 9 such agencies, but 10th and 11th agencies have come up, but even this is not formalised anywhere. And we don’t know from whom we can get a request. Now for us every time [we get a request], whether it is IT, the police, or the CBI, it’s extremely troublesome to us. The government says that all telecom operators have the liability of fine up to Rs 50 crore. Such a figure for an ISP is extremely troublesome.”
Threats, oral requests, due process failures
Law enforcement following due process is an exception, said Prasanto K. Roy, an independent policy professional. Even Google’s headquarters in Gurgaon keep getting visits from the Gurgaon Police, including verbal demands for passwords, he said. “In another case, a restaurant which got very bad reviews went to the police against a restaurant reviews app. The police demanded the identities of all the people who posted bad reviews from the app. The app really pushed back and then the police gave a Section 91 request.” Police officers visit offices of ISPs, demanding information orally and threatening the company, said Brajesh Jain. “Most ISPs outside Delhi provide information without demur because [otherwise] it’s dangerous,” he said.
Traceability requirements are often coupled with a Section 91 request, and are often over-reaching, arbitrary, according to Suvarna Mandal from Saikrishna & Associates. “One can’t even determine the authenticity of the request because it’s just an email,” she said.
“More often than not, the data is anonymised or encrypted, or there’s an issue of informational privacy. I am pretty sure that police officers will not be aware that you have a certain criteria that you need to meet before you can break information privacy.” — Suvarna Mandal
“An information request is acceptable till the time I am not held hostage,” said Mehul Gupta from BIGO. “There are times when I am being arm-twisted to divulge information, and I am being shown as the devil in the room to the extent that [my] account’s getting frozen, which in turn impacts the businesses. Then I have to take a call because my business is suffering. They want us to do their job and they want every detail down to the T, which is very difficult for us to provide.”
Is traceability enforceable?
When it comes to WhatsApp messages and ‘forwards’, traceability breaks once people have the ability to copy and paste text between windows — which takes an additional one or two seconds.
“It doesn’t make sense to enforce traceability in this form because then you are telling people how to design technical systems that may not have anything to do with end-to-end encryption at all. The world is not going to do that just because there is a law that says that it should happen.” — Udbhav Tiwari
“For example, the IT Act contains provision for mandatory decryption, but end-to-end encryption is available in India, and people [intermediaries] can say that we can’t comply with that law because we don’t control encryption,” Tiwari said. “It’s important for the laws to be realistic and to not create provisions that would be technically unfeasible and it would just exist on paper,” he added.
What is an ideal traceability request?
The best case scenario would be a request that is legitimate, proportionate, and legally complies with standards such as the Puttaswamy test, according to Tiwari.
“But it’s also one that does not interfere in the technical design of systems, because many of these things are technical choices that start-ups, companies, entities of all sizes choose to make in terms of how they design the systems. Using law to regulate the design of technology, is not only very very ineffective but it very rarely works the way people want it to.” — Udbhav Tiwari
Similarly, a reasonable request for an ISP should be technically possible to comply with, said Jain. “A feasible traceability request for us is asking whom an IP number belongs to. Normally, it’s possible to do this, but when the WiFi comes, then it becomes a difficult situation: all we are able to give that this mobile number asked for the password. Beyond that we cannot do [anything],” he said. Even then, if that mobile number is not traceable for some reason, the police comes back to the ISPs, asking for a photograph, or whether the ISP took KYC.
A request should come from the competent authority, which is either the DoT or the courts, said Anjali Hans from Vodafone-Idea. “A reasonable request for traceability is the points at which it [the information or data] enters or exits our systems. We cannot go beyond what is within our system,” she said. So if someone is using a VPN, a telecom service provider would not be able to trace it, she added.
The first requirement is technical feasibility, followed by procedural safeguards in place and lawfulness of the order, or the competency of the agency or the authority involved, according to Snehashish Ghosh from Facebook India. But at the same time, the intermediary shouldn’t be taking a call on who the competent authority is, “that is up to the Government to decide”, he said. “The best case scenario for us would be judicial oversight or the judicial authority taking a call on it.”
Read our coverage of the discussion here: