In February, the Modi government’s notification of Information Technology Rules was met with concern and criticism. There were demands for the withdrawal of the rules, primarily because of their negative impact on the right to privacy and freedom of expression and their overbroad scope. Several challenges against these rules are pending in various High Courts, and some of the interim orders issued indicate that these courts share concerns about the rules’ unconstitutionality.

There has also been a lack of clarity on how key aspects of the rules are to be complied with, including, for example, which platforms need to comply with the requirement to trace the “first originator” of content.

In early November, the government released “Frequently Asked Questions on Part-II of the IT Rules”, in an attempt to provide clarity and allay concerns. (Part II of the rules set out due diligence requirements, including traceability and establishes a grievance redressal mechanism. This part applies to intermediaries, and “significant social media intermediaries”, which are those with more than 50 lakh users).

However, it arguably fails to allay concerns, and the limited clarity they offer is on certain procedural aspects relating to the appointment of compliance officers. The questions otherwise rehash old defences, for instance with respect to traceability, that does not substantively address concerns raised by civil society, tech companies and internet users.

This article provides rebuttals to the government’s justifications for the IT rules – with respect to both Part II and Part III on the code of ethics for digital media – which have come up time and again, most recently through the frequently asked questions, to demonstrate how they jeopardise the right to privacy and freedom of expression.

Chilling effect

According to the central government, Principles of reasonableness and proportionality” have been taken into account while framing the rules, and they “create a harmonious, soft-touch oversight mechanism”.

However, with respect to all online content including news and current affairs, the rules create a three-tier structure for grievance redressal with the central government at the top of the pyramid. The government also exerts a degree of control over the second-tier involving self-regulatory bodies of publishers, as they need to be registered with the Union Ministry of Information and Broadcasting.

Effectively, the government has the ultimate authority to determine what stays online with the power to direct modification or deletion of content. This will have a chilling effect on free speech. Far from a soft-touch mechanism, this framework tightens the government’s grip over free expression online. Reasonableness and proportionality would require meaningful checks and balances limiting arbitrariness and including independent, judicial oversight.

Public consultation

The Centre also claims that the rules were finalised only after “elaborate consultations with the public and stakeholders”.

While the previous draft of the intermediary guidelines released in 2018 went through public consultation, the current version was not placed in the public domain prior to being enforced. The 2021 rules contain provisions that are either dramatically different from the ones in the previous draft, such as the one on traceability or did not feature in the previous draft at all, such as the code of ethics for online news, OTT platforms and digital media.

Given that these rules have the potential to completely change the internet landscape in India, and their impact on fundamental rights and freedoms, they should be withdrawn and put through an open and inclusive public consultation.

Privacy concerns

The government claims that “the rules do not affect the normal functioning of WhatsApp and there will be no impact on the common user”. It also claimed that “sufficient legal safeguards have been incorporated while framing the order to trace first originators of information, and would only be adopted as a final measure after other options have been exhausted”.

The traceability mandate will require end-to-end encrypted platforms like WhatsApp and Signal to fundamentally alter their architecture to the detriment of users. A defining feature of WhatsApp, Signal and other end-to-end encrypted communication platforms, is that no third party, including the service provider itself, can access the information shared between the sender and the intended recipients. Even in the best-case scenario, the traceability mandate would undermine or weaken encryption by requiring that the originator’s information, or a kind of identifier, be tagged with a message, thereby creating additional data collection and retention obligations and compromising users’ privacy and anonymity.

And in the worst-case scenario, the alterations to the platform to make more information of users available would result in a vulnerability that compromises or breaks encryption, resulting in the possibility of unauthorised access to communications and exploitation by malicious actors.

The traceability provision has a direct bearing on the right to privacy and freedom of expression and should have meaningful limitations on the government’s discretionary powers which it currently lacks. The government can issue a traceability order on overbroad grounds, the provision does not adhere to the principles of necessity and proportionality recognised by the Supreme Court and there is an absence of independent judicial oversight, all of which point to the lack of sufficient legal safeguards.

The government’s response in the frequently asked questions does not address the argument made by civil society, security experts, tech companies and others several times over regarding the technical infeasibility of implementing traceability without undermining the privacy and security promise of end-to-end encryption. It continues to be premised on the false belief that traceability and end-to-end encryption can coexist seamlessly. Separately, the larger issue is that even if implementing traceability may be technically possible, the fact remains that it will jeopardise the privacy and free expression in an unnecessary and disproportionate manner.

Code of ethics

The rules aim to place online news platforms on a “level playing field” with print and broadcast media, according to the government. The decision to govern OTT platforms under the new IT rules was taken in light of complaints raised by civil society and parents requesting interventions. According to the government, “A robust grievance redressal mechanism has been provided while upholding journalistic and creative freedom”. The measures do not restrict freedom of speech in any manner, the government claimed.

Part III of of the rules create a structure that poses a serious threat to the independence of online news.

In India (as in many other countries) news media is regulated by a peer-based oversight mechanism. News media must adhere to the “Norms of Journalistic Conduct,” issued by the Press Council of India, an autonomous body under the Press Council Act, 1978. However, these are moral objectives and do not give a state body the power to remove content – an essential safeguard for the independence of the media.

All news media is subject to the existing regime of civil and criminal law, including the laws on defamation. Television news must adhere to a “Programme Code”, created under the Cable Television Networks (Regulation) Act, 1995.

In contrast, IT Rules create a three-tier grievance redress mechanism in which the third tier, the inter-ministerial body, has the final say over decisions relating to news content. This tier hears appeals from readers’ grievances, and the ministry can also directly approach it with complaints relating to the content. This effectively gives the government control over news content.

The grievance redress mechanism makes the publisher responsible for reporting on every complaint filed with the grievance redress officer. This removes the checks inherent in the judicial process – in effect granting a “trolls veto”.

Vague terms

The code also requires publishers to ensure content is in “good taste” and “decency”. These are vague and subjective terms – and could open publishers up to a wide range of complaints about the news they have reported. The Bombay High Court referred to the Code of Ethics as an impermissible “Sword of Damocles” hanging over people.

Similarly, the Code of Ethics for OTT platforms imposes constraints on the freedom of expression. The interdepartmental committee is comprised of bureaucrats, which in effect, grants the government the powers to act as a “super censor” of content. While the government says this brings OTT platforms at par with TV and cinema. It overlooks a fundamental difference between the two mediums.

While TV and the cinema are like “push” media (ie the material is broadcasted to the public at large), the latter is an instance of “pull” media, more similar to a video-rental store, available on demand. As consumers have more control and choice in the latter instance, the two types of platforms should not be censored in the same way. In any case, imposing more regulation on content is a retrogressive step, which takes us back to an era of greater regulation of expression.

In any case, regulating OTT platforms and digital news media is beyond scope of the Information Technology Act. Rules, which are issued by the executive branch of government, have to be confined to the subject matter of the “parent” Act that they are issued under.

Encryption undermined

The government claimed, “The rules aim at controlling the spread of fake news, the misuse of social media by criminals and anti-national elements, and ensuring online safety, particularly for women users, by restricting the circulation of pornography and morphed images.” The government aims to tackle this by “enabling identification of the first originator of such contents”.

These are all serious issues that need to be addressed. However, well-intentioned measures are not necessarily, as in this case, lawful or effective. Traceability undermines end-to-end encryption and its privacy and security guarantees.

Once traceability is implemented on end-to-end encrypted platforms, malicious actors will merely shift to other encrypted channels. The problem of illegal content online will not be resolved, and the public at large will be deprived of secure channels for communication.

Further, as experts have explained, traceability will be practically ineffective because the originator’s information, such as the mobile number, can be easily manipulated. Commercial services for untraceable messaging will burgeon and traceability is not an effective deterrent as is evident from the prevalence of disinformation on social media platforms on which users can be identified.

Any benefits of implementing traceability are hypothetical and would come at too steep a cost in terms of violation of the fundamental rights to privacy and freedom of expression.

Namrata Maheshwari is a policy counsel and Akhil Thomas is a policy fellow at Access Now, an international digital rights organisation.

Ria Singh Sawhney is a lawyer and researcher who works on digital rights.