On February 25, the Union government notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. Unlike the IT Rules of 2011, the new regulations include video streaming platforms and online news portals within their ambit.
For social media entities such as Facebook, Twitter and WhatsApp, which are defined as “social media intermediaries” under the new rules, discussions with the Union government on the renewed guidelines have been taking place for the past few years. The Ministry of Electronics and Information Technology even published draft rules in 2018 and invited public comments on them. Intermediaries include internet search engines such as Google, e-commerce platforms, internet service providers and other entities.
The new rules have two major implications for intermediaries – the dilution of the conditional “safe harbour” provisions guaranteed under Section 79 of the IT Act and the introduction of traceability of content. It has been the ministry’s consistent position that traceability is an essential requirement to fix culpability on the “originator” of unlawful messages.
The IT Act defines an originator as a “person who sends, generates, stores or transmits any electronic message” or causes it to be so but does not include the intermediary. Hence, via the newly notified rules, the Union government has made it liable for the social media intermediary to disclose the “first originator” of the information “for the prevention, detection, investigation, prosecution or punishment of an offence related to the sovereignty and integreity of India, the security of the state, friendly relations with foreign states or public order”.
On the other hand, almost all the major social media intermediaries have consistently argued that this requirement of traceability would violate privacy concerns presently protected by end-to-end encryption.
Despite this resistance, the Union government seeking to appear to be decisive, has resolved the disagreement in its favour, while the world still debates. The signals the government seeks to convey are quite apparent – we, the vishwagurus, will show the way how to reign in Big Tech decisively and boldly. In particular, where national security is at stake, there is to be no compromise.
Bhima Koregaon case
In 2018, the Pune police claimed to have received secret information from an informant that Delhi resident Rona Wilson and Nagpur resident Surendra Gadling possessed certain documents and letters concerning the banned Communist Party of India (Maoist).
Based on this claim, searches were conducted in April 2018 at both their homes and several other places in Mumbai and Pune. Several communications deemed to be incriminating were indeed claimed to have been discovered in the computers of Wilson and Gadling. The Pune police invoked the draconian Unlawful Activities (Prevention) Act and arrested Wilson, Gadling and several other human rights defenders and cultural activists in a matter that has come to be called the Bhima Koregaon-Elgar Parishad case.
It refers to an event called the Elgar Parishad that was held in Pune’s Shaniwar Wada on December 31, 2017, a day before lakhs of Dalits from across India gathered at the village of Koregaon Bhima to commemorate the 200th anniversary of a battle in which a Dalit contingent of the British Army defeated the region’s Peshwa Brahmins.
The police claims that clashes occurred between Dalits and people from upper castes in Bhima Koregaon was the result of a conspiracy by the human rights defenders and others now awaiting trial in jail.
Among those arrested was poet Varavara Rao, the 81-year-old uncle of the writer of this article. He is the only one of the accused to have received bail, having been released in February for six months on health grounds.
‘Assassination plot’
Among the documents that the police claimed to have discovered on the computer of these activists were purported messages between the accused and Maoist functionaries. The one that grabbed the attention of the media was a file named “Ltr_1804_to_cc.pdf”. In that document, Wilson is alleged to have written about taking “…concrete steps to end Modi-raj…thinking along the lines of another Rajiv Gandhi type incident”, with the insinuation being that an assassination was being suggested.
Considering the seriousness of this message that suggests a threat to the highest executive of state, it should have been imperative that the investigative agencies immediately trace the originator to take preventive and penal action. An immediate forensic analysis by a certified laboratory of the computer system and file metadata would help identify the originator.
However, forensic analysis commenced almost seven months after this discovery. It was conducted by the obscure Regional Government Forensic Science Laboratory which is not recognised as an “electronic examiner” under the IT Act nor has proper accreditation.
Further, even before the Pune RFSL could commence its analysis on October 14, 2018, Wilson and others had been arrested in June and August. In addition, even before the RFSL concluded its analysis on November 5, 2018, the Pune police rushed off a proposal to the state home department to grant it permission to prosecute the arrested men and women under UAPA.
As a result, even without identifying the originator of these unlawful messages, the government of Maharashtra granted sanction for the accused to be prosecuted for, among other things, having “conspired the assassination of the Prime Minister of India”.
To top it all, the final RFSL report merely established the existence of the files flagged by the investigative agency without any attempt to ascertain whether Wilson caused such an electronic message to be sent, generated, stored or transmitted. Without any authentication of the source of the files and in particular the file named “Ltr_1804_to_cc.pdf”, Wilson and others were imprisoned and compelled to face a trial, both in court and the media.
Quest for originator
Despite the deliberate negligence of the investigation agency and the government forensic laboratory to determine the originator of these highly unlawful messages, the search continued by some journalists and by the accused and their lawyers. However, this was only possible once the defence were provided with mirror images – or clone copies – of the digital evidence. This process of cloning the evidence began in November 2019 and remains incomplete.
In one such attempt, Caravan magazine noted that much of the system metadata related to the purportedly incriminating files were suspiciously deleted. It also reported on the existence of a malware that allowed remote access to Wilson’s computer. The magazine noted that Wilson’s computer had a 2007 version of Microsoft Word installed, whereas the files, including “Ltr_1804_to_cc.pdf”, were generated and saved as PDFs by Word 2010 or Word 2013.
Though Caravan cast enormous doubt on whether Wilson was the originator of the unlawful message, it fell short of identifying its source.
Meanwhile, in January 2020, the National Investigation Agency, which is under the control of the Union government, took over the investigation. Other than arresting seven more activists, including an octogenarian Catholic priest, there was no attempt by this premier anti-terror investigation agency, to identify the originator of the message.
It was only when Arsenal Consulting, a digital forensic firm engaged by Rona Wilson’s lawyers, attempted to analyse the mirror images that the whereabouts and modus operandi of the originator became traceable.
The Arsenal report, which was made presented to the court in February, outlined how almost all the files flagged on Wilson’s hard disk and pen drive were delivered by a cyber attack due to his computer being compromised by the use of a remote access Trojan software called NetWire.
With regards to the file named “Ltr_1804_to_cc.pdf”, Arsenal said it had been delivered to Wilson’s hard disk by NetWire in a cyberattack session that lasted from the early morning of April 19, 2017, to midnight.
The cyberattack initially delivered an RAR archive (compression) file named “Ltr_1804_to_cc.rar” on April 19, 2017, at 18:42:27. Thereafter, the PDF file was extracting using an UnRAR executable file wherein “Ltr_1804_to_cc.pdf” came into existence at 18:43:41. The original RAR file used for delivery was then deleted at 18:44:31 to erase traces of this operation.
Malware operation
It is quite common for cyber attackers to use RAR archive files for document delivery as the extracted file retains the original “creation time stamp” – in this case April 18, 2017,15:27:20 – which would not be possible in a simple cut-and-paste or copy-and-paste operation.
The same method for document delivery was repeated twice on Wilson’s pen drive on March 14, 2018, within a span of six hours. “Ltr_1804_to_cc.pdf” was once again part of these deliveries.
Part five of the Arsenal report, while outlining the malware infrastructure, identifies 25 “command & control” IP addresses used at various times for these cyberattacks and for document delivery on Wilson’s computer. It further identifies these IP addresses to “Hostsailor”, a virtual private server which, according to a footnote in the report, is “entirely worthy of deep suspicion, if not outright distrust” and having “apparent propensity for hosting spammers, aggressive hackers and malware”.
It is a matter of grave concern that a message suggesting the assassination of the prime minster of India was generated and transmitted from a server having a dubious global reputation and having caused it to be stored on the computer of a citizen of India.
It is only logical that this government, which claims to give the highest priority to threats to national security, act immediately to identify the originator and to take off from where the Arsenal report ends.
What if the government still refuses to act, despite claiming that the plot to assassinate the prime minister is serious? What inference should one draw? One obvious possibility is that its own posturings on national security are mere chest-thumping to charm the electorate and gain advantage over a weak-kneed Opposition.
That would mean that its claims to further tighten control over social media, video streaming platforms and online news in the interests of national security are quite empty.
The real purpose, it would seem, is to regulate these entities to enable better surveillance on its citizens and to quickly identify information that may challenge the official narrative.
The other possibility is that the plot to assassinate the prime minister was never taken seriously. It was a mere creation of an “originator” working within the state or in close collaboration with it, so as to use it to threaten, arrest and incarcerate those who have been critical of the state.
In such a case, it would be naïve to assume that the government, on its own, would act to identify the “originator”. On its own, it cannot and would not identify or convict someone when it refuses to admit to the existence of that person – of course, unless compelled to do so by an independent judiciary and alert citizenry.
These narratives are not mutually exclusive. They may coexist in a devious, politically charged juggernaut willing to crush whatever lies in its path.
N Venugopal is the editor of Veekshanam, a Telugu monthly.