What is the “Originator or Traceability” provision in the Information Technology (Intermediary Guidelines and Digital Media Ethics Code), 2021?

Introduction

    The Ministry of Electronics and Information Technology (hereinafter MeitY”) and the Ministry of Information and Broadcasting (hereinafter “MIB) on 25.02.2021 notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (hereinafter Rules, 2021”). The Intermediary Guidelines replace the Information Technology (Intermediaries Guidelines) Rules, 2011 (hereinafter, “Rules 2011).

    Amongst various other controversial provisions, one of the provisions is the “traceability or the originator” provision. It requires significant social media intermediaries, which is a new class created under the 2021 Rules, to trace the first originator of a message. This provision would be applicable on tech companies like Facebook, Signal, WhatsApp, Telegram, Instagram. In addition to this, via Rule 6, the intermediaries with less than a user base of 50 lakh users would have to comply with Rule 4 or any of its provisions.

    Through this blog post, we would be tracing out the context of the originator’s or the traceability provision by detailing the safe harbour protection in India, Intermediary Liability Rules, its applicability, the significant social media intermediaries and the impact it will have on privacy and free speech in India.

    What are intermediaries and what is safe harbour protection?

      Intermediaries are entities that provide services enabling the delivery of online content to the end user. This includes internet service providers, search engines, DNS providers, social media platforms, cyber cafes. The Information Technology Act, 2000 (hereinafter “IT Act) defines an intermediary as:

      intermediary” with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes Telecom service providers, network service providers, internet service providers, web-hosting providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafe.”

      The intermediaries like the ISPs, social media websites, search engines play an important role in the dissemination of information but do not have any editorial control over their content. Therefore, they are given protection from any legal liability in the form of a safe harbour provision. This safe harbour provision in India can be found under S. 79 of the IT Act.

      However, the safe harbour provision in India is conditional in nature i.e. intermediaries can only avail benefits of this provision only when they comply with the guidelines notified under S. 79 as well as the conditions laid out in S. 79. These guidelines are now called the Information Technology (Intermediary Guideline) Rules, 2021 (hereinafter “Rules 2021”).

      What are the Intermediary Guidelines Rules, 2021?

        An intermediary would be required to comply with the provisions of these Rules in order to enjoy the safe harbour protection in India. Amongst various other provisions, these rules have added the requirement of take down of content within 36 hours in case of orders issued by the Government or court order, acknowledgment of a complaint/ grievance by grievance redressal officer within 24 hours and have set a limit of 15 days to dispose off the complaint, due diligence requirements including appointment of 3 different personnel, having a physical office in India.

        SFLC.in had previously submitted detailed comments on January 31, 2019 to MeitY on the draft Information Technology [Intermediaries Guidelines (Amendment) Rules], 2018 (hereinafter Draft Rules”) highlighting concerns regarding the traceability provision being excessive delegation of legislative powers, among other concerns. Further, SFLC.in submitted detailed counter comments to MeitY on February 14, 2019 in response to the comments of different stakeholders as uploaded by MeitY. Both these submissions had highlighted the adverse impact on privacy if originator’s provision is implemented.

        Who is a ‘significant social media intermediary’?

        The Rules have created a new class of intermediaries known as the significant social media intermediaries.

        As per the definition under S. 2(1)(v) of the Rules 2021, a ‘significant social media intermediary’ means ‘a social media intermediary having a number of registered users in India above such threshold as notified by the Central Government’.

        The Central Government has thereafter notified a threshold of more than 50 lakh users for a social media intermediary to be classified as a significant social media intermediary. Hence, tech giants like Facebook, Twitter, Whatsapp, Signal, Instagram among others will qualify as a significant social media intermediary.

        What is the traceability provision?

          Rule 4(2) of the Intermediary Guideline Rules 2021

            Rule 4(2) of the Rules 2021, mandates a ‘significant social media intermediary’ providing services primarily in the nature of messaging to enable identification of the first originator of the information on a computer source, as required by a judicial order or an order passed under S. 69 of the Information Technology Act, 2000 as per the Information Technology (Procedure and Safeguards for interception, monitoring and decryption of information) Rules, 2009.

            Further, the purpose for which such an order can be passed has also been specified to include offences related to, inter alia, the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, or of incitement to an offence relating to the above or in relation with rape, sexually explicit material or child sexual abuse material.

            One of the provisos to the Rule states that if the first originator of an information is not based in India then the first originator of that information in India would be deemed as the originator of that information.

            Draft 2018 Rule vs 2021 Rule

            The scope of the traceability provision, as compared to the Draft Rules of 2018, has been expanded significantly in 2021 rules. Under Rule 3(5) of the Draft Rules (2018), an intermediary was obligated to enable tracing of originator of information concerning security of the State or cyber security and investigation or detection or prosecution or prevention of offence(s) connected to the same, as may be required by legally authorised government agencies.

            Applicability to other intermediaries

              In an effort to further expand the scope of their applicability, Rule 6 of the Rules 2021 mandates that MeitY can order any intermediary other than a significant social media intermediary to comply with obligations as under Rule 4 in the event that the services of such an intermediary transmits information that can create material risk of harm to the sovereignty and integrity or India, security of the State, friendly relations with foreign States or public order. However, the same is to be done by providing reasons in writing.

              This means that services with a user base of less than 50 lakh such as Matrix, Diaspora may be required to fulfil the obligations of Significant Social Media Intermediaries under Rule 4.

              A background to the concept of traceability in Indian context?

                The legislative framework governing intermediary liability in India initially consisted of the IT Act and the Rules 2011 that were framed under Section 87(2)(zg) read with Section 79 of the IT Act. Thereafter, in order to review the same, MeitY published the Draft Rules that received 171 comments and 80 counter-comments during the public consultations.

                Antony Clement Rubin v. Union of India

                  The issue of co-existence of traceability of users with end-to-end encryption was raised in the Madras High Court, pursuant to a petition seeking to mandate linking the Aadhar with social media accounts of users, which was eventually rejected following the principles laid down in the Puttaswamy judgment. To address the issue, Prof. V. Kamakoti filed an affidavit and suggested that tracing of originator can be done by adding information of the originator with each message and displaying the same during decryption.

                  Another alternative to the same was suggested by Dr. Manoj Prabhakaran which emphasized on the long term risks involved in adopting Prof. Kamakoti’s proposal of introducing traceability on encrypted platforms. In that, Dr. Prabhakaran highlighted that Prof. Kamakoti’s proposal of enabling traceability was susceptible to the vice of falsification of the information of the originator. Further, he opined that even if the risks of spoofing can be addressed by using digital signatures, the proposal still has limited use in addressing the problem of fake news in the long run.

                  Currently, the Supreme Court is adjudicating on this matter since it has been pleaded by WhatsApp/ Facebook that it is impossible for traceability to co-exist with end-to-end encryption because even WhatsApp doesn’t possess the decryption keys and hence, cannot trace the originator of the message on its platform. The central question before the Supreme Court is to address whether any new feature can be added to social media platforms such as WhatsApp to enable the tracing of the originator of information. Here, the government of India had submitted that the Intermediary Rules would be notified in January, 2020. The last hearing took place in January, 2020 wherein the notification of the Rules was still awaited.

                  Ad-Hoc Committee of the Rajya Sabha

                    Subsequently, on January 25, 2020, an Ad-hoc Committee of the Rajya Sabha created “to study the alarming issue of pornography on social media and its effects on children and society as a whole”, submitted that Rules 2011 should be modified in order to enable tracing the originator of the messages shared on end-to-end encryption platforms in cases wherein child sexual abuse material (hereinafter “CSAM”) has been shared.

                    Despite the recommendations, MeitY and MIB have now published the Rules 2021 without any substantive consultations with the stakeholders on the rules.

                    India signs the Five-Eyes alliance statement against end-to-end encryption

                      In 2020, the Five Eyes alliance along with India and Japan as signatories released an international statement stating that end-to-end encryption poses “significant challenges to public safety” and therefore, stated their intention that there must be backdoors for law enforcement agencies in such services.

                      How will the traceability provision undermine your privacy?

                        These rules seriously impinge on the right to privacy as enshrined in the Justice K.S. Puttaswamy vs. Union of India (2017) by not adhering to the four pronged tests espoused therein-

                        1. the action must be sanctioned by law;

                        2. the proposed action must be necessary in a democratic society for a legitimate state aim;

                        3. the extent of such interference must be proportionate to the need for such interference. There should be a rational nexus between the objects and the means adopted to achieve them; and

                        4. There must be procedural guarantees against abuse of such interference.

                        In the present case, while the rules have sanction of law, they bypassed legislative scrutiny by virtue of just being tabled in the Parliament and not being debated upon. While the rules have been notified, the Government has not stated a legitimate state aim behind originator’s provision. The government has also failed to substantiate the non-availability of less intrusive means than the traceability provision. The procedural guarantees in the new rules are absent too.

                        The traceability provisions raise several legal concerns, which includes the following:

                        1. Lack of general guidance: Although Rule 4(2) seeks to mandate the identification of first originators, the provision is bereft of any procedural guidance on the same. This vests enormous discretion in the hands of law enforcement agencies to employ wide-ranging means to elicit such information.

                        2. Either/or situation; No transparency: The acquisition of information via Rule 4(2) requires the passing of either a judicial order or an order under Section 69, IT Act. This either/or situation gives the information-seeking agencies to circumvent judicial scrutiny since Section 69, IT Act lacks procedural safeguards. Further, orders passed under this section are not available in the public domain, thereby compromising on the principles of accountability and transparency.

                        3. Less intrusive means’: One of the provisos to Rule 4(2) states that an order cannot be passed if there are ‘other less intrusive means’ to identify the first originator. However, the said proviso stands of little to no value as the phrase ‘less intrusive means’ find no definition/guidance within the Rules, thereby rendering the proviso unclear and ambiguous.

                        The final proviso to Rule 4(2) states that on account of the first originator being located outside India’s territory, the ‘first originator of that information within the territory of India’ is deemed the first originator of the information. This proviso, in effect, forces social media intermediaries to ensure access to users’ entire chain of metadata communication. This carries a significant impact on several quarters:

                        Firstly, it will have a chilling effect on free speech. As of now, End-to-End encryption on instant messaging applications allows for dissent. If this is compromised, it would impact the working of protestors, activists, journalists etc. who rely on confidential sources to gather information.

                        Secondly, access to metadata communication means that companies will have to compromise on End-to-End (‘E2E’) encryption. In this regard, E2E encryption means that messages between two individuals cannot be accessed by any other entity including the social media intermediary. Therefore, any compromise on the E2E encryption design undermines the hitherto-existing privacy of communication over messaging apps, as ensured through end-to-end encryption.

                        Thirdly, companies will be forced to modify their existing tech-infrastructure to comply with this proviso’s requirement of metadata access.

                        Fourthly, it disproportionately impacts fledgling tech-companies since they have few resources to incorporate such changes into their tech-infrastructure.

                        Fifthly, the proviso disregards a vital canon of law: mens rea. This means that a video or news link with incorrect facts innocently shared by one person to another does not necessarily make the person sharing such link have the criminal intent to commit any crime. This may lead to several legal tussels. It also needs to be understood that an originator may not be the author of an information.

                        1. Fate of federated messaging applications like Matrix, Diaspora, Mastodon: Several messaging applications which are federated in nature such as Matrix, Discord etc. may cross the user base of 50 lakh registered users or may be categorised as significant social media intermediaries via a notification under Rule 6. However, these messaging applications are federated in nature meaning that various individuals, group of individuals or organisations use these applications for organisational or personal purposes. These organisations/ groups of people exist in silos and do not interact with each other.

                        Rule 4(2) does not elaborate if federated messaging applications would be deemed as significant social media intermediaries or not. On a broad interpretation of the threshold required for SSMIs, there is a possibility that the federated services would also be deemed as SSMIs.

                        1. Impact on Open-Source Applications: There are several services which are federated in nature i.e. are operated by various servers across the globe like Matrix (Element on PlayStore), Diaspora etc. The Rules, 2021 do not differentiate these services with centralised services. This could lead to compliance and regulatory challenges going forward.

                        SFLC.in is assisting a FOSS developer volunteering with FSCI, Praveen Arimbrathodiyil in his petition challenging Part II of the Rules, 2021 in the Kerala High Court. (To read more about this, click here)

                        1. Compromising technical infrastructure will compromise technical infrastructure across the globe: Technological implementations on a global level are not designed in a manner to incorporate significant infrastructural alterations territorially. WhatsApp or Signal, when required to incorporate traceability/ originator requirement in their technical infrastructure may find it challenging to do so without denting the privacy by design principle.

                        Incorporating this feature in India would automatically mean that SSMIs would be compromising their technical infrastructure globally and thereby, undermining privacy of all its users.

                        So far, we have not seen any instance where a company has been successfully or unsuccessfully introduced traceability without breaking end-to-end encryption.

                        1. Fate of small not-for-profit messaging applications: In addition to the traceability requirement, SSMIs would be required to have a physical office in India, appoint 3 different officers who would be residents of India - a nodal officer, a compliance officer, and a grievance redressal officer.

                        These requirements clubbed with the traceability required would make it difficult for companies operating with limited resources and staff such as Signal, Telegram, Matrix etc. to function in India..