News and Draft Intermediary Rules.

What I had originally intended to share was about the Thoughtworks e4r symposium which was thought-provoking event in its own way but probably would have to leave it for another day. This would be a long one . The first bit of news/reading I did last week was about why prescription glasses are expensive. I had seen the same when my glasses dropped, crashed in debconf 2016 and had gone to an optical shop to find it 1000x times more expensive than in my city. I had gone to couple of other shops and thought it might either be ‘tourist prices’ or there may be something that I do not know but never suspected the news story as shared above.

Another interesting news which I read about has been http/3 . It is sad that we don’t have any of the implementations packaged in Debian for people to play and experiment. Somebody had RFPed for Quiche but there are many more and hopefully it gets also integrated in the browsers as well. It does make lot of sense but probably may have its own security issues as well but that probably is a topic for another day.

The other interesting bit of news has unfortunately been in the security phase. For instance Amadeus was recently hacked, reported and fixed but the Indian scene is still the same. While I shared about ET Prime, the same could be said of almost all the Indian cyber landscape. In fact, I was party to some conversations which led me to know that India would soon be having its own cyber agency and would need at the very least 500000 cyber experts in case of a cyber mass-attack. This is part of the ongoing military reforms happening in the Indian armed forces, which similar to many countries is going to have tri-service integrations. This is more necessatited with recent data leaks from SBI and of course Aadhar saying we are all secure because we have 13 feet tall, 5 feet thick walls and that too in the Supreme Court last year.

Before starting the blog post I am reminded of words by a famous Indian-Pakistani writer called Manto who wrote “A writer picks up his pen only when his sensibility is hurt.” While he shared this with a judge during partition years it resounds and remains relevant even today.

Now let’s go to the crux of this blog post. MEITY i.e. the Ministry of Electronics and Information Technology published a draft for Intermediary Amendment Rules on the 24th of December 2018, approximately 3 weeks back asking for comments from public till 31st January 2019. I do commend the government for asking people’s comments on their proposed amendments to the draft rules. There are of course many things which the draft is unclear for reasons unknown. The timing is also a bit of mystery as it’s just 2-3 months before the Indian General Elections. But before we get down to the brass tracks and see what the proposed changes are all about, let us try to understand what it’s all about.

Before starting I should share that two organizations, Medianama and SFLC both organized interventions i.e. space to people to share their comments and suggestions. Medianama did one in Bangalore and one upcoming Delhi, while sflc did one sharing in Kochi. While the Kochi and Bangalore deliberations have already finished, people can apply to attend the Delhi one.

Intermediary in the above scenario applies to any digital platform where views are discussed. Which means it applies to each and every individual who uses Internet day in and day out. If you are using facebook, twitter, whatsapp, diaspora, mastadom, telegram and any other social media and a significant part of your social media userbase is from India, it is possible that as an intermediary you would be affected as well as the users. The draft rules cannot be looked at in isolation but are part and parcel of the data localization drive and the changes to wiretapping rule shared by the Govt. of India recently. There was also a news article which gives some idea of what we can see forward to as things go on.

So without further ado, let’s see what the rules are. The Rules would be in quotes while my observations, understandings would be directly underneath it.

The first part are definitions which basically calls out to IT Act 2000 as has been shared.

3. Due diligence to be observed by intermediary — The intermediary shall observe
following due diligence while discharging his duties, namely: —
(1) The intermediary shall publish the rules and regulations, privacy policy and user
agreement for access-or usage of the intermediary’s computer resource by any person
(2) Such rules and regulations, privacy policy terms and conditions or user agreement
shall inform the users of computer resource not to host, display, upload, modify,
publish, transmit, update or share any information that —
(a) belongs to another person and to which the user does not have any right to;
(b) is grossly harmful, harassing, blasphemous, defamatory, obscene,
pornographic, paedophilic, libelous, invasive of another’s privacy, hateful, or
racially, ethnically objectionable, disparaging, relating or encouraging money
laundering or gambling, or otherwise unlawful in any manner whatever;
(c) harm minors in any way;
(d) infringes any patent, trademark, copyright or other proprietary rights;
(e) violates any law for the time being in force;
(f) deceives or misleads the addressee about the origin of such messages or
communicates any information which is grossly offensive or menacing in
(g) impersonates another person;
(h) contains software viruses or any other computer code, files or programs
designed to interrupt, destroy or limit the functionality of any computer
(i) threatens the unity, integrity, defence, security or sovereignty of India,
friendly relations with foreign states, or public order, or causes incitement to the
commission of any cognizable offence or prevents investigation of any offence
or is insulting any other nation.
(j) threatens public health or safety; promotion of cigarettes or any other tobacco
products or consumption of intoxicant including alcohol and Electronic Nicotine
Delivery System (ENDS) & like products that enable nicotine delivery except
for the purpose & in the manner and to the extent, as may be approved under the
Drugs and Cosmetics Act, 1940 and Rules made thereunder;
(k) threatens critical information infrastructure.

Intermediary Draft Rules 24.12.2018 MEITY Part 1.

My observations would be on two fronts, the user/publisher as well as the intermediary as both are affected. Of course people can use each of the argument and say each as either as counterexamples or a strawman argument but that is upto them. My counter-argument is the often stated principle of jurispudence (law) which says ‘ let 100 criminals escape but not a single innocent man should be behind bars ‘ Presumption of Innocence . There is an interesting discussion about Presumption of Innocence itself which makes for some very interesting reading. Unfortunately, the draft reads as the user is a guilty party with vague reference to a Greivance officer without giving much background and relief to the Greivance Officer/s. What happens if a Greivance Officer takes a wrong judgement is not spelled out, neither does it talk about on any responsibility on the executive to seek any remedial relief or/and any regulatory authority who could be an arbitrator in contentious issues and there will be a lot for sure. More on this below though.

User a. – My objection starts from point a. itself i.e. a user cannot host, display, upload, modify, publish, transmit, update any content to which he does not hold the copyright to. The copyright of this document lies with MEITY. So by sharing it, discussing it I am by definition being a criminal. In such a scenario any investigative journalism, scholarly criticism or any critique of any nature just goes out of the window. If you could not even discuss policy implications such as above, the net wouldn’t be used for anything more than cat pictures and any propoganda from the ruling party. Terms such as public interest and Fair use, re-mixing, humor, parody, satire would just be terms to be used only in fiction as they would become irrelevant as things go on. If it would have said (credit the source) then that wouldn’t have a problem but saying that you cannot say or publish anything you do not have right to, goes right in the face of Newton’s shoulder of giants comment. I do not know what ideas they had, but it seems there is a possibility that the people at MEITY may have said deny all rights because as people comment, we could consider some of the points and people will take that as victory 😦 .

Intermediary a. – Now while I was thinking from the user POV, from the intermediary POV how does s(he) make a distinction between tweets or blog posts. One way is to simply have no hyper-linking which would defeat the idea of the web itself or have some very biased algorithims which will censor whole parts of a blog post or conversation/s. So we won’t have a democracy at all but autocracy which it seems to target at. This would also increase the costs of social media so only large corporates would be able to function and no startups would be able to function as there are and would be significant regulation cost.

User b. – not to publish content which is is grossly harmful, harassing, blasphemous, defamatory, obscene . From a user perspective I have problems with all of the above. Just few months back, a child of 15 years of age protested against the Citizenship bill of Assam. The issue is a simple or a complex one depending upon what outlook you take. It relates to the Assam accord of 1985 which partially pertains to the Bangladesh Liberation War of 1971.

Now I say it’s simple because as per the Assam accord, the agreement said that apart from people from people who came as refugees from the Bangladesh war, on a certain date, the rest of the people would be sent back to which the Government of India of that time agreed. The National Citizenship bill has been criticized by ethnic Assamese groups as the new bill while splitting families (there has been lots of documentation on that) also allows new refugees to come from Bangladesh i.e. Hindus, Christians, Buddhists and people of any religion except Muslims. The indigenious people feel it would change the demographics as it has mix of people from scheduled backward castes and tribes and Muslims. The Government of the day which is BJP says it will prevent ‘another Kashmir’ . Now depending upon your understanding and outlook you may label the above in any which way.

The obscene part above also comes under ‘ I know when I see it ‘ phrase which is also arbitary as best. It also seems a bit hypocritical as India is the 3rd country in the world when it comes to watching porn and is on road to have the biggest population on earth. With families still hesitant to talk about sexuality and almost no counsellor or therapist in most schools, most of the knowledge is nowadays garnered by many Indians watching porn. To take the most recent example, one of my favorite actresses Maanvi Gagroo acted in a series called ‘ Four more shots please ‘ who plays an exhibitionist for sometime because she feels she is not confident, has daughter-mother issues, has body issues which at least in my limited knowledge has been acted for the first time in an Indian visual setting. In fact, how much Indian men have to grow up can be seen from her own twitter handle. This is probably the first time I read ‘ These are personal views. Characters I play may not necessarily be.’ I am sure Shakti Kapoor didn’t have to write that even though he played a baddie in so many movies. I am hopeful and sure it may have been explored in Indian literature but that probably is getting out of context of where we were. There is also art, so if one were to take pictures from any southern Indian temple and post they will be censored. The same could be talked of a woman breast-feeding her child.

Another recent example that I can share is Mr. Krishnaraj Rao’s outburst on hearings against Lodha Developers. The Gentleman’s friend has bought a flat from Lodha Developers, Mumbai and saw lot of deficinies in what was promised and given. The flats were priced anywhere between INR 2 to 3 crores . He shared what is a belief by most Indians that Indian courts should have in-camera based proceedings for transparency purposes. I am sharing the youtube video and the playlist below so people can make their own opinion. Fortunately for him, there has been some positives due to his activity in social media. There is an education about youtube as well in one of the videos as well as well as judgement on live streaming by the Honorable Supreme Court of India which was shared by him.

As far as laundering and gambling are concerned, does it mean that as an individual you would not be able to invest in bitcoin (currently a grey area and both the Government and Supreme Court are mulling options) , or for that stock market or online lotteries . The problems here is it tries to be catch-all and fails. From what little I know Goa, Daman and Sikkim are at least three states where gambling is legal . There is of course Diwali gambling as well. My point being it’s a slippery slope.

b. Intermediary – The easiest would be to censor anything anyone says. As the twitter episode shares and the same above, the intermediary would be in quandry and probably censor.

User d – “(d) infringes any patent, trademark, copyright or other proprietary rights “

This is and has been already been covered years before, at least the patent, trademark and copyright rights in IT Act 2000. I do not understand what is being meant by other proprietary rights especially in today’s world we talk about open access and collaborative models for almost everything and anything. I would not go into details otherwise the blog post would become much longer than it already would be. Although I do have to say in my own experience, if I ever do come across free software community projects trademark impinged upon, a single comment or a private mail is enough to sort out the issue most of the times. I usually wait for 2-3 weeks and send a mail again CCing the free software project to follow it up in case they don’t credit the source or whatever issue it might be.

Intermediary d – I don’t know of any tools other than Youtube’s ContentID tool and the DMCA Scan which offers such a service apart from hollering people and asking them to takedown videos, articles etc. This is going to raise the costs of the intermediaries which means either paywalls or more privacy breaches as companies continue to make ‘us’ the product. Also such tools afaik are not free and are only used by big corporations who can pay the high fees for such a service.

User i – “friendly relations with foreign states, or public order, or causes incitement to the
commission of any cognizable offence or prevents investigation of any offence
or is insulting any other nation.”

The problem is that sometimes public good is at odds with the above rule. For instance in the recent Rafale deal controversy . Apart from many of the issues highlighted by the opposition to the deal, one of the biggest issues has been there is no knowledge of any technology transfer deal between the French Government and the Indian Government. In such a scenario even a lack of a screw could screw us literally in case of a war where the French Government and Dassault Aviation refuses to help us. The example I shared isn’t an exact match as a combat aircraft is much more complex than a Macbook pro which actually makes the issue much more problematic.

The same is and can be said about importing and exporting pulses , farmer fraud and the agrarian crisis in the country.

(3) The intermediary shall not knowingly host or publish any information or shall not initiate the transmission, select the receiver of transmission, and select or modify the information contained in the transmission as specified in sub-rule (2):
Provided that the following actions by an intermediary shall not amount to hosting, publishing, editing or storing of any such information as specified in sub-rule(2):
(a) temporary or transient or intermediate storage of information automatically within the computer resource as an intrinsic feature of such computer resource, involving no exercise of any human editorial control, for onward transmission or communication to another computer resource;
(b) removal of access to any information, data or communication link by an intermediary after such information, data or communication link comes to the actual knowledge of a person authorized by the intermediary pursuant to any order or direction as per the provisions of the Act;

(4) The intermediary shall inform its users at least once every month, that in case of non-compliance with rules and regulations, user agreement and privacy policy for access or usage of intermediary computer resource, the intermediary has the right to immediately terminate the access or usage rights of the users to the computer resource of Intermediary and remove noncompliant information.

(5) When required by lawful order, the intermediary shall, within 72 hours of communication, provide such information or assistance as asked for by any government agency or assistance concerning security of the State or cyber security; or investigation or detection or prosecution or prevention of offence(s); protective or cyber security and matters connected with or incidental thereto. Any such request can be made in writing or through electronic means stating clearly the purpose of seeking such information or any such assistance. The intermediary shall enable tracing out of such originator of information on its platform as may be required by government agencies who are legally authorized.

(6) The intermediary shall take all reasonable measures to secure its computer resource and information contained therein following the reasonable security practices and procedures as prescribed in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011.

(7) The intermediary who has more than fifty lakh users (5 million) in India or is in the list of intermediaries specifically notified by the government of India shall:
(i) be a company incorporated under the Companies Act, 1956 or the Companies Act, 2013;
(ii) have a permanent registered office in India with physical address; and
(iii) Appoint in India, a nodal person of contact and alternate senior designated functionary, for 24×7 coordination with law enforcement agencies and officers to ensure compliance to their orders/requisitions made in accordance with provisions of law or rules.

(8) The intermediary upon receiving actual knowledge in the form of a court order, or on being notified by the appropriate Government or its agency under section 79(3)(b) of Act shall remove or disable access to that unlawful acts relatable to Article 19(2) of the Constitution of India such as in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, on its computer resource without vitiating the evidence in any manner, as far as possible immediately, but in no case later than twenty-four hours in accordance with sub-rule (6) of Rule 3. Further the intermediary shall preserve such information and associated records for at least ninety days one hundred and eighty days for investigation purposes, or for such longer period as may be required by the court or by government agencies who are lawfully authorised.

(9) The Intermediary shall deploy technology based automated tools or appropriate mechanisms, with appropriate controls, for proactively identifying and removing or disabling public access to unlawful information or content.

10) The intermediary shall report cyber security incidents and also share cyber security incidents related information with the Indian Computer Emergency Response Team.

(11) The intermediary shall not knowingly deploy or install or modify the technical configuration of computer resource or become party to any such act which may change or has the potential to change the normal course of operation of the computer resource than what it is supposed to perform thereby circumventing any law for the time being in force: Provided that the intermediary may develop, produce, distribute or employ technological means for the sole purpose of performing the acts of securing the computer resource and information contained therein.

(12) The intermediary shall publish on its website the name of the Grievance Officer and his contact details as well as mechanism by which users or any victim who suffers as a result of access or usage of computer resource by any person in violation of rule (3) can notify their complaints against such access or usage of computer resource of the intermediary or other matters pertaining to the computer resources made available by it. The Grievance Officer shall redress the complaints within one month from the date of receipt of complaint;

(13)The intermediary shall strictly follow the provisions of the Act or any other laws for the time being in force.

Remaining part of Draft Intermediary Guidelines 24th December 2018 .

User (4) – Point 4 seems to be taken or inspired by Germany’s three strike laws or Graduated response. It seems seemingly absurd that one of the most ancient civilizations whose whole structure has been based on oral history and sharing folk stories and mythologies has been reduced to pander to big business and big content industries.

Intermediary (4) – No alternative but to delete and censor.

User (5) – The problem with this above is that the user has been presumed to be guilty without any safeguards. While I can understand in case of something like a DOS or a DDOS attack but more often than not, many of the actors may be benign actors other than the originator. And in such scenarios, the perpetrator is often overseas or beyond the geographical boundaries. The possibility of innocents being dragged is far more than the real culprits in situations like these.

Intermediary (5) – I am not sure how effectively will they be able to respond and what sort of expertise would be available. In today’s complex systems it is very much possible to have large co-ordinated DDOS attacks using more than one platform where it probably may have more than one originator and have wide variety of techniques at hand. Most of the big organizations have shown themselves to be weak security-wise even today so don’t think it will change anytime soon.

User and Intermediary (12) – This is important from both User’s and Intermediary’s perspective. In today’s digital environment many people derive incomes from either sharing digital experiences, code or whatever. One of the need or suggestion that I would have is for the intermediary is to share detailed transparency reports while fuzzing or blurring the suspect’s name. This would be valuable both from an educational perspective as well as digital societial perspective as well.

At the very end, I believe this whole exercise would add costs to already stressed independant intermediaries. Most of these intermediaries would either have to enact paywalls or find some other ways and means to sustain themselves. Especially small communities who are interested in deploying their own infrastructure would find it more difficult to make it sustainable. It also raises questions on what sort of digital society is the Government thinking and planning to create for us. I do not see the possibility of any new intermediaries (social media giant India) as the entry barriers have been made too high.

One thought on “News and Draft Intermediary Rules.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.