IT legal guidelines within the offing promise safer web however elevate many considerations
On an unremarkable autumn night recently, Mumbaikar Vaibhav Borle came face to face with the demons of India’s digital boom. The 23-year-old CA aspirant was pinged out on a post-dinner stroll when his Facebook Messenger. The message was from his uncle, Vinayak, who stayed in another corner of the megalopolis and had recently recovered from a bad bout of Covid. “I have an emergency, can you ask your dad to transfer Rs10,000 to the following account?” Vaibhav asked his father to send the money immediately.
He soon got another message asking for another Rs10,000. Vaibhav complied with that, too, but the warning bells started ringing when he got a third message asking for more. “That was when I thought it was strange, and I called mama up,” said Vaibhav. He was in for a shock when Vinayak told him that his Facebook account had been hacked and such messages were being sent to everyone on his friends list. A cousin abroad had already sent Rs50,000.
Vaibhav’s ordeal for the next few days involved running from police station to cyber cell to a friend’s mom who worked at the Reserve Bank to track the money trail. By the time the authorities froze the account to which the money was transferred―it was traced to a remote location in Uttarakhand―it had been emptied out. Vinayak himself struggled for a long time to regain his Facebook account. Even with the police involved, it took a week before the social media giant moved to restore the account to the original owner.
Vinayak and Vaibhav’s story is bone-chillingly commonplace. As everything from banking and shopping to socialization and entertainment moved online, it also spawned an entire ecosystem of crimes. Stealing, cheating, extortion, defamation, misinformation, incitement, violence, even murder―you name it, there is a digital version out there hunting for gullible Indians clicking that one wrong link or button. Jamtara, as it turns out, is everywhere.
Making matters worse has been the lack of laws and provisions to deal with this wave that had virtually turned an outing online akin to a sojourn into the wild west. On paper, the Information Technology (IT) Act of 2000 is the umbrella legislation covering the digital world, but it has proven woefully inadequate, as the nature and use cases of technology itself transformed over the years, leaving many of the law’s assumptions and provisions inadequate.
Though late, the authorities have woken up. “The challenges that the internet and the technology space represents today are far more challenging and the changing nature of technology far more disruptive, leading to the need of a new one [legal] framework,” said Rajeev Chandrasekhar, Union minister of state for electronics and IT.
The fightback will be primarily in the form of three new landmark legislations. The Telecommunications Bill, 2022, the first, will replace the Indian Telegraph Act of 1885, the Indian Wireless Telegraphy Act, 1933, and the Telegraph Wires (Unlawful Possession) Act 1960. Its draft is already out. The proposed law aims to redefine communications by bringing into its ambit all parties, from telecom service providers to over-the-top (OTT) players and internet-based communication platforms under one umbrella legislation.
The second is the Data Protection Bill, which covers matters of use of data as well as privacy. It was initially released in 2018 but withdrawn after major opposition from various quarters. A new draft was released recently and it is open for public consultation till December 17. The third is the ambitious Digital India Act (DIA). An all-encompassing law to oversee India online, it will replace the 22-year-old IT Act and is expected to be out next month.
The loudest opposition to the two drafts now out in public has been to the sweeping powers the government has assigned for itself to suspend the internet or intercept private communication by citing national security and public order. Also worrying are the new rules like a KYC clearance for users and a license for operators like WhatsApp.
“The biggest worry in a country like India is that if sweeping powers as envisaged in the draft bill, like intercepting messages and suspension of internet services proceeds and become part of the final bill, it may lead to abuse of power by the authorities,” said Satya Muley, a lawyer who specializes in constitutional law. “In the past we have seen political bosses use their power to satisfy their political aims and objectives. The concerns are genuine; it will impact the fundamental right to privacy and the right to communicate very seriously.”
While the authorities have been at loggerheads with messaging services on accessing their end-to-end encrypted messages for long, the issue is dealt with in a roundabout manner in the new law. “No provision as such touches end-to-end encryption and it will apparently continue,” explained Muley. “However, the bill gives sweeping powers to the center to intercept and access end-to-end encrypted messages in the event of public emergency, for protecting national security and public order.”
There is another danger. “Platforms providing end-to-end encryption will have to store such data to comply with the law. This will defeat the very purpose of end-to-end encryption,” said Kazim Rizvi, head of the public policy think tank The Dialogue. “Such large amounts of data being collected to comply with the law may present cybersecurity challenges in the form of attracting cyber attacks and forced breaches.”
The government’s effort to control pesky telemarketers has also come in the crosshairs as it envisages a KYC-style verification of every user on all platforms, including social media and messaging apps. “Users having to submit identification documents will affect user anonymity online, potentially having a chilling effect on free speech,” said Rizvi.
While there is clarity on spectrum allocation, bunching everyone from a cellular company to an internet platform under one umbrella and subjecting them to licensing has raised concerns. “Such omnibus and catch-all definition can compromise regulatory efficiency and affect the orderly growth of the internet economy,” wrote senior Supreme Court lawyer Gopal Jain in a column. “By extending licensing to OTT platforms and making them licence-centric, even though India jettisoned the license permit raj decades ago, [India is] set the clock back.”
“Licensing has not worked in countries like China,” said Rizvi. “It has historically acted not only as a barrier to entry for new players but can also affect growth and innovation in the industry as larger sums of money may be needed for compliance.”
Equally worrisome have been the dilution of powers of the Telecom Regulatory Authority (TRAI) under the new law. Also, it remains to be seen if Big Tech would really be reined in. Section 11 of the draft Telecom Bill waters down the regulator’s powers, though Telecom Minister Ashwini Vaishnaw has said that TRAI will be the implementing consultant for the new laws.
“Given the role the telecom industry plays―it is the backbone on which Digital India runs, we really need an independent regulator who will represent the interests of all stakeholders,” said Sunil David, co-chair, Digital Communications working group, IET Future tech panel. “I’m not very sure who is behind this [move] to dilute TRAI’s powers.”
And big tech? “In the current bills, we don’t see many rules that make Big Tech accountable,” said Muley. “But you can see that the government is proceeding in that direction by defining concepts like social media intermediaries, requirements for compliance and grievance officers.”
The government, on its part, is moving carefully, putting up all the draft rules for extended public consultations and showing readiness to modify at least some provisions. It knows too well the far-reaching impact of these rules, and does not want to make any missteps like what happened with the farm bills, or even the 2018 version of the data protection bill.
All the nitpicking on various provisions of the new laws apart, perhaps the only area everyone agrees on is that rules to govern the online space are long overdue―with internet of things (IoT) and 5G getting more and more into the connected ecosystem and new Modes like Web3 and metaverse knocking on the doors, trust, accountability and openness on the internet are even more crucial than ever before.
“The common man wants trust when he goes online. He doesn’t want his data to be misused, and if for some reason there is a misuse, there should be regulatory certainty―he should know who to go to if there is an issue,” said David. “The new laws should not stifle innovation and at the same time we don’t want lax regulation. Getting the balance right is important.”
(Some names have been changed.)