Originally Published 2011-07-20 00:00:00 Published on Jul 20, 2011
In a stratagem that would make Sun Tzu proud, the government first velvet-gloved an iron fist and then clamped down hard on digital freedom and enterprise
The great Indian strangulation trick
The Indian digital jungle is in a flap. The very DNA of mega corporations, open source advocates and civil rights activists predisposes a relationship where the hunter and the hunted are clearly defined. So when the proverbial Lion and the Gazelle come together like a Panchatantra fable it’s time for a story.

When the Government of India notified a gazette for an innocuous sounding Information Technology (Electronic Service Delivery) Rules, 2011 in April, there was barely a ripple. But when the implications of the fine print dawned like the first rays of the harsh summer sun on the digital landscape it brought together giant companies, open source advocates and rights activists - usually implacable foes - into an unlikely alliance.

What spooked all of them into coming together was the manner in which the government was doing a mean big brother act by putting on a tight squeeze on access to the most precious resource in the digital jungle - the Internet itself. Using the fig leaf of ’sensitive personal information’ and ’reasonable security practices’, the gazette issued an entire set of rules that has made the provisions of IT Act 2008, especially those mentioned in Section 43A, liable to be interpreted in a subjective manner. Needless to say, subjectivity and law are to each other what Nazi Germany was to Jews.

Like all fables, there is a back-story to this one too. The IT Act 2000 was considered by many as a well-thought out legislation providing just the right amount of regulation to the ample freedom required for digital enterprises to flourish. The Act provided clear-cut definitions for digital signatures, electronic forms, data, cyber security, communication device, electronic record; all of which became the backbone for a transaction-driven electronic commerce.

But somewhere along the line as the digital media enterprises started becoming stronger, diverse and a repository of relatively independent points of view, the government found itself with the familiar itch to control the goose that laid the golden eggs. It started by quietly chiseling away at the framework with an aim to ’control the transmission and distribution’ of content. The culmination of the government’s efforts was the IT Act 2008. Almost like someone caught with their hand in the cookie jar, the government hastily passed the Act on December 23, 2008 in the Parliament without even a single discussion. A closer look reveals why.

Sections 67, 67A, 67B, of Chapter XI of the Act, deal with punishment for publishing or transmitting obscene material, including material containing sexually explicit acts, in electronic form. Through a craftily worded line ’Whoever publishes or transmits or causes to be published or transmitted in the electronic form...’, the government blurred the distinction between publishers, distributors, including sub-distributors, syndicators, retailers, ISPs, telecom service providers, content creators - a vast eco-system in itself comprising of MVAS providers, repositories having legal Digital Rights Management (DRM) - and final consumers.

In deliberately obfuscating the distinction, the government took upon itself the role of an interpreter and could theoretically put the onus of responsibility for any ’objectionable content’ on pure play bandwidth providers (as transmitters) to content aggregators and searchable repositories (like Google) to e-commerce websites using a Peer-to-Peer (P2P) model. The fear of the government flexing its considerable muscle power is not misplaced considering that Baazi.com CEO Avnish Bajaj had to face the wrong end of the stick in 2004 for a sex clip allegedly placed by a registered user on his site. A real life analogy may help understand the implications better. When an accident happens on a road owned by the municipal corporation, does the chairman of the corporation serve a jail sentence?

Section 67C of the Act, which provides for retention of information by intermediaries, implicitly arms the central government with a ’use anytime hammer’. It provisions for the government to retain information for as long a duration as may be specified by it. It has the civil liberty advocates boiling, and for good reason. The entire digital world has been opposed to any retention of personal information either by corporations or by the government. A case in point is the massive backlash that greeted Facebook’s attempt to churn personal data for their recommendation engine. Facebook hastily backed down when they saw the intensity of the uproar.

Similarly, Sections 69, 69A and 69B of Chapter XI dealing with interception, monitoring, decryption, blocking of computer resources, including blogs and websites, and collecting traffic data through any computer resource or cyberspace has also placed upon the government an arbitrary power to insidiously infiltrate any computer system and monitor the stored data or transmitted data.

That is the back-story to the current atmosphere of fear and consternation in the Indian digital space. In fact, in retrospect and with the benefit of hindsight, it is almost as if the government had first built a strong foundation to strategically position big caliber guns to cow down the irrepressible energy of the digital world. Those big caliber guns turned out to be sub-rules 2, 4 and 7 of the innocuous sounding gazette mentioned earlier. These sub-rules deal with Intermediaries mentioned in Sections 87 and 78 of the IT Act 2008.

Sub-rule 2 states ’Users should not host, display, upload, modify, publish, transmit, update or share any information that is grossly harmful, harassing, blasphemous, defamatory, obscene, pornographic, paedophilic, libellous, invasive of another’s privacy, hateful or racially or ethnically objectionable, disparaging, relating or encouraging money laundering or gambling or otherwise unlawful in any manner whatever...’

Further it states ’users may not publish anything that threatens the unity, integrity, defence, security and sovereignty of India, friendly relations with foreign states or public order or causes incitement to the commission of any cognisable office or prevents investigation of any offence or is insulting to any other nation.’

There is immense potential for subjective interpretation of phrases - grossly harmful, obscene, racially or ethnically objectionable (who decides this?), blasphemous (what happens when McDonalds advertises on the Internet for a beef burger. Is it blasphemous for Hindus?), invasive of another’s privacy (who interprets what is invasive of privacy? Will the posting of an ex-girlfriend’s pictures be considered as invasive of privacy?), encouraging money laundering, gambling (what about advertising networks that display advertisements from countries where gambling is legal), public order (did the Internet signature campaign for Jan Lokpal Bill movement threaten public order?), unity, integrity, defence, security, sovereignty of India, friendly relations with foreign states (did the Wikileaks expose threaten all of the above?)

Sub-rule 4 states ’The intermediary on whose computer system the information is stored or hosted or published upon obtaining knowledge by itself or been brought to actual knowledge by an affected person in writing or through email signed with electronic signature about any such information as mentioned in sub-rule (2) above shall act with thirty six hours and where applicable, work with user or owner of such information to disable such information that is in contravention of sub-rule (2). Further the intermediary shall preserve such information and associated records for at least ninety days for investigation purposes.’

This has brought about a fundamental change in IT Act 2008, which mandated that the complaint about any piece of information hosted or published could be made only by an ’authority mandated by law’. Sub-rule 4 removes this additional check allowing even individuals to complain to the ISP, which then has been instructed to pull down the ’offensive information’ within 36 hours. By default sub-rule 4 seems to give the ISPs the power to decide whether a complaint is genuine or not. So here’s another real life analogy to make the implications clear. My neighbour complains that I play loud music to the electricity company. The company in its infinite wisdom decides within 36 hours that the complaint is genuine and disconnects my electricity connection. Now tell me it doesn’t sound absurd.

Sub-rule 7 on interception states ’When required by lawful order the intermediary shall provide information or any such assistance to government agencies who are lawfully authorised for investigative, protective, cyber security activity. The information or any such assistance shall be provided for the verification of identity or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law for the time being informed, on a request in writing stating clearly the purpose of seeking such information or any such assistance.’

Again a fundamental change as the IT Act 2008 did not allow intermediaries to disclose personal information. While the sub-rules are the big hitters, there are other relatively smaller changes that will have a long-term impact on the very business model of digital enterprises. Cybercafé is now defined as ’any facility from where access to the Internet is offered by any person on the ordinary course of business to the members of the public.’

By referring to cybercafé as any facility that offers Internet it will impact the business models of companies rolling out Wi-Fi hotspots and as also of hotels, restaurants and small coffee shops that want to provide patrons with Wi-Fi connection. Moreover, the mandatory ’licensing of cybercafés’ and the establishment of a ’licensing authority’ is not only indicative of a license permit raj mindset of the government, but it also makes it difficult for the government itself to meet its ambitious targets for internet penetration.

For anybody planning to open a small cybercafé the entry barriers have suddenly shot-up. The gazette requires cybercafés to be constructed in a manner where every single computer screen is publicly visible. Additionally logs of patrons, proxy servers, network devices (routers and switches) and firewalls are to be maintained by the owner. Cybercafés are critical for increasing equitable access to Internet connectivity in tier 2 and tier 3 towns. And it’s precisely when these small enterprises need a boost that they have had huge metals chains clamped on to them.

Taken together as a composite picture, IT Act 2008 and the recent gazette notification make for a dark, gloomy future with a new fully armed cowboy - the government - entering the digital jungle. No wonder the hunter and the hunted are standing together trying to ward off this new threat.

R. Swaminathan is a National Internet Exchange of India (NIXI) Fellow.

Courtesy: Governance Now 
The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.