‘A direct impact on free speech in cyberspace’

"The amended IT Act, 2000 is one cyber law that promotes e-commerce and grants legality to electronic communication. Prior to the November 26, 2008 attacks on Mumbai, the IT Act of 2000 covered the interception of information and the powers of the Controller of Certifying Authority to intercept information. However, a bill seeking amendments to this act was tabled in Parliament in 2006 and a report of a Parliamentary Standing Committee in September 2007 gave more coverage to cybercrime and cyber terrorism. Within a month of the November 26 attacks in 2008, the amendments were passed unanimously, notified in February 2009 and enacted in October 2009.

The act has a direct impact on free speech in cyberspace. It was a knee-jerk reaction to the preservation of national security rather than a well-thought out plan. By the new provisions, cyber security legislation reduces practical difficulties, makes cyber terror offences punishable with imprisonment and adds more categories of cyber crimes, like cyber nuisances, stalking, cyber harassment etc.

On the negative side, it makes all those crimes for which punishment is three years as bailable offences, save those crimes like cyber terrorism or breach of protected systems, which attract ten years punishment.

 

Regarding Interception, monitoring or blocking of any communication…

The other major drawback is that the new provisions, under Section 69, 69A and 69B, can intercept, monitor and block all communication • the last two provisions having been added after the November 26 attacks.  Earlier, there were various checks and balances • the Central Government had appointed the Controller of Certifying Authority as a statutory authority for this task.

But now, the Central government alone is the appropriate authority to intercept, monitor and block all information. So, whatever people talk or communicate in an electronic format • by audio, video or text • is now within the listening distance of the government. Primarily, there are no checks and balances to this. The government has now reserved for itself all rights to intercept. And, there is no statutory responsibility of the government to inform you that you are being intercepted. There are no checks and balances or to prevent potential misuse of this provision. The rules regarding this have been finalised but I need to check if they have been notified.

How does the monitoring actually happen?

I think the first steps would be to monitor, then intercept and then block • in its logical sequence. The problem here is that there are no checks and balances on the government or to prevent potential misuse of these provisions, because right now, the government is no longer required to go to a statutory authority or to the Controller of Certifying Authority.

Further, the government is authorised,  that, if it is satisfied that it is necessary or expedient to do so in the interests of the sovereignty or integrity of India,  defence of India (this is a new one added in the 2008 amendment), security, friendly relations with other countries, or public order or for preventing incitement to the commission of any cognizable offence relating to these, then it may direct any agency of the govt to intercept, monitor or decrypt, as well as cause to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource.

What does ‘Friendly relations’ mean? It is such a broad parameter

Decryption means to unlock, to ‘unsecure’.....Encryption is a methodology by means of which you secure any electronic information. the permission is to intercept, block and decrypt.

Typically, a communication is going from point A to point B. The government, without informing Point A or Point B, can first monitor - just watch what is happening and if they find anything suspicious happening, they enter • they intercept - which means they can make a copy of the communication and then they block....Technically, they have reserved for themselves the right to protect national security, primarily in the wake of the November 26 attacks. I think there is no doubting the argument that every sovereign nation has got the sovereign rights to monitor and intercept, as well as decryption. However, it is important that the legislature must keep effective checks and balances on the intercepting authority. But here, the legislature has not done so. If the government feels that it is necessary for it to do so, it orders interception, monitoring, decryption or blockage.

The amendments to the IT Act were passed unanimously. There was really no discussion or debate on this in Parliament.

I don’t think it has ever been tested. Pre-Amendment, it has never been tested and post-amendment, there have been no case. Most people are unaware or oblivious of the fact that there are provisions...Technically speaking, it is in part of the fundamental principles of natural justice or good conscience to inform the person who is being monitored. But the law does not mandate it • the writing of or of giving of notice to the person being monitored. Its unclear whether the rules have been notified yet, so we’ll have to see if there’s anything on this. But the Act itself is silent on this.

The role of CERT-In (Indian Computer Emergency Response Team)

CERT-In was created by a government notification in 2003 as the authority for blocking. But it has now been given tremendous powers...

Isn’t this completely in violation of the principles of natural justice? CERT-In draft the rules and then they sit in judgement...

Yes, that is the position. There has been a tremendous concentration of powers behind CERT-In which pales all the other statutory authorities like the CCA (Controller of Certifying Authority) into insignificance. Earlier, the CCA was very powerful. Now CERT-In is the de facto nodal agency for cyber security. In addition, there are no checks and balances on the powers of CERT-In, which is effectively, again, not a happy scenario, given the potentiality of misuse.

So I think, if you are a free speech expert or advocate for free speech, you have to realise that there are far more shackles on free speech because of the IT Act.

What about the role of the ‘intermediaries’ under the Act?

The ISPs have been brought into the ambit of a new concept created by law - the ‘intermediaries’ - under Sec 2 (1) (w) of the IT act. ....Sec 12 ...

This is a classical section which attracted a lot of attention and debate in 2004-05 in the Bazee.com case which led to the arrest of the CEO of the website and respond to the persistent demands made by the internet service providers on the issue of their liabilities. The new amendments are old wine in new bottles in terms of liabilities of intermediaries. They now say that if you are an intermediary, you will not be liable for third party data but for doing that, you must show that you are not involved in the transmission, you must show that you performed due diligence, you must show that you have not aided, abetted or conspired in the transmission, and that you must show that upon receiving the information of anything controversial, you acted in removing the material....if you did all of that, then you would not be liable...but if you fail to fulfil any one of the obligations...

Is that a better situation for the intermediaries?

Now, intermediaries are in a far worse situation than before. Section 79 is a classical wonder of legislation. It earlier stated, in positive covenant • it talked of network service providers, who would be liable for third party data. The new Section 79 now says the same proposition, but with a negative covenant. Now it has a far bigger ambit than the earlier Sec 79, which was only dealing with network service providers. Now, it has a wider canvas, as under this, intermediaries have been defined, with respect to electronic records, under Section 2 (i) (w) to mean:

Any person who on behalf of another person receives, stores or transmits any electronic records.. this also includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online auction sites, online-market places and cyber cafes.

....... Now, by a single stroke, the legislation has made it extremely vast to include all these categories. So  far more new people have been brought under the definition of the intermediary. The new law says that you will not be liable for third party data under Sec 79. However, you must fulfil the mandatory requirements under Sec 79 (2) where you provide access, do not initiate the transmission, select the receiver of the transmission, select or modify the information contained in the transmission, observe due diligence while discharging the duties under the act or observing guidelines the Central government may prescribe and Sec 79 (3), wherein you conspire or abet in the commission of the unlawful act or fail to expeditiously remove or disable access to material without vitiating evidence once you do receive actual knowledge or are notified by the appropriate authority that any communication link controlled by the intermediary is being used to commit the unlawful act.

This effectively means that in an online speech violation, not only the person doing the so-called violation is liable but the service provider is equally liable if the intermediary, after getting to know about the information, failed to expeditiously remove it. This reposes far more responsibility in terms of free speech, which effectively means that any free speech content which is true but uncomfortable, can be effectively gagged by the government under the garb of this legislation.

So, to that extent, I think the IT Act, with the amendments, is possibly one of the most overarching legislations in the country, because it is the only mother legislation which impacts all electronic communication devices...which virtually means 99 per cent of all electronic devices • the new amendments have brought communication devices under the Sec 2 (1) (h) (ha) • to mean cell phones, personal digital assistance or combination of both or any other device used to communicate, send or transmit any text, video, audio or image.

So, in the absence of a strong watchdog on the government, free speech is likely take a back seat.

No clarity on Privacy issues 

Another aspect of the IT Act is the lack of clarity on privacy. There is no law on privacy in India and the new amendments haven’t done much in this regard either. We have a very primitive way of looking at privacy. Section 66E penalises the violation of privacy but reduces the entire issue to the private areas of a person and even specifies which body parts are liable to be violated under this section (private area: the naked or undergarment clad genitals, pubic area, buttocks or female breast). The punishment for this is three years imprisonment or a fine of Rs Two lakh or both, which is bailable.

By keeping cyber crimes compoundable, there is also a deliberate loophole kept in the legislation and in several cases of cyber crime, getting convictions are difficult as those accused are getting bail and destroying evidence with impunity. There have been only three cyber crime convictions in the last 16 years though online cheating and crime is on the rise, with cases running into the thousands...

So, while it is difficult to penalise petty crime, the danger of free speech being penalised is ever present.