Unfolding the idea of privacy and India’s recent social media intermediary rules

As a layman’s idea of privacy in the past decades, it’s been one of the prevalent opinions that unless you are doing something “wrong” in the eyes of the law, there can be no actual harm that would arise from the surveillance. However, privacy has taken a turn since the events such as the Cambridge […]

by Pulkit Mogra - July 17, 2021, 4:45 am

As a layman’s idea of privacy in the past decades, it’s been one of the prevalent opinions that unless you are doing something “wrong” in the eyes of the law, there can be no actual harm that would arise from the surveillance. However, privacy has taken a turn since the events such as the Cambridge Analytica scandal, where it was alleged that Facebook’s likes were used to manipulate voting of the United States. Furthermore, Yahoo’s data breach across 4 Years that resulted in a humongous $117.5 Million settlement. Since then, the definition of consumer’s privacy has taken a turn towards its evolution.

In 2009, the CEO of Google, Mr Erick Smith, had a supporting statement on this view that, if you are doing something you don’t want other people to know, then you should not be doing it in the first place itself. But after a few months, when CNET published articles about the personal lives of google employees, google issued a note where it stopped its employees from conversing with CNET. In 2010, the CEO of Facebook, Mr Mark Zuckerberg, pronounced that privacy is no longer a social norm in an interview. However, post that Facebook has been a leading group engaged in developing products that have integrated privacy by design to protect itself from privacy breaches. Privacy by design in simple terms integrates the values of privacy right across through the entire engineering process for a product.

There exists a school of thought that modern society humans have compromised the privacy notions of the past. We do publish information online through posts, tags, comments, etc. Still, even then, there may be some data that one may not be comfortable publishing, keeping aside whether any wrong or a right act has been committed under the eyes of the law. It’s has been a psychological study that human behaviour changes when subjected to surveillance, be it at the professional space or public space. Ideas of naming, blaming, and shaming has been a powerful motivator for people to act in a particular way. Jeremy Bentham conducted this study in the 18th century through an architectural design of a prison called Panopticon. To keep a check on inmate’s behaviour, he built a tower in the centre of the institution. This resulted in a drastic change in behaviour as the prisoners were continuously conscious of rules and obedience. Michel Foucault, building upon a similar model, implemented the system into the public institutions to monitor a segment of the population. But it was seen that it crippled down the human freedom to act and a room for dissent as an effect of the surveillance. This is where the importance of privacy strikes where it starts affecting a person’s ability to act in a manner of their own choice.

In 2018, there was the tracking of 10,000 call records by the Uttar Pradesh government to catch two culprits that were later on arrested for dumping potatoes outside the houses of government officials. Similarly, in Andhra Pradesh, a govt website leaked personal data of its citizen about their use of medicines. The questions come in what makes a purpose legitimate for the surveillance over the privacy of the citizens.

In the past couple of months, India has witnessed headlines where WhatsApp has challenged the recent notification under IT Act. Law enforcement authorities have sent notices to Twitter for non-compliance with the rules. Companies claim the new media code will compel it to “break privacy protections” while policymakers have answered it as the right to privacy is “fundamental, but not absolute”.

Through the case of Justice K.S. Puttaswamy (Retd.) vs Union of India, the supreme court proclaimed privacy as a fundamental right for the citizens of India, though it doesn’t grant it as an absolute right. The question then revolves around what amounts to the legitimate state purpose and the proportional allowance for the investigation that may lead to infringement of privacy.

India has not been the only country that has demanded traceability. In October 2020, India, U.K. Japan and the U.S signed a deal to share the information with governments for the issues related to national security and terrorism, even if that leads to de-encryption of data.

With the recent Information Technology (Guidelines for intermediaries and Digital Media Ethics Code) Rules, 2021 (hereinafter mentioned as IT Rules), issued under the Information Technology (IT) Act, the debates on infringement of privacy have tapped into new horizons. Globally the governments have been trying to carve out solutions for the growing concerns of online defamation and harassment for half a decade. And de-encryption laws have been one such solution that policymakers have tapped into. De-encryption debate hasn’t been a new term since the onset of encryption technology. With Australia’s enactment of anti-encryption laws, the movement has only gained a boost for the rest of the nations to follow in similar footsteps.

The new IT rules have narrowed down the scope of the safe harbour provisions, which were typically enjoyed under the IT act by the intermediaries. The intermediaries were not liable before for any content uploaded by the users on the internet, with a provision for a reporting mechanism for harmful content. However, rules 4(4) ask the companies to develop an automation system to identify and take down harmful content. But at the same time, the question comes in, who defines what is meant by the “harmful content” and will also include dissenting opinions towards policies.

A concern of social media and messaging apps has been that to meet the demands of this legislation; it would require them to break end to end encryptions. A technology that assures the privacy of communication between the two users. “Security” and “Privacy” has been a selling point for the social media and messaging platform. The companies doubt that this policy would firstly restrict the effectiveness of communication amongst the users, knowing the communication would be ought to surveillance if any doubts arise. Secondly, the tech giants also fear facing future challenges and competition from blockchain-based technology applications that would guarantee better privacy and can suddenly grapple up the existing market under the flag of better privacy protection.

Applications like “Session” by Loki Foundation that have introduced blockchain technology in their application systems have taken a further step in their quest for unrivalled privacy for their users. This technology neither requires a phone number nor saves an IP address. Bringing in additional challenges both of the existing Tech App giants to invest in their innovation labs and at the same time for governments that would only bring in newer headaches for policymakers. Hence, the fear is, will such legislation make the technology go obsolete way before their time.

RIGHT TO PRIVACY AND THE RIGHT TO EXPRESSION, HAS IT BEEN PUT AT STAKE?

Rule 4 (2) of the new IT Rules lays down a ground for tracing the first originator of any message that is under investigation. With the messaging platform already powered with encryption technology, 4(2) would threaten end-to-end encryption. Hence it won’t be incorrect to argue that it threatens the right to privacy and the freedom of speech and expression. We are now reaching up to a similar stage of how Jeremy Bentham’s panopticon redefined a human’s ability to act under surveillance. Hence, it won’t be wrong to ask the question at this point that how much in future it may affect our right to dissent.

Several questions have yet left been unanswered, such as how the legislation would define the meaning of “the first originator”. Does the first originator have to be an Indian citizen, or should the message have first originated under India’s territory? Would that also mean that the applications would require to track the location of the users as well?

The tech giants are concerned with Rule 4(2) because the algorithms these apps are using are global algorithms and haven’t been made as a country-specific one. Hence, creating a backdoor entry for one also creates a back door entry for the rest of the world. And the world isn’t comprised of only governments and law enforcement agencies; it includes the ones that would illegally break the back doors. There is no question on the fact that fundamental rights are subjected to restrictions, as has also been reiterated by our I.T Minister. But there also requires a cost-benefit analysis for the same and at what we may end up trading off for.

Another grey area that legislation has left is on surveillance, whether the legislation mandates retrospective or prospective surveillance. Retrospective would bring in numerous debatable points about the feasibility of the technology and social justice, where people would have communicated certain things when they were not aware that they might be subjected to surveillance in the future.

Lastly, there is still lacks the clarity about the internationalization of this legislation. The world doesn’t function on the same set of policies. How do we prepare ourselves with cases where the “WhatsApp India” ends up tracing an EU citizen’s messages that have been granted protection under the GDPR norms of the European Union while tracing of the first originator? There are complex challenges ahead for compliance on such grounds, especially for the tech giants when legislation such as GDPR has prescribed a fine of 4% global turnover over the data breach. At the same time market of India provides a considerable share of the user that can’t be ignored. There is no doubt that as a nation, we need to bring down the cases of fake news, hate speech, child pornography etc., and such issues must be addressed at utmost priority but, is surveillance and de-encryption are the only mechanisms for it, is something to brainstorm upon for the policymakers.

This article has been written by Pulkit Mogra, Assistant Professor at University of Petroleum and Energy Studies, Dehradun and is currently pursuing his Ph.D from University of Ottawa, Canada.