IT laws on the way promise a safer internet, but raise many concerns
On an unremarkable autumn evening recently, Mumbaikar Vaibhav Borle came face to face with the demons of India’s digital boom. The 23-year-old CA aspirant was out for a walk after dinner when his Facebook messenger pinged. The message was from his uncle, Vinayak, who lived in another corner of the megalopolis and had recently recovered from a bad bout of Covid. “I have an emergency, can you ask your father to transfer Rs 10,000 to the following account?” Vaibhav asked his father to send the money immediately.
He soon got another message asking for another Rs 10,000. Vaibhav complied too, but warning bells started ringing when he got a third message asking for more. “That’s when I thought it was strange and I called my mom,” said Vaibhav. He got a shock when Vinayak told him that his Facebook account had been hacked and such messages were being sent to everyone on his friend list. A cousin abroad had already sent Rs 50,000.
Vaibhav’s ordeal for the next few days involved running from the police station to the cyber cell of a friend’s mother who worked at the Reserve Bank to trace the money trail. When the authorities froze the account into which the money was transferred – it was traced to a remote location in Uttarakhand – it was emptied. Vinayak himself struggled for a long time to get his Facebook account back. Even with the police involved, it took a week for the social media giant to move to restore the account to the original owner.
Vinayak and Vaibhav’s story is quite ordinary. As everything from banking and shopping to socializing and entertainment has moved online, it has also created an entire ecosystem of crimes. Theft, cheating, extortion, defamation, misinformation, incitement, violence, even murder – all in all, there is a digital version out there preying on gullible Indians who click the wrong link or button. Jamtara, as it turns out, is everywhere.
What has made matters worse has been the lack of laws and regulations to deal with this wave which had practically made an excursion on the web similar to a sojourn in the wild west. On paper, the Information Technology (IT) Act 2000 is the umbrella legislation covering the digital world, but it has proved woefully inadequate, as the nature and use cases of the technology itself have transformed over the years, leaving behind many of the Act’s assumptions and provisions. insufficient.
Although it is late, the authorities have woken up. “The challenges that the internet and the technology space represent today are far more challenging and the changing nature of technology far more disruptive, leading to the need for a new [legal] framework, said Rajeev Chandrasekhar, Union Minister for Electronics and IT.
The setback will primarily be in the form of three new landmark pieces of legislation. The Telecommunications Bill, 2022, the first, will replace the Indian Telegraph Act of 1885, the Indian Wireless Telegraphy Act, 1933, and the Telegraph Wires (Unlawful Possession) Act 1960. Its draft is already out. The proposed law aims to redefine communication by bringing all parties, from telecom service providers to over-the-top (OTT) players and internet-based communication platforms under one umbrella legislation.
The second is the Data Protection Act, which covers issues of data use as well as privacy. It was originally released in 2018, but was withdrawn after much opposition from various quarters. A new draft was recently released and is open for public consultation until 17 December. The third is the ambitious Digital India Act (DIA). An all-encompassing law to monitor India online, it will replace the 22-year-old IT Act and is expected to be out next month.
The loudest opposition to the two drafts now in the public domain has been to the sweeping powers the government has given itself to suspend the internet or intercept private communications citing national security and public order. Also worrying are the new rules like a KYC approval for users and a license for operators like WhatsApp.
“The biggest concern in a country like India is that if sweeping powers as envisaged in the bill, such as interception of messages and suspension of internet services, go ahead and become part of the final bill, it could lead to abuse of power by the government.” said Satya Muley, a lawyer specializing in constitutional law. “In the past, we have seen political bosses use their power to satisfy their political goals and objectives. The concerns are real; it will affect the fundamental right to privacy and the right to communicate very seriously.”
While authorities have long been at odds with messaging services over access to their end-to-end encrypted messages, the new law addresses the issue in a roundabout way. “No provision as such affects end-to-end encryption, and it will apparently continue,” Muley explained. “However, the bill gives broad powers to the Center to intercept and access end-to-end encrypted messages in the event of a public emergency, to protect national security and public order.”
There is another danger. “Platforms that offer end-to-end encryption will have to store such data to comply with the law. This will defeat the very purpose of end-to-end encryption,” says Kazim Rizvi, head of the public policy think tank The Dialogue. “Such large amounts of data collected to comply with the law can present cybersecurity challenges in terms of attracting cyberattacks and forced breaches.”
The government’s efforts to control pesky telemarketers have also come under fire as it envisions a KYC-like verification of every user on all platforms, including social media and messaging apps. “Requiring users to submit identification documents will affect users’ anonymity online, potentially chilling freedom of expression,” Rizvi said.
While there is clarity on spectrum allocation, bringing everyone from a mobile company to an internet platform under one umbrella and subjecting them to licensing has raised concerns. “Such omnibus and catch-all definition could compromise regulatory effectiveness and affect the orderly growth of the Internet economy,” senior Supreme Court lawyer Gopal Jain wrote in an op-ed. “By extending licensing to OTT platforms and making them license-centric, even though India threw away the license permit raj decades ago, [India is] set the clock back.”
“Licensing has not worked in countries like China,” Rizvi said. “Historically, it has not only acted as a barrier to entry for new entrants, but can also affect growth and innovation in the industry as larger sums of money may be required to comply with regulations.”
Equally worrying has been the dilution of the power of the Telecom Regulatory Authority (TRAI) under the new law. It also remains to be seen whether Big Tech would really be reined in. Section 11 of the draft telecom bill dilutes the regulator’s powers, although telecom minister Ashwini Vaishnaw has said that TRAI will be the implementation consultant for the new laws.
“Given the role the telecom industry plays – it is the backbone that drives Digital India, we really need an independent regulator that will represent the interests of all stakeholders,” said Sunil David, Co-Chair, Digital Communications Working Group, IET Future Technical Panel. “I’m not really sure who is behind this [move] to dilute TRAI’s powers.”
And Big Tech? “In the current bills, we don’t see a lot of rules that make Big Tech accountable,” Muley said. “But you can see the government moving in that direction by defining concepts like social media intermediaries, compliance requirements and complaints officers.”
The government, for its part, is treading carefully, putting up all draft rules for extended public hearings and showing a willingness to change at least some provisions. It knows all too well the far-reaching impact of these rules, and doesn’t want to make any missteps like what happened with the farm bills, or even the 2018 version of the Data Protection Act.
All the gibberish about various provisions of the new laws aside, perhaps the one area everyone agrees on is that rules to govern the online space are long overdue – with the Internet of Things (IoT) and 5G coming more and more into it connected ecosystem and new modes like Web3 and metaverse knocking on the doors, trust, accountability and transparency on the internet are even more crucial than ever before.
“The common man wants confidence when he goes online. He doesn’t want his data to be misused, and if for some reason there is misuse, there should be regulatory security – he should know who to go to if there’s a problem, David said. “The new laws should not stifle innovation and at the same time we do not want lax regulation. Getting the balance right is important.”
(Some names have been changed.)