Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Governance & Risk Management

Critics Blast Proposed IT Act Modifications

Some Argue That Proposal Would Limit Freedom of Speech, Compliance Would Prove Difficult
Critics Blast Proposed IT Act Modifications
Among the intermediaries that would be affected by the proposed amendment are social networks.

New concerns are being raised about the Indian government's proposal to modify the Information Technology Act, 2000 to make intermediaries that handle consumers' data more responsible for the content they host in an effort to crack down on "fake news."

See Also: Modernizing Malware Security with Cloud Sandboxing in the Public Sector

The government in late December proposed an amendment of Section 79 of the Information Technology Act. The Ministry of Electronics and Information Technology published a draft of revised rules.

As of now, the IT Act provides expansive protection (a safe harbor) to intermediaries for third-party content as long as they had no knowledge the same. Under the proposed amendment, intermediaries would be required to track all the content that gets posted on their websites and if anything is found that is "objectionable" it would have to be removed. The government has not clearly defined what content meets the "objectionable" definition, but it appears the target is fake news and hate speech.

The proposal also would require intermediaries to remove objectionable content within 24 hours of receiving a court order or notification from the government.

The government expects to finalize its proposal in the next few weeks before the spring elections.

Critics of the proposal says the effort to crack down on certain content could pose a threat to individuals' freedom of expression. They also say compliance with the 24-hour requirement would prove difficult. And they say the IT Act's definition of "intermediary" is far too vague, which means too many organizations would have to comply with the amendment.

Broad Definition

The IT Act defines an intermediary very broadly as sites that receive, store or transmit electronic records or provides any service with respect to those records. This includes, for example, social media networks, telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online auction sites, online marketplaces and cyber cafes.

Vikram Mehta, associate director of information security at MakeMyTrip, an India-based online ticketing portal, says the proposed amendment appears to primarily be targeting social networks. "But since they have decided not to name these companies, the entire community of intermediaries is now bearing the brunt of this," Mehta says.

The government says its proposed changes are necessary to empower agencies to ask intermediaries for any information or assistance for investigative, protective and cybersecurity activities. The onus is on the intermediary to ensure there is no violation of these terms, the government says.

Freedom of Speech Concerns

Under the amendment, intermediaries would be required to deploy technologies, such as artificial intelligence or machine learning, to detect objectionable content.

In a letter to MeitY, change.org, an online platform that for sharing opinions, strongly objects to that requirement.

"Proactively identifying, removing and disabling content is a grave threat to freedom of expression," says Nida Hasan, associate country director at Change.org. "Furthermore, maintaining and improving such technology to adapt and meet changing patterns of internet use and abuse requires further significant investment."

A spokesperson from Amnesty International, which focuses on human rights, argues that requiring intermediaries to take down content on the directions of government authorities greatly increases the risks of legitimate expression being restricted.

"People will have varied views and how does one decide what is right and what is wrong. There must be clear criteria," the spokesperson says.

Too Short a Time?

Some security experts claim taking action to remove objectionable content within 24 hours of receiving a court order or notification from the government is not feasible.

"There are various formalities that needs to be done, like informing relevant people about the action. Hence, the time frame must be increased from 24 hours to 72 business hours," Mehta says.

The proposed amendment also would require intermediaries to inform users once every month on various rules and regulations, privacy policies and right to immediately terminate access or user right in case of non-compliance.

But the government has failed to specify the mode in which such information needs to be delivered, security experts say. Plus, they question the effectiveness of such automated messaging.

Mehta says the requirement should be dropped. "This seems to be an unnecessary, additional obligation on intermediaries because such information is already provided for in the user agreements that are easily available and accessible to users on the intermediary's website," he says.

In addition to raising compliance-related expenses, Mehta says, users "may not appreciate excessive information provided by the intermediaries at such intervals, leading to notification fatigue."

Who Must Comply?

Under the proposed amendment, intermediaries with more than 50 lakh users in India must:

  • Be incorporated under the Companies Act, 1956 or the Companies Act, 2013;
  • Have a permanent registered office in India with a physical address;
  • Appoint in India a nodal person of contact and alternate senior designated functionary, for 24x7 coordination with law enforcement agencies on the effort to control objectionable content.

Some critics say the 50 lakh user threshold is far too low and would lead to smaller companies facing a costly compliance burden.

"My view is that they might have thought of the number to target large platform players. But in reality, a small ISP too will have 50 lakh users. The government must consider changing this number," says a spokesperson for the Software Freedom Law Center, a donor supported legal services organization.

Shivangi Nadkarni, CEO at Arrka Consulting, adds: "The definition of an intermediary is broad. The definition includes many small firms who have yet to set up a strong foothold in the market. Some of the modalities laid out may be a burden to implement - especially for smaller companies - while some may not be practical or feasible. In my opinion, a middle ground needs to be found."


About the Author

Suparna Goswami

Suparna Goswami

Associate Editor, ISMG

Goswami has more than 10 years of experience in the field of journalism. She has covered a variety of beats including global macro economy, fintech, startups and other business trends. Before joining ISMG, she contributed for Forbes Asia, where she wrote about the Indian startup ecosystem. She has also worked with UK-based International Finance Magazine and leading Indian newspapers, such as DNA and Times of India.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.