Giving in to prior restraint
This article is an expanded version of a column which appeared in the Hindu, on June 7, 2009 titled, “In the name of national security”.
After 26/11 when the Information and Broadcasting Ministry tried to come up with sweeping restrictions on TV channels in the interests of national security there was the predictable outcry and the government backed down very quickly.
Why then is there not enough of an outcry when websites are affected, for the same reason? Particularly over the way rules are being framed for the IT (Amendment) Act of 2008? The powers they give the Government to block websites amount to prior restraint, permitting blocking without informing the affected party, or giving him/her a chance to be heard. Obviously it has been done to deal with terrorism, and it could be argued that you will not be seeking permission from a non-state actor when you are seeking to track him by intercepting his email or blocking the websites he uses to spread his message. But civil liberties can end up being curtailed in the name of combating terror, and individual privacy can be violated the same way. Both are endangered as the new government goes about putting teeth into the amended IT act.
The controversial Mr A Raja does not just preside over telecom, which the country’s biggest industrialists are interested in. He also presides over the lawmaking which governs the use of the Internet in India. Surely that is something which deserves at least as much media vigilance as the awarding of telecom licences to companies?
Last year, a few weeks after the Mumbai attacks in November, a Bill which had been sitting around in a Standing Committee since 2006 was hastily passed, without much debate in parliament. The Information Technology (Amendment) Act, 2008 seeks to give teeth to existing laws on information technology and cyberspace. Last month, shortly before Mr Raja began his second stint, the Department of IT posted on the Internet the results of its labours in drafting rules for this Act. Since the devil is in the details, the import of the Act resides in the rules. These are still at the draft stage, you are invited to send your comments to the Government of India, which does this feedback exercise to show how democratic it is. http://www.mit.gov.in/default.aspx?id=969.
Here, then, is a idiot’s guide to what Mr Raja and his men are proposing to do, in the name of national security, safe internet use, and suchlike.
a) Intercept email, under section 69 of the Act.
Who can give orders for such interception? Technically only the Union Home Secretary or the Home Secretary at the state level, but in unavoidable circumstances also a joint secretary. In further unavoidable circumstances---in an emergency (not defined) in a remote area (not defined)---a security officer of the rank of an inspector general of police can order the interception. They have to get it okayed in a week’s time by a home secretary or joint secretary or cease intercepting.
What about laws protecting privacy? This provision circumvents those in the name of security.
b) Block websites and web content, under section 69A.
A designated officer of joint secretary-level is empowered to handle requests for blocking from departments or individuals. He submits the request to an inter-ministerial comittee of joint secretaries, including one from the Ministry of Information and Broadcasting. In an emergency, scrutiny by just the designated officer will do, and the final permission has to come from the Secretary, Department of Information Technology. What can be the basis for a request to block? The Sovereignty or Integrity of India, the Defence of India, the Security of the State, Friendly Relations with Foreign States, Public order, and, for "preventing incitement to the commission of any cognisable offence relating to above." Apart from the fact that all of the above are open to interpretation, do note the 'preventing incitement' bit. In case somebody thinks you might provoke someone to do something, they can block your website.
What about a right to be heard before the blocking? There is none. The job of Secretary, Department of Information Technology, suddenly becomes a pivotal one in the matter of freedom of expression. He has the final say in any blocking.
Review of the decision? A committee headed by the Cabinet Secretary, GOI, needs to meet at least once in two months for that. As a CERT IN official said at a recent meeting when questioned about the inordinately long time taken for a review, "Bahut cases hote, saab. Cabinet Secretary khali nahin baithe hota." His point was that overall there is a four-level scrutiny, and that so far blocking of web pages or sites has been very rare indeed, three to four cases in the last five years.
c) Monitor and collect traffic data relating to a website, in the name of ensuring cyber security, and foiling cyber security incidents. Under section 69B.
d) Set up an Indian Computer Emergency Response Team (CERT-IN), whose constituency “shall be the Indian cyber community,” under section 70B (1)
If you plough through all the citizen-friendly sounding stuff that this team is supposed to do, you will hit upon this clause: “For carrying out its functions prescribed in section 70 (B) of the Act, CERT-IN may seek information and give directions for compliance to the service providers, intermediaries, data centres, body corporate and any other person, as may be necessary.” This innocuous body can order your service provider to cough up any data it wants. And what level of officer can do this? Any officer of CERT-In, not below the rank of Deputy Secretary to the Government of India. Again the defence is that this clause only relates to cyber security. The rules empowering CERT-IN are drafted by the organisation itself. Talk of giving yourself powers because you are making the rules!
e) Define the liability of Network Service Providers, under section 79.
This is a section for which the rules have not yet been posted, because there is hectic lobbying going on by industry. It seeks to protect the companies that operate in India as Network Service Providers from being liable for any third party information, data, or communication link made available or hosted by them. They are not liable so long as they “do not initiate the transmission, select the receiver of the transmission, and select or modify the information contained in the transmission, and so long as they observe due diligence while discharging their duties under this Act.” But once they come to know of data posted on their servers which could be interpreted as violating the “integrity of India, defence of India, friendly relations with foreign States” bits and do not remove it, they become liable.
Who will be defined as a network service provider? What will be defined as due diligence? What will be the definition of an intermediary? Industry is lobbying with CERT-IN on these issues. Sachin Pilot is the minister in charge.
But is civil society mounting enough of a fight to protect privacy, and prevent web content blocking without a prior right to be heard? Is it doing enough to oppose the extraordinary powers Mr Raja's ministry is arming itself with?
Because given the way we handle technology, actions officially ordered do not end up have the restricted impact they are supposed to. Back in 2003 when there was an attempt at Internet censorship through the blocking of a discussion group on the Web, the Internet Service Providers went beyond the targeted blocking they were asked to do. An organisation in Meghalaya which advocates seccession had set up this group, and the request for blocking it came from the Central Bureau of Investigation (CBI).
Had the service providers quietly blocked this one discussion group, nobody might have noticed. But they had never received such a request before and three of them (Mahanagar Telephone Nigam Limited, Data Access and Sify) wrote back immediately to DoT to say that since their infrastructure made it technically impossible to block just one group they had ("as per your directive") blocked all of Yahoo Groups, thousands of them. Predictably, there was a huge outcry.
And it achieved the opposite of what it set out to do because it sent the curious rushing to a little-visited discussion group. Despite being blocked, the page could be accessed through an anonymizer site on the Net whose express purpose is to allow people to circumvent blocks. Censorship does stay quiet in this country, which is a great thing. Nor does it achieve its objective. See what this attempt did for Kynhun.BriU Hynniewtrep, the Meghalaya discussion group, seeking a separate state for the Khasis. Its membership grew from 25 or so before the censorship, to 214 after it. The year-old group had meandered along unnoticed, with an average of three postings a month. Post ban, it got 23 in four days.
Censorship does stay quiet in this country, which is a great thing. But the point to remember about governments is that where arbitrary powers are concerned, they never stop trying to exercise them.
(This article also draws upon an earlier column available at http://www.hindu.com/mag/2003/10/12/stories/2003101200180300.htm)
Source: The Hoot