Follow up from the Previous Review
As Internet rights are a relatively new concern for the Human Rights Council, only Sweden made a relevant recommendation in the previous review, requesting India to ensure ‘that measures limiting freedom of expression on the Internet are based on clearly defined criteria in accordance with international human rights standards’.1
India merely noted this recommendation at the time. Neither the executive nor the legislature has since taken any steps towards making restrictions to freedom of expression on the Internet conform with international human rights standards.
However, in Shreya Singhal v. Union of India, a landmark judgment in 2015, the Supreme Court of India struck down Section 66A of the Information Technology Act, 2000, (IT Act) which sought to punish the sending of ‘grossly offensive’ messages and messages known to cause ‘inconvenience’ and ‘annoyance’ among other categories2, for creating offences that were vague and overbroad, thereby restricting freedom of speech and expression guaranteed under Article 19(1)(a) of the Constitution of India.
The Supreme Court also read down Section 79(3)(b) of the IT Act, on intermediary liability, and Rule 3(4) of Information Technology (Intermediary Guidelines) Rules 2011 passed under Section 79, for similar reasons.
Positive changes beyond previous recommendations
The Telecom Regulatory Authority of India (TRAI) passed a regulation3 against differential pricing of data services by Internet service providers, after an open public consultation. This is a positive step that affirms a commitment to an open, free and secure Internet, enhancing freedom of expression, assembly and association on the Internet. However, this step was led by the telecom regulator, which, on a reading of the TRAI Act, is a semi-independent body.
Areas of Concern
A. Criminal laws curbing freedom of expression
Content blocking, punishment and intimidation under Section 67 and Section 67A of the IT Act
Section 67 of the IT Act4 deals with obscenity. Due to the vague wording of the section, it is frequently used to censor all kinds of subject matter – including, but not limited to, sexual content.
For example, section 67 has been used to harass and intimidate a journalist working in a remote, conflict-ridden area. Prabhat Singh, a journalist in the Bastar region, was arrested under the section (as well as section 292 of the IPC) in March 2016 for sending a WhatsApp message5, after the police found his message ‘offensive’.
Section 67A of the IT Act deals with punishment for ‘publishing or transmitting of material containing a sexually explicit act in electronic form’. The section does not distinguish between consensually uploaded sexual expression and non-consensual sexual material. The section provides an exception when the publication can be ‘justified as being for the public good’, a phrase that is undefined.
Due to the vagueness of the section, it has been misused in several instances, including for booking cases of defamation by a politician, for sharing pictures of him on a yacht.6
Content blocking under Section 69A of the IT Act
The government has powers to block content under Section 69A of the IT Act, for a fairly restricted number of reasons.7 It has increasingly exercised this power, with a total of 492 URLs blocked under this section in the first 11 months of 2015 alone.8 Compared to 13 URLs blocked in 2013 and 10 in 2014, the government is using the section more and more.
Orders passed under this section are secretive and do not lend themselves to scrutiny. The procedural safeguard of a hearing is available to the originator of the content under the section, but in practice, it is mostly not carried out.9
In June 2016, the section was used by the Department of Telecommunications (DoT), upon advice from the Department of Electronics and Information Technology (DEITY), to order the blocking of around 240 URLs of escort websites.10 This mass blocking is questionable11 as prostitution is not an offence under the Immoral Traffic Prevention Act, 1956 (ITPA); only soliciting in a public place is punishable.12
Although it is section 69A of the IT Act that explicitly empowers the government to block certain content on the Internet, the government frequently prefers to use sections 67 and 79 of the IT Act to justify its blocking orders.
Section 79 of the IT Act
In an order dated 31st July 2015, DEITY directed the DoT to notify Internet Service Providers (ISP) to block a list of 857 websites under Section 79(3)(b) of the IT Act. According to the leaked order that was kept confidential, the blocking was done as ‘content hosted on these websites relate to morality, decency given in Article 19(2) of the Constitution’.13 Under section 69A of the IT Act, this would not have been a valid ground for the government to block content.
In April 2016, the District Magistrate of Kupwara in Jammu and Kashmir passed an order that all admins of WhatsApp groups have to register themselves in the District Magistrate’s office.14 The Department of Information and Public Relations issued a press release requiring ‘proper permission from the concerned Deputy Commissioners’ for ‘posting news on social media news groups along with sources’. As the court order and the press release make group admins responsible for content shared by members of the group, the orders turned them into intermediaries under Section 2(w) of the Act. In arrests made, liability under Section 153A of the Indian Penal Code was assigned to WhatsApp group admins, disregarding that section 79(1) of the IT Act protects an intermediary from any liability under any law in force if the intermediary fulfils conditions laid down therein.
Shutdown of Internet services
In his report as the United Nations Special Rapporteur for freedom of opinion and expression in 2011, Frank La Rue notes that Internet shutdowns violate freedom of speech.15
Internet shutdowns in India are imposed16, not with reference to section 69A of the IT Act and its attendant rules, but through Section 144 of the Criminal Procedure Code. This means that ISPs are instructed to suspend 2G, 3G, GPRS, lease line and/or broadband services in the specified regions. No checks and balances are in place to ensure that such shutdowns are indeed legitimate.
As of September 2016, there have been Internet shutdowns in Jharkhand17, Jammu & Kashmir18 and Gujarat19 this year alone. In 2015, Internet services were shut down in Nagaland20, Gujarat, Manipur21, Kashmir22 and Rajasthan23. In 2013 and 2014, Internet services were temporarily banned in Kashmir24 and Gujarat25, sometimes for reasons as frivolous as preventing cheating in an examination.
The UNHRC-appointed Special Rapporteurs on Freedom of Opinion and Expression for many years in succession have called on States to repeal criminal defamation laws in favour of civil defamation laws.
In a judgment delivered in May 2016, the Supreme Court of India upheld the validity of Sections 499 and 500 of the Indian Penal Code, providing for criminal defamation.26 Currently, a petition in the Supreme Court challenges corporations’ claim that their Right to Life can be violated in the context of defamation suits.27
The criminal defamation provisions have been used to silence speech on the Internet of a diverse range of actors, including journalists, politicians28 29 and media personalities30, by harassing them with punitive laws that could result in imprisonment up to two years and/or fines in case of conviction.
Section 124A of the Indian Penal Code deals with sedition. The provision prohibits any signs, visible representations, or words, spoken or written, that can cause ‘hatred or contempt, or excite or attempt to excite disaffection’ towards the government. As the language of the provision is overly broad, the section has been misused and misapplied to curb freedom of expression and opinion on the Internet, exercised by a large number of people including activists and students.31
The Supreme Court in multiple cases has read down the provision on sedition, stating clearly, for example, that criticism of the government cannot constitute sedition32 and requiring an additional condition of incitement to violence33 or incitement to imminent lawless action34 to be present to incur liability. Despite such qualifications, multiple cases continue to be booked by law enforcement where these conditions have not been met.35 The language of the law remains unchanged.
B. Right to Privacy
Lack of legislative protections of the Right to Privacy
Although there is no explicit ‘right to privacy’ in the Constitution of India, Courts have read this right into Article 21, the right to life and liberty, subject to some restrictions.36 Moreover, Courts have also ruled that the right may be curtailed only through procedure established by law, where the procedure is fair, just and reasonable.37 Legislative guidance on this issue remains, however, absent.
This interpretation of the right to privacy under Article 21 has now been challenged by the government in a writ petition.38 The Attorney General of India argued in the Supreme Court that the right to privacy cannot be read into the Indian constitution.39
This is at odds with India’s submission to the United Nations Commission on Science and Technology for Development (UN CSTD) Working Group on Enhanced Cooperation40, where it mentions the freedom of expression and privacy as crucial Internet issues that deserve attention.
Expanding surveillance in the name of intelligence gathering
The Indian State’s surveillance powers are expanding, and several new intelligence gathering bodies have been formed in the last four years,41 leading to increasing citizen data collection in the name of eliminating threats to national security, without concomitant privacy protections.
There is also no statutory redressal mechanism in case of illegal interception and monitoring of information and communications by the State.
Intelligence agencies are exempt from disclosing information about themselves under section 8 of the Right To Information Act, 2005, and operate without judicial or legislative oversight. In addition, the intelligence community has been pushing for exemption under privacy bills that have been under deliberation.42
The Central Monitoring System (CMS) is a telecommunications interception system that enables agencies of the government to intercept communications without requiring court orders or needing to liaise with the telecom service providers.43 No information has been made available about whose data will be collected, how the collected data will be used, or how long the data will be retained.
The National Intelligence Grid (NATGRID) centralises 21 databases, including information from banks, credit card, Internet, cell phones, immigration, motor vehicle departments, railways, National Crime Records Bureau, Securities and Exchange Board of India and Income Tax Department, with the aim of giving a full profile of persons to security agencies who seek it.44 There are no known checks and balances in place, nor is there information available about effective oversight of its functioning or about where responsibility resides in case of overreach.
Surveillance programs such as the CMS and the NATGRID arguably do not conform with any of the ‘International Principles on the Application of Human Rights to Communications Surveillance’.45 These principles were drafted with the intention of providing a framework for ensuring that laws, policies and practices of communications surveillance adhere to international human rights standards, and result in the protection of the right to privacy and freedom of expression.
According to ISP license agreement terms, ISPs have to ensure that the permitted upper limit for encryption strength of 40-bit key length in symmetric algorithms is not exceeded by individuals, groups and organisations.46 This is an extremely weak standard. For a higher standard, prior permission is required from the DoT, along with submission of private keys for decryption. The upper limit of 40 bits is not specified for ISP authorisation under the Unified Access Service license agreement. Bulk encryption by ISPs is also not permitted under the license agreements.
Under Section 84A of the IT Act, the government released a draft National Encryption Policy47 in September 2015, which applied to the use of encryption technologies for storage and communication of information held with the central and state governments, businesses and citizens.
Under the draft policy, users in the C2C (Citizen-to-Citizen) category were required to store plain text of all encrypted communications for 90 days from the date of transaction and provide verifiable plain text to law enforcement agencies as and when required, according to laws in place. The draft policy endangered the privacy of users and defied the very utility of encryption by asking users to retain communications insecurely.
It also required vendors of encryption technologies to register with the government, and service providers using encryption to enter into agreements with the government and turn in decrypted data on demand. These provisions were not counter-balanced by any consideration of the right to privacy or potential governmental overreach. By specifying key lengths to be used by different categories of users, the government could also restrict how secure users can choose to make their communications. The policy was rolled back after severe public pressure.
A new draft of the encryption policy was released selectively only to the private sector in 2016.
Aadhaar or Universal Identification (UID)
Aadhaar seeks to provide identification to residents of India by linking a 12-digit number to biometric and demographic information of residents. The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 is riddled with issues of exclusion and privacy concerns.
The Act does not perform well, measured against a globally accepted set of principles by which standards of privacy may be gleaned.48 These principles are Notice, Choice and Consent, Collection Limitation, Purpose Limitation, Disclosure of Information, Access and Corrections, Security, Openness and Accountability.
The Supreme Court passed an order that Aadhaar should be voluntary, and cannot be made mandatory for availing government services or benefits.49 Since the Act and the regulations under it were passed, the UIDAI has sent out a circular to all government bodies to issue specific notifications making Aadhaar mandatory for social schemes and government processes.50
Even as Aadhaar authentication failures are being reported in several states, the government is requiring the public distribution system, subsidised liquefied petroleum gas, government scholarships and other benefits to be linked to Aadhaar, leading to exclusion of many from availing basic needs.51
C. Reducing barriers to access
Restrictions on access to mobile phones for women and girls
Khap panchayats (local community bodies) in villages of Uttar Pradesh,52 Rajasthan53 and Gujarat54 have imposed a ban on the usage of social media and mobile phones for women in the areas, especially young and unmarried women. The lack of disavowal of and strong action against khap panchayats that are banning the use of mobile phones among women is disconcerting.
A. Criminal laws curbing freedom of expression
Amend the rules under Section 69A of the IT Act to remove secrecy of the orders.
Ensure blocking orders by the government are passed only under Section 69A of the IT Act, and the reasons fall strictly within the limits provided in the section. Require court orders for all other blocking orders.
Bring an immediate end to the use of section 144 IPC to justify network shutdowns in the name of law and order.
Amend the Indian Penal Code to strike down provisions on criminal defamation, in compliance with international human rights standards. The aggrieved party is free to pursue civil remedy.
Amend the Indian Penal Code provisions on sedition in line with the Supreme Court’s guidelines.
B. Right to Privacy
Pass a law providing strong protections of the right to privacy.
Prescribe clear limits on government surveillance and discontinue bulk collection of citizen data, in compliance with international human rights standards.
Comply with the order passed by the Courts to not make Aadhaar mandatory for delivery of welfare services. Place strong penalties and create redressal mechanisms for breach of data either by sub-contractors or government agencies.
Require the use of strong encryption in business and government communications as well as individual communications. The government should not require manufacturers of software and hardware to insert backdoors, or deposit private keys with the government, creating security vulnerabilities.
C. Reducing barriers to access
Take strong measures against and issue guidelines for community bodies imposing restrictions on the use of mobile phones by women.