The controversial Mr. A. Raja does not just preside over telecom, which the country’s biggest industrialists are interested in. He also presides over the lawmaking which governs the use of the Internet in India. Surely that is something which deserves at least as much media vigilance as the awarding of telecom licences to companies?
Last year, a few weeks after the Mumbai attacks in November, a Bill which had been sitting around in a Standing Committee since 2006 was hastily passed, without much debate in parliament. The Information Technology (Amendment) Act, 2008 seeks to give teeth to existing laws on information technology and cyberspace. Last month, shortly before Mr. Raja began his second stint, the Department of IT posted on the Internet the results of its labours in drafting rules for this Act. Since the devil is in the details, the import of the Act resides in the rules. These are still at the draft stage, you are invited to send your comments to the Government of India, which does this feedback exercise to show how democratic it is. http://www.mit.gov.in/ default.aspx?id=969.
Here, then, is an idiot’s guide to what Mr. Raja and his men are proposing to do, in the name of national security, safe Internet use, and suchlike.
a) Intercept email, under Section 69 of the Act.
Who can give orders for such interception? Technically, only the Union Home Secretary or the Home Secretary at the state level, but in unavoidable circumstances also a Joint Secretary. In further unavoidable circumstances — in an emergency (not defined) in a remote area (not defined) — a security officer of the rank of an Inspector Feneral of Police can order the interception. They have to get it okayed in a week’s time by a Home Secretary or Joint Secretary or cease intercepting.
What about laws protecting privacy? This provision circumvents those in the name of security.
b) Block websites and web content, under Section 69A.
A designated officer of Joint Secretary-level is empowered to handle requests for blocking from departments or individuals. He submits the request to an inter-ministerial committee of Joint Secretaries, including one from the Ministry of Information and Broadcasting. In an emergency, scrutiny by just the designated officer will do, and the final permission has to come from the Secretary, Department of Information Technology. What can be the basis for a request to block? The Sovereignty or Integrity of India, the Defence of India, the Security of the State, Friendly Relations with Foreign States, Public order, and, for “preventing incitement to the commission of any cognisable offence relating to above.” Apart from the fact that all of the above are open to interpretation, do note the “preventing incitement” bit. In case somebody thinks you might provoke someone to do something, they can block your website.
What about a right to be heard before the blocking? There is none. The job of Secretary, Department of Information Technology, suddenly becomes a pivotal one in the matter of freedom of expression. He has the final say in any blocking.
Review of the decision? A committee headed by the Cabinet Secretary, GOI, needs to meet at least once in two months for that. As a CERT-IN official said at a recent meeting when questioned about the inordinately long time taken for a review, “Bahut cases hote, saab. Cabinet Secretary khali nahin baithe hota.” His point was that overall there is a four-level scrutiny, and that so far blocking of web pages or sites has been very rare indeed, three to four cases in the last five years.
c) Monitor and collect traffic data relating to a website, in the name of ensuring cyber security, and foiling cyber security incidents. Under Section 69B.
d) Set up an Indian Computer Emergency Response Team (CERT-IN), whose constituency “shall be the Indian cyber community”, under Section 70B (1).
If you plough through all the citizen-friendly sounding stuff that this team is supposed to do, you will hit upon this clause: “For carrying out its functions prescribed in section 70 (B) of the Act, CERT-IN may seek information and give directions for compliance to the service providers, intermediaries, data centres, body corporate and any other person, as may be necessary.” This innocuous body can order your service provider to cough up any data it wants. And what level of officer can do this? Any officer of CERT-IN, not below the rank of Deputy Secretary to the Government of India. Again, the defence is that this clause only relates to cyber security. The rules empowering CERT-IN are drafted by the organisation itself. Talk of giving yourself powers because you are making the rules!
e) Define the liability of Network Service Providers, under Section 79.
This is a section for which the rules have not yet been posted, because there is hectic lobbying going on by industry. It seeks to protect the companies that operate in India as Network Service Providers from being liable for any third party information, data, or communication link made available or hosted by them. They are not liable so long as they “do not initiate the transmission, select the receiver of the transmission, and select or modify the information contained in the transmission, and so long as they observe due diligence while discharging their duties under this Act.” But once they come to know of data posted on their servers which could be interpreted as violating the “integrity of India, defence of India, friendly relations with foreign States” bits and do not remove it, they become liable.
Who will be defined as a network service provider? What will be defined as due diligence? What will be the definition of an intermediary? Industry is lobbying with CERT-IN on these issues. Sachin Pilot is the minister in charge.
But is civil society mounting enough of a fight to protect privacy, and prevent web content blocking without a prior right to be heard? Is it doing enough to oppose the extraordinary powers Mr Raja’s ministry is arming itself with? You know the answer to that one.
Author – Sevanti Ninan
From The Hindu – Sunday, June 07, 2009