User Privacy Vs Law Enforcement: Is There A Middle Ground?

NEW DELHI: The new IT rules that took effect earlier this week has pitted the government against social media platforms such as Twitter and Whatsapp who say it could compromise data encryption and, as an extension, user privacy. The government insists it’s committed to the right to privacy of its citizens but at the same time it has a duty to maintain law & order and national security. Barring Twitter, most platforms have complied with the new rules so far, at least partially. To get a sense of the new rules and the controversy surrounding them, we spoke to Kazim Rizvi, founding director of policy think-tank ‘The Dialogue’.

Is there a need to regulate the internet?

Over the last few years, we have seen a rise in fake news and problematic content such as child sexual abuse material proliferating on social media platforms. It has been getting increasingly difficult for the government to regulate the space and provide a good ecosystem for opinions. There’s a need to regulate the internet space and governments globally have been trying to do that. The challenge is how to regulate the internet, bring in greater transparency from the platforms while at the same time ensure the security and privacy of the user.

Will the new IT rules help?

The new rules have a lot of good intentions when it comes to regulating the space but at the same time there is the need to fine-tune some of the aspects to make sure that we don’t overregulate the space or curb free speech. On the platform side, we need timely and regular reporting, we need better accountability. The rules also talk about appeal mechanisms. So if your content is taken down, you can ask why it was taken down.

What are the contentious issues?

There are certain concerns such as the takedown timeline of 24 to 36 hours, criminal liability of employees as well as traceability. And non-compliance of the provisions would lead to loss of safe harbour of the platforms. I think there are certain aspects that need to be addressed. Before these rules, if an intermediary would come to know about problematic content, it was bound to take it down through a government order or a court order. Now the rules are proactively asking companies to filter content and identify problematic content. And if they don’t do that, they may lose their safe harbour status. From a reactive approach, we are moving towards a proactive approach. The challenges of this would be that platforms would start overcompensating and remove content first before analysing whether the appeal was legitimate or not.

Is there a way around the problems?

We do need to regulate the internet space; we need greater accountability and transparency from platforms. And I feel we need a system in place that has adequate checks and balances so that even where there are additional requirements of regulation, we do not end up curbing free speech.

The best way to deal with problematic content on encrypted platforms would be to collect and analyse metadata (data of data). That has proved to be sufficient in many cases and can help solve investigations and drive law enforcement. The government is talking to platforms so that this goes through. It can also get access to metadata around problematic content through targeted metadata analysis, without having to break encryption or without having to do traceability on encrypted platforms. Traceability could undermine encryption.

What are the issues with traceability?

One challenge with traceability is that when you open the backdoor of a system, you make it vulnerable. It becomes vulnerable to Chinese hackers, it becomes vulnerable to cyber criminals; a lot of spoofing can also be done. Let’s say, if problematic content is being shared on a platform, smart cyber criminals can spoof ids of different people and that could lead to wrongful liability or wrongful assumption of the fact that Person A shared this when it was actually Person B and somebody spoofed into Person A mischievously. We need to be a little careful about this in terms of the cyber security challenges of traceability.

Is it possible to trace the origin of problematic content without compromising encryption?

The government has the right to know who started the mischief. It’s a legitimate demand. Platforms need to do more when it comes to collaborating with the Government of India as well as globally. They need to do a lot more when it comes to sharing metadata analysis and the Government of India can do a lot more in terms of its own capacity, of improving its forensic and technical systems to make sure that with the least amount of data at hand, it can actually have a trail of a criminal or the profile of a criminal, which is required to pinpoint the right person behind a mischievous act.

What’s the way forward?

There are methods that are privacy-focused, less intrusive and can help the government meet its own target without violating the privacy of users. National security is also about the security of individual users.

A data protection law will give the government a lot of teeth to ensure privacy of users. The government is working on that. In 2018, it came up with a draft; in 2019 it came up with another draft which is now in Parliament. If we have a data protection authority under the ambit of the law, it will be in a better position to coordinate with various sectoral regulators, audit policies of platforms and come up with better privacy-respecting standard operating procedures for platforms. At this stage, the government doesn’t have a regulator which can actually analyse processing infrastructure of any platform.