India and the world want social media firms to do more for 'safe harbour'

As India tightens the noose of regulatory compliance around social media, there have been concerns about the dilution of the safe harbour provision in the country's Information Technology Rules.

As India tightens the noose of regulatory compliance around social media platforms, there have been concerns about dilution of the safe harbour provision in the country’s Information Technology Rules.
 

Safe harbour means immunity for social media companies, in case any content transmitted over their platforms violates the local laws. Facebook, Twitter, Instagram, YouTube and a host of other social media platforms enjoy such immunity, as several jurisdictions, including India, recognise these platforms are like bookstore owners, mere conduits that shouldn’t be held accountable for the content of the books in their store.
 

But in the digital economy, various countries, looking to check the spread of misinformation and hate speech, require social media platforms to fulfil certain conditions to enjoy their safe harbour. A common condition across countries is that these platforms should remove ‘unlawful’ content, after receiving actual knowledge about the same in a notice from the courts or law enforcement agencies (LEAs). India’s new IT rules broaden these conditions substantially. They require significant social media intermediaries — social media platforms with over 5 million users — to identify the first originator of any piece of information, which the government feels jeopardises the sovereignty and integrity of India. Law experts have pointed out that the wording of these rules is too broad-based and could mean many things. There is also the concern about what the government treats as fake news or unlawful content, as recent events such as the clampdown on young ‘toolkit’ activists would attest.
 

WhatsApp said that to identify the first originator, it would need to break the end-to-end encryption (E2E) on its platform. Tech experts agree. E2E forms the fulcrum of WhatsApp’s, Signal’s and Telegram’s claims of safeguarding user privacy. It means that no one, even WhatsApp, can read your messages. But to comply with the new norms, it would have to store ‘hashed’ data about the originator of each message. So the new rules require platforms to store more user data, undermining the principle of data minimisation.
 

“Law and order when threatened, everyone cooperates. Hand-waving and demanding data without legal backing is what companies resist. We need to work on better metadata analysis techniques that can give us all the information and more for investigation. It's the extra-judicial requests that should be resisted. Section 69 and Rule 4(2) create a non-transparent Executive controlled dark hole,” said Mishi Choudhary, founder and legal director of Software Freedom Law Centre in India (sflc.in).
 

The world wants more compliance from social media companies
 

India isn’t the first country seeking backdoor access to these E2E-enabled messaging platforms. The US has, in recent years, discussed legislation that seeks to impose similar conditions on social media companies to grant them their safe harbour. One such Bill seeks to provide US LEAs with the right to access digital messages without a warrant. It also seeks to notify a broad category of ‘best practices’ to be followed by social media platforms to enjoy their safe harbour. The US Parliament hasn’t passed the Bill, despite the former President Donald Trump also seeking a change to the intermediary liability rules during his tenure.
 

If WhatsApp is forced to comply with the new IT rules in India, it would have to alter its existing architecture and store more data. That too, before India ratifies the Personal Data Protection Bill, 2019.
 

Further, if the Facebook-owned messaging platform bends in India — the second largest internet market in the world with over 700 million users — it could have to agree to similar rules in other jurisdictions as well. Brazil also wants traceability of users on WhatsApp. The European Union (EU) wants platforms to proactively monitor and remove objectionable content. Its member states, Germany and France, have already moved ahead on that front.
 

There are some similarities between the rules for intermediaries in India and those envisaged in the EU. 
 

Rules don’t distinguish between WhatsApp & Signal
 

India classifies social media platforms with over 5 million users as ‘significant social media intermediaries’, which besides having to enable the identification of the first originator, have to appoint a resident grievance officer, a chief compliance officer and a nodal person of contact for 24x7 coordination with Indian LEAs. The rules also require these bigger platforms to have an office in India.

India casts a much wider net than the EU, the latter proposes additional compliance only for very large platforms with 45 million monthly users. The rules in EU are yet to be approved. 
 

“Such requirements for bigger platforms can disincentivise domestic startups from expanding their business beyond the said user limit and prove a challenge for the country’s overall economic progress,” said Kazim Rizvi, founding director at The Dialogue, a research and public policy think tank. Europe has raised similar concerns, with domain experts of the view that the incumbency advantages of very large platforms are likely to get stronger.

“These rules are a dampener for platforms built out of the free and open-source software (FOSS) movement. India’s IT rules contain no distinction between for-profit enterprises such as WhatsApp and platforms such as Signal, which has been built by an American non-profit,” added Mishi of sflc.in.
 

WhatsApp alternative Signal has seen considerable traction in India this year, amid concerns over WhatsApp’s new privacy policy. Over two weeks in January, Signal logged 26.4 million downloads from India. It is hence a significant social media intermediary.
 

Sflc.in has assisted FOSS developer Praveen Arimbrathodiyil in challenging parts of the new IT rules in the Kerala High Court. The petitioners have argued that the rules place a compliance burden on FOSS entities or services, affecting their right to trade.
 

The new rules would also affect competition in the sector. Social media giants such as Facebook, Twitter and WhatsApp have the wherewithal to appoint more officers in India, also to store more data for traceability. Smaller and upcoming platforms such as Signal don’t. Platforms that cannot comply with the new rules could lose their safe harbour as social media intermediaries in India. In that scenario, if a message on Signal violates the local laws, state agencies could book not just the sender or ‘originator’ of that message but even the platform and its employees.
 

“The Competition Commission of India would tell you that this is a bad provision,” a legal expert quipped.
 

While various entities that the new rules will affect have stated their willingness to comply, Signal has suspended media interactions in India till further notice.